Printer Friendly

Romanian E-commerce: a critical analysis and recommendations for improvement.

1 OBJECTIVES OF THE PAPER

The objectives of this paper are to: (1) consider the recent growth of internet accessibility and E-commerce in Romania; (2) discuss the basic aspects of electronic signatures, public-key-infrastructure technology and certification authorities; (3) describe the three generations of electronic signature law; (4) analyze the three Romanian E-commerce statutes; and (5) make recommendations for refinement of those statutes.

2 ROMANIA'S INTERNET ACCESSIBILITY AND GROWTH IN E-COMMERCE

According to the U.S. Central Intelligence Agency, 7.8 million Romanians in a population of approximately 21 million accessed the internet in 2009; this is an internet penetration rate of 37 percent, which ranks 37th in the world. [52] Even in 2007, 44% of internet users already had high-speed broadband, and that figure has undoubtedly increased during the past four years. [43] In 2008, Romania was the home to 340,000 registered domain names. [59] In 2010, the nation had 2.5 million internet hosts, a world ranking of 34th. [52] E-government has flourished in Romania; as early as 2001, planning was already in place for electronic government purchases and for online submission of customs documents and fees. [40]

The rise in the number of broadband connections in the country has made E-transactions quicker and easier to consummate. Because of the growing availability and ease of use of the internet, Romanian E-commerce has increased markedly since 2006. This occurred despite the fact that only 29% of Romanian internet users engaged in E-commerce in 2007. [43] The number of secure E-commerce transactions increased fivefold in 2006 alone. [2] However, one factor that has hampered the growth of E-commerce has been the reluctance of many Romanians to make electronic payments because they are often perceived to be risky and insecure. [43] Accordingly, many citizens of the country prefer to pay for their online orders via remittance of cash to the courier when the item is delivered, or to use a bank draft. [2] Other concerns of Romanian E-shoppers include product quality (37% of respondents to a survey) and trying to save money (21%). [43] Nevertheless, even during the recession of 2009, the registration figure of new E-shops for the month of May was still a respectable 2,324. [2] In 2007, the internet was the preferred place to shop for: photo equipment (according to 35% of respondents to a survey); computer games (32%); travel services (32%); computer software (32%); telephones and accessories (32%); computer hardware (30%); books, CDs and DVDs (28%); and train, bus or airline tickets (24%). [43]

3 ELECTRONIC SIGNATURES

Contract law worldwide has traditionally required the parties to affix their signatures to a document (e.g., U.S. UNIFORM COMMERCIAL CODE Sect. 2201, 2-209 (1998). With the onset of the electronic age, the electronic signature made its appearance. It has been defined as "any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with the intent to authenticate a writing," [49] or as "data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication." [37] An electronic signature may take a number of forms: a digital signature, a digitized fingerprint, a retinal scan, a pin number, a digitized image of a handwritten signature that is attached to an electronic message, or merely a name typed at the end of an e-mail message. [51]

A well-known U.S. consumer group has stated, "Given the current state of authentication technology, it's much easier to forge or steal an e-signature than a written one." [36] This statement seems to assume that all E-signatures offer an equal degree of security. However, such an assumption would be erroneous; some electronic signatures offer more security than others. It is prudent for E-Commerce participants to use the more secure types of electronic signatures, notwithstanding their greater degree of complexity and expense.

3.1 Online Contracts: Four Levels of Security

When entering into a contract online, four degrees of security are possible.

1. The first level would exist if a party accepted an offer by merely clicking an "I Agree" button on a computer screen. [50]

2. The second level of security would be incurred if secrets were shared between the two contracting parties. This would be exemplified by the use of a password or a credit card number to verify a customer's intention that goods or services were to be purchased. [50]

3. The third level is achieved with biometrics. Biometric methods involve a unique physical attribute of the contracting party, and these are inherently extremely difficult to replicate by a would-be cyber-thief. Examples include: a voice pattern, face recognition, a scan of the retina or the iris within one's eyeball, a digital reproduction of a fingerprint, [35] or a digitized image of a handwritten signature that is attached to an electronic message. In all of these examples, a sample would be taken from the person in advance and stored for later comparison with a person purporting to have the same identity. For example, if a person's handwriting was being used as the biometric identifer, the "shape, speed, stroke order, off-tablet motion, pen pressure and timing information" during signing would be recorded, and this information is almost impossible to duplicate by an imposter--In the highly successful Hong Kong Identity Card, the two thumb prints are used as a biometric identifier. [35]

Biometrics, despite its potential utility as a form of electronic signature, has at least two drawbacks in comparison with the digital signature: (1) The attachment of a person's biological traits to a document does not ensure that the document has not been altered, i.e., it "does not freeze the contents of the document;" [45] and (2) The recipient of the document must have a database of biological traits of all signatories dealt with in order to verify that a particular person sent the document. [45] The digital signature does not have these two weaknesses and most seem to view the digital signature as preferable to biometric identifiers. However, one of the experts in computer law and technology--Benjamin Wright--is a notable exception. Wright contends that biometrics is a more preferable authentication method in the case of the general public, although he concedes that digital signatures using PKI are preferable for complex financial deals carried out by sophisticated persons. In PKI, control of the person's "private key" becomes all-important. The person must protect the private key; all of the "eggs" are placed in that one basket, and the person carries a great deal of responsibility and risk. With biometric methods, the member of the general public would be sharing the risk with other parties involved in the transaction, and the need to protect the "private key" is not so compelling. [57] Many also recommend the use of both methods; this was the course taken by the Hong Kong government in designing its identity card. [35]

4. The digital signature is considered the fourth level because it is more complex than biometrics. Many laypersons erroneously assume that the digital signature is merely a digitized version of a handwritten signature. This is not the case, however; the digital signature refers to the entire document. (The Hong Kong E-commerce law typically defines a digital signature as follows: "an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine: (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated." Hong Kong Special Autonomous Region, ELECTRONIC TRANSACTIONS ORDINANCE, Ord. No. 1 of 2000, s 2.) It is "the sequence of bits that is created by running an electronic message through a one-way hash function and then encrypting the resulting message digest with the sender's private key." [49] A digital signature has two major advantages over other forms of electronic signatures: (1) it verifies authenticity that the communication came from a designated sender; and (2) it verifies the integrity of the content of the message, giving the recipient assurance that the message was not altered. [44]

3.2 Digital Signature Technology: Public Key Infrastructure

The technology used with digital signatures is known as Public Key Infrastructure, or "PKI." [38] PKI consists of four steps:

1. The first step in utilizing this technology is to create a public-private key pair; the private key will be kept in confidence by the sender, but the public key will be available online.

