
Module 4: Other key issues to be addressed in creating an enabling legal and regulatory framework to encourage internet use for business development

V. Earning global confidence

A. Privacy and Data Protection

In information economies, the task of protecting data is of paramount importance. While secure storage and transparent use are important for many categories of public information, managing personal data also involves important issues of privacy.

There is therefore a need to strike a balance between privacy and the various needs to transmit personal data.

Indeed, the transmission of such data is fundamental to the conduct of e-business, but it needs a great deal of trust and confidence.

Note that with the growth of computing, the expanded use of the Internet and the rapid development of new technologies, there is also an increased potential for violations of online privacy. Therefore, some form of legal protection of privacy is important for generating trust in e-commerce.

Furthermore, beyond generating trust, developing countries that wish to participate in the global information economy will increasingly need to consider laws that protect personal data in order to have any chance of helping to facilitate the flow of information from developed to developing countries. Note that in European jurisdictions, for example, it is forbidden to transfer data to a jurisdiction that does not provide adequate protection for personal data.

Box 12: What is the European Union Data Protection Directive?

The European Union Data Protection Directive was enacted in 1995 with member States required to implement its provisions by October 1998. The Directive’s primary goal was to create a common European standard of privacy protection for the processing of personal data. The Directive establishes a series of protections for individuals including the right to know why information is being collected and how the information will be used and disclosed. Individuals are also entitled to compensation for any damages that arise from failure to abide by the Directive’s requirements.

Although the Directive does not have direct effect outside the European Union, it does contain an “adequacy clause” that has had a significant effect on the privacy law frameworks of non-European Union countries.

Article 25 provides that member States must ensure that the transfer of personal data to non-European Union countries takes place only if the non-European Union country provides an adequate level of privacy protection.

B. Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data

The OECD privacy guidelines were created in 1980, well before the Internet boom and the emergence of e-commerce. Although more than 20 years old, the principles found in the guidelines continue to serve as the basis for most privacy initiatives worldwide.

The guidelines feature eight privacy principles:

Collection Limitation Principle
There should be limits to the collection of personal data. Such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used. To the extent necessary for those purposes, data should be accurate, complete and kept up-to-date.
Purpose Specification Principle
The purposes for which personal data are collected should be specified no later than the time of data collection. The subsequent use should be limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified at each occasion of change of purpose.
Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the data quality principle, except with the consent of the data subject or by authority of law.
Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification or disclosure of data.
Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available for establishing the existence and nature of personal data, the main purposes of their use, as well as the identity and usual residence of the data controller.
Individual Participation Principle
An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him or her. An individual should have the right to receive that data and to challenge it if incorrect.
Accountability Principle
A data controller should be accountable for complying with measures that give effect to the principles stated above.

What other interests need to be balanced against the need to protect private data?

C. Intellectual Property Rights

Public policy on intellectual property rights poses an interesting challenge to governments, especially in developing countries, given the rapid developments in technology.

Today, however, technology is complicating this process and undermining many of the mechanisms that governed the system in the past. This trend is likely to continue; today’s technologies are the beginning, not the end, of the information revolution. Computers, two-way interactive cable, fibre optics, optical disks, communications satellites, and other devices are becoming steadily more sophisticated and powerful; and their uses are expanding almost daily. The greatest impact, however, will come not from single technologies, but rather from their use in combination.

These new information and communications technologies are challenging the intellectual property system in ways that may only be resolvable with substantial changes in the system or with new mechanisms to allocate both rights and rewards. Once a relatively slow and ponderous process, technological change is now outpacing the legal structure that governs the system, and is creating pressures on the United States Congress to adjust the law to accommodate these changes. The pressures are coming from a number of different parties, and they are motivated by a wide range of concerns:

Box 13: Free and Open Source Software Development

The open source movement, like digital technologies generally, presents both opportunities and challenges within the intellectual property context. Over the past decade or so, a large, global community of software developers has turned itself into a major economic and political force by developing new software on a collaborative model, known variously as “open source”, “libre” and “free” software. While open source technologies have not yet become a major player in the desktop computing space, the majority of web pages, for instance, are served using open source technologies.

