Legal Requirements in E-Commerce Testing
Microsoft Enterprise Services White Paper
E-Commerce Technical Readiness
Note: This white paper is one of a series of papers about applying Microsoft® Enterprise Services frameworks to e-commerce solutions. E-Commerce White Paper Series (http://www.microsoft.com/technet/archive/itsolutions/ecommerce/plan/ecseries.mspx) contains a complete list, including descriptions, of all the articles in this series.
Credits
Program Managers: Raj Nath, Mukesh Agarwal
Other Contributors: Peter Van Niman, Laura Hargrave
On This Page
 | Introduction |
| Requirements and Best Practices |
| Incorporating Legal Standards |
| Surveying the E-Commerce Landscape |
| Conceptualizing Legal Issues in E-Commerce Testing |
| Practical Strategies for Testing |
| Conclusion |
Introduction
Testing to external standards is taking on a new meaning, and sense of urgency in a global economy that is being profoundly transformed by the Internet. As businesses scramble to position themselves in a convergence of computers, mass media, and telecommunications, software applications are increasingly challenged to meet expectations of usability, performance, and reliability.
Particularly in electronic commerce, these qualitative measures are often associated with business rules. In turn, these rules are driven by legal requirements and perceptions of legal risk. As concerns move from basic functionality and robustness to security and confidentiality, an awareness of legal issues can clarify and reinforce best practices in marketing, payment processing, order fulfillment, logistics, inventory, and customer relationship management.
This paper offers a conceptual framework for requirements testing in business-to-consumer e-commerce applications.
Requirements and Best Practices
Best practices refer to lessons learned from experience based on effective ways to plan, build, and manage a dot-com. Best practices result in a clearer understanding of the circumstances that support successful enterprises. These insights range from technical configuration issues to risks associated with business or market factors. Requirements are included in these insights.
Requirements are reasoned and explicit statements about what a system or product is meant to be, and what it is meant to do. In the e-commerce context, clear requirements and specifications can constitute one of the most effective best practice means of enhancing quality. Functional requirements, together with non-functional requirements drawn from business rules and relevant legal standards, play a crucial role in meeting quality challenges.
Legal Requirements
The rules and regulations acting upon an Internet bank, for example, or online securities trading companies, pharmacies, and liquor retailers are examples of legal requirements. These requirements support the framework and constraints that the legal system may impose on certain commercial activities or ways of doing business.
Legal requirements are important in assessing questions about best practices. What are the business pursuits that are best handled online? What is the most effective mix of e-commerce and traditional business methods? In cyberspace, as elsewhere, it's a good idea to anticipate potential legal problems before they come up to minimize potential problems
E-Commerce Quality Challenges
The importance of quality assurance and testing mechanisms is supported by the well-publicized crashes of prominent e-commerce sites, and persistent concerns about bandwidth, security, and privacy. In an intensely competitive marketplace, stringent quality standards are associated with businesses that survive. With the competition only a click away, quality must be an active strategy instead of merely a slogan.
If, during peak buying seasons a sizable fraction of attempted Web purchases fail, or if users complain of dropped connections, then the economic and public relations consequences can be severe. The same is also true when inaccurate records are generated about transactions or customers cannot determine at the time of ordering if the desired items are in stock or when delivery can be expected, or if the purchased goods never arrive. Fundamental questions about whether it is safe to shop online and, if safe, then if really cheaper, faster and more convenient than on Main Street, are asked and answered in each potential customer's site visitation experience. If the visitor experience is negative due to slow response times, outright crashes, or violations of privacy, consumer confidence can be undermined.
Best practices in e-commerce are challenging to achieve1. In business-to-consumer applications, developers are required to be cognizant of and to deliver the following criteria:
| • | Rapid and easy assembly of application modules |
| • | Testing of component functionality and performance |
| • | Designing models to simulate real-world scenarios |
| • | Deployment to a distributed environment 24 hours a day, seven days a week |
| • | Monitoring performance and transactions |
| • | Analyzing effectiveness and gathering business intelligence. |
Managing Requirements
Uncertainty about the purpose of a system or product and its potential enhancements can cause frustration and failure in software projects. In a frequently cited study of 8,380 information technology projects2, 40 percent were canceled before completion, and 33 percent of the remaining projects were deemed "challenged" by cost and time overruns or by changes in scope. The primary contributing factors in these projects were lack of user input, as well as requirements that were incomplete, ambiguous, or changing.
Business functional requirements are derived from high-level objectives that are often contained in a vision and scope document. They are comprised of use-case scenarios that specify the tasks users of a product or system must be able to perform. Nonfunctional requirements also include design and implementation that contribute to money exchange constraints.
Whether derived from informal brain-storming sessions, research or formal models that rely on application data, processes, objects or use scenarios, requirements should be unambiguous, complete, verifiable, consistent, within product scope, modifiable, traceable, and finally, usable during operations and maintenance.