2. The second step is for the sender to digitally "sign" the message by creating a unique digest of the message and encrypting it. A "hash value" is created by applying a "hash function"--a standard mathematical function--to the contents of the electronic document. The hash value, ordinarily consisting of a sequence of 160 bits, is a digest of the document's contents. Whereupon, the hash function is encrypted, or scrambled, by the signatory using his private key. The encrypted hash function is the "digital signature" for the document. [45]

3. The third step is to attach the digital signature to the message and to send both to the recipient.

4. The fourth step is for the recipient to decrypt the digital signature by using the sender's public key. If decryption is possible the recipient knows the message is authentic, i.e., that it came from the purported sender. Finally, the recipient will create a second message digest of the communication and compare it to the decrypted message digest. If they match, the recipient knows the message has not been altered. [56]

3.3 Advantages of the Digital Signature

Unlike biometric and other forms of electronic signatures, the digital signature will "freeze" the contents of the document at the time of its creation. Any alterations to the document's contents will result in a different hash value. Furthermore, the encryption of the hash value with the signatory's private key "links uniquely the digital signature to the signatory, i.e., the owner of the private key." [45] Although a handwritten signature is only "signatory-specific," the digital signature is both "signatory-specific" and "document-specific". [45]

The digital signature is the only form of electronic signature which satisfies all three of the UNCITRAL evaluation factors, i.e., that an electronic signature should: (1) authorize; (2) approve; and (3) protect against fraud. [45] Authorization is achieved because the digital signature will accompany the document, which allows for confirmation of the identity of the signatory. Approval is attained via computation of the hash value of the electronic document, which freezes the contents of the document at the time of its creation, and allows for detection of any subsequent alterations. Finally, there is protection against fraud because it is extremely unlikely--virtually impossible--for anyone to determine a signatory's private key with only the public key as a starting point. [45]

3.4 Disadvantages of the Digital Signature

The digital signature has at least two drawbacks. Firstly, since the private key of each person is rather difficult to memorize, they are most often stored in computers. If the computer is not kept in a secure location, the contents of the private key may be vulnerable. This heightens the necessity of maintaining the security of the private key and protecting it from intruders. However, it should be noted that this weakness of the digital signature is also common to most other forms of electronic signatures. The password or the PIN face similar security problems. Therefore, with good security policies and procedures, this disadvantage can be minimized. [45]

The other disadvantage of the digital signature pertains to the digital certificate, which must be issued by a Certification Authority ("CA"). Obtaining the certificate and having to interact with the CA is somewhat inconvenient and costly for the user, but over time this disadvantage should be alleviated as digital signatures become more popular, easier to use, and cheaper. [45] Because the CA plays such a vital role in the viability of the digital signature, it is essential for the user to understand exactly what the CA does.

3.5 The Critical Role of the Certification Authority

In order for PKI to realize its potential, it is crucial that the user be able to ensure the authenticity of the public key (available online) used to verify the digital signature. If Smith and Jones are attempting to consummate an online transaction, Smith needs an independent confirmation that Jones' message is actually from Jones before Smith can have faith that Jones' public key actually belongs to Jones. It is possible that an imposter could have sent Jones his public key, contending that it belongs to Smith. Accordingly, a reliable third party--the Certification Authority (Certification Authority ("CA") is the term used in this Section because it seems to be the most commonly used designation around the world. The most notable exceptions are the Member States of the European Union ("EU"), including Romania. In EU countries, a CA is referred to as a Certification Service Provider ("CSP"). CSP is the label to be used in Sections V, VI, VII, VIII and IX of this paper, which cover the Romanian E-commerce statutes.)--must be available to register the public keys of the parties and to guarantee the accuracy of the identification of the parties. [42]

The most important job of the CA is to issue certificates which confirm basic facts about the subscriber, the subject of the digital certificate. Of course, the certificate is a digitized, computer-held record containing the most pertinent information about a transaction between two transacting parties. Typical information contained in a certificate includes the following: the name and address of the CA that issued the certificate; the name, address and other attributes of the subscriber; the subscriber's public key; and the digital signature of the CA. [39] Sufficient information will be contained in the certificate to connect a public key to the particular subscriber.

In making an application to a CA for a certificate, the prospective subscriber must provide some sort of photo I.D., e.g., a passport or a driver's license. If the application is approved and the certificate is issued, the CA will issue a private key to its new subscriber which corresponds to the public key. This is done, however, without disclosing the specifics of the private key. [49] The steps in this application procedure vary somewhat from CA to CA, according to the type of certificate being offered by the CA. Ordinarily, however, once the CA has verified the genuine connection between the subscriber and the public key, the certificate will be issued. [49]

In order to indicate the authenticity of the digital certificate, the CA will sign it with her digital signature. Ordinarily, the public key corresponding to the subscriber's private key will be filed in the CA's online repository which is accessible to the general public and to third parties who have need of communication with the subscriber. Additionally, the online repository contains information pertaining to digital certificates which have been revoked or suspended by the CA due to lost or expired private keys. This is an important positive aspect of PKI technology: the general public has access to the status of digital signatures, and relying third parties are kept informed, allowing them to judge whether they should place reliance on communications signed with a certain private key. [42]

One of the recurring problems for digital signature lawmakers is in trying to fairly apportion the liability for risk of computer fraud between the CA and the subscriber. Nations around the world, and the state laws of the United States, have arrived at different conclusions regarding this apportionment. The problem is compounded if each CA is required to modify its practices every time it issues a certificate pertaining to a transaction affecting another jurisdiction which happens to have dissimilar digital signature laws. [1]

