Amit YORAN <firstname.lastname@example.org>
Riptech Security Consulting Group
This paper suggests a method for evolving legal standards for liability arising from electronic commerce (EC) transactions. For EC to flourish as a viable alternative to traditional commercial transactions, each party to an online transaction must determine what, if any, liability is associated with a given transaction. According to an Office of Technology Assessment study entitled Information Security and Privacy in Networked Environments, "Legal standards for electronic commercial transactions have not been fully developed and have undergone little review by the courts." The development of legal standards is based upon the principle of due care. "Due care" is that which an ordinarily prudent person would have exercised under the same or similar circumstances in a standard commercial transaction.
The paper seeks to identify the "due care" required by a given action in an electronic transaction based upon risk associated with that role. It provides a framework for the development of legal standards that are based on the principles of risk analysis, which are well known to computer professionals. Development of such standards will promote the growth of EC because parties to these transactions will be able to assess their exposure to liability based upon "real-world" factors, as opposed to arbitrarily imposed judicial standards.
The paper will analyze an electronic transaction within the framework of role-based risk analysis (RBRA) as a model for the development of legal standards. The RBRA model (which was first presented at the 1997 National Information Systems Security Conference) is a risk analysis model that refines traditional risk analysis to account for the multiplicity of parties involved in networked environments such as EC.
The paper will use RBRA as a basis for analyzing potential liabilities for the use and transmission of digital signatures to authenticate an online transaction. Although this is only one part of the EC transaction, it will be used in this paper to clarify how such analyses will benefit all parties involved.
The parties or actors involved in this transaction are 1) customer, 2) merchant, 3) acquiring bank, 4) settlement bank, 5) third-party software vendor (e.g., Verisign), and 6) Internet service provider. Each of these participants plays a role in ensuring that the digital signature can be used to verify a transaction and meet the legal requirements that a transaction be authentic, verifiable, and unable to be repudiated. Consequently, each actor may be subject to liability for failure to do so. The paper analyzes each actor's risk using RBRA and suggests liability guidelines based upon the predictability of such risk. The establishment of these guidelines will enable all parties to an EC transaction to better understand their roles, responsibilities, and risk and allow them to make an informed decision to engage in an electronic commercial transaction.
The remainder of the paper will examine the impact of statutes such as the Uniformed Commercial Code on our analysis.
Both risk analysis and principles of due care need further development. Neither approach is necessarily always appropriate and therefore neither is always sufficient to provide a strong defense against liability in the case of monetary loss related to loss, theft, or exposure of networked information. A combination of the two approaches will likely provide improved protection. 
This paper seeks to combine risk analysis and due care principles, as proposed in the Office of Technology Assessment (OTA) report in order to suggest a methodology for developing legal standards for liability arising from electronic commerce transactions. For electronic commerce to flourish as a viable alternative to traditional commercial transactions, each party to an online transaction must determine what, if any, liability is associated with a given transaction. According to an OTA study entitled, Information Security and Privacy in Networked Environments, "Legal standards for electronic commercial transactions have not been fully developed and have undergone little review by the courts." The development of legal standards is based on the principle of due care. Due care has been defined as "Just, proper, and sufficient care, so far as the circumstances demand it; the absence of negligence. That care which an ordinarily prudent person would have exercised under the same or similar circumstances." 
This suggests a framework for the development of legal standards that are based on a synergy of the principles of risk analysis, which are well known to computer professionals and the due care standard required by the law. Development of such standards will promote the growth of electronic commerce because parties to these transactions will be able to assess their exposure to liability based on "real world" factors, as opposed to arbitrarily imposed judicial standards.
The paper will analyze an electronic transaction within the framework of role-based risk analysis (RBRA) as a model for the development of legal standards. The RBRA model (which was first presented at the 1997 National Information Systems Security Conference) is a risk analysis model that refines traditional risk analysis to account for the multiplicity of parties involved in networked environments, such as electronic commerce.
Risk analysis is the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. Risk analysis is a part of risk management.
One method of managing risk is to apply a well-known risk analysis (RA) model to determine a cost-effective and efficient method of reducing risk. Traditional risk analysis methodologies have existed for many years.  Traditional RA is conducted using the following methodology:
In scenarios where information and responsibilities are distributed among different entities, a role-based methodology is more intuitive and lends itself toward a more accurate depiction of the process. This model enables the actors to more easily and efficiently address the different responsibilities, threats, and countermeasures for each role as required. Standard risk analysis methods are not capable of accurately modeling the modern distributed business process, whereas the RBRA model provides greater comprehension and a clearer depiction of the scenario.
Risk analysis for electronic commerce must allow parties to ensure that vulnerabilities are detected and mitigated, but also that the other questions that are basic to the success of any commercial transaction are addressed. One of the most important is the attribution of legal and therefore fiscal liabilities.
Role-based risk analysis is well suited to electronic commerce because its focus is on actors who impact electronic commerce transactions, as opposed to traditional risk analysis, which only examines the system involved in electronic commerce. Because RBRA focuses on actors with an electronic commerce system, it has natural congruity with the principles of due care.
