General TTCS comments on the Draft "National Policy on Electronic Transactions" v1.0
at http://www.fastforward.tt/files/cms/ElectronicTransactionsPolicy.pdf
--------------------------------------------------------------------

Below are the Trinidad and Tobago Computer Society's comments on the aforementioned draft policy. Additional issues raised at a recent Fastforward (www.fastforward.tt) open forum on December 2nd, 2004 are also listed.

Dev Anand Teelucksingh
Trinidad and Tobago Computer Society at http://www.ttcsweb.org/
"networking local computer users!"

*****************************************************************************

Terms used in this document:

GOTT: Government of the Republic of Trinidad and Tobago.
MPAI: Ministry of Public Administration and Information.
NPET: National Policy on Electronic Transactions
"the Policy": National Policy on Electronic Transactions

General comments:

---------------------------------------------------------------------------
* (Reference : 2.0 Purpose, Page 2)
  - the Bermuda Model
  - the UNCITRAL Model Law on Electronic Commerce (Parts II and III)
---------------------------------------------------------------------------

The draft policy refers to and builds upon these models, yet the references (title and date of these documents) are not listed.

---------------------------------------------------------------------------
* (Reference : 3.21 Delivery, page 56-7)
---------------------------------------------------------------------------

Should a mechanism to acknowledge receipt be made mandatory through law?
Should a mechanism to acknowledge receipt be voluntary?
What redress does the end user have if the user acknowledges receipt yet a record of such acknowledgement cannot be found?

---------------------------------------------------------------------------
* 3.5 Principle 5: Original Form
---------------------------------------------------------------------------

Possible problem: electronic data formats change rapidly, hardware becomes outdated, and storage media becomes outdated and corrupted, e.g. data will be lost as magnetic media ages. The life span of recordable optical media (CD-R and DVD-R) is unknown. Properly stored paper may still be better at retaining long-term data than electronic formats.

Informative news articles on the perils of digital preservation describe the BBC Domesday Project, a digital archive of British life in the 1980s. The data was nearly lost just 16 years later, in 2001.

http://news.bbc.co.uk/1/hi/technology/2534391.stm
http://observer.guardian.co.uk/uk_news/story/0%2C6903%2C661093%2C00.html

What redress does the end user have if the data is lost due to corruption or obsolescence of the hardware and media used to store the data?

---------------------------------------------------------------------------
* 3.7 Principle 7: Retention of Electronic Records.
[(a) the electronic record is accessible and is capable of retention for subsequent reference]
[(b) the electronic record is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received;]
---------------------------------------------------------------------------

Refer to the comments made about Principle 5: Original Form.

This cannot be guaranteed for electronic documents, due to hardware obsolescence and data corruption with age. Paper has similar problems, but they are not as severe.

---------------------------------------------------------------------------
* 3.10 Principle 10:
[An electronic record is attributable to a person if the electronic record resulted from the action of the person, acting in person, by his agent, or by his electronic agent device.]
---------------------------------------------------------------------------

Possible problem: suppose the "electronic agent device" is infected with a virus and, unknown to the owner, generates fraudulent electronic records or fraudulent acknowledgement receipts. What is the legal liability of the device owner in such a situation?

What redress does the end user have if victimised by fraudulent electronic records and/or fraudulent acknowledgement receipts generated in such a manner?

---------------------------------------------------------------------------
* 3.11.4
[Where the originator receives the addressee's acknowledgement of receipt, it is presumed that the related electronic record was received by the addressee, but that presumption does not imply that the electronic record corresponds to the message received.]
---------------------------------------------------------------------------

This has legal implications if not phrased properly. The record received by the addressee may not be the same record sent by the originator because it was corrupted during transmission. How can the addressee be held legally liable (according to the policy/law) in such a circumstance?

Clause 3.11.6 states: "this section is not intended to deal with the legal consequences that may flow either from that electronic record or from the acknowledgement of its receipt." But there must be some legal provision to address this issue.

---------------------------------------------------------------------------
- 3.14 Principle 14:
[The provision of certification services for electronic signatures is not subject to prior authorization however a certification service provider can apply to Government to provide accredited certificates.]
---------------------------------------------------------------------------

What does this mean? On one hand, provision of certificates does not require "prior authorization", yet on the other hand, "a certification service provider can apply to Government to provide accredited certificates".

Is the GOTT accrediting providers?
Do such providers require licences?
Who really validates the authenticity of a certificate provider?
What redress does the end user have if the certificate provider is a fraud, or is acting in a manner so as to jeopardise the integrity of the electronic record?

---------------------------------------------------------------------------
- 3.16 Principle 16: Encryption
[Regulations shall be developed respecting the use, import and export of encryption programs or other encryption products and prohibiting the export of encryption programs or other encryption products from this jurisdiction generally or subject to such restrictions as may be prescribed.]
---------------------------------------------------------------------------

Why? No one produces any encryption programs in this country, therefore there is no "industry" to protect. Is this a case of international pressure to have such regulations?

The regulations MUST avoid restricting the use of encryption, because such limits can jeopardise the integrity and security of the records that this policy seeks to support. Remember: if you outlaw encryption, then only the outlaws will have encryption.

---------------------------------------------------------------------------
- 3.17.2
[Nothing in this section relieves an intermediary from complying with any court order, injunction, writ, Ministerial direction, regulatory requirement, or contractual obligation in respect of an electronic record.]
---------------------------------------------------------------------------

Why is the term "Ministerial direction" in this section? Are government ministers now laws unto themselves? Why would a government minister want to commit such a gross violation of the law (and of data privacy as advocated in the data privacy policy) by interfering in a protected transaction?

The term "Ministerial direction" should be removed immediately due to the potential for encouraging corruption.

---------------------------------------------------------------------------
- 3.18 Principle 18:
[There shall be an Advisory Board whose functions will be to provide advice to Government on matters connected with the discharge this policy.]
---------------------------------------------------------------------------

Who will be on this board?
What are the qualifications for being on this board?
How will the members of the board be selected?
What protection does the general public have from persons on this board abusing their position?

---------------------------------------------------------------------

Additional issues raised at a recent Fastforward open forum on December 2nd, 2004 for the Draft National Policy on Electronic Transactions:

- The Draft National Policy on Electronic Transactions as drafted does not state the core principles on which the policy is based; a purpose of the policy is stated and principles to satisfy that purpose are described.