7 October 1998
Source:
http://www.oecd.org/subject/e_commerce/
Part I of three parts.
O E C D 1 9 9 8
An Inventory of Approaches to Authentication and Certification in a Global Networked Society
An Inventory of Controls on Cryptography Technologies
Protection of Privacy on Global Networks
Consumer Protection in the Electronic Marketplace
Source: http://www.oecd.org/subject/e_commerce/ebooks/ecomm1_1.pdf (285K)
Authentication and certification technologies and mechanisms play an important role in meeting the need to build user confidence in electronic transactions.
Global network technologies for electronic commerce will not be fully embraced by users until they are confident that services and networks are secure and reliable and that transactions are safe and private. Users want to be sure of the origin, receipt and integrity of information they receive and to be able to identify the parties involved. Finally, they must have appropriate redress mechanisms available if something goes wrong. The development and use of authentication and certification technologies and mechanisms play an important role in meeting the need to build user confidence in electronic transactions.
Authentication can be used in the electronic environment to establish identity or privileges, or as part of payment mechanisms, for instance through the use of a password or smart card, or a cryptographic, shared secret or biometric technique. Certification mechanisms can provide assurances about information in the electronic environment to reduce uncertainty in electronic transactions between parties or systems. Where authentication relies on cryptography technologies, a certification mechanism could link the public cryptographic key with an individual or entity. A wide variety of technologies and mechanisms are available to authenticate and certify various elements of electronic transactions, and a number of different architecture models are under consideration in OECD countries.
Authentication and certification in a global networked society is a major concern for all countries developing policies and laws to enable electronic commerce.
As OECD Member countries turn their attention to developing policies and laws to enable electronic commerce, they are looking at issues related to authentication and certification in a global networked society. Conflicting national solutions for electronic authentication and certification could have an impact on the development of global electronic commerce. The OECD provides a venue for ongoing information exchange in order to clarify issues related to authentication and certification and create a solid basis for ongoing international co-operation in this area. The Information Computer and Communication Policy (ICCP) Committee’s Group of Experts on Information Security and Privacy maintains a dialogue involving governments, business and industry, and user representatives to examine more fully the technologies and diverse models for authentication and certification currently used or emerging in Member countries. An Inventory of Approaches to Authentication and Certification in a Global Networked Society was compiled by the Group of Experts based on research of the OECD Secretariat and input from Member countries. It surveys relevant activities in OECD countries, including laws, policies and initiatives in the public and private sectors, at both the national and international level. Specifically, it looks at: the range of authentication, and certification and related services; legal and policy issues under consideration; public sector approaches and private sector initiatives; and international aspects.
9
Governments are developing their approaches to authentication and certification in the global networked society.
Governments tend to focus on encouraging efforts to develop authentication and certification technologies for electronic commerce, and facilitating the use of those technologies and mechanisms. Many countries have formed working groups to examine methods available to establish identity and verify information in the electronic environment, in order to determine whether new legislation is needed or whether existing laws should be updated to foster the migration from a paper-based to a digital environment. A number of countries have undertaken efforts to implement the relevant provisions of the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) in 1996. For instance, many countries are reviewing requirements specifying that only written (or physical) signatures or seals can satisfy legal requirements for "signing" a document.
Enabling digital signature technology is the focus of many policy-making efforts in the area of authentication and certification.
Many of the policy-making efforts related to authentication and certification have, thus far, centred on enabling digital signature technology. Several OECD countries have enacted or proposed legislation for legal recognition of digital signatures. A few others have undertaken studies on the operational requirements for certification authorities to support digital signatures. These countries consider that special legal rules are needed to enable digital signatures based on cryptography. These rules often involve comprehensive regulation for certification authorities that covers liability rules, criteria for evaluation and accreditation, and certificate policies and certification practice statements. Other governments take a more minimalist technology-neutral approach that aims simply to remove existing barriers to global electronic commerce. For example, a law that simply establishes the legal validity of any kind of “electronic signature” allows the parties to use an electronic signature to express their intention to be bound to an electronic contract, whether or not the electronic signature is based on cryptography. The Inventory reports a variety of efforts underway to study the range of legal and policy issues raised by electronic authentication and certification, including examination of the rights and responsibilities of the parties to an electroni c transaction, consumer protection, and the protection of privacy and personal data.
