Section 2: Legal, Regulatory, Security, Trust and Confidence
The amalgam of Service Providers names:
implication on Internet (liability) regulation?
K. Bodard
The Influence of the Legal Environment on Internet Security
I. Gil Pechuan, R.I. Navarro Varela, R.D. Franco
The Influence of the Legal Environment
on Internet Security
M. Lehmann
Online Intermediary Liability Framework
M. Välimäki, P. Martikainen
Managing legal paperwork: an integration
effort
R. Gagliardi, P. Fiorenzani, S. Montanari, G. Mazzini
FILIGRANE: an electronic copyright framework
P. Vannel, G. Tsobgni
Security for E-Commerce Applications
A. Königer
Facilitating Administrative Services
for Mobile Europeans with Secure Multi-Application Smartcards
R. Riedl
Smart Cards Technologies for the Internet:
Security and Interoperability Issues
D. Ankri
PKI case study: Bank of Sabadell
J. Buch
A New Standard For Security In E-Commerce
A. Elsaleh
Digital Signature for Administrative
Simplification and for E-Commerce Development (Digisec Project)
A. Schena
Co-Ordination of Security Activities
between Chambers of Commerce
N. Kyrloglou, D. Polemi, P. Forret, S. Grufferty, P. Landrock,
J. Leerling, O. Mueller, S. Rytlig, D. Spinellis
Authenticating Web-Based Virtual Shops
Using Verifiable Visual Seals
H. Yoshiura, T. Shigematsu, S. Susaki, T. Saito, H. Toyoshima,
C. Kurita, S. Tezuka, R. Sasaki
A Security Chain for Trust and Confidence
L. Beslay
Nsafe.no: A Norwegian on-line business
certification and quality label scheme for
e-commerce
A.B.S. Fosse
Business Models and Regulation in the
Electronic Distribution of Music
M. Kretschmer, R. Wallis
Copyright Description Language for Distribution
of Digital Contents
H. Hoshino, A.Yamada
Digital Rights Management and E-Commerce
Applications
A. Torrubia, L.J. Martí, F.J. Mora
Digital Signatures for Web Content
C. Geuer-Pollmann, C. Ruland, P. Sklavos, M. Moula
A PKI Scenario for High-Security Communications:
Re-issued Certificates
O. Cánovas, A.F. Gómez, G. Martínez
Mediating and Monitoring Electronic Commerce
T. de Bree, V. Furundarena
The amalgam of Service Providers names: implication on Internet (liability) regulation?
Katia BODARD
Vrije Universiteit Brussel, Faculty of Law,
Department for Development of Law, Comparative Law and European
Law,
Centre for Interaction Law & Technology
Brussel, Belgium
Much uncertainty has been created by the use of different names to designate
the persons or entities providing services on the Internet. This is complicated
by the fact that those service providers combine different functions. The result
is that different names can be used for one and the same function, or one and
the same name for different functions. Does this confusion have an impact on
Internet regulation? Yes and no! Yes, in so far as, when conflicts arise, one
first has to define clearly the function a provider has taken up in the specific
case. No, in so far as Internet regulation such as the EC proposal on e-commerce
and the DMCA focuses on the function itself to establish liability rules.
The Influence of the Legal Environment on Internet Security
Ignacio GIL PECHUÁN, Rosa I. NAVARRO VARELA and Rubén Darío FRANCO
Universidad Politécnica de Valencia, Dpto. Organización de Empresas, Spain
Security concerns are delaying the definitive take-off of electronic commerce.
In this work, the influence of the legal environment on its evolution and
development is analysed. To this end, we studied the technical and legal aspects
surrounding the emergence of the electronic signature, such as the difficulty of
producing legal evidence of electronic transactions, its probatory effectiveness
and its capacity to prevent damage to information, among others. The
international initiatives on Internet security are also reviewed, especially the
European Union Directive and the Spanish Royal Law-Decree on Electronic
Signature. Finally, we select a subset of the indicators of the Metric for the
Information Society in Spain, proposed by SEDISI, that allow us to track the
evolution of electronic commerce and of the security infrastructure.
The Influence of the Legal Environment on Internet Security
Electronic Commerce and Consumer Protection in Europe
Michael LEHMANN
University and MPI Munich, Germany
On May 4, 2000 the European Parliament approved the Directive on Electronic
Commerce in Europe, which deals primarily with the possibility of advertising on
the Internet, especially in the World Wide Web (www), with commercial
communications, with the formation of a contract through a one-click scheme of
order and confirmation, and with the new rules of civil and criminal liability
for all net service providers. Hosting services, for example, are free of any
responsibility if they react immediately upon notice and take down from their
server, or block access to, the incriminated contents, e.g. pirated music. This
paper explains the main objectives of this new European Directive and criticises
it from the standpoint of adequate consumer protection in Europe and of the
international standards of protection of industrial and intellectual property
set by the Agreement on Trade-Related Aspects of Intellectual Property Rights
(TRIPS) of the World Trade Organization (WTO, Geneva).
Online Intermediary Liability Framework
Mikko VÄLIMÄKI and Petri MARTIKAINEN
Helsinki Institute for Information Technology, Finland
The article describes a conceptual framework that can be used to detect and
analyse online intermediary liabilities. The presentation is divided into three
parts: (1) liability regarding the role of the transacting parties, (2)
liability regarding the transaction itself and (3) liability regarding the
application in use. The first part identifies the various intermediaries and
their roles; the starting point for analysis is the identification of weak
points in the transaction chain. The second part concerns the object of the
transaction; examples include copyrighted or patented content and private
customer data. The third part is based on the application; the basic issue here
is the protection of digital property rights, which has a number of
implications. Finally, the adequacy of the three-step framework is illustrated
with the Napster and DeCSS cases.
Managing legal paperwork: an integration effort
Roberto GAGLIARDI, Paolo FIORENZANI, Sergio MONTANARI, Giacomo
MAZZINI
Consorzio Pisa Ricerche, Pisa, Italy
Within the framework of "one-stop desk points", still a complex challenge for
both traditional and electronic government, an infrastructural and functional
architecture is proposed for e-bureau networks, where information and
transaction services have to be distributed and their legal validity has to be
guaranteed. An overview is given of the problems faced and the solutions
proposed to fulfil the basic requirements of such "administrative portals".
Whereas performance can be deferred to later technological improvements, the
development prospects require at least protection of data integrity and
authentication of communications, as well as high architectural scalability,
flexibility, interoperability with legacy systems and software platform
independence. Moreover, information, distributed in a scalable manner, has to
be widely and easily accessible, consistently available, standardised and
structured.
FILIGRANE: an electronic copyright framework
Pierre VANNEL(1) and Guy TSOBGNI(2)
(1)Gemplus Labs, Gémenos, France
(2)Gemplus Services Europe, MARSEILLE, France
Filigrane is a Java framework proposing a secure system for trading mobile
software over networks (Internet, GSM, etc.). It fits well the needs of the
emerging market of application service provision, including agent-based
services. It targets both the application service provider and the consumer
device manufacturer (PC, e-book, PDA, etc.). To the application provider, it
offers packaging services to protect the IPRs (Intellectual Property Rights) of
the software to be delivered, according to a licence agreement with the
end-user. An IPMP (Intellectual Property Management and Protection) system
specific to the software producer, plugged into the framework, coordinates the
packaging services. Inside the client device, the corresponding IPMP system
interprets the set of execution rules and coordinates the corresponding
operations. It can be split in two parts: one in the device and the other inside
a multi-application smart card (i.e. a JavaCard) as an IPMP card applet.
Security for E-Commerce Applications
Axel KÖNIGER
Infineon Technologies AG, Security and Chip Card ICs, Munich,
Germany
Doing business has changed dramatically over the last few years due to the
emergence of the Internet and related applications. Not only private customers
but also business customers and organisations face completely new ways to
exchange information, conduct financial transactions and deliver or receive
goods. Two main features are essential to enable a broad spread of e-commerce:
ease of use for the user together with a mature level of security. With the
development of technology, more and more portals open the way to the electronic
world of doing business. Whereas PCs are the most common platform for e-commerce
today, portals like set-top boxes and especially mobile devices (phones and
PDAs) will clearly dominate in 3 to 4 years. Secure hardware is a key feature to
enable a trust relationship between customers and service/content providers.
Modern cryptography based on public-key algorithms, together with the
possibility to store private keys in a tamperproof device and to perform
critical operations in a trusted environment, will be the basic requirements
for future e-commerce applications. Infineon Technologies is proactively
thinking about future applications in order to provide security components in
time.
Facilitating Administrative Services for Mobile Europeans with Secure Multi-Application Smartcards
Reinhard RIEDL
Department of Computer Science, University of Zurich, Zurich, Switzerland
We discuss how JavaCard technology may be exploited for facilitating
better administrative services for a broad class of inter-organizational
and brokerage processes. Particular emphasis is given to the
required interdisciplinarity of the engineering process.
Smart Cards Technologies for the Internet: Security and Interoperability Issues
David ANKRI
Smart IS Marketing
Neuilly, France
This paper will address the
strategic issues related to smart cards technologies and security
infrastructure for Internet applications, and will present the
main European initiatives and international actions in progress
to standardize the concept of electronic identity by smart cards
for all Internet end users.
PKI case study: Bank of Sabadell
Jordi BUCH
Safelayer Secure Communications, Spain
Bank of Sabadell is the first Spanish bank to offer its clients PKI technology
on smart cards in order to secure Internet banking operations. This paper
describes the application of this technology in the Bank of Sabadell. After an
introduction to the characteristics of the PKI and several aspects to consider,
the author explains how the final "home banking" solution was deployed in the
Bank of Sabadell. The model is based on a Certification Authority that generates
batches of digital signature and authentication certificates on smart cards. The
generated certificates are not initially associated with any particular client;
the association is made later. This allows clients to receive everything they
need for "Home Banking" in a single visit, with no need to come back to complete
the registration procedure, as is usual in other PKI systems. The issuance of
this type of digital certificate rests on the fact that a private key together
with a digital signature and authentication certificate are provided. Their
strength and viability were based on three technological aspects:
- 1024-bit key sizes.
- Smart-card-only support.
- A PKCS#11 module and a Cryptographic Service Provider (CSP) allow Netscape
Communicator and Microsoft Internet Explorer to use Bank of Sabadell digital
certificates.
A New Standard For Security In E-Commerce
Amin ELSALEH
Managing Director EDIAUDIT
Bourg-La-Reine, France
We believe that the new generation of servers for e-commerce is basically
oriented towards the association of three standards: XML, EDI and Java. This
association enabled us to build a certification tool for EDI messages, supported
by a knowledge database that is unique for each business type and by a dynamic
routing engine that provides communications with on-line users. During the last
two years we populated one of those knowledge databases, dedicated to the
insurance sector, and in parallel we built a new security standard based on two
concepts: the interception of data in a structured document and their
verification against security rules applied to the intercepted data. This
security standard consists of a set of expressions that allow the knowledge
database to be populated for any commercial sector (namely insurance,
distribution, banking and others). It consequently also allows any type of
traditional business to be migrated to e-commerce with a guarantee of full
reliability of the data exchanged between the partners in a business
transaction, and full tracing of all the documents exchanged during the
transaction lifecycle, with automatic reports including those that may trigger
the rejection of incoherent or fraudulent documents. We believe that with this
new standard we will be able to provide a valuable type of content to all
proposed portal solutions: the knowledge database for each business type,
associated with a new type of security, namely business rules that are not
public and are exclusively under the control of the executive management of a
given company.
Digital Signature for Administrative Simplification and for E-Commerce Development (Digisec Project)
Alberto SCHENA
InfoCamere, Roma, Italy
The DIGISEC project represents the trial phase of a wider project aiming at a
massive introduction of the digital signature as an instrument helping both
administrative simplification and e-commerce development. The proposers have to
provide for the Italian Chambers of Commerce and their users (the enterprises)
a Certification Authority (CA) service suitable for 2 million digital signature
devices (smart cards) by the end of 2001. Secure identification,
non-repudiation of documents and electronic payments will assure simple, secure
and inexpensive interchange between enterprises and Public Administration and
for e-commerce transactions. Existing technologies have not yet been tested and
proved in a real operational situation with a massive initial user base. The
trial, involving about 100,000 subjects, will support the final choice between
the "traditional" smart card and the new "Java card", very promising for the
future but still lacking concrete applications.
Co-Ordination of Security Activities between Chambers of Commerce
Nikolaos KYRLOGLOU(1), Despina POLEMI(2), Peter FORRET(3), Sharon
GRUFFERTY(4), Peter LANDROCK(5), Jan LEERLING(6), Otto MUELLER(7),
Steen RYTLIG(8), Diomidis SPINELLIS(9)
(1) Athens Chamber of Commerce and Industry; Greece
(2) Institute of Communications and Computer Systems; Greece
(3) GlobalSign NV/SA
(4) Baltimore Technologies Ltd.; Ireland
(5) Cryptomathic A/S; Denmark
(6) Amsterdam Chamber of Commerce and Industry; The Netherlands
(7) Zurich Chamber of Commerce and Industry; Switzerland
(8) Danish Chamber of Commerce; Denmark
(9) University of Aegean; Greece
E-Commerce is now a new challenge for the Chambers of Commerce (CoCs)
world-wide. On the one hand, the traditional business based on paper documents
is diminishing and must be supported by electronic documents and communication.
On the other hand, the replacement of paper documents by electronic files offers
new opportunities for the CoCs to act as Trusted Third Parties. The necessary
technical infrastructure and the tools to cope with this challenge already exist
and can be implemented. The European Commission, under the Telematics
Applications Programme for Administrations, has funded a two-year project
entitled COSACC (Co-Ordination of Security Activities between the Chambers of
Commerce). It started in July 1998 and aimed to identify current and future
business scenarios for CoCs that can be handled electronically, to permit the
CoCs to act as a vehicle for international electronic commerce, and to provide
a secure link between CoCs in order to enable them to take their primary
business into an electronic realisation. The project concluded successfully in
June 2000 and arrived at a set of services to be offered to CoC members.
Authenticating Web-Based Virtual Shops Using Verifiable Visual Seals
Hiroshi YOSHIURA, Takaaki SHIGEMATSU, Seiichi SUSAKI, Tsukasa
SAITO, Hisashi TOYOSHIMA, Chikako KURITA, Satoru TEZUKA, Ryoichi
SASAKI
Hitachi, Yokohama, Japan
Authenticating virtual shops
is critical to establishing consumer trust in e-commerce, and
one way to authenticate these shops is to use guarantee seals
pasted on their Web pages. The effectiveness of this method,
however, depends on the reliability of the seals. This paper
therefore describes a verifiable seal system based on embedding
the digital signatures of authorities into seals by using digital
watermarking. This system can guarantee that the seal on a shop's
Web page was issued to that shop by the designated authority,
that the seal has not been forged or tampered with, and that
the seal has not expired. The consumer can therefore trust honest
shops and avoid fake shops.
A Security Chain for Trust and Confidence
Laurent BESLAY
Institute for Prospective Technological Studies - European Commission
- Joint Research Center, Sevilla, Spain
The primary parameter for sustained growth of e-commerce is the establishment
of trust relationships in the virtual world. Making this trustworthy
environment a reality will depend not only on new technologies but also on the
management of privacy and security. I will present a new methodology to manage
and reduce the risk in information technology systems: the security chain,
which is supported by the C.I.A. (Confidentiality, Integrity, Authentication)
concept and the HACCP (Hazard Analysis Critical Control Point) method. Based on
a strong parallel with the cold chain in the food sector, the security chain
involves the entire group of actors in the same objective: the security of the
raw material (information) for the benefit of all, and not only of the consumer.
Nsafe.no: A Norwegian on-line business certification and quality label scheme for e-commerce
Agnes Beathe Steen FOSSE
Stiftelsen eforum.no, Oslo, Norway
Nsafe is a Norwegian on-line business certification and quality label scheme
for e-business. The scheme includes a seal, a code of conduct, a directory of
seal holders and an appeal board, all combined into one system. Nsafe.no was
launched on 24 November 1999. Nsafe is set up to improve the relationship
between e-businesses and consumers and to make e-commerce easier and safer. The
code of conduct is of course based on Norwegian law. The code of conduct and
the law are harmonised with EU regulations on some points, but we still have
further steps to go. The Nsafe system can easily be adjusted so that it can be
used in other countries and areas. It can, for example, be adjusted for larger
areas, as we will do when Scansafe is developed and launched in the Nordic
countries.
Business Models and Regulation in the Electronic Distribution of Music
Martin KRETSCHMER(1) and Roger WALLIS(2)
(1)Centre for Intellectual Property Policy & Management,
School of Finance & Law
Bournemouth University, Dorset, United Kingdom
(2)Dept. of Media Technology and Graphic Arts, Royal Institute
of Technology (KTH), Stockholm, Sweden
Drawing on more than 100 interviews conducted between 1996 and 2000 with
multinational and independent music companies in 10 markets, the strategies of
the major players, current business models and regulatory responses to the
on-line distribution of music files are reported and analysed.
Copyright Description Language for Distribution of Digital Contents
Hiroshi HOSHINO, Atsushi YAMADA
Kyoto 600-8813 JAPAN
In order to protect the copyrights of digital contents, a standard for copyright
description is needed, as well as watermarking, encryption and accounting
technologies. We have developed a copyright description language (called CMF)
that can describe complex copyrights in compound contents. CMF is based on XML
and can define contents information, right holder information and use
conditions, which include the offered terms, the agreed terms and the charge
rules of the contents. The agreed terms are selected by the user of the contents
from the use conditions that the author has offered. As the author declares the
price of the contents in the charge rules, users can calculate the cost of the
contents.
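As an added illustration of the kind of document the abstract describes (example code written for this page, not the authors' CMF implementation or schema; every element and attribute name below is assumed, since the abstract gives none), the following Python reads a constructed CMF-style file, lets a user pick one of the author's offered terms, records the agreed terms as a reference to that offer, and derives the cost from the author's charge rule. The point for a practitioner is that price and limits live only in the offered terms, so the agreed terms cannot be edited to undercut them.

```python
"""Reading a CMF-style copyright description and costing a use of the contents.

Added example for this page, not the authors' CMF implementation: the abstract
names no elements, so every tag and attribute below is assumed.  The author's
charge rules sit only in <offeredTerms>; <agreedTerms> merely references one of
them, so the price cannot be changed by the party that selects the terms.
Standard library only.
"""
import xml.etree.ElementTree as ET

# Constructed sample document (hypothetical schema, not real CMF).
SAMPLE_CMF = """<cmf>
  <contents id="photo-0042" title="Harbour at dawn" format="image/jpeg"/>
  <rightHolder name="A. Author" contact="rights@example.invalid"/>
  <useConditions currency="JPY">
    <offeredTerms>
      <term id="view"  use="view"  unit="per-use" price="50"/>
      <term id="print" use="print" unit="per-use" price="300" maxCount="10"/>
      <term id="site"  use="view"  unit="flat"    price="5000" validDays="30"/>
    </offeredTerms>
    <agreedTerms/>
  </useConditions>
</cmf>"""


class CMFError(ValueError):
    """A selection that the offered terms do not cover."""


def load_terms(doc):
    """Return (currency, {term id: attributes}) from <offeredTerms>."""
    root = ET.fromstring(doc) if isinstance(doc, str) else doc
    conditions = root.find("useConditions")
    terms = {}
    for term in conditions.findall("offeredTerms/term"):
        attrs = dict(term.attrib)
        attrs["price"] = int(attrs["price"])
        if "maxCount" in attrs:
            attrs["maxCount"] = int(attrs["maxCount"])
        terms[attrs["id"]] = attrs
    return conditions.get("currency"), terms


def quote(doc, term_id, count=1):
    """Cost of `count` uses under offered term `term_id`, from the author's charge rule."""
    _, terms = load_terms(doc)
    if term_id not in terms:
        raise CMFError("term not offered: %s" % term_id)
    term = terms[term_id]
    if count < 1:
        raise CMFError("count must be positive")
    if count > term.get("maxCount", count):
        raise CMFError("count %d exceeds maxCount %d" % (count, term["maxCount"]))
    if term["unit"] == "flat":
        return term["price"]        # flat fee, independent of count
    return term["price"] * count    # per-use charge rule


def agree(doc, term_id, count=1):
    """Record the user's selection as a reference to an offered term; return new XML."""
    root = ET.fromstring(doc)
    quote(root, term_id, count)     # validate before recording anything
    agreed = root.find("useConditions/agreedTerms")
    agreed.clear()
    ET.SubElement(agreed, "select", ref=term_id, count=str(count))
    return ET.tostring(root, encoding="unicode")


def cost_of_agreed(doc):
    """Re-derive the cost from <agreedTerms> by looking the reference up in <offeredTerms>."""
    root = ET.fromstring(doc)
    sel = root.find("useConditions/agreedTerms/select")
    if sel is None:
        raise CMFError("no agreed terms recorded")
    return quote(root, sel.get("ref"), int(sel.get("count", "1")))


if __name__ == "__main__":
    signed_off = agree(SAMPLE_CMF, "print", 4)
    print(cost_of_agreed(signed_off), load_terms(signed_off)[0])  # 1200 JPY
```

Because `cost_of_agreed` always resolves the selection back to `<offeredTerms>`, a client that edits `<agreedTerms>` can only choose among the author's offers; a forged reference or a count beyond `maxCount` is rejected rather than priced.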
Digital Rights Management and E-Commerce Applications
Andrés TORRUBIA(1), Luis J. MARTÍ(2) and Francisco
J. MORA(3)
(1) Alicante, Spain
(2) Alicante, Spain
(3) Universidad Politécnica de Valencia, Dpto. Ingeniería
Electrónica, Camino de Vera, Valencia, Spain
In the present environment, an increasing number of e-commerce applications are
continuously appearing, offering many possibilities to worldwide online
customers, among which sales of intangible assets are a significant part. The
management of intangible assets raises some questions that must be solved. An
effective Intangible Assets Management (IAM) system must take into account
several security issues, such as privacy, confidentiality and intellectual
property rights, which must be protected. The use of cryptographic techniques in
Digital Rights Management (DRM) systems helps achieve these objectives, assuring
that copyrights are fully respected. Another important issue is the
interoperability of e-commerce systems. Any e-commerce solution must take into
account that easy-to-use systems are more likely to become standards over the
Internet than complex and non-user-friendly solutions.
Digital Signatures for Web Content
Christian GEUER-POLLMANN(1), Christoph RULAND(1), Panagiotis SKLAVOS(2) and
Marina MOULA(3)
(1) University of Siegen, Institute for Data Communications Systems, Siegen, Germany
(2) EXPERTNET S.A., Athens, Greece
(3) PROODOS S.A. - New Telematic Services, Products and Applications Co S.A., Athens, Greece
The eXtensible Markup Language (XML) will form the basis for information
interchange between the next generation of computer systems, especially in the
field of business-to-business communications. It will make the electronic
exchange of documents and other exchangeable information much easier and less
expensive. Security of the exchanged information and documents (e.g. integrity
and authenticity of the message and/or signer authentication) will be provided
by XML Signatures. The main goal of the ISIS project <WebSig> is to develop a
publicly available library for embedding digital signatures in XML, in
compliance with the W3C standard "XML Digital Signature", in order to assure
the integrity and authenticity of exchanged documents. The second goal is to use
an existing e-commerce application (ERMIS) as a demonstrator. ERMIS is an
electronic system on the Internet promoting tourism in the Aegean Region and
allowing on-line booking and payment. Tourist companies, hotels and other
agencies participate in the ERMIS network. <WebSig> enhances the security of
the ERMIS system: digitally signed reservation vouchers are sent by the system
to the hotel owner and the customer.
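As an added example (written for this page; not the <WebSig> library or ERMIS code), the Python below carries out the reference-validation half of W3C XML Signature core validation over a constructed reservation voucher: the signed data is canonicalised, hashed with SHA-256, and the result compared against the <DigestValue> inside <SignedInfo>. The second half, checking the signature over <SignedInfo> with the signer's public key, is left out because it needs a key pair. Two assumptions: the voucher format is invented, and canonicalisation uses the standard library's C14N 2.0 rather than the C14N 1.0 that XMLDSig 1.0 specifies.

```python
"""Reference validation for an XML Signature over a reservation voucher.

Added example for this page (not the <WebSig> library or ERMIS code).  It
performs the first step of XML Signature core validation: canonicalise the
signed data, hash it, and compare with the <DigestValue> in <SignedInfo>.
The second step, the signature over <SignedInfo>, is omitted since it needs a
key pair.  Assumed: the voucher structure, and C14N 2.0 (what the standard
library offers) in place of the C14N 1.0 of XMLDSig 1.0.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"

# Constructed voucher (not ERMIS's real format).
VOUCHER = ('<Voucher Id="v-2000-0815"><Hotel>Aegean View</Hotel>'
           '<Guest>C. Example</Guest><Nights>3</Nights>'
           '<Total currency="EUR">270.00</Total></Voucher>')


def c14n(xml_text):
    """Canonical bytes: signer and verifier must hash exactly the same octets."""
    return ET.canonicalize(xml_data=xml_text, strip_text=True).encode("utf-8")


def digest_value(xml_text):
    """Base64 SHA-256 of the canonical form, as carried in <DigestValue>."""
    return base64.b64encode(hashlib.sha256(c14n(xml_text)).digest()).decode("ascii")


def build_signed_info(voucher_xml, uri):
    """<ds:SignedInfo> with one detached <ds:Reference> to the voucher."""
    si = ET.Element("{%s}SignedInfo" % DS)
    ET.SubElement(si, "{%s}CanonicalizationMethod" % DS, Algorithm=C14N2)
    ET.SubElement(si, "{%s}SignatureMethod" % DS,
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = ET.SubElement(si, "{%s}Reference" % DS, URI=uri)
    ET.SubElement(ref, "{%s}DigestMethod" % DS, Algorithm=SHA256)
    ET.SubElement(ref, "{%s}DigestValue" % DS).text = digest_value(voucher_xml)
    return ET.tostring(si, encoding="unicode")


def validate_references(signed_info_xml, resolve):
    """Every <ds:Reference> must resolve and match its digest; otherwise False.

    `resolve(uri)` returns the referenced XML or None.  An absent or unexpected
    DigestMethod is treated as failure so an algorithm downgrade cannot pass.
    """
    si = ET.fromstring(signed_info_xml)
    refs = si.findall("{%s}Reference" % DS)
    if not refs:
        return False
    for ref in refs:
        method = ref.find("{%s}DigestMethod" % DS)
        value = ref.find("{%s}DigestValue" % DS)
        if method is None or value is None or method.get("Algorithm") != SHA256:
            return False
        data = resolve(ref.get("URI"))
        if data is None:
            return False
        expected = (value.text or "").strip().encode("ascii", "replace")
        if not hmac.compare_digest(digest_value(data).encode("ascii"), expected):
            return False
    return True


if __name__ == "__main__":
    signed_info = build_signed_info(VOUCHER, "voucher.xml")
    print(validate_references(signed_info, {"voucher.xml": VOUCHER}.get))  # True
    forged = VOUCHER.replace("270.00", "27.00")
    print(validate_references(signed_info, {"voucher.xml": forged}.get))   # False
```

Canonicalisation is what makes the digest stable across harmless re-serialisation (whitespace between elements, attribute order) while still catching a changed amount; the verifier must also refuse references whose digest algorithm it did not expect, since otherwise a weaker hash could be substituted in <SignedInfo>.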
A PKI Scenario for High-Security Communications: Re-issued Certificates
Oscar CÁNOVAS(1), Antonio F. GÓMEZ(2) and Gregorio
MARTÍNEZ(2)
(1)Dpto. de Ingeniería y Tecnología de Computadores
(2)Dpto. de Informática, Inteligencia Artificial y Electrónica
University of Murcia, Campus de Espinardo, Murcia, Spain
There are certain communications based on the X.509 standard, which we call
high-security, that require high reliability about the status of the
certificates involved. The X.509 standard provides a suitable mechanism for
cached operation, certificate revocation lists (CRLs), but CRLs have specific
lifetimes and are not suitable for systems needing a near-instantaneous
statement about the validity of the certificate involved. However, online
mechanisms for real-time confirmation require high bandwidth and also decrease
overall performance by introducing a large number of new messages on the
network. We propose a system for high-security communications based on signed
statements establishing the validity of the certificates concerned. This
proposal is based on trusted elements that communicate with each other over SSL
connections and transmit signed statements that can be validated by any other
system entity. The essential signed statement, the re-issued certificate,
provides a standard method for validation, since all applications based on SSL,
S/MIME, SET or other widely used protocols work with X.509 certificates.
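The following Python is an added example written for this page, not code from either paper, and it serves two abstracts above that rest on the same mechanism, a signed statement with an expiry checked by the relying party: the seal of "Authenticating Web-Based Virtual Shops Using Verifiable Visual Seals" (the authority's signature over the shop name and an expiry is embedded in the seal image's least-significant bits and extracted and checked on the consumer side) and the re-issued certificate of this abstract (a trusted element signs a short-lived statement that a given certificate is valid now, so the relying party needs neither a CRL nor a per-request online query). Assumed for a stand-alone run: textbook RSA over SHA-256 with a toy 512-bit key generated at runtime (no padding, not production cryptography), plus constructed pixel data, shop names and certificate serials.

```python
"""Signed, expiring statements: a verifiable visual seal and a re-issued certificate.

Added example for this page (not the authors' code) serving two abstracts: the
seal of "Authenticating Web-Based Virtual Shops Using Verifiable Visual Seals"
carries the authority's signature over (shop, expiry) in the image's LSBs; the
re-issued certificate of "A PKI Scenario for High-Security Communications" is a
short-lived signed statement that a certificate is valid now.  Assumed: textbook
RSA over SHA-256 with a toy 512-bit key generated here (no padding, not
production crypto); pixels, shop names and serials are constructed.
"""
import hashlib
import secrets

def _probable_prime(n, rounds=16):
    """Miller-Rabin for odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):
    """Return ((n, e), (n, d)); toy key size so the example runs quickly."""
    e, half = 65537, bits // 2
    while True:
        p = secrets.randbits(half) | (1 << (half - 1)) | 1
        q = secrets.randbits(half) | (1 << (half - 1)) | 1
        if p != q and _probable_prime(p) and _probable_prime(q):
            phi = (p - 1) * (q - 1)
            if phi % e:
                return (p * q, e), (p * q, pow(e, -1, phi))

def sign(priv, msg):
    n, d = priv
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def verify(pub, msg, sig):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h

# (1) Verifiable visual seal: statement and signature are watermarked into pixel LSBs.

def _embed_lsb(pixels, payload):
    bits = "".join(format(b, "08b") for b in payload)
    if len(bits) > len(pixels):
        raise ValueError("seal image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)

def _extract_lsb(pixels, nbytes):
    bits = "".join(str(p & 1) for p in pixels[:nbytes * 8])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) // 8 * 8, 8))

def issue_seal(authority_priv, image, shop, expires):
    """Authority signs (shop, expiry) and hides length + statement + signature in the seal."""
    if "|" in shop:
        raise ValueError("shop name must not contain the field separator")
    statement = ("seal|%s|%d" % (shop, expires)).encode()
    return _embed_lsb(image, bytes([len(statement)]) + statement + sign(authority_priv, statement))

def verify_seal(authority_pub, seal, shop, now):
    """True only if the seal was issued to `shop` (the site visited), is untampered and unexpired."""
    length = _extract_lsb(seal, 1)[0]
    payload = _extract_lsb(seal, 1 + length + (authority_pub[0].bit_length() + 7) // 8)
    statement, sig = payload[1:1 + length], payload[1 + length:]
    if not verify(authority_pub, statement, sig):
        return False  # forged, tampered, or signed by some other authority
    kind, sealed_shop, expires = statement.decode().split("|")
    # A genuine seal copied onto another shop's page fails the binding check here.
    return kind == "seal" and sealed_shop == shop and now < int(expires)

# (2) Re-issued certificate: a short-lived signed validity statement.

def reissue(trusted_priv, serial, now, window=300):
    """Trusted element asserts that certificate `serial` is valid for the next `window` seconds."""
    statement = ("valid|%s|%d|%d" % (serial, now, now + window)).encode()
    return statement, sign(trusted_priv, statement)

def accept_certificate(trusted_pub, serial, reissued, now):
    """Relying party: signature, serial binding, and a window of minutes rather than a CRL's lifetime."""
    statement, sig = reissued
    if not verify(trusted_pub, statement, sig):
        return False
    kind, s, not_before, not_after = statement.decode().split("|")
    return kind == "valid" and s == serial and int(not_before) <= now < int(not_after)
```

To try it: `pub, priv = keygen()`, then `seal = issue_seal(priv, bytes(range(256)) * 4, "honest-shop.example", now + 86400)` and `verify_seal(pub, seal, "honest-shop.example", now)` returns True, while the same seal checked against "fake-shop.example" returns False, since the shop name is inside the signed statement. For the certificate case, `stmt = reissue(priv, "0x1A2B", now)` is accepted by `accept_certificate(pub, "0x1A2B", stmt, now + 60)` and rejected once the five-minute window has elapsed, which is the property the abstract trades against CRL lifetime and online-query load: a revocation takes effect as soon as the trusted element stops re-issuing.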
Mediating and Monitoring Electronic Commerce
Tony DE BREE(1) and Víctor FURUNDARENA(2)
(1)ABN Amro Bank NV, The Netherlands
(2) Federation for Enterprise Knowledge Development, Spain
The purpose of the Mediating and Monitoring Electronic Commerce (MeMo) project
is to construct a safe and trusted environment dedicated to the promotion of
international electronic commerce activities for SMEs. MeMo, as an Electronic
Commerce Broker Service (ECBS), will stimulate electronic commerce transactions
and interactions among SMEs in different European countries beyond the typical
purchase of catalogue products ("posted pricing") and the e-auction models. The
MeMo system basically covers the complete flow from Searching to Fulfilment,
although the project focuses on the Search, Negotiate and Deal Making stages.
The whole workflow is supported by XML-formatted messages. The first case covers
the Construction Industry. Thanks to its powerful partner and product searching
based on Concept Navigating, and its negotiation and contracting mechanisms,
MeMo will allow SMEs to identify opportunities for business and co-operation,
establish solid and trustworthy relationships, and trade value-added services
over the Internet, something that is usually only possible through large
investments of time and face-to-face interactions. Trust services provided by
financial services institutions like ABN AMRO will increase the level of trust
in their marketplaces.