Memorandum by The National Computing Centre Limited
SUMMARY
The National Computing Centre[88] offers the following responses
to the House of Lords inquiry: e-Commerce: Policy Development and
Co-ordination in the EU.
What needs to be done to create confidence and
to stimulate e-commerce?
An approach which recognises the virtuous circle
which will be created by involving all stakeholders. We must be
cautious of concentrating the focus on trust service providers
alone.
Will codes of conduct and co-regulation provide
sufficient protection? Is there a case for intervention by national
governments and the EU?
The business and legal community are making
considerable steps in creating the e-commerce framework. They
require national and EU government to intervene to create, modify,
or repeal laws which do not support the cross-border opportunities
offered by e-commerce.
Should existing EU institutions' internal structures
be changed, or new ones created to improve policy development
and co-ordination?
e-Commerce is a conglomerate of existing information
technology, business and communal opportunities. Existing institutions
should be strengthened to support and grow the infrastructure.
How can structural change be brought about fast
enough to accommodate to the growth of e-commerce?
Revolutionary change should be avoided. e-Commerce
has been used by many organisations for many years and it is to
these organisations we should turn for the case studies and lessons
learnt from which policies for change may be derived.
INDEX
1. Preface
2. Trust in e-commerce
3. An Overview of the Proposed Scheme
3.1 Under Development
4. Consumers
4.1 What the Consumers Want
5. Suppliers
5.1 Who's Who?
5.2 Marks out of five
6. Trust Service Providers
6.1 Trust in TSP
7. Awarding Authorities
7.1 The CAFE Model
8. Regulatory Authority
8.1 Will We Need One?
9. Weltanschauung
10. Summary
10.1 Advantages from the CAFE Scheme
11. Conclusions
PREFACE
This paper specifically addresses the following questions
posed by the House of Lords inquiry:
E-COMMERCE: POLICY DEVELOPMENT AND CO-ORDINATION IN THE EU
(1) What needs to be done to create confidence and to
stimulate e-commerce?
(3) Will codes of conduct and co-regulation provide sufficient
protection? Is there a case for intervention by national governments
and the EU?
(5) Should existing EU institutions' internal structures
be changed, or new ones created, to improve policy development
and co-ordination?
(6) How can structural change be brought about fast enough
to accommodate to the growth of e-commerce?
It regards e-commerce as being built on the following foundations:

1. INTRODUCTION
The National Computing Centre Limited (NCC) was established
in 1966. NCC is a membership organisation, a company limited by
guarantee and an independent research and technology organisation.
NCC's activities concentrate on supporting and developing research
programmes, which generate new knowledge on the effective use
of IT and provide a cost-effective gateway to knowledge, participation,
and services for its member companies. Supporting activities include
the development, supply and support of data management software.
NCC has no shareholders and all profits are reinvested to
promote the more effective use of Information Technology.
NCC's primary products are knowledge, skill and experience.
NCC's membership services provide products and services to NCC
members that seek to meet their needs for timely, comprehensible
and reliable information on current and emerging issues relating
to the use of IT to support business and organisational requirements.
As champions of the user, the National Computing Centre is
concerned that despite proposed levels of excellence, the focus
of e-commerce policy is biased towards the supplier community
and within this, concentrated on the Trust Service Providers.
2. TRUST IN E-COMMERCE
Trade information, goods, or money with someone you don't
know? It's hard enough to do this when you know that you can stroll
into their shop, office or factory to discuss terms or possibly
iron out a problem. What if their premises are in the next town,
another European country, or on the other side of the world? How
can you be sure that they have registered premises at all?
The designs in this paper will not guarantee the total elimination
of all risks, but they can reduce the risk of danger to an organisation
and individuals from fraud, negligence, or even just common human
error. It can underpin any emerging e-commerce infrastructure
and allow it to grow.
The Consumer Assurance Framework for e-commerce (CAFE) is
a scheme to promote trust in e-commerce. Trust underpins all other
aspects including access and understanding. It will allow consumers
to have confidence in Internet transactions. CAFE will deliver
a method for business to manage the selection and retention of
Trust Service Providers (TSPs), and a code of practice for the
stakeholders themselves. It will ultimately deliver a package
to promote excellence in electronic commerce and create a hub
for international electronic business.
CAFE will pave the way for effective e-commerce through standards,
certification and education, for business to implement and for
consumers to make well-informed choices. Such a virtuous circle
will help to produce a truly market-driven environment.
It is also important to recognise that the scope of electronic
commerce extends beyond the popular image of credit card transactions
over the Internet. Knowledge trading is one other example. The
use of micro payment systems is another. The definition in the
recent Cabinet Office report (e-commerce@its.best.uk) is
excellent as it summarises the activity without the distraction
of financial activity:
"Electronic commerce is the exchange of information across
electronic networks, at any stage in the supply chain, whether
within an organisation, between businesses, between businesses
and consumers, or between the public and private sectors, whether
paid or unpaid."
CAFE will embrace this definition by building on the foundations
set out in the diagram below. CAFE will draw together the
supplier-led initiatives such as tScheme for Trust Service Providers, TrustUK
for traders, and the financial institution-based Identrus.

