Implementing Information Security to Protect Individuals' Privacy

The Research on Cybersecurity Risks in 5G network: Perspectives on Global strategy I. The characteristics of 5G and cybersecurity threats 　　Compared to 4G, 5G adopts several new designs on the network architecture, such as software-defined networking (SDN), a baseband unit (BBU), logical disjunction, network function virtualization (NFV), and multi-access edge computing (MEC), to provide users with high-speed, low-latency and other quality services, as well as flexibility and expansibility to accommodate more emerging applications. 　　According to the three key usage scenarios (see Figure 1) defined by the International Telecommunication Union (ITU), enhanced mobile broadband access (eMBB) provides high-volume mobile broadband services such as AR/VR or ultra-high-definition video. Massive machine type communication (mMTC) provides large-scale IoT services. Ultra-reliability and low latency communication (uRLLC) can be used for services that require low-latency and high-reliability connections, including unmanned driving and industrial automation. 　　However, with 5G’s open, flexible and extensible design, as well as its coexistence with other 4G and 3G systems in the early stage of commercial operation, the cybersecurity threats facing 5G networks are more severe and diverse than the past mobile phone generations. At present, the known 5G cybersecurity threats mainly come from network functional components and connection interfaces among components, including the terminal device, access network, air interface, cloud virtualization, multi-access edge computing rental, core network, back-end/backbone network, roaming and external services, and so on. Source: ITU Figure　1Three key 5G scenarios by the ITU II. Cybersecurity strategy development in major countries 　　5G is not only one of the critical infrastructures, but also an important foundation for pursuing a digital nation, digital economy, the industrial 4.0, and for promoting industrial transformation for upgrading. However, different scenarios require different cybersecurity protection levels, which poses great challenges to both mobile network operators and service providers. 　　Therefore, the construction of favorable environment for 5G development, the promotion of relevant applications and the development of innovative services and so on, have become the priority of governance in the countries around the world. 1. European Union (EU) 　　Then European Commission President Jean-Claude Juncker noted in 2017 that “Cyber-attacks can be more dangerous to the stability of democracies and economies than guns and tanks…Cyber-attacks know no borders and no one is immune,” indicating the EU's high priority in the cybersecurity field. 　　The "Digital Single Market," an important EU policy, lays the foundation for digital economy based on "cybersecurity, trust and privacy." In response to the loss of billions of euros a year in cyber attacks, the EU has taken a series of measures to safeguard and advance the development of the Digital Single Market. For the purposes of this strategy, the European Commission in 2018 came up with the policy of Resilience, Deterrence and Defence: Building strong cybersecurity for the EU,[1]with the aim of improving the level of cyber security, cyber resilience and trust in the EU, and in June 2019 passed the Cybersecurity Act [2] with two highlights described as follows: (1) Strengthen the authority of the European Union Agency for Network and Information Security (ENISA)(see Figure 2), increase the allocation of human and financial resources to ENISA, as well as the preparation for the work items related to the cybersecurity industry, and reinforce cyber security support for EU member states. (2) Establish the EU cybersecurity certification framework. [3] 　　In the European Union, where different cybersecurity certification schemes already exist, the absence of a common certification regime would increase the risk of fragmentation of the single market. For this reason, a set of technical requirements, standards and procedures are provided under this framework to assess whether information/communication products, services and processes are in compliance with security requirements. 　　The certification program includes product and service categories, information/communication security requirements (e.g. reference standards or technical specifications), types of assessment (e.g. self-assessment or third-party assessment), levels of security, and so on. All member states agree that certification not only facilitate cross-border business transactions, but also enable consumers to better understand the security of products and services. Source: Compiled from the ENISA websit Figure　2 ENISA organization and authority strengthening 2. the United States (U.S.) 　　In consideration of cyber security affairs in the country, the US Department of Homeland Security (DHS) in May 2018 unveiled the "Cybersecurity Strategy,"[4] which focused on the objectives and priorities of the U.S. government in future cybersecurity protection, identifying and managing national cybersecurity risks with the overall risk management approach, and addressing security threats to the country, critical infrastructures and private enterprises, as well as preventing cybercrimes. 　　Then the White House in September 2018 released the National Cyber Strategy of the United States of America, [5] based on the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [6] issued in May 2017, stating the strategy and position of the United States against the threat of cyber- attacks. The strategic goal aimed to, by safeguarding cybersecurity, protect the American people, the homeland, and the American way of life, to build a secure digital economic environment, to promote American prosperity, and strengthen cooperation with partners to deter malicious cyber attackers, so as to maintain peace and security, and continue to expand U.S. influence. 　　The department in July 2019 published the Digital Modernization Strategy [7] to announce its national defense strategy in the digital environment, including the use of cybersecurity, AI, cloud computing, blockchain and other technologies in information security protection to create a more secure, coordinated and efficient platform and improve the security of intelligence transmission and processing. 3. Canada 　　Public Safety Canada in June 2018 released the National Cyber Security Strategy, [8] with the vision of a sustainable, robust cybersecurity environment, innovation and prosperity. Through international cooperation and a domestic public-private partnership, the department has been working on three goals: 1. cyber security and resilience (to reduce cybercrime and ensure Internet privacy; 2. Internet innovation (to create a friendly environment for the development of cybersecurity startups); 3. government leadership and cooperation (to transfer government-owned cybersecurity knowledge to the private sector and set up a cybersecurity governance framework). 　　The Canadian government also attaches great importance to critical infrastructure. In May 2018, the National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure [9] was unveiled to facilitate information sharing between public and private partners through sharing and protecting intelligence, and implementing a full risk management approach. Moreover, Public Safety Canada in April 2019 issued a report called Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, which provided guidelines and suggestions for action on internal risks in critical infrastructure organizations.