In light of the influence on social security of Internet-related crime, in 2007 Taiwan passed the amendment to the Communication Protection and Inspection Act (CPIA) to update the articles relating to the surveillance of Internet-related crimes. Moreover, the notification obligator clause was added to the Child and Adolescent Sex Trade Prevention ACT (CASTPA), and the penalty for copyright infringement over the Internet was prescribed in the Copyright Act in order to stop Internet-related crimes.
On 15 June 2007, the legislature of Taiwan passed the amendment to the CPIA which was promulgated by the President of Republic of China on 11 July 2007. The amendment mainly concerns the update of the power of issuing surveillance warrants, the scope of emergency surveillance, the supervisory agencies of relevant surveillance activities, and the evidence power of illegal surveillance. The amendment will be brought into force in five months.
Currently, a surveillance warrant is issued (1) by the district prosecutor following an application made by the police or based on his authority for cases under investigation; and (2) by the judge based on his power for cases on trial. According to Article 5.2 of the amended CPIA, for cases under investigation, the district prosecutor should record the details of surveillance in writing following the applications made by the judiciary police or based on his authority and should state the reasons and submit relevant documents before applying to the jurisdiction court for the issue of the surveillance warrant. The district prosecutor should approve and reply to the applications made by the judiciary police within 2 hours. For cases of greater complexity, the approval and reply time may be extended for another 2 hours with the consent of the chief district prosecutor.
After receiving an application for a surveillance warrant from the district prosecutor, the jurisdiction court should approve and reply to the application within 24 hours. For cases on trial, a surveillance warrant should be issued by the judge based on his authority. Also, the judge may give appropriate instructions for the surveillance in the warrant. Moreover, if an application for a surveillance warrant is rejected by the court, the district prosecutor should make no objection in any form. In other words, the power of issuing a surveillance warrant for cases under investigation has been transferred from the district prosecutor to the judge.
Furthermore, the law-enforcement authorities are given the right to initiate an “emergency surveillance” before application during the investigation of serious criminal cases according to Article 6 of the CPIA. In an investigation of serious criminal cases involving obstruction of voting, kidnapping, offence of the President and Vice President Election and Recall Act, the judiciary police may request the district prosecutor to orally notify the implemental authorities of an emergency surveillance. However, the district prosecutor should report to the jurisdiction court to apply for a make-up issue of the surveillance warrant within 24 hours. The district prosecutor’s office should appoint a responsible district prosecutor or a head district prosecutor as the emergency contact for cases involving emergency surveillance. The court should also assign a special window to take charge of the applications for surveillance warrants made by the district prosecutor, and should issue a make-up surveillance warrant within 48 hours of the acceptance of the application. Should the make-up surveillance warrant not be issued within 48 hours, the emergency surveillance should be terminated immediately.
The district prosecutor, the court of law and agencies taking charge of the country’s intelligence work are responsible for the supervision of surveillance. According on Articles 12 and 16 of the amended CPIA, regulations governing the period and supervision of surveillance are summarized as follows:
(1) The period of surveillance should not exceed 30 days for serious and emergency cases involving endangering national security or social order and blackmailing as in Article 5 of the CPIA; or for cases involving obstruction of voting, kidnapping and offence of the President and Vice President Election and Recall Act as in Article 6 of the CPIA. The responsibility of supervision is the district prosecutor's office for cases under investigation and the court of law for cases on a trial.
(2) The period of surveillance should not exceed 1 year for collecting information of foreign powers or offshore opposing powers as in Article 7 of the CPIA. Intelligence authorities should send agents to supervise the electronic surveillance equipment or to the supplier of surveillance equipment to supervise the conditions of surveillance. Should continual surveillance be needed, the implemental agency should submit concrete reasons to make a second application for surveillance two days before the end of the first surveillance period. However, the surveillance should be terminated immediately when the chief of the intelligence agency believes that it is no need to continue the surveillance before the end of the surveillance period.
Lastly, the exclusivity of the evidence power of information collected from illegal surveillance is added to Articles 5, 6, 7 and 32 of the amended CPIA. According to Articles 5 and 6, should the surveillance involve severe offence of regulations, the information or evidence collected from the surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. Additionally, according to Articles 7 and 32, information or evidence collected from illegal surveillance will not be accepted as evidence in a judiciary investigation, a trial or relevant procedure. The severity of the offence should be determined by the judge based on individual cases.
