The Australian Government Information Management Office Archive
The content on this page and other AGIMO archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.
Doing Business Online with Government
3. Understanding the e-commerce environment
3.1 Improving your e-commerce skills
Using the Internet and email to conduct business is becoming increasingly widespread. However, one of the impediments holding some businesses back from adopting e-commerce is a lack of technical and management skills in Information and Communications Technology (ICT). At the very least, you will need to have a general understanding of the e-commerce environment if you are to be able to assess the opportunities e-commerce offers your business.
Fortunately, there is a wide variety of resources available to help you improve your e-commerce skills. What you will need to do is decide what skills you need, and then identify the appropriate resources to help you build those skills.
New Skills
The skills required for e-commerce vary according to the kind of business you are in, the role you will play in implementing e-commerce, and the e-commerce capability you wish to establish. The skills that may be required range from basic abilities, such as word processing and Internet navigation, to more complex capabilities such as designing and building websites and database management.
You may also be able to obtain skills from outside the business. Many organisations supplement their basic in-house e-commerce skills by engaging external service providers to cover the more complex activities.
Where to start
There is a range of resources to help you broaden your understanding of the e-commerce environment and develop your technical skills. These include online resources, books and magazines, seminars and training courses. Training courses range from low-cost, introductory courses available at most TAFEs, to University degree courses, and specialist qualifications provided by the private sector.
NOIE's website is a good place to begin. It has information about how to get started, as well as links to valuable information resources. You can visit the site at www.noie.gov.au/ebusiness.

National organisations, State and Territory governments, education institutions, and local communities offer a range of services and resources to assist businesses with e-commerce skills. Some useful resources include:
- General/National: AUSe.NET (Australian Electronic Business Network Limited) (TAFE/Other); Australian National Training Authority (Government); also listed: International Computer Driving Licence, Education Network Australia, Educate IT, IT&T Industry Training Advisory Body
- ACT: Canberra Institute of Technology (TAFE/Other); Canberra Connect (Government)
- NSW: TAFE NSW (TAFE/Other); ICT Skills (Government)
- NT: Northern Territory Education and Training Authority, www.nt.gov.au/nteta (TAFE/Other); Education Directory (Government)
- QLD: TAFE Queensland (TAFE/Other); ICT Skills and Training (Government)
- SA: TAFE South Australia (TAFE/Other); Information Economy Workforce Issues, www.iepo.sa.gov.au/iesa/issues (Government)
- TAS: TAFE Tasmania (TAFE/Other); Learning Together (Government)
- VIC: TAFE Courses Directory (TAFE/Other); Multimedia Victoria (Government); also listed: Victorian Education Channel
- WA: Central TAFE, http://yourcentral.tafe.wa.gov.au/CollegePortal/default.asp (TAFE/Other); E-commerce centre, www.ecommercecentre.online.wa.gov.au/main/index.htm (Government)
IT Skills Hub
Another valuable online resource is the IT Skills Hub. The Hub was established with financial support from NOIE and the then Department of Education, Training and Youth Affairs. It provides links to IT jobs, training and education opportunities as well as online discussion forums. It is a rich source of information on issues, trends, courses, events and other matters related to skills in IT, and includes a specialist section for small businesses with links to relevant articles and resources. You can visit the site at www.itskillshub.com.au.
3.2 Security issues
All forms of trading are vulnerable to threats of tampering or theft and transacting in the online environment is no different. By its nature the Internet is insecure. It is made up of a large number of networks, and information travels along a multitude of pathways, which makes it vulnerable to unauthorised access. However, there are things you can do to make your e-commerce dealings more secure and reliable than paper-based transactions.
Threats to the online environment include random malicious attacks of vandalism by computer hackers, as well as fraudulent activity, such as intercepting and/or misusing personal or financial information. In addition, you may need to establish the true identity of your trading partners without the normal assurance of face-to-face dealings or paper-based signatures. You also need to ensure that information exchanged online is kept confidential between transacting partners. In addition, recent privacy legislation means that organisations, including businesses, are obliged to take reasonable steps to protect the personal information they hold from misuse, disclosure, modification and loss.
