Internet Policy Day 4 - Workshop Session No. 8 E-commerce Issues Prepared for CTO by Link Centre, Witwatersrand University, South Africa
Jan 12, 2016
CTO / DFID Internet Policy workshop, Jamaica, 22-26 April 2002
Session Summary
Day 1
– Session 1: History and technical background
– Session 2: Market structure
Day 2
– Session 3: Interconnection, IXPs and voice over IP
– Session 4: Governance and domain names
Day 3
– Session 5: The impact of telecommunications regulation
– Session 6: Internet specific policy issues
Day 4
– Session 7: Content on the Internet
– Session 8: E-commerce issues
Day 5
– Session 9: Internet tools for regulators
E-commerce Issues
The purpose of this session is to provide participants with an overview of the issues that regulators need to be aware of in the context of growing e-commerce.
Topics of Discussion
– Security
– Encryption
– Authentication
– Privacy
– Interception and Monitoring
– Fraud
– Taxation
Security
Importance
– Integrity: Make sure no-one breaks the system
– Fraud: Prevent changes to transaction information
– Confidentiality: Ensure safety of client data
Steps
– User education (password, general security)
– Firewalls and access control lists
– System audits
DoS attacks
Encryption
Can anyone prohibit the use of encryption?
– The illegal t-shirt
– Steganography
Policy initiatives
– Special access to keys
– Restrictions on cryptography suppliers
– Interception and monitoring
Public key encryption
Bob decides to make use of PKI
Bob generates two keys
– Private key
– Public key
Bob sends his public key to Alice
Alice encrypts data with Bob’s public key
Bob decrypts the data Alice sent with his private key
Public key encryption
[Diagram: Alice encrypts "Hello Bob" with Bob's public key; the ciphertext (shown as "Adgft;lfdjikhdfkdhkldhsflkl") travels to Bob, who decrypts it with his private key to recover "Hello Bob".]
Encryption and digital signatures
Bob can sign messages with his private key
Alice can verify Bob sent the message by using his public key to verify the signature
Non-repudiation
– Bob can’t deny he sent the message provided his private key is secure
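The key generation, encryption and signing steps from the two "Public key encryption" slides and this one, as an added example that is not part of the original workshop material. It uses textbook RSA without padding on a toy key built from two fixed primes, and all function names are assumptions chosen for illustration.

```python
# Added illustration: textbook RSA, no padding, toy key size.
# Real systems use a vetted library with 2048-bit or larger keys and OAEP/PSS padding.
import hashlib

def generate_keypair():
    """Bob's step: derive a public key (e, n) and a private key (d, n)."""
    p, q = 2**61 - 1, 2**89 - 1        # constructed toy primes (both Mersenne primes)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)                # private exponent: inverse of e modulo phi
    return (e, n), (d, n)

def encrypt(message: bytes, public_key) -> int:
    """Alice's step: only Bob's public key is needed."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Bob's step: only the private key recovers the plaintext."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest_int(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    d, n = private_key
    return pow(digest_int(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest_int(message, n)

def demo():
    bob_public, bob_private = generate_keypair()
    recovered = decrypt(encrypt(b"Hello Bob", bob_public), bob_private)
    sig = sign(b"Pay Alice 10", bob_private)          # constructed sample message
    return (recovered, verify(b"Pay Alice 10", sig, bob_public),
            verify(b"Pay Alice 99", sig, bob_public))  # altered text fails

if __name__ == "__main__":
    print(demo())
```

The last check is what non-repudiation rests on: a signature made with Bob's private key verifies only against the exact message he signed.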
Encryption between hosts
Encryption between hosts
– ensures electronic transactions cannot be monitored
– credit card details can be kept secure
– can also be utilised for email or voice/video communication
– however issues over governance do arise: widespread encryption vs. security of state
Authentication: digital certificates
Like an ID book
Digital file of specific format
– i.e. X.509
Issued by Certification Authority (CA)
– Verisign - http://www.verisign.com
– Thawte - http://www.thawte.com (Now owned by Verisign)
Used to ensure identity
Can be used for encryption purposes
Privacy
Rapid growth of the Internet means many privacy issues have surfaced
All electronic communication carries reference data of some sort
– email headers
– cookies
Right to privacy
Privacy
Need for privacy protection laws
– Data sharing prohibitions: My data has value!
– Special concern: medical, financial and child-related
– Need to prevent unauthorised use and dissemination
– Assure control and security of data
Privacy
Informed consent
– Users must be told how their data is going to be used, and agree to such use
Self-regulation
– Voluntary disclosure and standards for usage of data
Government regulation
– Mandatory standard for data privacy
Technical approaches
– Software filters
Interception and monitoring
‘Wiretap’ method
– monitors everything related to transmission
– often involves special equipment
– requires court approval
– expensive
Addressing info
– everything but content of transmission
– seldom requires specific court approval
– easy to obtain from phone companies (records are used to generate billing data)
Interception and monitoring
Why is monitoring needed?
– National security
– Criminal activity
– Outdated legislation
– Move towards proactive law enforcement, not reactive
Controversial
– Previous method of monitoring less invasive
– Proposed methods are "always on"
– Ease with which people can be monitored without court order
– Lack of watchdog or public oversight
– Knowledge of previous instances of misuse
– Bad guys use encryption anyway
Internet monitoring
Layered protocols
– HTTP over TCP/IP
– Email protocols over TCP/IP
– TCP/IP over Ethernet
Very little difference between content and addressing info when dealing with multiple layers of protocols
– May have to operate outside the limits of a court order in order to get the information required by the court order
Layered protocol example
The HTTP protocol involves both addressing and content info:
addressing info:
– the name of the file being retrieved
– the site the file is being retrieved from
content info:
– content of the file being retrieved
The TCP/IP protocol also has addressing and content info:
addressing info:
– source address / port of transmission
– destination address / port of transmission
– checksum data related to packets
content info:
– packets of data being transferred
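The layering described on this slide, as an added example that is not part of the original workshop material: a constructed IPv4/TCP packet carrying an HTTP request is split into addressing and content at each layer. The function names, the addresses and the `shop.example` host are assumptions made for illustration.

```python
# Added illustration; the packet below is constructed, not captured traffic.
import socket
import struct

def build_sample_packet() -> bytes:
    """Constructed IPv4 + TCP + HTTP request; checksums left at zero for brevity."""
    http = b"GET /orders/invoice.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0, 0,
                     64, 6, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    return ip + tcp + http

def split_layers(packet: bytes) -> dict:
    """Separate addressing from content at the TCP/IP layer, then at the HTTP layer."""
    ip_len = (packet[0] & 0x0F) * 4                  # IPv4 header length in bytes
    src, dst = packet[12:16], packet[16:20]
    sport, dport = struct.unpack("!HH", packet[ip_len:ip_len + 4])
    tcp_len = (packet[ip_len + 12] >> 4) * 4         # TCP data offset in bytes
    headers = packet[:ip_len + tcp_len]
    payload = packet[ip_len + tcp_len:]

    # The HTTP request line and Host header live inside the TCP payload.
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    _method, path, _version = lines[0].split(" ")
    fields = dict(line.split(": ", 1) for line in lines[1:])
    return {
        "tcpip_addressing": {"src": f"{socket.inet_ntoa(src)}:{sport}",
                             "dst": f"{socket.inet_ntoa(dst)}:{dport}"},
        "tcpip_content": payload,
        "http_addressing": {"site": fields["Host"], "file": path},
        "http_content": body,
        # True only if the HTTP addressing is visible in the TCP/IP headers alone.
        "http_addressing_in_headers": path.encode() in headers,
    }

if __name__ == "__main__":
    for key, value in split_layers(build_sample_packet()).items():
        print(f"{key}: {value}")
```

The site and file name appear only inside the TCP payload, so collecting HTTP "addressing info" means reading what the TCP/IP layer treats as content.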
Case Study: UK
Regulation of Investigatory Powers Act of 2000 was introduced to:
– Update existing legislation
– Cope with new methods of electronic communication
– Grant law enforcement additional powers
– Grant law enforcement access to encryption keys
– Require communications providers to install communication links to government monitoring centre
Case Study: UK
Regulation of Investigatory Powers Act of 2000 requires:
– Companies providing communication services to install wiretap technology or access to network
– Companies to retain information (logs) for a period of time
– 1 in 10000 customers to be watched at the same time
Case Study: UK
Regulation of Investigatory Powers Act of 2000 drew criticism from the start from:
– Privacy watchdogs
– Lobby groups
– Business leaders
– Business associations
Interception: Big Brother fears
Ease of monitoring communications will result in huge increase in wiretaps
Loss of privacy
Individual rights being threatened
Law enforcement has too much power
Too few safeguards on law enforcement's actions
Heavy burden on companies which have to comply
Law enforcement will randomly monitor transmissions to look for suspicious activity rather than restrict surveillance to where a warrant has been obtained
Fraud
Growth of the Internet has led to many old scams being re-introduced to an unsuspecting public by means of technology
Scams commonly involve conning people into passing on money or credit card details in exchange for goods and services which are never delivered
Fake websites of e-commerce hosts can be set up and made to look like the real thing
Identity theft is growing
Email scams are proliferating
Fraud - 2000 Internet Fraud Statistics
2000 Top 10 Frauds
– Online Auctions: 78%
– General Merchandise Sales: 10%
– Internet Access Services: 3%
– Work-At-Home: 3%
– Advance Fee Loans: 2%
– Computer Equipment/Soft.: 1%
– Nigerian Money Offers: 1%
– Information Adult Services: 1%
– Credit Card Offers: .5%
– Travel/Vacations: .5%
Taxation
Effects of e-commerce on global taxation
– Existing tax principles --> physical presence
– Problems of physical location, distance and time overcome
Digitised Products
Cross-border transactions
Summary
E-commerce covers a broad range of issues, including:
– Security
– Encryption and authentication
– Privacy, interception and monitoring
– Taxation
– Fraud
E-commerce policy is still in its infancy and global efforts at creating standardised policy are yet to be broadly implemented
However, there are still some international examples and precedents to learn from