[10] 4. Singapore 　　The government of Singapore in 2018 promulgated the Cybersecurity Act, [11] which aimed to fulfill the vision of a Smart Nation by enacting and putting into effect cybersecurity regulations to achieve the goal of a resilient infrastructure and a more secure cyberspace, and to strengthen the protection of critical information infrastructure against cyber-attacks. The Cyber Security Agency of Singapore (CSA) was given the authority to prevent and respond to cybersecurity threats, and to set up a system for sharing security information, as well as a light-touch licensing system for cybersecurity service providers.[12] 　　The Government of Singapore has appointed a Commissioner of Cybersecurity responsible for promoting domestic cybersecurity policy. To safeguard Singaporeans from cybersecurity threats, [13] the government particularly laid down cybersecurity threat or incident response provisions in Chapter 4 of the Cybersecurity Act to empower the Commissioner of Cybersecurity to investigate cybersecurity threats and incidents, such as requiring the parties to the incidents to present statements in person or in writing, producing documents or provide information and so on.[14] 5. Australia 　　The Australian government in 2016 proposed a four-year "Australia's Cyber Security Strategy,"[15] which was expected to invest more than 230 million Australian dollars to strengthen Australia's cyber security capability and complete the following five aspects: national cyber partnership, strong cyber defenses, global responsibility and influence, growth and innovation, and a cyber smart nation. 　　As for the global responsibility and influence, the Australian government in 2017 announced the "Australia's International Cyber Engagement Strategy."[16] which aims to strengthen digital trade, to improve cybersecurity and to response to cybercrime through international cooperation; encourage innovative cybersecurity solutions; provide security advice and best practices, such as Essential Eight strategies[17] to mitigate cyber-attacks; establish the Pacific Cyber Security Operational Network (PaCSON) [18] with neighboring countries to develop regional cybersecurity capabilities; and advance the development of Australia's cybersecurity industry, nurture startups and attract foreign investment. III. Cybersecurity strategy to promote 5G in Taiwan 　　Since President Tsai Ing-wen took office in 2016, she declared that cybersecurity is directly linked to national security. In 2017, the Department of Cyber Security (DCS) under the Executive Yuan issued "National Cybersecurity Development Plan (2017-2020)," and in 2018 the "Cybersecurity Industry Development Action Plan (2018-2025)," in order to enhance the independence of Taiwan's cybersecurity industry, consolidate the nation’s cybersecurity defense line, improve its innovative thinking of cyber security, and further promote it to the international market. 　　To develop a favorable environment to promote 5G, the Executive Yuan on May 10, 2019 approved the “Taiwan 5G Action Plan (2019-2022),” [19] with a total investment about NT$20.466 billion over a four-year period. The plan aims to build a 5G application and industrial innovation environment, and reshape Taiwan's mobile communication industry ecosystem, with its content planned around five themes, including "promoting 5G vertical application field demonstration", "building 5G innovation and application development environment," "completing 5G technology core and cybersecurity protection capabilities," "planning to release 5G frequency spectrums in line with overall interests" and "adjusting laws and regulations to create favorable environment for 5G development," and to promote industrial upgrading and transformation, as well as create the next wave of economic prosperity in Taiwan. 　　Secure, robust and reliable 5G systems are sufficient and requisite conditions for building an innovation ecosystem in digital countries. The third theme of the "Taiwan 5G Action Plan" is to "complete 5G technology core and cybersecurity protection capabilities," which is intended to advance the integration of applied science and technology by establishing advantageous core technologies, set up a 5G technology and test platform, and increase the market competitiveness of 5G industry, while drafting the overall national policies on 5G cybersecurity, building the cybersecurity protection mechanism of 5G homemade products, strengthening 5G critical infrastructure and operational cybersecurity protection capabilities, and promoting domestic suppliers to enter the international 5G reliable supply chain. 　　In terms of strengthening 5G critical infrastructure and operational cybersecurity protection capacities, the NCC has planned a four-year (2019-2022) "5G Network Cybersecurity Protection and Related Regulations Preparation Plan." In coordination with a 5G license issue in 2020, the agency in 2019 added/amended the 5G cybersecurity provisions of the Regulations for Administration of Mobile Broadband Businesses, making it mandatory for the winning bidder of the 5G frequency spectrum to incorporate the cybersecurity protection concept into the system design for system construction. 　　Upon commercial operation of 5G, the NCC will audit from time to time the implementation of the cybersecurity maintenance plan by telecom operators, so as to ensure and reinforce the cybersecurity protection system of Taiwan's 5G telecom network, and create an opportunity for the development of 5G homemade products with cybersecurity protection capability. In addition, the NCC will also face up to the fact that 5G technology standards continue to evolve, and the operators have different construction schedules and heterogeneous mobile networks coexist. Therefore, relevant regulations will continue to be completed from 2020 to 2022, and examples will be verified through cybersecurity function testing laboratories to ensure that cybersecurity protection functions of 5G networks keep pace with the times. IV. Conclusion and Suggestion 　　As for emerging technologies, countries around the world are actively evaluating and constructing 5G systems and services. Taiwan boasts excellent industrial advantages in terms of semiconductors, ICT software and hardware, and high-quality talents, and thus makes a foundation for developing 5G. Furthermore, going with the importance of cybersecurity, it is necessary to pay more attention to planning and developing 5G cybersecurity technology. 　　It is clear that the development of cybersecurity is both a challenge and an opportunity for Taiwan. In order to implement the national policy objectives of "cybersecurity is national security" as well as "innovative economic development programs for a digital nation," and to response to the scientific and technological progress, and the demand for cybersecurity, key development direction is proposed to expedite the establishment of 5G cybersecurity protection. Reference: [1]Resilience, Deterrence and Defence: Building strong cybersecurity in Europe, European Commission, https://ec.europa.eu/digital-single-market/en/news/resilience-deterrence-and-defence-building-strong-cybersecurity-europe [2]The draft Regulation of The European Parliament And of The Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation(EU)526/2013, and on Information and Communication Technology cybersecurity certification(''Cybersecurity Act'') was published in September 2017 to expand the rights and obligations of ENISA, which would make ENISA the EU's cybersecurity and information competent authority and the authority for critical infrastructure (information) facilities after the passage of the Act. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2019.151.01.0015.01.ENG&toc=OJ:L:2019:151:TOC [3]The EU cybersecurity certification framework, European Commission, https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework [4]Cybersecurity Strategy(2018), DHS, https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf [5]National Cyber Strategy of the United States of America(2018), The White House, https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf [6]THE WHITE HOUSE, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, The White House, https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure/ [7]DoD Digital Modernization Strategy, DoD, https://media.defense.gov/2019/Jul/12/2002156622/-1/-1/1/DOD-DIGITAL-MODERNIZATION-STRATEGY-2019.PDF [8]National Cybersecurity Strategy, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx [9]National Cross Sector Forum 2018-2020 Action Plan for Critical Infrastructure, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/pln-crtcl-nfrstrctr-2018-20/index-en.aspx#a02 The action plan is a three-year program under Canada's2010 National Strategy for Critical Infrastructure (National Strategy) starting in 2010 for all phases. [10]Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk, Public Safety Canada, Public Safety Canada, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/nhncng-crtcl-nfrstrctr/index-en.aspx [11]Cybersecurity Act 2018, Singapore Statutes Online, https://sso.agc.gov.sg/Acts-Supp/9-2018/ [12]Cybersecurity Act, CSA, https://www.csa.gov.sg/legislation/cybersecurity-act [13]Id. [14]Cybersecurity Act Explanatory Statement, https://www.csa.gov.sg/~/media/csa/cybersecurity_bill/cybersecurity%20act%20-%20explanatory%20statement.pdf [15]Australia’s Cybersecurity Strategy, https://cybersecuritystrategy.homeaffairs.gov.au/ What is the Government doing in cybersecurity, Ministers for the Department of Industry, Innovation and Science, https://www.industry.gov.au/data-and-publications/australias-tech-future/cyber-security/what-is-the-government-doing-in-cyber-security [16]Australia’s International Cyber Engagement Strategy, Department of Foreign Affairs and Trade,https://www.dfat.gov.au/sites/default/files/DFAT%20AICES_AccPDF.pdf [17]Essential Eight Explained, ACSC, https://www.cyber.gov.au/publications/essential-eight-explained [18]Pacific Cybersecurity Operational Network(PaCSON), https://dfat.gov.au/international-relations/themes/cyber-affairs/cyber-cooperation-program/Pages/pacific-cyber-security-operational-network-pacson.aspx Or Strengthening cybersecurity across the Pacific, ACSC, https://www.cyber.gov.au/news/pacific-islands PaCSON is comprised of 15 members, including Australia, Fiji, Marshall Islands, New Zealand, Papua New Guinea, Samoa, and Solomon Islands. [19]Taiwan 5G Action Plan, Executive Yuan,https://www.ey.gov.tw/Page/5A8A0CB5B41DA11E/087b4ed8-8c79-49f2-90c3-6fb22d740488

With digital music industry rising and flourishing these years, in 1995 the US Congress amended the compulsory licensing regulations in the US Copyright Act to include digital music service in the scope of compulsory licensing. By doing so,it tries to save the industry from deprivation in copyright negotiations and to prevent detrimental effects on music circulation. By introducing the compulsory licensing regulations for music copyrights in the US Copyright Act, this paper wishes to provide a reference for the Taiwanese government to amend Taiwan’s copyright act to promote the development of the digital music industry. I. Exclusive rights in digital music copyright According to the US Copyright, the copyright owner has the exclusive rights to do and to authorize any of the following1: To reproduce the copyrighted work in copies or phonorecords; To prepare derivative works based upon the copyrighted work; To distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending; In the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, to perform the copyrighted work publicly; In the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work, to display the copyrighted work publicly; and In case of sound recordings, to perform the copyrighted work publicly by means of digital music transfer. If it is to be enforced by law that musical works can only be provided after the approval and authorization of the copyright owner, this will be unfavorable for the circulation of musical works. In terms of users, this may mean additional difficulties in providing musical works. Therefore, in addition to negotiating with the copyright owner of the licensing affairs, the US Copyright Act prescribes the compulsory licensing system. As long as the form of use does not violate any terms specified in the Copyright Act, service providers may obtain a license by means of compulsory licensing in order to lawfully “distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending.2” 1. Scope of compulsory license According to Section 115 of the US Copyright Act, limitation on compulsory licensing comprises two sections3: (1) The scope of compulsory licensing is limited to the “exclusive rights provided by clauses (1) and (3) of section 106”; i.e. “to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending.” (2) A compulsory license can only be applied for unless the copyrighted works are Non-dramatic musical works; phonorecords of a non-dramatic musical work which have been distributed to the public in the United States under the authority of the copyright owner; and phonorecords made by a person whose primary purpose is to distribute them to the public for private use. (1) The scope of compulsory licensing is limited to the “exclusive rights provided by clauses (1) and (3) of section 106”; i.e. “to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending.” (2) A compulsory license can only be applied for unless the copyrighted works are Non-dramatic musical works; phonorecords of a non-dramatic musical work which have been distributed to the public in the United States under the authority of the copyright owner; and phonorecords made by a person whose primary purpose is to distribute them to the public for private use. (1) The scope of compulsory licensing is limited to the “exclusive rights provided by clauses (1) and (3) of section 106”; i.e. “to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending.” (2) A compulsory license can only be applied for unless the copyrighted works are Non-dramatic musical works; phonorecords of a non-dramatic musical work which have been distributed to the public in the United States under the authority of the copyright owner; and phonorecords made by a person whose primary purpose is to distribute them to the public for private use. Later on, to facilitate the application of the emerging digital sound delivery technology and the development of the digital music industry, in 1995 the US Congress passed the Digital Performance Right in Sound Recording Act of 1995 (DPRA) by which Section 115 of the Copyright Act was amended and the Digital Phonorecord Deliveries (DPD) was added. Based on these, the DPD can enjoy compulsory licensing to deliver digital music service. 