There is a general awareness that regulating an emerging industry might risk imposing a specific vision of electronic commerce.
Where governments have determined that digital signatures based on public key cryptography require certification authorities to support their functions on open networks, it is often asked whether certification authorities should be government or commercial entities. If they are commercial entities, should they should be licensed by government? If so, what criteria should be applied? The Inventory reveals a general awareness of the risks of regulating a certification authority industry that is still emerging, as this might impose a very specific vision of electronic commerce. A basic issue is how to strike the appropriate balance between a government role and encouraging market-based solutions.
A number of OECD governments are promoting electronic commerce as users of information and communication technologies, products and services. Several countries have pilot projects underway for implementing various authentication and certification initiatives, including government use of electronic authentication and certification mechanisms to deliver public services to citizens.
10
The Inventory identifies a number of private sector initiatives which highlight industry’s important role in developing business practices and technical standards for authentication and certification.
A number of industry initiatives to address the need for authentication and certification mechanisms for global electronic commerce are also underway. Various commercial authentication and certification services have begun to emerge, and their efforts are being watched closely as they navigate an uncertain technological, legal and public policy environment. The Inventory includes a number of these private sector initiatives which highlight the important role played by industry in developing business practices and technical standards for authentication and certification.
The OECD is working with other international organisations active in this field, to ensure that its work is complementary and avoids duplication.
The Inventory lists a variety of current initiatives at international level. It recognises the work of the International Engineering Task Force (IETF), the International Organization for Standards (ISO), the World Wide Web Consortium (W3C), and other consensus bodies in the area of technical standards development. It notes the European Commission proposal for a European Parliament and Council Directive on a common framework for electronic signatures. It also highlights current activities of the UNCITRAL Working Group on Electronic Commerce to prepare uniform rules on the legal issues of digital signatures and certification authorities. Finally, it recognises the work on public key authentication underway in the Asia Pacific Economic Co-operation (APEC) Telecommunications Working Group. There is general interest in continuing efforts at international level, together with industry, to examine authentication and certification technologies and mechanisms to facilitate global electronic commerce. The OECD is working with other international organisations active in this field, to ensure that its work in this area is complementary rather than duplicative.
11
Source: http://www.oecd.org/subject/e_commerce/ebooks/ecomm1_2.pdf (279K)
Cryptography is used to ensure data integrity and authentication, and confidentiality.
Cryptography is a component of secure information and communications systems. A variety of applications have been developed that incorporate cryptographic methods to provide data security. Cryptography is a tool for dealing with two related, but distinct, aspects of data security: verifying the integrity of data or the authentication of the sender of a message “digital signature”, and ensuring the confidentiality of data “encryption”. Each offers benefits and presents problems.
Despite concerns about illegal use, governments need to encourage its use.
Governments need to encourage wider use of cryptography, both to facilitate electronic commerce and to enable users to protect data by keeping communications private during transmission, securing stored data, or providing assurances about who has sent a particular message or signed an electronic contract. At the same time, governments are concerned about the implications that the widespread use of cryptography may have for law enforcement and national security, in that it may limit the ability of authorities to lawfully access encrypted data. While the 1997 OECD Cryptography Guidelines identify the various interests that must be balanced in the context of international cryptography policy, they do not resolve a fundamental question: how can governments can give the benefits of cryptography to legitimate users, without empowering criminals to use it for illegal purposes?
The OECD promotes sharing information and discussion of cryptography policy.
In recent years, OECD countries have implemented policies relating to cryptography. In many countries, these are still being developed. The Information Computer and Communication Policy (ICCP) Committee’s Group of Experts on Information Security and Privacy exchanges information to promote discussion of related issues. The Inventory of Controls on the Use of Cryptography Technologies (“Cryptography Controls Inventory”) was compiled by the Group of Experts to provide a snapshot of current laws, regulations and policies as reported by Member countries.
