Authentication
Rules and Electronic Records
OUTLINE
INTRODUCTION
I.
AUTHENTICATION
RULES IN LAW
A. The Nature of
Authentication
i) what?
ii) where? who?
iii) content?
B. The Process of Authentication
i) the threats
ii) the risks
iii) the costs
iv) the benefits
C. Authentication Rules
i) purpose
ii) nature
iii) scope
iv) legal effect
II. AUTHENTICATING
ELECTRONIC DOCUMENTS
A. The Nature of Electronic Documents
i) uncertainty of
storage
ii) uncertainty of
retrieval
iii) ease of
alteration, difficulty of detection
B.
Legal Responses to Electronic Records
III. LEGISLATION
ON AUTHENTICATING ELECTRONIC RECORDS
A.
Approaches to Formal Authentication of Electronic Records
i) governmental
discretion
ii) closed systems
iii) technology
specific general rules
iv) technology
neutral general rules
·
reliability
– further legislation
·
reliability
rule – is it needed?
·
Party
autonomy – role of contracts to set standards
·
Attribution
rules
v) hybrid rules –
combining neutral and less neutral rules
B.
Choosing a Legislative Model
C. Other Rules Affecting
Authentication
i) liability rules
ii) recognition rules
IV. CONCLUSION
Authentication
Rules and Electronic Records
John D. Gregory
Ontario, Canada
November 2001
INTRODUCTION
This paper
discusses the legal status of authentication rules in the light of electronic
records. It does so in three parts.
First, it provides an overview of the nature of rules about authentication of
records on paper, and why and how they have evolved. Next, it discusses the impact of electronic records on these
rules, and how the rules have responded to them. Finally, it examines the principal methods of modernizing legal
authentication regimes in order to accommodate electronic records, while maintaining
the policies that led to the authentication rules in the first place.
I.
AUTHENTICATION RULES IN LAW
A.
The nature of authentication
Authentication is the decision
whether a record is what it purports to be.
It is
therefore a question of evidence, though not always of the
formal law of evidence. It is a
judgment of the credibility or reliability of a document.
Three
questions arise in the process of authentication: What is this record? Where or
who does it come from? Has its content
been altered, either intentionally or unintentionally?
i)
What? The
answer to the first question depends on the context of the individual
document. A record may be anything
capable of recording information: a contract, a letter, a statute, a laundry
list, a bank statement, a ledger of transactions. This question is not generally the subject of legislation.
ii)
Where/Who? The
second, on the source of the document, gives rise to (part of) the law on
signatures.
However, it is very important to
note that a signature is just one way of determining the origin of a
document. The document is what counts
in law, not the signature. One authenticates the document, not the signature. A signature without a document is legally
meaningless, it is just an autograph. A
document without a signature may be very important legally. One can
authenticate an unsigned document and rely on it. But a document whose origin is unknown is unlikely to be given
legal consequences.
There are many ways of deciding
where a document came from. Its content
is one: it may recite its origin, e.g. “This is an agreement made on [date] by
[party X and party Y].” A business
letter – one that may be part of a legal transaction - usually states the
address from which it comes and the address to which it is being sent, along
with the identity of the sender and addressee.
Other ways of determining the
source of a record include the context (it may be part of an ongoing discussion
shown by several records), physical evidence (a letterhead, a fingerprint),
postal evidence (a postmark, even a stamp), or testimony of someone who knows
(e.g. “this is the contract I made with party X last year”, “this is the latest
draft of the contract being negotiated with party Y”.) There may be evidence created by a third
party, that is to say someone. not directly affected by a transaction or
relationship that the record affects, such as a witness, a public official, a
record-keeper, and the like. (Sometimes such people make the originator’s
signature more reliable, rather than the document itself.)
As noted, a very common method of
showing the source of a record is the signature of the person who created
it. A handwritten signature is
relatively hard for someone other than the signer to duplicate accurately by
hand, so it is a relatively good way to trace the document to the signer. It should be noted that one needs additional
evidence to use a handwritten signature – sometimes of the identity of the
signer, since some signatures are not legible and unambiguous statements of the
signer’s name, and generally of a genuine signature of the signer to compare
with the one on the record to be authenticated.
