Theme Paper


3. BUILDING CONFIDENCE

National governments can contribute significantly to the development of Global Information Networks by providing a framework in which the protection of the general interests of both society and individuals is ensured and in which industry and users have confidence in the operation and use of the networks.

Building confidence by achieving efficient protection is essential to allow the positive development of these networks. Those who entrust their data to the networks wish to be sure that it is not altered and that it will not be disclosed to unauthorised recipients or otherwise infringe their right to privacy. The responsibilities of the different actors must also be clear, so that they can assess both the practical advantages of using Global Information Networks and the legal and financial implications.

Ensuring efficient public protection also implies that law enforcement and judicial authorities should have the means to prevent and combat the misuse of the Global Information Networks, while avoiding undue restrictions.

3.1. Security and confidentiality

3.1.1. Identified Issues

Information Security is one of the key issues for the emergence of the Global Information Society. It is particularly important to create a fundamental common trust in the future of the new communication infrastructure and thus to ensure that it reaches its full potential. Proper use of available technologies, combined with best practice, provides users with integrity and confidentiality for their business transactions and contributes to the protection of their privacy. The use of cryptographic methods is one important way of reducing the vulnerability of data to damage or unauthorised access in such open information networks.

It is also important that the confidentiality of data should be protected where electronic networks are used for ordering goods or services, for electronic payments, for delivery of bids for public tenders or the exchange of medical data, as well as private communications. It will usually also be necessary to ensure that bids and personal data are only available to authorised recipients on the network. Encryption and digital signature are the two principal applications of cryptography applicable in the field of electronic commerce.

Use of cryptographic methods to protect confidentiality may also help criminals (e.g. drug traders or terrorists) to hide their activities. Government agencies may wish to have access to the plain text of encrypted data in certain circumstances, which must be defined by law. A distinction needs to be made between this use of cryptography and the use of cryptography for the protection of data integrity or the authentication of correspondents, particularly in respect of digital signatures, which will be dealt with in the following section, and where the system makes freely available the information required to decrypt and verify the signature.

On 27 March 1997, the OECD approved Guidelines on Cryptography Policy. These Guidelines do not constitute a binding legal document; however, they are the first attempt on an international level to bring about a common understanding of the issue of confidentiality. In the European Union, the provisions of the Data Protection Directive would have to be observed.

Technical solutions and user awareness are needed to ensure security and reliability of electronic systems. An example of this is the Century Date change issue, otherwise known as the "Millennium Bug". Many computer programs and processor chips will not be able to cope properly with dates after 31 December 1999. The UK government has started a large-scale awareness action for businesses and public sector users.

3.1.2. Questions

3.1.3. Possible Solutions

3.2. Authentication and integrity of messages

3.2.1. Identified Issues

Global Information Networks can be used for a variety of applications in both the business and personal spheres, e.g. for ordering goods or services, for electronic payments or for delivery of bids for public tenders. Just as in traditional "paper-based" commercial relationships, in digital trading signatories have to be identified, documents authenticated and non-repudiability established.

Particularly in the initial phase of development of electronic commerce, it is necessary to build trust in electronic transactions. One of the keystones in the trust-building process is the use of digital signatures.

Based on the contents of the message, and unique to that message, digital signatures can provide the unambiguous confirmation of the identity of the sender of a message, and of the authenticity and integrity of the message. Compared with its analogue counterparts, a digital signature can offer added functions and specific advantages in terms of security and flexibility. A first step to build trust in the system would be the adoption of minimum rules and standards on the infrastructure for digital signatures, which includes certification authorities.

The formal requirements for legal transactions, including the need for signatures, vary in different legal systems. In order that electronic communication can achieve its full potential in the international legal and business realms, digital signatures should have full recognition - as far as formal requirements and their admissibility as evidence are concerned - in the context of national laws and regulations.

The recognition of digital signatures should be drafted to cover all transactions likely to be carried out electronically, since the security against forgery for instance is far higher than with traditional paper transactions. Due attention should be paid to clarifying the liability of those issuing certificates and their responsibility for accurate information and ensuring respect for the right to privacy.

At the same time, digital signatures raise privacy implications. The use of digital signatures might imply the collection of personal data and the creation of systems for personal identification. Therefore, the design and use of digital signatures should respect the fundamental right to privacy and, at least in the EU, has to comply with the Data Protection Directive.

3.2.2. Questions

3.2.3. Possible Solutions

3.3. Responsibility of the actors

3.3.1. Identified Issues

Internet actors may play different roles. The chain which stretches from end user to content provider includes a number of links: host service provider, network operator and access provider. It would be misleading to seek an exact comparison between these roles and more traditional and familiar roles in the world of print or audiovisual, although some parallels may be drawn.

