Contracting, Reporting and Other Legal Issues

Lecture Notes:

Contracts

Business is usually carried out under contracts where seller and buyers fix the conditions of a specific transaction. The conditions can specify the quality and quantity of the product, delivery, payment, follow up (warranty, service).

There are three cases, when no written contract is needed about the quality of the product:

• The product satisfies a given standard, the conditions specifying into the standard are assumed and do not need to be defined in a written contract. Standards could State's, e.g. Bulgarian State's Standards (BSS), regional - e.g. Euro Norm (EN), or international - issued by the International Standard Organisation (ISO).
• The product is manufactured under conditions specified in a given standard, and an independent organisation certifies that standard requirements are followed (e.g. ISO 9000 series)
• The buyer accepts the product quality as it is advertised (the conditions specified in the advertisement are considered not as a promise, but as an obligation similar to obligations in a written contract).

Usually, delivery conditions depend on the quantity or volume of the product, as well as payment and further relations. The above notes can apply to some of the cases.

A contract is reached by:

• a formal offer from the seller and an acceptance of the offer by the buyer; or
• a formal order from the buyer and an acceptance of the order by the seller.

Contracts range from "simple" (e.g. purchase of a small quantity of low value product) to complex (e.g. "cover" contract for a long period of time fixing the conditions of acquisition of certain types of goods or services). In the simple cases usually no negotiation take place and no written contract is signed. The standards and more general legislation is applied.

EC services applicable to the Legal Activities in a Business Transaction:

• Transaction management (no human involved)- service between applications operating on behalf of the parties. The application serves on either side of the exchange is incorporated into existing Transaction Processing System (TPS). Usually simple orders, under pre-defined conditions.
• Inter-personal service (there is a human dimensions at both sides of the exchange), when some form of a negotiation is required.
• Key management and certification services (trusted third parties TTP) - to ensure that the parties involved in a transaction are who they say they are and that their exchange are protected against threats where appropriate. Guarantee the actual validity of the electronic keys and certificates shown by the involved parties. Part of Network Security.
• Interworking services (exchange when involved non compatible applications). These services are those that make possible the interchange of information between users:
• • service conversion - when the set of available operations or the parameters of the common operations are not the same. Some kind of primitive conversion rules, allowing a service conversion system to "translate" the service.
  • syntax conversion
  • language conversion

Types of activities:

• Buyer/Seller registration
• Electronic Notary
• Authentication
• Purchase order
• Purchase record
• Contract signature

Data Requirements

• Identification of People
• Identification of Organisations
• Identification of Products and Items

Network Security and Privacy

Complex issues of security, authentication, and privacy traverses modern networks. Confidence, reliability, and protection of the information against security threats is a critical prerequisite for the functioning of electronic commerce, especially during contracting and settlement activities.

Types of security:

• client-server security uses various authorisation methods to make sure that only valid users and programs have access to information resources such as databases. Access control mechanism must be set up to ensure that properly authenticated users are allowed access only to those resources that they are entitled to use. Such mechanisms include password protection, encrypted smart cards, biometrics, and firewalls. The problems (or "security holes") could be of the following three levels:
• • physical - access to a particular machine;
  • software - existence bugs or "holes" into a "privileged" programs;
  • inconsistent usage
• data and transaction security ensures the privacy and confidentiality in electronic messages and data packets, including the authentication of remote users in network transactions. The goal is to defeat any attempt to assume another identity while involved with electronic mail or other forms of data communication. Preventive measures include data encryption using various cryptographic methods.

Security techniques:

• trust-based security - trust every one and do nothing extra for protection;
• security through obscurity - security through hiding information about system operations (stand-alone systems);
• password schemes - first-level barrier to accidental intrusion - it pass in unencrypted form during transportation via the line in remote log-in session and it is easy to be trapped;
• biometric systems - comparison of fingerprints, palmprints, retinal patterns, signature verification, or voice recognition - extremely expensive;
• firewall - establishing a barrier between the corporate network and the outside world - placing a device (a computer or a router) between the network and the Internet to control and monitor all traffic between the outside world and the local network;