But you can protect your online environment. You can ensure that you have sound procedures for using the Internet. A wide range of software is also available to help you secure your computer systems and transactions on the Internet, and authenticate the identity of your trading partners. This section provides a general overview of issues and technologies relating to security and authentication.
Security refers to ensuring the confidentiality, integrity, access and availability of data during its transmission and its storage in all formats.
Authentication is the solution to the need for certainty in the identity of the other party to a transaction.
If you are interested in using particular technologies to trade with your customers in Commonwealth agencies, you should check that their security environment allows them to be used.
Identifying and managing risks in the online environment
Regardless of the size of your business or your involvement in e-commerce, there are things you can do to make your use of the Internet more secure. One of the first things to do is undertake a risk assessment. This need not be a complicated exercise as long as you address the major issues, taking into account how you use or plan to use the Internet. Consider the types of transactions conducted, and identify the associated risks. These could include fraud, impersonation and theft. You should then assess the magnitude of these risks, focussing on the potential for damage to your business and the likelihood that the threats will occur. Finally, you will need to identify how to manage these risks, that is, the specific measures you take to protect against them.
The risk management measures you take will depend on how you plan to use the Internet. If you are using the Internet to send and receive email and access information only, the measures you take may be more basic. They could include:
- installing protective anti-virus and personal firewall software
- ensuring that you keep the software up to date by installing software 'patches'
- using passwords that cannot be easily guessed, with a combination of letters, numbers and symbols
- exercising caution when opening attachments to email.
The table at the end of this section describes some threats to Internet security, and what you can do to protect against them.
If you are implementing more advanced e-commerce capabilities, such as an online catalogue with transaction facilities, you will need to take more sophisticated protective measures. You may need to develop a formal IT security policy for your operations and have a response plan for computer security incidents. Some organisations choose to outsource their security arrangements to specialist service providers.
Using authentication/security technologies to protect your business
If you are implementing an advanced e-commerce capability, you will need to consider arrangements for authenticating your trading partners and securing your transactions. Many different types of technology can help you do this, some of which you will already be familiar with. The most common kind, which almost everyone uses, is a plastic card and Personal Identification Number (PIN) to access funds in a bank account.
Broadly speaking, authentication relies on one or more of the following:
- Something you know (such as a Password or PIN)
- Something you have (such as a smart card or a hardware token)
- Something you are (such as a fingerprint or iris scan).
It is important to note that authentication is not the same as security. Authentication must operate in conjunction with an organisation's overall security framework 12.

The above diagram 13 illustrates a hierarchy of authentication technologies. The level of protection provided increases as you move up the pyramid, but so does the complexity and expense. The table below describes the main authentication methods 14.
Technology | How it works | Pros | Cons
Password authentication | Matches user name and password to restrict access and authenticate identity. | Inexpensive. Well understood by users. | Can be compromised by users. Does not authenticate data. Often transmitted insecurely
SSL | Creates a secure connection between Internet application and user. | Widely supported in | Customers cannot choose when it is used. Relies on passwords for initial access.
PGP | Uses public key cryptography; keys can be generated and authenticated by individual users. | Keys provide higher levels of authentication. Supported by many software packages. Cannot be easily changed. | Private keys can be compromised. Public keys required to send information.
PKI | Uses public key cryptography; keys are generated by certificate | Keys provide higher levels of authentication. | Issuing certificates can be costly. Businesses may require multiple certificates. Private keys can be compromised. Public keys required to send information.
VPNs | Create encrypted 'tunnels' between corporate networks and Internet. | Gives easy access to remote users. Can provide sophisticated access controls. | Expensive to implement. Does not support transactions with consumers.