A digital certificate is only as reputable as the CA who issued it. If the CA is unreliable and untrustworthy, the digital certificate is also unreliable and untrustworthy. In the final analysis, a party contracting with an unknown stranger must rely upon the CA's registration expertise and its judgment that the subscriber's identification is accurate. [41]

4 THREE GENERATIONS OF ELECTRONIC SIGNATURE LAW

4.1 The First Wave: Technological Exclusivity

In 1995, the U.S. State of Utah became the first jurisdiction in the world to enact an electronic signature law.--UTAH CODE ANN. 46-3-101 et seq., 1995. This first-generation statute was repealed in 2000 and replaced with the Uniform Electronic Transactions Act, a second-generation model law. UTAH CODE ANN. 46-4-101 et seq. (2000). In the Utah statute, digital signatures were given legal recognition, but other types of electronic signatures were not. The authors of the Utah statute believed, with some justification, that digital signatures provide the greatest degree of security for electronic transactions. Utah was not alone in this attitude; other jurisdictions granting exclusive recognition to the digital signature include Argentina [3], Bangladesh, India, Malaysia, Nepal [5], New Zealand and Russia.

Unfortunately, these jurisdictions' decision to allow the utilization of only one form of technology is burdensome and overly-restrictive. Forcing users to employ digital signatures gives them more security, but this benefit may be outweighed by the digital signature's possible disadvantages: more expense because of the fee paid to the certification authority; lesser convenience due to being forced to use a certification authority; forcing users to use one type of technology to the exclusion of others when another type of technology might be better suited to a particular type of transaction; use of a more complicated technology which may be less adaptable to technologies used in other nations, or even by other persons within the same nation; inappropriate risk allocation between users if fraud occurs; and the potential disincentive to invest in development of alternative technologies. [33]

4.2 The Second Wave: Technological Neutrality

Jurisdictions in the Second Wave overcompensated. They did the complete reversal of the First Wave and did not include any technological restrictions whatsoever in their statutes. They did not insist upon the utilization of digital signatures, or any other form of technology, to the exclusion of other types of electronic signatures. These jurisdictions have been called "permissive" because they take a completely open-minded, liberal perspective on electronic signatures and do not contend that any one of them is necessarily better than the others. In other words, they are "technologically neutral." Permissive jurisdictions provide legal recognition of many types of electronic signatures and do not grant a monopoly to any one of them. The United States of America is a member of the second wave; the overriding majority of its jurisdictions (forty-five states, the District of Columbia, and the Territories of Puerto Rico and Virgin Islands) have enacted the Uniform Electronic Transactions Act (either in its entirety or with minor amendments), a permissive second-generation model law. [54] Australia has also enacted a second-generation statute.

The disadvantage of the permissive perspective is that it does not take into account that, in fact, some types of electronic signatures are better than others. A PIN number and a person's name typed at the end of an E-mail message are both forms of electronic signatures, but neither is able to even approach the degree of security that is provided by the digital signature.

4.3 The Third Wave: A Hybrid

Singapore was in the vanguard of the Third Wave. In 1998, this country adopted a compromise, middle-of-the-road position with respect to the various types of electronic signatures. Singapore's lawmakers were influenced by the UNCITRAL Model Law on Electronic Commerce. [53] In terms of relative degree of technological neutrality, Singapore adopted a "hybrid" model--a preference for the digital signature in terms of greater legal presumption of reliability and security, but not to the exclusion of other forms of electronic signatures. Singapore did not want to become "hamstrung" by tying itself to one form of technology. The Singapore legislators realized that technology is continually evolving and that it would be unwise to require one form of technology to the exclusion of others. The digital signature is given more respect under the Singapore statute, but it is not granted a monopoly as in Utah. Singapore allows other types of electronic signatures to be employed. This technological open-mindedness is commensurate with a global perspective and allows parties to more easily consummate electronic transactions with parties from other nations. [7]

In recent years, more and more nations have joined the Third Wave. They recognize the security advantages afforded by the digital signature and indicate a preference for the digital signature over other forms of electronic signatures. This preference is exhibited in several ways: (1) utilization of a digital signature using a PKI system is explicitly required for authentication of an electronic record; (2) utilization of a digital signature with PKI seems to be necessary in order for an electronic record to comply with any statutory requirement that a record be in paper form; and (3) in order for a signature in electronic form to comply with a statutory requirement that a pen-and-paper signature be affixed, it must be a digital signature created with PKI. Nevertheless, the Third Wave jurisdictions do not appear to be as technologically-restrictive as those in the First Wave. They do not compel the E-commerce participant to use only the digital signature, in lieu of other forms of electronic signatures, as the State of Utah did in its original statute of 1995.

The moderate position adopted by Singapore has now become the progressive trend in international electronic signature law. The hybrid approach is the one taken by the European Union's E-Signatures Directive [8], Armenia [9], Azerbaijan [10] Barbados [11], Bermuda, Bulgaria [12], Burma, China [14], Colombia [15], Croatia [16], Dubai [17], Finland [18], Hong Kong [19], Hungary [20], Iran, Jamaica [21], Japan [22], Lithuania [23], Pakistan [24], Peru, Slovenia [25], South Korea [26], Taiwan [27], Tunisia [28], United Arab Emirates [29], Vanuatu and in the proposed statute of Uganda. [31] Many other nations are either currently using the hybrid approach or are considering the adoption of it; Romania is one of them.

5 ROMANIA'S E-SIGNATURE LAW

The Electronic Signature Law ("ESL") was enacted in Romania in 2001. (see http://www.legi-internet.ro/en/e-sign.htm).

5.1 No Exclusions from Coverage

Only a handful of the world's countries has enacted an E-signature statute which covers all types of documents with no exclusions from coverage--for example, Azerbaijan's statute contains no exclusions from coverage; it states that electronic documents "can be used (applied) in all activity spheres where software and technical equipment could be applied to create, use, store, transmit and receive information"; Republic of Azerbaijan, Electronic Document Law, 2003, art. 1(1) (emphasis added). Romania is one of them. In the overriding majority of nations, E-documents and E-signatures cannot be used in specified situations. The situations vary from country to country, but these are common examples: documents creating wills and testamentary trusts (the aversion to electronic wills is beginning to dissipate. In 2005, the U.S. State of Tennessee became the first American jurisdiction to recognize the legal validity of a will that is executed with an electronic signature. See Chad Michael Ross, Comment, "Probate--Taylor v. Holt--The Tennessee Court of Appeals Allows a Computer Generated Signature to Validate a Testamentary Will," 35 University Of Memphis Law Review 603 (2005)); documents relating to marriage, annulment, separation and divorce; and documents pertinent to ownership or transfer of ownership of real estate and long-term leases of real estate. In those situations, a paper document with a handwritten signature is required; an E-document signed with an E-signature has no legal validity.

