Internet commerce threats and opportunities

THREATS AND OPPORTUNITIES
POST 114 Technical Report, April 1998

- Background to DTI's latest proposals on security
- Electronic business and erosion of the tax base
- Content regulation

Although slow to start, electronic commerce over the Internet is growing fast and making it necessary to address key issues which will determine the way in which this truly global marketplace develops. This note explains some of the arcane and complex related issues (e.g. encryption).

POST reports are intended to give Members an overview of issues arising from science and technology. Members can obtain further details from the PARLIAMENTARY OFFICE OF SCIENCE AND TECHNOLOGY (extension 2840).

E-COMMERCE AND THE INTERNET

The Internet has long been in the news as a means of spreading information, as a way of communicating and increasingly as a means of advertising. Many companies have also turned to the Internet to add an extra dimension to their existing business, and there are also companies which have set up from scratch and operate exclusively in an Internet environment. This is pushing to the forefront technical issues such as encryption, how Internet business should (or could) be regulated and managed, and also how such ‘e-business’ ties in with the tax system. These issues are not trivial - the UK is the fourth largest IT, electronics and communications (ITEC) consumer worldwide and has the fifth largest ITEC industry (£43B or 6.7% of GDP). This is a strong base from which to develop e-commerce which is expected to become a significant fraction of global GDP (see Box 1), making ‘globalisation’ and ‘virtualisation’ significant terms for the UK and other nations.

BOX 1 COMMERCIAL USE OF THE INTERNET

Electronic commerce has been growing for many years, and links companies to suppliers, financial institutions together, and business to Government. While business over the Internet is small in comparison, it will become increasingly important because of:
- Mass access - there are already approaching 100M people connected via their computers to the Internet, and new interactive digital TV is likely to offer much easier access to the World Wide Web (WWW).
- There is a general trend toward harmonising current standards (such as CALS, EDI, etc) with Internet standards for all data networks, which will make it easier for business to use the Internet for business to business contact.

The number of commercial web sites passed 250,000 in 1996 and is still rising fast. The ‘old’ e-commerce required specific relationships between organisations and individuals. The wide-open market via the Internet, however, means that anyone with a computer and Internet access can become a merchant and reach customers all over the world; the consumer equally can find out about and buy products offered anywhere. This throws up very different challenges, opportunities and risks. It can offer companies:-
- a new advertising channel;
- a new means of reaching customers and receiving orders;
- cutting out the middle-man by direct sale - airline tickets, books, wine, etc. (called 'disintermediation');
- establishing new ‘virtual’ enterprises, or ‘virtualising’ existing
- developing and selling new digital products (e.g. software, WWW support services);
- replacing physical goods (e.g. games, books, music) with their digital equivalent.

Estimates of the growth of e-commerce as a whole are rather speculative still and often fail to differentiate between business over secure intranets and over the public internet. Nevertheless, the business conducted over the Internet is expected to rise dramatically - to equal that from mail order sales by year 2000. For example, direct airline ticket sales may reach $5B per year by 2000; one on-line bookshop sold 6.5 million books in 1997 alone (although this and other operations have yet to be profitable). Some industry estimates are however much higher - e.g. IBM anticipate Internet commerce reaching $200 billion by 2000.

ENCRYPTION

Electronic commerce has always used encryption. Thus when banks or financial service companies transfer electronic funds, or an ATM communicates to validate a customer’s PIN number, messages are encrypted to guard against interception and fraud. These procedures are not, however, suitable for providing security over open networks such as the Internet since:
- Traditional models of e-commerce involve only a few participants, and those sending and receiving messages can use the same encryption software and secret key. In contrast, the Internet allows business with new customers from anywhere in the world, and it is impossible for everyone to have a 'secret key'. A very different approach is required.
- Because customers and vendors may have no prior knowledge of each other in Internet commerce, electronic means are needed to verify identities - so that a customer sending money to a company’s web page knows it is not fraudulent; so that one party cannot deny or renege on a commitment, and so a third party cannot easily interfere and change a message (e.g. the terms of contract).

As described in Box 2, one solution to these challenges is public (or dual) key encryption, which works as follows. The company that wishes to do business over the ‘net’ obtains a set of public and private keys and sets up the appropriate software on its computer systems. It then makes its public key available to anyone who wishes to communicate with it. When a customer sends a message, he/she uses the computer to encrypt
with the public key, after which it can only be de-crypted by the company’s private key. The ‘magical’ feature of the mathematics involved is that even the sender cannot de-crypt the message once it has been encrypted using the public key (Figure 1).

FIGURE 1 PUBLIC KEY ENCRYPTION
(a) CONFIDENTIALITY: Ms A encrypts "Hello" with PUBLIC(B) and sends it to Mr B, who decrypts it with PRIVATE(B).
(b) VERIFICATION: Mr B encrypts his signature with PRIVATE(B) and sends it to Ms A, who decrypts it with PUBLIC(B).

FIGURE 2 SECURE INTERNET TRANSACTIONS
Customer browses and receives information from company web page - no security needed.
Ms Smith: "I'd like to order something".
ABC plc: "OK, here's my public key".
Ms Smith: "You're genuine, so here's my credit card details or E-credit authorisation" (encrypted).
ABC plc: "OK, Order confirmed".

Another property of the mathematics involved is that if the reverse takes place - i.e. a message is sent by the company with its private key, this can be de-crypted by any holder of the public key. If, however, it has been tampered with in any way, this will no longer work, and thus the ability to de-crypt is proof that the message is genuine and has not been tampered with. The same techniques thus allow either party to electronically sign the document.

To allow companies to do business with any potential customer, the public keys have to be available - just as the telephone and fax numbers are in business directories. Making the public keys available in this way has several implications. Such information needs to be relatively centralised, so people know where to go for it; there needs to be some method of ensuring that the keys published do actually belong to the company or individual concerned, and that the transaction is reliable. A number of bodies offering such services (Certification Authorities - CA) have already been set up. For instance, US companies such as ‘Verisign’ and ‘Cyberscript’ allow a customer’s computer to check the identity of the company and the validity of its public key (see Figure 2). Other organisations are developing similar services - e.g. Natwest and Barclays Bank have agreed a legally-binding system for ‘digitally signing’ on-line forms submitted to the UK government. The market is thus responding to the need for security and authentication without government intervention.

The strength of public key encryption described in Box 2 is related to the length of each key and beyond a certain limit (perhaps 56-bits or longer), the encrypted message becomes 'uncrackable' even with the most powerful computers. Advances in encryption techniques are thus a two-edged sword - strong encryption makes legitimate commerce very secure; it can also help human rights groups investigate without their reports being decoded by those whose record is being investigated. But at the same time, strong encryption could be used by organised crime to make its communications and money transfers essentially uncrackable by law enforcement agencies; equally, national intelligence agencies’ ability to intercept and decode foreign intelligence material could be compromised. It is how to strike a balance between these ‘costs and benefits’ of strong encryption that gives rise to the current policy debate.

The more powerful encryption techniques have been subject to export controls for some time on the grounds of national security. As described in Box 2, there have been several attempts in the USA at striking a 'deal' which maintains preferential access by intelligence and law enforcement interests to encrypted messages, as the ‘price’ for allowing export of the technology. The current policy debate centres on what methods should be used to recover keys in order to decrypt messages. One route is to require users of strong encryption to deposit a copy of their private key with an independent ‘Trusted Third Party’ who would be required to give it up to appropriate judicial or ministerial authority (key escrow). Another is where the encryption software involves registration with a key recovery agent.

The last Government’s proposals in this field were set out in a consultation paper released in March 1997 - this proposed a licensing system for “Trusted Third Parties for the Provision of Encryption Services”. Under these proposals, there would be no interference per se in the private use of encryption, but anyone offering encryption services to the public would have to be licensed by the DTI, and a condition of licensing should be that private encryption keys should be deposited at the TTP, and should be provided within one hour of receipt of an executive or court order. Since the market for unlicensed TTPs could be limited, these proposals were seen by many as equivalent to mandatory key escrow, and raised objections.


BOX 2

Before 1976, both ends of an encoded message needed the decryption key which had to be sent separately, effectively restricting cryptography to parties who already had a trustful relationship. Breaking out of this ‘strait-jacket’ completely revolutionised cryptography and followed from some rather counter-intuitive properties of large prime numbers.

Basically, if one takes 2 large prime numbers, one can work out 2 other numbers which can serve as a set of private and public encryption keys. With Mr B’s public key, Ms A can send a confidential message to him which he can decode with his private key. However, the mathematics involved is ‘one-way’, and the public key cannot decrypt the message it has encrypted - thus the message to B is secure. There is, of course, a mathematical relationship between the public and private keys, but it is complex and, provided the numbers are big enough, can exceed the ability of even the most powerful computers to ‘crack’. Thus a completely secure communication can occur between two parties without prior negotiation of a shared secret key.

This breakthrough (RSA, asymmetric or public key encryption) remained largely unused commercially because it was protected by patent, and its use outside the USA restricted by US export controls (for security reasons). However, in 1992, RSA was adapted for PC-users by a US computer security consultant who made this public as PGP (‘Pretty Good Privacy'). Despite official USA efforts to suppress PGP, it is now widely available via the Internet.

Official US bodies were concerned at the possible spread of such ‘strong’ encryption technology because it could make it impossible to intercept and decode communications in criminal and national security situations. It proposed in 1993 to keep control through a device known as the ‘Clipper’ chip - a tamper-proof chip manufactured under Government licence which would contain the encryption program itself. Individuals would have the chip (and associated cipher key) to use as they wished, but a copy of the private key would be lodged with a US Government ‘escrow’ agency, which would release it under specified conditions (e.g. in response to a court order). Anything generated by that chip could then be deciphered.

This proposal was opposed widely by US civil liberties groups and seen by interests outside the USA as offering a ‘trapdoor’ for US authorities to commercial traffic. Serious technical shortcomings led to new policies where private keys would be held by ‘Trusted Third Parties’ who would have the responsibility of responding to court warrants, etc. US companies could also export encryption of key lengths of 56 bits or less (a length which may be ‘crackable’ anyway), providing the industry worked to develop 'key recovery products'. These now exist and mean that when a company uses one of these products, it has to register with a key recovery agency. This is not the same as depositing the private key, but still allows targeted traffic to be deciphered via a knowledge of the key recovery agency and the customer's public keys.
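An added example, not part of the original report: textbook RSA in Python showing the two operations of Figure 1 and what a deposited private key allows a Trusted Third Party to do. The Mersenne-prime parameters, the separate confidentiality and signature key pairs, the sample messages and the EscrowAgent class are assumptions made for illustration; there is no padding and the keys are far too small for real use.

```python
"""Textbook RSA: Figure 1's two operations and the effect of key escrow."""
import hashlib
from dataclasses import dataclass

E = 65537  # widely used public exponent

@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus = product of the two primes (public)
    e: int  # public exponent
    d: int  # private exponent (secret)

    @property
    def public(self):
        return (self.n, self.e)

def make_keypair(p: int, q: int) -> KeyPair:
    """Box 2: two primes yield two further numbers, the public and private keys."""
    phi = (p - 1) * (q - 1)
    return KeyPair(n=p * q, e=E, d=pow(E, -1, phi))  # needs Python 3.8+

def encrypt(message: bytes, public) -> int:
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(ciphertext: int, n: int, d: int) -> bytes:
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, n: int, d: int) -> int:
    # Apply the private key to a hash of the message.
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    # Anyone holding the public key can check the signature.
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

class EscrowAgent:
    """Hypothetical Trusted Third Party that stores deposited private keys."""

    def __init__(self):
        self._deposits = {}

    def deposit(self, owner: str, purpose: str, key: KeyPair) -> None:
        self._deposits[(owner, purpose)] = (key.n, key.d)

    def release(self, owner: str, purpose: str):
        # Returns (n, d), or None if no such key was ever deposited.
        return self._deposits.get((owner, purpose))

def demo() -> dict:
    # Constructed sample primes (Mersenne primes): convenient, not secure.
    conf = make_keypair(2**61 - 1, 2**89 - 1)    # Mr B's confidentiality pair
    sig = make_keypair(2**107 - 1, 2**127 - 1)   # Mr B's signature pair
    ttp = EscrowAgent()
    ttp.deposit("Mr B", "confidentiality", conf)  # signature key not deposited
    out = {}

    # Figure 1(a): Ms A encrypts with PUBLIC(B); only PRIVATE(B) decrypts.
    ciphertext = encrypt(b"Hello", conf.public)
    out["b_reads"] = decrypt(ciphertext, conf.n, conf.d)

    # Figure 1(b): Mr B signs with PRIVATE(B); Ms A checks with PUBLIC(B).
    contract = b"Terms: 100 units at 5 pounds"
    altered = b"Terms: 100 units at 9 pounds"
    signature = sign(contract, sig.n, sig.d)
    out["genuine_verifies"] = verify(contract, signature, sig.public)
    out["altered_verifies"] = verify(altered, signature, sig.public)

    # Key escrow: the deposited confidentiality key reads the traffic ...
    n, d = ttp.release("Mr B", "confidentiality")
    out["escrow_reads"] = decrypt(ciphertext, n, d)
    # ... but it cannot produce a signature that verifies as Mr B's.
    out["signature_key_released"] = ttp.release("Mr B", "signature")
    other = b"Terms: 1 unit at 500 pounds"
    attempt = sign(other, n, d)
    out["conf_key_signature_verifies"] = verify(other, attempt, sig.public)

    # Had the signature key been deposited too, whoever holds the copy could
    # sign as Mr B, and a valid signature would no longer prove authorship.
    ttp.deposit("Mr B", "signature", sig)
    n2, d2 = ttp.release("Mr B", "signature")
    attempt2 = sign(other, n2, d2)
    out["escrowed_sig_key_signature_verifies"] = verify(other, attempt2, sig.public)
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the practical difference between escrowing a confidentiality key and escrowing a signature key: the first exposes message contents to the key holder, the second removes the evidential value of the signature.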

CURRENT ISSUES ON TTPS

The basic market needs for a CA/TTP include:
- maintaining unique identifiers for individuals and organisations, and generating key pairs;
- certification (validation of each name's public key);
- key management - for keys used for validation and signature; and for maintaining confidentiality;
- storage of encrypted data, key recovery services;
- security services for validation, time-stamping, non-repudiation, etc.
- agreement and enforcement of contracts between parties who only meet in 'cyberspace'.

At present, such services are provided by the market at low cost and are integrated 'unseen' into browser and other software (Figure 2); meanwhile new CAs/TTPs can be set up to serve particular markets - for example the banking sector might wish to establish its own 'internal' TTP system, while other bodies such as the Post Office, solicitors, or quality control bodies could offer more widely available services. Development of such services is however seen as needing regulatory certainty over what conditions of licensing will be applied. The 1997 proposals received much support on the principle of establishing a licensing scheme, and also because they sought to encourage alternatives to the current situation where advanced encryption software often involves relying on US key recovery agents which are responsive first to US law enforcement agencies. They were however criticised on the grounds that:
- adding key escrow to the role of the CA created a potential risk to the customer’s security, as well as an organisational burden which could limit the number of bodies able to offer such services and add to costs;
- ways of evading ‘legitimate’ encryption exist - keys need not be escrowed or other encryption techniques used (e.g. steganography 'hides' messages in digital data of a picture or music score). The proposals could thus have brought cost and complexity to law-abiding users while not achieving the results desired by law enforcement agencies;
- the global nature of such schemes introduces jurisdictional issues of extra-territoriality [1];
- depositories of many secret keys could be an irresistible target for hackers or criminal/terrorist in-

[1] One single TTP world-wide is clearly impractical, so there would have to be one or more networks of TTPs to bridge national and international legal frameworks. Thus a British TTP would have to comply with UK law, but would have to be trusted internationally in order to fulfil its role; equally, there would have to be restrictions on bodies offering services outside the UK to evade UK licensing conditions.

Such questions are not unique to the UK and encryption has to be recognised as an international issue in which many players are currently operating. In the USA, current legislative proposals link licensing of TTPs to key escrow, but licensing would remain voluntary. The OECD agreed a number of principles in March 1997 which, while recognising that key escrow could be required in certain circumstances, also warned against "unjustified obstacles to international trade and the development of information and communications networks (8th
principle)" and "legislation which limits user choice (2nd principle)." The 5th principle states that: "The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods".

Independent experts saw the former Government's proposals as going beyond the OECD position and essentially leading to mandatory key escrow and an expansion in the capabilities of surveillance authorities to access and decode routine traffic. As such they attracted opposition from industry which saw them threatening vulnerability to fraud and industrial espionage, while also being linked to one technical approach to encryption at a time when technology was bringing in a range of alternative encryption systems to maintain confidentiality. The value of private key encryption is now increasingly for verification - exactly the area where key escrow is undesirable.

Many anticipate that the DTI's revised proposals (expected imminently) will reflect these concerns and provide for a more voluntary regime with less demanding conditions for private key escrow. It will also recognise the importance of attaching conditions only to confidentiality keys (and not those for authenticity, where national policy will need to mesh with a proposed EU draft directive on digital signatures). Independently of any regulations, the UK industry (via the Alliance for Electronic Business) proposes a voluntary 'Trust Services Infrastructure' whereby CA/TTPs would be able to join a UK Trust Services Association acting as a 'voluntary' regulator to ensure appropriate standards of competence and trustworthiness of member bodies. It would also work to develop a 'Global Trust Infrastructure' through coordination and mutual recognition of equivalent bodies overseas.

Even with DTI's new proposals, tensions will still remain between the interests of efficient e-business (flexible strong and cost-effective encryption services) and those of law enforcement and intelligence agencies which still need access to suspicious communications. Those in the industry see the primary goal as an unrestricted market for strong encryption products which is globally interoperable, but wish to work with Governments (US and EU) to define conditions of access for law enforcement purposes etc. without mandatory key escrow.

The ultimate solution to this quandary is not yet defined, but many point out that the 'genie' is already out of the 'bottle' and strong encryption which does not depend on public key encryption is in use making reliance on key escrow too technology-dependent. At the same time, those concerned to thwart interception can use their own keys or other techniques to evade controls. Many thus argue that it is important that the legitimate needs of interception, surveillance and decryption take full account of these realities and ensure that the necessary measures are both technology-independent and avoid stifling legitimate commerce or rendering it vulnerable to industrial espionage. One option cited by some would be to strengthen the law to make it an offence to refuse to decrypt specific transmissions or data targeted by a judicial warrant (or to require them to provide hard copy of the original transmission). A parallel approach may need to recognise that the volume of e-traffic is now so large and growing so fast [2] that much greater selectivity is needed to identify those transmissions of interest, and to recognise a greater role for sectors of business to regulate themselves - perhaps under more official guidance (e.g. via codes of practice) on security, access control, and how to identify and respond to suspicious traffic.

INTERNET COMMERCE AND TAX

Governments are clearly interested in the potential macroeconomic effects of Internet commerce. Some of these will benefit consumers who will be able to shop globally for the best prices on goods and services, potentially levelling heretofore distorted markets (without the need for complex intergovernmental trade negotiations). On the deficit side, Internet commerce may diminish the ability of government to raise taxes on goods, services or income.

The current complex web of national and international tax legislation has evolved around conventional models of business - where physical goods are bought and sold, and where customers and suppliers have a place of residence. As increasing amounts of trade have involved less tangible items such as financial and telecommunications services, tax agreements have adapted accordingly, but the potential growth in Internet-mediated business could pose real challenges to the ability of Government to maintain revenues. These issues are being addressed in a number of fora, for example by the OECD’s Committee on Fiscal Affairs, and also within the EU. This subject is complex and still very fluid, and thus only key questions are outlined in Box 3, relating to the twin problems of how best to avoid tax evasion or double taxation.

Overall, internet commerce impacts most severely on the two key concepts of residence and source. For instance, is a computer server connected to the Internet in a country in which the enterprise has no other presence, a 'permanent business establishment'? Or should tax status be related more to the support, storage and distribution centres? Even where it is possible to establish where the enterprise is located for tax purposes, the ability of residents to establish off-shore

[2] In 1997, the number of e-mails (2.7 trillion) was five times the number of paper mail delivered worldwide.

  P. O. S. T.    Technical Report                     11 4                                                               April 1998


Internet commerce brings in several areas             q   E-commerce may increasingly involve         A parallel set of issues affects the collection
of complexity with which existing systems                 new forms of electronic money not read-     of consumption taxes, such as VAT.
have never had to deal. Some of these are:-               ily recognised by the tax system.           q   Place of supply is a critical concept in
q   The ‘entry costs’ to global markets have          q   E-commerce may replace physical                 VAT which presumes a fixed establish-
    been reduced and made it accessible to                goods (e.g. CDs) which can be taxed             ment. Internet transactions could need
    many small companies, leading to rapid                crossing borders. The digital equivalent        to be treated in the same way as tel-
    expansions in cross-border activities.                flows unnoticed across communications           ecommunications services, and taxed
q   Many constraints on physical location                 links.                                          at the customers’ end.
    are removed. The ‘front office’ may be            q   Tax havens and off-shore banking facili-    q   The difference between goods and serv-
    ‘virtual’ and no more than a computer                 ties become more accessible, allowing           ices is blurred by Internet commerce.
    system with communication links, and                  more people to use these to reduce or           This is particularly important where it
    infinitely mobile. Internet business can              avoid taxation. Internet banking offers         relates to goods imported from outside
    involve many countries (one for the ‘web’             high degrees of anonymity and imme-             the EU, where currently they are liable
    site, another for product storage and                 diacy of funds transfer.                        to VAT at importation. Downloading the
    distribution; other national networks carry       q   With detection and enforcement, E-com-          physical good as data may allow VAT to
    messages). It is thus difficult to define             merce provides far less evidence of             be avoided altogether.
    where an activity is carried out.                     transactions than traditional commerce.     q   VAT rules distinguish between different
q   It can be difficult to identify participants in       Disintermediation may also mean that            services, which become difficult to dif-
    Internet commerce - for instance the                  the contracting parties are unaware of          ferentiate when all data are digitised.
    web page address provides no informa-                 withholding obligations. Encryption will    q   Even with off-line services involving the
    tion on where the machine is located.                 also contribute to the near impossibility       transfer of goods across borders, the
q   The removal of intermediate institutions              of tracking all movements and conduct-          increased volume of international traffic
    removes the main tool for revenue col-                ing audit trails.                               may well swamp the ability of customs
    lection - intermediate taxing points.                                                                 authorities to collect tax.

companies could lead to a tax-driven migration of                              indeed it would go against one of the areas of agree-
businesses to the Internet and Internet businesses to                          ment between the EU and USA on Internet Commerce
low tax jurisdictions. Combined with the anonymity                             - that taxes should not be heavier on the Internet than
and potential for evasion, this could have major impli-                        on traditional commerce (see later). Moreover, the USA
cations for tax recovery. By making source income                              has proposed that, at least in the initial stages, the
increasingly difficult to track, the growth of new elec-                       Internet should be declared a tariff-free environment,
tronic commerce may lead to the criterion of residence-                        whenever it is used to deliver products or services (this
based taxation assuming greater importance. The in-                            does not exclude it from tax liabilities when it is used in
creasing globalisation of companies may also increase                          the same way as a mail order service).
their flexibility to set transfer prices between different
                                                                               Such considerations have led to extensive debate and
parts of the business to minimise overall tax liability.
                                                                               consultations. For instance, the US Department of the
Such issues can be slow and difficult to resolve - as                          Treasury has put out a very detailed analysis of the
illustrated by the persistence of the Service Provider
                                                                               implications above, as part of an overall consultation;
anomaly where EU-based SPs charge VAT but those                                the OECD Committee on Fiscal Affairs has organised
based outside the EU do not.
                                                                               various discussion documents and meetings to try and
The difficulties foreseen in maintaining tax revenues                          identify consensus on the way forward. The UK Treas-
have led some to call for alternative, more direct taxes                       ury, Inland Revenue and Customs and Excise are
on Internet activity - for instance a 'bit tax', which                         engaged in these international activities.
would apply to the volume of data, irrespective of its
underlying value. Many UK Internet users already ay                            OTHER REGULATORY ISSUES
the equivalent of such a tax, in that they pay VAT on                          The USA sees the Internet as having a potentially
their telephone call to connect to a service provider, but                     profound effect on the global trade in services, whether
the bit tax would be specifically linked to the amount of                      these involve computer software, entertainment prod-
data traffic. Such a tax could, however, present many                          ucts, information services, product licences, financial
problems -for instance, it could not discriminate be-                          and professional services, or in terms of direct retail
tween high volume/low value uses (e.g. telemedicine)                           sales and marketing where customers are able to shop
and low volume/high value transactions (e.g. selling                           in their homes for products from all over the world.
shares). It could also be an unstable arrangement - as
the volume of data on the Internet increases, presum-                          The above applications potentially raise problems
ably the tax rate would have to be constantly adjusted.                        which could lead to governments attempting to regu-
The question of bit taxes is thus not being seriously                          late. For instance, different national regulations for
examined in the various international groups involved,                         professional qualifications make trans-border profes-

  P. O. S. T.   Technical Report         11 4                                                               April 1998

sional services potentially problematic. The laws a              BOX 4 US AND EU POLICIES ON INTERNET COMMERCE
consumer relies on for protection at home might not              The US "Framework for Global Electronic Commerce" (The White
apply in the country selling the service, and thus               House, July 1997) set out 5 principles for policy on e-commerce:
redress (e.g. refunds) might be difficult to obtain. 'Con-       1. The private sector should lead, with governments encouraging
tracts' agreed in Cyberspace might not fulfil national              industry self-regulation.
legal requirements. Supporters of Internet commerce              2. Governments should refrain from imposing new and unneces-
see considerable dangers if national governments (or                sary regulations, bureaucratic procedures or taxes and tariffs
the EU) react by imposing extensive regulations on the              on commercial activities over the Internet.
Internet and electronic commerce, arguing that this              3. Where government intervention is necessary, its goal should be
                                                                    "minimalist" - to ensure competition, protect intellectual prop-
would stifle it before it has attained economic viability.
                                                                    erty and privacy, prevent fraud, foster transparency, support
Potential areas of regulation foreseen included taxes               commercial transactions and facilitate dispute resolution.
and duties, restrictions on the type of information              4. Existing laws that may hinder electronic commerce should be
transmitted, control over standards development, li-                reviewed or eliminated.
censing requirements and rate regulation of service              5. The legal framework supporting commercial transactions on the
providers, measures to 'protect' the consumer, and                  Internet should be governed by consistent principles across
other potential regulations (e.g. on digital signatures).           state, national and international borders.
                                                                 The EU/US Summit in Geneva (5 December 1997) reiterated the
In an attempt to avoid such a scenario, the USA pro-
                                                                 principle of market forces, but also committed (inter alia) both sides
posed a "Framework for Global Electronic Commerce",
                                                                 to work towards:
which should follow the primary principles espoused              q   A global understanding that when goods are ordered electroni-
in Box 4. These are essentially the same as the UK                   cally and delivered physically, there will be no additional import
Government's own four principles:                                    duties applied in relation to the use of electronic means. In all
l The law should apply on-line as it does off-line,                  other cases of electronic commerce, the absence of duties on
    with the result that each person is responsible for              imports should remain.
    their own conscious acts and omissions.                      q   Ensuring the effective protection of privacy with regard to the
l Need international co-operation between enforce-                   processing of personal data on global information networks.
    ment authorities in different jurisdictions, and be-         q   The creation of a global market-based system of allocation and
                                                                     governance of Internet domain names which fully reflects the
    tween legislatures where harmonization of existing
                                                                     geographically and functionally diverse nature of the Internet.
    laws is possible (e.g. a Uniform Commercial Code).
                                                                 q   Active support for the development of self-regulatory codes of
l Businesses and consumers should have access to                     conduct and technologies to gain consumer confidence in
    tools enabling them to protect themselves (e.g.                  electronic commerce (including involving all market players and
    rating/filtering for harmful content; digital signa-             consumer interests).
    tures for verification etc.).                                q   Close co-operation and mutual assistance to ensure effective
l Service providers should take voluntary action to                  tax administration and to combat and prevent illegal activities on
    uphold the law on-line, while government keeps an                the Internet.
    open mind on possible needs for future regulation.           Some specific EU Measures are starting to emerge. For instance,
                                                                 a draft directive has just been released on Digital Signatures, the
The EU has also accepted the need to avoid 'regulation           Regulatory Transparency Directive may affect e-commerce in its
for regulation's sake', but has identified a number of           extension to services. The EC is also establishing principles for
areas where electronic commerce poses challenges,                content regulation by service providers.
which, in the Commission's view, require action under
                                                                 products can attract a refund from credit card operators
the Single Market framework (see also Box 4). Some of
                                                                 and offending merchants could be taken off card com-
the early proposals under these headings are already
                                                                 panies' lists of approved vendors.
raising concerns in industry about their potentially
inhibitory effect on the growth of e-commerce within             Some need for regulations is foreseen however -e.g. to
the Community. For instance, Commission proposals                define the requirements for electronic contracts to be as
on digital signatures need to avoid being technology-            valid as paper ones. But when needed, there is a wide
dependent (e.g. recognising only the use of public key           consensus that they need to be international or interna-
encryption), thereby excluding other approaches which            tionally coordinated, and technology-neutral, in view
might be acceptable to the market. Some ideas on                 of the rapid changes involved. An example of such a
'consumer protection' have also suggested introducing            light regulatory touch might be to establish the frame-
a requirement that terms and conditions be provided in           work for legal recognition of digital signatures, but
hard copy, before an electronic transaction can be con-          enabling any technology to be accepted as producing a
firmed, which would rather go against the purpose of             digital signature providing it meets general require-
e-commerce to eliminate such steps! Supporters of e-             ments of reliability, unambiguity, etc.
commerce point out that there is much potential for              With the dominance of the USA in the Internet's history
self-regulation which has already evolved without the            and current usage (80% of Internet traffic is in the USA),
intervention of regulators. For example, unsatisfactory
  P. O. S. T.   Technical Report                   11 4                                                                 April 1998


Censoring or jamming undesirable or illegal        Where materials are held to be illegal, how       The most promising approach is voluntary
content faces two primary challenges - first,      can one go about removing them, given the         content labelling, possibly backed up by
deciding on what is to be restricted, and          difficulty of assigning responsibilities in the   access providers making it a condition that
then actually restricting it.                      complex web of the net. After all, the            all material posted is so labelled. Once
Most material on the Internet is generally         content provided may not originate in the         labelled, it is a simple job (either for the SP
available in other formats by other means.         UK, or be put on the net in an area where the     or user) to apply a filter and to restrict use
What the Internet does is allow individuals        material is not illegal. Since UK law does not    to specified ratings. Such an approval
or small groups a huge audience at little          extend outside the UK, most attention has         system is under development by the Plat-
cost. Some of these society may well regard        focused on the Service Provider's (SP)            form for Internet Content Selection
as ‘deviant’ and object to, but there are many     responsibilities in controlling content since     (PICS). Other methods of making it more
more groups (e.g. for disabilities) which use      these companies provide the Internet con-         difficult to post undesirable material include
the Internet to their benefit, and there is        nection, and access in the UK itself.             a requirement for subscribers posting con-
widespread resistance to interfering with          Technical filtering of the broad contents of      tent to explicitly identify themselves, and
the 'freedom' of the ‘Net’ among its users.        all sites is theoretically feasible, but the      providing SPs the ability to monitor and
                                                   computers need to be primed with key              sample content to ensure the accuracy of
The Internet is not, however, a law-free
                                                   words to search for, or some other guid-          conten labels.
zone - material that is illegal off-line is also
illegal on-line, and criminal liability falls on   ance. Much filtering software has the prob-       While such technologies would make it
those who hold and access clearly illegal          lem of blocking out perfectly legitimate sites    easier to filter out undesirable content, they
material, such as child pornography. The           along with those dealing in, for example,         still place much of the responsibility on the
global nature of the Internet may, however,        sexually explicit images. Such systems            individual user to ensure that their wishes
make such principles difficult to enforce.         cannot, therefore, even in principle be relied    are being met. Broad efforts to ‘clean-up’
Outside cases of clear illegality, defining        on to make statutory judgements, although         the net are almost bound to be doomed to
what is undesirable faces the same prob-           they can raise alerts about material with         failure, even after the adoption of a rating
lem as for material available by other means.      particular characteristics - for instance, rac-   system because the technical complexity
For example in the UK, defining what, under        ist words, explicit sexual language, flesh        of the system and the sophistication and
the terms of the Obscene Publications Act          tone in a graphics file, violence, and alert      motivation of many of its users will always
(1989), would ‘deprave and corrupt’.               individual users to exercise their own choice.    leave loopholes.

there are concerns at the potential use of the interna-                      viders etc., and the fact that with thousands of web sites
tional regulatory regimes to advance national eco-                           setting up each day, and thousands closing, compre-
nomic interests. Thus the USA already exports $40B                           hensive content scanning would be almost impossible.
per year of goods and services in the categories for
                                                                             As described in Box 5, the main approach being pur-
which Internet commerce is seen as a medium of
                                                                             sued in the UK is voluntary self-regulation - whereby as
growth, and thus maintaining the Internet as a 'free
                                                                             soon as a SP is aware of illegal material it is under an
trade' zone can be seen as very much in the USA's
                                                                             obligation to remove it (or face legal liability as an
economic interest. Some see the EU countries' failure so
                                                                             accessory). At present, sites are identified primarily
far to develop a common position on issues such as
                                                                             through a 'hot-line' run by the Internet Watch Founda-
encryption that is also acceptable to the Middle Eastern
                                                                             tion (IWF) - an industry-funded group which receives,
and ASEAN nations, as assisting the USA to impose its
                                                                             vets and where necessary acts on reports. Where
own trading and regulatory regimes, as well as making
                                                                             content is deemed illegal, the sites are removed from
it difficult for European suppliers to develop a viable
                                                                             the SP's servers and where appropriate, police advised
market for their encryption products. Notwithstand-
                                                                             in the UK or other countries. Although child pornogra-
ing these concerns, progress is being made towards a
                                                                             phy has been the primary focus so far as clearly illegal,
common viewpoint between the USA and the EU, and
                                                                             other categories exist which may also be illegal - e.g.
a joint statement following the EU/USA summit in
                                                                             disseminating bomb-making recipes, advice on how to
Geneva (December 1997) reiterates the principle of
                                                                             make fraudulent bank notes. But the main volume of
market forces applying in the Internet, and commits
                                                                             traffic comes in the greyer area where it may not be
both sides to working towards the objectives in Box 4.
                                                                             illegal but is offensive to many, such as adult pornogra-
One area which illustrates the limited power of regula-                      phy, racist material or personal slander.
tory authorities when faced with the global phenom-                          Here the emphasis is very much on making it easier for
enon of the Internet is what to do about public concerns                     individuals to restrict their (or others such as children)
over illegal and harmful content. As explained in Box                        access according to ratings on sex, nudity, language
5, the technical challenges of an effective means of                         and violence. Some web sites already carry such a
filtering out undesirable content are complicated by the                     rating (e.g. from the Recreational Software Advisory
Internet's global reach, the variability of 'illegal or                      Council - RSAC), and modern Internet browsers can be
harmful' content between different countries, debate                         instructed to 'screen out' sites with particular ratings (or
over responsibilities of content providers, service pro-                     those without any rating). The IWF and analogous
  P. O. S. T.   Technical Report               11 4                                                                    April 1998

bodies in other countries see this as the way forward                    Other issues arise from the 'convergence' between
rather than national regulatory authorities attempting                   telecoms, broadcasting, and computing in the Internet
to control content further. Indeed, the USA explicitly                   and also the many different services (financial, retail,
supports the broadest possible free flow of information                  marketing, etc.) delivered over it, which can involve
across international borders, rejects the types of content               several different regulators. The DTI will be consulting
regulation applied to radio and TV, and sees dangers                     later in the year on the implications for the regulatory
that attempts by nation states to regulate content could                 system of digital convergence, and there have also been
disguise trade barriers as attempts to maintain cultural                 calls (e.g. via the EC's 1997 Green Paper) to re-examine
or ethical values. The current regulatory inconsisten-                   the role of the many regulators involved, to eliminate
cies whereby the Internet offers access to material                      inappropriate cross-over in their responsibilities and
which would be banned (or subject to prosecution) if                     provide a simple system of protection for consumers,
delivered by conventional broadcast media will thus                      businesses and the public interest. In this context, the
continue and users will remain very much 'on their                       DG of OFTEL recently called for existing bodies to be
own' when it comes to protecting their interests.                        rationalised into two 'Electronic Communications' bod-
                                                                         ies - one dealing with competition, economic and social
There are many other issues relating to the 'Information                 policy issues; the other with content regulation.
Society' which have been covered elsewhere3 - intellec-
tual property protection, data privacy etc. However,                     A final point on regulating the Internet comes from the
one important management issue is the apparently                         responsibility of Government to safeguard its people
mundane question of how people or organisations are                      and national assets. There is growing concern that
awarded their 'domain' names- the electronic 'ad-                        Governments are ill-prepared for the threats of 'infor-
dresses' of the Internet web sites. Thus the UK Parlia-                  mation warfare', computer crime and 'cyber-terrorism'
ment’s web address is; that of the                     as nations become increasingly reliant on the Internet
White House is; such domain                           and other electronic systems in every aspect of life. In
names have clear advantages over their electronic                        the USA, much attention is being given to these issues
equivalent (a string of eleven numbers). As the Internet                 (e.g. by Congress). In the UK, the debate is starting to
has expanded however, the difficulties of a company                      develop through professional institutions such as the
obtaining the domain name it prefers have grown, and                     IEE and BCS, and a Cabinet Committee is also con-
new ways of allocating these are being sought. As the                    cerned with vulnerability of IT infrastructure (e.g. to
Internet essentially grew out of a US research network,                  the 'millennium bug').
the US National Science Foundation set the original
name allocation system up, but the US Government is                      MAINTAINING THE DEBATE
seeking to privatise these functions, introduce compe-
tition and make them more accountable to the user                        Internet commerce interacts with many programmes in
community.                                                               government, between governments, within interna-
                                                                         tional organisations, and within national and interna-
There are many different communities that use the                        tional business. In the UK, DTI's Information Society
Internet - individuals, academics, business and, in-                     Initiative is central and brings together such pro-
creasingly, governments, etc. and finding a consensus                    grammes as 'IT for All', the ISI Programme for Busi-
on this is proving difficult. Domain names can have a                    ness, and the 'Enterprise Zone'. DTI acts within the EU,
high commercial value, and there are an increasing                       and is also the conduit for UK input into current
number of disputes over registered 'trade names' etc.                    discussions in the OECD on common approaches,
The proposed replacement for the current system with                     while the UN is also involved via the UN Commission
US private registrars has caused concern, particularly                   in International Trade Law (UNCITRAL) and WTO.
outside the USA, and the Internet’s Policy Oversight                     UK industrial views are now being developed through
Committee, has put forward proposals to increase the                     such bodies as the Alliance for Electronic Commerce.
number of names available, and to diversify their man-                   At the European level, the lobbying over the Copyright
agement into a more international framework. This                        and Liabilities Directives by Internet and Telecoms
issue is not yet resolved, but again emphasises the                      providers on the one hand and by publishers and
importance of developing a timely EU-wide view so                        content providers on the other, is particularly intense.
that foreign users of the Internet are not disadvantaged                 Meanwhile the Internet also has the potential to trans-
- perhaps through 'the Bangemann proposals' for a new                    form the relationship between the citizen and the state
international framework for Internet management,                         as well as the way in which public services are organ-
along the lines of other international bodies such as                    ised and delivered3. All these aspects of electronic
OECD and WIPO.                                                           government provide much material for parliamentary
                                                                         Parliamentary Copyright, 1998. (Enquiries to POST, House of Commons, 7,
3. For example, POST's reports "Information Superhighways" in 1995       Millbank, London SW1P 3JA. Internet
and "Electronic Government" in 1998.