Signatures may be supported by
supplementary evidence as well, notably that of one or more witnesses to the
signature, or the evidence of a public official such as a notary or clerk of a
court. Making a document under oath,
such as an affidavit, does not by that fact make its source more reliable. The oath goes to the truth of the contents,
not their source or their permanence.
However, the person before whom the oath is made – notary or
commissioner of oaths – may be a useful witness as to the source. Sometimes the laws of evidence provide that
a document witnessed by (or sometimes sworn before) a public official is
admissible in evidence without further proof of origin, i.e. it is
“self-authenticating”.
iii)
Content? The third element of authentication involves a
judgment of the integrity of the record.
A record can be altered intentionally or unintentionally (for example a
page could be lost or torn or words become illegible). If the person relying on the record wants a
legal relationship with the person who created it, then the two parties must
have a common intention, and the record of that intention must be the same for
both of them. In short, the integrity
of the document is important for obvious reasons.
Nevertheless the integrity of
documents is often protected fairly casually.
An original handwritten signature is some evidence of the integrity of
the page on which it appears. It is
common in some legal systems, notably common law systems, for multi-page
contracts to be joined only by a staple.
It is uncommon, except for wills, for parties who sign multi-page
documents to initial every page. Some
legal systems require some kinds of document to be signed before a public
official such as a notary, who may keep the original document in safe custody
and make true copies for the use of the parties. Sometimes important documents must be deposited in a public
registry, thus out of reach of those who might want to alter them, though
usually public registries serve as public notice of the contents of the records
as much as a means of keeping them secure.
A seal can help show the integrity
of a document if it forms an impression through all its pages. This is more common with seals (and
documents) of public officials than of seals used by private parties, which
tend today to be impersonal and used on a single page.
One of the common ways of
strengthening the likelihood of integrity of a document is to ensure that one
has an original version of it. It is
harder to tamper undetectably with an original than with a copy, which may be
the copy of an altered original. For
this reason notaries in Latin systems keep the originals of documents made
before them, as mentioned a moment ago.
B.
The Process of Authentication
One authenticates a document in
order to decide whether or not to rely on it, that
is, to change one’s legal position or to enter into legal
obligations. This decision is
influenced by a number of factors, not all of them related to the technical
nature of the document. The process can
be described as a “threat-risk analysis”, which involves an evaluation and a
balancing of four factors: threats, risks, costs and benefits.
i)
The threats to the genuineness of the source: who is
interested in providing a false document?
This involves considering the history of the relationship with the
person providing the document: is the person trustworthy? Has there ever been any problem with a
document from this person, transmitted by the same method? Are there others who would benefit from a
forgery or an alteration?
ii)
The risks to the person deciding whether to rely: what
is the likelihood that the source of the document has provided a false document
in this case? This involves the
technical examination of the evidence of source and integrity.
iii)
The costs of relying on a false document: what is at
stake if the document is not genuine?
How much is lost? What is the
cost of getting or asking for better evidence of source or integrity? Will the other person refuse? What are the technical costs of a better
security system? Are the costs of more
reliability higher than the costs of the loss from a false document?
iv)
The benefits of taking a chance on the document: are
the potential benefits high compared to the risk of loss and the cost of
loss?
Not all documents or relying
parties will produce the same result. Different
people will have different tolerance for loss and different
estimates of the threats, risks, costs and benefits even in similar
circumstances. High value transactions
or transactions with strangers will produce different results than less important
transactions with trusted partners.
In short,
authentication is a judgment, and not an automatic process. It is first of all a business judgment. However, the law has intervened in most
countries to set conditions on the exercise of the judgment, making it also a
legal judgment.
C. Authentication
Rules
Documents with legal effect are of
course part of a legal system, a system of rules
governing the relations of people and other entities, as
devised by some institution of government.
Governments often decide to intervene in judgments about authentication,
by making rules that influence the process.
i) Purpose: The reason for rules that affect authentication is that the
government has seen a public purpose in making them. A number of purposes are at work. The government may decide that the consequences of particular
transactions are so important to people that it requires that they be made less
risky, by ensuring that some reliable forms of authentication are used. Sometimes only particularly vulnerable
people – such as consumers – are made subject to such rules.
Put another way, there is often a
difference between what the law requires for validity and what people will
choose to do out of prudence. The law
may allow a pencil signature on a piece of tissue paper to be valid, but many
people would consider it imprudent to accept such a flimsy document and insist
on something more durable. Sometimes
the law will intervene to move the legal standard closer to what prudence seems
to require.
