Poverty and Development Division
(PDD)

last updated : 20 December 1999

Economic and Social Survey of Asia and the Pacific, 1999

Part Two: Asia and the Pacific into the Twenty-first Century CH.V. ELECTRONIC COMMERCE


REGIONAL AND INTERNATIONAL DIMENSIONS

There are a number of new standardization and legal issues that can only be resolved at the international level. In response to these, several intergovernmental organizations have established or are working on international instruments, standards or benchmarks aimed at simplifying documentation and information on exporting and importing and facilitating the development of electronic commerce. At the regional level, the work of ESCAP has been significant. Table V.4 lists the major international bodies and regional organizations undertaking such work, as well as their Web sites, and presents a more detailed review of the areas of work and technical assistance of these institutions. Three major issues being addressed at the international level are briefly outlined below.

Security issues

The future of electronic commerce ultimately rests on the trust that the transacting parties place in the security of the transmission and content of their communications. Equally, it rests on their faith that these communications will be granted adequate recognition to assure their enforceability in any domestic or foreign jurisdiction. This security is required for the assets of the trading partners, as well as any network provider. The assets can be categorized as physical, for instance computer hardware; as personnel, people with access to the hardware; and actual information stored on the hardware, whether user data or software. Security is also an issue in regard to the creation of the electronic data message, data protection techniques applied to the data message, and its transmission to the recipient. Different levels of security have to be selected between different trading partners according to the vulnerability of their business processes. Six important threats for messaging are: a message may be duplicated, lost or replayed; a message may be intercepted and modified; a third party may pretend to be a valid message sender; the sender may claim he never sent a particular message (repudiation of message responsibility by its sender); the recipient may claim he never received a particular message (repudiation of message responsibility by its receiver); and a message may be read by a third party (unauthorized disclosure of message content).

It costs effort, money and transaction time to secure electronic communications. The solutions developed by the ECE Working Party on Facilitation of International Trade Procedures using the available UN/EDIFACT standards cover integrity, authentication, non-repudiation and confidentiality and are shown in figure V.1.[18]

In terms of the use of the Internet for electronic commerce, the additional security concerns are the following: no assured delivery (this is an inherent weakness of the Internet as it consists of a vast number of connected networks, and the path through the networks is not predictable); confidentiality (intermediaries can listen in on private communications); integrity or alteration of the message; impersonation of the sender or recipient; and availability (for example, a hacker taking up all resources on a server and preventing access by genuine users). Currently, neither the technical infrastructure nor the legal framework necessary to deal with these security concerns exists in most of the countries of the region. With the overwhelming choice of the Internet as the medium for inter-organizational communication, firms, organizations and countries have to opt for an individual enhanced security architecture. Available security products fall into two main categories: point tools, and trust management products and services.

Many private solution providers offer point tools that include access control, confidentiality and integrity, and audit and monitoring. These tools allow enterprises to take care of many of their security needs at the enterprise level. However, this is not enough. The concern for the policy maker is the availability of trust management products and services that will provide the foundation for trust for wide use of the Internet. Trusted third-party products and services have three components: cryptographic tool kits; other trust management products; and trust management services.

Cryptographic tool kits provide the essential building blocks for trust. The important applications of cryptography are digital signatures and encryption. Digital signatures can help to prove the origin of a data message (authentication) and verify whether a data message has been altered (integrity). Encryption can help to keep the data message and communication confidential. There are various ways of signing a document electronically; electronic signatures based on public-key cryptography or dual-key cryptography are known as digital signatures. They employ an algorithm using two different but mathematically related keys. The so-called "private key" is used only by the person doing the signing, the signer, to create a digital signature, and the "public key" can verify the digital signatures created by the private key. While the private key is known only to the signer and must be kept secret, the public key must be available to those who need to verify the signer's digital signature. Although the public and private keys are mathematically related, it is computationally infeasible to derive the private key from a given public key. The public key can therefore be publicized, for example through a public directory, without the risk of disclosure of the private key and its use to forge digital signatures.[19]

The verification process, however, does not necessarily establish the identity of the owner of the public key. Since a public and private key pair is simply a pair of numbers, a reliable mechanism is necessary to link a particular person or entity with the key pair. This is done using trusted third parties, or certification authorities. Certification authorities play a crucial role in ensuring acceptability and legal recognition of digital signatures. To associate a key pair with a prospective signer, a certification authority issues a certificate, an electronic record which lists a public key, as well as other details, and confirms that the signer identified in the certificate holds the corresponding private key. A certificate may be invalidated because of misrepresentation of material facts, such as the identity of the signer. Also, it may be suspended or revoked by the certification authority if the private key is compromised, for example by the signer's loss of control of the private key. Not many firms in the region will want to implement certification products in-house but will prefer to buy trust management services from a third party. In order to promote trust in a certification authority, it can be certified by a central authority, which can be a governmental or other trustworthy authority supported by legislation. When certification authorities are certified or licensed, this is called having a "public key infrastructure". In several countries, the legal basis for the operation of certification authorities, including their duties and responsibilities, has been addressed in national laws on digital signatures.
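
An added illustration of the two paragraphs above, not code from the Survey: a signer's key pair signs a message, and a certification authority's certificate binds the signer's name to the public key, with a revocation check. To run on the Python standard library alone it swaps in a Lamport one-time hash-based signature; the names, serial number and order text are constructed.

```python
import hashlib
import json
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def generate_keypair():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(H(a), H(b)) for a, b in private]
    return private, public

def digest_bits(message: bytes):
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(private, message: bytes):
    # Reveal one secret per digest bit; a Lamport key must sign one message only.
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(public, message: bytes, signature) -> bool:
    return len(signature) == 256 and all(
        H(signature[i]) == public[i][bit]
        for i, bit in enumerate(digest_bits(message)))

def cert_body(subject: str, serial: int, public) -> bytes:
    # Canonical bytes the certification authority signs: identity + public key.
    keys = [[a.hex(), b.hex()] for a, b in public]
    return json.dumps({"subject": subject, "serial": serial, "key": keys},
                      sort_keys=True).encode()

def issue_certificate(ca_private, subject: str, serial: int, public) -> dict:
    return {"subject": subject, "serial": serial, "public_key": public,
            "ca_signature": sign(ca_private, cert_body(subject, serial, public))}

def check_message(ca_public, revoked, cert, message: bytes, signature) -> str:
    body = cert_body(cert["subject"], cert["serial"], cert["public_key"])
    if not verify(ca_public, body, cert["ca_signature"]):
        return "rejected: certificate not issued by the trusted authority"
    if cert["serial"] in revoked:
        return "rejected: certificate revoked"
    if not verify(cert["public_key"], message, signature):
        return "rejected: message altered or not signed by this key"
    return "accepted: signed by " + cert["subject"]

def demo() -> dict:
    ca_private, ca_public = generate_keypair()
    seller_private, seller_public = generate_keypair()
    cert = issue_certificate(ca_private, "Seller Co. (constructed)", 1001, seller_public)
    order = b"ORDER 42: 100 units at USD 5.00"  # constructed sample message
    signature = sign(seller_private, order)
    # An impostor holds different keys and certifies the seller's name without the CA.
    rogue_ca_private, _ = generate_keypair()
    fake_private, fake_public = generate_keypair()
    fake_cert = issue_certificate(rogue_ca_private, "Seller Co. (constructed)", 1001, fake_public)
    return {
        "genuine": check_message(ca_public, set(), cert, order, signature),
        "altered": check_message(ca_public, set(), cert, order.replace(b"5.00", b"0.05"), signature),
        "impostor": check_message(ca_public, set(), fake_cert, order, sign(fake_private, order)),
        "revoked": check_message(ca_public, {1001}, cert, order, signature),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Deployed systems use reusable signature schemes such as RSA or ECDSA with X.509 certificates in place of the one-time scheme used here; the order of checks (certificate issuer, revocation status, then message signature) is the same.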

Certification authorities need to be able to cross-certify each other across borders. There is thus a need to establish common international standards on mutual recognition of certification authorities and their digital certificates, and to establish a framework for sharing legal and commercial liability between them.

Legal issues

The developments in technology and the rapid acceptance of electronic commerce have, to a certain extent, outstripped the laws governing conventional business trading. That regulations and laws need to be modified or created to accommodate new and changing technology is not disputed. However, the process of enacting new laws or legislation is generally a long and slow process. The increased use of electronic means of communication, such as EDI, e-mail and the Internet, has raised concerns about their legal effect, validity and enforceability. In most countries of the region, the existing national laws do not contemplate the use of modern means of communication. National and international laws impose restrictions on the use of electronic communication techniques by requiring "written", "signed" or "original" documents. As electronic commerce is not restricted by national boundaries, its adoption requires that the legal ramifications are considered by all those interested in international trade and development.

Efforts are proceeding at national, regional and international levels to create a legal and technical environment for facilitating electronic commerce. Several national governments have been involved in enacting legislation and establishing a regulatory framework to remove any uncertainty that might exist from the use of electronic means of communication. Table V.5 summarizes the status of development of such laws in selected countries in the region. International organizations concerned with the harmonization of international trade laws and facilitation measures have been active in preparing model rules, regulations and guidelines and setting directions for future legislative reform. Private sector organizations have been busy arriving at a consensus on technical standards, and establishing infrastructure and required services. The objective of all these efforts is to create a favourable legal environment for electronic commerce.

Table V.5 Selected national actions in the region to amend laws and legislation for electronic commerce

Column headings: Legal Issues | Evidential issues | Contractual issues | Other issues (liabilities, privacy, etc.)
Sub-headings: Written document | Signature | Evidential value | Storage of data message | Documents of Title | Documents negotiability

India: 2 Electronic Commerce Act of 1998; 1; 2 Electronic Commerce Act of 1998

Japan: 4 NACCS: Law No. 54 - Law on Exceptions on Customs Procedures by Electronic Information Processing Organisation (May 1997), Amendments of December 1990 for Patent Applications through On-line to the Patent Office, Draft Law for Digital Signature recognition; 4 Law No. 25 - July 1998 as exception to Income law No. 33 and Corporate tax law No. 34 to allow keeping "microfilm" as output by computer and written evidence; 1 n.a

Republic of Korea: 3 Basic Electronic Commerce Law (draft), Digital Signature Law (draft), Intellectual Properties Law (being amended); 4 Civil Law, Commercial Law, Network Facilitation and Promotion Law; 4 Civil Law, Commercial Law, Criminal law, Privacy and Personal Information Protection Law, Intellectual Properties Law (being amended)

Philippines: 3; 3; 2

Singapore: 4 Part II Electronic Transactions Act (ETA) 10 July 1998; 4 s35 Evidence Act 8 Mar 1996; 4 Part II, ETA; 1 Provisions of ETA to apply to documents of title in future; 1 Provisions of ETA to apply to negotiable instruments in future; 2 E-Commerce Code for Protection of Personal Information and Communications of Consumers of Internet Commerce, ETA (Electronic Contracts)

Sri Lanka: 5 Evidence Special Provision Act No. 14 of 1995 plus research on digital signature; 4

Thailand: 2 Digital Signature Law; 2 Data Protection Law; 2 Electronic Funds Transfer Law, Data Protection Law, Universal Access Law

Source: National Focal Points of AFACT, November, 1998.
Notes:
1 = No action. 2 = In draft stage. 3 = Submitted for legislative approval. 4 = In effect. 5 = Law being used in the court. n.a. = not available.

The legal issues raised by the use of electronic commerce include evidential, contractual and liability issues. The evidential issues of electronic commerce have two distinct aspects. The first considers the question of admissibility: whether an electronic document is admissible as evidence in court. The second considers the need to have trade data properly authenticated: the requirement to be "signed". Contractual issues are concerned with the impact that the use of electronic communication may have on traditional contract formation. Questions arise about when and where contracts are concluded. Within an EDI network, two major relationships exist: that between the service suppliers and the users, and that between the users themselves. These relationships inevitably lead to questions concerning the pattern and extent of commercial responsibility and liability. To these must be added certain other novel legal issues such as jurisdiction and conflict of laws, intellectual property and liability of intermediaries, crime prevention, data protection and privacy, payments for transactions and taxation on the Internet.[20] The legal framework for electronic commerce can thus be divided into two areas: (a) a national legal framework, consistent with regional and international frameworks, which allows for documents transmitted using electronic communication to be legally binding; and (b) a contractual arrangement between trading partners to agree on terms under which EDI documents will be considered legally binding and acceptable.

The Model Law on Electronic Commerce of UNCITRAL, which was adopted by the United Nations General Assembly in 1996,[21] covers several legal issues, some of which are given below.

Requirements of form (document). An electronic document has the same legal status as a written one if it is accessible so as to be usable for subsequent reference.

Requirements of form (signature). An electronic signature has the same legal value as a written signature if a reliable method is used to identify the person doing the signing and for approval of the information. UNCITRAL is presently working on a model law on electronic signatures.

Original. The legal requirement of an original is met by an electronic document if a reliable assurance exists as to the integrity of the information from the time it was first generated and this can be displayed.

Evidence. An electronic document is admissible in court as evidence. The court shall, when assessing the evidential weight of the electronic document, take into account the reliability of the method used for generating, storing and communicating the message and for maintaining the integrity of the document.

Formation of the contract. A contract entered into electronically is valid and enforceable.

Abuse of the electronic signature. A message is deemed to have been sent by the originator if it contains his electronic signature.

The main objective of the Model Law is to facilitate electronic trading by providing a set of internationally acceptable rules which can be used by governments in enacting legislation to overcome legal obstacles and uncertainties which may exist. It also provides individual traders with guidelines when they are preparing their contractual agreements. In addition to this framework, many of the legal issues discussed can be resolved by trading partners using a contract or interchange agreement which details the rights and duties of each partner and specifies actions to be taken if any problems occur when EDI is being used. The agreement also details the individual roles and legal responsibilities of the trading partners for transmitting, receiving and storing electronic messages. In the absence of clear legal rules and principles, an interchange agreement provides a company with a readily available solution for formalizing the EDI relationship between that company and its trading partners. The United Nations Model Interchange Agreement is particularly suitable for international trade. It has been developed taking into account the differing national legal systems and offers practical solutions for overcoming any difficulties that these might cause. It is intended to be sufficiently flexible to meet the requirements of all of the business sectors involved in international trade.[22]

Although the principles of conflicts of law should apply equally in cyberspace, difficulties arise because of the borderless nature of cyberspace and the lack of geography in determining place of performance and place of formation of contracts by electronic means across international boundaries. A "click" in one country can have an effect in another country, or in very many countries. The traditional rules of offer and acceptance are, for example, not directly applicable to offer and acceptance by electronic mail, which is fast, but not quite the same as instantaneous communication. Investigating and combating crime in a transient and intangible world without forensic evidence pose fresh challenges to law enforcement authorities. Some crimes may be so new as to escape the current penal statutes, for example denial of service and access code trafficking. Cryptography also enables criminals to encrypt incriminating evidence. With the increasing volume of data messages available and the greater ease with which they can be retrieved and mined, privacy and data protection become important issues. The leakage of trade secrets and sensitive financial information and the possibility of data mining will be of immediate concern to businesses participating in electronic commerce. Moreover, the European Union's directive on data protection, which came into force on 24 October 1998, may seriously affect trans-border flow of data to and from Europe.

Taxation issues

There is concern about the potential for excessive taxation of the Internet. For example, the United States Government believes that no new discriminatory taxes should be imposed on Internet commerce. It also believes that no customs duties should be imposed on electronic transmissions. The application of existing taxation on commerce conducted over the Internet should be consistent with the established principles of international taxation, should be neutral with respect to other forms of commerce, should avoid inconsistent national tax jurisdictions and double taxation, and should be simple to administer and easy to understand.

However, intergovernmental cooperation is essential to define and agree to the principles of taxation for cross-border electronic commerce. These principles cover issues such as how the tax liability of on-line companies can be assessed; how on-line companies are to be audited; how international databases can be protected and controlled; how intellectual property will be protected; and how internationally agreed practices can be monitored and enforced. These issues are extremely complex. Take, for example, the tax liability of a German citizen travelling in the United States, ordering Asian spirits through the Internet for delivery to a holiday residence in France. In which national jurisdiction would the tax be paid and what would be the implications, if any, if payment was made anonymously using electronic cash? These issues are mainly of academic interest as long as trade over the Internet is relatively modest, but will become highly relevant to policy formulation as the value of Internet-based electronic commerce increases.




Footnotes:

18 Based on the recommendations contained in the document "Security for UN/EDIFACT message transfer" (TRADE/WP.4/R.1026), prepared for the Economic Commission for Europe, Committee on the Development of Trade, Meetings of Experts on Data Elements and Automatic Data Interchange, March 1994. The security solutions recommended are based on version three and four of the EDIFACT syntax (ISO 9735).

19 See the Digital Signature Guidelines of the American Bar Association (1 August 1996), available at <http://scratch.abanet.org/ftp/pub/scitech/> (4 February 1999); and the 1996 UNCITRAL report entitled "Planning of future work on electronic commerce: digital signatures, certification authorities and related legal issues" (A/CN.9/WG.IV/WP.71), paras. 18-25, available at http://www.un.or.at/uncitral/english/sessions/wg_ec/wp-71.htm (3 February 1999).

20 A good starting point for looking at these legal dimensions in some detail is the UNCTAD document issued in May 1998 "Electronic commerce: legal considerations" (UNCTAD/SDTE/BFB/1), available at http://www.unctad.org/en/pub/polist98.htm (3 February 1999).

21 See footnote 3 for references to the text of this law.

22 The fact that there have been no lawsuits resulting from the use of EDI has several possible explanations. To implement EDI, considerable cooperation, as well as advanced coordination and testing, is required between trading partners. Therefore, misunderstandings are uncommon. EDI reduces or eliminates processing errors and those introduced from data rekeying, thus reducing the number of inaccuracies in end applications such as product ordering or order interpretation. Many corporate EDI relationships are formed between large organizations, or between a large organization and its suppliers. This trading relationship is often so important that it transcends any legal dispute which might otherwise occur over the interpretation of an individual contract. In other words, such trading partners avoid the necessity for legal dispute, preferring to settle their differences amicably.