3. AN OVERVIEW OF THE PROPOSED SCHEME
The proposed scheme envisages the following stakeholders
in e-commerce, all of whom will benefit from a formal scheme whether
voluntary or enforced by legislation.
Trust Services Providers;
Awarding Authorities; and
Regulatory Authorities.
The proposed scheme would allow for a stakeholder taking
on different roles pertaining to different relationships with
other stakeholders. For example, a customer of one stakeholder
may be the supplier of another. CAFE is an umbrella, and a focal
point for other initiatives which concentrate on single aspects
of the supply chain.
3.1 Under Development
CAFE is a research and development project of the National
Computing Centre. Some of the ideas in this paper may become part
of the final specification but currently, all are just suggestions
and examples of how the proposed scheme may operate.
The National Computing Centre has identified the need for
CAFE to allow IT business users to find their way through the
many pathways which lead to e-commerce in all its forms. CAFE
recognises that there are national and private schemes, and proposals,
being announced from all quarters; CAFE will bring the issues
back to street level, in practical terms, which can be understood
by the ordinary business community. For some, EDI will continue
to be the way forward, for others it may be XML to refer to only
two pieces of the jigsaw. It is important not to be distracted
by one company selecting a different solution over another. Summary
rejection of established standards is throwing the baby out with
the bathwater: "progress is bad things happening faster",
some may say.[89] If
the community is to become a centre of excellence, it must pool
its strengths and present a picture which will make the world
confident when it clicks on domains in the EU. CAFE can provide
these credentials.
4. CONSUMERS
4.1 What the Consumers want
Consumers want to be able to make informed choices and this means
that they will need reliable information on price, quality and
the safety of products. They need to know about returns policies
and other contractual rights.
Electronic commerce is not new but the opportunity for many
individuals and companies freely to do business with each other
electronically is, thanks to the rapid growth of Internet and
related technologies.
Purchasing electronically or passing sensitive information
over the Internet needs to be underpinned by a simple mechanism
to instil confidence. The proposed scheme will deliver a tiered
level of certification (such as the proposed online "hallmark")
for Internet sites to which information may be sent safely. This
would initially be identified by an "approved site"
symbol. A developed scheme would successfully negotiate with providers
of Internet tools (such as browsers) to incorporate an electronic
certification mechanism that would warn customers of the security
rating of a site.
CAFE will research and define the user requirements for the
security and integrity of e-commerce transactions. This may be
based on already accepted work.
5. SUPPLIERS
5.1 Who's Who?
To draw a diagram which shows the range of activities going on
in electronic commerce and relate that to the many roles within
those activities would probably produce a figure as complex as
the Internet itself.
On the Internet, one supplier may be the customer of another
whilst receiving its Internet services directly from that supplier.
Another organisation may receive the same services through an
independent third party. Or more simply: suppliers who trade electronically
may provide their own service or use a trusted third party. The
same site certification rules would apply in both instances. Suppliers
would be expected to make trading only available from sites which
were "stamped" with the accredited symbol. To receive
permission to use an accredited symbol, a supplier would need
to comply with certain rules contained in codes of practice; different
codes of practice would be required for the different situations.
5.2 Marks out of five
When the UK Government called for comments on its proposed
electronic commerce strategy, industry raised the concern that
award schemes require high investment from those seeking certification.
CAFE proposes a tiered approach which will allow organisations
to select a level of certification commensurate with levels of
business risk. It will also apply opportunities for self-assessment
which will require no external costs to the organisations involved.
Individuals may be able to make informed choices after thinking
through a few short questions which could be printed on a mousemat.
For example:
Grade | Means . . .
1 | Complies with basic codes of practice
2 | Complies with advanced codes of practice
3 | Complies with advanced codes of practice and BS 7799
4 | Complies with advanced codes of practice and BS 7799, ISO 9000
5 | Complies with advanced codes of practice and BS 7799, ISO 9000, and rules of recognised regulatory authorities such as the British Banking Association, the Financial Services Authority, and the Association of British Insurers
Alternatively, these grades could be translated into simple
checklists that can be applied by users with varying levels of
expertise to carry out a risk assessment of what they are trying
to achieve by e-commerce.
CAFE would bring under its umbrella the best practices from
around Europe and, if appropriate, beyond. This would serve the
very important purpose of building on current successes and the
experience of IT practitioners and the users in the different
fields of commerce, and the supporting professions. It will be
important to recognise that e-business opportunities are built
on new ways of doing activities that have been in place for
centuries.
CAFE would bring national initiatives such as TrustUK into
the framework.
6. TRUST SERVICE PROVIDERS
6.1 Trust in TSP
The hub of the proposed scheme will be a set of rules or
guidelines (depending on the market drive for a mandatory or voluntary
code of practice) for Trust Service Providers. Certification or
accreditation against these rules would be tiered to allow for
different grades of transactions (for example: sensitive or non-sensitive
information) and different grades of service provider, as shown
in the table below.
This will allow for truly third-party encryption services
and (say) a large corporation which wished to offer products and
services to its customers over an "extranet".