At other times governments act to
protect a state interest in authenticity.
Public records are often taken to be more important than records used
only among private parties, because public records involve the official status
of citizens, or the expenditure of public funds, or the documents making up the
history of the community.
Authentication rules applicable to public records are common.
It is important to note that not
all form requirements are based on concerns about authentication. Some are created to produce evidence that
certain formalities have been complied with, or that the transaction has been
properly conducted. For example, requiring a consumer’s signature on a contract
may be a way of ensuring that the consumer appreciates the serious, or at least
legally binding, consequences of what is being done. It may be a way of ensuring, and proving later, that the consumer
got to look at the terms of the contract before being bound to it. Neither of these motives show any concern
about identifying the consumer reliably.
As a result, as we will see later,
laws affecting how electronic records can satisfy form requirements may not
need to demand a highly detailed support of authentication.
ii)
Nature:
Authentication rules generally require that documents be made in a
particular form, or with particular formalities. Among the most common are:
·
writing requirements: that a document made for a
particular purpose or between particular parties must be in writing
·
signature requirements: that a document must be signed
by all parties to it, or by the party that will be subject to the obligations
it creates.
·
ceremonial requirements: that a document must be signed
in certain circumstances, such as before witnesses, or before certain people,
such as notaries or other public officials, or by applying a seal (these rules
may be more often to protect the signer of the document than to ensure its
authenticity later.)
·
originality requirements: that a document to have legal
effect must be used or presented in its original version and not only as a copy
·
registration requirements: that the document be
deposited in a public register.
Requirements that the public have access to the register may be part of
authentication – extra eyes to detect inauthenticity – or part of a public
notice regime, for example to establish priorities of claims – that has nothing
to do with authentication as such.
iii)
Scope: Authentication requirements typically affect
certain documents with a serious impact on the affairs of the person making
them. Some typical examples in Canada
and the United States are:
·
wills
·
land transfers
·
contracts for high values or involving consumers
·
family status documents such as marriage contracts
·
personal care documents like living wills or powers of attorney
It may be safe to say that most
documents to be submitted to public authorities are subject to some
requirements to show their source and integrity, whether the requirements arise
from statute or administrative procedure.
iv)
Legal effect:
Rules affecting authentication can have one or more of several impacts
on the documents subject to them.
·
validity: a document that meets the requirement is
valid, or one that does not meet the requirement is invalid.
·
enforceability: whether or not the document is valid,
it may not be enforceable, for example against a party who has not signed it
·
admissibility: a document not in proper form may not be
admissible in judicial proceedings, particularly those involving its
enforcement
·
registrability: a document not in proper form may not
be registered, and registration may be required to ensure certain rights or
priorities concerning the subject of the document.
·
acceptability: a document not in proper form may simply
be refused by a public authority subject to an authentication regime.
Much of the early conceptual work about such a
system was carried out by the American Bar Association, whose Digital Signature
Guidelines were influential. (The Guidelines are available at http://www.abanet.org/scitech/
ec/isc/digital_signature.html.) The first legislation to this
effect was the Utah Digital Signature Act of 1995. (Utah Act, Utah Code
Annotated, Title 46-3, http://www.le.state.ut.us/~code/TITLE46/46_02.htm.)
It dealt expressly with public key cryptography as signature. It regulated certification authorities and
exempted them from liability if they followed the rules. It also provides a presumption of
attribution for duly certified signatures.
The Utah Act was followed in three other states (Washington, Minnesota
and Missouri).
However, this
approach was severely criticized on several grounds.
·
As technology evolved there were many different
implementations of digital signatures, with different degrees of involvement
and engagement by third parties and relying parties and thus different risks
and degrees of reliability.
Presumptions were not justified to the same degree for each
implementation.
·
The relationship among the participants was not always
as contemplated in the legislation.
Different uses of electronic documents needed different degrees of
reliability, in fact, so having a single system designated by law was sometimes
unhelpful or even risky to the users.
·
The apparent
advantage of not having to prove the technology in court was reduced by the
need to respond persuasively to someone who attacked its reliability.
·
Digital signature legislation was thought to impede the
free development of electronic records systems, as it gave an unfair legal advantage
to the technology of public key cryptography.
