Stephen Mason is a Barrister who specialises in e-commerce,Information Technology and contract law. He is also a consultant to KaltonsSolicitors. Telephone 01462 701098 or 020 7278 1817; email scwm@scwm.co.uk.
The fourth edition of his e-book, ‘The Year 2000: A guide tothe legal issues for business’ is available as a free download from www.reachoutmedia.com.The third edition was distributed to over 300,000 people on the cover CD ROMs ofPC Magazine (May 1999) and PC Pro (July 1999). As far as he is aware, it is thefirst book specifically designed for electronic format.
The twin issues of security and confidentiality on the Internet are in astate of development at present. The aim of this article is to give the reader ageneral survey of the issues relating to security and confidentiality thatlawyers should be thinking of when advising their clients and to consider someof the technical and legal issues.1
When advising clients connected to the Internet, using e-mail or conductinge-commerce, you should ensure the following issues remain in the forefront oftheir thinking.
- Confidentiality Provision for the confidentiality of information or a transaction. Customers should be able to correspond with or buy from a business in the knowledge that the information they give out will not be intercepted or used improperly.
- Authenticity Ensuring the authenticity of the information. When sending or receiving information or an order, both parties need to know the sender of the message is the person they claim to be.
- Integrity and accuracy Having a system in place to demonstrate the integrity and accuracy of the message. Once the message has been received, it is important to know that the content of the message has not been tampered with.
- Enforcement Putting in place an environment in which your client can enforce their rights or protect the privacy of others. If copyright material is posted on the Web, you will need to advise on copyright infringements. By securing the contents electronically, a client can attempt to ensure their copyright material will not be misused.
- Audit Guaranteeing a client can audit the evidential trail. Should the worst occur, and you have to consider advising a client to think about taking legal action against a transgressor, they must be able to demonstrate the integrity of their security system. The evidential weight to be given to electronic evidence is predicated on the degree of control exercised over the controlled and secure environment.
Ideally, businesses should aim to put effective and relevant security systemsin place to avoid legal liability. For instance, every company should havepolicies in place to cover such issues as (this list is not exhaustive):
- protecting personal data
- preventing members of staff from downloading improper material from the Web
- monitoring the content of e-mails for defamatory material.
Readers will be aware of the two celebrated examples of companies failing tocontrol the content of internal e-mail. Norwich Union paid out £450,000 toWestern Provident in 1997 because of the defamatory content of internal e-mails.British Gas had not learnt this lesson in 1999, when it paid out over £100,000to Exoteric Gas Solutions in June for the same reasons.
Methods of Achieving a Secure Environment
There are two main methods used by the security industry to achieve a secureenvironment. Before these are described in outline, it must be emphasised thatelectronic security cannot be treated in the same way as physical security.
Electronic security is not inert, as explained by Howard Fuhs.2A company began selling on the Internet in 1994. They had a firewall installed.The firewall was never audited in four years, so developments in security andthe activities of hackers gradually destroyed most of the electronic securityput in place. It was only when internal corporate information was made public,leading to the loss of a major contract, that management realised how complacentthey had been. The value of the loss amounted to £2.7m and up-dating thesecurity system cost a further £85,000.
This lesson extends to the legal problems of having a presence on the Web,whether your clients have an e-mail link or a Web site. Failing to consider thelegal issues can cost a business as much as failing to deal with the need forsecurity.
Cryptography
Cryptography is the method of hiding the contents of a message, usedfrom ancient times to the present. Encryption is the process by which themessage is disguised sufficiently to hide the substance of the content and decryptionperforms the opposite procedure.
In essence, contemporary cryptographic systems change readable symbols into asecond set of unreadable symbols, using a mathematical process controlled by anumber. This number is called a key. Here is a simple example:
Moses writes to Harris The leaves flutter
The message is encrypted as follows: 1863Z1032420317M410191818316
To read the message, Harris must know how the message was encrypted.
If you know the key to the unreadable symbols, you can work out the messagewhen you receive it. This example does not adequately demonstrate the use of amathematical formula, but is intended to illustrate how the concept works.
There are two types of mathematical families that permit the message to bedisguised: symmetric cryptographic systems and asymmetric cryptographic systems.
Symmetric Cryptographic Systems (Secret Key)
As the name infers, the same number key is used to encrypt and decrypt themessage. Two people can use the same system to send and receive encryptedmessages to each other. This system allows very long keys, which means a messagecan be very secure, because it would take millions of years for a computer tofind the proper numerical key to break the code.