The best practices approach is:
1. | To elicit, analyze, specify, verify, and manage a product's requirements |
2. | To write test cases against those requirements. |
This approach establishes the framework for the static and dynamic compliance checking.
Incorporating Legal Standards
Incorporating business rules, external requirements, and legal standards into testing processes connects quality assurance mechanisms with e-commerce best practices. Testing Web applications usually involves functional and unit evaluations in addition to performance, scalability, and integration checks. Best practices should include a detailed review of the business case to try to balance corporate interests and consumer protection. Specific objectives and competing values can be reconciled during this process.
Next, questions should be asked about scope of the project, including financial resources, personnel, equipment and supplies, change protocol, success criteria, and metrics for assessing the bottom line. Third, inventories should be made of all deliverables, acceptance clauses, and service agreements. Finally, risks should be evaluated, specifically those relating to the selection of vendors and consultants, outsourcing decisions, and the selection of underlying technology.
In the course of this review, definitive quality assurance priorities will emerge. For example:
| • | All critical business functions are identified |
| • | Mechanisms are developed to ensure Internet connectivity |
| • | Systems are activated to guard the security of online transactions |
| • | Privacy audits are conducted to confirm that strategies for protecting customer privacy and confidentiality have worked as expected |
| • | Vulnerabilities are analyzed to prevent hacker attacks |
| • | Disaster avoidance measures are developed, such as redundant systems, alternative routing, precise change controls, encryption, capacity planning, load and stress testing, and access control. |
Consider how particular standards would be incorporated under the critical business functions quality assurance priority. For example, take an online auction that is seller controlled. The process is typically for the seller to offer products through the Web site, and for potential buyers to respond with bids to buy. In some business models, buyers are allowed to see competing bids and to adjust their offers accordingly. In other models, the auction is "blind;" bids are received until expiration of the auction period, and are then reviewed by the seller who selects the best one. Payment and delivery arrangements are handled by the parties that are involved in the transaction.
In the traditional economy, sellers have greater power to set prices unilaterally. Better access to information through the Internet means that online prices are far more sensitive to current market conditions. In markets where supply and demand might be volatile, timeliness and accuracy of precise inventory and cost information can be critical. Legal standards for testing can focus on identity of the potential buyers, authenticity of the bids, and the auction process
These questions help to support a productive test case because they can be used to identify the criteria that is tested:
| • | Do the potential buyers satisfy the criteria to participate in the auction? Are there identification requirements or financial status verifications that need to be checked beyond those covered in the logging process? Do potential buyers know the identity of other bidders? |
| • | Are sellers allowed to place bids in order to generate excitement in the sale and to exert upward pressure on the price? If so, does this behavior constitute deceptive trade practices or fraud? |
| • | Are there clear, explicit procedures that define when a bid is blocked by expiration of the auction period? If high traffic conditions can exist in the last few seconds of an auction period, and potential buyers can see the bids of others, what notice and documentation does a participant receive if their bid is the best and final one? Are there selection criteria for the winning bid that are unknown to potential buyers? |
| • | Are there mechanisms to determine if bids are authentic? In particular, do protections exist to guard against buyers using stolen credit card numbers? If suspected instances of credit card fraud arise, are there clear understandings of which entities and authorities must be notified? Are there appropriate bookkeeping arrangements to record such incidents and losses? |
| • | Are the precise steps and criteria for a final sale of an accepted bid spelled out and available to all participants? |
| • | What safeguards control against mistakes? For example, if a bid is off by a factor of ten, what are the rights and obligations of the auctioneer and buyer? If the auction item is a highly sought-after vintage automobile, and the winning bid is $5 million instead of $500,000, does responsibility rest with the seller or with the party who mistakenly bid too high? If the sale is cancelled because of the mistake, are the other bids preserved, with the car going to the next highest bidder, or must the auction process begin again? |
Surveying the E-Commerce Landscape
Over the past forty years, successive waves of automation and innovations from information technology have created changes in the way business is done. Accounting systems, mainframes, the personal computer revolution, local area networks (LANs), electronic data interchange (EDI), client-server technologies, and enterprise resource planning (ERP) software have reshaped the business landscape.
The Internet's impact will affect profound and lasting changes. Companies all over the world are enabling new processes through the Web, transforming fundamental business rules such as the way a company does business, enters new markets, communicates across the enterprise, and deals with suppliers.
Reduced transaction costs are part and parcel of the impact of the Internet and e-commerce. Because transactions are a part of commerce, the potential savings for business done on the Internet supports the theory that in the future, all transactions will be done online. Taking this a step further, there may also come a time when all business will be electronic. Already the rate of Web-enablement of business processes is growing tremendously, even in the most traditional industries. As constant access to information becomes the standard way of doing business, using the Internet effectively is becoming a necessity.