Gatekeeper is the Commonwealth Government's strategy for using Public Key Infrastructure (PKI). It includes an accreditation scheme for providers of Digital Signature Certificates. Gatekeeper ensures that communications between Australian businesses and Government agencies, such as the ATO and the Health Insurance Commission, can be secured to a high level. More information about the Gatekeeper strategy is available at http://www.noie.gov.au/trust/securing/gatekeeper
Internet security threats and counter-measures
The table below outlines some of the more prominent Internet security threats and what can be done to protect against them.
Threat | What it does | How to guard against it
Virus | A virus is a piece of code that, when loaded onto a computer, is capable of attaching itself to other files and repeatedly replicating itself, usually without user knowledge. Some viruses can lie dormant until activated by a trigger such as a date (for example, 'time-bomb'). | Anti-Virus software protects against infection. You can also subscribe to a Virus Alert mailing list (for example, AusCERT, www.auscert.org.au). Exercise caution with unsolicited emails, especially if they have attachments. When in doubt, delete. Avoid having the preview pane open when using email.
Worm | A worm is a specialised type of virus. The most common form, an email macro virus, occurs as an attachment to an email. Opening the email message activates the worm, which then sends itself to every address in your address book. | Most Anti-Virus software will stop worms or help fix the computer after infection. Exercise other precautionary measures as for viruses generally.
Trojan Horse | A Trojan Horse is another type of virus, which carries unauthorised software or viruses to your computer. Some free software, shareware or games downloaded from the Internet may contain Trojan Horse viruses. Be cautious of accepting email attachments, especially executable files ending with '.exe'. | Most Anti-Virus software will stop Trojan Horse viruses or help fix the computer after infection. Exercise other precautionary measures as for viruses generally.
Denial of Service (DoS) attack | DoS attacks can render Internet-connected computers and networks unusable, mainly by overloading computers with messages. DoS attacks are popular with hackers and can deny users access to a website. | Anti-DoS attack software programs are available to assist in securing networks.
Port Scanning | Port scanning identifies 'open doors' to a computer (vulnerabilities which may provide a point of access by hackers). A computer's port is scanned because this is the place where information travels to and from the computer. Port scanning can unnecessarily increase your Internet usage and associated costs by increasing the amount of data transmitted to and from your computer. | Firewalls (specific network servers and/or routers that filter out unwanted packets of data) can protect computers and servers from port scanning. Firewalls can be used to protect individual PCs as well as networks of computers.
Sniffer Program | Sniffer software programs track data travelling over the Internet or other networks. They can be used legitimately for network management purposes, however they can also be used to steal unsecured data and information (including sensitive information such as passwords). | Ensure that no unauthorised equipment is connected to computers or the network. Use encryption to protect sensitive communications across a network.
Dumping | Internet Dumping occurs when a person logged on to the Internet has their modem connection to their usual dial-up number disconnected and reconnected to another number - either an international number or a 1900 (premium rate) number. In many cases people are not aware that they have been dumped until they receive an unusually high phone bill as a result of the modem's re-connection. | To prevent dumping place a bar on all calls starting with 1900 on phone services and exercise caution in downloading and installing software from sites you do not trust. Complaints can be lodged with the Telecommunications Industry Ombudsman at www.tio.com.au.
Note: Apart from inherent system vulnerabilities, these threats are usually transmitted by some or all of the following: an email attachment; downloading an infected program from another website; a floppy disk or CD.
Further information
More information about security issues and how to secure your online business is available on the electronic security section of the NOIE website at http://www.noie.gov.au/trust/protecting, and in Trusting the Internet, which is available on the NOIE website.
3.3 Legal issues
It is only since the mid-90s that the Internet has been used extensively for commercial transactions. Other forms of electronic trading, such as electronic data interchange (EDI), had been employed for decades previously, but usually only by relatively small numbers of users, and within particular industries. The fact that the use of the Internet for business transactions was a relatively recent phenomenon created uncertainty in the minds of many about the legal standing of these transactions.