See the Flash Demos:
Firewall with packet filtering | Duael-homed firewall | Screened Host Firewall
• encryption - reversible mutation of the information in any form. Two types of encryption methods:
• • secret-key cryptography - Data Encryption Standard (DES)
  • public-key cryptography - a pair of keys (private and public) are used. Information encrypted by the private key can be decrypted only through corresponding public key, e.g. RSA (Rivest - Shamir - Adleman) system.
See the Flash Demo
• digital signature - a secure digital signature consists of two parts: a method of signing a document, and a method of verifying that a signature is actually generated by whomever it represents - Digital Signature Standard (DSS) specifies a Digital Signature Algorithm (DSA) is selected to be the digital authentication standard of the U.S.A. government.

See the Flash Demo

Reporting

Business transactions take place within particular regulatory frameworks dictated by Public Authorities. The objectives of this regulation are:

• consumer's interest (e.g. standards for quality of the product)
• community's interest (e.g. taxes)
• international agreements

All trading parties (sellers, buyers, mediators) need to communicate with Public Authorities in order to:

• obtain licences or certificates
• obtain authorisation for export, transport, installation, etc.
• pay taxes and charges.

In most of the cases, Public Authorities require paper based documentation. In 70s in the USA the "Paper Reduction Act" specifies that Government agencies can accept certain documents in electronic format. This Act creates opportunities for using paper-less technologies in such areas as accounting and clean the way of electronic commerce. Currently many countries developed laws regulating use of reporting data presented in electronic format, or accept such documents, because the existing law does not specify precisely the type of the document. E.g. in many standards was written that a certain document must be prepared using typewriter, because the only alternative was hand-written document. Authorities are ready to accept even printed documents as an exception. There are generally two ways to overcome this problem: to change every document regulated procedures and formats of reporting, or accept a single document that specifies the type of cases, which allow electronic format of document.

Digital signatures, Copyright, Online Publishing

The possibility for unique identification of the person, sending a message over the net, formed the idea of digital signature. The very existence of digital signatures is now in the root of performing electronic negotiations and business contracts, validating on-line documents and using digital money.

A digital signature is a number, encrypted by two keys: one is used by the author and the other - by the receiver. The first key is private, the second can be public. The public key can decode only signatures, encrypted by the private key. This permits the receiver of the signed message to be sure who signed it.

Digital signatures are not simply codes like those used in the guarding systems. They are encrypted in connection with the text of the signed documents and are different for different documents, so only the keys can decode them.

Mathematical methods for encryption, used today, proved to be reliable enough to save digital signatures from forging. When using Internet for preparing and signing a contract with a business partner, encryption algorithm ties the full text to the digital signatures. Changing one letter only in the contract destroys the signatures.

The legislation in European countries has not solved in full the problem of accepting digital signatures as real signatures. There is not enough evidence how the courts decide cases for denying or challenging such signatures. But using of digital signatures undoubtedly will be an important part of any Internet business and an element of the Information society. We still cannot evaluate the scope of the digital money in future, but the methods of introducing them in next decade provide using digital money together with digital signatures.

Another legal problem is the copyright on the Internet. All European countries protect the copyright. Yet due to specific presentation of the information on the net there are many cases of braking the copyright laws.

There are two main reasons to explain the growth of such crimes. The first one is technical. Any kind of information on the net - software, databases, multimedia, electronic books and newspapers, business data, stored information materials, etc., is easy to be reached, printed, copied and illegally sold or reused in the same or slightly changed form. The other reason is the belief among many users that the information on the net should be free. This belief is supported by some software and information producers who suggest free software and data on the Internet to attract users and later on continue with paid products. Many users react with attempts to steal them, some succeed.

Two categories of companies are the main victims of copyright crimes on Internet: software vendors and online publishers.

The software on the net is protected by the law as well as the off-line software. The legal protection of the software in USA was imposed in 1980 by the Software Copyright Act. Most countries in the world have such laws, but the categories of copyrightable software is different.

Online publishing (in the broad sense) includes everything put on the net for observation and use (free or paid): texts and hypertexts, multimedia works, data of any kind. All of them are protected by the law, but many materials are objects of crime regardless of copyright.

