Internet Policy Day 4 - Workshop Session No. 8 E-commerce Issues Prepared for CTO by Link Centre, Witwatersrand University, South Africa
Session Summary • Day 1 • Session 1 History and technical background • Session 2 Market structure • Day 2 • Session 3 Interconnection, IXPs and voice over IP • Session 4 Governance and domain names • Day 3 • Session 5 The impact of telecommunications regulation • Session 6 Internet specific policy issues • Day 4 • Session 7 Content on the Internet • Session 8 E-commerce issues • Day 5 • Session 9 Internet tools for regulators
E-commerce Issues • The purpose of this session is to provide participants with an overview of the issues that regulators need to be aware of in the context of growing e-commerce.
Topics of Discussion • Security • Encryption • Authentication • Privacy • Interception and Monitoring • Fraud • Taxation
Security • Importance • Confidentiality: keep client data (for example card details) from being read by anyone other than the intended parties • Integrity: prevent transaction information from being altered in transit or in storage; tampering with transaction data is how much online fraud is committed • Availability: make sure no one can break into or knock over the system, including denial-of-service (DoS) attacks • Steps • User education (password hygiene, general security awareness) • Firewalls and access control lists • System audits • Defences against DoS attacks
Encryption • Can anyone prohibit the use of encryption? • The illegal t-shirt (the RSA algorithm printed on a t-shirt, which under US export rules of the time counted as an export-controlled munition) • Steganography (hiding the existence of a message, so that bans on encryption are hard to enforce) • Policy initiatives • Special access to keys (key escrow) • Restrictions on cryptography suppliers • Interception and monitoring
Public key encryption • Bob decides to make use of public key cryptography • Bob generates a key pair: two mathematically linked keys • Private key, which Bob keeps secret • Public key, which Bob can give to anyone • Bob sends his public key to Alice (it need not be kept secret, but Alice must be sure it really is Bob's) • Alice encrypts data with Bob's public key • Bob decrypts the data Alice sent with his private key; nobody without the private key can do so
Public key encryption (diagram): Alice's plaintext "Hello Bob" is encrypted with Bob's public key into ciphertext ("Adgft;lfdj ikhdfkdh kldhsflkl"); the ciphertext travels to Bob, who decrypts it with his private key to recover "Hello Bob".
Encryption and digital signatures • Bob can sign a message with his private key (in practice he signs a cryptographic hash of the message) • Alice can verify that Bob sent the message, and that it was not altered on the way, by checking the signature with his public key • Non-repudiation • Bob can't deny he sent the message, provided his private key has stayed secure; if the key is stolen, signatures made with it prove nothing
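The exchange on the two preceding slides, worked through in code. This is an added example and not part of the original workshop material: it uses Go's standard library, with RSA-OAEP padding for encryption and RSA-PSS for signatures and a 2048-bit key (the slides name no particular algorithm or key size; these choices are the example's). Bob, Alice and "Hello Bob" are the slides' own; the payment order message and the function names are invented here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// GenerateKeyPair is Bob's first step: he creates a private key; the matching
// public key is derived from it (priv.PublicKey) and can be handed to Alice.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Encrypt is Alice's step: anyone holding Bob's public key can encrypt to him.
// RSA-OAEP with SHA-256 is used rather than raw ("textbook") RSA, which is
// malleable and leaks information about the plaintext.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// Decrypt is Bob's step: only the holder of the private key can recover the data.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign produces Bob's digital signature: a SHA-256 digest of the message,
// signed with his private key (RSA-PSS). The signature is bound to the exact
// message content, so any change to the message invalidates it.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify is Alice's check using Bob's public key. It reports true only if the
// signature was made over exactly this message by the matching private key.
func Verify(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	bob, err := GenerateKeyPair(2048)
	if err != nil {
		log.Fatal(err)
	}
	// Confidentiality: Alice -> Bob.
	ct, err := Encrypt(&bob.PublicKey, []byte("Hello Bob"))
	if err != nil {
		log.Fatal(err)
	}
	pt, err := Decrypt(bob, ct)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Bob decrypted: %q\n", pt)

	// Authenticity and non-repudiation: Bob -> Alice. The order text is invented.
	order := []byte("Pay Alice 100")
	sig, err := Sign(bob, order)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("signature valid on original message:", Verify(&bob.PublicKey, order, sig))
	fmt.Println("signature valid on altered message: ", Verify(&bob.PublicKey, []byte("Pay Alice 1000"), sig))
}
```

Two points the slides state but the code makes visible: decryption fails outright under any private key but Bob's, and the altered order ("1000" instead of "100") fails verification even though only one character changed.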
Encryption between hosts • ensures the content of electronic transactions cannot be read by anyone monitoring the link • credit card details can be kept secure in transit • can also be utilised for email or voice/video communication • encryption hides content, not the fact of communication: who talked to whom, when and how much (the addressing information) remains visible to an observer • however, issues over governance do arise • widespread encryption vs. security of the state
Authentication: digital certificates • Like an ID book: issued by a trusted authority, it ties a name to its holder • Digital file of a specific format, e.g. X.509 • Issued by a Certification Authority (CA) • Verisign - http://www.verisign.com • Thawte - http://www.thawte.com (now owned by Verisign) • Binds an identity to a public key; the certificate is only as trustworthy as the CA that issued it and the checks that CA made before issuing • The certified public key can then be used to set up encrypted communication with the named party
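What a Certification Authority actually does with an X.509 certificate, as an added example that is not part of the original slides. It uses Go's standard library: the CA signs a statement binding a host name to a public key, and a relying party checks the chain back to a root it already trusts. The names "Example Workshop CA", "shop.example" and "bank.example" are invented for the example, as are the function names. The impostor case shows the ID-book analogy's limit: a certificate's worth depends on which roots the verifier trusts, not on the name printed in it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// NewSubjectKey generates the key pair of a party that wants a certificate.
// The private key stays with that party; only the public key goes to the CA.
func NewSubjectKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewCA creates a Certification Authority: a key pair plus a self-signed
// certificate that relying parties must already trust (the trusted "root").
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := NewSubjectKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCertificate is the CA's act of issuing the "ID book": it signs, with the
// CA's private key, a statement binding the host name to the subject's public key.
func IssueCertificate(ca *x509.Certificate, caKey *rsa.PrivateKey, host string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the host against this field, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCertificate is the relying party's check: does a valid signature chain
// lead from this certificate to a root we trust, is it within its validity
// period, and does it name the host we are talking to? nil means accepted.
func VerifyCertificate(cert, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := NewCA("Example Workshop CA")
	if err != nil {
		log.Fatal(err)
	}
	shopKey, err := NewSubjectKey()
	if err != nil {
		log.Fatal(err)
	}
	shopCert, err := IssueCertificate(ca, caKey, "shop.example", &shopKey.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("genuine certificate, right host:", VerifyCertificate(shopCert, ca, "shop.example"))
	fmt.Println("genuine certificate, wrong host:", VerifyCertificate(shopCert, ca, "bank.example"))

	// An impostor runs a CA with the very same name and issues "shop.example" to
	// a key of its own. The name on the certificate is identical; only the
	// issuing authority differs, and the relying party does not trust it.
	fakeCA, fakeKey, err := NewCA("Example Workshop CA")
	if err != nil {
		log.Fatal(err)
	}
	fakeCert, err := IssueCertificate(fakeCA, fakeKey, "shop.example", &fakeKey.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("impostor certificate:", VerifyCertificate(fakeCert, ca, "shop.example"))
}
```

Three outcomes follow: the genuine certificate is accepted for shop.example, rejected when presented for bank.example (the name is part of what was certified), and the impostor's certificate is rejected because its chain ends at a root the verifier was never told to trust.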
Privacy • Rapid growth of the Internet means many privacy issues have surfaced • All electronic communication carries reference data (metadata) of some sort, even where the content itself is not sensitive • email headers (sender, recipient, route taken, time) • cookies (identifiers that let a website recognise a returning browser) • Right to privacy
Privacy • Need for privacy protection laws • Data sharing prohibitions: My data has value! • Special concern: medical, financial and child-related • Need to prevent unauthorised use and dissemination • Assure control and security of data
Privacy • Informed consent • Users must be told how their data is going to be used, and agree to such use • Self-regulation • Voluntary disclosure and standards for usage of data • Government regulation • Mandatory standard for data privacy • Technical approaches • Software filters
Interception and monitoring • ‘Wiretap’ method • monitors everything related to transmission • often involves special equipment • requires court approval • expensive • Addressing info • everything but content of transmission • seldom requires specific court approval • easy to obtain from phone companies • (records are used to generate billing data)
Interception and monitoring • Why is monitoring needed? • National security • Criminal activity • Outdated legislation • Move towards proactive law enforcement, not reactive • Controversial • Previous methods of monitoring were less invasive • Proposed methods are "always on" • Ease with which people can be monitored without a court order • Lack of a watchdog or public oversight • Knowledge of previous instances of misuse • Bad guys use encryption anyway
Internet monitoring • Layered protocols • HTTP over TCP/IP • Email protocols over TCP/IP • TCP/IP over Ethernet • Very little difference between content and addressing info when dealing with multiple layers of protocols • May have to operate outside the limits of a court order in order to get the information required by the court order
Layered protocol example • The HTTP protocol involves both addressing and content info • addressing info: the name of the file being retrieved; the site the file is being retrieved from • content info: the content of the file being retrieved • The TCP/IP protocol also has addressing and content info • addressing info: source address/port of the transmission; destination address/port of the transmission; checksum data related to the packets • content info: the packets of data being transferred, which for a web request include the HTTP addressing info above
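To make the addressing/content distinction concrete, here is an added example that is not part of the original material. It parses a constructed Ethernet/IPv4/TCP frame carrying an HTTP GET and records, for each layer, what that layer treats as addressing and what it treats as content; the MAC and IP addresses come from documentation ranges and the host name and path in SampleFrame are invented. The HTTP request line and Host header, addressing information from HTTP's point of view, sit entirely inside the TCP payload, which is content from TCP/IP's point of view: an order for "addressing information only" means something different at each layer.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Layers records, for one captured frame, what each protocol layer treats as
// addressing information and what it treats as content.
type Layers struct {
	SrcMAC, DstMAC                 string // Ethernet addressing
	SrcIP, DstIP                   string // IP addressing
	SrcPort, DstPort               uint16 // TCP addressing
	TCPPayload                     []byte // TCP content: everything above TCP, HTTP headers included
	HTTPMethod, HTTPPath, HTTPHost string // HTTP addressing: what is fetched, and from which site
	HTTPBody                       []byte // HTTP content
}

// ParseFrame walks Ethernet -> IPv4 -> TCP -> HTTP, checking length and version
// fields at each layer so a truncated or non-HTTP frame is rejected, not misparsed.
func ParseFrame(frame []byte) (*Layers, error) {
	if len(frame) < 14 {
		return nil, errors.New("truncated Ethernet header")
	}
	l := &Layers{DstMAC: net.HardwareAddr(frame[0:6]).String(), SrcMAC: net.HardwareAddr(frame[6:12]).String()}
	if binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return nil, errors.New("not an IPv4 frame")
	}
	ip := frame[14:]
	if len(ip) < 20 || ip[0]>>4 != 4 {
		return nil, errors.New("truncated or non-IPv4 header")
	}
	ihl, total := int(ip[0]&0x0f)*4, int(binary.BigEndian.Uint16(ip[2:4]))
	if ihl < 20 || total < ihl || total > len(ip) {
		return nil, errors.New("inconsistent IPv4 lengths")
	}
	ip = ip[:total] // drop any Ethernet padding after the datagram
	if ip[9] != 6 {
		return nil, errors.New("not TCP")
	}
	l.SrcIP, l.DstIP = net.IP(ip[12:16]).String(), net.IP(ip[16:20]).String()
	tcp := ip[ihl:]
	if len(tcp) < 20 {
		return nil, errors.New("truncated TCP header")
	}
	off := int(tcp[12]>>4) * 4
	if off < 20 || off > len(tcp) {
		return nil, errors.New("bad TCP data offset")
	}
	l.SrcPort, l.DstPort = binary.BigEndian.Uint16(tcp[0:2]), binary.BigEndian.Uint16(tcp[2:4])
	l.TCPPayload = tcp[off:]
	// HTTP's addressing info (request line, Host) lives inside TCP's content.
	parts := strings.SplitN(string(l.TCPPayload), "\r\n\r\n", 2)
	if len(parts) != 2 {
		return l, nil // no complete HTTP header block in this segment
	}
	lines := strings.Split(parts[0], "\r\n")
	req := strings.Fields(lines[0])
	if len(req) != 3 || !strings.HasPrefix(req[2], "HTTP/") {
		return l, nil // TCP content that is not an HTTP request
	}
	l.HTTPMethod, l.HTTPPath = req[0], req[1]
	for _, h := range lines[1:] {
		if kv := strings.SplitN(h, ":", 2); len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), "Host") {
			l.HTTPHost = strings.TrimSpace(kv[1])
		}
	}
	l.HTTPBody = []byte(parts[1])
	return l, nil
}

// SampleFrame builds the constructed input: documentation-range addresses, an
// invented host and path, checksums left zero (ParseFrame does not check them).
func SampleFrame() []byte {
	payload := []byte("GET /catalogue/prices.html HTTP/1.1\r\nHost: shop.example\r\n\r\n")
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], 40000) // source port
	binary.BigEndian.PutUint16(tcp[2:4], 80)    // destination port
	tcp[12], tcp[13] = 5<<4, 0x18               // data offset 5 words; flags PSH|ACK
	ip := make([]byte, 20)
	ip[0], ip[8], ip[9] = 0x45, 64, 6 // version 4 / IHL 5, TTL, protocol TCP
	binary.BigEndian.PutUint16(ip[2:4], uint16(len(ip)+len(tcp)+len(payload)))
	copy(ip[12:16], net.IPv4(192, 0, 2, 10).To4())
	copy(ip[16:20], net.IPv4(198, 51, 100, 7).To4())
	eth := []byte{0x00, 0x00, 0x5e, 0x00, 0x53, 0x01, 0x00, 0x00, 0x5e, 0x00, 0x53, 0x02, 0x08, 0x00}
	frame := append(append(eth, ip...), tcp...)
	return append(frame, payload...)
}

func main() {
	l, err := ParseFrame(SampleFrame())
	if err != nil {
		panic(err)
	}
	fmt.Printf("IP %s -> %s, TCP %d -> %d, HTTP %s %s on %s (found inside TCP content)\n",
		l.SrcIP, l.DstIP, l.SrcPort, l.DstPort, l.HTTPMethod, l.HTTPPath, l.HTTPHost)
}
```

Run against the sample, the TCP layer reports 70-odd bytes of "content"; every byte of the HTTP file name and site name is among them. A monitoring system restricted to TCP/IP addressing sees ports 40000 and 80 and two IP addresses; one allowed to read HTTP addressing has to read the TCP content to get it.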
Case Study: the UK Regulation of Investigatory Powers Act 2000 was introduced to: • Update existing legislation • Cope with new methods of electronic communication • Grant law enforcement additional powers • Grant law enforcement access to encryption keys • Require communications providers to install communication links to a government monitoring centre
Case Study: the UK Regulation of Investigatory Powers Act 2000 requires: • Companies providing communication services to install wiretap technology or provide access to their networks • Companies to retain information (logs) for a period of time • Capacity for 1 in 10,000 customers to be watched at the same time
Case Study: the UK Regulation of Investigatory Powers Act 2000 drew criticism from the start from: • Privacy watchdogs • Lobby groups • Business leaders • Business associations
Interception: Big Brother fears • Ease of monitoring communications will result in a huge increase in wiretaps • Loss of privacy • Individual rights being threatened • Law enforcement has too much power • Too few safeguards on law enforcement's actions • Heavy burden on companies which have to comply • Law enforcement will randomly monitor transmissions to look for suspicious activity rather than restrict surveillance to cases where a warrant has been obtained
Fraud • Growth of the Internet has led to many old scams being re-introduced to an unsuspecting public by means of technology • Scams commonly involve conning people into handing over money or credit card details in exchange for goods and services which are never delivered • Fake websites imitating e-commerce hosts can be set up and made to look like the real thing • Identity theft is growing • Email scams are proliferating
Fraud: 2000 Internet Fraud Statistics • Top 10 frauds (percentage of reported cases) • 1. Online auctions 78% • 2. General merchandise sales 10% • 3. Internet access services 3% • 4. Work-at-home 3% • 5. Advance fee loans 2% • 6. Computer equipment/software 1% • 7. Nigerian money offers 1% • 8. Information/adult services 1% • 9. Credit card offers 0.5% • 10. Travel/vacations 0.5%
Taxation • Effects of e-commerce on global taxation • Existing tax principles rely on physical presence (where the seller, buyer or goods are located) • The Internet overcomes physical location, distance and time, weakening that link • Digitised products (no physical goods cross a border) • Cross-border transactions
Summary • E-commerce covers a broad range of issues, including: • Security • Encryption and authentication • Privacy, interception and monitoring • Taxation • Fraud • E-commerce policy is still in its infancy and global efforts at creating standardised policy are yet to be broadly implemented • However, there are still some international examples and precedents to learn from