In many OECD countries, cryptography laws and policies for encryption are considered separately from “digital signature” laws.
In an attempt to separate the issues in terms of the two distinct uses for cryptography, most OECD countries have adopted a dual approach to the regulation of cryptography: that is, law and policy about cryptography used for encryption is considered separately from “digital signature” laws. The Cryptography Controls Inventory intends to facilitate international co-operation by surveying international and national instruments relating to controls on the export, import and domestic use of cryptography technologies in OECD countries. It examines domestic controls on encryption, and any amendments to domestic laws under consideration. It looks at import or export controls on encryption, and any possible amendments to such laws. Laws on the use of cryptography for authentication and certification are covered by a separate report directed specifically at that issue, the Inventory of Approaches to Authentication and Certification in a Global Networked Society.
13
The OECD has surveyed instruments for controlling the export, import and domestic use of cryptography technologies.
OECD countries have different approaches to controlling the use of cryptography for encryption. One makes it illegal to use cryptography to conceal information unless the government has access to the private decryption keys. Another allows domestic use of cryptography, but restricts the export of cryptography products. To address the criminal use of cryptography to conceal information, the court system can be used to force an accused party to provide keys to encrypted data.
The Wassenaar Arrangement is the main international instrument dealing with export controls on cryptography technologies.
The main international instrument dealing with export controls on cryptography technologies is the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (July 1996). It defines a set of preliminary guidelines, covering both armaments and sensitive dual-use goods and technologies, which participating countries should implement fully at the national level. Participants agree to control through their national laws, regulations and policies those items and technologies contained in a list of Dual-Use Goods and Technologies – which includes cryptographic goods and technologies – and a separate Munitions List. All but two OECD countries are members of the Wassenaar Arrangement. In fulfilling their obligations under the Arrangement, 27 of the 29 OECD Member countries place controls on the export of cryptography technologies. Although most of these countries have enacted legislation or regulations and created licensing authorities, implementation details vary.
National export controls on cryptography products differ in their treatment of cryptography software that is “generally available to the public”.
The Cryptography Controls Inventory reveals that national export controls on cryptography products differ with respect to the treatment of cryptography software which is “generally available to the public” or in the “public domain”. The Wassenaar Arrangement’s “General Software Note” exempts such software from export controls. However, according to the Inventory, this note is not implemented at all in some participating countries and only partially i n others. Differences in national approaches to export controls also exist with respect to the treatment of software distributed in an intangible form over a data network such as the Internet. Not all OECD countries have explicitly addressed this issue. In those that have, the Inventory shows that some distinguish between “tangible” and “intangible” transfers, while others treat both in the same manner.
The domestic use of cryptography products is unrestricted in most OECD countries.
The Cryptography Controls Inventory found that the domestic use of cryptography products is unrestricted in most OECD Member countries. However, a small number have general laws governing the domestic use of cryptography technologies or minor sector-specific regulations and several place controls on the import of cryptography technologies, such as licensing requirements.
14
Source: http://www.oecd.org/subject/e_commerce/ebooks/ecomm1_3.pdf (285K)
The importance of international co-operation to online protection of privacy and personal data is inciting OECD countries to build bridges between their different approaches.
Given the global nature of network technologies, international co-operation is a key aspect of online protection of privacy and personal data. The geographic ties that once bound data collectors to data subjects do not necessarily exist on global networks, and trans-border exchanges of personal data are increasing. In order to secure effective privacy protection on global networks and to avoid unnecessary restrictions on transborder flows of personal data, OECD countries have started working to build bridges between their different approaches to ensuring data protection on global networks. Recent OECD work in this area has focused on implementing and enforcing privacy principles in the context of global network technologies. Work is now underway under the auspices of the OECD Group of Experts on Information Security and Privacy to complete a factual inventory of privacy instruments and mechanisms (including laws, self-regulation, contracts and technology) for implementing and enforcing the 1980 OECD Privacy Guidelines on Global Networks.