Online publishing includes all web-pages of companies and institutions (free but copyright protected), public materials, directories, research and study results, business information (both free and paid), digital books and journals (many of them paid) and so on. A large number of companies make their money publishing on Internet and they are most interested of strong online publishing copyright protection.

Some online materials are specially protected - e-mail messages, bulletin boards, individual messages of all kinds. For them the copyright laws to be imposed are to be joined with the constitutional human rights of free correspondence and privacy and corresponding legislation.

Law on the Internet

For several years the use of Internet was not object of any restrictions concerning the content of information sent on the mail. Gradually, a number of cases showing the use of the tremendous possibilities of Internet for criminal and dangerous goals brought to considering the problem of controlling the information spread on the Internet.

In the USA on June 15, 1995 the Senate passed the Communications Decency Act (CDA), restricting the kinds of information which can be put on Internet. CDA extended the existing law of telephone usage, prohibiting obscene or harassing phone calls mainly to protect children of access to such materials on the net. The problems of Internet use, of course, are much more difficult due to the incomparable possibilities of Internet to handle written information, video and voice together. But even the restrictions of CDA caused many protests in the USA of people being afraid that such Act restricts their freedom of speech, guaranteed by the Constitution. In the Supreme Court of the United States in a case of American Civil Liberties Union the CDA was named "unconstitutional as a flat ban on protected speech". The CDA was said to represent a unique censorship scheme that demands strict juridical scrutiny.

In Europe the problem of illegal and harmful content on the Internet was also examined as a major problem. The European Commission prepared a Communication to the European parliament, the Council, the Economic and Social Committee and the Committee of the regions. In this document the following areas of potential harmful or illegal contents which can be misused for criminal activities were shown:

• national security (instructions on bomb-making, illegal drug production, terrorist activities);
• protection of minors (abusive forms of marketing, violence, pornography);
• protection of human dignity (incitement to racial hatred or racial discrimination);
• economic security (fraud, instructions on pirating credit cards);
• information security (malicious hacking);
• protection of privacy (unauthorised communication of personal data, electronic harassment);
• protection of reputation (libel, unlawful comparative advertising);
• intellectual property (unauthorised distribution of copyrighted works, e.g. software or music).
• The Commission stressed that it is fully aware of the importance of this issues, and of the need to strike the right balance between ensuring the free flow of information and guaranteeing protection of the public interest so as to meet justified concerns.
• "As regards the distribution of illegal content on the Internet, it is clearly the responsibility of Member States to ensure the application of existing laws. What is illegal off- line remains illegal online" - points out the document.

  The prime responsibility for content of the information on the net lies with the authors and content providers. At the same time there are legal responsibilities of Internet access providers and host service providers. Although they do not directly control the content available on the Internet, in some cases they have been investigated by the authorities because of the existence of illegal and harmful content. Network operators, on the other hand, are not normally exposed to liability in criminal or civil law for the content.

  In a number of Member States, Internet access providers and host service providers have already set up systems of self-regulation. The Commission welcomed this general move towards self-regulation and had encouraged the setting-up of a European network of associations of Internet Access Providers.

  Computerised Voting and Electronic Democracy

  Use of Internet permits realisation of some political, social and economic activities which are important elements of the Democratic Information Society. One of them is the voting. Internet allows people of distant places to take part in a online discussion on a given problem as well as to vote. In some organisations and companies computerised voting is now fact. Much more difficult will such voting be in case of political elections, due to the huge number of voters and the specific problems of the election campaign.

  Any voting system must assure the following:

• to check that the voter is authorised to do so and that he votes only once;
• to secure that the voting is secret (except in the specific case when the vote is declared to be open);
• to make sure that nobody can change anyone else's vote and that all votes are counted.
• All these requirements can be realised in a well designed Internet based system. Such system must be able to check any voter and to write his name in the computerised voting protocol.
• It will not allow him to vote twice or more. Than the voter answers all questions on the ballot and provides his code (a large number, able to identify him in a unique manner) in the electronic voting message. He sends the message and keeps the code in case he wants to check that the system has included him in the voting protocol and his vote was correctly accepted by the system.

  The system may have additional checks to identify the voters. At the end it must publish the results of the voting - individually (including the identification codes and the votes for personal checks) and summarised.