Open source presents opportunities to countries that are growing their ICT infrastructure because it is often a low-cost software choice (and free, at least in its simple form), more secure than some proprietary technology choices (according to many technologists, though this assertion is controversial) and can foster a local technology development community rather than sending license streams to large technology companies in other countries, frequently in the United States.

On the other hand, proprietary systems like Microsoft applications are easier to find and to use. Many corporate and government electronic systems already run on proprietary software. Migrating to open source would be both expensive and time-consuming and would require re-training and re-tooling of employees.

Is promotion of open source technologies, rather than proprietary choices, sound public policy? Does the intellectual property regime, whether in individual countries or in a global sense, need to be adjusted to support open source technology development? What do local software developers have to gain from a legal and policy regime supportive of open source technologies?

D. Capabilities and Challenges Posed by the New Technologies

To understand the legal and political pressures that new technologies place on the intellectual property system, one needs to understand their unique capabilities. A few examples convey the scope and pace of technological progress and the problems that it poses:

A problem of identifying authorship
A group of authors using personal computers connected by a telephone network can collaborate in writing an article, a piece of software or a database. This work can exist in various forms, in different places and can be modified by anyone having access to the network. This networking technology provides new opportunities to combine talents, resources and knowledge. In such a world where there are many authors of one work, worldwide collaboration and ever-changing materials, how are intellectual property rights to be allocated or awarded?
A problem of identifying infringements and enforcing rights
The increased communications capacity (in terms of speed, bandwidth, and distance) made possible by fibre optic technology will allow computer users to rapidly transmit incredible amounts of information at a rate of 100 average-length pages in a second. These high-speed communications media, combined with large capacity optical disk storage technologies, will also pose enforcement problems for the intellectual property system. They allow individuals to trade vast quantities of copyrighted materials without the knowledge or permission of the copyright holders. With these technologies, the situation is no longer simply one of an individual trading or giving away a book to someone else; rather, it is one in which individuals can inexpensively and privately share the contents of an entire library.
A problem of private use
If a private citizen copies information – a film or record, for example – should this be considered an infringement of copyright? At present, the law gives little guidance in this area – nor, until recently, did it need to. Such private use was so limited it posed no threat to industry profits. Second, if it were decided that home copying infringed copyright, how could a ban against it be enforced? Since many people could be engaged in this kind of behaviour in the privacy of their own homes, their activities would be impossible to track.
A problem of derivative use
A major newspaper maintains its index on computer. A user of this index takes the information in it and analyses it for another client, giving him up-to-date, timely information that is precisely tailored to his needs. Using electronic technology, a research chemist can search all bibliographic data on a particular chemical in a matter of hours, instead of the weeks it once would have taken. An investor who must make a snap decision about whether to buy or sell can call up a constantly updated database and use the information to pursue his profits.

The new information technologies, which allow for this kind of customized information on demand, are creating a wide range of new opportunities to expand the variety, scope and sophistication of information-based products and services.

In fact, a whole new industry has developed to provide these services, and it is now one of the fastest growing sectors in the economy. As the opportunities to create derivative works increase and as this sector comes to play a larger role in the economy, questions arise about what kinds of information can legally be used to create secondary information products. Under existing intellectual property law, copyright holders have the right to benefit from all subsequent works based on their original works. If interpreted broadly, however, this approach may inhibit the production and use of secondary materials.

A problem of meeting educational goals
The intellectual property system was originally designed to enhance learning and the useful arts. This goal is more difficult to meet today because of the increasing market value of intellectual properties.

The technologies provide numerous opportunities for educational use. However, because software development is often expensive, it is in the interest of the developer to concentrate on products for customers who can pay the most – businesses, not schools. The schools then have the choice of doing without software, diverting money from other equally needed educational materials, or developing their own software, since they cannot legally copy copyrighted works. The copyright problem in this situation is simple: Copyright, designed as a policy tool to enhance learning, fails to meet its goal.

