Australian Society of Archivists
Electronic Records Special Interest Group
Managing Websites Seminar: Gearing up for the
e-commerce era
Legal and recordkeeping issues associated with
management of websites
Barbara Reed, Recordkeeping Systems Pty Ltd
1. Introduction: what are websites?
To discuss websites in relation to legal and recordkeeping issues,
we first have to agree what a website is. Indeed, as we always find
when these issues come to light, a website is a more complex thing
than we would have it at a superficial glance. At a superficial glance
a website is that thing we access using the URL (uniform resource
locator) in a web browser such as Internet Explorer or Netscape. But:
- is the website a simple page, or
- is it the whole of the connected sets of pages linked through the
top level of increasingly complex networks of documents, or
- does it include all the links associated with the web pages, or
- does it include the transactional data bases which support
interaction on the website, or
- is a web page an increasingly transitory thing, being constructed
‘on-the-fly’ from data located elsewhere but put together
to fit the profile of user and information that an individual is
fitted to when hitting the URL?
For the purposes of this discussion, I’ve adopted the
definition by McClure and Sprehe(1):
‘a website is a set of Uniform Resource Locators that
fall under a single administrative control’.
However, the introductory musing on what a website may be does
introduce us to the concept that this form is evolving and is not a
static or passive thing, either in how it is being thought about or
in how we view or interact with it.
Jay Alden(2) has characterised three major stages
of web development.
Stage One, Experimentation has the following characteristics:
- mimics the current organisation;
- driven by personality and organisational processes; little
influence by users;
- islands of adoption that lack standardisation;
- no mission critical applications;
- little impact on organisational performance.
Stage Two, Institutionalisation:
- diverges from organisational structure;
- still driven by organisation processes but users have input to
functionality;
- standardisation and interactivity;
- support for mission critical applications;
- impact on organisational performance is more tactical than
strategic.
Stage Three, Ubiquity:
- little relationship to organisational structures;
- users have great control over interface and functionality;
- high degree of user interactivity;
- primary means for performing mission critical applications;
- organisational performance is highly dependent on web
functionality.
Other taxonomies for websites have been proposed. Another useful set
is to consider websites as being ‘billboard, informational or
transactional’.
Whichever taxonomy is adopted, it is clear that websites are not
standard forms, but things which are doing different things for
organisations or individuals at different stages of their development.
We need to take care that we don’t lose sight of what function a
website is performing, as this is, as always in recordkeeping, a key
determinant in working out how to manage it.
2. Preliminary recordkeeping concerns
Most of the implementations of web sites are somewhere between the
second and third stages of the taxonomies described above.
For recordkeepers, the first two stages are really pretty boring. It
is here that we see websites as essentially passive sites. They
present information that is basically static. They can be seen as
equivalent to public relations or marketing forms, acting as a
more-or-less fixed public front. Technically, every time a user
accesses a website it is a transaction and records could be captured,
but such transactions are generally not very interesting to
recordkeepers. The closest analogy for such static webpages is the
publishing process which in itself has recordkeeping issues associated
with it, issues which I will return to at the end of this paper.
It is when we get to the ubiquitous or transactional stage of
websites that recordkeepers really need to be able to engage with the
technology - both with the technology as an agent creating records and
the technology as an interface between agents creating records.
Conducting business on the web is enabled through interactive websites
– such interactive websites might create interfaces with business
application systems to create and deliver views of information to
customers/clients and provide mechanisms for customers/clients to
interact with organisations. Once this commences, we have business
transactions happening. Such transactions, as we all know, are the
primary concern of recordkeepers and we need to be extremely active in
establishing rules for working out what records of the transactions we
need to keep and/or enabling technological methods for capturing
records of those transactions. Unfortunately, most of our traditional
recordkeeping tools will not help us greatly in this area at the
moment.
3. Speed of uptake and business drivers
In thinking around these issues it is very important to grasp that
the way organisations are employing websites is changing dramatically
and very quickly. One of the major drivers towards such change is the
thrust towards electronic service delivery on line. At a federal
government level this is being actively pushed by the government, with
delivery promises such as those found in the 1997 Investing For
Growth(3) document which establishes the goal of
the conduct of all government payments electronically by 2000.
Governments, at all levels nationally and internationally, are
actively promoting the use of the web as a major part of the
e-commerce infrastructure.
In terms of the technology uptake, a recent report from NOIE(4)
suggests that, in Australia:
- 22% of households were online in May 1998;
- 48% of small businesses and 82% of medium businesses were
connected to the internet by February 1999; and
- 12% of small businesses and 18% of medium businesses were using
e-commerce to sell their products and services. Projections of these
figures lead the government to anticipate an increase in these
proportions by 2000 to 30% of small business and 38% of medium
business.
It is not difficult to see why e-commerce or e-business is
attracting attention: the cost of delivering services which use
machines instead of employees is proven to be significantly reduced in
many business areas. Within the banking environment, for example, the
cost of delivering a customer transaction via a bank branch is
estimated to be $1.08 but using internet banking, the same transaction
is estimated to cost $0.13(5). Most businesses do
not have the same level of client interaction as banks, and despite
the general hype that abounds, it is business to business transactions
(B2B) that are anticipated to be the area of major commercial uptake.
In pushing for an active adoption of e-commerce frameworks the
importance of web technology and protocols is paramount. Such
technology architectures are very different from the old EDI
(electronic document interchange) environments which were essentially
dedicated networks established between closed communities of known
partners, where specific contractual relationships were agreed,
specific software for particular uses developed, and sets of rules and
protocols agreed. In contrast, the web is an open standards
environment using protocols of TCP/IP, routing and communications
protocols, html, dynamic html and increasingly XML to conduct
interactive transactions. Using the protocols of this environment
doesn’t depend on pre-established agreements, software and rules.
The environment is open to all and anyone can join in.
4. Legal/regulatory Framework
The present Federal government, in common with most other national
governments, has been working out the type of regulatory frameworks
that need to apply in order to foster the growth of electronic
commerce. This government and many others world wide have been
reluctant to regulate. This is in part a pragmatic response, as early
regulators tended to regulate for specific technologies, for example
in the area of digital signatures in some US legislatures. Obviously
with the speed of movement of technology, such approaches are not
viable over time.
In Australia, the Federal government has taken the lead in
establishing frameworks for electronic commerce. This has been in four
major areas:
- Trade Practices and consumer confidence;
- Privacy (now a light touch, not a light handed approach);
- Electronic Transactions, and
- Authentication.
Each one of these areas is administered by a separate government
agency, which has led to a plethora of agencies concerned with
electronic commerce issues.
4.1 Trade Practices and consumer confidence
Trade Practices and consumer confidence issues are being managed by
the Australian Competition and Consumer Commission. The Trade
Practices Act, 1974 is relevant for electronic transactions.
Part 5 contains a range of provisions protecting consumers and
corporations as consumers, including s.52, which deals with misleading
and deceptive conduct and prohibits conduct which is misleading or
deceptive, or which is likely to mislead or deceive. Sellers are
required to tell the truth or to refrain from giving an untruthful
impression, including disclosure of relevant information. S.53
prohibits false claims about sponsorship, approval, performance
characteristics, accessories, uses or benefits of goods and services.
These restrictions will apply to electronic transactions and
electronically supplied information as well as to physical goods and
services.
A Policy Framework for Consumer Protection in Electronic
Commerce(6) was released for comment in May
1999. Comments are expected to be in at the end of November.
4.2 Privacy
Privacy has been a vexed issue for the present government which
resolved not to extend the privacy net beyond government. However,
they seem to have been forced to move by the understanding that over
56% of Australians are concerned about the invasion of privacy issues
enabled by the new information technologies. This initial approach has
now been somewhat modified by the adoption of the National
Principles for the Fair Handling of Personal Information
based on the development of industry and business codes of practice
that are consistent with the standards laid down in the existing
Privacy legislation and which are approved by the Privacy
Commissioner. There are many vocal critics of the regulatory
environment relating to privacy, and recently, the stricter
requirements on privacy set by the European Union, particularly in the
area of electronic commerce, are influencing government policy
directions. New legislation to formally extend this coverage beyond
business self regulation is expected to be introduced by the end of
1999(7).
The approach to privacy regulation in Australia has been the subject
of controversy. The NSW Privacy Commissioner, for instance, argues
that such approaches are not in the interests of business and that the
way the provisions have been framed will leave individuals unclear
about what rules apply over which types of transactions - even from a
single source. Significant social concerns about data warehousing,
matching and exploitation exist.(8)
4.3 Electronic Transactions
The Electronic Transactions Bill(9) is a
recordkeeping bill and is the government's response to the Expert
Group constituted to look at the legal framework for Ecommerce(10).
It was presented to parliament in June 1999. It is based on the United
Nations Model Law on Electronic Commerce and will form the basis of
national legislation to be adopted by each of the states and
territories. This bill is based on the principles of:
- Technology neutrality; and
- Functional equivalence.
“Electronic communication” is defined as:
‘a communication of information by means of guided
and/or unguided electromagnetic energy. The term “communication”
should also be interpreted broadly. Information that is recorded,
stored or retained in an electronic form but is not transmitted
immediately after being created is intended to fall within the scope
of an “electronic communication”’.
Transaction is also broadly defined, to include transactions of a
non-commercial nature. (The term “transaction” is defined in
clause 5.) It is intended to:
‘be read in its broadest sense of doing something,
whether it be conducting or negotiating a business deal or simply
providing information or a statement. It should not be read narrowly
to confine it to contractual or commercial relationships. Nor is it
limited to the actual transmission of the information.’
Of further interest to recordkeepers are the following clauses:
- Clause 9: Writing
- Clause 10: Signature
- Clause 11: Production of document
- Clause 12: Retention
- Clause 14: Time and place of dispatch and receipt of electronic
communications
- Clause 15: Attribution of electronic communications.
The Bill identifies and defines:
- Useability
- Accessibility
- Reliability
- Integrity
- Authenticity.
4.4 Authentication
The fourth major area identified above is that of authentication.
This area is one which is still being worked through after some
abortive starts. A new body has been recently established to advise on
policy issues: the National Electronic Authentication Council.
At present the authentication frameworks focus on the identity of
the sender. The issue of digital signatures and trusted third parties
as authenticators of identity are being worked through. Issues of
authenticating transactions, or authenticating authority to do
particular business are not yet well articulated or addressed.
These broader issues of authentication concern recordkeepers who are
responsible for the maintenance of reliable evidence of transaction. A
further issue is that of encryption and the robustness of the
mechanisms that are available to ensure that transactions are
trustworthy and untampered with. For recordkeepers, encryption is also
an issue concerning when and how records are captured.
The development of frameworks and standards for authentication has
been outsourced to Standards Australia, which is specifically
responsible for developing a framework of technical standards and
codes of business practice.
5. Recordkeeping issues
Web sites and web pages can be regarded as just another medium. What
is really important is what is being done and, as recordkeepers, this
is how we should approach the management of all formats.
Questions such as ‘are web pages records’ are slightly
bizarre. Unfortunately things get muddy when web pages are looked at
out of context. If the focus of the question is on the artefact - the
webpage - then web pages are being regarded as passive information
resources, and are perhaps the purview of the librarianship
discipline. As websites evolve into more active sites conducting
business, this artefact view ceases to be relevant. The electronic
transaction is the record and the record relates to the business being
transacted. The synergy between record and business becomes much
stronger.
At early stages of web development it might be possible to be a bit
dismissive and say that websites are variants of a paper form and that
the authoritative record is to be found somewhere else, perhaps in
paper form. But this comfortable assumption ceases to be true very
quickly. Even for passive documents (i.e. those with little
interactivity connected) the premise is flawed, as the degree of
reliance placed upon the electronic version distributed via the
intranet or internet forces us to regard the electronic version as the
locus of authority.
Passive sites will need to comply with the legislative frameworks
outlined above.
There have been a number of responses for recordkeeping relating to
websites: the most typical is to pretend that this stuff is not a
threat, an approach that is very limited in its application.
A second approach is to regard the record of transactions relating
to websites as located within the publishing process. This approach is
to capture the record as a part of a publishing process – the
process guiding the placement of material onto the web. While this is
valid up to a point, it still regards websites as different and
separate from the conduct of business. A third approach is to catch
the record where the business responsibility lies - but is the form of
the record as it is being processed in business the same form as it
appears on the web?
The linking of web based documents with other transactional records
from the point where the business is generated is obviously much more
consistent with approaches endorsed by recordkeeping frameworks.
However, the problems here are that the business units and the
publishing process need to coalesce and coordinate in ways that are
often not well worked through.
Obviously web pages need to be linked to electronic recordkeeping
systems. While some of our recordkeeping packages can capture these
formats, it is not the format that is the problem; it is the capture of
appropriate context.
Once businesses move to integrating web sites with business systems,
creating active websites, the problems become much more complex. These
web sites generate records ‘on the fly’, often tailored in
presentation views to the customer profile of the person interacting.
In this environment we need to maintain much more complex records than
merely those of ‘publishing’ a particular web page. At present
the answers seem to be in maintaining logs of web transactions, with
more detailed documentation of the web pages update process, with some
advocating snapshots of whole web sites at strategic times. I think
that this response is inappropriate, for all the reasons that database
records and audit logs are inappropriate as a strategy for capturing
records of evidence.
The newer transactions need different strategies - ones that are not
yet around in recordkeeping systems. We need to have trigger events -
possibly taken from event logs, which then populate specified fields
and lock the transaction into context at the time it is taking place.
To do this we need robust metadata specifications and recordkeeping
functionality built into the transaction based things that are
happening on the web. We need to build records from the things
happening via web sites, in ways that we can just begin to imagine.
Unfortunately the software vendors for recordkeeping software can't
even begin to see those glimmers of imagination. There is a short
window of great opportunity here and we have many of the structural
planks in place: conceptual thinking; emerging metadata sets(11),
understanding of some of the distributed network architectures and
tools for grabbing metadata from various sources. What we need to do
is to get some viable operational examples of this stuff working in
practice. This will be our next challenge.
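One way to realise the trigger-event capture described in this section, as an added example that is not from the original paper: each event populates a fixed set of context fields at the time it occurs and is sealed with a hash that also covers the previous record. The field names, the sample events and the use of a SHA-256 hash chain as the "lock" are assumptions made for illustration; they are not drawn from any of the metadata schemas cited here.

```python
import hashlib
import json

# Hypothetical context fields (assumption; not from a published metadata schema).
REQUIRED_FIELDS = ("event_id", "occurred_at", "agent", "business_function", "action")
GENESIS = "0" * 64  # seal value that precedes the first record


def canonical(obj):
    """Serialise deterministically so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def capture_record(event, rendered_view, prev_seal):
    """Populate the specified fields from a trigger event and lock them."""
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if missing:
        # A record without its business context is not worth sealing.
        raise ValueError(f"event lacks context fields: {missing}")
    record = {f: event[f] for f in REQUIRED_FIELDS}
    # The page was built on the fly for this user, so bind the exact bytes shown.
    record["view_sha256"] = hashlib.sha256(rendered_view).hexdigest()
    record["prev_seal"] = prev_seal
    record["seal"] = hashlib.sha256(canonical(record)).hexdigest()
    return record


def view_matches(record, rendered_view):
    """Check that a stored page rendering is the one the record was sealed with."""
    return hashlib.sha256(rendered_view).hexdigest() == record["view_sha256"]


def verify_chain(records):
    """Return the index of the first altered or out-of-place record, or -1."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "seal"}
        if rec.get("prev_seal") != prev:
            return i  # a record was removed, inserted or reordered
        if hashlib.sha256(canonical(body)).hexdigest() != rec.get("seal"):
            return i  # a field was changed after capture
        prev = rec["seal"]
    return -1


# Constructed sample trigger events with the page content each user was shown.
SAMPLE_EVENTS = [
    ({"event_id": "evt-001", "occurred_at": "1999-11-10T09:15:02+11:00",
      "agent": "customer:C-1042", "business_function": "payments",
      "action": "payment of $120.00 submitted"},
     b"<html>Confirm payment of $120.00</html>"),
    ({"event_id": "evt-002", "occurred_at": "1999-11-10T09:15:40+11:00",
      "agent": "system:payments-gateway", "business_function": "payments",
      "action": "payment of $120.00 accepted"},
     b"<html>Payment accepted</html>"),
    ({"event_id": "evt-003", "occurred_at": "1999-11-10T09:16:05+11:00",
      "agent": "customer:C-1042", "business_function": "payments",
      "action": "receipt viewed"},
     b"<html>Receipt for $120.00</html>"),
]


def build_sample():
    """Capture the constructed events in order, chaining each seal to the last."""
    records, prev = [], GENESIS
    for event, view in SAMPLE_EVENTS:
        rec = capture_record(event, view, prev)
        records.append(rec)
        prev = rec["seal"]
    return records


if __name__ == "__main__":
    print("first failing record:", verify_chain(build_sample()))
```

A chain like this shows that a record was altered or removed, but anyone able to rewrite the whole store can recompute every seal, so the most recent seal needs to be held somewhere the web application cannot write to.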
6. Conclusion
While these issues are being worked through, as recordkeepers we
should be:
- advocating integration with business processes;
- understanding that web transactions are business transactions and
fall under the same set of recordkeeping business and policy rules;
- use of the electronic record systems that are around;
- advocacy with web managers;
- promulgation of business understanding of risks and liabilities
in this medium;
- keeping up to date with the fast moving, light handed, regulatory
framework; and
- advocacy of recordkeeping issues with policy bodies such as
NOIE and NEAC.
Recordkeeping References
McClure and Sprehe, Guidelines for Electronic Records Management on
State and Federal Agency Websites, February 1998,
http://www.istweb.syr.edu/~mcclure/
Information Management Forum, Internet/Intranet Working Group, An
Approach to Managing Internet and Intranet Information for Long Term
Access and Accountability, September 1999
http://www.imforumgi.gc.ca/forum_e.html
Information Management Forum, Internet/Intranet Working Group,
Managing Internet and Intranet Information for Long Term Access and
Accountability – Implementation Guide, September 1999
http://www.imforumgi.gc.ca/forum_e.html
John McDonald, 'Managing Internet and Intranet information for long
term access and accountability' presentation slides for talk to
Records Management Institute, 10 November 1999, which was based on the
presentation done for the Monash University/Recordkeeping Systems
seminar, ‘Doing Business Electronically’
http://www.recordkeeping.com.au
© Copyright Barbara Reed 2000
Footnotes
(1) McClure and Sprehe, Guidelines for Electronic
Records Management on State and Federal Agency Websites, February 1998,
http://istweb.syr.edu/~mcclure/
(2) Jay Alden, ‘Strategic Impact from Websites’
Presentation,
http://istweb.syr.edu/~mcclure/web-eval-ho/index.htm
(3) Investing for Growth, 1997
http://www.dist.gov.au/growth/html/infoage.html
(4) National Office for the Information Economy, ‘E-Australia.com.au:
Australia’s e-commerce report card’, November 1999
http://www.noie.gov.au
(5) Booz Allen Hamilton, at
http://www.bah.com/press/bankstudy.html
(July 1999)
(6) http://www.treasury.gov.au/
(7) The Privacy Amendment (Private Sector) Bill was released for
public comment on 14 December 1999 (with comments due by 17 January
2000!).
(8) For an example of the criticisms being made,
see Roger Clarke, Submission to the Commonwealth Attorney General Re:
‘A privacy scheme for the private sector: Release of Key
Provisions’ of 14 December 1999,
http://www.anu.edu.au/people/Roger.Clarke/DV/PAPSSub0001.html
(January 2000)
(9) Available from Commonwealth Attorney General’s
home page: http://www.law.gov.au/publications/ecommerce/
(10) Electronic Commerce: Building the Legal
Framework, March 1998, Report of the Electronic Commerce Expert Group
to the Attorney General,
http://www.law.gov.au/aghome/advisory/eceg/ecegreport.html
(11) The most obvious cross sectoral standard is
emerging from the Monash University collaborative research project
which has produced the Australian Recordkeeping Metadata Schema, see
http://www.sims.monash.edu.au/rcrg/,
and jurisdiction specific sets which have been influenced by this set,
including the National Archives of Australia: Recordkeeping Metadata
Standard for Commonwealth Agencies, May 1999, available from the NAA
website at
http://www.naa.gov.au/recordkeeping/control/rkms/summary.htm
and the emerging NSW State Records Metadata Set.