  Electronic voting systems, used today, are even more complex because they must be absolutely independent from the people running them. But they are still used for internal needs of corporations and organisations, not for nation-wide elections.

  In next decade may be we will see first large-scale electronic voting. Probably it will not be for political elections but for exact measuring the public opinion on important matters (i.e. referendum). If it proves to be exact, honest and inexpensive, it will open the road to electronic democracy. It means that the authorities in a really democratic nation may often enough ask for the opinion of their citizens about important questions of legislation, local and central management, public expenditures and nation-wide projects. And sooner or later political elections based on electronic voting also will take place.

  The age of electronic democracy is not so far from now as some people think. The speed of solving the technical problems (computers, communications, software) perhaps is higher than that of solving the corresponding legal, social and political problems arising from the possibility of frequent mass electronic voting. But if there is a will in a country of going toward direct democracy, all problems can be solved in next one or two decades.

  Electronic Taxpaying

  Taxpaying systems in any developed country may be redesigned from using paper documents to electronic means. As collecting taxes is a vital activity for each country the usage of computers for this aim is not something new. What now is to be done is creating new taxpaying systems based on more courageous application of the networks.

  Electronic taxpaying is convenient for both sides. The state will faster and with less expenses collect the taxes. The taxpayers will not be forced to keep (or forget or lose) their records of the incomes and all the time calculate the taxes.

  The problems to be solved are mostly of legal and organisational, not of hardware or informational nature. The computers and the networks in many countries are already able to handle a nation-wide taxpaying system. The identification of the taxpayers (persons and legal entities) was completed and it has been long time used in different information systems. Now electronic signatures are to be introduced for the same reason and electronic money systems may be very helpful. The legislation and the governments are those who must go their part of the road to be ready for development and introducing electronic taxpaying systems.

  Electronic Negotiations and Legislation

  Negotiating and concluding contracts is a very important part of every business. Now all means of communication - letters, telephones, telexes, faxes, e-mail, etc. are used to support this work. The Internet allows the partners to negotiate faster, to prepare and co-ordinate much easier the portions of the future contract, to make the final version and to conclude the contract.

  All activities of both partners from beginning of the negotiations until the completing the final version of the contract are clear enough and do not produce any big legal problem. The last stage - the signing (and in this way - the concluding) of the contract is what poses legal problems, because the contract cannot be signed by the hands of authorised of both sides persons on the net. A possible solution is the usage of digital signatures as described at the beginning of this chapter. It still hides some danger for the partners in case of non-fulfilment of one side's duties and bringing it to trial. The digital signatures may not stand up in the court. The legislation in most countries is still not ready to meet such problems.

  Another problem (it arises often when other communication means are used, too) is the problem when of one of the partners wishes to change the contract informing the other partner by Internet but not perfectly signing a corresponding document (amendment, annex, additional agreement or so on). In such case the general rule is that the changes of the contract are not legal.

  Civil Rights, Liberty and Privacy

  New information and communication technologies and the world wide use of Internet may be dangerous to some civil rights. The content of Internet may be illegal or harmful, as was pointed out above in this chapter, and in such respect to violate the rights of Internet users. From the other side the proposed restrictions of free flow of information on the net may be regarded as a violation of such fundamental human right as the right of free speech. Most civil rights organisations insist that all speech, no matter how controversial, must be carried without discrimination, and system operators are to be protected from liability for user's actions.

  The very existence of more and more Internet-connected personal computers at homes hides some dangers for the liberty and privacy of their owners. Everybody can send messages to the owner, to try to interfere in his web materials or to use illegally his software. In the USA the central law protecting the privacy of electronic communications is the Electronic Communications Privacy Act. This Act forbids the interceptions of messages when hey are in transit (except in some well specified cases of extreme necessity). Another laws protect personal privacy rights: nobody can disclose someone's personal affairs in public, the medical and banking information is also protected. Business information, especially trade secrets, are illegal to be disclosed, too.

  The problem of protecting the civil rights and privacy of Internet users is not satisfactory solved yet anywhere in the world because the matter is a relatively new one and the legislators usually need more time to enact the necessary laws. But the problem has another side - the prompt reaction of the society to any violation of these rights will be the support the people need until the legal protection gets imposed.