A problem of integrity
Assisted by the computer, a film maker can create scenes that were never actually filmed, or take existing images and place them in entirely new contexts. These capabilities open new avenues for creativity. But at the same time, they may be used to misrepresent a work or undermine its integrity. An unscrupulous artist, for example, might use technology to distort a well-known piece of art for his own purposes or profit without the knowledge of the original artist.

In this electronic environment, creators may become as concerned about the integrity of their works as they are about their profits. To be effective, intellectual property law may need to take into account the problem of artistic integrity, as well as that of financial rewards.

An international problem
All of the capabilities and problems that characterize domestic use of the new technologies are equally prominent – sometimes more so – when they are used internationally. Satellite technology permits global communication, but it also beams in programming that nations may not want. Satellites collect valuable agricultural and environmental information about the developing world. But once it has been analyzed by a commercial company and copyrighted, it may be priced too high for developing countries to afford. A nation near the United States is able to pick up and unscramble satellite programming that viewers want – and do so without paying the fee charged by the company. Domestic companies have no way to monitor use or enforce their copyright claims. These problems are exacerbated by considerable disagreement among nations about intellectual property issues.

E. Cross-border Cooperation and Harmonization

Different countries will have different approaches to the challenge of policymaking in the policy areas discussed above. Given the “borderless” nature of the Internet, conflicting rules and regulations will only serve to hamper and discourage participation in e-commerce, especially by SMEs.

The following cases provide vivid illustrations of the need for cross-border cooperation and harmonization of laws and rules.

Privacy and Data Protection.

India has been extremely successful in developing an outsourcing industry, from basic data entry processing to more sophisticated services such as customer call centres and financial services. Indian businesses have attracted a wide range of Western companies to relocate various business processes to the subcontinent. However, concerns have recently been voiced in the European Parliament about the vulnerability of personal data being transferred under such outsourcing arrangements. Some view outsourcing as a process that effectively circumvents European safeguards. As a consequence, Indian companies are now pressuring their government to take regulatory action to forestall any adverse reaction from Europe.

To give another example, Ms Mugure Mugo, founder of PrecissPatrol, a Kenyan outsourcing enterprise dealing with IT services, has already received requests from European-based clients specifically wanting to know her company’s policy on the collection and security of collected data. Ms Mugo recognizes that the fact that Kenya does not have specific data protection laws may constitute a barrier to the development of the country’s e-business.

Intellectual Property Law.

With annual revenues of more than US$1 billion, Adobe is the second-largest PC software company in the United States. In an effort to lead the market for software that enables the digital distribution of books, Adobe developed the Adobe Acrobat eBook Reader which was designed as a “trusted system”, offering publishers a spectrum of copyright protection options when encoding their content.

Meanwhile, founded in 1990 and headquartered in Moscow, ElcomSoft is a software company that "specializes in producing Windows productivity and utility applications for businesses and individuals". Among the many software products developed by ElcomSoft is the "Advanced eBook Processor (AEBPR)", which used to be available for download from their site (but seems to now have been removed). The program enables users to (a) disable the copyright protection controls deployed by book publishers using Adobe's software and (b) repackage their digital books in a variety of common formats without copyright controls.

Dmitry Sklyarov is a young programmer and cryptographer formerly employed by ElcomSoft who has been researching cryptanalysis in furtherance of a Ph.D. he hopes to earn from a Moscow university. He is allegedly responsible for much of ElcomSoft's AEBPR, most notably, the decryption algorithms it employs to circumvent Adobe's copyright protection controls.

[Sklyarov] was invited to give a presentation at the DEF CON conference in Las Vegas about the electronic security research work he has performed as part of his Ph.D. research. His presentation concerned the weaknesses in Adobe's eBook technology software. Dmitry was arrested at his hotel in Las Vegas, on 16 July [2001,] as he was leaving to return to Russia.

