Identificating and treating rules for law enforcement of electronic commerce products
Some standard content:
ICS03.120.99
National Standard of the People's Republic of China
GB/T37919—2019
Identifying and treating rules for law enforcement ofelectroniccommerceproducts
Release on August 30, 2019
State Administration for Market Regulation
Standardization Administration of the People's Republic of China
Implementation on March 1, 2020
Normative reference documents
Terms and definitions
Basic principles
Workflow
E-commerce product law enforcement investigation and evidence collection flow chart Clue handling
5.3 Case filing
5.4 Law enforcement investigation and evidence collection
5.5 Evidence verification and analysis
Appendix A (Normative Appendix)
References
Normative forms for law enforcement evidence collection and investigation
GB/T37919—2019
This standard was drafted in accordance with the rules given in GB/T1.12009. GB/T37919—2019
Please note that some contents of this document may involve patents. The issuing organization of this document does not assume the responsibility for identifying these patents. This standard is proposed and managed by the National Technical Committee for Standardization of Quality Management of Electronic Commerce (SAC/TC563). Drafting units of this standard: China Institute of Inspection and Quarantine, China National Institute of Standardization, Xiamen Meiya Pico Information Co., Ltd., Beijing Wancheng Credit Evaluation Co., Ltd., Hangzhou National Electronic Commerce Product Quality Monitoring and Disposal Center. Main drafters of this standard: Jiang Li, Sun Xinzhao, Liu Caihong, Xu Yingcheng, Yang Yuexiang, Li Ying, Li Ya, Zhong Lihua, Ma Chaoying, Ye Kai 1 Scope
E-commerce product law enforcement investigation and evidence collection rules GB/T37919—2019
This standard specifies the basic principles and work flow of the evidence collection standards of electronic data, physical objects, etc. in the law enforcement and investigation of e-commerce products. This standard applies to the evidence collection work of law enforcement and investigation of e-commerce products. 2 Normative reference documents
The following documents are indispensable for the application of this document. For any dated referenced document, only the dated version applies to this document. For any undated referenced document, the latest version (including all amendments) applies to this document. GB/T35408-2017 E-commerce Quality Management Terminology 3 Terms and Definitions
The terms and definitions defined in GB/T35408-2017 and the following terms and definitions apply to this document. 3.1
E-commerce
electronic commerce
Business activities of trading products and services through information networks [GB/T35408-2017. Definition 2.1.1]
E-commerce platformelectronic commerceplatformIn e-commerce, an information network system that provides web space, virtual business premises, transactions and transaction cooperation, information release, funds payment and other partial or complete services for both or multiple parties. Examples: third-party e-commerce platform, self-operated e-commerce platform. [GB/T35408-2017 Definition 2.1.2
E-commerce operator electronic commerce serviceprovider An organization or individual that provides products and services to customers on an e-commerce platform Note: This includes merchants, distribution service providers and payment service providers, etc. [GB/T35408-2017, Definition 2.1.7] 3.4
E-commerce product electronic commerce product A product traded through an e-commerce platform (3.2). 3.5
storage medium
Storage medium
Electronic equipment, hard disk, optical disk, USB flash drive, memory stick, memory card, memory chip and other carriers with data information storage function3.6
Integrity check value
integrity check value
In order to prevent electronic data from being tampered with or destroyed, the electronic data is calculated using a specific algorithm such as a hash algorithm to verify the data integrity1
GB/T37919—2019
data value.
Network remote investigationnetwork remote investigationInvestigation of remote computer information systems through the network, discovery, extraction of electronic data related to violations, recording of computer information system status, determination of the nature of violations, analysis of violations, determination of the direction and scope of investigation, and provision of clues and evidence for the investigation of illegal cases. 3.8
Digital signaturedigitalsignature
A data value calculated by a specific algorithm on electronic data to verify the source and integrity of electronic data. 3.9
Digital certificate
digital certificate
An electronic document containing a digital signature and authenticating the source and integrity of electronic data. 3.10
access and operation log
Access operation log
A detailed record of access and operation of electronic data automatically generated by a computer information system to examine whether electronic data has been added, deleted or modified.
electronicdata
Electronic data
Data stored, processed and transmitted in digital form based on electronic technical means such as computer and network applications, communications and modern management technologies.