Legal requirements in e-commerce testing are important because they are so much a part of the effective use of the Internet.
To be sure, some businesses lend themselves more readily to Web processes. It is no coincidence that among the first business processes that companies put on the Web were paper-based and transaction-intensive; many of those processes were related to money. It is also common for businesses to start by capturing customer orders online and then processing them offline.
However, when businesses start with information-only sites and then gradually phase in transactional abilities, you'll see associated planning and efficiency costs. The work doesn't simply end when someone inputs an order. Buyers expect good credit card security and also a high level of customer service. They expect current inventory information and the ability to track the progress of an order through picking, packing, and shipping.
Integration is more difficult. For many e-commerce retailers, selling a product online is becoming surprisingly easy; the challenge is in finding an efficient way to make the product immediately available, and then quickly getting it to the customer. Therefore, digital-age e-commerce companies are brought back to industrial age concerns, such as roads, trucks, warehouses, and airports; ways to speed up the whole system.
As increasing numbers of e-commerce companies opt to outsource the delivery of their products to catalog companies and other businesses with existing warehouse and delivery systems, a possibility arises. Perhaps obtaining and keeping satisfied customers has comparatively little to do with elaborate Web sites, but a great deal to do with getting the goods to the customers. Indeed, some observers are projecting that the next level of intense Internet competition may be time shopping. The emphasis on order fulfillment rings true with surveys that consistently report that while most small and medium businesses have some corporate Web presence, only a third use sites to sell products or provide online customer support.
Defining Electronic Commerce
Typology and nomenclature issues are prominent in new fields of study. Electronic commerce can happen in many ways, either through business-to-business connections or through online retail shopping. E-commerce can also refer to online stock and bond transactions, buying and downloading software, accessing online content and games.
Jonathan Morell at the Center for Electronic Commerce, a research division of the Environmental Research Institute of Michigan, has defined five distinct types of electronic business.
Information Access
In this category, search and retrieval capabilities for public domain and proprietary data archives are provided for a fee. Examples are credit agencies and directory services.
Self Services
These businesses provide important commercial and personnel information 24 hours a day, seven days a week. Examples include self-service applications for online employee benefit enrollment, access to shipping status of customer orders, and online banking.
Shopping Services
These services include retail sales of goods or services through electronic networks and online auctioning. Note that this can go beyond retail sales. It can apply to the purchase of used industrial equipment, commodities, or freight capacity.
Interpersonal Communication Services
Businesses in this area offer enhanced communications that improve levels of two-way cooperation. Examples include online interactive Helpdesks and a purchasing agent that uses e-mail to negotiate a schedule with a supplier.
Virtual Enterprises
These are business arrangements in which trading partners separated by geography and expertise are able to engage in complex joint ventures as if they were a single enterprise. One example is true supply chain integration, where planning and forecast data are transmitted quickly and accurately throughout a multi-tier supply chain. The joint venture announced by General Motors, Ford Motor Company, and DaimlerChrysler to create an online supply network illustrates this level of integration on a very large scale. Another example is non-competing suppliers with a shared, common customer. The suppliers use e-business to allow the customer to do "one stop shopping." In other words, a single phone call will bring the right materials to the right location at the right time.
To generate, carry out, and fulfill E-Commerce transactions has its specific requirements. In fee-based search and retrieval services, examples of legal standards would include (a) ownership and access criteria spelled out in statutes or administrative agency regulations and (b) consumer protection accuracy-in-reporting considerations. Representative test cases would elicit whether the business was entitled to the particular personal information contained in a private database. Other test cases would focus on information available from a public database. For example, are the categories of information neutral (stock quotes, judicial decisions, best-seller lists, house-sale data from multiple listings)? Do the specific items of information raise suspicions of criminal activity, such as identity theft? If the business offers Social Security numbers for sale, are these numbers combined with online data gleaned from consumers' offline purchases from major retailers, catalog companies and publishers?
In the case of businesses covered by federal and state regulations, productive test cases can be developed by following the structure of rules that control how goods and services are produced and sold and advertised.
Shopping services use ongoing best practices throughout production: Attraction of customers to the site(s); Content on goods and services provided to site visitors; Customization enabling visitors to tailor what they want to be ordered, assembled, fulfilled and delivered; Closing the Deal; Payment through credit, debit or cash; Customer Support on information, advice, order status and dispute resolution; Physical Delivery and supply and demand forecasting; and Data Mining analysis of consumer behavior and preferences. Legal requirements in each of these steps come from three areas:
| • | Issues related to what is being sold |
| • | How goods or services are sold |
| • | Attributes of the buyers and target markets |
Legal requirements for Helpdesks include:
| • | Authorization of Helpdesk staff to issue credits up to a certain limit |
| • | Liability for data loss or system misconfiguration |
Virtual enterprises can include extranet arrangements through which both public and private sector requirements are at stake. In a Department of Defense procurement program for a top-secret satellite, the lead contractor could have multi-layer relationships with many different sub-contractors. In some areas of the project, the main contractor and its subcontractors are full partners and need to share data freely. In other areas of the project, the companies are fierce rivals and need to keep their trade secrets and related information proprietary. The government can mandate how the work is undertaken and financed. This type of project features legal requirements specific to the procurement, quality and accounting sectors, as well as other legal requirements that deal with the companies' interests in protecting sensitive data.
