ICASA to regulate e-commerce - this will be a mess

[MagicDude4Eva]

So news has it that the Department of Communications (DOC) has suggested to Parliament's Portfolio Committee on Communications that ICASA regulate the country's e-commerce industry. The proposal was put forth at hearings on the Electronic Communications and ICASA Amendment Bills on Friday, where over 20 stakeholders had their say. The committee is scheduled to deliberate on received submissions in Parliament before the end of October.

Now this will be an epic mess, considering that ICASA is already incapable of handling communications and now they wish to mingle in e-commerce, something they have zero expertise in. We already sit with a defunct and untested CPA, a non-working RICA and now with some new gravy-train legislation to monitor and manage e-commerce. Sounds to me as an initiative to fill government coffers and stifle internet commerce even more in this country.

Suggestion to ICASA: Why don't you successfully regulate ISPs and make sure that broadband is properly accessible to the South African public at a reasonable cost. e-commerce will govern itself through organic growth and competition - no need to monopolise an industry and cannibalise it.

 

[ToxicBunny]

On what legal grounds would ICASA regulate the industry? They don't get to regulate the normal retail industry do they?

 

[Del Piero 10]

On what legal grounds would ICASA regulate the industry? They don't get to regulate the normal retail industry do they?

Exactly. This move is extremely counter productive & will stunt ecommerce growth. It's bad enough unemployment is at a high & this will discourage entrepreneurs from taking that step to create opportunities for themselves along with providing jobs.

 

[MagicDude4Eva]

On what legal grounds would ICASA regulate the industry? They don't get to regulate the normal retail industry do they?

No clue - hoping to somehow get access to the suggestions or the actual amendment. I assume that it will be part of the proposed ECT act changes (which is another round of mess). ICASA does not have the skill and expertise to understand e-commerce. They will probably draft something into legislation without consulting with any of the major industry players. Still puzzled about the motive - but hopefully in by the end of the month this will become more visible (I think it's money and power - no other reason ICASA has ever done anything else).

Still wondering who those 20 stakeholders are....

 

[Paul Hjul]

bit swamped here at the moment but I have the ECA and ICASA amendment drafts lurking about somewhere.

Amusingly the DoC in their memorandum for tabling mention me (incorrect spelling of surname) as a "parties consulted" all I sent was a submission saying that they shouldn't proceed with the draft bill until the policy review was complete.

I have a suspicion that one of the problems that exists is that certain things - the authentication authority for example - fall under the DoC which should be under ICASA and that there is a general mess concerning how ICASA is but the legislation doesn't address the dysfunctional aspect at all and is premised on undermining the magic of the market.

 

[MagicDude4Eva]

@Paul mind sharing the memorandum? I have yet to see anything proper in writing but did hear that it was discussed in form of a meeting or panel discussion sometime last week with some planned outcome by end of October.

Here is mention of it: http://www.bdlive.co.za/business/te...casa-cannot-manage-additional-e-commerce-role

Also found the drafts but just doing a search, can't find any reference to ICASA/e-commerce (perhaps not the right docs)?:
http://d2zmx6mlqh7g3a.cloudfront.ne...vq8/mtime:1373619451/files/130711b17-2013.pdf
http://d2zmx6mlqh7g3a.cloudfront.ne...8_E/mtime:1373619525/files/130711b18-2013.pdf

And link to PMG here: http://www.pmg.org.za/minutes

 

[MKFrost]

I have to agree that this going to be royal mess.

I cannot see how ICASA can see itself as a regulator for e-commerce, what is it that they want to control or is this perhaps just a way to get a foot in the door so that all transactions can be monitored to ensure that the the treasury gets its share of each and every online transaction.

 

[MagicDude4Eva]

e-commerce companies already have to contend with
- ISPA (wishy-washy process for take-down notices which allows anyone to sabotage a business via an unverified take-down notice via ISPA),
- PASA (3d secure will be enforced in 2014, despite Amex or corporate cards not allowing 3d secure and Bankserv not having a mobile 3d-secure solution for native and mobile apps / hardly any consumer is familar with 3d secure)
- CPA (government launched CPA without ever properly educating the public)
- PAIA (not a problem if you do it will and comply)
- POPI (half-a**ed implementation as it selectively applies to entity)

So all in all, every single "internet"-legislation drafted has been done by "experts" without any clue on how business functions. Will be interesting how this latest disaster will unravel - probably another #ProudlyBroughtByANC

 

[Lightscribe]

e-commerce companies already have to contend with
- ISPA (wishy-washy process for take-down notices which allows anyone to sabotage a business via an unverified take-down notice via ISPA),
- PASA (3d secure will be enforced in 2014, despite Amex or corporate cards not allowing 3d secure and Bankserv not having a mobile 3d-secure solution for native and mobile apps / hardly any consumer is familar with 3d secure)
- CPA (government launched CPA without ever properly educating the public)
- PAIA (not a problem if you do it will and comply)
- POPI (half-a**ed implementation as it selectively applies to entity)

So all in all, every single "internet"-legislation drafted has been done by "experts" without any clue on how business functions. Will be interesting how this latest disaster will unravel - probably another #ProudlyBroughtByANC

In the end, many[vague] analysts have concluded that the Activation During Shopping (ADS) protocols invite more risk than they remove and furthermore transfer this increased risk to the consumer.

