Computer Audit Update December 1995
CYBERLAW - LEGAL ISSUES ONLINE
Nigel Miller
Business is being done on the Internet, and
it’s big business. Businesses are using the
Internet for communications, marketing and for
conducting electronic commerce - selling goods
and services. All of this gives rise to a number of
legal issues. Can the law cope with the rapid
advances in technology and digital business?
In most cases the answer to that is yes, but
the job of the Cyberlawyer is to apply the
traditional law to the new technologies. That
requires an understanding of the technology and
a willingness to be innovative.
Electronic Contracting
Every business depends on making
contracts with its customers. They may be
informal and made orally, or they may be formal
written contracts. In most cases, an oral contract
is as binding as a written contract. English law
has been concerned with formulating the rules for
oral and written contracts for centuries. Cases
decided in the 1800’s continue to be valid today.
But business conducted online creates a new
category of contract; the electronic contract. Is
this some strange hybrid? What are the rules?
Let’s examine some areas of concern to
businesses on the Internet.
In writing
The law requires that certain types of contract be in writing and be signed. Moreover, under
English law, certain transactions have to be by
way of deed; there are strict rules concerning the
signing and witnessing of deeds by individuals
and companies.
There are various types of contract that have
to be in writing.
- A contract for the sale or other disposition of land can only be made in writing and both parties to the contract must sign.
- The Statute of Frauds, passed in 1677, requires guarantees to be evidenced by writing.
- Intellectual property - copyright, patents, trade marks - can only be assigned in writing.
Certain categories of contract must contain
certain wording and be in a particular form; for
example, consumer credit agreements.
There are various reasons why some
contracts are required to be in writing.
First is the need to have evidence of the
contract and of its terms. Another reason stems
from consumer protection legislation; a
requirement of formality is a form of protection to
the weaker party and might allow the weaker
party to ‘think twice’ before entering into the
transaction.
Can an electronic contract be said to be “in
writing”? The answer is that an electronic contract
almost certainly would be regarded as a written
contract as it does meet the reasoning behind the
requirement for writing.
Signed?
Can an electronic contract be said to have
been “signed”? This has not been addressed by
the courts, but it is probably not enough for a deed
to be executed electronically as it needs to be
witnessed.
The courts have decided that a letterhead
can constitute a signature and telegrams are
good enough to satisfy the Statute of Frauds
requirement for a signature. It is likely therefore
that an E-mail from an individual would be
regarded as signed by him for most purposes.
©1995 Elsevier Science Ltd
Offer and Acceptance
When does a contract come into existence on the Internet? The basic rule in English law is that a contract, supported by consideration, comes into existence when an offer is accepted and there is the necessary intention to create legal relations.
An offer has to be distinguished from an ‘invitation to treat’. That is to say, an offer to receive offers, or an offer to negotiate. If a trader places a catalogue or price list on the Internet, that is an invitation to treat. If this were not the case, the trader who puts up his catalogue and receives millions of orders from around the globe may be in difficulties if each order created a binding contract!
But care must be taken not to construct an invitation to treat as an offer. For example, an offer to sell an item made to a user list or newsgroup may constitute an offer to a class of person.
Deciding upon the time of acceptance may be important because an offer can be withdrawn at any time before it is accepted. Also, the place of acceptance may help determine the jurisdiction which governs contracts made between people in different countries.
As regards timing, a classic rule was developed by the courts in 1818 for acceptances sent via the post (aka ‘snail-mail’). The courts decided that a contract is made when a letter of acceptance is posted, not when it is received. This can mean that a binding contract is made, even if the letter of acceptance never actually reaches its destination or takes several days to get there.
But how does this rule apply in cyberspace? The postal rule does not apply to media where the transmission is instant. Can E-mail be regarded in this way? The point has not been tested.
Internet E-mail shares many of the qualities of snail-mail; it is not usually instantaneous and can be subject to delay. It may be therefore that the postal rule applies and that a contract could come into effect once the acceptor of an offer presses the send button. If the person who made the offer wants to withdraw his offer before he receives the message of acceptance but after it has been sent, he is too late. As a result, it would be a good idea if offers made electronically specified clearly how the offer can be accepted.