Current Trends
More than one million new Web pages are added every day. Many academic and government agency reports point to the Internet's astounding rate of growth in terms of yearly percentage and dollars. Online business-to-business sales that were $45 billion in 1998 are forecast to reach $1.3 trillion in 2002. (The total United States economy is approximately $9 trillion.) Online advertising revenue, estimated at $1.8 billion in 1998, is projected to reach $15 billion in 2003. The U.S. Commerce Department's June, 1999 report on the emerging digital economy supports this sharp upward trend for online retail sales.
| Year | Billions (Dollars) |
1995 | 0.5 |
1996 | 1.1 |
1997 | 2.6 |
1998 | 7.8 |
Preliminary figures for 1999 show online sales close to $10 billion.
United States retail sales figures, compiled monthly since 1951, have been used as a key indicator of how the economy is doing. However, characterizing monthly revenue totals and knowing where online earnings fit is a challenge. Beginning in October of 1999, the Commerce Department is asking the 13,300 retailers it already queries as part of its Monthly Retail Trade Survey to report how much of their sales revenue was generated online.
Until now, these numbers have been hard to obtain. Publicly traded retailers are required to report their sales figures quarterly, but those with brick-and-mortar operations are not required to break out Web sales. Very large online companies like Amazon.com do not have to break out sales by category; companies that are closely held don't have to report at all. Now, revenue generated by Internet-only retailers such as Amazon.com are already counted as part of the tally of mail-order companies. Also, the Internet retail count excludes companies conducting non-retail business, such as travel, ticketing, and financial services.
These metrics are relevant in that they highlight the difficulties in defining what counts as an online sale.
The definition of a consumer sale is blurred by the online concept. For example, if a customer goes to a Web site and fills in an order form but then calls the 800 number to give then their credit card number, is that call counted as an online sale? There is currently no consensus. In addition, some companies are worried about disclosing information on the precise amount of their online sales, and this makes actual online sales numbers more scarce. This scarcity explains the large differences in market research data and estimates.
BizRate, a company that queried 135,000 actual online buyers as they checked out at more than 1,700 online merchant sites, reported that 1998 online sales were $4.4 billion. They also estimated that this revenue would jump to $11.2 billion in 1999. CyberDialogue, a company that distinguishes online sales from those completed offline, reported that Internet consumers spent $26.5 billion in 1998 and would spend $42.7 billion in 1999. Jupiter Communications reported that in 1998 consumers had spent $7.8 billion and would spend $14.9 billion in 1999. And Shop.org, a trade association of more than 200 online retailers, reported that online consumer sales were $14.9 billion in 1998 and would reach $26.6 in 1999.
However measured, it is important to note that online consumer purchases still account for only a small percent of total sales. If by 2004 the Forrester Research Company is correct in its projection that online sales will reach $185 billion, purchases at that level will constitute only seven percent of the nation's retail sales. Business-to-business (B2B) vertical and horizontal markets have the largest share. But many of the management and quality assurance challenges facing e-commerce companies also impact B2B, where the rules of the Web can wreak havoc on existing business relationships and economic structures. Internal competition between branches and franchises can raise thorny issues; automation can magnify rather than solve paper-based and existing operations problems.
In terms of approach, good sense for one firm might be perfect nonsense for another. Is it best to focus on one narrow thing or cast out wide nets? In one form or another, that question preoccupies e-commerce executives everywhere. In start-ups and large businesses ranging from aerospace to telecommunications, CEOs are making life-and-death strategic bets, trying to position their companies to take advantage of productivity and technology trends that they are only beginning to understand. Very often, major players are making completely divergent bets within the same industry. This makes for exciting if uncertain times.
Conceptualizing Legal Issues in E-Commerce Testing
The Internet is not a lawless Wild West. Online companies face many of the same legal restrictions that apply to Main Street shops, including state rules regulating sweepstakes and promotions, federal banking, securities, antitrust, consumer protection laws, and copyright and trademark protections. What can be different and more challenging for online firms, however, is learning what rules are applicable.
Law always lags behind the pace of technological change, and this lag creates periods of uncertainty, experimentation, and controversy that will be difficult and awkward for a digital economy. The process through which law accommodates profound social trends is a highly political process that involves the courts, Congress, and legislatures in 50 states. This lag of legal standards behind technical reality directly affects the Internet.
Changes in computer science and information technology are upsetting many of law's ancient truths, forcing new definitions to be created for old words, and posing new, more complex questions for the law to solve. Judging by our experience with changes in transportation, communications, and modern medicine, the process will take years, perhaps decades. Until all of the legal concepts, definitions, and fine points can be ironed out in statutes, court opinions, and rulings by administrative agencies, there is no comprehensive or authoritative list of legal requirements in e-commerce testing.
The future of the Internet will be determined as much by policy choices as by technological capabilities, especially in areas such as personal privacy, content regulation on behalf of children, and taxation. Questions include whether current laws should be changed to fit the Internet, or whether entirely new regulations should be proposed.
New circumstances call for new laws. Over time, the rules and regulations governing all aspects and dimensions of e-commerce will change to accommodate the novel and unexpected. But the process will take very many of the 60-90 day "Internet years" in which e-commerce companies are obliged to compete.
Spectrum of Rules and Sanctions
A contract or license to use a Web site can involve representations, warranties, choice of law, venue, copyright, and trademark issues. By contrast, buying something over the Internet can involve many of the traditional issues of contract law. When you purchase something from a site, this can involve several contracts or licenses, including a site use license governing use of the site absent any purchases, a privacy agreement, and an agreement governing the sale itself.
Earlier we noted uncertainty about what counts as an online sale. Notice that many practical questions point to other ambiguities. In what physical location may such a sale be deemed to have taken place? When is payment of a sales tax required? Under what circumstances may linking and deep linking on Web sites be regarded as intrusive? Which particular Internet activities can subject parties to the laws of another country/region (or another state in the U.S.) than the one where they are logged on? Is it possible to achieve a "meeting of the minds" and to conduct arms-length bargaining in cyberspace? Are so-called "click-wrap" agreements on sites (online contracts that indicate which laws apply in the event of scrutiny or dispute) valid after the user clicks "I Agree"? Are innovative ways of doing business appropriate for patents? At what point does data mining of the "clickstream" become Orwellian? Does it matter if the monitoring surreptitiously collects information on medical, financial or sexual behavior, or on children's surfing habits?
Even passing reference to general subject categories (in international, federal, state and local laws), each worlds unto themselves, suggests the depth of complexity and difficulty into which practical business questions can sink.
The following list contains legal standards that apply differently to specific types of sales:
| • | Antitrust |
| • | Securities Regulation |
| • | Copyright, Trademark, and Patent |
| • | Consumer Protection |
| • | Criminal Law |
| • | Content Regulation (free speech, filtering and censorship) |
| • | Privacy and Encryption |
| • | Taxation (federal, state and local) |
Of course, there are some distinctions, questions, and answers that can be made by attorneys, public reference sources, academic centers, and industry-sponsored research groups. The key point is that the environment for both questions and answers is highly dynamic.
In legislative sessions in 44 states this year, more than 2,000 Internet-related bills will be introduced and many will be passed. In addition to State-level law-making on privacy, Internet sales and access taxes, and content issues such as unsolicited commercial e-mail, there are also conspicuous crackdowns on Internet sales of tobacco products to children.
These cases are reminders of the changing role of state attorney generals in criminal law enforcement and civil protections for consumers and vulnerable groups. Congress will continue to review online auctioning of certain illegal or objectionable items, cyber-squatting, database protection, intellectual property reforms, Internet content filtering, privacy and confidentiality, Internet access, cyber-terrorism, encryption and export controls, online alcohol and gun sales, Internet gambling, digital signatures, technology infrastructure, education, and research and development. Currently at least 12 federal agencies are fashioning rules and regulations for the Internet.
The Internet may be borderless, free-spirited, open, and fast-growing, but it is also becoming populated with rules and sanctions, definitions and requirements, standards, and constraints. The best practice approach is to be aware and informed, and to plan for uncertainty and inconsistency in areas where legal standards are evolving.
A complexity in testing legal requirements for e-commerce is that the buyer, seller, distributor, and communications mechanisms are each in different places with different rules. The difficulty is that glaring contradictions can result if state laws are deemed to apply to some Internet transactions but not to others.
For example, in a case where a state's law prohibits casino gambling, does it matter that the virtual casino's server is located off-shore? If the act of entering the bet and transmitting the information from such a state via the Internet is enough to constitute illegal gambling activity, then there will be trouble in distinguishing other transactions. From a policy point of view, it may be questionable for a bet placed over the Internet to be deemed to have taken place in the bettor's computer, while a book purchased through Amazon.com does not.