Various approaches have been taken:
Various approaches have been developed to implement and enforce privacy principles in the online environment, including legislative or regulatory, self-regulatory, technological and contractual mechanisms. These may be combined in various ways, and it is important that they be developed in a manner that is technologically neutral.
… the legislative or regulatory approach…
Governments may take action to protect online privacy and personal data in a number of ways. Privacy legislation may be enacted on either a comprehensive or sectoral basis, to set privacy principles and create enforcement mechanisms. The interpretation of laws based on general concepts can be tailored to the circumstances of particular industries or emerging technologies. Legislation may establish central oversight authorities, such as Data Protection Officers and Privacy Commissioners, to ensure compliance with privacy laws, mediate or adjudicate complaints, undertake independent investigations, prosecute offenders and/or make quasi-judicial decisions. Legislation can also provide the right to a judicial remedy.
… the self-regulatory approach…
Governments can work with the private sector to develop criteria for effective privacy protection which the private sector can implement through self-regulatory codes. These codes can ensure good privacy practices online and the creation of effective enforcement mechanisms. They also allow privacy protection to evolve as technology develops and be tailored to particular industries.
15
… the technological approach…
Privacy-enhancing technologies can also be used in conjunction with either self-regulatory or legislative approaches. These technologies can enable users to protect their privacy and personal data, for instance by providing mechanisms for user anonymity, encryption, or automated application of user privacy preferences. Technologies can also support certification mechanisms: web sites that adhere to specific criteria in their privacy practices can display an icon that can be used to verify information and compliance with the criteria. Privacy-enhancing technologies should not be seen primarily as novel technical developments or as additions to existing systems. Rather, they should be seen as part of a design philosophy: one that encourages (in appropriate circumstances) the removal of identifiers linked to personal data, thereby anonymising the data. The applicability of this approach will vary. It may not be appropriate or practical to anonymise data, or pseudonymity might be preferable. The approach emphasises the need to incorporate privacy protections into a system at an early stage, not as an afterthought.
… and the contractual approach.
In addition, private commercial contracts may be used to protect privacy. For example, model transborder data flow contracts, which determine the principles to be applied when personal information is passed from one data controller to another, can play a significant role in protecting privacy and in satisfying legal requirements for transborder data flows.
In this mixed environment, enforcement and redress are fundamental issues…
In this mixed environment of legislative, self-regulatory, technological and contractual approaches, enforcement and redress are fundamental issues. They may be dealt with in different ways. For example, central data protection authorities or other independent bodies may perform proactive audits, investigate complaints and take the necessary action to ensure compliance with privacy laws and codes of conduct. Enforcement mechanisms implemented as part of an effective system of private-sector self-regulati on can provide consumer recourse, certification mechanisms and consequences for non-compliance with privacy principles. General laws relating to breach of contract, fraud and fair trading practices may apply in a self-regulatory regime when a web site violates its own privacy statement. Certification mechanisms can provide assurance that privacy principles are being complied with and may also be an avenue for seeking redress. These are only some of the ways in which these various approaches can provide administrative, civil and/or penal means of redress. Furthermore, market forces (such as the threat of bad publicity) may encourage onli ne busi nesses to comply with privacy principles and provide redress voluntarily.
… while education and awareness are essential for individual users and for businesses.
Finally, education and awareness about privacy issues, protection and enforcement mechanisms are fundamental. This is particularly true in the online world where the collection and handling of personal data is simple and inexpensive, and where user-empowering technologies can give control of and responsibility for personal privacy to individual users. Users need to be educated about the risks they face, their rights, the technological and legal means available to protect their privacy, the meaning and effect of privacy statements and the means of redress available for breaches of privacy principles. Education is also important to businesses who need to be aware, not only of any legal obligations to
16
which they may be subject, but also of the importance of privacy to their customers, the technologies they should use, and practices they should follow in order to comply with the applicable privacy principles.