Payment
Difficulties with credit card payments have slowed the growth of consumer electronic commerce. It is possible for criminals to intercept E-mail messages which contain credit card details and then to make fraudulent use of those details. CompuServe has a high degree of security; they say that they have never had a credit card fraud as a result of a transaction made on CompuServe.
Microsoft’s new network is intended to address this by providing cryptography to protect payment transactions. But the Internet itself is still largely insecure.
This issue is likely to be a temporary stumbling block to the growth of consumer trade on the net. To counter difficulties with credit card transactions, the concept of digicash (or E-cash) is being developed but has yet to take off. The concept of digicash transactions will pose interesting and significant issues for the regulators and not least for the taxman; for example, how can transactions involving digital payments be identified and taxed?
Confidentiality
This is a major issue which is also operating as a brake on the exploitation of Internet commerce. People are concerned (rightly) about giving out credit card details, but there is also concern that their meanderings on the Internet are not as anonymous as might be thought. It is possible to eavesdrop on Internet communications. Clever marketeers will trap information about individual activity on the Internet and sell it or use it to generate marketing strategies.
For business on the Internet, encryption technology is an important feature. For this to
work, the sender and receiver must use the same
software. This may be workable when a business
wants to communicate with a major client, but is
not workable for (for example) a Virgin megastore
selling records and CDs online.
It is also a problem when communicating with
US businesses; the US government treats
encryption software in the same way as weapons,
and controls its export.
It also appears to want to ban anything that
will prevent the authorities from decrypting
messages sent across public networks! France
seems to have the same paranoia and there is a
fear that the UK may also seek to exercise some
control.
Fraud
Clearly, with electronic commerce the risk of
contract fraud is increased. One party could
modify his copy of the contract to suit his own
needs. To a court, it may not be possible to prove
whether an agreement has been modified by one
party or the other. While forgery of this kind can
also happen with paper contracts, it is less likely
to succeed. Each party may have a separate
physical copy of the contract and an attempt to
modify one copy will leave its physical mark. On
an electronic contract, there will be no such sign.
Liabilities
The Internet is essentially concerned with the
dissemination of information. Information can be
provided in many ways: on Web sites, via FTP
sites and in discussion forums.
In certain circumstances liability can arise in
negligence if that information is wrong or
incomplete and someone acts on it to their
detriment. Is there a duty to the anonymous surfer who visits your web sites and acts on the
(perhaps) defective advice given?
If that advice leads to personal injury or death
(for example, medical advice), then liability could
arise. If that advice leads to financial loss, this
may be more difficult under English law unless a
special relationship can be established between
the parties - such as there is between a solicitor,
accountant or banker and his client or customer
- under which there is a prospect of financial
loss if defective advice is given. But what if the
defective advice is not on one web site, but on
another to which the first web site links? Could
the owner of the first web site be liable for the
defective advice to people who use the link to
reach the defective site? Possibly, if the web site
owner did not exercise reasonable care in
establishing that link.
In view of these issues, the use of appropriate
disclaimers on the web sites is becoming more
commonplace. But care needs to be taken with
disclaimers to ensure that they will be effective.
Under the Unfair Contract Terms Act, certain
terms which attempt to limit or exclude liability will
only be enforceable if reasonable, and liability for
causing death or personal injury by negligence
cannot be excluded. Also, where appropriate,
professional indemnity insurance should be
checked to ensure that it extends to online
commerce.
Financial services
Businesses providing financial information or
offering financial services through the Internet
must comply with a complex raft of financial
services legislation. Clearly, one must also bear
in mind the international aspects of this medium.
The publication of financial information may
comply with laws in one country, and yet
contravene the law in another.
There are a number of aspects to UK
financial services legislation which are relevant to
the Internet. The most important of these are the
rules relating to investment advertisements.