The effectiveness of this system depends on the strength of the algorithm andthe length of the key number. The longer the key number, the stronger the key.If, for instance, a key is 56 bits in length, it will take a supercomputerprocessing a million keys a second 2,285 years to find the secret key. Such akey is suitable for closed user groups where there is a strong element of mutualtrust between the users.3
However, there are disadvantages. The key must be kept secure and secret. Twopeople must have the key to communicate. If you want to receive encryptedmessages from a large number of people, you will have to give out a large numberof keys. You have to rely on those people with access to the key to ensure it iskept secure and secret.
As a result, if a client intends to establish an e-commerce site on theInternet, they may be reluctant to permit people to obtain access to the site bymeans of a secret key, because they will have to send out a large number ofkeys. However, some organisations might consider this a benefit. In the same waythat supermarkets give out loyalty cards, so a site might have a private key forcustomers for the same reasons. This type of key can be useful in somecircumstances.
One further problem is establishing the authenticity of the person that sentthe message. If the message is sent by a forger, the recipient will not be awarethat the sender of the message has used the key improperly. This problem can beovercome by keeping appropriate records, but they represent an added evidentialburden on the system.
Asymmetric Cryptographic Systems (Public Key)
There are two number keys with this system. The system can work in two ways.
Private Public Key Lulu wants to encrypt information. She can generateher own public and private keys using the software on her computer. Although shekeeps the private key number secret, she tells everybody that wants to know thatshe has got a public key number, and posts it on the Internet.
If Rirette wants to write a confidential e-mail to Lulu, she can obtainLulu’s public key number and use it to encrypt the message. Rirette cancomfort herself that only Lulu can read the e-mail because only her private keynumber will decrypt the message.
But there is a problem: what, for example, if an impostor wanted to disruptLulu’s life by interrupting her ability to receive and send encryptedmessages? A person could generate their own public and private keys, post thepublic key on the Internet and claim it belongs to Lulu. Rirette might think sheis sending messages to Lulu, but in fact the message is posted to the impostor.In addition, the impostor could use their own private key to send messages toRirette, who would assume they came from Lulu.
Trusted Third Party Trusted Third Parties or Trust Services Providers,4are public or private bodies that act to certify the connection between a personand their public key number. The Trusted Third Party guarantees the authenticityof the public key number. Trusted Third Parties are also called ‘CertificationAuthorities’, sometimes abbreviated to CA.
The Certification Authority issues an electronic authenticationcertificate, which has the following characteristics:
- it identifies the Certification Authority
- it identifies the subscriber
- it contains the subscriber’s public key
- it is digitally signed with the Certification Authority’s private key.
The electronic authentication certificate also contains other information,such as the level of inquiry carried out by the Certification Authority beforeissuing the certificate.
To acquire such a certificate, Lulu will provide the Certification Authoritywith a copy of her public key number and proof of her identity. The degree ofproof of identity will differ, depending on the size of transaction Lulu wantsto enter. If Lulu wanted to operate an e-commerce site selling expensivebathroom furniture, she might be required to provide sufficient credentials todemonstrate her ability to deal with high-value transactions.
When Lulu sends a message to Rirette, she also sends her a copy of hercertificate. Rirette’s computer will decrypt the message according to the keyshe has been given, and at the same time the Certification Authority willconfirm to Rirette that:
- Lulu is who she purports to be
- her certificate has not been revoked or expired.
To sum up, the role of Trusted Third Parties, or Certification Authorities,is to provide certificates that establish the identity of the owner of thepublic key number. These bodies can be public or private, licensedor unlicensed. In either instance, they must be trustworthy.
They can also form part of a hierarchy, with a chain of CertificationAuthorities. It is envisaged by some that there could be a Root Authoritybelonging to a state agency that licenses Certification Authorities to issuecertificates. In addition, people might decide whether to choose between thestate licensed Certification Authorities and the unlicensed privateCertification Authorities, including Certification Authorities from anothercountry.
Another phrase you may be aware of is ‘PKI’ meaning Public KeyInfrastructure, which is also used when discussing Trusted Third Parties andCertification Authorities.
Biometrics
Biometrics is the method by which a machine can identify you by recognisingyour physical characteristics, such as voice, iris pattern, fingerprint, two orthree dimensional facial recognition, veincheck and automatic signatureverification.
Some systems have used these types of recognition for a number of years. Theimmigration system in the USA has used hand geometry to permit businesstravellers that pass through immigration regularly to be identified by the shapeof their hand. Fingerprinting is used in US benefits systems (thereby reducingpayments by one quarter), prison visitor systems and computer network security.Facial recognition is also used in air terminals and border crossings.
