Legal and Security Requirements


The issue of security in e-business has gone from an arcane technical concern to a basic issue in exchanging data among companies and individuals. In 1999, many online businesses adopted a voluntary set of guidelines and best practices called the Standard for Internet Commerce (www.gii.com/standard/) that includes several provisions for addressing these concerns. The driving motivation for developing this standard was the continued viability of electronic business over the Internet. The standard meets five basic needs:[13]

  • Increase consumer satisfaction and confidence in doing business on the Internet.

  • Establish merchant credibility and trustworthiness for customers.

  • Help merchants provide a world-class customer experience, innovate rapidly, and lower their costs.

  • Support and enhance self-regulation of Internet commerce.

  • Help merchants and customers deal with a proliferation of guidelines and symbols.

Because many potential customers have had to overcome security fears before making online purchases, individual businesses have also taken the issue seriously and built in the necessary precautions. A November 2000 survey by ePublicEye, a rating service for online businesses, found the proportion of Internet merchants that use secure transaction processing rose from 85% in 1999 to 93% in 2000, and about 9 in 10 online companies also reported having privacy policies published on their sites.[14]

The need for security in the exchange of data will range from one business scenario to another. Some cases, such as quick lookups of public information, will have little or no security attached to the process. But in most instances, even for the most routine exchanges of data, trading partners will want to protect the transactions.

The messaging services specifications noted the need for ebXML to support security for individual electronic business documents, as well as continuous network sessions, where a number of interactions can occur. The use of session-based security is important for scenarios in which trading partners may have many interactions over a limited period of time. The session-based security model also supports business relationships in which one party monitors in real time the systems of another, such as vendor-managed inventories.

The requirements discuss several individual aspects of security that ebXML needs to address. While these requirements apply to business systems in general, business needs will dictate the extent to which these requirements are implemented from one business system to another.

  • Confidentiality. Trading partners need to conduct their interactions with the assurance that the information remains known only to the parties sharing this information. Adequate confidentiality limits the possibility of eavesdropping.

  • Authentication of sender and receiver. As e-business becomes more voluminous, more global, more intermittent, and more impersonal, the number of potential trading partners from all over the globe will increase, and their interactions will become less frequent and more irregular. Companies exchanging data need to have confidence that all parties engaged in the transactions are really who they claim to be and not impostors seeking to engage in fraud. This concern raises the need to identify and credential the parties involved in the business transaction.

  • Integrity. Companies engaged in e-business need assurance that the data items received by one party are the same as the data items sent by the originating party. Trading partners need to limit the possibility of distortion of the message by non-malicious intent, such as network errors, or by deliberate attempts to falsify or otherwise manipulate messages.

  • Non-repudiation of origin and receipt. Parties engaged in e-business need to provide a record that the transaction actually took place, and that it could not have been a forgery. Electronic transactions need to have the same level of commitment as a signed paper document to hold parties accountable to that commitment.

  • Archiving. Companies need the capability to reconstruct the meaning and intent of one or more transactions several years after the transactions themselves took place. The specifications note that in some instances companies may need to archive their business documents, both physical and electronic, for up to 30 years to meet records-retention requirements.

The specifications indicate that companies can rely on trusted third parties to provide authentication and non-repudiation services. Archiving is one area in which many companies have used third-party services for some time.[15]

Digital Signatures

The specifications include a separate section on digital signatures and note their legal and security implications for identifying the parties in electronic business interactions, and thus their impact on ebXML's authentication requirements discussed earlier. UN/CEFACT, one of the sponsors of ebXML, identified the need for authentication of trade documents through means other than the traditional physical signature as early as 1979.[16]

Digital signatures have now been enacted in law in North America, Europe, and Asia, so as to have the same legal standing as the traditional pen-and-ink variety, and the specifications cite a 1999 California statute (1999 CA SB 1124) that provides an extended definition of a digital signature:[17]

"Digital signature," for the purposes of this section, means an electronic identifier, created by a computer, that is intended by the party using it to have the same force and effect as the use of a manual physical signature. The use of a digital signature shall have the same force or effect as a manual signature if it embodies all of the following attributes:

  • It is unique to the person using it.

  • It is capable of verification.

  • It is under the sole control of the person using it.

  • It is linked to data in a manner that if the data is changed, the digital signature is invalidated.
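The last three attributes map directly onto how a public-key signature behaves, and the integrity and non-repudiation requirements above rely on exactly that behaviour. The following is an added example, not code from the book or from the ebXML specifications: it signs a constructed purchase-order document with an Ed25519 key from Go's standard library, then shows that the signature verifies only for the unmodified bytes and only under the signer's own public key. The `Signer` type, `CheckAttributes` function and the sample document are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample business document standing in for an ebXML payload.
const sampleOrder = `<PurchaseOrder id="PO-0001"><Total currency="USD">1250.00</Total></PurchaseOrder>`

// Signer holds one party's key pair. The private key is the part that must
// stay under the party's sole control; the public key is shared with partners.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for one trading partner.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign binds a signature to the exact bytes of the document.
func (s *Signer) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// Verify checks doc against sig using only the public key of the claimed signer.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// CheckAttributes exercises the statutory attributes: the genuine document
// verifies, a modified document is rejected, and a different party's key does
// not verify the signature. Returns (genuineOK, tamperedRejected, wrongKeyRejected).
func CheckAttributes(signer, other *Signer, doc, tampered []byte) (bool, bool, bool) {
	sig := signer.Sign(doc)
	return Verify(signer.Pub, doc, sig), !Verify(signer.Pub, tampered, sig), !Verify(other.Pub, doc, sig)
}

func main() {
	alice, _ := NewSigner()
	bob, _ := NewSigner()
	// Change one field in the order; a single altered byte must invalidate the signature.
	tampered := []byte(strings.Replace(sampleOrder, "1250.00", "1.00", 1))
	ok, rej, wrong := CheckAttributes(alice, bob, []byte(sampleOrder), tampered)
	fmt.Printf("genuine verifies: %v, tampered rejected: %v, wrong key rejected: %v\n", ok, rej, wrong)
}
```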

Digital signatures have since become part of U.S. federal law. On 30 June 2000, the U.S. Congress passed and President Clinton signed into law the Millennium Digital Commerce Act (Public Law No. 106-229). Title I of the act affirms the validity of electronic signatures and prohibits their denial of legal standing in many business interactions. Title II directs the Department of Commerce to promote the acceptance and use of digital signatures in interstate and foreign trade, as well as to study the potential barriers to their acceptance within and outside the United States. Title III amends the Securities and Exchange Act of 1934 to reflect this law, but still requires manual signatures if needed to deter fraud.[18]

While we can expect to see more software that fully integrates data from businesses into end-user applications, we will have plenty of human hands entering data as well.


Legal Requirements

The specifications identified a few other legal requirements related to security and digital issues. These requirements include full audit capability, a mechanism to ensure completeness of a transaction, versioning control to help reconstruct the full semantic meaning of transactions, and compliance with the 1979 UN/CEFACT recommendations that identified the need for authentication methods other than traditional signatures.[19]



ebXML: The New Global Standard for Doing Business on the Internet
ISBN: 0735711178
Year: 2000
Pages: 100
