The advent of the
internet in recent years as a business tool has opened the way for commercial
and financial transactions becoming easier, speedier and cheaper, through access
to an online global market place which represents a paperless world of
transactions and knows no geographic boundaries. Its very accessibility and
openness, however, have posed a variety of problems for businesses and a new
tide of law–Cyberlaw–has emerged, with governments, businesses, universities
and institutes paying special attention to it.
Guiding considerations
It is important
to formulate a set of clear, consistent and predictable rules, which define the
rights and duties of the parties to the transactions in a just, balanced and
reasonable manner and provide for easily accessible redress procedures. The US
Government’s "Framework for Global Economic Commerce" (July 1997)
affirms the principle that ‘the legal framework supporting commercial
transactions should be consistent and predictable regardless of the jurisdiction
in which a buyer and the seller reside.’ In the interest of uniformity, the
legislation should conform to internationally accepted principles and practices,
and be flexible enough to accommodate different systems of law and
jurisprudence. Guidance is available in this context from the United Nations
Commission on International Trade Law’s (UNCITRAL’s) Model Law on electronic
commerce adopted by the commission in 1996. The legislation should be media-neutral, i.e. treat transactions conducted
electronically and those conducted using paper documents in the same way. In the
light of the recent and ongoing rapid march of technology, it will be ideal if
law keeps exact pace with the advance of technology. Finally there is a need to
avoid excessive regulation through over-stringent laws which could discourage
electronic business, or any under regulation which could fall short of the
required level of protection, thereby hampering the growth of electronic
commerce.
Addressing the concerns
The UNCITRAL
Model Law gives a legal effect to a ‘data message,’ which is defined as ‘information
generated, sent, received or stored by electronic, optical or similar means
including, but not limited to, electronic data interchange (EDI), electronic
mail, telegram, telex or telecopy.’ Article 5 says "Information shall not
be denied legal effect, validity or enforceability solely on the grounds that it
is in the form of a data message." In a unique way of linking the data
message with the writing requirement, Article 6 says, "Where the law
requires information to be in writing, that requirement is met by a data message
if the information contained therein is accessible so as to be usable for
subsequent reference." Thus accessibility and usability for subsequent
reference are the criteria applied to a data message to give it the legal effect
of writing.
As regards
signature requirement, the Model Law says that the requirement is met in
relation to a data message if a method, reliable and appropriate for the purpose
of the data message, is used to identify the person and indicate that person’s
approval of the information contained in the data message (Article 8). There are
also provisions concerning the admissibility and evidential weight of data
messages, their retention, recognition, attribution and acknowledgement as well
as the time and place of dispatch and receipt of data messages.
Security concerns
The transition
from paper based transactions to electronic communications has heightened
security concerns globally. Three essential ingredients of security have been
authenticity, integrity and nonrepudiation.
AUTHENTICITY: Making
sure that a communication purported to be from a particular person is in fact
from that person, and is not a forgery.
INTEGRITY: Ensuring
that the communication is complete and accurate without it having been altered
in any way during transmission or storage.
NONREPUDIATION: Ruling
out the possibility of the sender of the communication denying that it was sent
in the form in which it was received by the recipient.
In case of paper
based transactions, there are collateral assurances of genuineness: the
letterhead, the hand written signature, the company name and logo on the invoice
or purchase order, unique writing or printing styles, special water marks on the
paper and the fact that the communication is a tangible object received.
Electronic communications do not have these assurances. They are merely patterns
of zeros and ones transmitted electronically. Alterations, forgeries and copies
can easily be made and these can hardly be detected since the zeros and ones
constituting the ‘original’ are no different from those making up the
forgeries, copies and alterations.
The openness of
electronic transactions has generated doubts and concerns regarding the security
and privacy of business communications. These concerns are bound to grow as the
usage of the internet accelerates, especially in the new millennium. Already ‘spoofing’
(impersonation, where a sender gives a ‘return’ address other than his own),
‘hacking’ (use of hidden computer programmes to pry into sensitive personal,
especially financial, information and misusing it), attacks into internet
systems introducing unmanageable viruses or ‘spams’ (unsolicited mass
advertisements using the internet) are creating barriers to the smooth flow of
international business. Technological defence mechanisms such as ‘firewalls’
are available, but these can possibly be countered by any one intent on invoking
the ‘negative’ march of technology. This situation indeed postulates the
need for formulating appropriate legislation to ensure that business
transactions over the internet are conducted in an atmosphere of trust and
confidence of business persons that there will be no abuse or deceit pertaining
to their business information and that their rights and obligations will be
fully respected.
Digital signature
One of the
effective and promising methods now available in the electronic world to ensure
privacy and security of transactions is the digital signature. It constitutes an
identification mark covering the entire document and is therefore unique to
every document. The creation and verification of digital signatures is done by
using private and public keys unique to an individual, through a ‘public key
infrastructure.’ The process consists of running an electronic communication
through a one-way hash function and encrypting the resulting message digest with
the sender’s private key. A digital signature, like a manual signature, confirms
the authorship of the message but goes beyond the latter in showing whether
the message was altered after the digital signature was applied. It satisfies the criteria
of authenticity, integrity and non-repudiation.
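The hash-then-sign process described above, as an added example that is not part of the original article: textbook RSA without padding, using only the Python standard library and a constructed demonstration key built from two Mersenne primes. The function names and the sample order text are assumptions; production signatures use a padded scheme such as RSASSA-PSS from a vetted library and randomly generated primes.

```python
import hashlib

# Constructed demonstration key material: two Mersenne primes, chosen only so
# the example runs offline. Their special form makes them unfit for real keys.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537  # common public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: inverse of e mod phi(n)
    return (n, e), (n, d)


def digest_int(message: bytes) -> int:
    """Run the message through a one-way hash (SHA-256) and return it as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private) -> int:
    """Transform the message digest with the sender's private key."""
    n, d = private
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Recover the digest with the public key and compare it to a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest_int(message)


if __name__ == "__main__":
    public, private = make_keypair()
    order = b"Purchase order 1001: 500 units at 12.50 each"  # constructed sample
    sig = sign(order, private)

    # Authentic and unaltered: verification succeeds.
    print("original verifies:", verify(order, sig, public))
    # Integrity: changing a single digit after signing breaks verification.
    altered = order.replace(b"500", b"900")
    print("altered verifies:", verify(altered, sig, public))
    # Authenticity: a signature made with someone else's private key is rejected.
    _, other_private = make_keypair(2**607 - 1, 2**1279 - 1)
    print("forged verifies:", verify(order, sign(order, other_private), public))
```

Because only the holder of the private key can produce a value that verifies under the matching public key, a successful check is also the technical basis for non-repudiation.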
Legislative efforts
Necessary
legislation to give legal validity to digital signatures has been passed in some
countries and is being drafted in some others. It seeks to define the rights and
duties of persons using digital signatures, those facilitating such use, and
those relying on the signatures. Utah in USA was the first state to pass digital
signature legislation in 1995. This was followed by similar legislations in
other states, some deriving guidance from the Digital Signature Guidelines
prepared by the American Bar Association. Some of these use the more general
expression ‘electronic signature.’ At the Federal level, the Electronic
Signatures in Global and National Commerce Act (1999) defines the term ‘electronic
signature’ as ‘an electronic sound, symbol or process attached to or
logically associated with an electronic record and executed or adopted by a
person with intent to sign the electronic record.’ The Federal Government is
enjoined to remove paper-based obstacles to electronic transactions by adopting
relevant principles from UNCITRAL Model Law; permit parties to a transaction to
determine the appropriate authentication technologies and implementation models
which are to be recognized and enforced, and take a non-discriminatory approach
to electronic signatures and authentication methods from other jurisdictions.
There have been
significant legislative developments in some of the Commonwealth countries as
well. In the United Kingdom, the Secretary of State for Trade and Industry
presented to the Parliament in July 1999 and published a draft of the Electronic
Communications Bill for consultation purposes. It is intended to facilitate and
create confidence in the use of electronic communications. There is provision to
require a disclosure of a key needed to make lawfully obtained protected
information intelligible and failure to disclose is made a punishable offence.
The Bill also establishes a Tribunal for hearing complaints and awarding
compensation in certain cases.
In Canada, a new
electronic commerce privacy legislation called ‘The Personal Information
Protection and Electronic Documents Act, 1999’ has been passed. It is
purported to support and promote electronic commerce by protecting personal
information that is collected, used or disclosed in certain circumstances, by
providing for the use of electronic means to communicate or record information
or transactions. The government has also brought out a comprehensive paper
titled ‘The Canadian Electronic Commerce Strategy,’ indicating the goal,
framework and the priorities for action in the field of electronic commerce. The
paper states that ‘the overriding need is to remove barriers to the use of
electronic commerce by clarifying how these rules apply to the digital economy
and updating them where necessary. The objective is to ensure that equivalent
treatment is provided for digital and non-digital transactions in a consistent
and predictable manner.’
Australia’s
Electronic Transactions Bill of 1999 is based on UNCITRAL’s Model Law and is
designed to provide a legislative framework that will facilitate the use of
electronic transactions, promoting business and community confidence in their
use. The Bill states that a transaction is not invalid because it took place
wholly or partly by means of one or more electronic communications.
The provision on
signature (clause 10) is interesting because it merely says that a signature
requirement with regard to an electronic communication is taken to have been met
if a method is used to identify the person and indicate the person’s approval
of the information communicated; there is no mention of a digital signature and
the reason given in the connected explanatory memorandum is that by not
endorsing particular electronic signature technologies, the bill does not need
to be revised to take account of technological changes. There are also some
variations from the UNCITRAL Model Law, such as in regard to attribution of
electronic communications, where Australia’s agency law has been preserved.
Singapore’s
Electronic Transactions Act of 1998 is a detailed document aimed at facilitating
electronic commerce, promoting secure electronic commerce by minimizing the
incidence of forgery, alteration of records and fraud and facilitating
electronic filing of documents. It introduces the term ‘electronic record’
and clarifies that an offer and an acceptance may be expressed by means of
electronic records and the contract formed shall not be denied validity or
enforceability. It provides for both electronic and digital signatures, leaving
it to the parties to agree expressly between themselves as to what they require.
There are provisions for securing an electronic signature through a prescribed
or commercially viable security procedure and securing a digital signature by
ensuring that it is created during the period of validity of a trustworthy
certificate and is verified by reference to the sender’s public key. The Act
also provides for obligation of confidentiality with regard to electronic
records, investigation of offences and penalties.
India’s
Information Technology Act, 2000 is a comprehensive attempt to tackle
legislatively the growing area of electronic commerce. It provides for legal
recognition of electronic records and digital signatures, their use, retention,
attribution and security, regulation of certifying authorities, issue,
suspension and revocation of digital signature certificates, and duties of
subscribers in regard to generation of key pairs and retention of private keys.
Penalties are prescribed for computer crimes which include tampering with
computer source documents, hacking and electronic publishing of obscene
information. There is also a provision for compensation in certain cases by the
guilty to the affected persons. In order to nip computer crimes in the bud, as
it were, broad powers have been conferred on police officers not below the rank
of a Deputy Superintendent of Police or any official of the Central or State
Governments authorized by the Central Government, to enter any public place,
search and arrest without warrant any person reasonably suspected of having
committed, committing or about to commit any offence. Appeals against the orders
of adjudicating officers will lie to a Cyber Regulations Appellate Tribunal to
be constituted. The Act is also intended to apply to offences committed outside
India if the act constituting the offence involves a computer, computer system
or computer network located in India. Network service providers are exempt from
liability for third party information provided by them if they exercise due
diligence and are unaware of any offence or contravention. Requisite amendments
to other related acts, adding electronic records, electronic account entries,
printouts of electro-magnetic data etc to their coverage, are also included in
the act.
The list grows
The list of
countries that have enacted or introduced electronic commerce-related
legislation is growing. Malaysia has introduced new detailed legislation while
Italy, Sweden, Japan and South Korea have introduced special digital signature
legislation recently. The latest addition to the list is Mexico, which has
passed legislation recognizing electronic business transactions and giving
validity to internet purchases as binding contracts.
In the light of
the wave of cyber legislation that has started, there is no doubt that more
countries will be seeking to enact legislations of their own. The question
arises in this context as to whether every country should go in for such
legislation. It is obvious that without legal recognition of electronic
communications and signatures providing for the legal and institutional
infrastructure needed for ensuring security and privacy of electronic
transactions, electronic commerce will not take off or its growth will be
stifled. There are various models of legislation available already, but the
decision as to which model to choose, what modifications should be made in it
and when to enact the appropriate legislation should indeed be left to individual
countries, in view of the extent of business development, the current level of
internet use and the views of the business community, among other factors.
However, there is no doubt that the promotion and regulation of electronic
commerce will be high-priority items on the agenda of several countries in
the initial years of the new millennium.