Romanian lawmakers were wise not to write exclusions into the ESL. However, Romania's Electronic Commerce Law does contain three exclusions; it is inapplicable to notaries public, attorneys and gambling situations. Implicitly, they have told the world that Romania sees virtually no limits to the utilization of the electronic form and that they encourage the adoption of the electronic form by its citizens and residents.

5.2 Third-Generation

The ESL is a third-generation statute; the legal validity of all types of E-signatures is recognized, but special privileges are given to the digital signature. For example, an E-document signed with a digital signature is preferred in the Romanian courts; the court grants a presumption of validity to such documents. E-documents signed with other types of E-signatures do not enjoy this presumption.

5.3 "Extended" E-Signatures Given More Privileges

The ESL distinguishes an ordinary E-signature from an "extended" E-signature; the latter must: identify the subscriber; have a unique linkage to the subscriber; be created with a private key under the exclusive control of the subscriber; and have a linkage to the attached document so that any modification of it is detectable.(art.4) Ordinarily, the only type of E-signature which will satisfy these requirements is the digital signature. An E-document with an attached extended E-signature will automatically satisfy a statutory requirement for: (a) a handwritten signature; (art.5) (b) an authenticated document; (art.6) or (c) a writing. (art.7) However, if the E-document is signed with a non-extended E-signature (ordinarily, any type of E-signature other than a digital signature), there will be no automatic satisfaction of the requirements.

5.4 Rules Pertinent to Certification Service Providers and Their Issuance of Certificates

A Certification Service Provider ("CSP") is not required to be licensed (accredited), (art.12.1) but voluntary accreditation (art.36-37) is available through the public authority established by the Minister. (art.26.1) That authority will maintain a Register of CSPs. (art.28.1) A CSP is required to give notice of the following to the authority before beginning operations: its intended start-up; and the certification and security procedures to be employed. (art.13.1 and 2) A CSP enters into a contractual relationship with every subscriber to whom a certificate is issued. (art. 14. The contract must specify: how to use the private key; fees; legal liability of the parties; accreditation of CSP, if any; and limitations on purpose or value to be stated in the certificate). A CSP must maintain confidentiality of information regarding the subscriber. (art.15) A CSP must maintain a register of all certificates that have been issued.(art.17.2) A qualified certificate must contain detailed information,(art.18) and will only be issued after stringent qualifications have been complied with.(art.20 and 21)A certificate may be suspended or revoked for good cause shown (art.23). A CSP is mandated to purchase sufficient liability insurance (art.22). A CSP planning to go out of business is obligated to find another CSP to assume its responsibilities(art.24). The authority is authorized to inspect CSPs and to ensure compliance with the ESL and all other pertinent regulations. (art.31-35) Certificates issued by foreign CSPs may be recognized in Romania if certain requirements are met.(art.40) A CSP may be subjected to a fine in the range of 5 million to 250 million ROL for failure to abide by its obligations. (art.44-45)

6 ROMANIA'S E-COMMERCE LAW

The Electronic Commerce Law ("ECL") was enacted in 2002. [46] The ECL aims to facilitate E-commerce and E-payments and to designate certain related crimes.(art.2.1) The ECL is implemented by the Minister of Communications and Information Technology ("Minister"). (art.33) The ECL is inapplicable to: Notaries Public; attorneys; and gambling.(art.2.3) The ECL does not override, but is compatible with, the following laws: taxation; privacy of personal data; antitrust; consumer protection; public health; and domestic and international contracts(art.2.4 and 5)

6.1 Requirements of E-Sellers

An E-seller must provide the following to buyers: its name and contact information; registration numbers and jurisdiction of incorporation; its regulatory authority; prices to be charged, including VAT; and delivery expenses. (art.5.1) Unsolicited E-mail advertising is prohibited. (art.6.1) Acceptable E-mail advertising must specify: advertising status; the party communicating it; promotional offers and competitions; and other imposed conditions. (art.6.2) An E-seller must inform the buyer the following pertinent to an E-contract: steps necessary to consummate the contract; recording and accessibility of the completed contract; language used; codes of conduct subscribed to; and how to correct errors. (art.8) An E-seller should adhere to any code of conduct that has been drafted in collaboration with the Romanian government to protect consumers.(art. 18)

6.2 E-Contracts

An E-contract is legally valid, (art.7.1) and consent of the parties is not a prerequisite. (art.7.2) A bilateral contract becomes effective when the offeror learns of the offeree's acceptance; (art.9.1) a unilateral contract becomes effective when the offeree begins the requested performance. (art.9.2) An E-contract may be avoided by the buyer if the seller fails to abide by its notice requirements. (art.21) E-contract disputes may be resolved with either court action (art.19) or out-of-court settlement. (art.20) In such disputes, the E-seller generally bears the burden of proof. (art.20)

6.3 Fulfillment of Statutory Requirements

If a statute requires the production or retention of information in its original form, that requirement will be deemed to have been met, provided: high security have been used to ensure the integrity of the information; (art.10.2) the document containing the information has been signed with the extended E-signature of the issuer; and the information is accessible for subsequent reference. (art.10.1)

6.4 Liability of Internet Service Providers

Although an internet service provider ("ISP") is liable for information transmitted on its own behalf, (art.11.2) an ISP is not liable for information it merely: disseminates; (art.12) caches; (art.13) hosts; (art.14) or links. (art.15) An ISP is responsible for informing the authorities (art.17) if it becomes aware of any offending or unlawful materials being disseminated over its system. (art.16) W/T