In some cases, 3-D Secure ends up providing little security to the cardholder, and can act as a device to pass liability for fraudulent transactions from the bank or retailer to the cardholder. Legal conditions applied to the 3-D Secure service are sometimes worded in a way that makes it difficult for the cardholder to escape liability from fraudulent "cardholder not present" transactions

http://en.wikipedia.org/wiki/3-D_Secure

 

[MagicDude4Eva]

Don't breach to the converted about 3d secure - hardly worth the effort and from peers within the industry it will result in a 30-40% drop in credit card transactions as users (1) have not enrolled, (2) don't know what it is, (3) use an unsupported card, (4) never ever get their SMS OTP or email. Banks will however still give you a run-around if you challenge a charge-back (due to fraud) on a 3d-secure transaction.

Anycase - if anyone else can shed some more clarity on ICASA and the discussed e-commerce involvement, that would be great - perhaps MyBB could contact them directly?

 

[Lightscribe]

Don't preach to the converted about 3d secure - hardly worth the effort and from peers within the industry it will result in a 30-40% drop in credit card transactions as users (1) have not enrolled, (2) don't know what it is, (3) use an unsupported card, (4) never ever get their SMS OTP or email. Banks will however still give you a run-around if you challenge a charge-back (due to fraud) on a 3d-secure transaction.

Anycase - if anyone else can shed some more clarity on ICASA and the discussed e-commerce involvement, that would be great - perhaps MyBB could contact them directly?

True. That bit quoted from wiki, with the interesting points made about 3D-Secure, under the "Buyers and credit card holders" and "Criticism" sections on that wiki page, as you mention, more consumers need to be aware of.

Here Dominic mentions the OP issue also: http://www.itweb.co.za/index.php?op...E-commerce-a-push-too-far-for-ICASA&catid=147

 

[ToxicBunny]

Intriguing.. so 3D Secure moves the "liability" to me the cardholder?

Thank you but no thank you then.

 

[MagicDude4Eva]

Intriguing.. so 3D Secure moves the "liability" to me the cardholder?

Thank you but no thank you then.

But you are the only one who is supposed to know the 3d-secure code (i.e. either a PIN you set, or a OTP or email you received). None of those mechanisms are in my mind particularly secure. In my tests (with SBSA), I waited 9(!) hours for a OTP to arrive and the Bankserv session did not timeout and I could enter the OTP to process the transaction.

 

[ToxicBunny]

But you are the only one who is supposed to know the 3d-secure code (i.e. either a PIN you set, or a OTP or email you received). None of those mechanisms are in my mind particularly secure. In my tests (with SBSA), I waited 9(!) hours for a OTP to arrive and the Bankserv session did not timeout and I could enter the OTP to process the transaction.

Theoretically yes....But reality has this ability to thwart theory often enough to be worrying.

I'm not the worlds biggest online purchaser anyway at this point in time, purely because no online stores give me the service or prices I think are reasonable just yet.

 

[xrapidx]

Well, they already can't regulate, so business as usual?

 

[Space_Chief]

Intriguing.. so 3D Secure moves the "liability" to me the cardholder?

Thank you but no thank you then.

Yes, I pointed this out before.

(You won't have a choice as most banks in SA are moving to this. But not all merchants require this. Thankfully. Also this system is PITA. Sometimes the SMS never comes - especially when the bank misconfigures your 3D secure data.)

 

[Space_Chief]

Theoretically yes....But reality has this ability to thwart theory often enough to be worrying.

I'm not the worlds biggest online purchaser anyway at this point in time, purely because no online stores give me the service or prices I think are reasonable just yet.

Thankfully PayPal, Amazon and most foreign sites don't use 3D secure.

 

[Space_Chief]

But you are the only one who is supposed to know the 3d-secure code (i.e. either a PIN you set, or a OTP or email you received). None of those mechanisms are in my mind particularly secure. In my tests (with SBSA), I waited 9(!) hours for a OTP to arrive and the Bankserv session did not timeout and I could enter the OTP to process the transaction.

I see ABSA has gone back to user generated passwords. They used to do SMS OTPs but now the last time I used an ABSA card, it asked me to create a new password, using my ID number, last 3 digits of the CC and email address. They operated this way in the past. This means a bad guy only need to have your CC number / last 3 digits and ID number and they win. Of course the bankserv connection could also be spoofed. This system probably provides some extra protection, but the big issue is the liability. Before CC users were protected, not anymore.

Note that normal PIN codes you use with Chip and Pin cards also shift the liability to you. Previously the signature meant to prove that you authorized the transaction. You could dispute any transaction made with a fake signature - but with the PIN, the PIN is your signature and who knows who looks over your shoulder in that crowded check out line or restaurant.

 

[Paul Hjul]

@Paul mind sharing the memorandum? I have yet to see anything proper in writing but did hear that it was discussed in form of a meeting or panel discussion sometime last week with some planned outcome by end of October.

Here is mention of it: http://www.bdlive.co.za/business/te...casa-cannot-manage-additional-e-commerce-role

Also found the drafts but just doing a search, can't find any reference to ICASA/e-commerce (perhaps not the right docs)?:
http://d2zmx6mlqh7g3a.cloudfront.ne...vq8/mtime:1373619451/files/130711b17-2013.pdf
http://d2zmx6mlqh7g3a.cloudfront.ne...8_E/mtime:1373619525/files/130711b18-2013.pdf

And link to PMG here: http://www.pmg.org.za/minutes

My Submissions View attachment 14 Sept 2012.pdf
The draft on which the comments where made: http://www.info.gov.za/view/DownloadFileAction?id=170757

The really amusing inclusion by the Department of Communications of a "Paul Huji ICT Policy Analyst" appears on page 31: http://www.info.gov.za/view/DownloadFileAction?id=196630
- you really have to see the amusement in government's regarding of a 2 page don't be stupid memo as "consultation" but at least they gave me a flattering description even if not perfectly accurate