Note 1: Electronic data includes but is not limited to the following information and electronic files: a) Information published on network platforms such as web pages, blogs, microblogs, friend circles, forums, and network disks; b) Communication information of network application services such as mobile phone text messages, emails, instant messaging, and communication groups; c) User registration information, identity authentication information, electronic transaction records, communication records, login logs, etc. d) Documents, pictures, audio and video, digital certificates, computer programs, and other electronic files. Note 2: Evidence involved in the case recorded in digital form is auxiliary electronic data evidence (3.12) and does not belong to electronic data (3.11). If necessary, the collection, extraction, use, review, and transfer of relevant evidence can refer to this standard. 3.12
auxiliary electronic data evidence
Evidence generated during the acquisition of electronic data to prove the authenticity of electronic data. Such as digital signatures, digital certificates, access operation logs, videos of the evidence collection process, transcripts, etc. bzxz.net
Electronic evidence verification electronic evidence verification is to review the compliance, authenticity, and integrity of electronic evidence acquisition from the perspectives of the regulatory requirements of laws and regulations and the technical implementation methods.
Electronic data collection electronic data collection is the process of using technical means to collect, preserve, and record electronic data evidence materials such as e-commerce transactions and transaction information, online quality inspections, tests, and product traceability, in order to identify illegal acts in e-commerce transactions. Note: Rewrite GB/T35408-2017, definition 5.10. 3.15
Electronic commerce product forensics is the act of using corresponding professional and technical means to conduct a comprehensive investigation and analysis of the electronic and non-electronic data of e-commerce operators (3.3) engaged in e-commerce and issue an investigation report. 2
4 Basic principles
GB/T37919-2019
4.1 Legality: E-commerce product law enforcement investigation and evidence collection should strictly comply with the relevant provisions of national laws, regulations, and rules. 4.2 Professionalism: Evidence collection equipment and methods should comply with relevant technical standards and specifications. The review and identification of e-commerce product evidence should follow the principles of science, objectivity, fairness and independence.
4.3 Confidentiality: Electronic data involving state secrets, commercial secrets, and personal privacy should be kept confidential. Electronic data integrity: For electronic data used as evidence, one or more of the following methods should be adopted to protect the integrity of the electronic data.4
Integrity:
Seize and seal the original storage medium of electronic data; calculate the integrity check value of electronic data;
Make and seal the backup of electronic data;
Freeze electronic data;
Record the activities related to collecting and extracting electronic data; other methods to protect the integrity of electronic data. Workflow
E-commerce product law enforcement investigation and evidence collection flow chart The process of law enforcement investigation and evidence collection for e-commerce products is shown in Figure 1: 5.2 Clue handling
5.2.1 Clue discovery
5.2.2 Clue analysis
5.3 Case filing
5.3.1 Determine the basis for investigation
5.3.2 Formulate the implementation steps of law enforcement investigation
5.4 Law enforcement investigation and evidence collection
5.4.3 Acquisition of non-electronic evidence
5.4.2 Acquisition of electronic evidence
5.4.4 Preservation and display of evidence
5.5 Evidence verification and analysis||tt ||5.5.1 Evidence Verification
5.5.1.1 Electronic Evidence Verification
5.5.1.2 Non-electronic Evidence Verification
5.5.2 Evidence Research and Judgment
5.5.3 Investigation Report
Figure 1 E-commerce Product Law Enforcement Investigation and Evidence Collection Flowchart 3
GB/T37919—2019
5.2 Clue Handling
5.2.1 Clue Discovery
Relevant administrative law enforcement management departments shall form evidence collection clues based on collected complaints and reports, daily patrol monitoring, and information transferred by other departments in accordance with the national laws and regulations on the management of the e-commerce industry. 5.2.2 Clue Judgment
Determine whether to implement investigation and evidence collection behavior in accordance with relevant national laws and regulations. 5.3 Case Filing
5.3.1 Determine the Basis for Investigation
Seek support at the level of laws and regulations for the objects, methods, and basis of evidence collection. 5.3.2 Formulate the implementation steps for law enforcement investigations
In combination with the industry situation and in accordance with the requirements of Appendix A, formulate a correspondence table between the content and basis of law enforcement evidence collection (see Table A.1), conduct research and analysis on the suspected illegal acts of the e-commerce products to be collected, determine the main work objectives of e-commerce product evidence collection, clarify the basis for law enforcement, and formulate an investigation and evidence collection plan (see Table A.2).