The proposed scheme would award ratings based on the level
of independence of the services provider and the technologies
that are offered. The proposed scheme would be sufficiently flexible
to incorporate current technologies and encompass future innovation.
The rating system would allow service providers to gain low-level
accreditation easily, and then build up the level of approval
commensurate with the opportunities its market offers. This will
minimise the cost and potential bureaucracy of the early accreditation.
Ratings for the service providers would work like the system
for suppliers. However, a higher entry level would be expected.
For example:
Grade | Means . . .
1 | It would not be appropriate to make low grades available for Service Providers
2 | It would not be appropriate to make low grades available for Service Providers
3 | Complies with advanced codes of practice and BS 7799
4 | Complies with advanced codes of practice and BS 7799, ISO 9000
5 | Complies with advanced codes of practice and BS 7799, ISO 9000, and rules of recognised regulatory authorities such as the British Banking Association, the Financial Services Authority, and the Association of British Insurers
CAFE would bring national initiatives such as tScheme into
the framework.
7. AWARDING AUTHORITIES
7.1 The CAFE Model
Accreditation of service providers would be through suitably
qualified assessment bodies. These assessment bodies would in
turn be accredited to certify service providers by a "regulatory"
or "guiding authority". This will be a self-supporting
scheme by charging for their services (cf. ISO 9000 and BS 7799).
See the figure below.

THE CAFE MODEL
8. REGULATORY AUTHORITY
8.1 Will We Need One?
CAFE will include methods for self assessment by contributors
to the supply chain. CAFE will also use similarly accessible methods
for individuals and organisations to carry out second-party assessments
of good practice to manage the risk in procurement decisions.
These may be applied using fast-track, short checklists or more
in-depth analysis.
After initially establishing the proposed scheme, NCC may
hand over the running of the proposed scheme to a suitable organisation;
the United Kingdom Accreditation Service (UKAS) may be approached.
It may be appropriate to expand the remit of (say) TrustUK. This
level of the model will very much be governed by industry opinion
and detail of legislation. The success of the proposed scheme
will rely on:
the manageability of the codes of practice;
legislation or market driven;
the credibility of the hallmark/certificate;
the independence from any market sector;
the independence from any part of the model: suppliers,
consumers, service providers etc;
feedback from the public either directly, by survey,
or investigation into (say) types of litigation or alternative
dispute resolution, to test the effectiveness of codes of practice
and purchasers' decisions based on them.
9. WELTANSCHAUUNG
There is already significant work being done nationally and
internationally which CAFE will collate and direct to the diverse
stakeholder participants of e-commerce. As a corollary, CAFE will
also make contributions to organisations such as the Global Business
Dialogue and the World Intellectual Property Organisation. These
organisations are already providing direction for the e-commerce
agenda; CAFE will take a positive, pragmatic view to steer through
the industry enablers and political policy makers to provide practical
guidance to the doers. The flexibility and scalability of the
CAFE framework means that the scheme can provide a practical vehicle
for e-minister or e-envoy to deliver whatever the social and economic
agenda suggests.
At least some of the cloud of uncertainty which surrounds
e-commerce is clearing. This is happening through traditional
processes and so validates the need for the framework. Recent
reports have identified that good e-commerce is susceptible to
the same mistakes as any other discipline. Project planning procedures
must be in place and reviewed in no less detail than (say) traditional
engineering projects. The wide variety of user types means that
social implications must be considered even more so than for an application
which is rolled out in-company. CAFE will take note of the trends
for e-commerce uptake so that implementers can scale their e-commerce
to fit with the outlook and keep the business model up to date.
Initial research for CAFE already suggests that business should
be wary of whirlwind romances with innovative technology which
may alienate them from the silent majority of loyal customers
who may take longer to woo to the Internet; some may never make
the transition, others may have another electronic path which
may be equally effective for the activities in hand.
10. SUMMARY
10.1 Advantages from the CAFE Scheme
This proposed scheme will develop mechanisms that:
are eminently scalable, and easily customised
to fit the needs of the e-commerce market place as a voluntary
or a statutorily backed scheme;
are based on guidelines already internationally
endorsed by users, solicitors, lawyers and trusted third party
organisations;
will contain a framework into which additional
licensing criteria can be slotted or impractical licensing criteria
removed;
will provide an umbrella for any other standardisation,
legislation, or voluntary practice required for technically detailed
areas such as encryption, digital signatures etc. Also, insurance
for transactions may be considered depending on the use of accredited
services;
the opportunities for contributing and encouraging
the e-commerce market are shown in the figure below.
These will provide the yardsticks to measure conformity to
the CAFE model. This is another feature keeping CAFE in line with
recent reports: an opportunity for a time-based (say annual) status
report, providing key indicators for continuous improvement.

11. CONCLUSIONS
(Conclusions as at Summary)
21 February 2000
[88] Daniel Dresner, Head of Standards, The National Computing
Centre Limited, Oxford House, Oxford Road, Manchester M1 7ED,
Telephone: 0161 242 2352, Fax: 0161 242 2499, E-mail: daniel.dresner@ncc.co.uk.
[89] As popular author Terry Pratchett writes.