
MSc International Business 2014

International e-business

Lecture 8:
Aspects of Design
e-Business Security:
Risks and Threats
Legal & Ethical Issues
1
Learning Objectives

• Understand the scope of e-commerce crime and security problems
• Describe the key dimensions of e-commerce security
• Understand the tension between security and other
business practices
• Identify the key security threats in the e-commerce
environment
• Describe how various forms of encryption technology help
protect the security of messages sent over the Internet
• Identify the tools used to establish secure Internet
communications channels
• Identify the tools used to protect networks, servers, and
clients
• Appreciate the importance of policies, procedures, and
laws in creating security

2
Reading and Site Visiting

• Chaffey: Chapter 11
• Schneider: Chapters 7 & 8
• Chen: Chapter 9
• Jelassi & Enders: Appendix 3
• Turban: Chapter 9, Chapter 13
• Oz: Chapter 10
• Farhoomand: Module 3 [Chapter 6 and case 6.1]
• http://www.cisecurity.org/
• http://antivirus-software.6StarReview.com/
• http://www.cert.org/
3
Security Issues - Scope

• FBI and Computer Security Institute Annual Survey (available on Canvas) - 700 US respondents
http://reports.informationweek.com/abstract/21/7377/Security/research-2010-2011-csi-survey.html
• Main Threats:
• Unauthorised use of computer systems
• Unauthorised access to information
• Theft of proprietary information
• Viruses, Trojan Horses, Worms, SpyWare (Malware)
• Denial of Service (DOS) and Distributed DOS attacks
• Government Departments suffered most attacks
• “Inside Jobs” (the most common source of problems)
• http://www.gfi.com/blog/top-5-web-security-issues/ (YouTube)

4
Security: Scope of Problem

• Overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured losses
• Symantec: Cybercrime on the rise from 2010 – 2011
• http://www.symantec.com/threatreport/
• IC3: Processed 200,000+ Internet crime complaints
• 2010 CSI survey: 46% of online firms detected security breach;
91% suffered financial loss as a result
• Underground economy marketplace that offers sales of stolen
information is growing (quickly)
• WikiLeaks has added to the increasing fear that compromised
systems may release inappropriate information

5
Management Issues

• What are the critical success factors for analysis and design of e-business systems?
• What is the balance between requirements for
usable and secure systems and the costs of
designing them in this manner?
• What are the best approaches for incorporating
new IS solutions with legacy systems into the
architectural design of the e-business, and
ensuring that SECURITY is built in at the planning
and design phases of IS Development?

6
Analysis for e-business

• Understanding processes and information flows to improve service delivery and security
• Pant and Ravichandran (2001) say:
‘Information is an agent of coordination and
control and serves as a glue that holds together
organizations, franchises, supply chains and
distribution channels. Along with material and
other resource flows, information flows must also
be handled effectively in any organization.’
(Mentioned earlier)

7
Client-Server Architecture

[Figure] 3-Tier Client/Server Architecture in e-business

8


Client/Server: Separation of Functions

• Data storage. Predominantly on the server. Client storage is ideally limited to cookies for identification of users and session tracking. The cookie identifier for each system user is related to the data for that user, which is stored on a database server; the cookie itself should be an unguessable, tamper-evident token rather than carrying user attributes (such as a role or a price) that the client could edit.
• Query processing. A server function. Some validation can be performed on the client for responsiveness, but because the client is under the user's control every check must be repeated on the server.
• Display. This is largely a client function.
• Application logic. Traditionally, in early PC applications this has been a client function, but for e-business systems the design aim is to maximize the application logic processing, including the business rules, on the server.
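An added example (not from the lecture) of the split described above, in Python using only the standard library: the browser holds an opaque session id plus an HMAC tag, while the user's record, including the role that authorises actions, lives in a server-side table. The server key and the session records are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side secret; in production load it from a secrets store, not source code.
SERVER_KEY = b"demo-server-key-not-for-production"

# Server-side session table: session id -> user record. The role stays here,
# so a user cannot promote themselves by editing their cookie.
SESSIONS: Dict[str, Dict[str, object]] = {}


def _tag(session_id: str) -> str:
    """HMAC-SHA256 of the session id under the server key, hex encoded."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(user_id: int, role: str) -> str:
    """Store the user record on the server; return the value to put in the cookie."""
    session_id = secrets.token_urlsafe(32)       # 256 bits of randomness: unguessable
    SESSIONS[session_id] = {"user_id": user_id, "role": role}
    return f"{session_id}.{_tag(session_id)}"


def load_session(cookie: str) -> Optional[Dict[str, object]]:
    """Return the server-side record for a valid cookie, else None."""
    parts = cookie.split(".")
    if len(parts) != 2:
        return None
    session_id, tag = parts
    # compare_digest runs in constant time, so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, _tag(session_id)):
        return None
    return SESSIONS.get(session_id)


def demo() -> tuple:
    """Valid cookie is accepted; an edited id or a wrong tag is rejected."""
    cookie = create_session(user_id=42, role="customer")
    sid, tag = cookie.split(".")
    accepted = load_session(cookie) == {"user_id": 42, "role": "customer"}
    new_first = "A" if sid[0] != "A" else "B"
    edited_id = load_session(new_first + sid[1:] + "." + tag) is None
    wrong_tag = load_session(sid + "." + "0" * 64) is None
    return accepted, edited_id, wrong_tag
```

The cookie carries no user data at all; anything the application needs about the user is looked up server-side from the validated session id, which is exactly the separation the slide describes.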

9
Vulnerable Areas in e-Biz

10
How Do We Assess the Risks

11
Computer Security Classifications

• Secrecy
• Protecting against unauthorized data disclosure and ensuring the authenticity of a data source
• Integrity
• Refers to preventing unauthorized data modification
• Problem: Man-in-the-Middle exploit (an attacker positioned between the two parties intercepts messages and makes modifications before forwarding them to the destination; encryption alone does not stop this unless each party also authenticates the other)
• Necessity
• Refers to preventing data delays or denials (availability)

12
How is Security Compromised?

• Inadequate attention paid to security issues
• IDENTITY THEFT (need to take care over release of private details)
• Failure to protect private information sent over Internet
• Failure to create a “security awareness” environment within the organization (a Managerial issue)
• Malicious Software use: MALWARE
• Viruses and “Worms” [often referred to interchangeably, but a virus attaches itself to a host file or program and needs a user action to spread, whereas a worm propagates across the network on its own]
• Spyware [see: http://www.spychecker.com/spyware.html ]
• Web Bugs
• Hacking
• “phishing” and “pharming”
[http://www.cpni.gov.uk/Docs/Phishing__pharming_guide.pdf ]

13
Key Security Issues

• Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
• Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
• Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the Internet
• Confidentiality: ability to ensure that messages and data
are available only to those authorized to view them
• Privacy: ability to control use of information a customer
provides about himself or herself to merchant
• Availability: ability to ensure that an e-commerce site
continues to function as intended

14
Requirements for Secure e-commerce

15
UK Information Security Breaches
Source: BIS (2013) Information Security Breaches Survey, conducted by PwC for the Department for Business, Innovation and Skills (successor to the DTI, which ran earlier editions).

http://www.pwc.co.uk/assets/pdf/cyber-security-2013-exec-summary.pdf
16
Other Security Breaches (UK)
Source: BIS/PwC (2013) Information Security Breaches Survey (the former DTI survey)

See:http://www.pwc.co.uk/pdf/premium/isbs_survey_2013_executive_summary.pdf
17
Security Perspectives

Integrity of Data
  Customer view: Has the data sent or received been altered in any way in transit?
  Merchant view: Has the data on site been altered without authorisation? Is data from customer valid?

Nonrepudiation
  Customer view: Can a party to an action later deny taking the action?
  Merchant view: Can a Customer deny ordering products?

Authenticity
  Customer view: Who am I dealing with? How can I be sure they are who they say they are?
  Merchant view: What is the REAL identity of the Customer?

Confidentiality
  Customer view: Can anyone other than the intended recipient read my messages?
  Merchant view: Are messages or confidential data accessible to unauthorised persons?

Privacy
  Customer view: Can I control information about myself transmitted to e-commerce merchant?
  Merchant view: What use (if any) can be made of personal data collected as part of an e-commerce transaction? Is personal data used inappropriately?

Availability
  Customer view: Can I get access to the site?
  Merchant view: Is the site operational?

18
Conflict Between Security and
Other Issues

• Security vs. ease of use: the more security measures that are added, the more difficult a site is to use, and the slower it becomes
• Placing security hurdles in place may discourage
Customers from proceeding with transactions
(B2C)
• Need for tight Security vs. desire of individuals to
act anonymously can act as barrier to online
trade
• Absolute Security: Difficult to achieve – Create
Barriers deterring Intentional Violators
• Reduce Impact of Natural Disasters/Terrorist Acts
19
PASSWORDS: Idiocy

USE STRONG, UNIQUE passwords (a password manager helps with both). Change them when compromise is suspected rather than on a fixed schedule (forced periodic change tends to produce predictable variations), and add a second factor where available


Explanation of Terms

• Spoofing: Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
• Denial of service (DoS) attack: attackers flood a Web site with useless traffic to inundate and overwhelm the network or server
• Distributed denial of service (DDoS) attack: attackers use numerous compromised computers (a botnet) to attack the target network from numerous launch points, which makes the traffic hard to filter by source
• Sniffing: type of eavesdropping program that monitors information traveling over a network; enables attackers to read unencrypted traffic on any network segment they can reach (shared Wi-Fi, a compromised switch or router); encrypting the channel (TLS) is the main defence
• “phishing”: http://www.webopedia.com/TERM/p/phishing.html
• “pharming”: http://en.wikipedia.org/wiki/Pharming
• Insider jobs: single largest financial threat

21
Hacking and Cybervandalism

• Hacker: Individual who intends to gain unauthorized access to computer systems
• Cracker: Used to denote hacker with criminal intent
(two terms often used interchangeably)
• Cybervandalism: Intentionally disrupting, defacing
or destroying a Web site
• Types of hackers include:
 White hats – Used by corporate security departments
to test their own security measures
 Black hats – Act with the intention of causing harm
 Grey hats – Believe they are pursuing some greater
good by breaking in and revealing system flaws

22
Typical B2C Transaction

23
Security Threats in e-business

• Three key points of vulnerability:
 Client
 Server
 Communications channel
• Most common threats:
 Malicious code
 Hacking and cybervandalism
 Credit card fraud/theft
 Spoofing
 Denial of service attacks
 Sniffing
 Insider jobs
24
Control of Security Threats

Employ controls: (a) governance and (b) technical solutions


25
Simple Rules Approach
MailMarshal SMTP

Source: Marshal Ltd. www.marshal.com

26


Prevalence of SPAM

27
Attempts to Control Spam

28
Use of Firewalls and Proxy Server

29
Encryption

• Encryption: The process of transforming plain text or data into cipher text that cannot be read by anyone other than the holder of the decryption key (in the simplest case, the sender and the receiver)
• Purpose:
 Secure stored information
 Secure information transmission
• Encryption by itself provides confidentiality. The other properties usually listed alongside it come from related cryptographic tools that are combined with encryption in practice:
 Message integrity (hash functions and message authentication codes)
 Nonrepudiation (digital signatures)
 Authentication (digital signatures and certificates)
 Confidentiality (encryption proper)

30
Encryption: Debate

• Encryption technology is intended to make Internet communication SECURE
• Strong Encryption:
http://http.apache.org/docs/2.0/ssl/ssl_intro.html
• Leads to the key-length debate: until 2000, US export controls limited the encryption that could be shipped abroad to weak key sizes (typically 40-bit symmetric keys), so exported browsers and servers used deliberately weakened “export” cipher suites
• Industry wanted strong encryption (128-bit symmetric keys and beyond) available worldwide, to stimulate growth of e-Business
• US Government was reluctant to allow strong encryption out without restriction, citing:
• Potential criminal activity
• “Hostile” Government use, “Terrorists”, etc.

31
Encryption: Principles

• Based on Principles of Cryptography (Ancient Greece)
• Four Basic Principles:
1. Plain Text: Original Message (readable format)
2. Cipher Text: Encrypted to render it unreadable
3. Encryption Algorithm: Mathematical Formulae
4. Key: Encryption and Decryption of Message
• Can use Different Algorithms for Encryption
• Message remains secure as long as key is unknown (Kerckhoffs's principle: assume the algorithm is public; only the key is secret)
• Length of the key sets the upper bound on the level of security, since it determines how long a brute-force search takes; that bound only holds if the algorithm is sound and the key is randomly generated and kept secret
32
Symmetric (Secret) Key

• Also known as secret key encryption
• Both the sender and receiver use the same digital key to encrypt and decrypt the message
• Best practice is a fresh session key for each session or transaction, so that a leaked key exposes as little traffic as possible
• Data Encryption Standard (DES): the historical standard, with a 56-bit key that has been brute-forceable since the late 1990s; superseded by AES (Advanced Encryption Standard), which uses 128-, 192- or 256-bit keys. Key sizes of 2048 bits and more belong to public key algorithms such as RSA, not to symmetric ciphers
• See oraclegeek.net/joomla/content/view/19/35/

33
Encryption: Public and Private Keys

[Figure: two diagrams]
Symmetric (Secret Key) Encryption: Message Text -> Encryption with the shared key -> Encrypted Text -> Decryption with the same shared key -> Message Text
Asymmetrical (Public Key) Encryption: Message Text -> Encryption with the public key of the recipient -> Encrypted Text -> Decryption with the private key of the recipient -> Message Text

34


Encryption: Issues

• Secret (symmetric) Key Encryption:
• Much Internet traffic is between people and machines with no prior relationship
• Web servers face large amounts of traffic: shared secret keys might be cracked, leaked or stolen, and distributing one to every correspondent in advance does not scale
• Led to development of Public Key Encryption:
• Pair of Keys: Public and Private
• Public Key available to anyone wishing to send encrypted data
• Data can only be decrypted with the Private Key (no need to agree on keys in advance of data transfer)
• Only a handful of public key algorithms are in widespread use (RSA, Diffie-Hellman, DSA/ElGamal and their elliptic curve variants)

35
Public Key Encryption

• Public key cryptography solves symmetric key encryption's problem of having to exchange the secret key
• Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner)
• Either key of the pair can be used to encrypt; whatever one key encrypts, only the other key of the pair can decrypt
• Once a key is used to encrypt a message, the same key cannot be used to decrypt it
• For example, sender uses recipient's public key to encrypt a message; recipient uses his/her private key to decrypt it. Conversely, something encrypted with the sender's private key can be decrypted by anyone holding the sender's public key, which is the basis of digital signatures

36
Simple Public Key Encryption

37
Using Signatures and Hash Key

• The sender applies a hash function (a one-way mathematical algorithm) to the message before encryption; this produces a fixed-length hash digest that the recipient can use to verify the integrity of the data
• Encrypting that digest with the sender's private key produces a digital signature, which helps ensure authenticity and nonrepudiation. The digital envelope (next slide) is the separate step that protects confidentiality

38
Public Key with Digital Signatures

39
Digital Envelopes

• Addresses the weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and of symmetric key encryption (fast, but the shared key has to be delivered securely)
• Uses symmetric key encryption to encrypt the document, but public key encryption (with the recipient's public key) to encrypt and send the symmetric key

40
Public Key Encryption + Envelope

41
Digital Certificates and PKI

• Digital certificate: Digital document that includes:
 Name of subject or company
 Subject's public key
 Digital certificate serial number
 Expiration date
 Issuance date
 Digital signature of the certification authority (CA), the trusted third party (institution) that issues the certificate
 Other identifying information
• Public Key Infrastructure (PKI): refers to the Certification Authorities (CAs) and digital certificate procedures that are accepted by all parties

42
Digital Certificates and CAs

43
Digital Certificate (Cengage)

See Also Verisign, Thawte, Co-Sign, etc.


Limits to Encryption

• PKI applies mainly to protecting messages in transit
• PKI is not effective against insiders
• Protection of private keys by individuals may be haphazard
• A certificate only attests that the CA checked the subject's identity (or its control of a domain name) and bound it to a public key; it is no guarantee that the merchant's server is securely configured or run, and it says nothing about the merchant's honesty
• CAs were long self-selecting and lightly regulated; today browser root programs and the CA/Browser Forum baseline requirements constrain them, and a CA that mis-issues certificates can be removed from browsers' trust stores (as happened to DigiNotar in 2011)

45
VeriSign (CA)

46
Amazon’s Security Certificate

47
Security & Electronic Business

• Security: Major Control Issue for Management
• Commercially Sensitive Data MUST be kept private
• Transmitted data MUST be protected against alteration by someone other than the sender (e.g. a Stock Market Execution Order)
• Encryption Standards:
• SSL (Secure Sockets Layer), now superseded by TLS (Transport Layer Security)
• HTTPS (HTTP carried over SSL/TLS): gives the browser's visual cue, the locked padlock. S-HTTP, an older message-level alternative, is rarely seen in practice
• SET (Secure Electronic Transactions) (Visa and MasterCard): never achieved wide adoption
• Other Payment Methods:
• e-cash; electronic cheques; digital wallets, e.g. Microsoft Wallet (E-Wallets have largely been a failure)
• Payment by Mobile Phone (Extremely common in Kenya, and other African Countries; SG, S Korea, etc.)

48
Securing Communication Channels

• Secure Sockets Layer (SSL), now standardised as Transport Layer Security (TLS): most common form of securing channels of communication; used to establish a secure negotiated session (client-server session in which the URL of the requested document, along with its contents, is encrypted). An observer sees only the server's host name and the traffic volume. SSL 2.0 and 3.0 are deprecated; TLS 1.2 or later should be used
• S-HTTP: alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP (never widely deployed)
• Virtual Private Networks (VPNs): allow remote users to access internal networks securely via the Internet. Early deployments used Point-to-Point Tunnelling Protocol (PPTP); its authentication (MS-CHAPv2) is now considered broken, so IPsec or TLS-based VPNs are preferred

49
SSL

50
SSL (2)
Security: Use of VPN
• A VPN is one way of implementing an Extranet
• An Extranet connects companies with suppliers or other companies, and can take any of the following forms:
• A public network
• A secure (private) network
• A Virtual Private Network (VPN)
• VPN uses public networks and protocols to send sensitive data to partners, customers, suppliers and employees using a system called “tunnelling” or “encapsulation”
• Tunnels are private passageways through the public Internet that provide secure transmission from one extranet to another
• VPN provides security shells, with the most sensitive data under tightest control.
• Easy to create on the client side (a few clicks in the network settings on a Mac or Windows PC); the gateway configuration and the credentials issued to users still need care

52
How does VPN work?
• Company employees in remote locations can send information to
the company without outsiders “seeing” the data.
• Data is sent over the public Internet, with additional
• Data encryption (to scramble the communications)
• Authentication (to ensure that the data has not been altered in transit, and comes from a legitimate source)
• Access control (to regulate who can access the network - password protection and other security measures)
• Benefits of VPN: MUCH cheaper than alternative methods of
secure communication.
• Alternatives:
• Private leased line (expensive, and not easily scaleable)
• Dial-up to Remote Access Server (RAS) using a bank of
modems to obtain direct access to the company LAN.

53
Technical Issues
• Maintaining Confidentiality and Integrity of Data
• How? Protocol tunnelling:
• Data packets are first encrypted,
• then encapsulated into IP packets for transmission
across the Internet,
• and then decrypted (using a special host computer or
router)
• Protocol tunnelling also supports multiprotocol networking
(e.g. LANs typically employ protocols such as Novell’s IPX,
which need to be encrypted for IP packet transmission, then
encapsulated and read at the other end). To users the data
appears as if they are directly connected to the LAN
• Protocols used:
1. Point-to-Point Tunnelling Protocol (PPTP) [implemented by Microsoft, and used in Windows NT, Windows 2000, Win XP; now regarded as insecure];
2. Layer 2 Tunnelling Protocol (L2TP), usually run over IPsec - became the standard

54
Creating a VPN
• L2TP: Multivendor interoperability is important
• Often combined with IPSec [IP Security standard, developed by IETF]
• Three crucial technology components:
• Firewall products (hardware and software) [Activity: Find out
what a Firewall is]
(Visit Check Point Software Technologies)
• Routers (can operate as firewalls as well as routers) can ALSO
operate as VPN servers
• Software applications that operate as complete VPN service
providers
(visit www.vpnc.org/features-chart.html for a comparative list of
features and benefits of a range of commercial VPN Products)
• Many telecoms companies and ISPs offer VPN services for dial-up
and PTP communications. Often these include private network
service backbones with added security services, Internet
connectivity and dial-up (e.g AT&T; PSINet; Cable & Wireless (at the
moment!) etc.
55
e-Business and Fraud

• Internet Stocks Fraud
• In 2003, SEC brought charges against 44 companies and individuals who illegally promoted stocks on computer bulletin boards, online newsletters and investment Web sites
• Other Financial Fraud
• Selling bogus investments, phantom business opportunities,
and other fraud schemes
• Other Fraud in e-Commerce
• Customers may
• receive poor quality products and services
• not get products in time
• be asked to pay for things they assume will be paid for by sellers

56
Common online scams

• Business opportunities
• Bulk mail solicitors
• Investment opportunities
• Work-at-home schemes
• Health and diet schemes
• Effortless income
• Nigerian Scam [419 Scam]
• “phishing”
• Identity Theft
• Guaranteed loans or credit, on easy terms
• Free goods
• Chain letters
• Cable descrambler kits
• Credit repair
• Vacation prize promotions
• Lottery “wins”
• See: http://www.ic3.gov/crimeschemes.aspx

57
Protection for Sellers

• Sellers must be protected against:
• Use of their names by others (Identity Theft - fastest growing white-collar crime)
• Use of their unique words and phrases, names, and
slogans, trademarks, and their web addresses
• Dealing with customers who deny that they placed an
order
• Other potential legal issues related to sellers’ protection
• Customers downloading copyrighted software and/or
knowledge and selling it to others
• Not being properly paid for products and services
provided

58
Government Initiatives

• 2002 Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks has 9 principles:
 Awareness
 Responsibility
 Response
 Ethics
 Democracy
 Risk assessment
 Security design and implementation
 Security management
 Reassessment

59
Electronic Payments

60
PayPal

• One of e-commerce's major success stories: Started 1999
• Went public in 2002; acquired by eBay October 2002 for $1.5 billion
• An example of a “peer-to-peer” payment system
• Fills a niche that credit card companies avoided –
individuals and small merchants
• Piggybacks on existing credit card and cheque payment
systems
• Weakness: suffers from relatively high levels of fraud
• Fraud increasingly reported (2010-11)
• Competitors include Western Union (MoneyZap), AOL
(AOLQuickcash) and Citibank (C2it)

61
Online Payment Systems

• Credit cards are dominant form of online payment, accounting for around 92%+ of online payments (in B2C, but NOT in B2B) in 2013
• New forms of electronic payment include:
 Digital cash
 Online stored value systems
 Digital accumulating balance payment systems
 Digital credit accounts
 Digital cheques
 Payment by “Contactless” cards (Oyster)
 Payment by Mobile Phone

62
Limitations of CC Online

• Security – neither merchant nor consumer can be fully authenticated
• Cost – for merchants, around 3.5% of purchase
price plus transaction fee of 20-30 cents (US)
per transaction
• Social equity – many people do not have access
to credit cards (young adults, plus others who
cannot afford cards or are considered poor risk)
• In many countries, people prefer to pay cash or
COD, rather than use credit cards

63
Digital Divide (US)

• Digital Divide: Some groups don't have same access to computers and Internet that others do
• Digital “have nots” include:
• Households with incomes below $35,000
• Those without college educations
• People living in rural areas
• African-Americans and Hispanics
• Seniors over 65
• Disabled
• Most recent Department of Commerce study -- most of
above groups gaining access to computers and Internet
due to falling computer prices and free or low cost ISPs
• But without credit cards, still hard for people to shop online

64
Digital Cash

• One of the first forms of alternative payment systems: Has not really flourished
• Not really “cash” – rather, they are forms of value
storage and value exchange that have limited
convertibility into other forms of value, and
require intermediaries to convert
• See http://ganges.cs.tcd.ie/mepeirce/Project/Mlists/minifaq.html
• Many early examples have disappeared; concepts
survive as part of P2P payment systems
http://www.ex.ac.uk/~RDavies/arian/emoney.html
• Bitcoin and other Digital Money: P2P payments
http://bitcoin.org/en/

65
Other Security Measures: Biometrics

• Photo of face
• Fingerprints
• Hand geometry
• Blood vessel pattern in the retina of a person’s
eye (fairly commonplace)
• Voice (can be difficult: illness or stress affects
voice)
• Signature (and Digital Signatures)
• Keystroke dynamics

66
E-Signatures

• Electronic Signatures in Global and National Commerce Act (E-Sign Act): went into effect 1 October 2000 in the US
• Gives as much legal weight to electronic signature as to traditional version
• So far, not much impact
• Companies such as Silanis and others still moving ahead
with new e-signature options:
• http://www.silannis.com
• http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gc
i211953,00.html
• http://www.thefreedictionary.com/e-signature

67
Digital Signatures

• Ensures integrity and authenticity of a message, and supports nonrepudiation; confidentiality, if needed, comes from separately encrypting the message
1. Use hash function to create “digest” of message (standard hash functions may be obtained, Stein (1998): “Web Security: a Step by Step Reference Guide”, Addison-Wesley)
2. Sender encrypts the digest using the sender's PRIVATE KEY. This produces the Digital Signature, which is sent along with the message
3. Recipient decrypts the signature with the sender's PUBLIC KEY to recover the digest, applies the hash function to the received message and compares the results
4. If identical, the message has not been altered and could only have come from the holder of the private key
5. If confidentiality is also required, the sender encrypts the message and signature using the recipient's public key, or wraps them in a digital envelope
6. Signing with the private key ensures authenticity, and prevents later repudiation. NB: The digital signature is UNIQUE, both to the individual sender AND TO INDIVIDUAL DOCUMENTS
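The two slides above (the digital envelope and the digital signature steps) combined in one worked Python example, added here and not part of the lecture. Textbook RSA over two well-known Mersenne primes stands in for a real key pair so the code runs with only the standard library; because those primes are public and no padding is used, it is a teaching model only. The stream cipher (SHA-256 in counter mode) and the sample order message are likewise constructed.

```python
import hashlib
import secrets
from typing import Any, Dict, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA: returns (public, private). Toy only: no padding, public primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Constructed key material: Mersenne primes, so anyone can derive the private keys.
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**107 - 1, 2**607 - 1)


def digest_int(message: bytes) -> int:
    """Step 1: hash the message to a fixed-size digest, as an integer smaller than n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, priv: Key) -> int:
    """Step 2: the signature is the digest transformed with the sender's private key."""
    n, d = priv
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, pub: Key) -> bool:
    """Step 3: recover the digest with the public key and compare to a fresh hash."""
    n, e = pub
    return pow(signature, e, n) == digest_int(message)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Illustrative symmetric cipher: XOR with SHA-256(key || block counter).
    Acceptable here only because every envelope uses a fresh random key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(message: bytes, sender_priv: Key, recipient_pub: Key) -> Dict[str, Any]:
    """Digital envelope: a fresh symmetric key encrypts the message, the recipient's
    public key wraps that key, and the sender's private key signs the message."""
    key = secrets.token_bytes(16)
    n, e = recipient_pub
    return {
        "ciphertext": keystream_xor(key, message),
        "wrapped_key": pow(int.from_bytes(key, "big"), e, n),
        "signature": sign(message, sender_priv),
    }


def open_envelope(env: Dict[str, Any], recipient_priv: Key, sender_pub: Key) -> bytes:
    """Unwrap the key with the recipient's private key, decrypt, then verify."""
    n, d = recipient_priv
    key = pow(env["wrapped_key"], d, n).to_bytes(16, "big")
    message = keystream_xor(key, env["ciphertext"])
    if not verify(message, env["signature"], sender_pub):
        raise ValueError("signature check failed: message altered or not from sender")
    return message


def demo() -> Tuple[bool, bool, bool]:
    """Round trip, then a man-in-the-middle edit, then a forged signature."""
    order = b"SELL 500 ACME @ market, account 1234"   # constructed sample message
    env = seal(order, SENDER_PRIV, RECIPIENT_PUB)
    round_trip = open_envelope(env, RECIPIENT_PRIV, SENDER_PUB) == order

    tampered = dict(env)
    ct = bytearray(env["ciphertext"])
    ct[0] ^= 0x01                                   # flip one bit in transit
    tampered["ciphertext"] = bytes(ct)
    try:
        open_envelope(tampered, RECIPIENT_PRIV, SENDER_PUB)
        edit_detected = False
    except ValueError:
        edit_detected = True

    # Without the sender's private key (here the recipient tries) nobody can sign as the sender.
    forged = seal(order, RECIPIENT_PRIV, RECIPIENT_PUB)
    try:
        open_envelope(forged, RECIPIENT_PRIV, SENDER_PUB)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True
    return round_trip, edit_detected, forgery_rejected
```

Note that the signature here is computed over the plaintext and travels unencrypted, so it reveals the hash of the message; for low-entropy messages (an order from a small set of possibilities) a real design signs inside the encrypted envelope or uses a padded, randomised signature scheme such as RSA-PSS.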

68
Issues for Discussion

• SSL (now TLS):
• communication protocol, built into all browser software
• Common Method of Encrypting Credit Card Numbers
• Does NOT verify ownership of credit card!!!
• Used by Visa, MasterCard, American Express, etc.
• Is SSL adequate in protecting purchaser from fraud?
• Mondex Cards (and other Smart Cards) – higher security,
but not a successful product/service
• Digital Wallet Systems (e.g. Gator) – not widely used
• Electronic Cheques (complete with digital signatures)
• VeriSign; TrustE; thawte and other Trusted third Parties

69
Managerial Issues

• Multinational corporations face different cultures in the different countries in which they are doing business
• Issues of privacy, ethics, etc. may seem to be tangential
to running a business, but ignoring them may hinder
the operation of many organizations
• The impact of electronic commerce and the Internet can be
so strong that the entire manner in which companies do
business might be changed, with significant impacts on
procedures, people, organizational structure, management,
and business processes (for discussion)

70
Management and Security

• What managerial issues arise relating to security?
• Need for comprehensive and coherent Security Plan
1. Undertake a Risk Assessment
2. Develop Security Policy
3. Design and Develop a Security Implementation Plan
4. Create a Security Team [important HR consideration]
5. Create a Climate of Awareness in the company
6. Put in Place a Security Management System (an ISMS; ISO/IEC 27001 is the usual reference standard)
7. Perform Periodic Security Audits
8. Keep the security systems updated

71
Security Tools

[Figure: map of security tools]
• Encryption
• Firewalls
• Network security protocols
• Access controls
• Virtual private networks
• Security management
• Authentication
• Proxy and agent systems
• Tunnelling
• Intrusion detection

72
Internet Security Environment

73
e-commerce Security Plan

74
Some Legal Issues in E-Biz

• All businesses:
• Must comply with the same laws and regulations
• Face the same set of penalties
• Web businesses face additional complicating
factors
• Web extends reach beyond traditional boundaries
• Subject to more laws more quickly than brick-and-mortar
business
• More interactive and complex customer relationships
• Due to increased communications speed and efficiency

• Law Evolves Slowly; E-Business Changes Quickly


Legal E-Biz Environment

• Online communications
• Facilitate strategic alliances and supply web
relationships
• Web creates network of customers
• Significant levels of interaction (with each
other)
• Implications of violating law or breaching
ethical standards
• Web businesses face rapid, intense reactions
from customers and stakeholders
Borders and Jurisdiction

• Physical world of traditional commerce
• Territorial borders clearly:
• Mark range of culture
• Mark reach of applicable laws
• Physical travel across international borders
• People made aware of transition through:
• Formal document examination
• Language and currency change
Laws, Culture and Ethics

• Geographic influences of area's dominant culture
• Limit acceptable ethical behavior and laws adopted
• Culture affects laws directly and indirectly
• Through its effect on ethical standards
Borders and Jurisdiction (2)

• Geographic boundaries on culture
• Historically defined by lack of distant travel
• Today people travel easily between countries
• Example: European Union citizen movement and use of
common currency (the euro) in some Member States
• Relationship between geographic and legal
boundaries
• Defined by four elements
• Power, Effects, Legitimacy, Notice
Geographic and Legal Boundaries
Jurisdiction on Internet

• Difficult
• No geographic boundaries
• Power, effects, legitimacy, and notice
• Do not translate well to e-commerce
• Governments need to enact and enforce Internet
business conduct laws:
• Must establish jurisdiction over conduct
• Contract
• Promise between two or more legal entities
• Provides for exchange of value between
them
Jurisdiction on Internet (2)

• Breach of contract
• Occurs if either party does not comply with
contract terms
• Other party can sue (failure to comply)
• Tort
• Intentional or negligent action taken by a legal entity
• Causing harm to another legal entity
• Other than breach of contract
• Sufficient jurisdiction requires:
• Subject-matter jurisdiction and personal
jurisdiction (Court’s Authority & Subject’s
Residence Issues)
Online Contractual Issues

See Schneider (2013), Chapter 7


Ethical Issues

• Web electronic commerce sites:
• Expected to Adhere to same ethical standards of
other businesses
• Consequences all companies suffer
• Damaged reputation, long-term loss of trust, and
loss of business
• Web advertising or promotion
• Include true statements; omit misleading
information
• Ensure products supported by verifiable
information
Taxation & E-Commerce

• Web businesses must comply with multiple tax laws in different countries – and many evade tax
• Several types of taxes
• Income taxes: levied on net income
• Transaction taxes (transfer taxes): levied on
products or services company sells or uses
• Sales taxes, use taxes, excise taxes
• Property taxes: levied on personal property,
real estate
• Greatest concern: income and sales taxes
Import Tariffs

• Countries regulate import and export of goods
• Goods imported: only if tariff paid
• Tariff (customs duty, duty)
• Tax levied on products as they enter country
• Many reasons for imposing tariffs
• Beyond scope of this book
• Goods ordered online: subject to tariffs
• When crossing international borders
• Products delivered online: subject to tariffs
• Example: downloaded software
EU and VAT

• European Union (EU)
• Transfer taxes generate revenues
• Value Added Tax (VAT): most common
• 2003: VAT applied to sales of digital goods
• EU-based companies
• Must collect VAT on digital good sales
• Non-EU companies
• Must register with EU tax authorities, levy,
collect, remit VAT if sales include digital
goods delivered into EU (Taxation without
Representation: Reason for US War of
Independence)
Online Resources

• http://www.palamida.com/solutions/open-source-
security.html
• http://security.symantec.com/sscv6/default.asp?langid=ie&
venid=sym (checks your own computer’s security)
• http://www.onlinesecurity.com/
• http://www.auditmypc.com/ (conducts a complete
assessment of your machine’s security)
• http://security.yahoo.com/
• http://www.onlinesecurity-guide.com/
• http://www.onlinesecurity-guide.com/articles/pc-security-
for-beginners.htm

88