It could be assumed that, in general, laws that applied to paper-based transactions would also apply to electronic transactions. For example, it would still be necessary to comply with laws regarding defamation and intellectual property when publishing on the Internet. But it was unclear exactly how the courts would interpret and apply existing laws to electronic transactions. This made some hesitant to trade in the online environment, and was an impediment to broader adoption of e-commerce.
To promote community and business confidence in the online environment, the Commonwealth, State and Territory governments agreed to establish a light-handed, technology-neutral legal framework to support the use of e-commerce. Most governments have implemented or are implementing legislation dealing with the legal status of electronic transactions. While a comprehensive body of e-commerce law will only develop as specific cases are decided in the courts, this legislation sets the framework for electronic transactions.
The Electronic Transactions Act 1999 (the ETA)
The Federal Government's ETA is an important part of the legal framework for e-commerce in Australia. In general, the ETA removes existing legal impediments that may prevent a person using electronic communications to satisfy obligations under Commonwealth law. The ETA generally gives business and the community the option of using electronic communications when dealing with Government agencies. It establishes the basic rule that, for the purposes of a law of the Commonwealth, a transaction is not invalid simply because it took place by means of an electronic communication.
Specifically, four types of requirements under a law of the Commonwealth can now be satisfied using electronic communications. These are the requirements to:
- give information in writing
- provide a signature
- produce a document
- retain or record information.
Under the ETA, electronic transactions satisfying these requirements have the same legal status as equivalent paper-based transactions. But while the ETA enables members of the public and business to transact electronically under Commonwealth law, they are not compelled to do so, and must consent to receiving electronic communication from the Government. At the same time, the ETA allows Government agencies to specify particular technology requirements for electronic transactions, including electronic signatures, to ensure that the transactions take place in an appropriate way. For further information about the ETA, see http://law.gov.au/publications/ecommerce/Welcome.html.
Complementary State and Territory Legislation
The Commonwealth Government's ETA applies only to transactions under Commonwealth laws. In order to establish a consistent framework across all jurisdictions, the States and Territories agreed to enact corresponding legislation dealing with transactions in their own jurisdictions. This legislation is based on a Uniform Electronic Transactions Bill which is similar to the Commonwealth ETA. This legislative framework now provides for a national approach to electronic transactions, which is essential to the success of e-commerce in Australia. Most States and Territories have now enacted the uniform legislation.
Electronic contracts
The complementary State and Territory legislation is particularly important from the point of view of contract law, which is primarily a State/Territory responsibility. There is no general rule in Australian law that requires contracts to be in writing. However, written evidence of a contract may be required in some circumstances through the operation of legislation, usually State and Territory legislation, such as legislation giving effect to the Consumer Credit Code.
Like the Commonwealth's ETA, the complementary State and Territory legislation establishes the basic rule that a transaction will not be invalid or unenforceable simply because it took place by means of an electronic communication. Enactment of the uniform legislation means that, for the first time in Australia, the law makes absolutely clear the general principle that a person can enter into contracts electronically.
It is likely that the current contract law principles will apply in an online environment. For example, the common law of contract formation and the various statutory protections against pressured negotiations or unconscionable contracts continue to apply in judging whether in particular cases contract terms and conditions are enforceable or, for example, have been adequately brought to the attention of the consumer or business.
Other relevant legal issues
There are many other legal issues to consider when moving to e-commerce. This section is not intended to be a comprehensive legal guide or to cover all these issues. It would be prudent to seek separate legal advice on issues specific to your business. You may choose to conduct a 'legal risk analysis', considering the potential and actual legal risks and opportunities represented by the online environment, in the context of the Australian legal framework.
It is important to remember that liability can arise in relation to both the provision of services and in disseminating information in the online environment, for example by:
- breach of specific Australian law, including anti-discrimination, privacy, defamation and intellectual property laws
- misleading and deceptive conduct (for example, Trade Practices Act 1974)
- ineffective or inappropriate authentication mechanisms
- security failure and breaches.
The table below outlines some relevant legal issues you should consider when transacting business electronically.