Child pornography is easily distributed because of the advancement of Internet communication; and the prepubescent pornography market is expanding as a result. The legislature of Taiwan thus passed on 15 June 2007 the amendment to the CASTPA that was promulgated by the President of Republic of China on 4 July 2007. In the amendment, neighborhood heads, ISPs and telecommunication system providers are the obligator of notification, and “possessors” of child pornography are to be penalized.
According to the explanatory statement of the act, child pornography is the permanent record of the abuse of the victims. This will inflict continual damage on the victims. Moreover, child pornography is considered a “serious child exploitation” all over the world. Therefore, there is an international understanding to penalize the possession of child pornography. Before the amendment, Article 28 of the statue simply penalizes people distributing and selling child pornography in the form of disc, videotape and printing. Those deliberately distributing, broadcasting and/or selling child pornography in the form of pictures, videotape, film, disc, electronic signal or other form will be penalized by imprisonment for a term of less than 2 years and with a fine of under NT$2 million. [In the amendment,] those deliberately distributing, broadcasting and/or selling child pornography are penalized and imprisonment for a term of less than 3 years and with a fine of under NT$5 million.
While child pornography inflicts continual damage on the victims, Article 28.3 has been added to statute. According to this new Article, those in possession without a proper reason of pictures, films, videotapes, discs, electromagnetic recordings and/or other articles containing sexual intercourses or acts of indecency by people under 18 are to be penalized. In this case, the “possession” of child pornography is penalized. The penalization falls into two stages: competent authorities of municipalities and local counties and cities may order the offender to receive guidance education for 2-10 hours if he/she is detected possessing child pornography without a proper reason for the first time; if offenders are detected for the second time or more, they will be fined NT$20000 to NT$200000. The amendment also refers to the legislation in Canada and the Netherland to reduce the scope of “proper reasons for possession” to scientific study, education and for medical treatment purposes in order to protect prepubescent children from sexual exploitation.
Moreover, the amendment has expanded the scope of the notification obligator by including ISPs and telecommunication system providers as the notification obligator. While the Internet and mobile phones are widely used by the public and prepubescent children often receive pornographic information via the chat rooms on the Internet and SMS, this will cause many side effects on prepubescent children in the absence of appropriate management and protection. According to the statistics provided by the Ministry of the Interior, about 300 prepubescent children are sexually assaulted every year from online dating. According to The Garden of Hope Foundation, 40% of sex trade with prepubescent girls found in Taipei County during 2003-5 was conducted over the Internet, and it was 100% for prepubescent boys. It is thus clear that the Internet has become a platform for distributing child pornography.
ISPs and telecommunication system providers are included as the notification obligator in Article 9 of the amended statute. Therefore, if they do not notify the authorities in the knowledge of child pornography, they will be fined NT$6000-NT$30000 according to Article 36 of the statue. Therefore, neighborhood heads, ISPs and telecommunication system providers must notify the local competent authorities or authorities specified in Article 6 of any prepubescent children who engage or probably engage in the sex trade in their knowledge. This is designed in order to strengthen the notification and prevention functions and to effectively stop those who deliberately use chat rooms on the Internet and SMS to engage in true sex trade in the disguise of online dating.
Though the scope of notification obligation has been expanded in the amendment to the CASTPA to strengthen the notification and prevention mechanisms of prepubescent children sex trade and to define the notification obligations of the supplier and provider of SMS, network chat rooms, BBS, blogs and e-news services, many problems arise as a result. First, when telecommunication system providers have the obligation of notification, they also need to submit relevant evidence. However, this may involve the infringement of privacy of communication. If telecommunication system providers must not commit illegal surveillance, they are unable to acknowledge the contents of communication of consumers. In this case, how can they notify any crime? On the other hand, though information over the Internet is open to the public, it is a tough question for law enforcement officers to provide solid evidence proving that the administrator of online chat rooms and blogs has failed to perform his obligation of notification.
The online music downloading service debate has become a heated issue in recent years for the following reasons: “to select only the songs I like”, “comprehensive repertoires”, and “convenience”. According to the Online Music Downloading Survey by the Secure Online Shopping Association (SOSA), 85% consumers have tried the online music downloading service, thus giving rise to the comprehensive online music downloading software and services. However, to attract consumers with files containing unlicensed music, video or other files and charge users of such services, some ISPs provide computer programs or technologies, e.g. point-to-point (P2P), for users to exchange such outlawed materials and charge users for such services. Such acts of making profit from copyright infringement has inflicted disputes in copyright infringement.
For example, the IFPI’s accusation in 2003 of Kuro, a P2P platform provider, is the first convicted case of P2P music downloading service in Taiwan. Though the software supplied by Kuro is a neutral technology which is not illegal, Kuro recruited members and charged them membership fees for allowing them to illegally downloading, exchanging and reproducing a large amount of unlicensed copyrighted materials with such software and the platform services it supplies. Kuro also advertised that consumers can download tens of thousands of the latest popular songs with the Kuro software and even encouraged members to download them. Therefore, the court decided that Kuro and its members who have practically downloaded copyrighted music illegally are guilty of copyright infringement.
On the other hand, ezPeer, another P2P downloading platform provider, was not found guilty of copyright infringement because no law was practiced at that time to prohibit or restrict the use of P2P software. Also, as a transfer platform, ezPeer offers comprehensive functions and it is thus not a tool for committing crime. Even some users transfer or download unlicensed copyrighted materials with this tool, there is possibility for the non-liability reasonable use. Moreover, ISPs have no filtering obligations in the Copyright Act of the ROC. Therefore, even consumers may use the services for illegal activities, P2P service providers are not an accomplice.
Therefore, to define the liabilities of P2P platform providers, the legislature of Taiwan passed on 14 June 2007 the amendment to the Copyright Act to include P2P software providers in governance of the act. In the future, platform providers will be prohibited by the Copyright Act from charging members for unlicensed activities. New objects of copyright infringement are added to the amendment, and the amendment includes the addition of Article 87.1.7, 87.1.2, and 97.1; and the revision of Article 93.4.
According to Article 87.1.7, attempt to allow the public to openly transfer or reproduce works of others without prior consent or licensing from the owner is copyright infringement, and supply of computer programs and/or technologies that can be used for public transfer and/or reproduction of such for the purpose of making profits is deemed as copyright infringement. As the supplier of computer programs and/or technologies is the focus of this article, behaviors categorized based on this article must also meet the following requirements: (1) attempt to allow the public to download and/or transfer over the Internet copyrighted materials without prior consent or licensing of the copyright owner; (2) the act of supply of computer programs and/or technologies; (3) and making profits from such behaviors. In other words, the focus of the amendment is to prohibit providers by written law from supplying computer programs and/or technologies for users to transfer and/or exchange unlicensed music, video and/or other copyrighted materials and from charging users or making profits from such services. However, the amendment has adopted the principle of technology neutrality and specifies that P2P software providers will only be penalized when they have the act of making profit and the intention of copyright infringement in order not to prevent technological development and to save ISPs from breaking the law all the time.
As the “intention” of copyright infringement is the criterion of judgment, Article 87.2 is added to the Copyright Act in the present amendment. According to this article, whether or not the doer instigates, guides or incites in advertisements or other active actions the public to use the computer programs and/or other technologies it supplies to commit copyright infringement is the criterion for determining the “intention” of copyright infringement. Also, the court will determine with severity whether or not the advertisements or other active actions are ready for instigating, guiding or inciting the public use the computer programs and/or other technologies the doer supplies to commit copyright infringement.
In general, when providers offer services, such as web photo albums, BBS, instant messengers, auctions, web disks and online discussions, it is not their initial intention to supply software and/or technologies for users to illegally download and/or transfer the copyrighted materials of others, nor do they encourage, instigate, guide, incite and/or convince users to commit copyright infringement. Even such software can be used for transferring and/or distributing unlicensed copyrighted materials, providers must not be restricted, and it should be the users who take the liability of copyright infringement.
After the enactment of the amendment, providers who make profit from supplying software for others to distribute unlicensed copyrighted materials and encourage users to exchange such materials with the software are to be penalized by imprisonment for a term of less than 2 years, community service, or fined, or penalty together with a find of under NT$500000 according to Article 93. Moreover, by adding Article 97.1, the competent authorities are entitled to order ISPs to shutdown or close the business when they are convicted for the abovementioned offences and refuse to stop such illegal acts after being determined for “severe copyright infringement” and “severely injury of the benefits of the copyright owner”.
After this amendment of the Copyright Act, service providers can no longer use the excuse “we simply provide a service platform and have no right to check the behavior of consumers” as an escape of their liabilities. In fact, P2P service providers who charge users monthly fees for the P2P software, such as Kuro and ezPeer, have already signed licensing agreements with music companies before the enactment of this amendment. Therefore, the music they provide for users to download is no more unlicensed copyrighted materials. Therefore, the amendment has certain effect on improving copyright protection.
Regarding the issue of critical infrastructure protection, the emphasis in the past was put on strategic facilities related to the national economy and social security merely based on the concept of national defense and security1. However, since 911 tragedy in New York, terrorist attacks in Madrid in 2004 and several other martial impacts in London in 2005, critical infrastructure protection has become an important issue in the security policy for every nation. With the broad definition, not only confined to national strategies against immediate dangers or to execution of criminal prevention procedure, the concept of "critical infrastructure" should also include facilities that are able to invalidate or incapacitate the progress of information & communication technology. In other words, it is elevated to strengthen measures of security prevention instead. Accordingly, countries around the world have gradually cultivated a notion that critical infrastructure protection is different from prevention against natural calamities and from disaster relief, and includes critical information infrastructure (CII) maintained so that should be implemented by means of information & communication technology into the norm. In what follows, the International CIIP Handbook 2008/2009 is used as a research basis. The Subjects, including the coverage of CIIP, relevant policies promoted in America, are explored in order to provide our nation with some references to strengthen the security development of digital age. 1. Coverage of Important Critical Information Infrastructures Critical infrastructure is mainly defined in "Uniting and Strengthening our country by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, as known as Patriot Act of the U.S., in section 1016(e)2 . The term ‘critical infrastructure’ refers to "systems and assets, whether physical or virtual, so vital to our country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." In December 2003, the Department of Homeland Security (DHS) promulgated Homeland Security Presidential Directive 7 (HSPD-7)3 to identify 17 Critical Infrastructures and key resources (CI/KR) ,and bleuprinted the responsibility as well as the role for each of CI/KR in the protection task. In this directive, DHS also emphasized that the coverage of CI/KR would depend on the real situations to add or delete sectors to ensure the comprehensiveness of critical infrastructure. In March 2008, DHS added Critical Manufacturing which becomes the 18th critical infrastructure correspondent with 17 other critical infrastructures. The critical infrastructures identified by DHS are: information technology, communications, chemical, commercial facilities, dams, nuclear reactors, materials and waste, government facilities, transportation systems, emergency services, postal and shipping, agriculture and food, healthcare and public health, water, energy (including natural gas, petroleum, and electricity), banking and finance, national monuments and icons, defense industrial Base, and critical manufacturing. 2. Relevant Policies Previously Promoted With Critical Infrastructure Working Group (CIWG) as a basis, the President's Commission on Critical Infrastructure Protection (PCCIP) directly subordinate to the President was established in 1996. It consists of relevant governmental organizations and representatives from private sectors. It is responsible for promoting and drawing up national policies indicating an important critical infrastructure, including natural disasters, negligence and lapses caused by humans, hacker invasion, industrial espionage, criminal organizations, terror campaign, and information & communication war and so on. Although PCCIP no longer exists and its functions were also redefined by HDSP-7, the success of improving cooperation and communication between public and private sectors was viewed as a significant step in the subsequent issues on information security of critical infrastructure of public and private sectors in America. In May 1998, Bill Clinton, the former President of the U.S., amended PCCIP and announced Presidential Decision Directive 62, 63 (PDD-62, PDD-63). Based on these directives, relevant teams were established within the federal government to develop and push the critical infrastructure plans to protect the operations of the government, assist communications between the government and the private sectors, and further develop the plans to secure national critical infrastructure. In addition, concrete policies and plans regarding information security of critical infrastructure would contain the Defence of America's Cyberspace -- National Plan for Information Systems Protection given by President Clinton in January, 2000 based on the issue of critical infrastructure security on the Internet which strengthens the sharing mechanism of internet information security messages between the government and private organizations. After 911, President Bush issued Executive Order 13228 (EO 13228) and Executive Order 13231 to set up organizations to deal with matters regarding critical infrastructure protection. According to EO 13228, the Office of Homeland Security and the Homeland Security Council were established. The duty of the former is mainly assist the U.S. President to integrate all kinds of enforcements related to the protection of the nation and critical infrastructure so as to avoid terrorist attacks, while the latter provides the President with advice on protection of homeland security and assists to solve relevant problems. According to EO 13228, the President's Critical Infrastructure Protection Board directly subordinate to the President was established to be responsible for offering advice on polices regarding information security protection of critical infrastructure and on cooperation plans. In addition, National Infrastructure Advisory Council (NIAC), which consists of owners and managers of national critical infrastructure, was also set up to help promote the cooperation between public and private sectors. Ever since the aforementioned executive order, critical infrastructure protection has been more concrete and specific in definition; for instance, to define critical infrastructure and its coverage through HSPD-7, the National Strategy for Homeland Security issued in 2002, the polices regarding the National Strategy to Secure Cyberspace and the National Strategy for Physical Protection of Critical Infrastructure and Key Assets addressed by the White House in 2003; all of this are based on the National Strategy for Homeland Security. Moreover, the density of critical infrastructure protection which contains virtual internet information security was enhanced for the protection of physical equipment and the protection from destruction caused by humans. Finally, judging from the National Infrastructure Protection Plan (NIPP), Sector-Specific Plans (SPP) supplementing NIPP and offering a detailed list of risk management framework, along with National Strategy for Information-Sharing, the public-private partnership (PPP) and the establishment of information sharing mechanism are highly estimated to ensure that the network of information security protection of critical infrastructure can be delicately interwoven together because plenty of important critical infrastructures in the U.S. still depend on the maintenance and operation of private sectors. 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands:A Quick-scan”. In:Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf (last accessed at 20. 07. 2009) 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 1.Cf. Luiijf, Eric A. M. , Helen H. Burger, and Marieke H. A. Klaver, “Critical Infrastructure Protection in the Netherlands:A Quick-scan”. In:Gattiker, Urs E. , Pia Pedersen, amd Karsten Petersen (eds. ) . EICAR Conference Best Paper Proceedings 2003, http://cip.gmu.edu/archive/2_NetherlandsCIdefpaper_2003.pdf (last accessed at 20. 07. 2009) 2.For each chapter of relevant legal cases, please visit http://academic.udayton.edu/health/syllabi/Bioterrorism/5DiseaseReport/USAPatriotAct.htm. The text regarding the definition of critical infrastructure is cited as "Critical Infrastructure Defined- In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matter. " 3.Introduction of Consumer Protection in Taiwan , Republic of China , Consumer Protection Commission (CPC), Executive Yuan.http://www.fas.org/irp/offdocs/nspd/hspd-7.html ( Last visit 2008/6/27 )
The legal challenges of ubiquitous healthcareWhereas the burden of private nursing for the elderly is getting heavier, industrialized countries with an aging society are endeavoring to seek possibilities of reducing the unit healthcare cost, such as technology assistance, and even the introduction of the brand new care type or model, which is an emerging application field of increasing importance. The development of such kind of healthcare industry not only is suitable for aging societies but also coincides with the growing health management trend of modern people. Also, while the focus on acute diseases in the past has changed to chronic diseases which are common to most citizens, the measuring and monitoring of physiological indicators, such as blood pressure, pulse, blood sugar and uric acid have critical effects on condition control. However, it will mean huge financial and physical burdens to the elderly or suffering from chronic diseases if they need to travel to hospitals to measure these physiological indicators. At this moment, an economical, reliable and timely physiological information collection and transfer system will be technology with good potential. For this reason, the purpose of this study is to investigate the potential business opportunities by applying the emerging information technology (IT) to the healthcare industry and the derivative legal and regulatory issues, with a focus on the seamless healthcare industry. It is hoped that by assessing the opportunity and risk in terms of legal and strategic analysis, we can single out the potential imbalance of fitting seamless healthcare, an IT-enabled service (ITeS), in the conventional control framework, and thereby establish a legal environment more appropriate for the development of the seamless healthcare industry. Referring to the existing electronic healthcare classification, the industry is divided into the following four blocks: electronic content provider, electronic product provider, electronic linking service provider and electronic passport service provider. Also, by depicting the outlook of the industry, the mode of application and the potential and common or special legal problems of different products are clarified. Given that health information collected, stored and transferred by electronic means involves unprecedented risk in information privacy and security, and that the appropriate control of such risk will affect the consumer’s faith in and willingness to subscribe seamless healthcare services, this study analyzed the privacy framework of the USA, the EU and Taiwan. Results indicate that future privacy legislation in Taiwan should include the protection for non-computer-processed personal information, expand the scope and occupation of applications, reinforce control incentives, and optimize the privacy protection mechanism. Further, only when service providers have the correct and appropriate concept of privacy protection can the watch-and-wait attitude of consumers be eliminated. These can help to promote subsequent development of the industry in the future. Due to the booming international trade as a result of globalization, and the gradual opening of the domestic telecommunication and healthcare markets following Taiwan’s entry into the WTO, transnational distance healthcare will gradually become a reality. However, the determination of the qualifications of practitioners is the prerequisite of transnational healthcare services. Taiwan may also consider lowering the requirements for physicians to practice in other countries and thereby to enhance the export competitiveness of Taiwan’s healthcare industry by means of distance healthcare via endorsement or reciprocity. Lastly, whereas the risks distance healthcare involves are higher than conventional healthcare services, the sharing of burdens and disputes over applicable laws in case of damages are the gray areas for executive control or judicial practice intervention. For this reason, service providers are unwilling to enter the market because the risks are too unpredictable. Therefore, this study recommends that the insurance system for distance healthcare should be the focus of future studies in order to promote the development of the industry.
Open Government Data in TaiwanIn the recent years, the tide of open movement has pushed vigorously from the open source software, open hardware and the recent open data. More and more countries have joined the global initiative of open government data in order to achieve the ultimate goal to promote the democratic governance. National government adopts open data policy to enhance the transparency, participation and collaboration of the citizen into the government operation. Meanwhile, fueled by the knowledge economy and the statistical analysis of the big data technology, open government data could work as the catalyst to individuals, industries and government agencies to transform data into potential knowledge-based services. Up to the end of 2013, there are around 77 countries have adopted the Open Government Data policy. Taiwanese government also declared to take part in the open data revolution. The government had officially launched the open data policy in 2012. In Resolution No. 3322, the Executive Yuan prescribes that open government data could enhance the transparency of the government; improve the quality of life of people; and meet the needs of the industry. Governmental agencies under the authority of the Executive Yuan shall to recognize the importance of the empowerment brought from open government data to the quality of the decision-making process and asked the agencies to implemented the policy from the perspectives of the user’s needs and applications, and also the consider to include machine readable format for the data. The Executive Yuan directed the Research, Development and Evaluation Commission (RDEC)(行政院研究發展考核委員會) to develop related principles and measures to support government agencies of the Executive Yuan to plan, execute and open up their data. At the same time, it also directed the Industrial Development Bureau(IDB), Ministry of Economic Affairs (MOEA) (經濟部工業局)to develop responsive strategies to cope with the industrial development. Pursuant to the Resolution No. 3322 of the Executive Yuan, RDEC worked through the open government data related laws and regulations, proclaimed the “Open Government Data Operating Principle for Agencies of the Executive Yuan”(行政院及所屬各級機關政府資料開放作業原則)and the “Essential Requirements for Administrate Open Government Data Datasets” (政府資料開放資料集管理要項)in the early 2013. All government agencies of the Executive Yuan have to adopted the following 3 open government data steps:"open up government data for public use”, “provide data free of charge subject to certain exemptions”, "automated systematic release and exchange data”, and work in with 4 open government focus strategies: “release data actively and by the priority in the field of daily necessity”, “develop the norm of open government data”, “promote the use of Data.gov.tw”, and “demonstrate and advocate open government data services”. Ministry of Economic Affairs (MOEA) (經濟部工業局)also provided grants ($9,200 NTD) to the open government data value-added applications and development. The open government data platform (data.gov.tw) was launched in July, 2013, as the official Taiwan government site providing public access and reuse of government data sets from 62 government agencies of the Executive Yuan, including the Ministry of Interior (MOI)(內政部), Ministry of Foreign Affairs (MOFA)(外交部), Ministry of Economic Affairs (MOEA)(經濟部), Council for Economic Planning and Development (CEPD)(行政院經濟建設發展委員會), Hakka Affairs Council (HAC)(客家委員會), Water Resources Agency, Ministry of Economic Affairs (WRA) (經濟部水利署), and 4 local governments. At the end of 2013, each government agency is required to release at least 55 data sets. In addition, the rising tide of private-sector (individual or enterprise) also aims to mine the gold in open government data. Act upon the National Information and Communication Initiative (NICI)(行政院國家資訊通信發展推動小組)in the consultation of the open government data policy, Taipei Computer Association (TCA)(台北市電腦同業工會)organized the “Open Data Alliance” (ODA)(Open Data聯盟)as a bridge between the information provide-side (public sectors) and the demand-side (private sectors), to communicate and coordinate the expectations and needs from communities (bottom-up) towards open government data. On Dec. 11, 2013, Taiwan took one more step in the global open data initiative. Open Data Alliance (ODA) and the Open Data Institute (ODI) in UK signed the memorandum of understanding (MOU) and announced the alliance established to promote and explore the potential opportunities of open data holds for the public, private and academic sectors. The engagement of ODA and ODI could bring another catalyst for the open movement in Taiwan to take one big step in the international community. According to a survey from ODA, the biggest challenge so far is the available data sets do not really meet the needs of the industry. And most of the feedback reflects the concerns in licensing, charge, frequency of updates, data formats and data quality. These voices echo the open government data issues encountered in many countries. There are still some obstacles with the applicable laws and regulations (for example, Charges and Fees Act, Personal Data Protection Act, Accoutability & Liability etc.) wait to be solved before both public and private sectors to go onto the next level of open data development.
The approaches to promote critical infrastructure protection in JapanThe approaches to promote critical infrastructure protection in Japan are illustrated below: 1. Coverage of Critical Information Infrastructure In the "Action Plan on Information Security Measures for Critical Infrastructure" promulgated by the Information Security Policy Council (ISPC) in 2005, critical infrastructure is defined as: Critical infrastructure which offers the highly irreplaceable service in a commercial way is necessary for people's normal lives and economic activities, and if the service is discontinued or the supply is deficient or not available, it will seriously influence people's lives and economic activities. Based on the definition of the action plan, the critical infrastructure contains: telecommunication systems, administration services of the government, finance, civil aviation, railway, logistics, power, gas, water, and medical services 2. Promoted Relevant Policies of The Past The issues regarding the CIIP are gradually being developed with the norm of information social security policy in Japan. Adopting the Action Plan of the Basic Guidelines Toward the Promotion of an Advanced Information and Telecommunications Society of 1998 proposed by the Japanese government in 1998 as a basis. The Japanese government keeps presenting polices of improvement for the relevant issues in order to acquire the stable development of telematics and telecommunications. Several years later, the Ministry of Economy, Trade, and Industry (METI) announced the Comprehensive Strategy on Information Security in 2003. The formulation of the strategy not only emphasizes the possible telematics-related risks and protection against threats that may be encountered in the information society, but it also enhances the level of information security to the level of national security and presents a comprehensive information security improvement program. Furthermore, the submission of the strategy has identified government’s responsibility in the development of information security Therefore, a division which is solely responsible for information security was established in the Cabinet Secretariat and is devoted to the development of it. In 2005, the Ministry of Economy, Trade, and Industry (METI) amended the Comprehensive Strategy on Information Security and announced the First National Strategy on Information Security based on the creation of a policy of a long-term information security task in Japan which is also the foundation for the policy of guidelines and action security concerning critical information infrastructure. This is in addition to being the most important basis for the policy of information security development. The strategy is different from the Comprehensive Strategy on Information Security in connotation. In the range of information security protection, it not only maintains information security from the perspective of the government; for instance, to divide the rights and duties on information security protection practices between the central government and the local government, and to strengthen the capacity of the government to solve emergencies such as cyber attacks, but it also tries to employ the public-private partnership on the CIIP issue to construct an extensive information security protection and to develop a Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR): one similar to the ISAC of America, to strengthen the information sharing and analysis of information security of all industry involved. According to the strategy, the METI established the Information Security Policy Council (ISPC) and the National Information Security Center (NISC) under the subordination of the Cabinet Secretariat in order to reach a goal of dependable society of information security.1 Finally, the information security policies more directly related with the CIIP are the Action Plan on Information Security Measures for Critical Infrastructure and the Standards for Information Security Measures for the Central Government Computer Systems, both of which regulate CI-related threats, information security standards, public-private partnership information sharing system, and the levels of information security standards between different governments and critical infrastructures, respectively. 3. Oraganization Framework Generally speaking, the Cabinet Secretariat is the main division of the CIIP and the information security for the Japanese government, while the ISPC and the NISC established under the Cabinet Secretariat in 2005 are the core organizations for the development of the CIIP policy. In addition, the National Policy Agency (NPA) and the Ministry of Internal Affairs and Communications (MIC) also played an important role in assisting the Cabinet Secretariat with critical infrastructure protection. The part of public-private partnership is covered by the CEPTOAR which takes the responsibility for information sharing and analysis of information security between the government and private organizations. 4. Notification System For critical infrastructure protection, Japan has set up a warning and notification system in addition to the emphasis on fundamental information security protection. With the concept of public-private partnership, various messages related with information security are analyzed and shared in order to prevent information security incidents from occurring. The network of notification system in Japan mainly consists of several organizations as listed below. (1) National Incident Response Team The National Incident Response Team (NIRT) which is the information security office under the Cabinet Secretariat in the organization framework belongs to the Computer Emergency Response Team (CERT)2 and is first in line in the government to handle internet emergencies. According to the Action Plan for Ensuring e-Government's IT Security, the NIRT which consists of 17 experts from the government and the private organizations is responsible to (1) accurately understand and analyze emergencies, (2) develop technical strategies to solve and rehabilitate emergencies to prevent incidents from reoccurrence, (3) provide other governmental organizations the assistance to solve the information security issue, (4) collect and analyze information or intelligence so that effective solutions and strategies may be provided when an incident happens, (5) provide the governmental organization with professional knowledge and information, and (6) enhance and improve all knowledge pertinent to information security. The Japan Computer Emergency Response Team Coordination Center (JPCERT/cc) is the first Computer Security Incident Response Team (CSIRT) established in Japan. It consists of internet service suppliers, security products/service suppliers, governmental agencies, and associations of industry & commerce. The JPCERT/CC is also a member of the Asia Pacific Computer Emergency Response Team (APCERT) and a member of the Forum of Incident Response and Security Teams (FIRST). It coordinates and integrates prevention measures pertinent to information security and is consistent with other CSIRTs. (3) Telecom Information Sharing and Analysis Center In Japan, besides the mechanism responsible to notify the government, which functions as a bridge for communication between it and all those outside of it, the mechanism of information sharing and notification is also established among industries to provide each with a channel for information exchange and consultation. In 2001, Japan established the Telecom Information Sharing and Analysis Center Japan (Telecom-ISAC Japan). In addition to real-time inspection for computer intrusion incidents and conducting information collection and analysis, the Telecom-ISAC Japan proposes to e-government many suggestions related with the Transact-SQL issue as well. The reasons for launching the Telecom-ISAC are to instantaneously detect a computer intrusion incident, and to instantaneously gather and analyze its information, and then exchange this with other telecom carriers and offer them relevant countermeasures for precaution; so that in can reach the goal of ensuring telecom security since it is an important infrastructure concerning social economy. (4) Cyber Force The reasons for launching the Cyber Force are to maintain the security to use the internet by regularly "patrolling" it, searching for evidence of internet crime, and to notify the critical infrastructure operators about any unusual internet use so as to prevent the occurrence of cyber terror attacks. The Cyber Force also assists operators to solve and diminish the damage and influences when an incident occurs. (5) Portal Site of National Police Agency The National Police Agency owns the portal site "@police". It exists to prevent large-scale cyber emergencies and to provide gathered information concerning information security to government. In addition to providing the techniques related with the safe use of computer networks, @police is also dedicated to educating internet users about the concept of information security and to increase security awareness. (6) Ministry of Economy, Trade and Industry Since 1990, the Ministry of Economy, Trade and Industry (METI) has cooperated with the JPCERT/CC and the Information Technology Promotion Agency (IPA) to provide reports on virus, intrusion, and the damage caused by them, to remind the public to pay attention. 5. Legal Norms The laws regarding critical infrastructure protection in Japan are illustrated as follows: (1) Unauthorized Computer Access Law of 1999 The Unauthorized Computer Access Law includes various conducts such as cyber intrusion, and data thefts, into the norms of criminal punishment to deter cyber crimes from spreading in order to ensure the safety of the critical information infrastructure. (2) Act on Electronic Signatures and Certification Business of 2000 With the formulation of the Act on Electronic Signatures and Certification Business, the smooth promotion of the electronic signature system is ensured and the circulation and process of electronic communication can be fostered further. (3) Basic Law on Formation of an Advanced Information and Telecommunication Network Society of 2001 Through the formulation of the Basic Law on Formation of an Advanced Information and Telecommunication Network Society, the legal basis to execute an information technology policy is enhanced, and the direction and job content for the government to execute this policy is explicitly stated. 1.http://www.nisc.go.jp/eng/pdf/national_strategy_001_eng.pdf(last accessed date: 2009/07/20). 2.http://www.nisc.go.jp/en/sisaku/h1310action.html(last accessed date: 2009/07/20).