A transactional-cycle approach to evidence management for dispute resolution

https://doi.org/10.1016/j.im.2004.04.002

Abstract

Dispute resolution, a necessary function in electronic commerce, must rely on evidence that includes mechanisms to ensure non-repudiation of actions by the participants. In open systems comprising computer networks, this “non-repudiation service” is one type of security service defined in the ISO/IEC standards. These, as well as other literature, have defined a system framework for such a service. Evidence management is the central part. We propose a new methodology for evidence management with a model using a transactional cycle in which evidence is collected in compliance with the legal concept of chain-of-evidence. Evidence then exists as a set of relevant pieces instead of an atomic item. A case study involving credit-card-over-SSL transactions was used to demonstrate how the model works. Our aim was to present a new approach and show that evidence accountability can be better ensured.

Introduction

Disputes are inevitable in business, and their resolution is necessary in electronic commerce just as it is in any other form of business. But disputes cannot be legally resolved unless the evidence underlying them has been previously recorded. A non-repudiation service establishes evidence and is one type of security service for open systems [6]. We reviewed the literature on information security and found that these services have been less discussed than others, such as authentication. Pertinent international standards on non-repudiation include ISO/IEC 10181-4 [7], 13888-1 [8], 13888-2 [9], and 13888-3 [10], which deal mainly with general concepts of evidence and define the system framework and some mechanisms for non-repudiation. The goal of this type of service is to generate, collect, maintain, make available, and validate irrefutable evidence concerning a claimed event or action in order to resolve disputes about the occurrence of the event or action.

Because accountability rests on the evidence, evidence management is a critical part of the security framework. Previous research [3], [15], [18], [19], [20] treated evidence management as a unit of evidence tied to a particular event or action, but this fails to capture the complete context. Since no business activity is atomic, we must consider a series of activities that together form a complete transaction, rather than an isolated unit. It follows that evidence does not exist as an atomic piece but as a chain-of-evidence. This concept was originally introduced in law enforcement; we integrate it with evidence management to trace the accountability of each event or action within the overall transaction.
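To make the chain-of-evidence idea concrete, the following Python model (added here; it is not the paper's own code or method) links each piece of evidence generated along an assumed B2C transactional cycle to the piece before it, validates that the cycle is intact and complete, and draws the trace-back map from a disputed step to the actors accountable before it. The step names, actors and sample payloads are constructed for illustration, and a SHA-256 digest stands in for the per-actor digital signature that a real non-repudiation service would attach to each record.

```python
import hashlib
import json
# Assumed B2C transactional cycle; the step names are this example's own, not the paper's.
CYCLE = ("order", "payment", "delivery", "receipt")
GENESIS = "0" * 64

def _digest(body):
    # Canonical JSON so every party computes the same digest for the same record.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_evidence(step, actor, payload, prev_digest):
    # One piece of evidence, linked to the preceding piece by that piece's digest.
    body = {"step": step, "actor": actor, "payload": payload, "prev": prev_digest}
    return {**body, "digest": _digest(body)}

def build_chain(events):
    # events: (step, actor, payload) tuples in the order they occurred.
    chain, prev = [], GENESIS
    for step, actor, payload in events:
        chain.append(make_evidence(step, actor, payload, prev))
        prev = chain[-1]["digest"]
    return chain

def validate_chain(chain, cycle=CYCLE):
    # Returns (ok, problems): each link intact, in cycle order, and the cycle complete.
    problems, prev = [], GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("step", "actor", "payload", "prev")}
        if _digest(body) != rec["digest"]:
            problems.append(f"{rec['step']}: record altered after generation")
        if rec["prev"] != prev:
            problems.append(f"{rec['step']}: not linked to preceding evidence")
        if i >= len(cycle) or rec["step"] != cycle[i]:
            problems.append(f"{rec['step']}: out of place in the transactional cycle")
        prev = rec["digest"]
    problems += [f"{step}: no evidence generated" for step in cycle[len(chain):]]
    return (not problems), problems

def trace_accountability(chain, step):
    # The map back from a disputed step to every step and actor that preceded it.
    for i, rec in enumerate(chain):
        if rec["step"] == step:
            return [(r["step"], r["actor"]) for r in chain[: i + 1]]
    return []

# Constructed sample transaction (not taken from the paper's case study).
SAMPLE = build_chain([("order", "buyer", {"item": "book-123", "qty": 1}),
                      ("payment", "bank", {"auth_code": "A1", "amount": 20}),
                      ("delivery", "courier", {"tracking": "T9"}), ("receipt", "buyer", {"ack": True})])
```

A dispute of the "I didn't receive it" kind is then answered by validating the chain and tracing back from the delivery step, rather than by inspecting a single isolated record.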

Section snippets

A business-to-consumer transaction cycle

Business-to-consumer (B2C) activities are an important type of electronic commerce involving: (i) the buyer/payer; (ii) the seller/payee; (iii) the financial institution; and (iv) the delivery authority. Only if money flow and logistics operate in coordination can the activity complete successfully. Tygar [16] discussed atomic transactions in electronic commerce and defined three levels: money, goods, and certified delivery. Money transactions deal with the transfer of funds. Goods transactions

Evidence management

The primary types of consumer problems, according to a report of the OECD Committee on Consumer Policy [4], can be divided into: “I didn’t do it” (unauthorized transactions), “I didn’t receive it”, and “I don’t want it.” Irrespective of the approach taken to settle disputes, the important first step is to establish evidence. Non-repudiation services deal with this, and the accountability of the evidence is a key factor in examining the details and context of a claim. Therefore, we have defined a general

Case study: credit-card payment over SSL

A survey of consumer shopping over the Internet, conducted by ActiveMedia Research and reprinted in [12], shows that most credit card transactions utilize systems based on a Secure Sockets Layer (SSL), which is software incorporated in browsers to protect communication security. However, some (27% in the year 2000) Internet shoppers preferred off-line payment. The implication of this is discussed in [14]; apart from security, consumers had misgivings about follow-up processes after

Conclusions

A new evidence-management methodology and its associated establishing procedures were discussed and then applied to a credit-card-over-SSL transaction case. The concept of chain-of-evidence and the transactional-cycle approach were integrated into the evidence-management methodology. Once each piece of stored evidence was generated, a map could be drawn to trace back the accountability of each event or action along the transactional cycle. We presented a systematic treatment of evidence

Acknowledgements

The authors would like to thank the anonymous referees for their helpful comments on an earlier manuscript of this paper, and to thank Prof. Edgar H. Sibley, the Editor-in-Chief, for his excellent editing work and revisions that substantially improved the quality of this paper. Part of this research was funded by the National Science Council of Taiwan under the contracts of NSC 90-2213-059 and NSC 91-2416-H-182-009; the former contract was conducted by the corresponding author (J.J. Hwang)

Min-Hua Shao is a doctoral candidate at National Chiao Tung University in Taiwan. She received her MBA degree in 1998 with a major in information management from National Chengchi University, Taiwan. Her current research interests include information security management and financial services such as Internet banking and payment systems in electronic commerce.

References (20)

  • T.P. Liang et al., Effect of store design on consumer purchases: an empirical study of on-line bookstores, Information & Management (2002)
  • C. Ranganathan et al., Key dimensions of business-to-consumer web sites, Information & Management (2002)
  • J.L. Abad Peiro et al., Designing a generic payment service, IBM Systems Journal (1998)
  • N. Asokan, E.V. Herreweghen, M. Steiner, Towards a framework for handling disputes in payment systems, in: Proceedings...
  • T. Coffey et al., Non-repudiation with mandatory proof of receipt, Computer Communication Review (1996)
  • DSTI/CP (Directorate for Science, Technology and Industry/Committee on Consumer Policy), Report on consumer protection...
  • A.O. Freier, P. Karlton, P.C. Kocher, The SSL protocol version 3.0, Netscape Communications Corporation, November 18,...
  • ISO/IEC, ISO/IEC 10181-1, Information technology—open systems interconnection—security frameworks for open system:...
  • ISO/IEC, ISO/IEC 10181-4, Information technology—open systems interconnection—security frameworks for open system:...
  • ISO/IEC, ISO/IEC 13888-1, Information technology—security techniques—non-repudiation part 1: general,...

Jing-Jang Hwang began his academic career in 1976 as an instructor at National Chiao Tung University (NCTU) in Taiwan. He worked at NCTU for more than 25 years until the summer of 2002, and is now a Professor at Chang Gung University. On leave of absence from NCTU, he studied Business Administration at the University of Cincinnati and then Computer Science at the University of Florida, where he received his PhD degree in 1987. In addition to teaching, he has designed several computerized information systems, including the administrative and library systems of NCTU itself, the business system of a securities brokerage firm, and the office automation system of the judicial courts in Taiwan. Since 1990, he has also been involved in research on cryptography, information security, and electronic commerce, and has contributed research articles, in English as well as in Chinese, to various magazines and journals. He is now an editor of Computer Standards & Interfaces, a journal published by North-Holland.

Soushan Wu received his PhD in Finance from the University of Florida in 1984. He is currently a Chair Professor and Dean of the College of Management, Chang-Gung University, Taiwan. He is also currently a visiting scholar at Clemson University and Hong Kong Polytechnic University. His research interests include Management Science, Investment Science, Capital Markets and Information Systems. He has published more than 90 articles in Research in Finance, Financial Management, Asia-Pacific Journal of Finance, International Journal of Accounting and Information Systems, etc. He is now an editor of several academic journals, including Journal of e-Healthcare, Taiwan Management Review, and Journal of Financial Studies.