Ongoing work in the area of online protection of privacy and personal data is included in the OECD Programme of Work for 1999-2000. In particular, the ICCP Group of Experts on Information Security and Privacy could:
Useful future work by the OECD may include: facilitating an exchange of information on effective methods for protecting privacy on global networks…
• Facilitate the exchange of information about effective methods to protect privacy on global networks through, for example, questionnaires for Member countries on privacy principles and their application; a survey of web sites examing personal information practices; and a survey of individual users and consumers to examine user awareness of privacy issues and experiences in the online environment.
… examining specific issues relating to the implementation of the OECD Privacy Guidelines…
• Examine specific issues raised by the implementation of the OECD Privacy Guidelines in relation to global networks, taking into account the different approaches to privacy protection adopted by Member countries and drawing on the experience of Member countries and the private sector. Such issues could include: the means by which bridges can be built between the different approaches to privacy protection in order to provide coherent and effective privacy protection at an international level and avoid unnecessary restrictions on transborder flows of personal data; the use of privacy policy statements in the online environment; the need to balance the maintenance of user anonymity with the public interest in identifying users whose online behaviour is undesirable or illegal.
… providing practical guidance…
• Provide practical guidance based on examples of the different approaches to privacy protection and drawing on the experience of Member countries and the private sector, on the implementation of the OECD Privacy Guidelines in relation to global networks.
… and helping to develop international education programmes, technologies, and policy initiatives.
• Work, in co-ordination with OECD Member countries, private sector businesses and organisations, and regional and international bodies towards the development of international educational programmes, technological developments and policy initiatives such as model transborder data flow contracts.
17
Source: http://www.oecd.org/subject/e_commerce/ebooks/ecomm1_4.pdf (297K)
Consumers today are hesitant to embrace electronic commerce.
The vast amount of information available online has the potential to influence commercial sales both online and in the “real world” by increasing consumers’ ability to easily access and compare business and product information from around the world. Yet, despite the broad range of products and services currently available for sale in the electronic marketplace, consumers have not fully embraced the idea of buying online. Today, the most common online consumer shopping experience consists of buyers using the technologies to research products and services, then turning to more traditional methods – phone, fax or local retail outlets – to make the actual purchase. Faced with questions about the accuracy of information, contract formation, the availability of redress and dispute resolution mechanisms, the potential for fraud, and privacy issues, consumers are concerned about the practicalities and the safety of the electronic environment and are reluctant to fully participate in electronic commerce. Consumers need assurances that the electronic marketplace provides a safe and predictable place for them to do business.
Yet, as computer technologies become more pervasive and easier to use…
Still, consumer interest in computer technologies and graphic-based Internet applications is growing as more powerful, less expensive and easier to use devices and applications become available. Global networks and network applications (like the World Wide Web), hardware and software innovations (including interactive television, wireless personal computing devices, touch screens, voice and optically activated software), and information sorting and filtering tools are all part of an evolving technological environment that makes it easier for users to operate computers and access the online environment. In addition, network connected pay phone units, computer terminals and public access kiosks are increasingly found in airports, shopping malls, libraries and “cybercafes” and can offer consumers Internet and e-mail access and the ability to conduct other online business away from the home or workplace environment.
… consumers are becoming more accustomed to and more with the electronic world.
Consumers are growing more accustomed to the convenience that technology adds to their daily lives. For some time, banks and other financial institutions have been using proprietary networks and inter-comfortable faces, such as automatic teller machines, to offer consumers accessible and efficient self-service options like information and account inquiries, electronic forms and bill payment. This experience is helping consumers become comfortable with electronic assistance and access to information and may help increase confidence in electronic transactions as these and other services begin to migrate to global networks and the Internet.
19
While consumer interest in online shopping is increasing…
Online sales statistics for items such as books, travel and computers, and profiles of companies selling on the Web are making headlines around the world, fuelling the interest in the online environment and increasing speculation about the potential benefits of electronic commerce. While the potential problems and pitfalls of the online marketplace receive as much attention as the stories of its promise and success, there is evidence that the number of consumers online and their interest in shopping online is growing.