5.4 Law enforcement investigation and evidence collection
5.4.1 E-commerce transaction evidence collection process record Fill in the e-commerce product evidence collection process record form, including the on-site evidence record form (see Table A.3) and the evidence list and related instructions form (see Table A.4), to record the investigation and evidence collection process
5.4.2 Electronic evidence acquisition
5.4.2.1 Electronic data evidence collection content
The sound, image or other information recorded and displayed by means of recording, photographing, videotaping, computer storage, etc. to prove the facts of the case, such as the photographing, recording, and videotaping materials used for tracking and monitoring by technical means, and the electronic registration information and transaction record data of the suspected illegal parties extracted from the e-commerce platform. 5.4.2.2 Electronic data acquisition methods
Includes but is not limited to photographing, recording, videotaping, computer screenshots and internal data extraction, which can be achieved through online search, online sample purchase, and obtaining internal data of e-commerce platforms. Screenshots of online chat records, screenshots of product information displayed on the Internet, screenshots of order payment, screenshots of logistics details and related network links are used directly as evidence. 5.4.2.3 Preservation technical measures for obtaining electronic evidence 5.4.2.3.1 Collect and extract electronic data. If the original storage medium of electronic data can be seized by the suspected illegal subject, the original storage medium should be seized and sealed, and a record should be made to record the sealing status of the original storage medium. 5.4.2.3.2 When sealing the original storage medium of electronic data, it should be ensured that the electronic data cannot be added, deleted or modified without lifting the sealing status. Photos of the sealed original storage medium should be taken before and after sealing to clearly reflect the status of the seal or the place where the seal is posted. When sealing storage media with wireless communication functions such as mobile phones, measures such as signal shielding, signal blocking or power supply cutting should be taken. 5.4.2.3.3 If it is impossible to collect and extract electronic data according to the method described in 5.4.2.2, relevant evidence shall be fixed by printing, taking photos or recording videos, and the reasons shall be stated in the record.
GB/T37919—2019
5.4.2.3.4 In accordance with the provisions of laws and regulations, the electronic data of the suspected illegal subject shall be frozen, and the specific requirements are as follows: a) The data volume is large and it is impossible or inconvenient to extract; b) The extraction time is long, which may cause the electronic data to be tampered with or lost; c) The electronic data can be more intuitively displayed through network applications; d) Other situations where freezing is required
5.4.2.3.5 When freezing electronic data, a notice of assistance in freezing shall be prepared, indicating the network application account number of the frozen electronic data and other information, and sent to the electronic data holder, network service provider or relevant department for assistance. If the freeze is lifted, a notice of assistance in lifting the freeze shall be prepared within three days and sent to the electronic data holder, network service provider or relevant department for assistance. To freeze electronic data, one or more of the following methods shall be adopted:
a) Calculate the integrity check value of electronic data; b) Lock the network application account;
c) Other measures to prevent the addition, deletion, and modification of electronic data 5.4.2.3.6 When retrieving electronic data, a notice of evidence retrieval shall be prepared, indicating the relevant information of the electronic data to be retrieved, and notifying the electronic data holder, network service provider or relevant department to execute. 5.4.2.3.7 When collecting and extracting electronic data, a record shall be prepared to record the cause of the case, object, content, time, place, method, and process of collecting and extracting electronic data, and an electronic data list shall be attached, indicating the category, file format, integrity check value, etc., and signed or stamped by the investigator and the electronic data holder (provider): If the electronic data holder (provider) is unable to sign or refuses to sign, it shall be noted in the record and signed or stamped by the witness. If conditions permit, relevant activities should be recorded on video. 5.4.2.3.8 The collection and extraction of electronic data should be witnessed by a third party with no vested interest (qualified organization, natural person or judicially recognized technical measures, etc.) in accordance with the provisions of the Administrative Penalties Law. If it is impossible for a qualified person to serve as a witness due to objective reasons, the situation should be noted in the record and the relevant activities should be recorded. For the collection and extraction of electronic data from multiple computer information systems at the same site, at least one witness should be present. 5.4.2.3.9 For electronic data inspection, the unpacking process of the electronic data storage medium should be recorded, and the electronic data storage medium should be connected to the inspection device through a write-protection device for inspection; if conditions permit, a backup of the electronic data should be made and the backup should be inspected; if the write-protection device cannot be used and the backup cannot be made, the reason should be noted and the The relevant activities shall be recorded. A record shall be made for the inspection of electronic data, indicating the inspection method, process and results, and signed or stamped by the relevant personnel. 5.4.2.3.10 If it is difficult to determine the specialized issues involved in the electronic data, the judicial appraisal agency designated by the law enforcement department shall issue a report. 5.4.2.3.11 In the process of evidence collection, please use the requirements of Appendix A to prepare the on-site evidence record form (see Table A.3) and the evidence list and related instructions form (see Table A.4), and fill in the relevant records. 5.4.3 Acquisition of non-electronic evidence
In accordance with laws and regulations, the types of non-electronic evidence are as follows: 5.4.3.1
a) Documentary evidence;
Physical evidence;
Witness testimony;
Statements and defenses of the parties;
Inspection (appraisal) opinions;
Investigation records and on-site records.