2. Entitlement of compulsory license Any person who wishes to obtain a compulsory license shall, before or within thirty days after making the recording, and before distributing any phonorecords of the work, serve notice of intention to do so on the copyright owner. The notice shall comply, in form, content, and manner of service, with the requirements that the Register of Copyrights shall prescribe by regulation. If the registration or other public records of the Copyright Office do not identify the copyright owner and include an address at which the notice can be served, it shall be sufficient to file the notice of intention in the Copyright Office4. After obtaining the compulsory license, service providers shall deliver to the copyright owner or its designated collecting agent the information relating to the royalty of the month and the successes or failures of downloading within twenty days from the end of every month5. If service owners are unable to identify how to deliver the royalty to the copyright owner, the collecting agent shall keep the royalties for the compulsorily licensed nondramatic musical works for three years in an independent trust account. The collecting agent shall assume no responsibility for the safekeeping of such royalties if the copyright owner is unreachable within three years6. 3. Royalty for compulsory license The criteria for calculating the royalty of compulsory license are established by the Copyright Arbitration Royalty Panel formed by the Librarian of Congress. This panel updates the calculation criteria on a biennial basis. The calculation can be done by minute or by work. Applicants must pay the highest royalty calculated with either of the schemes7. 4. Limitation of compulsory license A compulsory licensee shall only reproduce or distribute specific sound recordings and shall not use the work in the making of phonorecords duplicating a sound recording fixed by another; unless the making of the phonorecords was authorized by the owner of the copyright in the sound recording or such sound recording was fixed lawfully.8 II. Conclusions Though compulsory licensing terms have been specified in the Copyright Law of Taiwan, users only need to apply for a compulsory license for sound recordings published for a full six months and the sound recording is used in the making of other musical works for sale9. In this case, the digital music industry will be unable to obtain a compulsory license to deliver lawful services, and negotiation with the copyright owner has thus become a prerequisite for service providers to deliver lawful services. As a result, service providers often become the weaker side of the negotiation and must pay the copyright owner a very substantial royalty. Consequently, the cost of the services will increase. In the future, if the government can amend the copyright law to include the reproduction and delivery of digital music in the scope of compulsory license of sound recordings with reference to the compulsory license terms for sound recordings in the US Copyright Act, service providers can have other access to obtain a license for sound recordings to deliver lawful digital music service other than negotiations with the copyright owner. It is believed that this will promote the fair royalties of sound recording licensing in Taiwan and the development of digital music application service industry in Taiwan. 17 U.S.C.A. §§ 106 17 U.S.C.A. §§ 115 17 U.S.C.A. §§ 115(a)(1). 17 U.S.C.A. §§ 115(b)(1). 17 U.S.C.A. §§ 115(c)(5). 68 FR 57815 See the following for details of royalty criteria for compulsory license: U.S. Copyright Office, Mechanical License Rates-Copyright Royalty Rates Section 115, the Mechanical License, available at http://www.copyright.gov/carp/m200a.html (last visited 2007/8/17) 17 U.S.C.A. §§ 115(a)(1). Article 69, Copyright Law.

Although third-party payment is already one of the most popular ways to do the payment online in many countries, for example, Alipay of China and Paypal of USA, third-party payment in Taiwan is just about to start. For these days, the legislation of third-party payment has become a highly debated issue. However, due to many reasons, the legislation of third-party payment eventually has not been realized. And in fact, the third-party payment in Taiwan is not mature yet. A third-party payment system in Taiwan is unable to deposit stored value in advance. This is one of the basic functions of third-party payment system abroad, such as Alipay in China and Paypal in USA. Mainly, what third-party payment provides in Taiwan is money transmission based on real trade. 1. Latest progress of third-party payment in Taiwan. (1)Credit card payment for third-party payment system. Recently, third-party payment has a breakthrough development. According to the resolution of the meeting “Obstacles of using credit card in third party payment” held by Executive Yuan in September this year, Financial Supervisory Commission has made the commitment that the third party payment is allowed to be a “contracted merchant” under “Regulations Governing Institutions Engaging in Credit Card Business”, and personal entity or small business which is not provided with the qualification of “contracted merchant” are allowed to accept credit card payment though third party payment system. This is a very important progress in third-party payment in Taiwan. It means credit card payment is available for C2C transaction now. This will improve the safety of C2C transaction and reduce the quantity of fraud transaction. In other way, boost the prosperity of E-commerce. (2)Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction. In response to the Central Bank’s request, MOEA (Ministry of Economic Affairs) approved and announced the “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction” on October 3rd, 2012. Any Data Processing Services Industry Performing Trans-border Internet Transaction would like to obtain the qualification as a mandatory under Article 8 of “Regulations Governing the Declaration of Foreign Exchange Receipts and Disbursements or Transactions”, should pass the evaluation according to the “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction”, and get the compliance certification. The “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction” has set up several requirements for a business which would like to run the payment service for trans-border internet transaction. Mainly, basic requirements are as the followings. 1-2-1　The applying data processing service enterprise should be a limited company or a company limited by shares. 1-2-2　The applying data processing service enterprise should open a special purpose deposit account to deposit the entire transmitting amount received from consumers. And the transaction of this account should be only based on the consumers’ directions of money transmitting. 1-2-3　Users of the third-party payment service provided by the data processing service enterprise should register for the first time usage. And the user’s name, birth and ID number are required for registration. The applying data processing service enterprise has the liability to check the reality of the information provided. 1-2-4　The contract between the data processing service enterprise and the user should be in writing. If the contract is performed in electronic way, it should follow the requirement of “in writing” according to Article 4 of “Electronic Signatures Act”. In addition, the contract should contain the mandatory articles about foreign exchange declaration listed in the “Evaluation Requirements for Data Processing Services Industry Performing Trans-border Internet Transaction”. 1-2-5　The data processing service enterprise should be equipped with sound information security system and operating regulations, comply with “Personal Information Protection Act” and the related directives, join ECTSA (E-commerce Trust Security Alliance), and get the ISO27001 certificate or PCI-DSS validation. 1-2-6　The data processing service enterprise should keep detailed transaction information for at least 5 years. 1-2-7　The data processing service enterprise should set up money laundering prevention operating regulations, and provide money laundering prevention employee training annually. Once MOEA receives the application, MOEA will set up a special team, which assembles legal professionals, information engineering experts and financial experts, to conduct the evaluation. The compliance certification of the evaluation will be valid for 5 years. During these 5 years, the data processing enterprise has the duty to accept the annual examination and non-timed examination by MOEA. 2.Three-Party Legal Relationship under Third-Party Payment The nature of a third-party payment service is “service of payment collection and forwarding”. Generally, payment collection and forwarding refers to the transfer of a transaction payment performed by a third party in its role of assisting the buyer and the seller. The current practice in Taiwan of making payment to and collecting product from a convenient store pursuant to online transaction or of paying for product upon delivery by shipping company is a type of “payment collection and forwarding” business. In a relationship of payment collection and forwarding service, the legal relationship between the buyer and the payment collector/forwarder is a “contract of mandate” under Article 528 of the Civil Code. Refer to Article 8 of the Regulations Government the Use of Uniform Invoices: “When a business entity is engaged to handle collection and payment on behalf of another party, if there is no difference between the amount collected and the amount paid, and the purchaser specified on the payment receipt voucher is the engaging party, then the business entity may deliver the voucher to the engaging party and is exempt both from issuing a uniform invoice and from including the payment as a sales amount.”. Article 18-2 of the Profit Seeking Enterprise Income Tax Audit Standard also has similar stipulations. As to whether or not a contract of mandate is formed between the seller and the payment collector/forwarder, depends on the agreement between the parties. If it is agreed that the buyer has completed payment when the payment collector/forwarder receives the fund, then the payment collector/forwarder receives the fund on behalf of the seller and a contract of mandate is formed. Under the contract of mandate, the seller grants the payment collector/forwarder the right of agency and the right of processing. Generally speaking, it is deemed that when the buyer pays the fund to the payment collector/forwarder, the buyer has completed the obligation of payment. Therefore, both the buyer and the seller form a contract of mandate with the payment collector/forwarder and grant the right of agency under such contract of mandate. Diagram 1 Three-party relationship diagram under collection/forwarding of transaction payment Source: Prepared by author The payment collector/forwarder under online transaction acts as the agent of the buyer and the seller at the same time with regard to the act of payment and collection. This constitutes the legal issue of “acting as agent for both parties” under Article 106 of the Civil Code. However, the payment collector/forwarder performs the contract of sale and purchase for the buyer and the seller. Therefore the exception provided under Article 106 of the Civil Code is applicable. 3.Payment Custody Mechanism under Third-Party Payment (1)Overview The important value of a third-party payment mechanism is that it provides a credit guarantee between the buyer and seller. Through a third-party payment organization, the buyer receives the merchandize and then sends an instruction to the third party payer for the price previously provided to the third party payer to be forwarded to the seller. Although the buyer and the seller cannot verify each other’s creditworthiness and the quality of the merchandize face-to-face, through third party payment, the buyer can be assured that the merchandize will be received after the price is paid. The buyer can even be assured that he/she will receive the merchandize that he/she is satisfied with. For example, in “Alipay”, the after shopping, the consumer pays the transaction price to Alipay. Only when the consumer replies with “production received” will Alipay forward the money to the seller. So “third-party payment service” helps activate E-commerce and is especially helpful in C2C transactions. This is one of the important features that differentiate “third-party payment service” from “Internet banking”. Therefore, although the Central Bank of Mainland China introduced the function of “Super Internet Bank” in 2009, consolidating the consultation and account transfer systems of many banks, it is generally considered that this did not have a strong impact on the third-party payment service industry which is already flourishing in Mainland China, because it does not provide value-added services, such as a guarantee and delayed payment provided by third-party payment service. Although third-party payment service provides account transfer service, absorbing part of the functions of Internet banking, it also created new business opportunities for the banks. In reference to the experience of Mainland China, the tasks are divided between third-party payers and banks as follows: Source: Xi-Song Zhang, Choice of Development Model for Third-Party Payment in China – From the Perspective of Full Intervention by Commercial Banks, Review by Xi’An University of Finance and Economics, Volume 22, Book 2, Page 46 (March 2009). So the service provided by third-party payment and the service provided by Internet banking overlap to a certain degree. Both perform the function of fund transmission. However, instead of thinking that the two as competitors, it is better to think of them as a cooperative. (2)Relevant Legal System in Taiwan The feature of the above-described third-party payment is that the third party holds the property for the benefit for others until the satisfaction of certain conditions. A similar legal system in Taiwan is “trust”. In accordance with Article 1 of the Trust Act: “For the purposes of this Law, the term "trust" refers to the legal relationship in which the settler transfers or disposes of a right of property and causes the trustee to administer or dispose of the trust property according to the stated purposes of the trust for the benefit of a beneficiary or for a specified purpose.”. However, in accordance with Article 2 of the Trust Act, a trust must be done through a contract of trust. What is different from the contract of mandate formed under the payment collection/forwarding described above is that, in a contract of trust, the parties must specify the purpose of the trust in the contract. Otherwise, the contract of a trust is not formed. An exception is trust by declaration for the purpose of public interest under Article 71 of the Trust Act. Below we discuss the structure and feasibility of providing third-party payment service through trust. 3-2-1Third-Party Payer Acts as Trustee When a third-party payer acts as the trustee of under the contract of trust and the buyer that pays the price under an Internet transaction designates it as the principal and the beneficiary, a trust for self benefit is formed. It is a trust with a purpose. The purpose of the trust is to transfer the price of sale and purchase. The seller is also the beneficiary. According to the “principle of identified beneficiary” under the laws of Taiwan as long as the beneficiary is identifiable, even though many transactions may be formed with many sellers after the buyer registers to use third-party payment service, a contract of trust can still be formed. However, in accordance with Article 2 of the Trust Act, unless the principal has reservations in the contract of trust, the termination of a trust for the benefit of others is subject to the consent of the beneficiary. So it is simpler to process under a trust for one’s own benefit. Diagram 2 Diagram of trust relationship under third-party payment (where the third-party payer is the trustee) Source: Prepared by author To form a contract of trust, in accordance with Articles 9 to 12 of the Trust Act, the fund entrusted by the service user to the third party to be forwarded becomes trust property and can be effectively segregated from bankruptcy. If the trustee is bankrupt, the trust property will not be included in the bankruptcy property, and the creditors of the trustee cannot enforce upon the trust property, providing more protection for the user of third-party payment service. Also, in accordance with Article 24, the principal shall manage the trust property and the principal’s own property separately. A monetary trust can be managed by keeping separate accounts. So if a contract of trust is formed under a contract of third-party payment service, it can ensure proper accounting of trust property by the service provider. Also, in accordance with Paragraph 2, Article 9, property right acquired by the trustee through the management, disposal, loss, destruction or other event of the trust property remains part of the trust property. Therefore, proceeds received from the deposit by third-party payer with the bank of any fund before it is forwarded become part of trust property and belong to the buyer, i.e., the principal and beneficiary. Certain doubts as to whether the Trust Enterprise Act is applicable to third-party payment service provider. In accordance with Article 2 of the Trust Enterprise Act, “trust enterprise” referred to in this Act means an organization approved by the competent authority in accordance with this Act to operate trust activities. There are 4 targets regulated by the Trust Enterprise Act: Trust companies that operate trust activities with approval by the competent authority, banks they also operate trust activities, securities investment trusts, investment consulting businesses and securities dealers that also operate trust activities and trust investment companies. A third-party payer is not a trust enterprise approved by the Banking Bureau of the Financial Supervisory Commission. Therefore, the contract of trust formed under third-party payment service is a general trust under civil law and is subject to supervision by the court in accordance with Article 60 of the Trust Act. The court may select an inspector and impose other necessary disposition by order pursuant to the petition for inspection on trust activities filed by an interested party or a prosecutor. However, the court has a role of passive supervision and does not have the general authority of supervision and management by the Bureau of Banking. Third-party payment is a service provided to unidentified members of the society. Including third-party payers into the system of financial supervision for trust will provide better protection for interest of the general public. Also, in accordance with Article 34 of the Trust Act, trust enterprises have the obligation of provisioning compensation reserves. No such obligation is imposed under general civil-law trust. So if third-party payers are included as trust enterprises, better protection will be available to the consumers. Also in accordance with Article 19 of the Trust Enterprise Act, a trust contract must be done in writing. In case of an electronic document, requirements under Article 4 of the Electronic Signature Act must be met: “the content of the information can be presented in its integrity and remains accessible for subsequent reference, with the consent of the other party”. Under third-party payment service, the third-party payer must make payment in accordance with the user’s instructions. So the trust that is formed is “a trust where the trustee does not have discretion over utilization of trust property”, as referred to under Paragraph 2, Article 7 of the Enforcement Rules for Trust Enterprise Act. It is also “a monetary trust under specific centralized management and utilization” under Article 8 of the Enforcement Rules for Trust Enterprise Act. However, in accordance with Article 9 of the Trust Enterprise Act: “A trust enterprise's name shall indicate the word, ‘trust.’ This rule does not apply to an entity which conducts a trust business concurrently with the approval of the Competent Authority.” If the third party payer adds the word “trust” in the company name, it will create a difference from the scope of business of third-party payment service. So an approval from the competent authority, the Bureau of Banking of the Financial Supervisory Commission, allowing third party payers to also operate the trust activity, seems to be a better solution. 3-2-2Bank Acts as Trustee As mentioned above, in a payment collection/forwarding relationship, the underlying legal relationship between the third-party payer and buyer is a “mandate”. Under a separate relationship of mandate, the buyer can grant the third-party payer the right of agency to sign a contract of trust with the bank on behalf of the buyer. The bank will act as the trustee and the buyer will act as the principal and beneficiary. The third-party payer will be the agent of the principal. Same as above, the beneficiary can also be the seller here. Under the current structure of the Trust Act of Taiwan, almost all rights that can be exercised by a principal can also be exercised by a beneficiary, including the rights under Articles 23, 24, 32, 35 and 65. Therefore, it is more convenient for a bank, with the qualification of trust enterprise, to serve as the trustee. However, trust related fees may be payable to the bank, raising the cost of third-party payment service. The relevant cost will most likely be transferred to the user of third-party payment service. The third-party payment service fee is generally paid by the seller, i.e., the payee. Under the structure where the third-party payer acts as the trustee, the relationship between the third-party payer and the bank is solely one between a depositor and a depository account. Therefore the third-party service provider does not need to pay any fee to the bank. It may even receive interest from the deposit, constituting proceeds from trust property which belong to the principal. So if the bank acts as the trustee, the cost of transaction flow is higher. On the other hand, it may obstruct the development of the industry. However, it is more consistent with the model of trust management. Diagram 3 Diagram of trust relationship under third-party payment (bank being the trustee) Source: Prepared by author 4.Conclusion There is currently no legal restriction against simple payment collection and forwarding. The contract of mandate under the Civil Code can process the tri-party legal relationship (buyer, seller and payment collector/forwarder). The transaction guarantee for third-party payment and the mechanism of custody and delayed payment of price can be processed with the structure of trust. As mentioned above, under the structure of a trust, the third-party payer can act as the trustee and the bank can act as the principal (at which time the third-party payer represents the principal and signs a contract of trust with the bank on behalf of the buyer). The formation of trust ensures account management, avoiding improper utilization of the transaction price under custody. When the third-party payer is the trustee, a general civil-code trust is formed, which is only subject to inspection by court pursuant to petition by interested party or the judge. The supervision and management are more relaxed. However, third-party payment serves an unidentified public of society and has an extensive impact. It is suggested that the competent authority, the Financial Supervisory Commission, allows third-party payers to also operate the business of trust and include third-party payers into the scope of financial supervision. When the bank acts as the trustee, the transaction cost is higher. However, the supervision and management of its business activities under the current legal system is more complete. Currently, a more feasible way is when the bank serves as the trustee and the third-party payer serves as the agent of the principal. In the long term, it can be studied to open up for third-party payers to also operate Internet transaction trust business, acting as the trustee. Third-party payment replaces bank’s fund settlement function to a certain extent. Contrary to the traditional industry of payment collection and forwarding, third-party payment provides the convenience of fund collection/payment function and can fall prey to money laundering criminal activities. For the purpose of protecting the consumers and prevention of money laundering crimes, it is indeed necessary to include third-party payment into legislative management. The priority focus of such control is to require that the operator possesses a sound corporate structure and financial status. The requirement regarding capital is different depending on the country. The flexible requirement of capital amount in the EU can be used as a reference. For smaller operators with lower transaction volumes, a lower capital amount should be required under flexibility. In 2011, the Internet shopping market in China was 773.5 billion CNY. The amount of Internet payment was approximately 70 billion CNY. In 2011, the Internet shopping market in Taiwan was only 562.7 billion NT Dollars. If the minimum capital amount required of third-party payment operators in China is applied to third-party payment operators in Taiwan, it would not be reasonable. We can refer to the US method and ask operators to take out insurance to lower the risk and avoid market monopoly or oligopoly due to high capital amount barrier, blocking full competition. With the capital amount requirement, it is highly possible that the operators will increase the amount of transaction processed in accordance with the development of E-commerce, creating the necessity to increase the capital. It is best to choose the form of limited stock companies in order to answer to capital placement requirement swiftly. Regarding the issue of money laundering prevention, third-party payment institutions are currently not the “financial institutions” under Article 5 of the Money Laundering Prevention Act of Taiwan. However, it should be a “payment tool” under Article 9, with only an obligation to freeze the payment account and cooperate with investigation as required by prosecutors. At the same time of developing third-party payment services, the Bureau of Investigation of the Ministry of Justice should also develop a money laundering prevention reporting system for third-party payment services. In reference to the US legal system, third-party payers should be included into the network of money laundering crime prevention of Taiwan for management. In addition, third-party payment services should be performed on real-name basis. The general public should be required to register and use third-party payment services with their true identities. As for verification of identity, the so-called KYC process, the banks’ KYC can be relied upon to a certain degree, such as comparison of account name information of the credit card holder or the deposit account. In reference to the legal system of different countries and the current financial legal system of Taiwan, third-party payment operators should have the obligation to maintain payment transaction information in order to facilitate criminal investigation. To protect consumers, the rights and obligations between the consumers and the third-party payers should be specified in a written contract. If it is displayed in electronic form, the written requirement should be consistent with Article 4 of the Electronic Signature Act of Taiwan. In addition, the consumers’ funds should only be used in accordance with the consumers’ payment instructions. To avoid other uses by the operators, there should be a requirement to deposit into special bank accounts to provide clear trace of transaction history. In reference to Article 24 of the Trust Act, separate account management is required under trust. So if a trust is formed, then the requirement for special deposit account can be waived. Furthermore, to avoid insolvency by the operators, operators can be required to take out insurance and acquire full performance guarantee. Prevention is better than a cure. We should take precautions about possible issues that may arise from third-party payment. In addition, clear rules of the game will encourage industry development. On the other hand, with the new type of money flow payment activities in the Internet era, traditional financial industries should see it as a new opportunity of business development, and not a threat. What third-party payment system processes is information flow; the actual flow of funds is still dependent on the banking system. Internet payment operators are still dependent upon the finance industry to provide financial planning and new types of financial products (such as trust and insurance) in order to promote their business. Building a sound Internet payment system indeed requires contributions from the information industry, the finance industry and the legal industry.