In 1996, there were fewer than 40 million people connected to the Internet worldwide; by December 1997, that number grew to approximately 96 million, and growth projections for 2005 predict there will be nearly one billion users online. In addition, surveys of the more than 58 million online users in North America suggest that more than 70% had searched the Internet for product information and that 10 million of those users had actually made a purchase online. So far, however, electronic commerce has primarily been a tool for business-to-business transactions and, while consumers are beginning to buy a range of products and services online, direct business-to-consumer sales remain a small percentage of the total.
…electronic commerce will not realise its full consumer potential until shoppers are convinced that their protection is assured.
Direct business-to-consumer electronic commerce will not reach its full potential until consumers are assured that the online environment is a safe and predictable place for them to do business. In the “real world”, domestic retail markets offer consumers assurances that their interactions and purchases are covered by national legal and private sector consumer protection. However, in the global electronic marketplace, such protection cannot be taken for granted. The lack of face-to-face contact between businesses and consumers increases the need for a trustworthy electronic marketplace. Businesses and consumers alike must be aware of the legal and self-regulatory rules and practices that apply to them online. Working together, governments, businesses and consumer representatives can help to ensure that consumers in the electronic marketplace are provided with the same level of protection online that they enjoy in other forms of commerce.
Despite some broad areas of international agreement on consumer protection, regulatory differences continue to require attention.
While there are generally broad areas of international agreement on consumer protection practices and standards, there continue to be significant differences as well, many of which involve the regulation of commercial communications. Governments are faced with questions about how best to protect their citizens without inhibiting the growth of the evolving electronic marketplace. They must determine whether current rules and practices are applicable and sufficient to protect consumers online and, if not, how to proceed in developing and implementing effective and practicable consumer protections. While this is not likely to require the development of an entirely new set of rules for the online environment, it will require governments and the private sector to review, clarify and adjust existing laws and self-regulatory codes to accommodate the special circumstances of electronic commerce. Addressing these challenges requires an understanding of the advantages and limitations of the technology and the existing consumer protection framework, as well as a determination of the appropriate balance between government intervention and industry self-regulation in achieving market goals.
20
Both for consumers and for businesses, the question of “adequate” online information requires a careful balance.
Advertising and product information are essential elements of the electronic marketplace. Without the ability to physically hold and inspect merchandise, consumers must rely on an electronic “view” of the products and services being offered. Product information can be organised in a way that allows consumers to choose what information and how much detail they would like, while sophisticated search software can automatically identify relevant data according to consumer-defined criteria. Armed with accurate business and product information and comparisons, consumers are able to make better informed purchasing decisions. However, in some instances this flood of information can be confusing and consumers may have no effective means to verify its accuracy. For businesses, maintaining a current and accurate web site requires diligence and may be more expensive than an occasional physical publication or broadcast in another medium.
Technological solutions can help resolve some of the difficulties presented by the online purchasing process.
Direct international business-to-consumer transactions may be subject to varying legal and self-regulatory standards, including commercial codes for advertising, marketing, and sales disclosure requirements. This raises questions about the conditions and requirements for the writing, execution, and enforcement of contracts. Technological solutions may help to resolve some of the questions related to “consent” and the conditions for “written” confirmation of transactions. The use of a "clickwrap," for example, allows a consumer to be guided through the online purchasing process by means of a series of hyper-linked steps that could include: viewing a screen or a succession of screens that state the terms of the contract, and allowing consumers to confirm their acceptance on each successive screen. Authentication and certification techniques could also be used to identify the parties in an electronic transaction, and could be recognised in the same way as a signature at the bottom of a page.
Effective means of responding to consumers’ complaints will have to be developed to increase consumer confidence.
Just as they do in the “real world”, consumers in the electronic marketplace will have products arrive broken, defective or in some way fail to meet their expectations, and they will need access to effective complaint and redress mechanisms to help resolve disputes. Efforts to resolve disputes between consumers and businesses located in different parts of the world may prove to be time-consuming, expensive and difficult. However, online businesses may find that by responding to consumer problems, providing online information and effective means to resolve differences can reduce costs, increase productivity and boost consumer confidence. In addition, voluntary alternative dispute resolution mechanisms could help businesses and consumers alike avoid more formal and costly legal actions.
21
Coping with online fraud may require concerted international efforts.