  ---

  Guest Lecturers:

  Contracts: The Basics

  How to write a business report

  How to present business results

  Password Security, Protection, and Management - US-CERT

  VeriSign Digital ID Center

  The International PGP Home Page

  FAQs ABOUT COPYRIGHT

  FREQUENTLY ASKED QUESTIONS ABOUT COPYRIGHT

  VeriSign Digital ID Center - Introduction to digital certificates

  ---

  Assessment Remark: The completion of the assignments included in this module (test, essay and participation in discussion) will form 10% of the final assessment.

  ---

  Test

  Answer the following questions in several sentences and mail the answers to your tutor.

  • Shortly describe the peculiarities of contracting through the Internet.
  • What kind of security techniques are used to solve the problems of the insufficient privacy and security on the Internet?
  • Comment the significance of reporting.
  • What are the problems related to copyright and online publishing?

  ---

  Questions for Discussion:

  Do you believe that legislation can efficiently control the Internet?

  ---

  Essay

  Write a two-page essay on the following topic:

  • The human dimensions of the electronic democracy

  ---

  Resource Bank

  • The Security and Privacy topic has several aspects when connected to business over the Net. Here are the aspects covered here:

    • Secure passwords
    • Computer privacy
    • Secure mail
    • Anti-virus security
    • Copyright, trademarks, patents, etc.
    • Public certificates
    • Other Resources