·
More recently, privacy advocates have attacked some
features of PKIs as a threat to personal information.
In the result, no further American
states have followed the Utah example. In
the wake of the Utah Act, Germany, Italy and Malaysia also passed digital
signature legislation, with extensive rules about the creation of signatures,
the role of the certification authority, and so on. Germany has since modified its law to conform to the Directive of
the European Union on Electronic Signatures, which is discussed below in the
section on hybrid legislation, and Italy will have to do so as well in due
course.
In distinction to
the specific detailed statutes mentioned here, a number of countries – and
international bodies – have preferred a minimalist response to the quest for
certainty about the legal status of electronic communications and
authentication. They have chosen a
minimalist approach for several reasons.
First, the existing law - statutes and jurisprudence and private law
based on contracts - is capable of resolving a good number of questions on its
own. Electronic messages, even on the
Internet, do not present radically new questions for all legal purposes. As noted, the level of comfort with
electronic records generally increases with familiarity. Next, the technology underlying electronic
records is changing rapidly, so attempts to prescribe specifically how to
conduct legally effective communications risk obsolescence even before they
come into force. In any event the uses
to which electronic communications are put vary so widely that no single
technology would suit all of them. The
proposed legislation can be said to be “technology neutral” for this reason.
The leader in this
field is the United Nations (UNCITRAL) Model Law on Electronic Commerce. (Official
Records of the General Assembly, Fortieth Session, Supplement No. 17
(A/40/17)(1996). The text and the
very useful Guide to Enactment are at http://www.uncitral.org/english/texts/electcom/ml-ecomm.htm.) The Model Law sets out an electronic
equivalent to various form requirements that are prescribed for paper. Thus a requirement for a signature of a
person is satisfied if a method is used that identifies the person and
indicates the person’s approval of the electronic record, and if the method
used is as reliable as is appropriate in all the circumstances, including the
existence of any agreement among the parties about the method to be used. (Article 7(1) of the Model Law on
E-Commerce.) It is generally accepted
that “approval” in this formula means only willingness to adopt the text as
one’s own, without necessarily restricting a signature to one used to assent to
a contract.
This function of a
signature – to link a person with a document – is the same for a signature on
paper or a signature associated with an electronic document. This means that the authentication function
can be satisfied by an electronic signature under this formula. However, Article 7(3) of the Model Law
allows implementing countries to exclude particular signatures from the scope
of the permission, without saying what to exclude. The Guide to Enactment asks
that the exclusions be narrow so as not to reduce the scope of the general permission.
A state legislating
on authentication of electronic records may choose to exclude on the basis of
the type of document, the type of transaction, or the type of party. The motive of excluding would be to protect
either the interests of the parties or the interests of the state in reliable
authentication or prudent practices, in other words, the same motive that often
underlay the creation of the authentication rule in the first place, before
electronic documents came into the picture.
The range of exclusions – of cases where authentication decisions cannot
be left to the parties – is likely to be narrower when the documents and
transactions are purely commercial. The
more the enabling legislation extends to non-commercial matters, the more interest
the state may have in involving itself in authentication decisions.
Many of the
countries implementing the UN Model Law on Electronic Commerce have chosen
similar exclusions. They typically
exclude land transfers (though not always short term leases), wills (which are
arguably not commercial anyway), powers of attorney, and negotiable instruments
(bills of exchange, promissory notes, cheques). Land transfers tend to have a
public interest component, at least for the protection of third parties, often
done through a public registration system.
Powers of attorney and wills may be prepared by the parties themselves
without professional advice, which increase the risk of insecurity in matters
very important to the property of the makers.
(Some countries require the participation of notaries in these
documents; if a system of electronic notarial documents can be devised, then
this concern is lessened.) Negotiable
instruments carry in themselves the value they represent, and they therefore
must be unique, i.e. exist in a single official version only. Electronic records are at present impossible
to create so they cannot be copied, if they are still to be transferable.
The Model Law on
Electronic Commerce does not itself exclude consumer transactions. However, its
provisions yield to consumer protection laws in enacting states. Enacting states may have to decide if a
requirement in their law that a consumer contract be in writing or signed
should be satisfied by an electronic document that comply with the Model Law’s
rules, or whether further demands should be imposed. The United States federal law, for example, requires that the
capacity as well as the consent of consumers to communicate electronically be
adequately demonstrated. (See the
Electronic Signatures in Global and National Commerce Act, Public Law 106-229
of 2000.)