Given the size of the electronic marketplace, fighting fraud online is a formidable task. Much of the fraudulent conduct surfacing online is not new. The problems that arise in more traditional commercial media are also occurring online: pyramid schemes, fraudulent business opportunities and products that either don’t arrive or fail to meet consumer expectations. What is new is the relative ease and reach of these activities when conducted online. Fraudulent operators are taking advantage of the novelty of the online environment through the media and its marketing capabilities to reach millions of consumers worldwide. The potential for anonymity and the transitory nature of the environment make it likely that the fraudulent offer itself may not be found from one moment to the next. Co-operative law enforcement efforts like Internet “Sweep Days” in which agencies worldwide join forces to “surf” the Internet for specific schemes and other targeted national law enforcement actions, coupled with business and consumer education about the risks of fraudulent behaviour and how to protect themselves online, are proving to be effective consumer protection strategies against online fraud.
The amounts of data generated and the capacity to analyse them will require governments and business to co-operate to ensure effective privacy protection.
The growth of electronic commerce and the global expansion of digital and network technologies encourage information exchange, increase consumer choice, and facilitate the ways in which data can be generated, accessed, compiled, processed, linked and stored on global networks. While this data processing offers benefits, it also allows the creation of detailed online user profiles that track online activities and electronic transactions that threaten privacy. The interactive characteristics of digital and computer network technologies can help consumers to develop skills to protect themselves and exercise choice with respect to privacy protection online. Technology alone, however, will not provide consumers with sufficient online privacy protection. Both governments and the private sector have an important role to play to ensure that consumers benefit from seamless privacy protection on global networks that are at least consistent with the 1980 OECD Privacy Guidelines.
The private sectors will need to play a greater role in developing the security and authentication mechanisms needed by both business and consumers.
Consumers and businesses alike need assurances that the electronic marketplace is secure and reliable, and effective mechanisms to ensure information security is a key element of building trust in electronic transactions. Security and authentication mechanisms can help to verify user identity and other information about transactions and transacting parties and ensure information integrity. While establishing trust in economic transactions has traditionally been a role for government, technological solutions for security and authentication call for the private sector to play an increasingly leading role.
22
User education is essential if consumers are to become aware of potential risks and learn how to avoid them.
Education is an essential aspect of consumer protection, and electronic networks are well suited to help provide comprehensive and up-to-date information and advice. It may not be possible to definitively address some of the problems inherent to the electronic marketplace by legislative or self-regulatory means, and consumers may need to accept some of the risks that shopping online entails. It is important that consumers be aware of these risks and how best to avoid them. Co-ordinated efforts among governments, the private sector and consumer representatives can provide user education about the rights, obligations and the potential risks of doing business online.
Business and consumer groups can work together to develop voluntary self-regulatory codes for protection of consumers.
The changing online environment makes it difficult to anticipate all of the potential consumer protection problems and solutions. Businesses have a vested interest in helping to create and promote a safe environment for consumers. Self-regulatory efforts may offer some of the most promising avenues for consumer protection in this new and evolving medium, without inhibiting its growth and development. Business and consumer groups can work together to develop voluntary self-regulatory codes that provide consumer protection mechanisms which could go a long way toward building consumer trust and confidence in electronic commerce. Both government and non-governmental organisations can stimulate the introduction of voluntary self-regulatory consumer protection codes by providing guidance for the basic elements of global consumer online protection. Governments also have an ongoing role in enforcing laws to back-up self-regulatory plans where a business that claims to comply with the private sector standards fails to do so.
It is important for government, business and consumer representatives to work together at international level to address these issues.
Governments are challenged to strike the right balance between the desirability of social development and economic growth based on emerging network technologies, and the necessity to provide their citizens with effective and consistent consumer protection. Disparate national policies may impede the growth of electronic commerce and, as with many other issues in the electronic marketplace, consumer protection can be addressed most effectively through international consultation and co-operation. The OECD is well placed to bring government, business and consumer representatives together to clarify specific policy and regulatory issues relating to consumer protection in the context of electronic commerce.
23