6.5 Civil Contraventions and Criminal Offenses

An E-seller may be fined (in the range of ROL 10 million to 500 million) for unauthorized E-mail advertisement, or for failure to abide by its notice requirements. (art.22) It is a crime to: falsify electronic payment instruments; (art.24) possess equipment which may be used to falsify electronic payment instruments; (art.25) make false statements for the purpose of issuance or use of electronic payments instruments;(art.26) fraudulently undertake financial operations; (art.27) accept financial operations fraudulently undertaken; (art.28) and undertake unauthorized operations in an IT system.(art.29)

7 ROMANIA'S CYBER-CRIME LAW

The Cyber-Crime Law ("CCL") was enacted in 2003. [47] The CCL contains provisions pertinent to: prevention of cyber-crime; (art.36-41) offenses against the confidentiality and integrity of data and computer systems; (art.42-47) computer-related offenses; (art.48-50) child pornography via computer systems; (art.51) applicable procedures; (art.54-59) and international cooperation. (art.60-67)

The CCL does not contain a specific prohibition of the intentional injection of a virus into a computer system. The CCL does, however, contain two articles which could be used to prosecute a virus-injecting offender. If the injector did so in order to incur an economic benefit, the range of duration of imprisonment would be "3 to 12 years." (art.48) But if the injector did not do so in order to incur an economic benefit--the most typical situation--the offender's period of imprisonment would be limited to "2 to 7 years." Given the potentially catastrophic effects that a widespread virus injection could have on a nation's economy, the Romanian lawmakers may want to consider amending these provisions to make them more stringent.

8 RECOMMENDATIONS FOR IMPROVEMENT OF ROMANIAN E-COMMERCE LAW

Romania has established a satisfactory legal framework for E-commerce. However, Romania's E-commerce law needs to be refined and supplemented; the following amendments should be considered.

8.1 Enact a Comprehensive Electronic Transactions Law

All of the laws pertinent to electronic transactions should be included under the umbrella of a Electronic Transactions Law ("ETL"). A comprehensive statute is easier for all affected parties to research and to comprehend. Accordingly, the ESL, ECL, CCL and all other existing laws pertinent to electronic transactions should be consolidated in the ETL.

Pursuant to the author's model in his forthcoming book, the ETL should include the following sections: Introduction; Legal Recognition of Electronic Form and Secure Electronic Documents and Signatures; Legal Presumptions, Admissibility and Evidential Weight of Electronic Evidence in a Court of Law or Administrative Proceeding; Use of Electronic Form to Comply With Requirements of Other Statutes; Regulation of CA's; Duties and Liabilities of CA's; Duties of Subscribers and Relying Third Parties; Electronic Contracts; Consumer Protections in E-Commerce Transactions; Computer Crimes; Computer Criminal and Civil Justice; E-Government; Domain Name Registration; Network Intermediaries; Privacy of Information; and Other Issues. [32]

8.2 Make the ETL Supreme In All Things Electronic

If the ETL is in conflict with another law or statute, the ETL should prevail.

8.3 Add: A List of Other Laws Affected by the ETL

There should be a list of other statutes and regulations that are modified or affected by the ETL. Additionally, there should be a list of the names of all other statutes currently in force (and the applicable provisions in each) which can be complied with using the electronic form instead of the paper form.

8.4 Add: Legal Validity of Electronic Form To Comply With Several Additional Requirements of Other Statutes

The ETL should state a general presumption that the electronic form may be used to satisfy requirements contained in other statutes which are prerequisite to incurrence of a legal right. Those requirements include, but are not limited to, the following: the witnessing of a handwritten signature or seal; a paper document's notarization, certification, acknowledgement, verification, attestation, or being made under oath; production of multiple copies of a paper document (where production of one electronic copy is sufficient); communication by registered or certified mail (provided that the electronic message is transmitted thorough the sender's Certification Service Provider and confirmed by him); and seller's provision of a notice to a consumer in writing. For a comprehensive list of such electronic compliance allowances, refer to the New Zealand statute.

8.5 Add: E-Contract Rules

As mentioned, Romania should include E-contract rules in its Electronic Transactions Law. Several types of E-contract rules are needed. For attribution, refer to South Korea's Electronic Commerce Act. For acknowledgement of receipt, look to Singapore's Electronic Transactions Act. For time and place, use Holland's Electronic Commerce Act. For carriage contracts, Colombia' s Electronic Trade Law has a commendable paradigm. For automated contracts, the U.S. Uniform Electronic Transactions Act contains a good model.

8.6 Add: More Stringent Consumer Protections for E-Buyers

Romania needs to enact a general consumer protection statute applicable to all internet consumers. The Republic of Tunisia can be used as a model for good consumer protections. The Tunisian E-commerce statute gives consumers: (1) a "last chance" to review an order before it is entered into; (2) a 10-day window of opportunity to withdraw from an agreement after it has been made; (3) a right to a refund if the goods are late or if they do not conform to specifications; and (4) no risk during the 10-day trial period after goods have been received. Tunisian E-consumers enjoy some of the best protections in the world.

8.7 Add: I.T. Courts for E-Commerce Disputes

Because of the specialized knowledge often required in the adjudication of E-commerce disputes, Information Technology Courts should be established as a court-of-first-instance for them. The I.T. Courts would be tribunals consisting of three experts. The chairperson would be an attorney versed in E-commerce law, and the other two persons would be an I.T. expert and a business management expert. The attorney would be required to hold a law degree and be a member of the bar with relevant legal experience; the I.T. person would be required to hold a graduate degree in an I.T.-related field and have experience in that field; and the business management expert would be required to hold a graduate degree in business administration and have managerial experience. The E-commerce law of Nepal can be used as a model.

8.8 Add: Long-Arm Jurisdiction Against Foreign E-Commerce Parties

Because so many of the E-commerce transactions incurred by the residents of Argentina will be with parties outside the borders of Romania, it would be prudent for the ETL to explicitly state its claim of "long arm" jurisdiction against any E-commerce party who is a resident or citizen of a foreign jurisdiction, so long as that party has established "minimum contacts" with Romania. The Kingdom of Tonga can be used as a model.