We will return to
exclusions in our discussion of hybrid legislation, below.
A number of
countries have implemented the UN Model Law on Electronic Commerce, including the
signature provisions. Examples are
Singapore, Australia, Hong Kong, India, Bermuda, Ireland, Columbia, Canada, the
United States and France. (Useful sources of information on international
developments in this field, and links to online versions – for statutes of all
types - are the Internet Law and Policy Forum, http://www.ilpf.org,
the McBride Baker Coles firm website, http://www.mbc.com/ecommerce/
international.asp , and the Baker & McKenzie firm website, http://www.bmck.com/ecommerce/ .)
Four issues arise
out of the Model Law’s approach that cast light on potential legislation about
authenticating electronic records: reliability standards, rules dispensing with
reliability, party autonomy, and attribution rules.
·
Reliability – further legislation: The
e-signature rule of the Model Law on E-Commerce is very helpful in ensuring
that electronic signatures can be used with legal effect, i.e. that some of the
rules about authentication can be met by an electronic signature. It is however very general. People signing documents electronically will
want assurance at the time of signing that the method they are using is in law
appropriately reliable for their circumstances, so that the signed document
will be legally effective. Without case
law on the subject, reliability and thus effectiveness was a matter of opinion,
debate and uncertainty. As a result, UNCITRAL developed a new Model Law on
Electronic Signatures, adopted in July 2001. (It is available online at http://www.unictral.org/english/texts/electcom/ml-elecsig-e.pdf. A Guide to Enactment will be published on
the same site shortly.)
The new Model Law sets out
criteria for evaluating the reliability of an electronic signature, though it
states clearly that the criteria are not exclusive and that other electronic
signatures may be appropriately reliable too within the meaning of the 1996
Model Law. The criteria for reliability
are these:
(a)
« the signature creation data are, within the context in
which they are used, linked to the signatory and to no other person »
For a signature to be reliable,
the data have to point to one person, at least within the context of the
signature. The qualification would
allow the same signing code for more than one person, but not where it is at
all likely to be ambiguous.
(b)
« the signature creation data were, at the time of
signing, under the control of the signatory and of no other person »
People are safely presumed to
control the means for creating a handwritten signature – their signing
hand. Traditional cheque-signing
machines present similar problems to electronic signatures: they are acceptable
often only because the relying party has strong assurance that the purported signer
will not repudiate the signature. For
electronic signatures (also created by a kind of machine), the ability to
control the use of the signing data is here made part of the criteria for
reliability.
(c)
« any alteration to the electronic signature, made after
the time of signing, is detectable »
The next two paragraphs reflect a
debate within the Working Group about the extent to which a signature at law
shows the integrity of the signed document.
Common law delegates generally said it did not. Civil law delegations
generally said it did. (No one doubted
the need for a relying party to know that the document was trustworthy; the
debate dealt only with the function of a signature to show that.) The
compromise was to focus in one paragraph on alterations to the signature, which
could be understood to refer to any doubt about the link between the signature
and the document with which it was linked, and in another with alterations to
the document. The test in paragraph (c)
is not that a signature that is altered is invalid, but only that the alteration
must be detectable. Once detected, the
change may have a range of effects, largely within the judgment of the relying
party, since the relying party takes the risk if the signature is invalid.
(d)
« where a purpose of the legal requirement for a signature
is to provide assurance as to the integrity of the information to which it
relates, any alteration made to that information after the time of signing is
detectable. »
The provision is a standard
provision for the characteristics of digital signatures (those created using
public key cryptography). The Working Group did not decide that this
characteristic was needed for any electronic signature to be reliable – unless
preserving or showing the integrity of the document is considered an essential function
of a signature. This was the civil law view, and civil law countries may want
this provision as part of their criteria for a signature reliable enough to
have the same legal effect as a handwritten signature, if they choose a
reliability test at all – a question discussed below.
Paragraph 6(5) repeats the caveat
of Article 7(3) of the Model Law on E-Commerce, that enacting states may carve
out some unspecified kinds of signature as exceptions to the general rule. It is open to discussion whether the need
for a carve-out is as strong when criteria for reliability are clearer than
they were in the old text. Compliance
with mandatory rules is already guaranteed under Article 5. Perhaps enacting states will find it clearer
to list by statute the places where higher standards are required. This question is noted again in the
discussion below of hybrid legislation.