In theory, the use of public and private keys deals with the twin issues ofsecuring a message and establishing the authenticity of the sender. However, ifthe private key is compromised, an unauthorised user can create or modify amessage without being detected. It is argued that the private key can be morereadily secured by using a biometric code, instead of a key number.
The use of biometrics has been hampered by the lack of processing power,amongst other factors. Until recently, neither the technology nor theinfrastructure was in place to allow this method to be used on a wide scale,although there are an increasing number of products available on the market. Nodoubt this method will be used more extensively in the future.
Endnotes
1. This article does not consider any of the legislation fromthe United States of America. You might usefully being your research at www.ilpf.org/digsig/digrep.htm.
2. Howard Fuhs, ‘Static Security’ Information SecurityBulletin, Vol 4, Issue 3, May 1999, 49-50.
3. However, RSA, one of the leading providers of security,recently announced the code used by many financial institutions and e-commerceWeb sites to encrypt financial data was broken. As Ben Hammersley reported,‘‘Numbers up as encrypt code cracked’’, The Times Interface,September 1 1999, 3, it took ‘‘scientists at eleven sites in six countriesseven months and 292 different computers, working for 35 years of computingtime, to find the two 155 digit-long prime numbers needed’’.
4. This phrase is used by the UK government in the paper‘‘Promoting Electronic Commerce’’, Cm 4417.
5. The Times, 30 April 1999, 23.
A report by James Bone5 indicates the type ofproblem that can occur. Andrew Tyler is the 13-year-old son of Ingrid Tyler.The boy used his mother’s account number to purchase items worth nearly $3million on the ebay Internet auction site. It appears the identity of theaccount holder was not established sufficiently in this instance. This is wherea biometric identification can be more effective.
Electronic Signatures
There are differences between a ‘digital signature’ and an ‘electronicsignature’:
- A digital signature is a technique that can include many other possibilities, other than an electronic substitute for a hand-written signature. A digital signature can also be used to establish the origin and integrity of electronic data. It is easier to understand the digital signature as being a technique used for various purposes, one of which can be an electronic signature.
- An electronic signature is the application of an electronic substitute for a hand-written signature.
Conventionally, a signature serves to confirm a serious intention. As aresult, a hand-written signature permits persons to identify themselves,confirms the integrity of the document to which it is applied and demonstratesto the other party that the signer intends to be bound by the content of adocument. An electronic signature seeks to provide similar evidence for the samereasons.
A digital signature (this phrase incorporates electronic signatures) usescryptography to provide assurance to the recipient that the data is authenticand as to the authenticity of the person sending the message. However, unless amechanism exists that can verify the identity of the sender, the process remainsopen to use by an impostor.
This is where the Trusted Third Party or Certificate Authority can provide asolution to the problem within the Public Key Infrastructure. The debate aboutdigital signatures’ centres on the legal status of a signature producedelectronically.
The Digital Signature
This is how the secure digital signature process works:
- Rebecca, the Chief Executive of One plc wishes to send a copy of a contract (1) to Amelia, the Financial Director for her comments.
- Rebecca passes the message through an algorithm (2), called a ‘digest’ or ‘hash’ function. The hash carries out a mathematical operation on the original message. It creates a unique and concise version of the original text. This is called the ‘Message Digest’ (3). Any change in the message, no matter how slight, will cause significant changes in the message itself. The message digest is very short in comparison to the actual message, so it does not take long to carry out this function.
- Rebecca then encrypts the Message Digest (4) with her private key. This encryption forms the actual digital signature of the message. The digital signature is the message digest and the private key.
- Rebecca can send the plain text with the digital signature (5), or she can keep the details of the contract confidential by encrypting the message (6) using Amelia’s public key.
- When Amelia receives the message, her computer and software perform separate operations to identify the identity of the sender and to determine whether the message was altered in transit.
- To verify Rebecca’s identity, Amelia’s system takes Rebecca’s digital signature and uses her public key (7) to decrypt the digital signature. This will produce the message digest (8). If successful, Amelia can be sure that Rebecca sent the message, because she is the only person with access to her private key (in theory).
- To find out if the message has been altered in transit, the message, if sent in plain text, is run through the same hash function that Rebecca used (9). This will provide Amelia with a message digest of (10) Rebecca’s message. Amelia will then compare the two message digests. If they are the same, she will know they have not been altered.
- If Rebecca encrypted her message, Amelia will then have to decrypt it using her private key (11) and compare it with the message text.
There is a problem, however. What happens if George, with whom Rebecca isnegotiating, takes her private key away from her at the meeting she isattending? George then sends a message to Amelia, asking for a quick replybecause of the sensitivity of the contract. In this instance, Amelia has notestablished the identity of the sender, despite the technology used.