Minimum contacts will exist if a cyber-seller outside of the country makes a sale to a person in Romania. In that situation, Romanian laws should be applicable to the foreign party because that party has had an effect upon the country through the transmission of an electronic message that was received in Romania. The foreign party should not be allowed to evade the jurisdiction of the Romanian courts merely because it is not physically present in the country. After all, E-commerce is an inherently international and multi-jurisdictional phenomenon.

8.9 Add: National ID Card With Digital Signature

Romania should adopt a National ID Card. It would contain several types of personal information, including voter registration. [35] Application and other information pertinent to the National ID Card should be made available at the Government Portal. Only a handful of jurisdictions have adopted an ID card; they include Belgium and Hong Kong. In those jurisdictions, the ID Card's computer chip can serve as the E-signature of the cardholder. [35] This idea is recommended for adoption in Romania.

8.10 Add: Romania's Post Office To Become an Accredited Certification Service Provider

In order to promote the utilization of E-signatures among the general public and to make them cheaper and more accessible, the Romanian Post Office should be designated as an accredited Certification Service Provider. For a model, look to the Belgian Post Office, which has implemented a promotional campaign to educate the general public about E-signatures and their availability through the Post Office.

8.11 Add: Intentional Injection of a Computer Virus to the CCL

Because of the potentially calamitous effects of a widespread computer virus on a nation's economy, the crime of Intentional Injection of a Virus Into a Computer System should be added to the CCL. (Romanian lawmakers may also want to consider the enactment of other cyber crimes. When they do so, they should inspect the meticulous list of cyber crimes contained in Republic of Singapore, COMPUTER MISUSE ACT (Cap. 50A), 30 August 1993; http://agcvldb4.agc.gov.sg/non_version/cgi-bin/cgi_gettopo.pl?actno=1998- REVED-50A.) Draconian penalties should be enacted: first offense, 15 years' imprisonment; second offense, life imprisonment.

9 SUMMARY AND CONCLUSIONS

9.1 The Internet and E-Commerce in Romania

During the past decade, Romania has experienced rapid growth in internet broadband accessibility and E-commerce.

9.2 Electronic Signatures

An E-signature is used to sign an electronic document. There are several types of E-signatures: a digital signature, a digitized fingerprint, a retinal scan, a pin number, a digitized image of a handwritten signature that is attached to an electronic message, or merely a name typed at the end of an e-mail message. The most secure of these is the digital signature because it will freeze the contents of the message to which it is attached and will indicate if the message has been altered since its creation. Because of the high degree of security it offers and its assurance that an attached document has not been altered, the digital signature is the most preferred and is given the highest degree of legal status. However, biometric E-signatures (e.g., a retinal scan) are also very useful and are often employed in conjunction with the digital signature.

9.3 Three Generations of E-Signature Law

There have been three generations of E-signature law since the world's first E-signature statute was enacted in 1995. These three successive generations emphasized, respectively: exclusive recognition of public key infrastructure ("PKI") technology and the digital signature; technological neutrality, with all types of E-signatures and technologies recognized; and a hybrid perspective which recognized all types of E-signatures, with a preference shown for PKI in admission of E-signatures and electronic documents ("E-documents") into evidence.

9.4 Romanian E-Commerce Law

The nation has enacted three E-commerce statutes: (1) the E-Signature Law ("ESL") is third-generation and its most noteworthy aspect is an extensive list of penalties for Certification Service Providers ("CSP") who violate the ESL or other laws; (2) the E-Commerce Law ("ECL") is distinguished by the fact that consent of all parties is not required to have a valid E-contract, its provisions pertinent to out-of-court settlement as well as court action, and a range of civil and criminal penalties provided for unlawful E-commerce sellers; and (3) the Cyber-Crime Law creates computer crimes relating to crime prevention, data confidentiality, computer tampering and online child pornography.

9.5 Recommendations for Improvement of Romanian E-Commerce Law

The three Romanian E-commerce statutes (ESL, ECL and CCL) provide a satisfactory legal foundation for E-commerce, but they need to be calibrated and supplemented. Recommended changes and additions to Romanian E-commerce law include: (1) enactment of a comprehensive Electronic Transactions Law which would incorporate all laws pertinent to E-commerce, including E-contract rules; (2) recognition of the validity of the electronic form in compliance with several additional requirements of other statutes, including notarization; (3) addition of rules for electronic automated contracts and electronic carriage contracts; (4) addition of more stringent consumer protections for E-buyers; (5) establishment of Information Technology Courts for resolution of E-commerce disputes; (6) creation of long-arm jurisdiction over foreign E-commerce parties; (7) designation of the Romanian Post Office as an accredited Certification Service Provider ("CSP"); (8) adoption of a National ID Card containing a digital signature which can be activated by an accredited CSP, including the Post Office; and (9) enactment of a new computer crime, Intentional Injection of a Virus into a Computer System, with onerous penalties for offenders.

REFERENCES

[1.] Berman B.A. (2001). Note, "International Divergence: The 'Keys' To Signing on the Digital Line--The Cross-Border Recognition of Electronic Contracts and Digital Signatures," 28 SYRACUSE J. INT'L L. & COM. 125, 143-44

[2.] Bertea P. (2009), "E-commerce development--the case of Romania," Doctoral School of Economics, Alexandru Ioan Cuza University, Iasi, p. 4; available at address http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1521496

[3.] Blythe S. (2011). "A Critique of Argentine E-Commerce Law and Recommendations for Improvement," Golden Gate University Annual Survey of International and Comparative Law, published by Golden Gate University School of Law, San Francisco, California USA.