It is not unusual to find a posting - perhaps
from someone outside the UK - inviting people to
participate in a profit making venture. There are
various directories on the Internet which provide sources of financial information which could be
such as to encourage people to enter into an
investment agreement.
There is considerable scope with such
postings for committing criminal offences under
the financial services legislation.
An investment advertisement is any
advertisement which is calculated to lead to
someone entering into an investment agreement.
An investment advertisement must be either
issued or approved by an authorized body.
An advertisement which has been issued
outside the UK will be treated as having been
issued in the UK if it is directed to people in the
UK or is made available to them, for example, by
the Internet.
Aside from the issue of investment
advertisements, recently, the Internet has been
used to provide information in the context of
take-overs and mergers. IBM posted information
on its web site as part of its take-over bid for Lotus
Development. The UK panel on take-overs and
mergers appears to accept that the provision of
information on the Internet will be regarded in the
same way as publication in any other medium.
Similar problems can arise under consumer
protection legislation. Specifically, criminal
offences can be committed under the Trade
Descriptions Act and Consumer Credit Act if
appropriate information is not provided in
compliance with that legislation.
Intellectual property
Trademarks
One major issue relates to the domain name
system, which translates computer names into
their associated IP addresses.
Internic (NIC being the abbreviation for
Network Information Centre) registers Internet
addresses to ensure that there is no duplication.
But this is done on a ‘first come first served’ basis.
Problems have occurred where companies
seeking to register their corporate name or trade
name as an Internet domain name have discovered that it has already been registered.
McDonalds and Coke are examples of this. There
is no legal system for the protection of domain
names as such; the individual who registered
McDonalds had no less right to that name than
McDonalds itself. If that happens and the third
party trades off the name, then there may be a
question of remedies in passing off or trademark
infringement.
But if the person does not trade with the
name, but simply blocks it, there may be little that
can be done.
The message here is to ensure that
companies have their name registered as a
domain name as soon as possible - if they have
not already done so - so that they will not be
prevented from using their own name on the
Internet and to prevent the potential for the
unscrupulous to trade off a deception.
Copyright issues
The debate concerning intellectual property
rights on the Internet often centres on whether the
existing legislation is able to adapt to cope with
the new technologies. Some people challenge
the validity of copyright on the Internet on the
basis that any material posted on the Internet is,
in essence, nothing more than a series of 1s and
0s.
Copyright law protects original works of
authorship. It protects literary, dramatic, musical
and artistic works as well as sound recordings
and films. It will, therefore, protect all aspects of
material posted onto the Internet including
multimedia works. Copyright is infringed not only
by copying, but also by making of transient or
incidental copies and storing works in any
medium by electronic means.
Almost everything communicated on the
Internet is subject to copyright protection.
Whereas a telephone call does not give rise to
copyright issues, the electronic equivalent often
will.
The author of an E-mail automatically has the copyright in the message. Anyone who copies,
re-publishes or otherwise uses the same words
without consent is violating copyright. The
recipient of the message can only use it in a way
consistent with the sender’s wishes. If the
recipient copies and distributes it to the entire
network, that would violate the copyright.
Sending a message to a message base or
news group is similar to sending an E-mail.
Although it is fairly commonplace, re-posting a
message to another forum will almost certainly be
an infringement of copyright. It may be tempting
and easy to capture the text of someone’s
message and re-post it into another forum, but it
is likely to be illegal unless you have the consent
of the author.
Similarly, information provided at web sites
will be the copyright material of the web site
owner. It is easy enough to copy text found on a
web site and save it on your own hard disk for
future use. That text may then find its way into
documents of your own creation. Each of these
acts is likely to be an infringement of the copyright
in the original material.
The concept of an implied licence can in
certain circumstances be used to excuse what
might otherwise be copyright infringement. If a
copyright work is created for someone’s use or
as part of a discussion in a particular forum, then
it could be said that the copyright owner gives an
implied licence for his work to be used for all
purposes reasonably contemplated. This would
probably include re-posting in that particular
forum, but would probably not allow posting of the
same message in other forums. This is based on
the same principle as that which applies when
someone writes a letter to the editor of a
newspaper. Although he owns the copyright in
the letter, by his actions he is giving an implied
licence to the newspaper to publish the letter in
the paper. On the other hand, he is probably not
giving implied permission for the contents of his
letter to be used in a newspaper article or to be
contained in a separate anthology.