1. Organization Framework In the organization framework of critical infrastructure protection, there are mainly the public departments and the PPP organizations. The functions and task description of relevant organizations are as follows. (1) Department of Homeland Security After the September 11 attacks in America, the Homeland Security Act was passed in November 2002, and based on this act, 23 federal organizations, plans and offices were integrated to establish the Department of Homeland Security (DHS) to take responsibility for homeland security in America. The tasks include: (1) to analyze intelligence data collected from various departments such as the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) so that any threats to security can be discovered in time, (2) to protect and defend critical infrastructure, (3) to coordinate and lead America to prevent and respond to the attacks from nuclear weapons, biochemical weapons and other and (4) to coordinate the tasks of the federal government, including emergency and rescue. For the task regarding critical infrastructure and critical information infrastructure protection, the main units in charge are the Office of Infrastructure Protection (OIP) and the Office of Cybersecurity and Communications (CS&C) subordinate to National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS), to reduce the risk in both physical and cyber security to maintain national security1 (2) Congress Relevant units and committees are established both in the Senate and the House of Representatives to be responsible for protection and making policies pertinent to important critical infrastructure and critical information infrastructure. (3) Computer Crime and Intellectual Property Section In 1991, the Department of Justice (DOS) established the Computer Crime and Intellectual Property Section (CCIPS), a section of the Criminal Division, to be responsible for all crime combating computer and intellectual property. Computer crime is referred to cases which include electronic penetrations, data thefts, and cyber attacks to the important critical infrastructure. CCIPS also prevents, investigates, and prosecutes computer crimes by working with other government agencies, the private sector, academic institutions, and foreign counterparts. (4) Other Relevant PPP Organizations 2The Information Sharing and Analysis Center (ISAC) is responsible for the information security message sharing among the industries of each critical infrastructure to ensure the liaison and cooperation among industries. Finally, for the issue on critical information infrastructure, especially cyber crimes, both the National Cyber Security Alliance (NCSA) and the Cross Sector Cyber Security Working Group (CSCSWG) are designated to serve as crucial roles in governmental and non-governmental internet security prevention to be responsible for techniques and education. 2. Notification System (1)Computer Emergency Response Team Coordination Center The Computer Emergency Response Team Coordination Center (CERT/CC) run by Carnegie Mellon University is the oldest and most important early-warning organization for information security in the USA. With its experts studying internet vulnerabilities and risk assessment released regularly, it reminds people of the possible dangers which exist in the information age and the need to improve internet security. (2)US Computer Emergency Readiness Team The US Computer Emergency Readiness Team (US-CERT) was established in 2003. It is responsible for protecting the infrastructure of the internet in America and for coordinating and providing response support and defense against national cyber attacks. It interacts with federal agencies, industry, the research community, state government, and others to disseminate reasoned and actionable cyber security information to the public. (3)Federal Bureau of Investigation The Federal Bureau of Investigation (FBI), the first early warning center of critical infrastructure at the national level, is responsible for providing the information pertinent to legal execution presently and also taking responsibility for the investigation of cyber crime. (4)Information Sharing and Analysis Centers Currently, industry in America, including finance, telecommunications, energy, traffic, water resources, together established individual Information Sharing and Analysis Centers (ISACs) based on the policy made in PDD-63. The ISAC of the financial system established in October 1999 being the first established center. These ISACs further work together to form an ISAC Council to integrate the information from each of them and improve their interaction and information sharing. 3. Legal Norms In reference to the laws and regulations of critical infrastructure protection, America has aimed at critical infrastructure protection and computer crime to formulate the following regulations. (1) Federal Advisory Committee Act of 1972 According to the Federal Advisory Committee Act (FACA), the advisory committee can be established in every federal agency to provide the public, along with received open advice, with relevant objectives, and to prevent the public from being inappropriately influenced by the policies made by the government. However, to keep the private institutions which run the critical infrastructures from worrying the inappropriate leak of the sensitive information provided and consulted by them, Critical Infrastructure Partnership Advisory Council was established so that the Secretary of Homeland Security has the right to disregard the regulations of FACA and establish an independent advisory committee. (2) Computer Fraud and Abuse Act of 19863 The Computer Fraud and Abuse Act (CFAA) was enacted and implemented in 1986. It mainly regulates computer fraud and abuse. The Act states that it is against the law for anyone to access a protected computer without authorization. However, it also recognizes the fact that accessing a computer system of electronic and magnetic records does not mean a violation of the law. According to the CFAA, what is needed is one of the following requirements to be the wrongful conduct regulated in the Act: (1) whoever intentionally accesses a computer to obtain specific information inside the government or whoever has influenced the transmission function of the computer system; (2) whoever intentionally accesses a computer to obtain a protected database (including the information contained in a financial record of a financial institution or of a card issuer, or the information contained in a file of a consumer reporting agency on a consumer, or the information from any department of agency of the United States, or the conduct involving an interstate transaction); (3) whoever intentionally accesses any nonpublic computer of a department or agency of the United States, and causes damage. In addition, the Act also prohibits conduct such as transmitting malicious software, and defrauding traffic in any password or similar information. For any person who suffers damage or loss by reason of a violation of the law, he/she may maintain a civil action to obtain compensatory damages and injunctive relief or other equitable relief. However, the Computer Abuse Amendment Act (1994) expands the above Act, planning to include the conduct of transmitting viruses and malicious program into the norms whose regulatory measures were adopted by the USA Patriot Act enacted in October 20014 (3) Homeland Security Act of 20025 The Homeland Security Act provides the legal basis for the establishment of the Department of Homeland Security and integrates relevant federal agencies into it. The Act also puts information analysis and measures of critical infrastructure protection into the norm. And, the norm in which private institutions are encouraged to voluntarily share with DHS the information security message of important critical infrastructure is regulated in the Critical Infrastructure Information Act: Procedures for Handling Critical Infrastructure Information. According to the Act, the DHS should have the obligation to keep the information provided by private institutions confidential, and this information is exempted from disclosure by the Freedom of Information Act. (4) Freedom of Information Act Many critical infrastructures in America are regulated by governmental laws, yet they are run by private institutions. Therefore, they should obey the law and provide the government with the operation report and the sensitive information related with critical infrastructure. However, knowing that people can file a request at will to review relevant data from the government agencies based on the Freedom of Information Act (FOIA), then the security of national critical infrastructure may be exposed to the danger of being attacked. Therefore, the critical infrastructure, especially the information regarding the safety system, early warning, and interdependent units, are all exempted by the Freedom of Information Act. (5) Terrorism Risk Insurance Act of 20026 After the 911 Incident, Congress in America passed the Terrorism Risk Insurance Act to establish the mechanism to underwrite terrorism risk insurance, in which insurance companies are required to provide terrorism attack risk insurance and the federal government will also cover part of loss for severe attacks. 1.http://www.dhs.gov/xabout/structure/editorial_0794. shtm (last accessed at 21. 07. 2009). 2.http://www.thei3p.org/ (last accessed at 21. 07. 2009). 3.http://www.panix.com/~eck/computer-fraud-act. html (last accessed at 21. 07. 2009). 4.Mark G. Milone, Hacktivism：Securing the National Infrastructure, 58 Bus. Law, 389-390, 2002. 5.http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf (last accessed at 21. 07. 2009). 6.http://www.ustreas.gov/offices/domestic-finance/financial-institution/terrorism-insurance/pdf/hr3210.pdf (last accessed at 21. 07. 2009).