[4.] Blythe S. (2006). "A Critique of India's Information Technology Act and Recommendations for Improvement,", Syracuse, Journal of International Law and Commerce, 34 (1), New York, USA

[5.] Blythe S. (2008). "On Top of the World, and Wired: A Critique of Nepal's E-Commerce Law," 8:1 Journal of High Technology Law, Boston, Massachusetts USA

[6.] Blythe S. (2005). "Digital Signature Law of the United Nations, European Union, United Kingdom and United States: Promotion of Growth in E-Commerce with Enhanced Security," 11: 2 Richmond Journal of Law and Technology 6

[7.] Blythe S. (2006). "Singapore Computer Law: An International Trend-Setter with a Moderate Degree of Technological Neutrality," 33 Ohio Northern University Law Review 525-562

[8.] Blythe S. (2008). "E-Signature Law and E-Commerce Law of the European Union and its Member States," The Ukrainian Journal of Business Law, pp. 22-26, May, 2008, Kiev, Ukraine

[9.] Blythe S. (2008). "Armenia's Electronic Document and Electronic Signature Law: Promotion of Growth in E-Commerce via Greater Cyber-Security," Armenian Law Review, May, 2008

[10.] Blythe S. (2007). "Azerbaijan's E-Commerce Statutes: Contributing to Economic Growth and Globalization in the Caucasus Region," 1:1 Columbia Journal of East European Law 44-75

[11.] Blythe S. (2006). "The Barbados Electronic Transactions Act: A Comparison with the U.S. Model Statute," 16 Caribbean Law Review 1

[12.] Blythe S. (2008). "Bulgaria's Electronic Document and Electronic Signature Law: Enhancing E-Commerce With Secure Cyber-Transactions," 17:2 TRANSNATIONAL LAW AND CONTEMPORARY PROBLEMS 361

[13.] Blythe S. (2010). "Rangoon Enters the Digital Age: Burma's Electronic Transactions Law as a Sign of Hope for a Troubled Nation," 3:1 International Business Research

[14.] Blythe S. (2007). "China's New Electronic Signature Law and Certification Authority Regulations: A Catalyst for Dramatic Future Growth of E-Commerce," 7 Chicago-Kent Journal of Intellectual Property, (1)

[15.] Blythe S. (2009). "Computer Law of Colombia and Peru: A Comparison With the U.S. Uniform Electronic Transactions Act," a book chapter in INTERNET POLICIES AND ISSUES, Frank Columbus, Editor, Nova Science Publishers, Inc., New York, USA

[16.] Blythe S. (2008). "Croatia's Computer Laws: Promotion of Growth in E-Commerce Via Greater Cyber-Security," 26: 1 European Journal of Law and Economics, pp. 75-103

[17.] Blythe S. (2007). "The Dubai Electronic Transactions Statute: A Prototype for E-Commerce Law in the United Arab Emirates and the G.C.C. Countries," 22:1 Journal of Economics and Administrative Sciences 103

[18.] Blythe S. (2008). "Finland's Electronic Signature Act and E-Government Act: Facilitating Security in E-Commerce and Online Public Services," 31:2 Hamline Law Review 445-469

[19.] Blythe S. (2005). "Electronic Signature Law and Certification Authority Regulations of Hong Kong: Promoting E-Commerce in the World's 'Most Wired' City," 7 North Carolina Journal of Law and Technology 1

[20.] Blythe S. (2007). "Hungary's Electronic Signature Act: Enhancing Economic Development With Secure E-Commerce Transactions", 16:1 Information And Communications Technology Law 47-71

[21.] Blythe S. (2009). "Internet Law As A Potential Catalyst For Growth Of Caribbean E-Commerce: Jamaica's Statute As A Model," a paper presented and published in the Readings Book of The Academy of Business Administration Global Trends Conference, Cancun, Mexico, December 19-22

[22.] Blythe S. (2006). "Cyber-Law of Japan: Promoting E-Commerce Security, Increasing Personal Information Confidentiality and Controlling Computer Access," 10 Journal of Internet Law 20

[23.] Blythe S. (2007). "Lithuania's Electronic Signature Law: Providing More Security in E-Commerce Transactions," 8 Barry Law Review 23

[24.] Blythe S. (2006). "Pakistan Goes Digital: the Electronic Transactions Ordinance as a Facilitator of Growth for E-commerce," 2:2 Journal of Islamic State Practices in International Law 5

[25.] Blythe S. (2007). "Slovenia's Electronic Commerce and Electronic Signature Act: Enhancing Economic Growth With Secure Cyber-Transactions," 6: 4 The I.C.F.A.I. Journal of Cyber Law 8-33

[26.] Blythe S. (2006). "The Tiger on the Peninsula is Digitized: Korean E-Commerce Law as a Driving Force in the World's Most Computer-Savvy Nation," 28: 3 Houston Journal of International Law 573-661

[27.] Blythe S. (2006). "Taiwan's Electronic Signature Act: Facilitating the E-Commerce Boom With Enhanced Security," a paper presented and published in the Proceedings of The Sixth Annual Hawaii International Conference on Business, Honolulu, Hawaii USA, May 25-28

[28.] Blythe S. (2006). "Computer Law of Tunisia: Promoting Secure E-Commerce Transactions with Electronic Signatures," 20 Arab Law Quarterly 317-344

[29.] Blythe S. (2009). "The New Electronic Commerce Law of the United Arab Emirates: A Progressive Paradigm for Other Middle Eastern Nations to Emulate," a paper presented and published in the Proceedings of The Annual International Conference on Global Business, Dubai, United Arab Emirates, May 10-13

[30.] Blythe S. (2006). "South Pacific Computer Law: Promoting E-Commerce in Vanuatu and Fighting Cyber-Crime in Tonga," 10: 1 Journal Of South Pacific Law

[31.] Blythe S. (2009). "The Proposed Computer Laws of Uganda: Moving Toward Secure E-Commerce Transactions and Cyber-Crime Control," a paper to be presented and published in the Proceedings of the tenth Annual Conference of The International Academy of African Business and Development, Kampala, Uganda, May 19-23

[32.] Blythe S. (2012). The E-Commerce Law Trilogy, Volume 2: An E-Commerce Law For The World: The Model Electronic Transactions Act (Bloomington, Indiana USA: Xlibris Corporation, 2012).