  • Secure passwords. The most important feature of a password is whether it is safe or not. Most of the passwords people choose are easy to crash by the sophisticated programs run on powerful computers. If you choose a word for your password such a program can crash it for less than an hour. How to choose a safe and secure password which is still easy for you to remember? Here are several links that will help you choose your password:
  • Password Security tips for choosing a password
    Choosing a Safe and Secure Uniqname Password
    Password Security: A Guide for Students, Faculty, and Staff of the University of Michigan
    Firewalls Mailing List: Re: Randon password generators (fwd) A discussion on random password generators
    Password Security Useful tips for choosing a secure password
    Benchin' Browse - System & Utilities : Security : Password Recovery Tools for recovering lost passwords.
  • Computer privacy
  • Electronic Privacy Information Center Home Page news and resources on privacy
    Computer Privacy Information Computer Privacy Information from University of Pennsylvania. A directory with a lot of useful links
  • Secure mail and cryptography. The electronic mail is a very useful and easy to use delivery medium. It is often used by businessmen to deliver confidential information. However without proper encryption e-mail is by no means safe and other eyes may see the information you send. Utilities like PGP can help you for the encryption and decryption of your mail messages. Here are some useful links on e-mail security and cryptography:
  • Data Recovery Services - some useful links
    A brief comparison of email encryption protocols . This document briefly reviews and compares five major email encryption protocols under consideration: MOSS, MSP, PGP, PGP/MIME, and S/MIME.
    "Default" . Aslide show about public key cryptography, the technology underlying secure e-mail
    PGP User's Guide, Volume I: Essential Topics
    MIT PGP Frequently Asked Questions Questions and Answers about MIT's Release of PGP 2.6
    PGP 2.6.2 FAQ, Buglist, Fixes, and Improvements . PGP 2.6.2: Frequently Asked Questions, Known Bugs, and Improvements
    MIT PGP Home page . MIT distribution site for PGP (Pretty Good Privacy) - PGP or Pretty Good (TM) Privacy is a high-security cryptographic software application that allows people to exchange messages with both privacy and authentication.
    E-mail insecurity - Nov 1993 . The University of Pennsylvania's computing magazine.
    Secure electronic Messaging . A paper about the PGP software, contains a lot of links to PGP resouces
    Your Eyes Only Reviewer's Guide . Norton's PC security tool - encryption and decryption
    Setting up Eudora Pro for Kerberos Security . Setting up Eudora to use Kerberos authentication protocols. Kerberos is an ultra high security password/authentication/encryption system designed by MIT and Cornell University.
    SECURTY1.DOC -- 19960730 -- Email thread on NetWare Security Issues . Email thread on NetWare Security Issues
    Cryptography . a list of freely available crypto systems, with comments
    Pointers to Cryptographic Software . This page contains a catalog of software packages related to cryptography.
    VeriSign Digital ID Center . The solution to problems of identification, authentication, and privacy in computer-based systems lies in the field of cryptography. This site presents an introduction to cryptodraphy - Public Key Cryptography, Digital ID, Certification Hierarchies, etc.
    RSA's FAQ About Today's Cryptography: General
  • Anti-virus security. The security of your data includes the anti-virus security. Here are some tools on fighting with the infection and information about viruses and how to prevent the damages:
  • Antivirus Resources, Antivirus Software . A directory of anty-viral resources - software and information
    Computer Virus Information from University of Pennsylvania - Resources and newsgroups
    Data Fellows World-Wide Web Server . Business software and information. Anti-virus and cryptography info and software are available
  • Copyright, trademarks, patents, etc. The laws in the area of copyright, trademarks, patents, etc. for computer products.
  • Computers and Law
  • Public certificates
  • Public Key Certificates . In order for a public key scheme to be successful, users must be guaranteed that the public key of another user truly belongs to that user. The means by which a public key is bound to a user is the public key certificate. The public key certificate is a collection of information issued and signed by a CA (Certification Authority). A certificate contains: the owner's public asymmetric encryption key, the DN (Distinguished Name) of the owner, the DN of the certification authority, he period during which the certificate is valid, a version number, a serial number.
    VeriSign Digital ID Center FAQs . Digital IDs provide an electronic means of proving your identity, much like a driver license or passport does in face-to-face interactions. With a Digital ID, you can assure friends, business associates, and online services with whom you communicate electronically that the messages they receive from you are authentic. This document provides answers to questions that you might have about using Digital IDs.
    VeriSign Digital ID Center . This document introduces Digital IDs and answers questions you might have about how Digital IDs are used.
  • Other links to information and products on password, data, computer, network security
  • Hacking and Security . A lot of links divided into the following topics: Basic Stuff, Site Security, Password Crackers and Checkers, Password Protection, Login Monitoring, Firewall Ref, Firewall Tools, Secure Service, Kereberos, Cryptography Export, SATAN, Trusted Systems, Security for the Net, Hackers & Crackers, Other Resources
    M-Tech -- Security assessment services . M-Tech offers a variety of security assessment and planning services. This document outlines our services, and provides a broad introduction to the development of network security across platforms and throughout an entire organization.
    M-Tech Mercury Information Technology, Inc. . M-Tech is a computer network security company. "We provide a broad range of computer security services and products, including: A password synchronization program called P-Synch; Network security assessment and development services; Contract development of secure and/or distributed software."
    FIRST Computer Security Clearinghouse Conference of the Forum of Incident Response and Security Teams June 1997
    Higher Education Information Security Pages . This is a list of known higher education information security pages.
    Computer Security Information . Computer Security Information from University of Pennsylvania
    Gateway to Information Security Home Page . Information Security Links and other information
    Network Working Group D. Eastlake, 3rd Request for Comments: 1750 DEC . Randomness Recommendations for Security
    rfc1244 . Site Security Handbook
    rfc1750 . Guidelines for the Secure Operation of the Internet
    Phrack Inc.== Volume Three, Issue 27, File 5 of 12 COSMOS COmputer System . solutions to some computer security problems
    CNS - Network Security Pages - Bibliography . information about several books on topics related to security
    Return to the FIPS: Category Index. | Numerical Index. FIPS PUB 112 Federal . Federal Information . Processing Standards Publication 112. Announcing the Standard for PASSWORD USAGE .
    HELPFUL HINTS WHEN SELECTING DATA SECURITY SYSTEMS (#1940) . HELPFUL HINTS WHEN SELECTING DATA . SECURITY SYSTEMS
    SIDEBAR: Twelve Tips for Top-Notch Security . tips for making your system more secure .
    Web Page Security . Password Protected Web Pages . You may protect the security of your web pages by setting up username-password controlled directories within your web site. When the user tries to browse to a protected page, she is asked for a username and password. Both must be correct to enable entry.
    Security for Internet Commerce: How Much is Enough? a slide show.