Risk-Sensitive Approaches to Usability, Performance, and Reliability
A good starting point for incorporating legal standards into testing is the called worst-first approach. This risk-sensitive view is particularly appropriate for Web-based applications. Best practices suggest candid and explicit responses to the following questions:
| • | What are the strict requirements associated with the worst things that can happen? |
| • | What secondary business rules support or contradict these requirements? |
| • | What worries the developer, investors, and business manager most? |
| • | Are any of the resources or essential components capable of being tampered with? Are any of these essential components susceptible to being influenced by any other process within the application in ways that are not documented? |
| • | What is the biggest load each particular process can handle? Would stress make useless system security arrangements? |
| • | Would failure of any particular process create issues with external authorities or create potential legal liabilities? |
| • | From a map of the inter-relationships and dependencies, what are the connections to specific external components, services, states, or configurations? |
| • | If data becomes corrupted, what is the impact and how does news of this happening get relayed? |
Another testing approach adopts the guerilla warfare mentality of the criminal, terrorist, or prankster. This approach is called "Bad Man." Instead of viewing systems and processes from the perspective of the developer or target audience, these test cases probe for the weak points and gaps that a malicious person would seek. In precisely the same way that home security companies consult with burglars in order to improve locks and alarms, "Bad Man" test cases examine the whiteboard architecture with an eye to mischief:
| • | What is the function of this box? Since it is connected to transactional data from which credit card numbers could be obtained, how can I make it fail or get around it? |
| • | Can this function be invoked at the wrong time or made to enter an endless loop? |
| • | What do these arrows mean? What happens if one or more of the arrow connections are broken? |
Strict requirements associated with the worst things that can happen include:
| • | Extortion based on stolen credit card numbers |
| • | High-profile cases of identity theft based on stolen credit card numbers |
| • | Other losses attributed to fraud |
Tips
Consider these practical tips for online merchants:
| • | Because many fraudulent orders are placed in the middle of the night, pay particular attention to overnight orders | ||||||||
| • | Reinforce the business rule that no online order is accepted unless all required information on the form is completed | ||||||||
| • | Ship expensive products and very large orders of inventory only to the credit card holder's registered address after obtaining the credit card holder's signature Develop red flag warnings when the customer
| ||||||||
| • | In the case of a serious loss, step through terms of the contract with both the credit card processing agent and the bank | ||||||||
| • | Determine if the credit card processing agent supports digital signatures and public/private key encryption | ||||||||
| • | Request that the credit card processing agent provide online debit arrangements. |
Identifying Issues
Still another useful approach in legal requirements testing involves a classification of potential issues, such as the sale of a book vs. the sale of imported hides of an endangered species. Next, consider issues in relation to how the goods and services are being sold, such as potential deceptive trade practices or violations of consumer rights.
Finally, consider potential issues raised by the attributes of the buyers and target markets. For example, perhaps these customers present risks on account of age.
The goal of concentrating on these questions is to anticipate difficulties by exposing potential risks, thereby avoiding or minimizing them. Legal requirements test cases can be very productive when an online business states that all transactions must comply with and are subject to all applicable federal, state, and local laws.
The following checklist can help:
| • | Human organs and body parts |
| • | Assault weapons |
| • | Pre-Columbian artifacts |
| • | Escort services |
| • | Home-distilled liquor |
| • | Raffle tickets |
| • | Prescription drugs |
| • | Bald eagle feathers |
Of course this is not a complete list; the point is that online companies should give advance thought both to the categories that are to be excluded from sale, and also to particular items within those categories that might be considered offensive or inappropriate to target markets.
Practical Strategies for Testing
Transactions involving money are highly suggestive of test cases for legal requirements. Because there are no internationally recognized technical or legal standards for secure electronic documents and electronic signatures, each online transaction therefore poses three questions:
1. | Is it legal (valid and binding)? |
2. | Can the message be trusted? |
3. | Are there rules of conduct to follow that are different from ordinary paper-based transactions? |
Questions exist as to whether electronic agreements are enforceable, how online contracts will be interpreted by the courts, and the extent to which parties will have rights to online information.
Where laws fail to keep current with technological and commercial developments, needs of businesses for a uniform framework of rules become acute. Developing a legal framework for e-commerce is important so that electronic transactions presumed to be valid and binding will be either upheld as such or handled under precise rules and remedies covering default or disappointment
Digital Signatures, Certification Authorities and Public/Private Key Cryptography
Testing strategies for electronic money build on the legal requirements of traditional contracts. Electronic and paper-based contracts have common elements, the most important of which is the signature requirement
A signature is a mark, including an electronic mark, made with the intention of authenticating a document. A digital signature fulfills several roles, and each of these roles support test cases. A digital mark assures integrity of communication by verifying that the document has not been altered and that the signer really exists. Therefore, the digital signature meets the following four traditional requirements:
1. | It is unable to be forged |
2. | It can be authenticated |
3. | It is unalterable |
4. | It is nonreuseable. |
Digital signatures use the private key/public key cryptography encryption process. Once encrypted, you can only read the message if you have a matching decryption key. Typically, the public key is widely published so that anyone can encrypt messages using it. The private key that performs decryption is kept secret.