[33.] Boss A. (2009). "The Evolution of Commercial Law Norms: Lessons To Be Learned From Electronic Commerce," 34:3 Brooklyn Journal of International Law 673, 689-90

[34.] Chan W.H., F. (2006). "E-Commerce All at Sea: China Welcomes Digital Bills of Lading Under the Electronic Signature Law 2005", 3 Oklahoma Journal of Law and Technology 31

[35.] Chung C.Y. ,R. (2003). Hong Kong's 'Smart' Identity Card: Data Privacy Issues and Implications for a Post-September 11th America, 4 ASIAN-PACIFIC L. & POL'Y J. 442

[36.] Dessent M. (2002), Browse-Wraps, Click-Wraps and Cyberlaw: Our Shrinking (Wrap) World, 25 T. Jefferson L. REV. 1, 4

[37.] The European Parliament and The Council of 13 December 1999, European Union Directive 1999/93/EC on a Community Framework for Electronic Signatures, (1999/93/EC)--19 January 2000, OJ L OJ No L 13 p.12.

[38.] Fischer Frederick S.(2001). "California Saving Rosencrantz and Guildenstern in a Virtual World? A Comparative Look at Recent Global Electronic Signature Legislation," Association of American Law Schools 2001 Annual Meeting, Section on Law and Computers, 7 B.U. J. SCI. & TECH. L. 229, 233

[39.] Froomkin M. (1996). "The Essential Role of Trusted Third Parties in Electronic Commerce," 75 OR. L. REV. 49, 58

[40.] Ganciu, O. M. (2001). International Telecommunications Union, Regional Seminar on Information Society and E-Commerce, Moscow, Russian Federation, 3-5 July 2001, "E-Commerce in Romania," Document No. 10, pp. 2-3; http://www.itu.int/ITU-D/ecdc/Seminars/ MoscowCIS/Presentations/romania.pdf.

[41.] Hallerman D. (1999). "Will Banks Become E-commerce Authorities?," 12 BANK TECH. NEWS, June 1

[42.] Hogan T. (2000). Notes and Comments--Technology, "Now That the Floodgates Have Been Opened, Why Haven't Banks Rushed Into the Certification Authority Business?," 4 N.C. BANKING INST. 417, 424-25

[43.] Lazar, A. (2007), E-Commerce In The Countries Of Central And Eastern Europe, "Romania" March,, p. 7; available at address http://files.gemius.pl/Case_Studies/gemiusAdHoc/ecommerce_in_CEE_Romania_ Short_version.pdf.

[44.] Poggi, Ch. T. (2000). "Electronic Commerce Legislation: An Analysis of European and American Approaches to Contract Formation", 41 VA. J. INT'L L. 224, 250-51

[45.] Pun K.H., Hui, Lucas, Chow K.P., Tsang W.W., Chong C.F. and Chan H.W. (2002). Review of the Electronic Transactions Ordinance: Can the Personal Identification Number Replace the Digital Signature?, 32 HONG KONG L.J. 241, 256

[46.] Republic of Romania, Law no. 365 of June 7th, 2002 on the Electronic Commerce ("ECL"); http://www.legi-internet.ro/en/e-commerce.htm.

[47.] Republic of Romania, Anti-Corruption Law on Preventing and Fighting Cyber-Crime, 2 April 2003 ("CCL"); http://www.legi-internet.ro/en/cybercrime.htm.

[48.] Roland S. (2001). Note, "The Uniform Electronic Signatures in Global and National Commerce Act: Removing Barriers to E-Commerce or Just Replacing Them with Privacy and Security Issues?" 35 Suffolk U. L. REV. 625, 638-45

[49.] Smedinghoff J.Th. (1999). Electronic Contracts: An Overview of Law and Legislation, 564 PLI/P at 125, 162

[50.] Stern E., J. (2001)., Federal Legislation: The Electronic Signatures in Global and National Commerce Act, 16 Berkeley Tech. L.J. 391, 395

[51.] Tang K.Y, D. (1999). Electronic Commerce: American and International Proposals for Legal Structures, in Regulation and Deregulation: Policy and Practice in the Utilities and Financial Services Industries 333, Chrisopher McCrudden ed.

[52.] U.S. Central Intelligence Agency (2011), THE WORLD FACTBOOK, "Romania" 23 August 2011, pp. 3, 13; available at address www.cia.gov/library/publications/the-world-factbook/geos/ro.html.

[53.] United Nations Commission on International Trade Law ("UNCITRAL"), MODEL LAW ON ELECTRONIC COMMERCE WITH GUIDE TO ENACTMENT (hereinafter "MLEC"), G.A. Res. 51/162, U.N. GAOR, 51st Sess., Supp. No. 49, at 336, U.N. Doc. A/51/49 (1996).

[54.] United States of America, National Conference of Commissioners on Uniform State Laws, UNIFORM ELECTRONIC TRANSACTIONS ACT, 7A U.L.A. 20 (Supp. 2000); http://www.law.upenn.edu/bll/archives/ulc/fnact99/1990s/ueta99.htm.

[55.] United States of America, ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT ("E-Sign"), Public Law 106-229, 15 U.S.C. 7001, 114 Stat. 464, 30 June 2000; http://www.esignrecords.org/resources/esign.pdf.

[56.] Zaremba J. (2003). "International Electronic Transaction Contracts Between U.S. and E.U. Companies and Customers," 18 CONN. J. INT'L L. 479, 512

[57.] Wright B. (2001). Symposium: Cyber Rights, Protection, and Markets: Article, 'Eggs in Baskets: Distributing the Risks of Electronic Signatures, 32 WEST L.A. L. REV. 215, 225-26

[58.] "The Legality of Electronic Signatures Using Cyber-Sign is Well Established," CYBER-SIGN, at http://www.cybersign.com/news news.htm

[59.] "Internet in Romania," WIKIPEDIA, THE FREE ENCYCLOPEDIA; http://en.wikipedia.org/wiki/Internet in Romania.

Stephen E. Blythe

Law and Accounting, College of Business Administration, Abu Dhabi University, Abu Dhabi, United Arab Emirates

ecommercelaw@hotmail.com
COPYRIGHT 2012 Springfield Publishing Corporation
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2012 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Blythe, Stephen E.
Publication:International Journal of Emerging Sciences
Article Type:Report
Geographic Code:4EXRO
Date:Mar 1, 2012
Words:8775
Previous Article:Detection of abnormal masses using divide and conquer algorithmin digital mammogram.
Next Article:The effect of monetary policy shock on employment and output: the case of Turkey.
Topics:

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters