Saturday, December 6, 2008

On-line transactions

The functionality of websites is increasing as the Internet and technology mature. Previously, websites were seen solely as communicators of information, but this view is changing as more sites are built that are capable of transacting with users.

Encryption of users’ personal data and authentication of their identity are key issues in the e-Economy. These have security implications and are likely to be dealt with by a Departmental Security Officer and an IT Security Officer.

The acceptance of orders and payments and their fulfillment electronically will require a change to your business practices and systems.

Introduction

The concept of electronic business was around before the Internet became popular. An example of this is Electronic Data Interchange (EDI). However, e-business would not be possible on such a large scale without the Internet. This provides the environment for suppliers to conduct dealings with their customers through computer and communications networks. The development of networks and electronic transference of funds have contributed to the growth of operational websites. These sites allow users to conduct transactions electronically on a large scale, making the business process more accessible and more efficient.

There are many issues with electronic business, most prominently information security. Additionally, government business transactions need record-capturing mechanisms appropriate to their nature, so that what has taken place is recorded robustly for the benefit of both parties. In addition, public business needs to be accountable. A variety of approaches to this are outlined in guidance from the Public Record Office at:

Information security

Confidentiality and trust

Confidentiality and trust are implemented through the use of cryptography. Encryption makes sure that if information is intercepted or sent to the wrong person, it cannot be read. Only the recipient has the knowledge to decrypt it. This knowledge is called the key. Traditional encryption involved both sender and recipient sharing the same key. In order to make encryption more generally available, e-commerce usually relies on two completely separate keys, one to encrypt and another to decrypt. The public key is openly available to anyone wanting to encrypt data. The private key needed to decrypt the data is held only by authorised recipients. Those sending the information can trust that only those with the private key can read the information.

Data protection and privacy are sensitive issues for Internet users, and modern web browsers now support encryption. Many Internet services also offer Public Key Infrastructure (PKI), which combines encryption with authentication.

Authentication

Authentication is a means of checking a user’s identity. This is usually done through a user ID and a password. Websites requiring authentication will not allow a user entry into the site unless the authorised ID and password details have been entered.

Traditionally, a person’s signature is recognised as authentication of an individual. However, it is impossible to sign in pen and ink when undertaking an online transaction. An alternative was needed, and a security mechanism known as a digital signature was introduced. Documents can be digitally signed, which then allows verification of who signed them and whether or not the document was changed during transmission.
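The two mechanisms described above (public-key encryption under Confidentiality and trust, and digital signatures here) as an added example in Go's standard library; this is illustration code, not from the original post. It assumes RSA-OAEP for encryption, RSA-PSS for signing, hypothetical customer and merchant key pairs, and a constructed sample order.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptForRecipient encrypts plaintext with the recipient's public key (RSA-OAEP).
// Anyone may encrypt; only the holder of the matching private key can decrypt.
func EncryptForRecipient(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// DecryptAsRecipient recovers the plaintext with the private key; any other key fails.
func DecryptAsRecipient(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign produces a digital signature over the document with the signer's private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature against the signer's public key. It reports false if the
// document was altered after signing or if it was signed with a different private key.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	customer, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical customer key pair
	merchant, _ := rsa.GenerateKey(rand.Reader, 2048) // hypothetical merchant key pair
	order := []byte("order 1001: 2 x widget, total 40.00 GBP") // constructed sample document
	sig, _ := Sign(customer, order)
	fmt.Println("genuine order verifies:  ", Verify(&customer.PublicKey, order, sig))
	altered := []byte("order 1001: 2 x widget, total 4.00 GBP")
	fmt.Println("altered order verifies:  ", Verify(&customer.PublicKey, altered, sig))
	fmt.Println("wrong signer verifies:   ", Verify(&merchant.PublicKey, order, sig))
	ct, _ := EncryptForRecipient(&merchant.PublicKey, order)
	pt, _ := DecryptAsRecipient(merchant, ct)
	fmt.Println("merchant recovers order: ", string(pt) == string(order))
	_, err := DecryptAsRecipient(customer, ct)
	fmt.Println("other key cannot decrypt:", err != nil)
}
```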

Legal issues

For a contract to be made under English law, a number of factors have to be in place. An ‘offer’ has to be made and accepted, a ‘consideration’ has to be given by each side (usually in the form of goods or services exchanged for cash), and the parties have to have the intention of making a contract. When setting up an e-Commerce website it is recommended that it be structured so that the user (customer) makes the offer to you, which you either accept or decline, and not the other way round. If you get this the wrong way round it can lead to contracts being concluded by the user (customer) accepting an offer on the website, which you may not be able to fulfil.

Digital signatures are the basis for a legally binding agreement, just as a handwritten signature would be on a paper-based contract. Their legal status is confirmed in the Electronic Communications Act 2000.

Explanation of e-commerce terms

Authentication

Electronic means of identifying and verifying legitimate application users and devices.

Digital signature

A security mechanism that includes a user’s private and public keys, which the browser uses to validate data from the user.

Encryption

The conversion or transformation of readable data into an unreadable stream of data using a reversible coding process.

SHTTP (Secure HTTP)

A protocol that provides server authentication, digital signatures and encrypted sessions for web traffic.

SSL (Secure Sockets Layer)

A technology from Netscape for encrypting data sent between client and server.