The Technical Issues
The technical and legal issues are, to a certain extent, linked. Althoughsecurity systems already exist, there is no agreed set of industry standards ortechnical specifications at present.
Standardisation initiatives
Various initiatives have been established at national, regional andinternational level, including the International Chamber of Commerce,6Internet Law and Policy Forum,7 the InternetEngineering Task Force (IETF),8 the World Wide WebConsortium (W3C)9 and the American Bar Association.10Useful reports have also been prepared by the following:
- European Electronic Signature Standardization Initiative (EESSI),11 an industry initiative by the Information and Communications Technology Standards Board (ICT SB)
- European Telecommunications Standards Institute (ETSI) TC Security TTP Ad Hoc Group of the European Union12
- Quercus Information Ltd as part of the European Union European Trust Services (EU ETS) project.13
The aim is to standardise the technological approach to the various issuesthat relate to digital signatures. This article will not discuss the technologyor the methods of encryption, but briefly considers the various practicalproblems that need to be overcome.
Practical issues that need to be addressed
To establish a viable worldwide security network, standards need to be agreedto allow the user to communicate with the various authorities, such asCertificate Authorities, Registration Authorities and the other authorities thatmay be established that are mentioned in the ETSI Report.14In addition, this Report asserts that there is no mechanism to support anelectronic signature at present. If this is the case, then interoperabilitybetween users will be difficult until a technical solution is agreed.
Verifying the identity of a person is crucial. The provision of smart cardsis one option that is being considered at present by both the industry and thevarious discussion fora.
One other area of importance is the cryptographic functions. At present thereare two major types of algorithms, hash functions and digital signaturealgorithms, full details of which are given in annexe B to the ETSI Report.Decisions need to be made to establish which type to use to permit thedevelopment of electronic signatures.
The Legal Issues
In broad terms, the significant legal point is whether an electronicsignature has the same validity as a written signature. The Department of Tradeand Industry, in the White Paper ‘Building Confidence in ElectronicCommerce’,15 suggested there is doubt whether,where there is a requirement in law for a signature, such a requirement can besatisfied by an electronic signature. Others have argued that English law issufficiently flexible to cover the introduction of electronic signatures.
There are several relevant factors that must be taken into account whenconsidering the legal issues. The way in which each interacts with the otherwill affect the development of an international legal framework for e-commerce.The legal issues evolve around:
- the legal structure a country adopts when it implements the law relating to an electronic signature,
- the legal recognition of an electronic signature,
- the relationship between licensing, accreditation and limitation of liability,
- how technical standards interact with the law and
- cross-border recognition.
The legal structure of electronic signatures
The Internet Law and Policy Forum16 suggest thatthere can be a tension between legislation that seeks to be technologicallyneutral and the establishment of legal rules to provide for electronicauthentication. Recent discussions on this topic put forward the view that wherelegal rules are developed, they should not prevent the development andacceptance of new technologies that have yet to be invented. Stewart Baker andMatthew Yeo identified three types of approach which have been taken by variouscountries:17
The prescriptive approach Germany,18Italy19 and Malaysia20were the first countries to enact legislation that refers to digital signatureswithin the framework of a Public Key Infrastructure only, and Argentina willprobably be the first Latin American country to enact similar legislation.21This approach does not allow for the introduction of other methods of security.As a result, the law in these countries will probably have to be changed whennew technology develops.
The two-tier approach This approach was adopted by Singapore in the ElectronicTransactions Bill, enacted in June 1998.22 Thislegislation differentiates between (a) electronic records and signatures and (b)secure electronic records and signatures. The Bill provides that an electronicsignature can be proved in any manner, whereas a secure electronic signaturemust satisfy criteria laid down in the legislation. When a secure electronicsignature conforms to the legal requirements, three legal presumptions follow:that documents authenticated in this way are entitled to a presumption ofintegrity; a presumption that the signature is that of the person with whom itis associated, and a presumption that the person affixed his or her signaturewith the intention of signing or approving the document sent.
Endnotes
6. The International Chamber of Commerce have produced ‘‘GUIDEC’’,General Usage for International Digitally Ensured Commerce, available at http://www.iccwbo.org/guidec2.htm.
7. A short paper called ‘‘International ConsensusPrinciples for Electronic Authentication’’ is available at http://www.ilpf.org/didsig/intlprin.html.
8. Information available at www.letf.org.
9. Information available at www.w3.org.
10. Information available at www.abanet.org.
11. The Final Report of the EESSI Expert Team dated 20 July1999 is available at www.ict.etsi.org/essi/Final-Report.doc.
12. The ETSI Report is entitled Electronic SignatureStandardisation, version 4.1 is dated 16 September 1998, reference ETSI/TC-SEC(98)8– TD 008 and is available at www.accurata.se/QC/main.html.