Technically, the digital signature is a message that uses an asymmetric cryptosystem and a hash function. A person that has the initial message and the signer's public key can accurately determine whether the message used the private key that corresponds to the signer's public key, and whether the initial message been altered since the transformation was made.
Digital signatures differ from other types of electronic signatures, such as an electronically-stored handwritten signature, in that it is composed of a unique sequence of bits. These bits identify a specific message from a specific individual or computer.
A Certification Authority (CA) is a trusted third party that provides independent verification of the link between the public key and the signer's true identity. This reduces fraudulent representations. CAs issue certificates of varying types. Basic certificates are digitally-signed messages that delegate an attribute to a public key. Identity certificates bind the name of an entity to a public key.
Digital signatures have several advantages. For one, float can be virtually eliminated. Business can be conducted more rapidly. Electronic documents are easier to send and cheaper to store. Access is faster. Digital signatures also allow for authentication and provide safeguards against forgery.
As electronic documents become cheaper and more reliable than paper, their use will broaden, thereby changing the way we do business. By securing transactions over the Internet rather than attempting to secure the Internet itself, the use of digital signatures allows e-commerce companies to benefit from the openness of the Internet and its low transaction costs while having the protection of a closed network.
Microsoft® BizTalkServer supports digital encryption and security. This server facilitates the interchange of business documents among various platforms and operating systems regardless of the application being used to process a business document. By providing a standard gateway for sending and receiving documents via the Internet, BizTalk™ allows companies to interchange documents with external trading partners.
Trading partner authentication is accomplished through the exchange of digital signatures, or certificates. Each trading partner publishes a certificate as part of a trading partner profile. Through the use of encryption, BizTalk Server is able to maintain data and document privacy. Security specifications are part of the envelope schema that is contained in a trading partner profile.
Verification requires that the recipient possess a copy of the public key from the sender's signature certificate. The recipient then decrypts the digital signature using the public key and calculates a message digest independently. (In this system a digest is a value that can be used to verify the authenticity of a data stream or a business document.) The results of the two digests are compared; if they are identical, the information has not been tampered with and the recipient is able to view the information.
These processes are reminders of how negotiations and agreements in cyberspace can depend heavily on technological assistance, particularly where contracts would provide for a non-immediate exchange of funds and goods.
Electronic Contracting
The law of sales is complex. Moving any sale to the Internet adds further complexity. It can sometimes be difficult to know where an Internet sale took place; it can also be hard to verify who the buyer and seller really are, or to confirm that they are authorized to do what they are doing.
Testing for legal requirements in sales is important. Transactions involving material goods can parallel traditional purchases made by telephone, mail order, or in person. These sales are covered by existing rules concerning the ways buyer and seller can identify one another.
On the other hand, the sales of information over the Internet is different. An e-mail address does not provide enough information about the person sending the message. For this reason, the role of trusted third parties (Certificate Authorities) is crucial in authenticating the parties.
In test cases, the identification and authentication process is important for transactions that extend over time. For example, if the communications are part of an ongoing relationship (such as instructions to a broker), if terms of the sale allow delayed payments, or if there are warranties or service contracts involved, authentication of the parties involved is important.
Designing Tests for the Transactional Context
In simple sales over the Internet there are transactions must be secure. Confirmation involves proof of order, non-repudiation, receipt, and recourse. Both buyer and seller have a vested interest in knowing that each is who they say they are, and that each is authorized to do what they are proposing to do. Test cases that focus on these points can be productive in exposing opportunities to minimize fraud and misunderstanding.
Authentication
Authentication helps to guarantee the order and payment of a buyer. Over time, the company may want to know more information about their customers and their buying preferences.
Test cases that provide for false positive and false negative results from authentication screens are helpful. It's a good idea to check against known samples which contain boundary and equivalence class ranges.
Certification
The buyer may need to possess a certain attribute or satisfy a certain requirement. For example, the merchant may need proof, that the purchaser is over the age of 18 or is the holder of an import license. There are some products cannot be sold in some parts of the country/region. Many products are subject to export restrictions. Business rules clarifying these standards are fundamental in testing legal requirements.
