The Real 'Who's Who' of Electronic Commerce:
The Identification of Organisations

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Scratch-Pad of 20 December 1998

© Xamax Consultancy Pty Ltd, 1998

This paper is being prepared for submission to the Journal of Strategic Information Systems

This document is at http://www.anu.edu.au/people/Roger.Clarke/EC/OrgID.html


Abstract

The identification of organisations is thought to be a prerequisite to public confidence in electronic commerce. The concepts of identity, identification and authentication are examined, as they apply to organisations operating in information infrastructure-enabled marketspaces. Generic strategies are proposed for dealing with the risks involved in electronic commerce. To complement the recent drive for increased authentication of identity, it is concluded that much more attention should be paid to value authentication, attribute or eligibility authentication, and authenticated pseudonymity.


Contents


Introduction

It is widely believed that the growth of electronic commerce is being stunted by uncertainty among both businesses and consumers concerning the security of dealings in the virtual 'marketspace'. A major element of this uncertainty is the lack of clarity in cyberspace about who it is that you're dealing with. Hence the identification of organisations appears to be at the heart of the problem.

Despite the expressions of concern, there is a serious shortage of analyses of the underlying concepts and practices. This paper sets out to overcome that shortfall.

The paper commences by examining the underlying concepts of identity, identification and authentication. These ideas are applied initially to natural persons, and then to unincorporated and incorporated organisations. The manner in which organisations act in the real world is examined, including their dependence on human agents, and progressively also software agents.

The available approaches whereby organisations can be identified and authenticated are assessed, and specific challenges identified. This leads to an assessment of risks involved in electronic dealings, and generic strategies that can be adopted to address those risks.


Conceptual Foundations

talk first in terms of abstract 'entities'

Identity

Identification

Authentication


Natural Persons

brief exposition on human identity, identification, authentication

reference to ../DV/HumanID.html

important to use this as a basis for an examination of the identity, identification and authentication of organisations


Artificial Entities

purposes of organisations:

historical development of organisations

incorporation and the 'legal person' concept

typology of organisations

(c) Identification of Business Enterprises

A business enterprise is a legal person that conducts commercial transactions. There are three broad classes of business enterprise:

Bodies Corporate include entities that are created under statute law, in particular:

Other kinds of body corporate may be recognised under the common law, in particular the various forms of trust. A trust is an obligation, enforceable in equity, which rests on a person as owner of some specific property (the trustee) to deal with that property for the benefit of another person (the beneficiary), or for the advancement of certain purposes. Some trusts are responsible for substantial economic activity, such as trading trusts (whose trustees trade on the market on behalf of the beneficiaries), and unit trusts (where the trust is divided into units of specific values).

Bodies Politic are sovereign states, and components of sovereign states that have independent existence. The Australian States are bodies politic, having been established as colonies of the United Kingdom, and been granted independence at the time of federation; and the two self-governing Territories are bodies politic through Acts of the Commonwealth Parliament. There are therefore nine bodies politic in Australia.

Most government agencies are not themselves capable of entering into contract with anyone, because they are merely segments of the relevant nation, State, Territory, province (Canada), Land (Germany), Departement (France) canton (Switzerland), etc. All Commonwealth portfolio departments, for example, are merely segments of the Commonwealth, not legal entities capable of entering into contract, or being sued, or themselves suing.

Some agencies, however, are established as bodies corporate, under the corporations law or under a special statute. Paradoxically, some of the agencies for which a portfolio department has fiscal responsibility may themselves be legal entities, capable of performing legal acts on their own behalf.

A great deal of business is conducted by unincorporated enterprises, including:

Such enterprises have no existence for the purposes of contracts and various other laws, and no ability to sue or be sued. The legal persons who are deemed in law to make up the enterprise are jointly and severally liable for its acts. Those legal persons are in most cases people, but can also be corporations or even bodies politic.

(d) Roles

A business entity plays many different roles, and has many different kinds of relationship with many kinds of other organisations. Examples of these relationships include:

There are many circumstances in which it is most convenient for a business enterprise to recognise another business enterprise according to the role that it is playing. If one business entity fulfils several roles in its dealings with another business entity, it may have multiple identifiers.

(e) Agents

An agent is an entity that has the legal capacity to formally represent another person or organisation, called the principal, and to bind them in contract. Agents may be appointed to act on behalf of people, or of bodies corporate.

Bodies corporate are a legal fiction that has served advanced economies very well, and continues to do so. There are serious practical limitations, however, on the extent to which acts can actually be directly performed by bodies corporate, and indeed by bodies politic.

There is an increasing number of examples of acts delegated to artificial intelligences, through such means as automated telephone, fax and email response; automated re-ordering; and program trading. Subject to some qualifications, legislatures and courts may be becoming willing to accept these acts as being binding on the entity concerned, at least under some circumstances. Despite the progress being made in computing and robotics, however, the vast majority of acts continue to be performed by natural persons on behalf of business entities.

Note, too, that where a body corporate or a body politic appoints as its agent another body corporate, that body corporate cannot itself perform acts, but must depend ultimately on some human agent. There may therefore be a cascade of agency relationships.

The identification schemes operated by business enterprises must be sufficiently sophisticated to distinguish between the acts and identities of principals, of intermediate agents, and of ultimate agents.


Organisations in Action

powers, rights and duties of organisations

actions in the name of an organisation

actions by an agent for an organisation, ultimately an entity capable of action in the real world (and perhaps sentience):

chains of agency, through multiple organisations


The Identification and Authentication of Organisations

examples (if possible, within a typology) of:

challenges:


Risks

identification carries risks for the identified party: privacy, confidentiality, liability

motivations for avoidance of identification:

mechanisms for anonymity

alternative of pseudonymity

degrees of authentication


Strategies

Need to work up an application of the classic categories of risk management:

* Pro-Active: Deterrence, Prevention

supra-organisational comprises inter, multi, extra and public

differential strategies are appropriate for each

inter: partnering, closed systems, PN or VPN/extranet

multi, hub-and-spoke: ditto, but multi-lateral, with some form of hub-arrangement, physical or virtual

multi, cascading: ditto, but governance needs to reflect the once-removed relationships

extra: framework similar, but public Internet, and more emphasis on risk management

public: largely risk-managed

* Tolerance

insurance

* Avoidance

authentication of something other than identity:

'authenticated pseudonymity' as a balanced approach between anonymity and identification


Conclusions

foundational analysis provided for an aspect of EC that is very important

available for analyses by other authors

an indication of the basic theory's implications is provided, in the form of a set of generic strategies for organisations, and proposals for specific avoidance mechanisms that balance the various interests involved, namely value authentication, attribute or eligibility authentication, and authenticated pseudonymity


References

Text


Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 23 October 1998

Last Amended: 20 December 1998


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916