13. Standardisation issues for the European Trusted Services– ETS by Andrew Colleran, May 1997 and available at www.quercus.co.uk.
14. See paragraphs 2.2.2 to 2.2.3.
15. URN 99/642 dated 5 March 1999.
16. Their paper ‘‘Survey of International Electronic andDigital Signature Initiatives’’, written by Stewart Baker and Matthew Yeo,is available at http://www.ilpf.org/digsig/survey.htm.
17. ibid.
18. The Digital Signature Ordinance (Signaturverordnuny –SigV) is available at www.iid.de/iukdg/sigve.html.
19. Unfortunately, I have not been able to locate the siteto download this legislation. I am grateful to Stewart Baker and Matthew Yeo fortheir article that brought the Italian legislation to my attention. Dumortierand Van Eecke provide the following Web site, www.aipa.it/english/index.asp.although I have no yet managed to gain access to this site.
20. The Digital Signature Bill 1997 is available at www.geocities.com/Tokyo/9239/digisign.html.
21. The Presidential Decree dated 16 April 1998 is availableat www.sfp.gov.ar/decree427.htmland Resolution 45/97 incorporating digital signatures into the informationprocess in the public sector is available at www.sfp.gov.ar/res45ing.html.See also http://news.cnet.com/news/0-1005-200-346270.html?owvfor a short article written in August 1999.
22. The Electronic Transations Act 1998 is available at www.ec.gov.sg/ETBmain.html.
The draft European Union Directive23 on a commonframework for electronic signatures also adopts a two-tier approach. The draftDirective distinguishes between an electronic signature and a qualifiedcertificate. The electronic signature must satisfy the four criteria ofuniqueness, identity, security and integrity. A qualified certificate canidentify a person, providing it meets the technical requirements of Annexe I.Member States will have to accept an electronic signature based on a qualifiedcertificate as evidence of a hand-written signature.
The United Nations has also adopted the two-tier approach in the DraftUniform Rules on Electronic Signatures.24 Two typesof signature are envisaged: electronic signatures that satisfy the requirementsof Article 7 of the Model Law25 and enhancedelectronic signatures that satisfy a higher standard.
The minimalist approach The Australian government has followed therecommendations of the Report of the Electronic Commerce Expert Group26and adopted Article 7 of the UNCITRAL Model Law.27This decision has been made on the premise that there is no internationallyuniform legislative approach to this issue, and it is important merely to dealwith the legal effect of electronic signatures. By taking this approach, theAustralian government have decided to allow the market to determine the issuesthat do not have a legal effect, such as levels of security and reliability.
Legal recognition of electronic signatures
There are three issues that have to be taken into account when consideringthe legal acceptance of electronic signatures.
- It is not always explicit that there is a legal requirement for a signature. For instance, a signature is required when buying or selling land within the jurisdiction of England and Wales. However, in some instances, the law does not specify the need for a signature, but it sets out a procedure that only takes into account the use of paper documents. In such instances, the law does not state that a hand-written signature is required. An electronic signature is not an acceptable alternative because the procedure is predicated on the use of paper.
- The value of electronic signatures differs between jurisdictions. In England and Wales and the Netherlands, parties can agree to accept electronic signatures as evidence of their intentions, and the judges will accept the evidence of such a signature. This is not accepted in other EU countries, such as Germany and Belgium. Jos Dumortier and Patrick Van Eecke point out that Belgium has recently introduced legislation to deal with this issue.28 The proposed solution means a judge will be required to examine the identity of the signatory, to consider whether the parties gave their consent to the contents of the document and to determine the integrity of the document.
- One party might not have the technology available to provide or accept an electronic signature. This will be a major stumbling block for large numbers of people who do not have access to any form of technology.
There are several methods of incorporating the legal recognition ofelectronic signatures into law. For instance, Italy passed law number 59 on 15March 1997 relating to the legal recognition of electronic signatures. ByArticle 15, paragraph 2, an electronic signature for all instruments, data anddocuments produced by public services or private persons, using a computer andtelecommunications, is valid and effective for all legal purposes.29
Two problems arise. First, not everybody can provide a digital signature.This issue will probably be addressed if technology becomes more widelyavailable. Second, it is debatable whether the electronic signature should bedirectly equated to the hand-written signature. A well established set ofprocedures has been developed to prevent fraud with hand-written signatures.Many think it more appropriate to provide for a separate set of procedures orconditions for electronic signatures. In this respect, the draft EU Directiveprovides for the legal recognition of an electronic signature, providing anumber of conditions are met, as set out in Annexe I.