Consider Internet pharmacies as an example. These companies offer the same services as Main Street pharmacies with the added convenience of Internet shopping. Licensed, full-service Internet pharmacies are distinguished from disreputable Web sites by particular benefits and services, including:
| • | Operation with all licenses required by the Drug Enforcement Administration and state boards of pharmacy |
| • | Cooperation with guidelines and requests of the Food and Drug Administration and the Federal Trade Commission |
| • | Requirement of an authorized prescription by a fully accredited physician or health care professional licensed to prescribe prescription drugs |
| • | Employment of appropriately licensed and registered pharmacists to dispense prescriptions and counsel patients |
| • | Handling both first-time prescriptions and refills |
| • | Provision of patients with both written and oral information on how to take the prescription correctly, including proper dosing, possible side effects, and contraindications |
| • | Service as an educational resource by providing access to pharmacist and information regarding possible drug interactions |
| • | Provision of professional prescription fulfillment 24 hours a day, seven days a week with next-day delivery |
| • | Guaranteeing patients the same insurance assistance and coverage that they have been accustomed to at traditional drug stores |
Confirmation
If a third party, such as a credit card company, is involved in the transaction, then the merchant may need to be able to prove to them that the customer authorized payment.
Non-repudiation
If the customer claims falsely that an order was never placed, or that the ordered goods were never delivered, it is important for the merchant to be protected.
Payment
Obviously, the merchant wants assurance that the correct payment will be made.
Anonymity
In some situations it may be important for the merchant to control the amount of information disclosed to the customer.
The e-commerce buyer has similar interests and concerns. Test cases can be developed for each of the following areas.
Anonymity
In many cases the buyer will want control over the amount of information disclosed to the merchant. It is one thing for a Main Street clerk to ask for a Zip Code in a cash purchase. It is quite another to ask for a Social Security number.
Privacy
Many buyers want to know the amount of personal and transactional information the merchant plans to disclose to third parties. Some buyers would insist on controlling this flow of information.
Authentication
When the seller's identity is confirmed prior to purchase, this can help to ensure that the goods are genuine and that that service or warranties will be provided as promised.
Integrity
It's important to the buyer that they have adequate protection against unauthorized payments and any misuse of personal information.
Recourse
If the seller fails to perform or deliver, the buyer usually requests a full refund, a substitute of goods, or an explanation of the process through which complaints are handled.
Confirmation
At the most simple level, the receipt provides confirmation. Depending on the transaction and the number of parties, however, there may be more extensive documentation required to satisfy the buyer.
Confidentiality Mechanisms
Electronic commerce happens one person at a time, one decision at a time, one click at a time, in cyberspace relationships founded necessarily on trust. Violations of personal privacy, and insensitivity to privacy worries on the part of potential customers, are important to consumer confidence and goodwill. The testing process for privacy and confidentiality issues should focus on mechanisms of data collection, storage, and sharing. Test cases should reflect the nature and extent of information collected on customers. Are different sorts of information collected on different customers? For example, does the company seek personal information from customers who are under age 13? If this is true, there may need to be formal policies explaining how the company's data collection practices conform to the Children's On-Line Privacy Act of 1998. More generally in relation to company policies, the testing process should reference the four touchstones of what the Federal Trade Commission calls "fair information practices."3
Are customers informed about what is done with information collected about them and their purchases?
Are customers given any choice in how the E-Commerce firm uses their information?
Are customers given access to their information that the firm has collected?
Are assurances given to customers about site security arrangements and information-handling policies?Privacy mechanisms encompass the following four basic principles:
Notice
Document business rules and test actual site performance in terms of what prospective customers are told about the information that will be collected and what will be done with it.
Choice
Identify any procedures by which customers can choose not to have their information shared outside the company. Distinguish between transactional data and personal information.
Security
Determine what company policies say on what it is that constitutes tampering, theft, misappropriate and misuse of information. Check into the security assurances that customers receive.
Review and Correction
Confirm if company policy provides customers access to information collected about them and their purchases. Check if customers are provided means to correct any errors in that data.
On each of these principles, perform audits that track compliance and consistency. Consider whether the collection and storage of particularly sensitive data (specific financial data, certain medical data, and most information about children) warrants additional security.
Conclusion
Attention to legal requirements helps focus the testing process toward practical constraints on the design, implementation, and successful operation of e-commerce sites. The transition in quality assurance priorities from basic functionality and performance to security and confidentiality is increasing awareness of the existence of a broad range of legal issues and of needs for managers as well as testers to be informed about them. Incorporating these sensitivities and emerging legal standards into test planning will encourage the articulation and refinement of best practices.
Macintosh is a registered trademark of Apple Computer, Inc.
1 A valuable perspective on solutions is provided in Microsoft's TechNet "Rapid Deployment of a Highly Scalable E-Commerce Site," [January, 2000].
2 Standish Group CHAOS report, cited in Karl Wiegers, "Process and Techniques: 10 Requirements Traps to Avoid," Software Testing & Quality Engineering, January/February, 2000, pp. 34-40.
3 Notifying users of the site's data collection practices, giving users a choice of opting out, giving users access to personal data collected about them, and providing assurances on the security of users' personal data.