Article 7 anticipates a short-cut
to reliability: the declaration by an authorized body that a particular method
of creating an electronic signature is reliable. This body may be in the public sector or may be a private body
authorized by the public authorities to give such accreditation. The declaration is intended to avoid the
need to prove that any particular signature technique meets the general
standard of reliability or the particular criteria of paragraph 6(3).
Although the article does not
intend for countries to designate how reliable e-signatures must be
done, only particular ways that are deemed to be reliable, there will be much
pressure in practice for signers to use the approved methods. Some concerns have been expressed that
countries will introduce disharmony in what is acceptable, by accrediting
inconsistent signature methods under this article. Any such accreditation must be in accord with recognized
international standards, to reduce the chances of this. The recognition rules discussed below also
bolster this approach.
To date no country has adopted
the Model Law on Electronic Signatures, though traces of its reasoning are
found in the New Zealand Electronic Transactions bill published in 2000.
The more “reliable” a signature
has to be to meet a legal signature requirement, the more comfortable a state
can be that its existing authentication rules (i.e. designed originally for
paper documents) can accommodate electronic documents that comply with the UN
model. However, it is important that
the hurdles to electronic documents not be set too high for all purposes. The discussion earlier about commercial and
non-commercial documents is relevant here.
Some countries have done without any specific reliability test for
electronic commercial documents, as the following text explains.
.
·
reliability rule: is it needed? Some implementations of the UN Model Law on
Electronic Commerce omit the reliability test entirely, so that any electronic
signature meets a signature requirement.
The e-signature would have to be made with intention to sign the
document, so evidence would be needed of its nature. The Canadian and American uniform statutes, the American federal
statute, the Quebec provincial statute, and the European Union Directive on
Electronic Signatures all take this approach (the EU Directive for basic
e-signatures, though it provides special rules for advanced electronic
signatures, discussed below. (Directive 99/93/EC, December 1999, http://europa.eu.int/comm/internal_market/en/media/sign/Dir99-93-ecEN.pdf.)
The reason for the omission is that current law
imposes no reliability test on handwritten signatures. Anything that can be shown to be linked to a
person with intent to sign a document can be a signature. As noted earlier, a signature is just one
way to authenticate a document. If one
can show with respect to any document, or any apparent signature, who created
it, what it relates to, and what the intention was (a matter of context not
form), then the task of authentication is complete. Showing in addition that the form of signature met some kind of
reliability test, independent of what one can actually prove toward
authentication, seemed superfluous, if not simply a trap for the unwary, a risk
of invalidity despite clear proof of authenticity.
This approach puts the authentication
of electronic records on a closer footing to that of paper records. If the law requires a signature on a paper
record, then the party wishing to enforce the record at law can simply show the
fact of signature. Then the legal
requirement is met. Going on to show
just who signed it and why it is reliable is a separate issue. The party seeking enforcement must then
prove fact, not compliance with a vague or complex legal standard. This is an easier task, and one more in tune
with the nature of authentication, which is a business judgment about the
acceptability of risk.
·
Party autonomy – role of contracts to set standards: Article 7 of the 1996 Model Law allows a
court to take into account any agreement among the parties to a document when
judging the reliability of a signature method.
In doing so the court could presumably not follow the agreement. Otherwise the parties cannot opt out of this
standard for satisfying a signature requirement, or the other “functional
equivalence” rules of Chapter II of Part One of the Model Law on Electronic
Commerce. The new Model Law on
Electronic Signatures shows an evolution of this position. Article 5 says that parties to a transaction
may vary or opt out of any provision of the Model Law (i.e. of implementing
legislation) except where this is prohibited by law. This was intended to be the equivalent of saying that the power
to opt out is limited by “mandatory rules” or considerations of “public order”,
in the language of international conventions.
It was not intended to encourage countries to prohibit commercial
parties from making their own arrangements across a range of documents. This is therefore a broader autonomy to make
one’s own arrangements than in the older text.
In addition, Article 3 of the new
Model Law states clearly that the parties are free to decide what will be good
enough among themselves, even if they choose a more demanding authentication
technique than that which would be considered appropriately reliable under
Article 6. They may also take advantage of any rule of law that would allow for
a less reliable signature than the general standard of appropriate reliability.