The Relationship between Licensing, Accreditation and Limitation of Liability
Liability
Whether there is a need to license or accredit Certification Authorities orTrusted Third Parties depends on the views taken by government over the issue ofliability. One lawyer in the United States of America, C. Bradford Biddle,30argues that the allocation of legal liability is easier to establish under aclosed system, rather than an open Public Key Infrastructure.
Put simply, his argument is this: if a closed system was acceptedinternationally, people could have many certificates for different purposes,much like the supermarket loyalty cards.
For instance, suppose a third party steals a key or obtains it by fraudulentmeans. Assume the stolen key gave the user the right to buy CDs from aparticular shop on the Internet. In the same way that fraudulent use of a creditcard limits the liability of the card holder, so the shop operating the schemecan also have a limitation of liability on the key number they issue. Thecontractual chain could look something like this:
- The shop enters into a contract with a Certification Authority (CA) to provide key numbers to any member of the public that wants to buy CDs from their Internet site. The CA establishes a set of criteria that will determine whether a card will be issued to members of the public, such as the provision of credit card and bank account details, driving licence number, etc. The CA undertakes (providing the shop gives out key numbers according to the requirements of the CA) to limit the shop’s liability to, say, £30 per transaction per card. The shop will know the full extent of its liability and can therefore pay for suitable insurance cover to meet any liabilities.
- The individual deciding to obtain such a key number with this shop will already be familiar with the concept of being liable for the first £30 spent, because they will have used a credit card for a number of years.
- The CA will know what exposure it might face and can take out insurance to cover the risk.
Clearly, providing somebody with a key number as described above will be arelatively simple matter. The shop issuing the key number can check the veracityof the information provided by the person quickly, and every party to theagreement will understand the full extent of their individual liability. Anindividual can obtain key numbers for different uses, providing different typesof information to different CAs, depending on the risk involved in giving out akey number.
However, it is suggested that, if an open Public Key Infrastructure is widelyadopted, the issue of liability must be established by law. This is because aperson will probably have one key number for many uses. The issue of liabilitycannot, therefore, be as easily distributed as with a closed infrastructure.
Liability issues have already been dealt with by Malaysia, Singapore, Italyand Germany. Malaysia and Singapore permit a CA to establish a ‘recommendedreliance limit’ on any certificate they issue. This limit sets a cap on anyliability that comes about because losses occur as a result of (a) reliance on amisrepresentation in the certificate of any fact the Authority was required bylaw to confirm, or (b) a failure to comply with the requirements laid down bystatute when issuing a certificate.
Neither Germany nor Italy has chosen to address the issue of liability. It isthought in Germany that the legal principles relating to liability that arealready in place are sufficient to cover the liability of CAs. These MemberStates of the EU will be required to amend their law if the draft Directive isaccepted. This is because the draft Directive generally imposes a strictliability on a CA for losses caused by reliance on an inaccurate certificate orfailure to issue a certificate according to the requirements laid down in theDirective.
The Internet Law and Policy Forum31 considerthat such a lack of consensus on the liability issue might affect the success orfailure to formulate international standards on electronic authentication.
To licence or accredit?
The debate also revolves around whether to require a CA to be licensed orwhether to allow voluntary licensing or accreditation. It was mentioned abovethat a new law in Italy provided that an electronic signature has the sameeffect as a hand-written signature. However, only signatures authenticated by alicensed CA will have the benefit of this provision. Consider the variousoptions:
- the Malaysian legislation requires every CA to be licensed, but paradoxically does not permit a judge to deny an electronic signature if accredited by an unlicensed CA
- the Singapore legislation does not require CAs to be licensed, but imposes a number of requirements about the validity of the key numbers they issue
- the EU draft Directive prohibits Member States from requiring a CA to be licensed – if the draft Directive is accepted, Italy and Germany will both need to change their law, because both countries have created such a regime indirectly
- there is an assumption that governments in many jurisdictions will establish Root Authorities, however the Netherlands have established a voluntary Trusted Third Party Chamber, bringing together government and commercial representatives – this Chamber will set the standards for the use of electronic signatures in the Netherlands.32
Licensing can be mandatory or voluntary, state or private. If you have readthis far, you will appreciate that there is a great deal to be discussed innational, regional and international fora before a satisfactory solution can bereached about the issue of liability, licensing and accreditation.
Endnotes
23. Available at www.accurata.se; see also Ter Kah Leng ‘‘E-commerce NewLaws on e-commerce: Signapore’’, The Computer Law and Security Report,January-February 1999, Vol 15, Issue 1, 8-14.
