IBT - Electronic Commerce: The Legal Infrastructure
Victor H. Bouganim
WCL, American University


© 2001 Victor H. Bouganim, WCL, American University IBT - Intro - 2

Problem 4.4 (Textbook, p. 166)

Professor Pedro (Brazil) buys books at rein.com (Germany), a company owned by rivers.com (USA).

Prof. Pedro's order triggered an automatic, computer-generated order addressed to East Publishing Co., an American firm.

Prof. Pedro's personal information about his purchase was sent to rivers.com for marketing purposes.


Class Discussion

What legal issues are raised by these activities?

Are there any special issues that arise because these activities are carried out with the aid of, or by, computers?

What distinctions are important for the analysis of this problem?


E-Comm - Critical Issues

Identification of trading partners and authentication

Applicable rules

Choice of laws and jurisdiction

Contracts and consumer protection

Privacy protection


E-Commerce - Phases

Phase 1: EDI

Phase 2: Tele-Shopping

Phase 3: Electronic Commerce


Electronic Commerce (diagram)

Diagram labels: contract formation (offer, acceptance); order, payment, performance; eCatalogue; digital contract; digi-cash payment; delivery of goods; tele-shopping; full electronic commerce - 'soft goods'.


E-Comm - Closed Systems

trading partners are identified and known

a pre-defined contract sets up the trade rules

typical systems:
– EDI - Electronic Data Interchange
– SWIFT - International Fund Transfer


E-Comm - Open Systems

open market trading for all

Global market

Virtual trading partners

Micro-Commerce


E-Commerce Systems


Law Reform Principles - 1

Neutrality principle: Laws should work with whatever technology, science and commercial practices might develop.


Law Reform Principles - 2

Non-discriminatory principle

Records, legal acts or authentication may not be denied legal effect, validity or enforceability solely on the ground that they are electronic.


International Initiatives (timeline diagram)

Jul 95 - Information Society

1996 - UNCITRAL E-Commerce Model Law

July 97 - White House paper

1999 - UCITA, UETA

1999 - Digital Signature Directive

2000 - Digital Signature Act

E-Commerce Committee


E-Commerce Legislation

UNCITRAL Model Law on Electronic Commerce 1996

UETA 1999
– Uniform Electronic Transactions Act

Digital Signature Legislation
– Third Millennium Electronic Commerce Act 1999

UCITA 1999
– Uniform Computer Information Transactions Act
– UCC Article 2B on licensing


Critical Legal Terms

Re-definition of critical terms:
– writing
– document
– signature
– bill
– notice
etc.


Digital Signature - 1

identify the messenger
– unique to a person
– under one's control

authenticate the message


eSig - Attribution

"Attribution procedure" means a procedure to verify that an electronic authentication, display, message, record, or performance is that of a particular person or to detect changes or errors in information. The term includes a procedure that requires the use of algorithms or other codes, identifying words or numbers, encryption, or callback or other acknowledgment.

Sec. 102, Uniform Computer Information Transactions Act 1999


Digital Signature - 2

achievable by employing public-key encryption
– e.g. RSA algorithm
– needs a trusted third party (TTP) or a certification authority to be effective

Alternative - biometric identity
– e.g. iris check or fingerprint, etc.


Simple Encryption (diagram)

plain-text --encrypt--> cypher-text

cypher-text --decrypt--> plain-text

secret key
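As an added illustration of the secret-key model shown in the diagram above (this code is not from the slides), the Python below builds a small keystream cipher from the standard library's HMAC-SHA256, standing in for a real block cipher such as AES, which the standard library does not ship. The point it demonstrates is that the same secret key must be held by whoever encrypts and whoever decrypts: a different key yields nothing, and an integrity tag means a modified ciphertext is rejected rather than silently decrypted to garbage. The function names, the 16-byte nonce and the 32-byte tag layout are choices made for this example. The need to share the key in advance is the key-distribution problem that motivates the public-key and certification-authority material on the following slides.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16  # example layout: nonce || ciphertext || tag
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random byte stream from (key, nonce) via HMAC-SHA256 in counter mode.
    Illustration only: a stand-in for a real cipher, not a production construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """plain-text --encrypt--> cypher-text, using the secret key."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    # Tag over nonce and ciphertext so tampering is detected before decryption.
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """cypher-text --decrypt--> plain-text; returns None on wrong key or modified data."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # the same secret key is required on both sides
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo() -> dict:
    """Constructed sample run: round trip, wrong key, and a flipped ciphertext bit."""
    key = os.urandom(32)
    other_key = os.urandom(32)
    msg = b"order: 2 x textbook, ship to Brazil"  # constructed sample message
    blob = encrypt(key, msg)
    tampered = bytearray(blob)
    tampered[NONCE_LEN + 4] ^= 0x01  # modify one ciphertext byte
    return {
        "roundtrip": decrypt(key, blob) == msg,
        "wrong_key": decrypt(other_key, blob) is None,
        "tampered": decrypt(key, bytes(tampered)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the three checks, all of which should be true; the "wrong_key" result is what the diagram's single "secret key" box implies and what public-key schemes set out to remove.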


Public-Key Encryption: RSA Algorithm (diagram)


The Need for Certification Authorities

The effectiveness of certification authorities is based on trust.

Digital certificates are used to authenticate a person or organization with a public key.
– The role of the certification authority is to provide this link between a unique private/public key pair and the actual identity of a group or individual.
– The certification authority actually provides certificates, which are computer-based records that identify a subscriber and contain the subscriber's public key.


Electronic Signature Certification

"Certificate"
– means an electronic attestation which links signature-verification data to a person and confirms the identity of that person

"Certification-service-provider"
– means an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures;

European Directive on a Community framework for electronic signatures (1999/93/EC, 13 December 1999)


Digital Certificate Process

A private/public key pair is generated on a trustworthy system.

The public key, along with personal identification information such as a passport, birth certificate or driver's license, is taken to the CA.

The CA verifies the person's identity.

The CA creates a digital certificate consisting of the person's public key.

This information is then digitally signed by the CA using the CA's own private key.

This allows anyone with the CA's public key to decrypt the digital certificate and identify the sender.


Authentication Procedure (diagram)

Diagram labels: Provider, Customer, TTP / Certification Authority, and four "Key" boxes.


Authentication Procedure (diagram)

Diagram labels: Provider, Customer, TTP / Certification Authority.

Message flow labels, appearing once in each direction: "Message + Key", "Key", "OK".
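The following Python, added here and not taken from the slides, walks through the digital certificate process and the authentication exchange sketched in the two diagrams above: a subscriber generates a key pair, the CA binds the subscriber's identity and public key in a certificate signed with the CA's private key, and a relying party (the provider) checks the CA signature, checks a revocation list, and only then verifies the subscriber's signature on the message. It uses textbook RSA over SHA-256 with no padding scheme and Python's `random` module, so it is for illustration only; production systems use a padded signature scheme such as RSA-PSS and a certificate format such as X.509. One caveat against the wording of the earlier "Digital Certificate Process" slide: the relying party does not decrypt the certificate with the CA's public key; it verifies the CA's signature over the certificate contents, which is what `verify_certificate` does. All function names, the subject name, the timestamp, the message text and the revocation set are constructed for this example; the issuance timestamp and revocation check mirror the requirements on the EU slides later in the deck.

```python
import hashlib
import math
import random
from typing import Dict, Set, Tuple

PubKey = Tuple[int, int]   # (n, e)
PrivKey = Tuple[int, int]  # (n, d)


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512) -> Tuple[PubKey, PrivKey]:
    """Textbook RSA key pair (illustration only: no padding, non-cryptographic RNG)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv: PrivKey, data: bytes) -> int:
    """Signing uses the private key, which stays under the signer's control."""
    n, d = priv
    return pow(_digest(data), d, n)


def verify(pub: PubKey, data: bytes, signature: int) -> bool:
    """Anyone holding the public key can check the signature; nothing is decrypted."""
    n, e = pub
    return pow(signature, e, n) == _digest(data)


def _cert_body(subject: str, pub: PubKey, issued_at: str) -> bytes:
    """Canonical bytes the CA signs: identity, public key and issuance time."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issued_at}".encode()


def issue_certificate(ca_priv: PrivKey, subject: str, pub: PubKey, issued_at: str) -> Dict:
    """CA step, after identity has been checked out of band: bind subject to key and sign."""
    body = _cert_body(subject, pub, issued_at)
    return {"subject": subject, "public_key": pub, "issued_at": issued_at,
            "ca_signature": sign(ca_priv, body)}


def verify_certificate(ca_pub: PubKey, cert: Dict, revoked: Set[str]) -> bool:
    """Relying-party step: CA signature over the binding must hold and the cert must not be revoked."""
    if cert["subject"] in revoked:
        return False
    body = _cert_body(cert["subject"], cert["public_key"], cert["issued_at"])
    return verify(ca_pub, body, cert["ca_signature"])


def authenticate_message(ca_pub: PubKey, cert: Dict, message: bytes,
                         signature: int, revoked: Set[str]) -> bool:
    """Provider side of the diagram's 'Message + Key' -> 'Key' -> 'OK' exchange."""
    return verify_certificate(ca_pub, cert, revoked) and verify(cert["public_key"], message, signature)


def demo() -> Dict[str, bool]:
    """Constructed sample run: accepted order, tampered order, forged cert, revoked cert."""
    random.seed(4)  # deterministic keys for the example
    ca_pub, ca_priv = generate_keypair()
    cust_pub, cust_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "Prof. Pedro (Brazil)", cust_pub, "2001-01-15T10:00:00Z")
    order = b"order: 2 x textbook from rein.com"  # constructed sample message
    sig = sign(cust_priv, order)
    forged_cert = dict(cert, subject="Someone Else")  # subject changed, CA signature unchanged
    return {
        "accepted": authenticate_message(ca_pub, cert, order, sig, set()),
        "tampered_message": not authenticate_message(ca_pub, cert, order + b"0", sig, set()),
        "forged_certificate": not authenticate_message(ca_pub, forged_cert, order, sig, set()),
        "revoked": not authenticate_message(ca_pub, cert, order, sig, {"Prof. Pedro (Brazil)"}),
    }


if __name__ == "__main__":
    print(demo())
```

The two-step check in `authenticate_message` is the substance of the "OK" in the diagram: the CA's signature establishes whose public key this is, and only then does the subscriber's signature establish that the message came from that key holder and was not altered in transit.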


Certification Authority Policies

A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.

Certificate policies allow infrastructures, Certification Authorities, and their subscribers to inter-operate at the appropriate trust levels.


TTP - Regulatory Modes

Private-sector-based supervision systems

Governmental supervision
– CA rules prescribed in legislation

US: eSig Act
– Does not regulate CAs
– Self-regulated industry, e.g. Verisign

EU: DigSig Directive
– Option between governmental or self-regulated supervision

State DigSig Laws
– e.g. Utah, California


Digital Signature State Legislation

Utah
– Most of Utah's bill deals with the regulation of certification authorities.
– Utah's Digital Signature Act specifies the required use of public/private cryptography as a way of safely transferring information.
– Only lawyers and banks will be allowed to function as certification authorities.

California
– California Digital Signature Regulations
– "Certification Authority" means a person or entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.
– The Regulations define the requirements for CAs


EU - CA Regulations

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

Sets up the rules and requirements for the operation of CAs
– Annex II of the Directive
– Article 8 - Data protection

Member States shall ensure that certification-service-providers and national bodies responsible for accreditation or supervision comply with the requirements laid down in the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data.


EU - Requirements for CA - 1

ensure the operation of a prompt and secure directory and a secure and immediate revocation service

ensure that the date and time when a certificate is issued or revoked can be determined precisely

verify, by appropriate means in accordance with national law, the identity of the person to which a qualified certificate is issued


EU - Requirements for CA - 2

employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided

use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them

take measures against forgery of certificates, and guarantee confidentiality