There are many payment technologies currently available and in use on the Internet. All of these technologies facilitate the same electronic commerce transaction scenario:
A consumer accesses a merchant site using his browser over the Internet. Then when a consumer makes a purchase, a number value will be assigned (+1 to +4) based on the likelihood of exploitation. The higher the likelihood that a vulnerability will be exploited, the greater the duty of care will be imputed. Conversely, the more expensive or difficult a potential defense or fix is, a value (-1 to -4) will be assigned. This rough calculus will determine the "duty of care" required by measuring likelihood of exploitation against the cost/expense or remediation.
Perhaps the best way to convey the need for role-based risk analysis is to provide several scenarios where the security of a system is breached and damages occur. Consider a scenario where a vendor has set up an electronic commerce site on the Internet and is accepting online transactions posted via a Web site using Secure Sockets Layer (SSL). As designed, and under normal circumstances, the controls implemented were deemed to be and are in fact adequate commensurate with the transaction taking place. In our scenario, an electronic commerce vendor is using a Microsoft Internet Information Server Web site, with a digital certificate signed by Verisign. A consumer connects to the site via a Netscape Web browser and after seeing a message that a "secure connection" had been established, purchases goods from the site. There are obviously many places where the electronic commerce transaction process can break down. Consider the following examples to be a small subset of where the attribution of negligence can be made:
This example clearly illustrates where multiple actors within the electronic commerce transaction process can be effected.
|Actor||Risk Level||Potential Defenses||Explanation|
|Consumer||Low (+1)||-4||As information security is a difficult and illusive goal, consumer actors can demonstrate that they were acting reasonably prudent in almost all cases.|
|Merchant||Medium-High (+2.5)||-1||In cases where a security breach occurs, merchant actors must be able to prove that they acted with due diligence and reasonable care. Bercause merchants develop and maintain the framework for the transaction, they can ultimately increase the protection it is capable of maintaining. However, this burden may be mitigated if a merchant outsources its electronic commerce application to a third-party vendor.|
|ISP||Low (+1)||-3||It is unlikely that ISPs will be held accountable for breaches in electronic commerce security, unless they explicitly advertise or make some warranty claiming security. In most cases, ISPs merely act as transport or service providers. However, ISPs are vulnerable to attack and therefore must take preventive measures.|
|Third-Party Software||High (+4)||-1||With the prevalence of programming bugs in software, developers and vendors will likely face scenarios where identifiable mistakes in coding or implementation allowed a security breach to occur. There are countermeasures and quality control checks that can be employed to increase the overall security of the end products.|
The RBRA analysis of a given situation allows for application of the legal doctrine of negligence. First, the defendant must have owed the plaintiff a duty of care to exercise ordinary or reasonable care in performing a role or providing a product in the electronic commerce model. Second, the defendant must have breached that duty. Third, that breach must be the proximate cause of injury to the plaintiff that resulted in economic harm or damages.
"Duty of care" and "breach of duty" are legal terms of art. They are an expression of what an actor ought to do in a given circumstance. It has been pointed out that in the negligence context, the traditional risk utility formula is applied to determine whether the cost of a precaution is warranted. Therefore, an actor would have a duty to take a precaution if the cost of a potential precaution is less than that of the potential harm multiplied by the gravity of its potential injuries.  If an actor fails to prevent a potential harm that is very foreseeable (the risk level is high) and the cost of a potential defense is lower, then the actor would be deemed to have breached his duty. If this calculus is applied to an example of potential risk outlined earlier, the application of the negligence doctrine becomes possible.
In the first example given, there is a bug in the Web server software that results in weak encryption. If RBRA is applied to this scenario, the following determinations may be made:
The ultimate goal of developing this area of law and risk analysis is to promote the growth of electronic commerce. The optimal standard of due care should be one that increases use of electronic commerce and distributes risk in a fashion that will also promote this goal. In the example presented above, the third party software vendor is the actor in the electronic commerce model that can do this. In general, the facilitators will be able to bear the majority of the risks for liability in electronic commerce. Facilitators are commercial entities with the resources to undertake the mitigation of the potential harm arising from electronic commerce transactions. In addition, facilitators will be receive a direct economic benefit from electronic commerce. In contrast, trans-actors are individual consumers and small businesses doing business online. Liability for these actors should be limited relative to facilitators.
According to the Clinton administration's 1997 report on electronic commerce, A Framework for Global Electronic Commerce,
Private enterprise and free markets have typically flourished ... where there are predictable and widely accepted legal environments supporting commercial transactions.... Fully informed buyers and sellers could voluntarily agree to form a contract subject to this uniform legal framework, just as parties currently choose the body of law that will be used to interpret their contract. 
At this time however, no such universally accepted legal regime exists for assigning risks associated with electronic transactions. In the meantime, issues relating to liability will be decided by courts, applying legal constructs such as the negligence doctrine. Hopefully, courts will use tools such as role-based risk analysis in order to develop case law that encourages electronic commerce.
 U.S. Congress, Office for Technology Assessment, Information Security and Privacy in Networked Environments, Government Printing Office, September 1994.
 Henry C. Black, M.A., Black's Law Dictionary, West Publishing, 1979.
 Hoffman, Lance J. Risk Analysis and Computer Security: Bridging the cultural gaps, Presented at the 9th National Computer Security Conference, National Bureau of Standards, Gaithersburg, MD, September 1986.
 Commercial Law of Internet Security, Vol 10:2 High Tech Law Journal (1995).
 A Framework For Global Electronic Commerce, http://www.ecommerce.gov/framewrk.htm.