This document discusses legal and regulatory issues related to information and communications technology. It covers five core research areas: the networked individual, access to and control of information, information security and trust, information transport through electronic communications, and the emerging electronic society. For each area, it provides examples of relevant legal topics and ongoing discussions around balancing privacy, security and enabling new technologies. The overall aim is to closely monitor the regulatory framework and how it relates to technical research at IBBT.
2. Core Research Areas
The Networked Individual
Access To And Control Of Information
Information Security And Trust
Information Transport – Electronic Communications
The Electronic Society
3. 1. The Networked Individual
The Citizen
The Patient
The Consumer
…
4. Example: the Citizen
E-Government: collect data once and re-use them subsequently for all government services
Data protection legislation: only use personal data for the specific purpose for which they have been collected
5. Discussion: Legal limitations for the use of unique identifiers
Belgium: prohibition to use national number without specific permission
Belgium: promotion of e-ID (with national number) for private transactions
6. Discussion:
How to validate electronic signatures without “using” the national identifier?
7. Similar problems
The Patient
Legal principle: collect data directly from the patient
E-health platforms: sharing health data (BeHealth, Flemish Health Information System)
The Consumer
Legal principle: no direct marketing without consent
Personalisation technologies: proposed legal framework for RFID
8. 2. Information: Access & Control
Content Regulation
Intellectual Property Rights
Public Information: Access & Re-use
Geographical Information Systems
9. Example 1: New legislation on re-using public information
European Directive: promote re-use of government-owned information in commercial applications
Example: company register (KBO)
Belgium: no re-use of personal data without anonymisation
10. Example 2: Geographical information and personal data
ROP (DORO 18/05/99)
Discussion: Can we publish the list of building lots (bouwgronden) on the Internet (without the land register number or the name of the land owner)?
11. Opinion Privacy Commission 27/09/2006
Maps of building lots contain personal data!
• personal data: all data containing information on an identifiable person
• identifiable: every person who can be identified directly or indirectly
• land owners are (very often) natural persons
• via a map or an aerial photograph the name and address of the land owner can be discovered
12. Conclusion Privacy Commission 27/09/2006
- the Register of Building Lots (ROP) has a specific purpose (administration)
- publication of these data on the Internet is not compatible with this purpose
- OK for publication of aerial view but only on 1/50,000 scale and without possibilities for interactive selection
13. 3. Information Security & Trust
Electronic Signatures
Digital Preservation
Cybercrime
15. Example 1: Electronic employment contract
Draft law: possibility to conclude written employment contracts in electronic form
Signature by means of e-ID
Or by « equivalent » means
Employer should guarantee the electronic archival of the contract via an accredited trusted archival service provider (draft law)
16. Example 2: Trusted Third Parties
Draft law: Legal status of TTPs
Electronic archiving
Electronic time stamping
Electronic registered mail
Legal value of documents or transactions can be made dependent on quality conditions
Voluntary accreditation: independent technical auditors
Evaluation profile: to be drafted by technical working group (within Fedict)
Commission for Trusted Services: deals with complaints
17. Example 3: Preservation of invoices
In principle: 2 originals, 7 years (private consumer: 5 years)
Preservation in Belgium, or elsewhere in the EU (subject to online access)
Authenticity and integrity must remain guaranteed
18. Digital archiving of paper invoices
Permitted by law since January 2006
Also valid for « old » invoices
Example: scan all my invoices of 2005
Only valid scans from original invoices (not from parallel files)
If invoice refers to order form: also scan the order form
Very important: scan results in a copy of the invoice
The authenticity and integrity of this copy should be guaranteed!
19. How to guarantee that a copy is « authentic »?
Authentic: copy = original
Not possible by technological means
VAT-Administration: keep your paper invoices for 6 months (after the date of scanning)
Example: I scan all my (paper) invoices of 2005 on 20 January 2007 – Keep original paper invoices until 20 June 2007
20. How to guarantee the integrity?
Scanning process: strict conditions
Scanning software/configuration without edit/import possibilities
Scanning (always) recto/verso - If verso only contains General Terms (scan only once)
Keep original colors / Sufficient resolution
Unique identification number + date/time on the digital image
Immediately secure the digital image (advanced electronic signature or sealing algorithm + WORM)
Identification of the person who scans
Secure scanning environment (protect access)
Possibility for immediate retrieval (e.g. by unique number)
Incoming invoices: first terminate the administrative process (or use OCR and keep the data of the administrative process)
Back up
Document the scanning process (describe company, hardware, software, security measures, etc.)
21. First method: scanning + advanced electronic signature
Scan recto/verso
Keep colors
Minimum 300 dpi/24bit-colors/JPEG2000
Isolated scanning module (no edit/import facility)
PDF or TIFF
Automatically add unique id-number
Add fields with id of operator, login name, date/time of creation, …
Immediately secure with digital signature
Outsourcing: certificate of outsourcer needed
Retrieval using unique id-number of invoice
Possibility to combine unique id-number with other identification data (needed to process the result in ERP system)
Minimum application: 1 subbook of incoming invoices for minimum 12 months starting 1 January (or start accounting year).
22. 2. Second method: scanning + sealing algorithm
Compose seal: seal of previous invoice, invoice date, invoice number, scanning date, sequential nr, VAT numbers of provider/client, VAT amount, total amount
Generate seal (algorithm)
Store seal in a separate record with other data
Link record with previous record
Scan invoice
Write seal on the digital image
Store result on WORM disk
Keep disks on Belgian territory
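The sealing method on this slide amounts to a chain of seals in which each record covers the seal of the one before it. A sketch of that chain, added here as an illustration and not taken from the slides or from any official specification: HMAC-SHA256 stands in for the unnamed seal algorithm, and the key, field names, VAT placeholders and invoice values are constructed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed "previous seal" for the first record
FIELDS = ("invoice_date", "invoice_number", "scanning_date", "sequential_nr",
          "vat_provider", "vat_client", "vat_amount", "total_amount")

def make_seal(key, prev_seal, invoice):
    """Seal = HMAC-SHA256 over the previous seal and the fields listed on the slide."""
    payload = {"prev_seal": prev_seal, **{f: invoice[f] for f in FIELDS}}
    # Canonical JSON: identical field values always serialise to identical bytes.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_record(key, ledger, invoice):
    """Store the seal in its own record, linked to the previous record."""
    prev = ledger[-1]["seal"] if ledger else GENESIS
    record = {f: invoice[f] for f in FIELDS}
    record.update(prev_seal=prev, seal=make_seal(key, prev, invoice))
    ledger.append(record)
    return record

def verify_ledger(key, ledger):
    """Return the index of the first broken record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        expected = make_seal(key, prev, rec)
        if rec["prev_seal"] != prev or not hmac.compare_digest(rec["seal"], expected):
            return i  # edited field, or a record removed/inserted before this one
        if rec["sequential_nr"] != i + 1:
            return i  # gap or reordering in the sequence numbers
        prev = rec["seal"]
    return -1

def build_sample_ledger(key):
    """Three constructed invoices (21% VAT), amounts kept as strings."""
    ledger = []
    for n, (vat, total) in enumerate([("21.00", "121.00"), ("42.00", "242.00"),
                                      ("10.50", "60.50")], start=1):
        append_record(key, ledger, {
            "invoice_date": f"2005-03-{n:02d}", "invoice_number": f"INV-2005-{n:04d}",
            "scanning_date": "2007-01-20", "sequential_nr": n,
            "vat_provider": "BE-PROVIDER-PLACEHOLDER", "vat_client": "BE-CLIENT-PLACEHOLDER",
            "vat_amount": vat, "total_amount": total})
    return ledger

if __name__ == "__main__":
    key = b"constructed-demo-key"
    ledger = build_sample_ledger(key)
    print("intact:", verify_ledger(key, ledger))
    ledger[1]["total_amount"] = "24.20"  # simulate a later edit of record 2
    print("first broken record:", verify_ledger(key, ledger))
```

Because every seal covers its predecessor, changing or removing one record invalidates the chain from that point on; writing the sealed images to WORM media, as the slide requires, keeps the chain itself from being rewritten.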
23. 4. Information Transport – e-Communications
access to communications networks and services
interconnection and interoperability
network integrity and security
radio spectrum allocation
universal service
24. Example: Wholesale Line Rental (WLR)
Fact: introduction of competition in the market of “access to the telephone network from a fixed location” is very slow
Remedy 1: carrier selection / carrier pre-selection
Remedy 2: local loop unbundling
Proposed remedy 3 (intermediate): wholesale line rental (doorverkoop van abonnementen)
26. Convergence
Who is competent to regulate “converged” e-communications?
27. 5. The Information Society
e-Health
e-Voting
e-Business
e-Government
e-Learning
e-Banking
e-Justice
…
28. Example: Proposed Directive on Payment Services
Europe: harmonisation of strict rules for payment service providers (banks, credit card companies, etc.)
New evolution: payment via mobile phone (mobile operator becomes a payment service provider)
Example: m-banxafe (Belgium)
Discussion: from which stage will we apply the strict rules for payment services to mobile operators?
29. Conclusion
IBBT: close interaction between:
Technical & User-Oriented R&D
Monitoring the Regulatory Framework for ICT-Applications