
Computer Audit Update, December 1995

© 1995 Elsevier Science Ltd

CYBERLAW - LEGAL ISSUES ONLINE

Nigel Miller

Business is being done on the Internet, and it’s big business. Businesses are using the Internet for communications, marketing and for conducting electronic commerce - selling goods and services. All of this gives rise to a number of legal issues. Can the law cope with the rapid advances in technology and digital business?

In most cases the answer to that is yes, but the job of the Cyberlawyer is to apply the traditional law to the new technologies. That requires an understanding of the technology and a willingness to be innovative.

Electronic Contracting

Every business depends on making contracts with its customers. They may be informal and made orally, or they may be formal written contracts. In most cases, an oral contract is as binding as a written contract. English law has been concerned with formulating the rules for oral and written contracts for centuries. Cases decided in the 1800’s continue to be valid today. But business conducted online creates a new category of contract; the electronic contract. Is this some strange hybrid? What are the rules?

Let’s examine some areas of concern to businesses on the Internet.

In writing

The law requires that certain types of contract be in writing and be signed. Moreover, under English law, certain transactions have to be by way of deed; there are strict rules concerning the signing and witnessing of deeds by individuals and companies.

There are various types of contract that have to be in writing.

A contract for the sale or other disposition of land can only be made in writing and both parties to the contract must sign.

The Statute of Frauds, passed in 1677, requires guarantees to be evidenced by writing.

Intellectual property - copyright, patents, trade marks - can only be assigned in writing.

Certain categories of contract must contain certain wording and be in a particular form; for example, consumer credit agreements.

There are various reasons why some contracts are required to be in writing.

First is the need to have evidence of the contract and of its terms. Another reason stems from consumer protection legislation; a requirement of formality is a form of protection to the weaker party and might allow the weaker party to ‘think twice’ before entering into the transaction.

Can an electronic contract be said to be “in writing”? The answer is that an electronic contract almost certainly would be regarded as a written contract as it does meet the reasoning behind the requirement for writing.

Signed?

Can an electronic contract be said to have been “signed”? This has not been addressed by the courts, but it is probably not enough for a deed to be executed electronically as it needs to be witnessed.

The courts have decided that a letterhead can constitute a signature and telegrams are good enough to satisfy the Statute of Frauds requirement for a signature. It is likely therefore that an E-mail from an individual would be regarded as signed by him for most purposes.

Offer and Acceptance

When does a contract come into existence on the Internet? The basic rule in English law is that a contract, supported by consideration, comes into existence when an offer is accepted and there is the necessary intention to create legal relations.

An offer has to be distinguished from an ‘invitation to treat’. That is to say, an offer to receive offers, or an offer to negotiate. If a trader places a catalogue or price list on the Internet, that is an invitation to treat. If this were not the case, the trader who puts up his catalogue and receives millions of orders from around the globe may be in difficulties if each order created a binding contract!

But care must be taken not to construct an invitation to treat as an offer. For example, an offer to sell an item made to a userlist or newsgroup may constitute an offer to a class of person.

Deciding upon the time of acceptance may be important because an offer can be withdrawn at any time before it is accepted. Also, the place of acceptance may help determine the jurisdiction which governs contracts made between people in different countries.

As regards timing, a classic rule was developed by the courts in 1818 for acceptances sent via the post (aka ‘snail-mail’). The courts decided that a contract is made when a letter of acceptance is posted, not when it is received. This can mean that a binding contract is made, even if the letter of acceptance never actually reaches its destination or takes several days to get there.

But how does this rule apply in cyberspace? The postal rule does not apply to media where the transmission is instant. Can E-mail be regarded in this way? The point has not been tested.

Internet E-mail shares many of the qualities of snail-mail; it is not usually instantaneous and can be subject to delay. It may be therefore that the postal rule applies and that a contract could come into effect once the acceptor of an offer presses the send button. If the person who made the offer wants to withdraw his offer before he receives the message of acceptance but after it has been sent, he is too late. As a result, it would be a good idea if offers made electronically specified clearly how the offer can be accepted.

Payment

Difficulties with credit card payments have slowed the growth of consumer electronic commerce. It is possible for criminals to intercept E-mail messages which contain credit card details and then to make fraudulent use of those details. CompuServe has a high degree of security; they say that they have never had a credit card fraud as a result of a transaction made on CompuServe.

Microsoft’s new network is intended to address this by providing cryptography to protect payment transactions. But the Internet itself is still largely insecure.

This issue is likely to be a temporary stumbling block to the growth of consumer trade on the net. To counter difficulties with credit card transactions, the concept of digicash (or E-cash) is being developed but has yet to take off. The concept of digicash transactions will pose interesting and significant issues for the regulators and not least for the taxman; for example, how can transactions involving digital payments be identified and taxed?

Confidentiality

This is a major issue which is also operating as a brake on the exploitation of Internet commerce. People are concerned (rightly) about giving out credit card details, but there is also concern that their meanderings on the Internet are not as anonymous as might be thought. It is possible to eavesdrop on Internet communications. Clever marketeers will trap information about individual activity on the Internet and sell it or use it to generate marketing strategies.

For business on the Internet, encryption technology is an important feature. For this to work, the sender and receiver must use the same software. This may be workable when a business wants to communicate with a major client, but is not workable for (for example) a Virgin megastore selling records and CDs online.

It is also a problem when communicating with US businesses; the US government treats encryption software in the same way as weapons, and controls its export.

It also appears to want to ban anything that will prevent the authorities from decrypting messages sent across public networks! France seems to have the same paranoia and there is a fear that the UK may also seek to exercise some control.

Fraud

Clearly, with electronic commerce the risk of contract fraud is increased. One party could modify his copy of the contract to suit his own needs. To a court, it may not be possible to prove whether an agreement has been modified by one party or the other. While forgery of this kind can also happen with paper contracts, it is less likely to succeed. Each party may have a separate physical copy of the contract and an attempt to modify one copy will leave its physical mark. On an electronic contract, there will be no such sign.

Liabilities

The Internet is essentially concerned with the dissemination of information. Information can be provided in many ways. On Web sites, via FTP sites and in discussion forums.

In certain circumstances liability can arise in negligence if that information is wrong or incomplete and someone acts on it to their detriment. Is there a duty to the anonymous surfer who visits your web sites and acts on the (perhaps) defective advice given?

If that advice leads to personal injury or death (for example, medical advice), then liability could arise. If that advice leads to financial loss, this may be more difficult under English law unless a special relationship can be established between the parties - such as there is between a solicitor, accountant or banker and his client or customer - under which there is a prospect of financial loss if defective advice is given. But what if the defective advice is not on one web site, but on another to which the first web site links? Could the owner of the first web site be liable for the defective advice to people who use the link to reach the defective site? Possibly, if the web site owner did not exercise reasonable care in establishing that link.

In view of these issues, the use of appropriate disclaimers on the web sites is becoming more commonplace. But care needs to be taken with disclaimers to ensure that they will be effective. Under the Unfair Contract Terms Act, certain terms which attempt to limit or exclude liability will only be enforceable if reasonable, and liability for causing death or personal injury by negligence cannot be excluded. Also, where appropriate, professional indemnity insurance should be checked to ensure that it extends to online commerce.

Financial services

Businesses providing financial information or offering financial services through the Internet must comply with a complex raft of financial services legislation. Clearly, one must also bear in mind the international aspects of this medium. The publication of financial information may comply with laws in one country, and yet contravene the law in another.

There are a number of aspects to UK financial services legislation which are relevant to the Internet. The most important of these are the rules relating to investment advertisements.

It is not unusual to find a posting - perhaps from someone outside the UK - inviting people to participate in a profit making venture. There are various directories on the Internet which provide sources of financial information which could be such as to encourage people to enter into an investment agreement.

There is considerable scope with such postings for committing criminal offences under the financial services legislation.

An investment advertisement is any advertisement which is calculated to lead to someone entering into an investment agreement. An investment advertisement must be either issued or approved by an authorized body.

An advertisement which has been issued outside the UK will be treated as having been issued in the UK if it is directed to people in the UK or is made available to them, for example, by the Internet.

Aside from the issue of investment advertisements, recently, the Internet has been used to provide information in the context of take-overs and mergers. IBM posted information on its web site as part of its take-over bid for Lotus Development. The UK panel on take-overs and mergers appears to accept that the provision of information on the Internet will be regarded in the same way as publication in any other medium.

Similar problems can arise under consumer protection legislation. Specifically, criminal offences can be committed under the Trade Descriptions Act and Consumer Credit Act if appropriate information is not provided in compliance with that legislation.

Intellectual property

Trademarks

One major issue relates to the domain name system, which translates computer names into their associated IP addresses.

InterNIC (NIC being the abbreviation for Network Information Centre) registers Internet addresses to ensure that there is no duplication. But this is done on a ‘first come first served’ basis.

Problems have occurred where companies seeking to register their corporate name or trade name as an Internet domain name have discovered that it has already been registered. McDonalds and Coke are examples of this. There is no legal system for the protection of domain names as such; the individual who registered McDonalds had no less right to that name than McDonalds itself. If that happens and the third party trades off the name, then there may be a question of remedies in passing off or trademark infringement.

But if the person does not trade with the name, but simply blocks it, there may be little that can be done.

The message here is to ensure that companies have their name registered as a domain name as soon as possible - if they have not already done so - so that they will not be prevented from using their own name on the Internet and to prevent the potential for the unscrupulous to trade off a deception.

Copyright issues

The debate concerning intellectual property rights on the Internet often centres on whether the existing legislation is able to adapt to cope with the new technologies. Some people challenge the validity of copyright on the Internet on the basis that any material posted on the Internet is, in essence, nothing more than a series of 1s and 0s.

Copyright law protects original works of authorship. It protects literary, dramatic, musical and artistic works as well as sound recordings and films. It will, therefore, protect all aspects of material posted onto the Internet including multimedia works. Copyright is infringed not only by copying, but also by making of transient or incidental copies and storing works in any medium by electronic means.

Almost everything communicated on the Internet is subject to copyright protection. Whereas a telephone call does not give rise to copyright issues, the electronic equivalent often will.

The author of an E-mail automatically has the copyright in the message. Anyone who copies, re-publishes or otherwise uses the same words without consent is violating copyright. The recipient of the message can only use it in a way consistent with the sender’s wishes. If the recipient copies and distributes it to the entire network, that would violate the copyright.

Sending a message to a message base or news group is similar to sending an E-mail. Although it is fairly commonplace, re-posting a message to another forum will almost certainly be an infringement of copyright. It may be tempting and easy to capture the text of someone’s message and re-post it into another forum, but it is likely to be illegal unless you have the consent of the author.

Similarly, information provided at web sites will be the copyright material of the web site owner. It is easy enough to copy text found on a web site and save it on your own hard disk for future use. That text may then find its way into documents of your own creation. Each of these acts is likely to be an infringement of the copyright in the original material.

The concept of an implied licence can in certain circumstances be used to excuse what might otherwise be copyright infringement. If a copyright work is created for someone’s use or as part of a discussion in a particular forum, then it could be said that the copyright owner gives an implied licence for his work to be used for all purposes reasonably contemplated. This would probably include re-posting in that particular forum, but would probably not allow posting of the same message in other forums. This is based on the same principle as that which applies when someone writes a letter to the editor of a newspaper. Although he owns the copyright in the letter, by his actions he is giving an implied licence to the newspaper to publish the letter in the paper. On the other hand, he is probably not giving implied permission for the contents of his letter to be used in a newspaper article or to be contained in a separate anthology.

To avoid difficulties with implied licences and to take account of the realities of the Internet, it is often advisable to include in documents posted on the Internet express permission for them to be copied and circulated subject to certain conditions; for example, that the document be circulated in its entirety and that due accreditation is given.

Net crime

There is considerable scope for an individual sitting in the comfort of his home to commit serious criminal offences which could lead to his imprisonment. The fact that computer software can be quickly and cheaply transferred around the world at the flick of a key does not make it legal!

The Computer Misuse Act of 1990 - otherwise known as the Hackers Act - created a number of criminal offences in the UK. In particular, these included obtaining unauthorized access to computer material and making unauthorized modifications.

This would include hacking as well as the dissemination of computer viruses.

Since it came in, the Act has been used to prosecute a number of adolescents for hacking, but with varying degrees of success due to the difficulties of showing criminal intent.

Infringement of copyright can also give rise to criminal offences.

Personal rights

The Internet poses legal issues which are no less controversial when one considers the issue of personal rights.

In the UK, there is generally no right of privacy, unlike the US for example. However, the UK does have the Data Protection Act and the principles under that Act relating to data held on computer about living individuals. This Act limits the extent to which data can be sent outside the country. But an E-mail on the Internet from London to Manchester may go via Paris or New York, without either sender or receiver knowing what route it took. The position will become more regulated when an EC Directive on Data Protection is implemented in the next two to three years.

Defamation on the net has given rise to court cases in the USA. In the UK, a bill is being considered to protect online service providers from defamation actions in respect of communications where they exercise no editorial control.

But how are Web site owners who link to sites which contain defamatory material going to be treated? Remember, the local newsagent can be liable for defamation contained in a magazine it sells even though he is faultless, unless he can show for example that he did not know of the defamatory material and the lack of knowledge was not due to negligence.

Web site owners have the opportunity to consider the material on the sites to which they link - will this defence be available to a ‘deep pocket’ web site owner who has linked to a defamatory web site ‘of straw’?

Nigel Miller is a partner at City law firm Fox Williams, a founding member of the international Alliance for Interactive Media Law, LLC. Nigel advises web entrepreneurs and others in relation to online commerce. He can be contacted by E-mail: [email protected], CompuServe: 100417,1421. Fox Williams’ home page is at http://www.foxwilliams.co.uk/foxwilliams/index.html

AS/400 SYSTEM ACCESS MONITORING

Keith Lester

Introduction

Organizations are discovering that computers can make crime, especially fraud and malicious damage, much more effective. Concern is heightened by the mass media which has a fascination with hacking and viruses and delights in saying that no one is safe from these menaces. Most organizations have instigated some basic preventative controls such as unique identities, password protection and tailored access rights.

It will expect that you, as its auditor, will ensure the monitoring facilities fully integrated into the AS/400 have been implemented so that access violations are detected and reported. This article guides you through these monitoring facilities and explains how to make best use of the enhancements in the latest releases of the operating system.

Key controls that need monitoring

The key access controls need to be identified and their effectiveness monitored on a regular basis. The following access control areas are key to system security and therefore require monitoring.

Key control areas

- System values for the level of security and the number of sign on attempts allowed.
- Use of the service tools which can bypass system security.
- Use of privileged profiles that can bypass system security and/or normal package controls.
- Failed access attempts.
- Use of dial up lines.

Tests can be performed that only give assurance at a specific time or over a short period. For example, you may check that security is currently activated. However, in the past, it may have been switched off and back on again. The enhanced auditing capabilities can be set to monitor continuously the key access controls and record events in the audit journal for reporting.
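The difference between a point-in-time test and continuous journal monitoring can be shown with a short added example (not code from the article or from IBM). It assumes a constructed, simplified record layout rather than the real audit journal format; QSECURITY and QMAXSIGN are the system values for the security level and the permitted sign-on attempts, and the policy thresholds and the SYSADM1 profile are hypothetical.

```python
from datetime import datetime

def ts(text):
    """Parse the timestamp format used in the constructed sample."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample of system-value change records:
# (time of change, system value, new value, user profile).
JOURNAL = [
    (ts("1995-11-03 18:40"), "QSECURITY", "20", "QSECOFR"),
    (ts("1995-11-06 07:15"), "QSECURITY", "30", "QSECOFR"),
    (ts("1995-11-10 12:05"), "QMAXSIGN", "*NOMAX", "SYSADM1"),
    (ts("1995-11-10 12:50"), "QMAXSIGN", "3", "SYSADM1"),
]

# Values assumed to be in force before the first journal record.
BASELINE = {"QSECURITY": "30", "QMAXSIGN": "3"}

# Assumed audit policy: security level 30 or higher, at most 3 sign-on attempts.
POLICY = {
    "QSECURITY": lambda v: int(v) >= 30,
    "QMAXSIGN": lambda v: v != "*NOMAX" and int(v) <= 3,
}

def value_at(journal, baseline, name, when):
    """Replay the recorded changes to find the value in force at `when`."""
    value = baseline[name]
    for t, n, new, _user in sorted(journal):
        if n == name and t <= when:
            value = new
    return value

def spot_check(journal, baseline, when):
    """Point-in-time test: is each system value compliant at `when`?"""
    return {n: ok(value_at(journal, baseline, n, when))
            for n, ok in POLICY.items()}

def weak_windows(journal, baseline, start, end):
    """Continuous view: every interval in [start, end] during which a
    system value broke policy, with the profile that set it (None if the
    weak value was already in force at `start`)."""
    windows = []
    for name, ok in POLICY.items():
        value = value_at(journal, baseline, name, start)
        since, who = start, None
        for t, n, new, user in sorted(journal):
            if n != name or not (start < t <= end):
                continue
            if not ok(value):
                windows.append((name, value, since, t, who))
            value, since, who = new, t, user
        if not ok(value):
            windows.append((name, value, since, end, who))
    return windows

if __name__ == "__main__":
    start, end = ts("1995-11-01 09:00"), ts("1995-11-15 09:00")
    print("audit visit 1:", spot_check(JOURNAL, BASELINE, start))
    print("audit visit 2:", spot_check(JOURNAL, BASELINE, end))
    for name, value, begin, finish, who in weak_windows(JOURNAL, BASELINE, start, end):
        print(f"{name}={value} from {begin} to {finish}, set by {who}")
```

Both audit visits pass, while the replay of the journal reports the weekend on which the security level was lowered and the 45 minutes during which sign-on attempts were unlimited.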