Internet Policy: Day 4 - Workshop Session No. 8, E-commerce Issues. Prepared for CTO by Link Centre, Witwatersrand University, South Africa

Jan 12, 2016

Meriel

Page 1: Internet Policy

Internet Policy

Day 4 - Workshop Session No. 8

E-commerce Issues

Prepared for CTO by Link Centre, Witwatersrand University, South Africa

Page 2: Internet Policy

CTO / DFID Internet Policy workshop, Jamaica, 22-26 April 2002

Session Summary

Day 1
– Session 1: History and technical background
– Session 2: Market structure

Day 2
– Session 3: Interconnection, IXPs and voice over IP
– Session 4: Governance and domain names

Day 3
– Session 5: The impact of telecommunications regulation
– Session 6: Internet specific policy issues

Day 4
– Session 7: Content on the Internet
– Session 8: E-commerce issues

Day 5
– Session 9: Internet tools for regulators

Page 3: Internet Policy

E-commerce Issues

The purpose of this session is to provide participants with an overview of the issues that regulators need to be aware of in the context of growing e-commerce.

Page 4: Internet Policy

Topics of Discussion

– Security
– Encryption
– Authentication
– Privacy
– Interception and Monitoring
– Fraud
– Taxation

Page 5: Internet Policy

Security

Importance
– Integrity: Make sure no-one breaks the system
– Fraud: Prevent changes to transaction information
– Confidentiality: Ensure safety of client data

Steps
– User education (password, general security)
– Firewalls and access control lists
– System audits

DoS attacks

Page 6: Internet Policy

Encryption

Can anyone prohibit the use of encryption?
– The illegal t-shirt
– Steganography

Policy initiatives
– Special access to keys
– Restrictions on cryptography suppliers
– Interception and monitoring

Page 7: Internet Policy

Public key encryption

Bob decides to make use of PKI

Bob generates two keys
– Private key
– Public key

Bob sends his public key to Alice

Alice encrypts data with Bob’s public key

Bob decrypts the data Alice sent with his private key

Page 8: Internet Policy

Public key encryption

[Diagram: Alice encrypts "Hello Bob" with Bob's public key, producing ciphertext ("Adgft;lfdjikhdfkdhkldhsflkl"); Bob decrypts the ciphertext with his private key to recover "Hello Bob".]

Page 9: Internet Policy

Encryption and digital signatures

Bob can sign messages with his private key

Alice can verify Bob sent the message by using his public key to verify the signature

Non-repudiation
– Bob can’t deny he sent the message provided his private key is secure
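
The key generation, encryption and signature steps from the three slides above, as an added example that is not part of the original presentation. It uses textbook RSA without padding on small constructed primes, chosen only to make the arithmetic visible; the slides name no algorithm, and all function names are hypothetical.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two known Mersenne primes. Far too small and
# too structured for real use; real systems use a vetted library with padding.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def generate_keypair():
    """Bob generates two keys; returns (public, private)."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("public exponent not invertible")
    return (n, E), (n, pow(E, -1, phi))   # private exponent d = E^-1 mod phi

def encrypt(public, plaintext: bytes) -> int:
    """Alice encrypts with Bob's public key."""
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(private, ciphertext: int) -> bytes:
    """Bob decrypts with his private key."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message: bytes) -> int:
    """Bob signs the message hash with his private key."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(public, message: bytes, signature: int) -> bool:
    """Alice checks the signature using only Bob's public key."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def demo():
    bob_public, bob_private = generate_keypair()
    recovered = decrypt(bob_private, encrypt(bob_public, b"Hello Bob"))
    order = b"Pay Alice 100"                      # constructed message
    sig = sign(bob_private, order)
    return (recovered, verify(bob_public, order, sig),
            verify(bob_public, b"Pay Alice 900", sig))   # altered message
```

The altered message fails verification, which is the integrity and non-repudiation property the slide describes; it holds only while the private key stays with Bob.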

Page 10: Internet Policy

Encryption between hosts

Encryption between hosts
– ensures electronic transactions cannot be monitored
– credit card details can be kept secure
– can also be utilised for email or voice/video communication
– however issues over governance do arise
   widespread encryption vs. security of state

Page 11: Internet Policy

Authentication: digital certificates

Like an ID book

Digital file of specific format
– i.e. X.509

Issued by Certification Authority (CA)
– Verisign - http://www.verisign.com
– Thawte - http://www.thawte.com (Now owned by Verisign)

Used to ensure identity

Can be used for encryption purposes

Page 12: Internet Policy

Privacy

Rapid growth of the Internet means many privacy issues have surfaced

All electronic communication carries reference data of some sort
– email headers
– cookies

Right to privacy

Page 13: Internet Policy

Privacy

Need for privacy protection laws
– Data sharing prohibitions: My data has value!
– Special concern: medical, financial and child-related
– Need to prevent unauthorised use and dissemination
– Assure control and security of data

Page 14: Internet Policy

Privacy

Informed consent
– Users must be told how their data is going to be used, and agree to such use

Self-regulation
– Voluntary disclosure and standards for usage of data

Government regulation
– Mandatory standard for data privacy

Technical approaches
– Software filters

Page 15: Internet Policy

Interception and monitoring

‘Wiretap’ method
– monitors everything related to transmission
– often involves special equipment
– requires court approval
– expensive

Addressing info
– everything but content of transmission
– seldom requires specific court approval
– easy to obtain from phone companies (records are used to generate billing data)

Page 16: Internet Policy

Interception and monitoring

Why is monitoring needed?
– National security
– Criminal activity
– Outdated legislation
– Move towards proactive law enforcement, not reactive

Controversial
– Previous method of monitoring less invasive
– Proposed methods are "always on"
– Ease at which people can be monitored without court order
– Lack of watchdog or public oversight
– Knowledge of previous instances of misuse
– Bad guys use encryption anyway

Page 17: Internet Policy

Internet monitoring

Layered protocols
– HTTP over TCP/IP
– Email protocols over TCP/IP
– TCP/IP over Ethernet

Very little difference between content and addressing info when dealing with multiple layers of protocols
– May have to operate outside the limits of a court order in order to get the information required by the court order

Page 18: Internet Policy

Layered protocol example

The HTTP protocol involves both addressing and content info:

addressing info:
– the name of the file being retrieved
– the site the file is being retrieved from

content info:
– content of the file being retrieved

The TCP/IP protocol also has addressing and content info:

addressing info:
– source address / port of transmission
– destination address / port of transmission
– checksum data related to packets

content info:
– packets of data being transferred
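
The layering described on this slide, as an added example that is not part of the original presentation: a parser that splits one packet into addressing and content info at the TCP/IP layer and again at the HTTP layer. The packet, the host name shop.example, the documentation-range addresses and the function names are all constructed for illustration.

```python
import socket
import struct

def build_sample_packet() -> bytes:
    """Constructed IPv4 + TCP packet carrying a constructed HTTP request."""
    http = (b"POST /orders/new.html HTTP/1.1\r\n"
            b"Host: shop.example\r\n"
            b"Content-Length: 15\r\n\r\n"
            b"item=book&qty=1")
    # Checksum fields are placeholders (0xBEEF / 0), not computed values.
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0xBEEF, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0, 0,
                     64, 6, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    return ip + tcp + http

def split_layers(packet: bytes) -> dict:
    """Split one packet into addressing and content info at each layer."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("expected an IPv4 packet carrying TCP")
    ihl = (packet[0] & 0x0F) * 4                    # IP header length
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    tcp_len = (packet[ihl + 12] >> 4) * 4           # TCP header length
    (checksum,) = struct.unpack("!H", packet[ihl + 16:ihl + 18])
    payload = packet[ihl + tcp_len:]                # "content" to TCP/IP
    # Inside that content, HTTP has its own addressing/content split.
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    request = lines[0].split(" ")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return {
        "tcpip_addressing": {
            "src": (socket.inet_ntoa(packet[12:16]), sport),
            "dst": (socket.inet_ntoa(packet[16:20]), dport),
            "tcp_checksum": checksum,
        },
        "tcpip_content": payload,
        "http_addressing": {
            "file": request[1] if len(request) == 3 else None,
            "site": headers.get("Host"),
        },
        "http_content": body,
    }

if __name__ == "__main__":
    for layer, value in split_layers(build_sample_packet()).items():
        print(layer, "->", value)
```

The file name and site that HTTP treats as addressing info appear only inside `tcpip_content`, so a capture limited to TCP/IP addressing never sees them, while a capture deep enough to read them also holds the request body.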

Page 19: Internet Policy

Case Study: UK

Regulation of Investigatory Powers Act of 2000 was introduced to:

– Update existing legislation
– Cope with new methods of electronic communication
– Grant law enforcement additional powers
– Grant law enforcement access to encryption keys
– Require communications providers to install communication links to government monitoring centre

Page 20: Internet Policy

Case Study: UK

Regulation of Investigatory Powers Act of 2000 requires:

– Companies providing communication services to install wiretap technology or access to network
– Companies to retain information (logs) for a period of time
– 1 in 10000 customers to be watched at the same time

Page 21: Internet Policy

Case Study: UK

Regulation of Investigatory Powers Act of 2000 drew criticism from the start from:

– Privacy watchdogs
– Lobby groups
– Business leaders
– Business associations

Page 22: Internet Policy

Interception: Big Brother fears

– Ease of monitoring communications will result in huge increase in wiretaps
– Loss of privacy
– Individual rights being threatened
– Law enforcement has too much power
– Too few safeguards on law enforcement's actions
– Heavy burden on companies which have to comply
– Law enforcement will randomly monitor transmissions to look for suspicious activity rather than restrict surveillance to where a warrant has been obtained

Page 23: Internet Policy

Fraud

– Growth of the Internet has led to many old scams being re-introduced to an unsuspecting public by means of technology
– Scams commonly involve conning people into passing on money or credit card details in exchange for goods and services which are never delivered
– Fake websites of e-commerce hosts can be set up and made to look like the real thing
– Identity theft is growing
– Email scams are proliferating

Page 24: Internet Policy

Fraud - 2000 Internet Fraud Statistics

2000 Top 10 Frauds

Online Auctions: 78%
General Merchandise Sales: 10%
Internet Access Services: 3%
Work-At-Home: 3%
Advance Fee Loans: 2%
Computer Equipment/Soft.: 1%
Nigerian Money Offers: 1%
Information Adult Services: 1%
Credit Card Offers: .5%
Travel/Vacations: .5%

Page 25: Internet Policy

Taxation

Effects of e-commerce on global taxation
– Existing tax principles --> physical presence
– Problems of physical location, distance and time overcome

Digitised Products

Cross-border transactions

Page 26: Internet Policy

Summary

E-commerce covers a broad range of issues, including:
– Security
– Encryption and authentication
– Privacy, interception and monitoring
– Taxation
– Fraud

E-commerce policy is still in its infancy and global efforts at creating standardised policy are yet to be broadly implemented

However, there are still some international examples and precedents to learn from