24. The ‘‘Rules’’ are available at www.uncitral.org/english/sessions/wg_ec/wp-73.htm.
25. The UNCITRAL Model Law on Electronic Commerce 1996 isavailable at www.uncitral.org/english/texts/electcom/ml-ec.htm.
26. Electronic Commerce: Building the Legal Framework, aReport of the Electronic Commerce Expert Group to the Attorney General dated 31March 1998 is available at www.law.gov.au/aghome/advisory/eceg/single.htm.
27. Available at www.uncitral.org/english/texts/electcom/ml-ec.htm.
28. ‘‘Electronic Signatures The European Draft Directiveon a common framework for electronic signatures’’, Computer Law andSecurity Report, Vol 15 number 2, 1999 at 109. The Bill is available at http://www.law.kuleuven.ac.be/icri/papers/dutch_eng.htm.
29. Dumortier and Van Eecke, 108.
30. ‘‘Legislating Market Winners Digital Signature Lawsand the Electronic Commerce Marketplace’’ by C. Bradford Biddle is availableat www.w3journal.com/7/s3.biddle.wrap.html.
31. In their report ‘‘Survey of International Electronicand Digital Signature Initiatives’’ available at www.ilpf.org/digsig.survey.htm.
32. I owe this information to the ILPF paper written byStewart Baker and Matthew Yeo.
How Technical Standards Interact with the Law
Technical standards can play a crucial role in the development of a market,although a standard can also be an obstacle to changes and developments,depending on the state of the market. The production of a technical standard isusually left to bodies that have been established for such a purpose. However,the relationship between technical standards and the law has altered over time,and the difference between them is changing even more rapidly with thedevelopment of the Internet.
In particular, Jos Dumortier and Patrick Van Eecke have pointed out that theGerman Digital Signatures Act establishes a non-binding standard for theuse of the digital signature technique.33 What isunusual is that it has not been established through the usual method, which isto pass it to a German standardisation body. The standard has been establishedthrough a mechanism normally reserved for the creation of legislation. Twopoints are relevant. First, the standard only refers to a specific application,whether an electronic signature and the method by which it is authenticated isequivalent to a hand-written signature. Second, the standard has been passed tothe standardisation bodies to complete the development of the standard.
Two criticisms have been levelled against this arrangement. First, technicalspecifications should not be related to legal rules because they might inhibitthe development of the market. Second, the original technical catalogues are fartoo detailed. However, it should be noted that this method of dealing with theissue of standards was a deliberate political decision. Apparently theintroduction of the standard has been faster, which in turn has had a beneficialeffect on the market.
Cross-border Recognition
Two issues stand out and will affect the use of the Internet.
The first substantive issue relates to the legal requirements of electronicsignatures. If the legislation between countries differs as to theauthentication of an electronic signature and if CA are subject to differinglegal and technical requirements, transactions between countries might be verydifficult to bring about.
The second issue concerns how countries recognise foreign electronicsignatures and certificates. If a CA is required to comply with local laws andstandards, each CA might have to consider obtaining a licence in everyjurisdiction, which might be costly and time consuming.
The different approaches by the countries that have already enactedlegislation illustrate the problems. There are two possibilities in Malaysia. Aforeign CA might either face criminal prosecution for issuing or validating adigital certificate in Malaysia without permission, or they may berecognised by the Controller of Certificate Authorities, providing the CA waslicensed in its jurisdiction. However, the latter possibility applies only tothose CAs that can demonstrate they have been licensed. If the jurisdiction theyoperate from does not operate a licensing regime, it appears the CA will have nochoice other than to establish a presence in Malaysia.
The Italian legislation recognises only Authorities that can satisfyequivalent requirements and which are from another EU Member State or from theEuropean Economic Area. The German law has a similar restriction to the Italianlaw, but the Authority is required to demonstrate an equivalent level ofsecurity (by using smart cards), although foreign Authorities can be recognisedthrough the mechanism of an international agreement.
The EU draft Directive will require Authorities outside the EU to becomeaccredited in a Member State or enter into a cross certification arrangementwith an accredited Authority. The draft Directive does, however, permit anAuthority to be recognised as the result of an international treaty.
The Proposals by the British Government
The draft e-commerce bill, the Electronic Communications Bill was publishedon 23 July 1999. The proposed legislation provided for the following:
- a register of approved providers of cryptography support services
- the recognition of electronic signatures and
- powers requiring the disclosure of a key number.