In accordance with laws and regulations, the following are the ways to collect non-electronic evidence: Conduct technical tracking and commissioned inspection or appraisal of illegal products, shipping addresses, return addresses, storage addresses and logistics status;
Conduct on-site inspections of the product production sites or other relevant sites of the offline parties;5
GB/T37919—2019
Question the parties, interested parties, other relevant units or individuals: Inquire and copy the account books, documents, agreements, vouchers, documents and other materials related to the case: Listen to the statements and defenses of the parties or relevant personnel; Take registration and preservation measures in accordance with the law;
Take sealing, seizure (temporary seizure) measures in accordance with the law;h)
Apply for notarization to preserve evidence;
Request the quality supervision and management department of the place where the illegal online store is registered or where it operates to assist in investigation;k)
Other ways to collect evidence in accordance with the law.
Evidence preservation and display
Electronic evidence preservation and display
5.4.4.1.1 To ensure the authenticity and reliability of electronic data, the following methods should be adopted: a) The evidence to be transferred is the original storage medium; when the original storage medium cannot be sealed and is inconvenient to move, the reason should be explained, and the collection and extraction process and the storage location of the original storage medium or the source of the electronic data should be noted: the electronic data has special identification such as digital signatures and digital certificates; b) The collection and extraction process of electronic data can be reproduced: if there are additions, deletions, modifications, etc. of electronic data, an explanation should be attached; d) The integrity of electronic data is guaranteed during the collection of electronic evidence. 5.4.4.1.2 Verification of the integrity of electronic data. The following methods should be adopted: Review the seizure and sealing status of the original storage medium; a
Review the collection and extraction process of electronic data, and check the video; c
Compare the integrity check value of electronic data; d) Compare with the backed-up electronic data; Review the access operation log after freezing; other methods.
5.4.4.1.3 The preservation of electronic evidence will adopt different storage and preservation methods according to the evidence collection method, and the evidence will be fixed and preserved through disk images and electronic data auxiliary evidence; for volatile electronic data, it is necessary to consider using indirect evidence and auxiliary evidence (even in combination with related electronic data) to fix and preserve the evidence. The specific methods are as follows: a) For electronic data such as web pages, documents, and pictures that can be directly displayed, it is advisable to directly preserve and display them in combination with auxiliary electronic evidence; for electronic evidence that is inconvenient to display, indirect evidence (such as printed documents, special tools, etc.) should be used to preserve them, and the auxiliary evidence should include instructions for display tools and methods;
b) For frozen electronic data, indirect electronic evidence should be used to preserve a list of frozen electronic data, indicating the category, file format, frozen subject, key points of evidence, and related network application accounts, and instructions for viewing tools and methods should be included in the auxiliary electronic evidence; for electronic data that cannot be directly displayed, such as programs, tools, and computer viruses that invade and illegally control computer information systems, instructions for recording the properties and functions of the electronic data in indirect electronic data evidence should be used; d) For issues such as data statistics and data identity, law enforcement evidence collectors should explain them in the auxiliary electronic evidence. 5.4.4.1.4 Electronic evidence shall be kept for no less than 3 years. 5.4.4.2
Preservation of non-electronic evidence
5.4.4.2.1 The collected physical evidence shall meet the following requirements:a)
Extracting the original:
If it is really difficult to extract the original, it is advisable to extract a copy that is verified to be consistent with the original or other photos, videos, etc. that prove the physical evidenceb)
Tip: This standard content only shows part of the intercepted content of the complete standard. If you need the complete standard, please go to the top to download the complete standard document for free.