Issue | Description
Privacy Act 1988 | The Act applies to Commonwealth and ACT government agencies, with only limited application to the private sector in respect of tax file numbers and the credit reporting industry. Government agencies must comply with certain guidelines for online privacy, and a comprehensive privacy policy or statement must be displayed on government websites (see www.privacy.gov.au/act/index.html).
Privacy Amendment (Private Sector) Act 2000 | Since December 2001, privacy legislation has applied to most private sector organisations as well, with all health service providers, and all organisations with an annual turnover of more than $3 million now subject to privacy standards when handling personal information. These organisations, and those others which do not comply with exemption criteria, must comply with ten National Privacy Principles (NPPs) that regulate the way many private sector organisations collect, use, keep secure and disclose personal information. There are special provisions directed at outsourcing government services to ensure that contracting agencies include privacy clauses in their contracts. Refer to the Privacy Commissioner's National Principles for the Fair Handling of Personal Information and the associated Guidelines (see www.privacy.gov.au/government/guidelines/index.html and www.privacy.gov.au/publications).
Trade Practices Act 1974 and Australian Securities and Investments Commission Act 1989 and State and Territory Fair Trading legislation | This legislation requires that businesses do not engage in conduct that is deceptive or misleading, or make false or misleading representations about the goods or services they supply. The Corporations Act 2001 provides for offences for false or misleading statements that are likely to induce persons to buy or sell financial products. Some of the legal issues relevant to doing business electronically are discussed in Building Consumer Sovereignty in Electronic Commerce: A best practice model for business (see www.ecommerce.treasury.gov.au/html/ecommerce.htm).
Disability Discrimination Act 1992 | This Act requires businesses to make reasonable adjustment in the provision of goods and services to ensure that they are accessible to people with a disability. Refer to Access to electronic commerce and new information and service technologies for older Australians and people with a disability, and Working paper for e-commerce reference: web accessibility (see www.hreoc.gov.au/disability_rights and www.austlii.edu.au/au/legis/cth/consol_act/dda1992264).
Cybercrime Act 2001 | The Act covers computer crimes such as hacking, denial of service (DoS) attacks, spreading computer viruses and website vandalism. It also covers the unauthorised use of a computer with intent to commit a serious offence such as fraud or sabotage. The new Act gives police greater investigative powers with regard to searching computer equipment and compelling assistance from computer owners (see http://scaletext.law.gov.au/html/comact/11/6458/top.htm).
Copyright Act 1968 | Copyright is designed to give authors control over their original work (such as reproducing or publishing the material). Copyright protects a range of material found in the online environment, for example written material, graphics, artworks, film and/or sound. Those wanting to use material must seek permission from the copyright owner (exceptions include for research or study). Ownership of copyright should be considered when negotiating contracts (for example, for website development by external providers). In Australia, copyright protection is automatic and the copyright symbol (©) does not have to be used (this is not always the case for other countries). Refer to Copyright Law in Australia: A short guide at www.law.gov.au/publications/copyrightlawaust/index.html
Intellectual Property | With the exception of copyright and circuit layout rights (that is, 3-dimensional configuration of electronic circuits), which are automatic, obtaining legal rights of ownership requires formal registration (for example, patent, trademarks and/or designs). Registering your Intellectual Property (IP) rights in Australia does not provide international protection (see www.ipaustralia.gov.au).
Use of a disclaimer | Use of a disclaimer limits your risk and liability. A disclaimer may refer to information on your site, linked sites and/or contract material. It should be in a prominent position and clearly visible to others. You should obtain legal advice when drafting a disclaimer and designing its availability and appearance on a web page.
Footnotes
12 Information about authentication issues is available in the NOIE guide, Online Authentication: A Guide for Government Managers, available on the NOIE website.
13 This diagram is from the NOIE guide, Trusting the Internet, available on the NOIE website.
14 This table is from the NOIE guide, Trusting the Internet, available on the NOIE website.