Days before the deadline for this article, the Queen’s Speech announcedthat:
- the powers requiring the disclosure of a key number will be placed in Home Office legislation, the Regulation of Investigatory Powers Bill34
- the proposed scheme for the statutory regulation of providers of authentication services will be removed from the draft Bill
- an additional measure will be introduced to change the requirements for existing laws which insist on the use of paper in official documents.
Clause 7 of the draft Bill proposes that an electronic signature shall beadmissible in evidence in relation to (a) the authenticity and (b) the integrityof the communication. The government has not taken the two-tier approachdescribed earlier in this article. There is no distinction between a‘signature’ and a ‘secure electronic signature’, as provided for in theUnited Nations Draft Uniform Rules on Electronic Signatures. In addition, thereis no difference between an electronic signature and a qualified certificate asprovided for in the draft European Union Directive. When the draft EuropeanDirective is finally agreed, the Bill will have to be amended to take intoaccount the European law.
By clause 3, the authenticity of a valid electronic signature will beestablished by a person who can demonstrate the authenticity or integrity of theelectronic signature, or both. No standards have been laid down. This means itwill be a matter of providing evidence to demonstrate the authenticity andintegrity of the electronic signature.
It will be interesting to note how many Certificate Authorities and userswill want to work or use encryption within such a harsh framework. Will the UKbe the best environment for electronic business by 2002?
General Comments
The commentary attached to the draft Bill repeats the often quoted assertionthat the British government intends ‘the UK to be the best environment forelectronic business by 2002’.35 There are twopoints to be made about this political slogan – a similar phrase is used bythe Ministry of Economic Affairs in the Netherlands.36
First, any business conducted on the Internet is, by definition, conducted ona global scale. The physical location of a business is irrelevant. Companieswithin a free market move their geographical location when it suits them. As aresult, the e-commerce framework offered by the British government will berelevant only to companies that intend to remain within the jurisdiction of theUK. Other factors will continue to be more important when deciding whether tomove location, such as standard of living, taxation and regulatory issues. Thee-commerce framework in the UK is only one factor to be taken into account by acompany intending to do business within the geographical limits of the UK. Theprovisions of the draft Bill will not, therefore, affect companies alreadyconducting business on the Internet in other jurisdictions.
Second, until individual countries agree an international e-commerceframework that will have worldwide effect, the attempts by individual countriesto legislate on such matters will inevitably lead to fragmentation and aretardation of the development of the Internet as a forum for commerce. Thepiecemeal approach adopted by individual countries such as the UK will not helpthe development of global e-commerce.
It is the author’s view that the international community needs to conduct asubstantial review of the legal matters relating to global commerce. Thedevelopment of the Internet has given governments the world over the opportunityto reconsider the legal rules and procedures relating to commerce on a globalscale. If the international community cannot reach agreement over such mattersas evidence and proof, licensing, limitation of liability, rules and proceduresand how matters are dealt with by national courts, the Certification Authoritieswill have to consider establishing themselves in different jurisdictions tocomply with local laws.
The relevance of electronic signatures will become clearer if the legal andtechnical issues can be resolved satisfactorily. I concur with the comments ofBenjamin Wright,38 that it is far better toestablish the need for a change before passing laws that will probably need tobe altered to take account of the way in which electronic signatures are used inthe future.
Endnotes
33. Dumortier and Van Eecke, 107-108.
34. This part of the Bill is not of direct relevance to thisarticle. The provisions relating to the disclosure of a key number appear to besomewhat draconian and unnecessary. It has clearly been planned in detail, fromthe requirement that you must prove a negative, down to the provisions relatingto imprisonment if you fail to inform the authorities of your key number or tellanother party that you have revealed their key number to the authorities. Withthe inclusion of hearings before a tribunal that can hold hearings both insecret and in the absence of the accused or their lawyers, the provisions ofthis part of the Bill illustrate the attitude of the present government withrespect to law enforcement. The comments by Andrew Katz in a letter to theeditor, Computers and Law, April/May 1999, Vol 10, Issue 1, p´39, illustratesome of the practical issues that have yet to be considered.
35. Taken from paragraph 13 on page 5 to Part 1 ‘‘Theconsultation document and the government’s response to the Trade and IndustryCommittee’s Report’’.
36. See http://info.minez.ml/kennisent/ecom/engles/why.htm.
37. Christopher Kuner has written a paper ‘‘DraftConvention on the Mutual Recognition of Digital and Electronic Signatures’’.It is available at www.mbc.comm/ecommerce/legis/convention-kuner.html.
38. Benjamin Wright, ‘‘Electronic Signatures Makingelectronic signatures a reality’’, The Computer Law and Security Report,November – December 1999, Vol 15, Issue 6, 401-402.