In its 28 August 2001 press release, the United States Department of Justice (DOJ) reported:

The United States Attorney's Office for the Northern District of California announced that Elcom Ltd. (also known as Elcomsoft Co. Ltd.) and Dmitry Sklyarov, 27, both of Moscow, Russia, were indicted today by a federal grand jury in San Jose, California on five counts of copyright violations.

The defendants were each indicted on one count of conspiracy to traffic in technology primarily designed to circumvent, and marketed for use in circumventing, technology that protects a right of a copyright owner, in violation of Title 18, United States Code, Section 371; two counts of trafficking in technology primarily designed to circumvent technology that protects a right of a copyright owner, in violation of Title 17, United States Code, Section 1201(b)(1)(A); and two counts of trafficking in technology marketed for use in circumventing technology that protects a right of a copyright owner, in violation of Title 17, United States Code, Section 1201(b)(1)(C).

Sklyarov's arrest prompted outcries of outrage from software developers, civil libertarians and all who generally oppose the Digital Millennium Copyright Act (for ideological or "practical" reasons). He faced a maximum fine of $2.25 million and up to 25 years imprisonment. Not surprisingly, the DOJ promptly reached an agreement with Sklyarov, under the terms of which they have agreed not to prosecute him personally if he assists in their (criminal) prosecution of ElcomSoft.

On 17 December 2002, a federal jury acquitted ElcomSoft of all criminal charges against it and Sklyarov was released subject to a plea agreement.

This case is highly fact-specific and unlikely to be repeated. But it demonstrates the power and reach of copyright-related laws outside the geographic boundaries of a given jurisdiction, especially when a country like the United States demonstrates a willingness to extend its competence beyond state and national boundaries to enforce its interpretation of intellectual property jurisprudence in other jurisdictions.

Cyber Crime.

Cyber crime presents one of the most complex and exigent circumstances for international cooperation. For example, an e-mail sent to a colleague across town may be routed via packet switching through China, Argentina and South Africa before reaching the recipient's inbox. Cyber criminals can intentionally "weave" their communications through several carriers and countries before attacking a network or system. Likewise, a cyber stalker can route his communication through several jurisdictions before reaching the victim. A child pornographer can hide his identity and route materials over networks of multiple countries before reaching the intended recipients. Someone can also commit a cyber crime against persons in several countries.

A cyber criminal does not have to leave his own home – or cross a national boundary – to commit an act in several countries around the globe. His communications may be routed through local phone companies, long distance carriers, Internet Service Providers and wireless and satellite networks and may go through computers located in several countries before attacking targeted systems around the globe. Evidence of the cyber crime may even be stored on a computer in a different country from where the criminal executed the act.

Law enforcement, however, is stopped at the borders of nation states and must go through proper legal channels to receive assistance in cyber crime investigations, which is often dependent upon the skill levels of law enforcement in that country. Assistance is also dependent upon that country's legal system. Foreign assistance may be needed even if the act is local. Frequently, communications may pass through several countries, requiring law enforcement to seek international assistance just to find out that the perpetrator is a local person.

Recent examples of the need for international cooperation and assistance include these:

While it is important for developing countries to have cyber crime laws in place, it is equally important that countries have the legal authority to assist foreign countries in an investigation, even if the country at issue has not suffered any damage itself and is merely the location of the intruder or a pass-through site. "Inadequate regimes for international legal assistance and extradition can therefore, in effect, shield criminals from law enforcement: criminals can go unpunished in one country, while they thwart the efforts of other countries to protect their citizens" (American Bar Association 2002).

To conclude, and to repeat, there is no one set of policies that will be correct or appropriate for every nation. Best practices and experiences in other countries will surely help, but such lessons should be taken in the context of your nations’ respective social, political and economic environments. Ultimately, nations will have to choose the mix of policies that can best balance competing interests and goals.