
E commerce = commercial transaction online

1. The same rules of contract law apply to Electronic Contracting/Contracts in
Cyberspace.
The difference is that, due to the unique nature of the Internet, there are challenges in
applying contract law to electronic contracts.
Unique nature = jurisdictional issues
The Internet has no boundary, so one cannot make use of the Contracts Act; this is why we use the ECA.
2. Unique Situations on the Internet
3. Battle of the forms
This can only happen on the Internet/cyberspace when one deals with contracting via
e-mail and which arises especially in B2B situations
It refers to situations where an offer and acceptance is made via email. However,
some e-merchants have a standard form for making an offer, and a standard form
when making an acceptance.
In other words, the e-merchant already has a standardized format when making an
offer or acceptance. The e-merchant does not write a fresh offer or acceptance all
the time.
A battle of the forms happens when A sends a standard offer email which B accepts
using his own standard form of acceptance, but the way the acceptance is worded can
introduce a new clause or term (a counter-offer).
However, acceptance must be absolute and unqualified, and when there has been a
change in the offer, no matter how slight, no acceptance is deemed to have been made.
Thus, when the battle of the forms occurs, no contract can be said to have been
formed as there was no unqualified acceptance, even though the changes are minute
and not important.
In this situation, the battle is often won by the party who fired the "last shot", that is,
the last party to put forward terms and conditions that were not explicitly rejected by
the recipient.
4. Clickwrap Agreements
Clickwrap Agreement is one where the website requires the customer or user to
affirmatively review the terms of an agreement through a series of pop-up windows
that ask for the customers to click a button showing that they agree to the conditions.
Under a Clickwrap Agreement the website puts the terms of the agreement directly in
front of the user and requires them to show that they affirmatively accept the terms by
clicking a button.
A clickwrap agreement can be simply defined as a contract which is formed over the
Internet when one party clicks on the "I agree" button on a website. Cases in the
United States will be looked at as there are no Malaysian cases yet.
Examples:
Groff v. America Online, Inc.
This case deals with the validity of a clickwrap agreement entered into by America
Online, Inc. and one of its customers.
Before a user can access AOL's system, he must first click on an "I agree" button to
indicate that he agrees to be bound by AOL's Terms of Service. This button first
appears on a screen that offers the user a choice to either read, or agree to be bound
by, AOL's Terms of Service. It also appears at the foot of the Terms of Service,
where the user is offered the choice of clicking either an "I agree" or "I disagree"
button by which he accepts or rejects the Terms of Service.
The court held that the parties' contract was entered into online by the click of an "I
agree" button.
This case states that once a person clicks on the "I agree" button a contract is formed
and there can be no dispute as to the contents of the agreement. The user cannot then
argue that he did not read the agreement or was unaware of its terms just because he
had not seen them.
However, in Specht v. Netscape Communications Corp the trend appears to have
shifted. In this case, the court held that the act of downloading software does not
indicate an agreement to be bound by the terms of the license agreement, despite the
fact that it is clearly stated in the license agreement that by installing or using the
software the user consents to be bound by it.
Hancock v. American Telephone & Telegraph Co.
Consumers argued that the clickwrap agreement did not give them notice of and a
meaningful opportunity to assent to the forum selection and arbitration clauses in the
terms of service. AT&T technicians presented customers with a printed copy of the
terms and gave customers an opportunity to review the terms, to which customers
agreed by clicking on the "I Acknowledge" button on the technician's laptop for the
TV/voice terms.
Customers also clicked on the "I Agree" button to manifest assent to the Internet
terms, which customers had an opportunity to review in a scrolling text box. The court
found the clickwrap agreements enforceable. Clickwrap agreements have been
enforced even when the consumer did not read the agreement.

5. Browse-wrap Agreements
Therefore, there is a significant difference between clickwrap agreements and
browse-wrap agreements. The legal consequences are drastically different for each
type.
Clickwrap agreements require that the user click on the button to proceed, whereas
browse-wrap agreements refer to situations where the user can continue using the site
irrespective of whether they click on the button or not. The wider implication of the
Specht case is that even if there is a link to the terms and conditions, or even if there is an
"I agree" button, if it does not force the user to look at it before proceeding, it is
regarded as a browse-wrap agreement. There is no binding contract.
The United States Court of Appeals ruled in Nguyen v. Barnes & Noble, Inc. that
Barnes & Noble's 2011 Terms of Use agreement, presented in a browse-wrap manner
via hyperlinks alone, was not enforceable since it failed to offer users reasonable
notice of the terms.
Similarly, in In re Zappos.com, Inc., Customer Data Security Breach Litigation, the
court ruled against Zappos.com's browse-wrap terms of use, stating that its
presentation was not prominent, and that no reasonable user would have read the
agreement.
6. Enforcing Online Agreements
In the recent past courts have been deciding how to best deal with the different types
of online agreements. In general, courts have been hesitant to enforce Browse-wrap
Agreements while allowing the enforcement of Clickwrap Agreements. The reason for
this is the likely notice to the customer or user under each type of agreement. Courts
have reasoned that users are more likely to be apprised of all the terms and conditions
when they are forced to affirmatively accept terms and conditions placed in front of
them by the website under a Clickwrap Agreement. However, this does not
completely discount Browse-wrap Agreements. When a website operator can show
that the user or customer had actual or constructive notice of the terms and conditions,
a question of whether the agreement can be enforced is raised.
So when is acceptance made?
It is generally agreed that a contract is formed the moment acceptance is made or, in
other words, complete. The question which arises is: when is an acceptance deemed
complete? There is no difficulty when one is face-to-face, but what about situations
where an acceptance is made by post or fax? There are two aspects to look at with
regard to acceptance: when it is done using slow methods (post) or quick
methods (fax or instantaneous communications).
(a) Postal Rule
Adams v Lindsell: any acceptance had to be made by post within a week from the date
of the letter of offer. The letter of acceptance was posted immediately upon receiving
the offer, but it arrived a week after the offer was made, meaning that the time limit
was up. By that time the wool had already been sold to someone else.
So the question was: when was acceptance made? Was acceptance made when the
letter was posted, or when it was received? If the former, then a contract is formed. If
the latter, then no contract is concluded. The court ruled that the contract was complete
as soon as it was put into transmission. In other words, there was a binding contract the
moment the letter was put into the post box.
(b) Receipt Rule: Instantaneous communications
Instantaneous communication refers to any mode of communication which makes it
as if the parties are face-to-face. Not in the literal sense, but the passage of time
required between making an offer and an acceptance is nearly instant. The best
example is a telephone conversation.
In the case of Entores Ltd. v Miles Far East Corporation it was stated by Lord
Denning that:
"The rule about instantaneous communications between parties is different from the
rule about post. The contract is complete when the acceptance is received by the
offeror."
In other words, when dealing with instantaneous communication, an acceptance is
complete once it is received and not when it is sent. Is the position the same in
Malaysia, bearing in mind section 4 of the Contracts Act 1950?

To answer this, the Indian case of Bhagwandas v Girdharlal is helpful. Section 4 of
the Indian Contracts Act 1872 is identical with section 4 of the Malaysian Contracts
Act 1950. In the said case, the court decided that the section does not apply to
instantaneous communications.
Therefore, when dealing with a contract that is made via instantaneous
communication, a contract is only formed once the acceptance is communicated. That
is, when it is received. Thus, when someone calls up the offeror to make his
acceptance, the contract is complete the moment the offeror hears the words "I
accept". This is also known as the receipt rule.

Unique Situations in Cyberspace: E-mail
The next question that arises is which rule applies when dealing with contracts made
via email. Would it be the postal rule, or is it regarded as instantaneous
communication (receipt rule)?
Unfortunately, there are no clear-cut answers, for the nature of an e-mail falls
neatly into neither the postal rule nor the receipt rule.
In order to argue which rule is applicable it is best to understand the manner in which
an e-mail is sent.
First, the user must have Internet access. This may be achieved through a
telecommunications service provider which enables one to connect to the Internet,
whereas the ISP enables the message to be sent.
Since there are various ISPs, essentially a message travels from one ISP to another,
irrespective of whether it is within the same country or going to other countries. In
other words, the sender's ISP will send the message to the recipient's ISP, which will
then send the message to the actual recipient when the recipient sends a request to his
ISP to download the message that it has received.
Once the download is completed, the message actually reaches the recipient.
Application of Postal Rule
It is arguable that the postal rule is applicable as, like the post, the sender does not
know whether or not the email has arrived. The email is sent off into the Internet and
routed around by various computers until it reaches its destination. In other words,
once the sender clicks the send button, control of the message is lost, just like when
one puts the letter in the post box, control of the letter is lost.
However, if the postal rule is used, then it must be determined what exactly is meant
by "send".
Issues to consider
Is it the moment the user clicks on the button on his computer to send mail, or when
the email is routed out of the internal server? It is argued that an email should not be
regarded as sent until it has actually been taken over by the ISP. If it is still being
controlled by the internal server, then it is arguably not sent yet.
This is just like when the letter is placed in the company's "to send" tray but has yet to be
delivered. The email or letter is still within the power of the sender as it is still in
the company. It cannot be regarded as having been sent until it is outside the
company's premises.
Application of the Receipt Rule
There are strong arguments that the receipt rule should apply.

First although email does not arrive instantaneously (like telephone conversation) the
time lapses between the message being sent and arriving is negligible. Unless
something unexpected happens, the message can actually arrive within 24 hours, at
least.

There is no clear-cut answer as to which rule to use, but the ECA provides guidance:
Section 7: in the formation of a contract, offer and acceptance may be expressed by means of
an electronic message
Section 20: Time of dispatch: an electronic message is deemed to be sent when it
enters an information processing system outside the control of the originator
Section 21: Time of receipt: an electronic message is received
(a) where the addressee has designated an information processing system for the
purpose of receiving e/m, when the e/m enters the designated information processing
system; or
(b) where the addressee has not designated an information processing system for the
purpose of receiving e/m, when the e/m comes to the knowledge of the addressee.

Digital Signatures Act 1997
1. In electronic commerce, business is conducted using online transactions (electronic
communication and digital information processing technology).
2. One of the key concerns is establishing the identity of the person making the
transaction.
3. In the physical world, it is common to use handwritten signatures on handwritten or
typed messages to bind the signatory to the message.
4. Similarly, a digital signature is a technique that binds a person/entity to the digital
data. This binding can be independently verified by the receiver as well as any third
party.
5. A digital signature is a cryptographic value that is calculated from the data and a secret
key known only by the signer. Cryptography is the use of codes to secure a message and to
give authenticity to the person sending it/to confirm the sender.
Importance of Digital Signatures:
6. A digital signature serves the 3 requirements that a handwritten signature would, as
addressed in the Act: security concerns like data-origin authentication, message
integrity and non-repudiation.
7. Cryptography can provide a form of electronic signature, serving the purpose of
identifying the sender of the message (authenticating the message), ensuring it has
not been altered (ensuring integrity) and making it difficult for the signer to deny
having signed something (non-repudiation).
8. Message authentication: When the verifier validates the digital signature using the
public key of a sender, he is assured that the signature has been created only by the sender,
who possesses the corresponding secret private key, and no one else.
9. Data integrity: In case an attacker has access to the data and modifies it, the digital
signature verification at the receiver's end fails. The hash of the modified data and the output
provided by the verification algorithm will not match. Hence, the receiver can safely
reject the message, assuming that data integrity has been breached.
10. Non-repudiation: Since it is assumed that only the signer has knowledge of the
signature key, only he can create a unique signature on given data. Thus the receiver
can present the data and the digital signature to a third party as evidence if any dispute
arises in the future.
How digital signature works:
11. S. 2 Digital Signatures Act 1997:
Interpretation:
digital signature: "a transformation of a message using an asymmetric
cryptosystem"
asymmetric cryptosystem: an algorithm or series of algorithms which provide a
secure key pair
key pair: a private key and its corresponding public key in an asymmetric
cryptosystem, where the public key can verify a digital signature that the private
key creates;
private key: the key of a key pair used to create a digital signature
public key: the key of a key pair used to verify a digital signature
12. The digital signature scheme is based on public key cryptography, also known as
asymmetric cryptography. (Private key cryptography = Symmetric cryptography)
13. Asymmetric cryptography uses 2 keys, also known as a key pair: one key for
encryption and another key for decryption. (Symmetric cryptography uses a single key
for both encryption and decryption.)
14.
i) Each person adopting this scheme has a 'public-private' key pair.
ii) Generally, the key pairs used for encryption/decryption and signing/verifying
are different. The private key used for signing is referred to as the signature
key and the public key as the verification key.
iii) The signer creates his own private key. The signature itself is actually a hash: a string of
digits that may comprise numbers, letters and/or symbols. The signer hashes
the message, takes the result of the hash and encrypts it with his private
key.
iv) The signer types the pass phrase and the private key; result: digital signature
(encrypted hash).
v) The recipient decrypts the digital signature by using the public key.
vi) If the decrypted hash matches a second computed hash of the same data, it
proves that the data hasn't changed since it was signed. If the two hashes don't
match, the data has either been tampered with in some way (integrity) or the
signature was created with a private key that doesn't correspond to the public
key presented by the signer (authentication).
vii) Since the digital signature is created by the private key of the signer and no one else can
have this key, the signer cannot repudiate signing the data in future (non-repudiation).
15. A certification authority (CA) authenticates the key holders' identities.
16. The CA is a trusted third party. CAs are computerized databases that issue digital
certificates. A digital certificate is a computer record sent via a computer network.
Such a certificate usually states the CA's name, the name of the person being certified
and that person's public key.
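The sign-and-verify steps and the CA's role described above, as an added Python example that is not part of the original notes. It uses textbook RSA (hash, then transform with the private key) on small constructed keys to mirror the description; the names Alice and Mallory, the message and all function names are assumptions, and real systems use padded schemes and large random keys.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys


def make_key_pair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # private exponent = E^-1 mod phi


def digest(data, n):
    """SHA-256 of data as an integer, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private_key):
    """Hash the data, then transform the hash with the private key."""
    n, d = private_key
    return pow(digest(data, n), d, n)


def verify(data, signature, public_key):
    """Recover the signed hash with the public key; compare with a fresh hash."""
    n, e = public_key
    return 0 <= signature < n and pow(signature, e, n) == digest(data, n)


def issue_certificate(name, public_key, ca_private_key):
    """The CA binds a name to a public key by signing the pair."""
    record = f"{name}|{public_key[0]}|{public_key[1]}".encode()
    return {"name": name, "public_key": public_key,
            "ca_signature": sign(record, ca_private_key)}


def check_message(message, signature, cert, ca_public_key):
    """Recipient's checks: the certificate first, then the message signature."""
    n, e = cert["public_key"]
    record = f"{cert['name']}|{n}|{e}".encode()
    if not verify(record, cert["ca_signature"], ca_public_key):
        return "certificate rejected"
    if not verify(message, signature, cert["public_key"]):
        return "signature rejected"
    return "accepted"


# Constructed toy keys built from Mersenne primes (insecure, illustration only).
CA_PUB, CA_PRIV = make_key_pair(2**521 - 1, 2**607 - 1)
ALICE_PUB, ALICE_PRIV = make_key_pair(2**89 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key_pair(2**61 - 1, 2**107 - 1)


def run_scenarios():
    order = b"I accept your offer of 100 units at RM50 each"  # constructed message
    altered = order.replace(b"100", b"900")
    alice_cert = issue_certificate("Alice", ALICE_PUB, CA_PRIV)
    good_sig = sign(order, ALICE_PRIV)
    bad_sig = sign(order, MALLORY_PRIV)  # signed with a non-matching private key
    # Forged certificate: Alice's name and CA signature, but Mallory's key.
    forged_cert = dict(alice_cert, public_key=MALLORY_PUB)
    return {
        "genuine": check_message(order, good_sig, alice_cert, CA_PUB),
        "tampered": check_message(altered, good_sig, alice_cert, CA_PUB),
        "wrong_key": check_message(order, bad_sig, alice_cert, CA_PUB),
        "forged_cert": check_message(order, bad_sig, forged_cert, CA_PUB),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The "tampered" and "wrong_key" cases fail in the same way, which matches step vi): a hash mismatch alone does not tell the recipient which of the two happened.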
Effect of a Digital Signature
17. S. 62(2) - a document signed with a digital signature is as legally binding as a
document with a handwritten signature or thumbprint.
18. A digital signature is equivalent to a hand-written signature/thumbprint. A digitally-signed
message is deemed to be a written and original document (ss. 64 & 65).
19. Where the recipient decides not to rely on the digital signature, he must promptly
notify the sender and state the grounds for not relying on the digital signature.
20. If reliance on the digital signature is suspect but the recipient proceeds with the
transaction based on the digital signature, he assumes the risk if the digital signature is
forged. Thus the recipient assumes the burden. Should there be grounds to suspect
tampering of the document, he should notify the sender.
21. The Act will not apply to online transactions that utilize a more advanced and secure
technology.
Why?
The digital signature confines itself to the utilization of asymmetric cryptology in its
creation.
Other types of technologies which are equivalent/better do not fall under the
purview of the Act; they can still be utilized, but the Act does not apply to them.
How this law helps e-business environment?
22. The background behind the rise of electronic signatures is that in online commercial
activities, authentication is seen as very crucial.
23. The nature of e-business allows anonymous communications and non-physical
engagement in sales and purchases. Therefore, in order to obtain some assurance,
the engaging parties need to authenticate each other.
24. A digital signature is one way to accomplish this task: it employs private and public
keys which are certified by a trusted third party called a certification authority.
25. So, with the use of a digital signature, there is a verification of the genuineness and
authentication of the sender's identity by a trusted third party; furthermore, this
process will help secure the information exchanged between the trading parties.
Formation of Electronic Contracts: Rights of the Seller
26. Essentially, there are two things the seller will have to look out for:
i) Whether he is able to escape liability?
ii) What would happen if he made a mistake under the contract?
27. Exclusion Clause
Most online contracts are standard form of contracts. In all standard form
contracts, there would be inserted a clause known as the exclusion clause.
This clause is essentially a declaration by the merchant that he is not responsible
for certain actions or consequences suffered by the consumer for using a product.
(i) Validity of the clause
The terms and conditions in a contract, including an exclusion clause can only be
binding upon the parties if there has been notice before the contract is entered
into.
Two concepts must be looked at: notice and when a contract is formed.
(a) Notice
Bring the attention of the buyer to the terms of the contract before the contract is
entered into.
o Thornton v Shoe Lane Parking [1971] 2 QB
o The claimant was injured in a car park partly due to the defendant's
negligence. The claimant was given a ticket on entering the car park after
putting money into a machine. The ticket stated the contract of parking
was subject to terms and conditions which were displayed on the inside of
the car park. One of the terms excluded liability for personal injuries
arising through negligence.
o The question for the court was whether the term was incorporated into the
contract i.e. had the defendant brought it to the attention of the claimant
before or at the time the contract was made. This question depended upon
where the offer and acceptance took place in relation to the machine.
o Held:
The machine itself constituted the offer. The acceptance was by putting the
money into the machine. The ticket was dispensed after the acceptance
took place and therefore the clause was not incorporated into the contract.

(b) Before Contract
General rule: you are only bound by the terms and conditions of the contract if
they were given before the contract is entered into.
One exception to this requirement of notice for an exclusion clause is with regard
to a contract that has been signed.
o In L'Estrange v Graucob [1934] 2 KB 394
o The claimant purchased a cigarette vending machine for use in her cafe.
She signed an order form which stated in small print 'Any express or
implied, condition, statement of warranty, statutory or otherwise is
expressly excluded'. The vending machine did not work and the claimant
sought to reject it under the Sale of Goods Act for not being of
merchantable quality.
o Held:
In signing the order form she was bound by all the terms contained in the
form irrespective of whether she had read the form or not. Consequently
her claim was unsuccessful.
Adequate notice must be given before the contract is formed. Firstly, the terms
and conditions of the contract must be seen before the contract is entered into.
Secondly, the electronic contract itself must be clearly indicated.
The electronic contract must be shown in such a way that it stands out from the rest
of the terms and conditions. This can be done in a variety of ways: making the
words bold, use of capital letters or a different colour font. The normal practice of
website owners is to place the e-contract in capital letters. This appears to be
sufficient.
28. Mistake
Mistake made before entering the contract: the contract is either void or valid.
2 types: mistake of fact & mistake of law
Mistake of fact: there has been a mistake regarding the subject matter.
Mistake of law: determine which law is being referred to, Malaysian law or foreign
law. Whether the contract is void/valid depends on the type of law.
Electronic Security and Risk Management
29. What is E-Security?
- The protection of information, data, networks and computers against unauthorised
access, use or modification, including measures to detect, document and
counter such threats.
- E-security involves a whole range of measures such as risk assessment, planning
and strategy formulation, design, audit, testing, maintenance and constant
monitoring.

30. E-Security Policies
- For an E-security policy, the following basic steps should be taken:
a. Identify all assets to be protected and their corresponding value;
b. Identify the vulnerabilities of the system, the potential threats and the likelihood
of such threats occurring;
c. Write the policy;
d. Implement the policy through formal communication to the users, and continuous
training/education.
31. E-Security Audits
- Organisations should also conduct regular or periodic E-security audits to assess
the effectiveness of the policies, plans and mechanisms as well as the latest
potential threats.
- The audit should recommend countermeasures and changes, if any, to improve
overall effectiveness.

Technological Measures
32. Technological measures or mechanisms to counter cyber crime and threats to:
a) Prevention mechanisms are mechanisms that users cannot override. Examples of
such mechanisms include passwords, encryption, firewalls, anti-virus software
and spam filtering software.
b) Detection mechanisms accept that an attack will occur but aim to determine that
an attack is occurring or has occurred, and report it. Examples of such
mechanisms include intrusion detection systems.
c) Recovery mechanisms either stop an attack, assess and repair any damage
caused by that attack, or enable a system to continue to function correctly while
an attack is occurring.
33. Apart from technological measures, physical measures should also not be overlooked,
such as:
a) Servers should be located in a secure room where only authorized personnel are
allowed to enter.
b) For highly sensitive areas, technology such as biometric authentication may be
employed.
c) Access to the organisation's confidential information should be restricted.
Specific Regulatory authorities in Malaysia
34. Cyber Security Malaysia (formerly known as NISER)
An agency under the Ministry of Science, Technology and Innovation tasked with
addressing ICT security issues in Malaysia.
Cyber Security Malaysia's functions/services:
- Implements National Cyber Security Policy, i.e. defines, communicates with,
coordinates and facilitates national cyber security programmes.
- Provides specialized ICT security services and, with continued efforts, identifies
any possible loopholes which could be detrimental to national security.
- Renders its services to any party requesting assistance where the public or national
interest is at stake.

35. Malaysian Communications and Multimedia Commission (MCMC)
In relation to Cyber crime, however, the Enforcement Department of MCMC has a
primary function to conduct investigations upon receiving reports relating to the
commission of offences under the CMA.
The objective of the investigation is to ascertain whether or not the offender has
committed the offence and also to gather sufficient evidence on the offender.
MCMC has introduced its Guidelines on Complaints Handling, which set out the
principles and procedures for the making, receipt, handling and resolution of
complaints in relation to the conduct or operation of licensees under the CMA.
36. Royal Malaysian Police or Polis Diraja Malaysia (PDRM)
To investigate and prosecute computer crimes, which includes crimes committed with
the aid of a computer. The investigation and prosecution of Cyber crime by PDRM is
carried out by the CCU under the purview of Jabatan Siasatan Jenayah Komersil
(Commercial Crimes Investigation Department), one of the many departments in the
PDRM.
Reporting a Cyber crime/complaint to PDRM:
If you have encountered a security breach in your system, and depending on the
nature of the security breach, you can report it to them.
37. Attorney-General's Chambers (AGC)
Reporting a Cybercrime/complaint to the AGC:
The AGC usually collaborates with PDRM in the investigation, enforcement and
prosecution of Cybercrime. Notwithstanding the same, the public may still report any
such incident to the AGC.