To avoid difficulties with implied licences and to take account of the realities of the Internet, it is
often advisable to include in documents posted
on the Internet express permission for them to be copied and circulated subject to certain
conditions; for example, that the document be
circulated in its entirety and that due accreditation
is given.
Net crime
There is considerable scope for an individual
sitting in the comfort of his home to commit
serious criminal offences which could lead to his
imprisonment. The fact that computer software
can be quickly and cheaply transferred around
the world at the flick of a key does not make it
legal!
The Computer Misuse Act of 1990 -
otherwise known as the Hackers Act - created a
number of criminal offences in the UK. In
particular, these included obtaining unauthorized
access to computer material and making
unauthorized modifications.
This would include hacking as well as the
dissemination of computer viruses.
Since it came in, the Act has been used to
prosecute a number of adolescents for hacking,
but with varying degrees of success due to the
difficulties of showing criminal intent.
Infringement of copyright can also give rise
to criminal offences.
Personal rights
The Internet poses legal issues which are no
less controversial when one considers the issue
of personal rights.
In the UK, there is generally no right of
privacy, unlike the US for example. However, the
UK does have the Data Protection Act and the
principles under that Act relating to data held on
computer about living individuals. This Act limits
the extent to which data can be sent outside the
country. But an E-mail on the Internet from London to Manchester may go via Paris or New
York, without either sender or receiver knowing
what route it took. The position will become more
regulated when an EC Directive on Data
Protection is implemented in the next two to three
years.
Defamation on the net has given rise to court
cases in the USA. In the UK, a bill is being
considered to protect online service providers
from defamation actions in respect of
communications where they exercise no editorial
control.
But how are Web site owners who link to sites
which contain defamatory material going to be
treated? Remember, the local newsagent can be
liable for defamation contained in a magazine it
sells even though he is faultless, unless he can
show for example that he did not know of the
defamatory material and the lack of knowledge
was not due to negligence.
Web site owners have the opportunity to
consider the material on the sites to which they
link - will this defence be available to a ‘deep
pocket’ web site owner who has linked to a
defamatory web site ‘of straw’?
Nigel Miller is a partner at City law firm Fox Williams, a founding member of the international Alliance for Interactive Media Law, LLC. Nigel advises web entrepreneurs and others in relation to online commerce. He can be contacted by E-mail: [email protected], CompuServe: 1004 17,1421. Fox Williams’ home page is at http://www.foxwilliams.co.uk/foxwilliams/index.html
AS/400 SYSTEM ACCESS MONITORING
Keith Lester
Introduction
Organizations are discovering that computers can make crime, especially fraud and malicious damage, much more effective. Concern is heightened by the mass media which has a fascination with hacking and viruses and delights in saying that no one is safe from these menaces. Most organizations have instigated some basic preventative controls such as unique identities, password protection and tailored access rights.
It will expect that you, as its auditor will ensure the monitoring facilities fully integrated into the AS/400 have been implemented so that access violations are detected and reported. This article guides you through these monitoring facilities and explains how to make best use of the enhancements in the latest releases of the operating system.
Key controls that need monitoring
The key access controls need to be identified and their effectiveness monitored on a regular basis. The following access control areas are key to system security and therefore require monitoring.
Key control areas
- System values for the level of security and the number of sign on attempts allowed.
- Use of the service tools which can bypass system security.
- Use of privileged profiles that can bypass system security and/or normal package controls.
- Failed access attempts.
- Use of dial up lines.
Tests can be performed that only give assurance at a specific time or over a short period. For example, you may check that security is currently activated. However, in the past, it may have been switched off and back on again. The enhanced auditing capabilities can be set to monitor continuously the key access controls and record events in the audit journal for reporting.