There is a need to develop a common understanding by defining the role of every actor at the national and international levels and the responsibility of each player in order to build confidence and to increase clarity for all those involved in the chain between content creation and user. It should be clear who is responsible for what and what consequences should flow from a failure to carry out these responsibilities. This is true in the case of illegal content, where the knowledge of responsibilities is of special importance for governments, regulatory and legal authorities, but also in the case of most on-line transactions where the participants may need to determine it whenever a mistake is thought to have occurred or a dispute arises as to what was agreed.

Government has an important role to play in laying down the legal framework for responsibility of the actors of Global Information Networks. The practical implementation of these rules may be facilitated by appropriate activities on the part of the actors concerned, such as codes of conduct and self-regulatory mechanisms.

The test used to measure those responsibilities should give due weight to what is technically feasible and what the actor knowing the existence of illegal content can reasonably be expected to do. The test under consideration in Germany and that proposed by the Working Party is that Internet service providers should only be liable for illegal content where they are themselves the content provider, or where they have been informed and failed to take reasonable steps to remove illegal content from a service which they offer.

Liability was a factor in discussions at the Diplomatic Conference on certain copyright and neighbouring rights questions held at Geneva from December 2 to 20, 1996 but the treaties and declarations adopted by the Conference leave Contracting Parties free to adopt their own solutions on this issue.

3.3.2. Questions

3.3.3. Possible Solutions

3.4. Preventing and combating misuse

3.4.1. Identified Issues

Doubts are sometimes expressed whether the existing criminal law is adequate to deal with the phenomenon of misuse of global networks for criminal activities or distribution of illegal content. Global Information Networks do not exist in a legal vacuum, since all those involved (authors, content providers, host service providers, network operators, access providers and end users) are subject to their respective national laws. Difficulties may arise in enforcement of national laws in an environment which is not limited by national boundaries.

The public must be confident that these networks do not harm national security or public order and do not allow criminals to develop illegal activities or to endanger individuals. What is illegal off-line must also remain illegal on the networks.

Global Information Networks may be subject to misuse aimed at those connected (malicious hacking) or used as a tool by criminal organisations, terrorist groups and paedophile rings to assist illegal activities (fraud, illegal drug dealing, illegal gambling) or to distribute illegal and harmful content, such as child pornography and incitement to racial hatred. Other criminal activities such as money laundering, fraud and counterfeiting could develop rapidly with the increase in use of electronic means of payment discussed below.

Where the content or use of networks is illegal under the law of both the country where the content is placed in circulation and in the country where it is received, prosecution and sanction of users and content providers do not pose major problems from a law enforcement and a judicial point of view. In most countries, legislation already exists but some adaptations might be required. International co-operation between public law-enforcement authorities is required.

Far more difficult is the question of content considered illegal under the law of the country of reception but not in the country where the content is placed in circulation. As the definition of offences varies from one country to another, not all reprehensible acts are necessarily punishable in all countries. Some national rules require access providers to restrict access to sites which contain such content.

Identification of offenders may not always be possible in the absence of rules requiring either that access providers keep a log of usage for a certain period or that the content provider be identified. Such rules would however raise difficult issues of privacy and anonymous use.

Hot-lines and service providers acting on the advice of self-regulatory bodies can assist the law enforcement authorities by informing them of the existence of illegal material, and are best placed to reduce the flow of illegal content. The European Commission documents discuss this in more detail and bodies have been set up in some EU Member States. International co-operation between these groups is also a good means of improving the effectiveness of their operations.

Questions of the law relating to criminal procedure and evidence, including interception of communications need to be addressed, as do technical issues of ensuring the practicability of lawful interception. Although difficult to achieve due to different legal traditions and cultures, the definition of certain common minimum legislative standards that could apply to the area of Global Networks would facilitate both police and judicial co-operation by filling loopholes.

In any case, enforcement of the law and prosecution are matters for national law enforcement and judicial authorities and they should seek to collaborate closely at international level. The Council of Europe has adopted relevant Ministerial Recommendations, and is considering drafting a Convention. The Organisation for Economic Co-operation and Development (OECD) is examining the issues raised by following initiatives by France and Belgium. Other relevant international activity under way includes preparation for the P8 Summit in Denver in June 1997. This will examine a statement related to combating computer-related crime.

Further initiatives relate to mutual assistance and identifying and training investigators and prosecutors familiar with computers. The Council of Europe is also working on a Convention on Computer Crime, as well as examining wider issues of new services at a conference in Thessaloniki.

3.4.2. Questions

3.4.3. Possible Solutions