(One does not contemplate legislation approving “inappropriate” reliability,
but rather legislation setting a lower standard for a good reason, in the
absence of which reason and legislation the signature technique could be
considered insufficiently reliable.)
Legislation based on the UN
models thus makes space for the trading partner agreements done for EDI, mentioned
earlier, that spell out that the electronic signature or document
authentication processes named in the contract will satisfy the authentication
rules of the applicable law. This is
true especially for electronic signatures.
The other rules would have to comply with the standards of the 1996
Model Law, but they are likely to be compatible with what the parties would
agree on anyway.
This broad role for party
autonomy recognizes that authentication is more a matter of business risk
management than of legal duty. However,
the law still plays two roles: first, it tells those without the power to
negotiate standards how to get to a generally acceptable system. Second, it sets the important standards for
authentication, those that cannot be derogated from, in other words those that
are so important that parties are not allowed to make their own judgment. This power is given not only by the
submission of private agreements to public order, but also by the power to
exclude some kinds of signatures or records from the statutory permissions
altogether. The exclusions would put
electronic documents back into the general law about forms that affect
authentication. Sometimes, as we have
seen earlier, they will not be able to satisfy those forms for technical
reasons, and electronic documents will not be legally effective.
(Possibly in some cases the right
policy response would be special rules for those special form
requirements. For example, the province
of Ontario has followed the general Canadian uniform statute in excluding land
transfer documents from the permission to use electronic documents and
signatures. Nevertheless the province has established an electronic system of
land transfers, with its separate statutory and technical security regimes.)
Legislation that leaves much
autonomy to the parties to decide what evidence they need of authentication
also exposes parties to the risk of wrong decisions. If this is done, then it is important to ensure that parties are
free to decide not to use electronic records and signatures at all. The Canadian, American and Australian
statutes, among others, are all very clear on that point. As the Canadian uniform statute puts it, in
section 6(1), “nothing in this Act requires any person to use or accept information
in electronic form, but consent may be inferred by conduct.”
The power to say No is the power
to say Yes, If …, and thus impose for particular transactions or classes of
transaction the rules for reliable authentication that seem appropriate to that
person. Since the relying party takes
the risk, on paper or online, that the document or signature is not genuine,
that party should be able to decide on the medium in which it will run that
risk. One may however bind oneself by
contract to accept electronic records, at least for a period. The American uniform statute expressly
grants the right to change one’s consent on this point and prevents people from
waiving that right (s. 5(c)).
·
Attribution rules: Article 13 of the U.N. Model Law on Electronic Commerce provides
that data messages may be attributed to those who create them or who authorize
their creation. This is of course the
general law in most countries. The United States and Australia have legislated
similar provisions. The Canadian legislators
thought this went without saying, so did not say it.
The
1996 U.N. Model Law goes on to provide a rule (or presumption) of attribution
where certain agreed security procedures are used on data messages, or if an
unauthorized person got access to the security procedures through the fault of
the authorized user (Model Law paragraphs 13(3) and (4)). To date these rules have not been widely
adopted by implementing countries. The
American drafting group attempted to devise similar rules, but they fell under
severe criticism based partly on the fluidity of the technology available and
partly on the likely lack of sophistication of its users. (Reports of the
Drafting Committee meetings can provide details. Online at: http://www.webcom.com/legaled/ETAForum/mtgrpts.html, notably the meetings of September
1997 and January 1998.) The
Canadian uniform statute did not try to follow the Model Law on this point in
the Uniform Act, but the federal government has given it some echo in its
legislation, discussed below.
The
working group of UNCITRAL on electronic signatures aimed to give more substance
to the provisions of Article 13 of the 1996 text, but there too, efforts to
draft clear attribution rules ended up much narrower than originally hoped.
(See the reports of the meetings of UNCITRAL’s Working Group on Electronic
Commerce, notably for July 1998 (A/CN.9/454, para. 40 – 53); for February 1999
(A/CN.9/457, para. 99 – 107, and Working Paper WP.79 para 31 - 33); for
September 1999 (A/CN.9/465, para. 68 – 77); and for February 2000 (A/CN.9/467,
para. 44 – 71). They are all at http://www.uncitral.org/english/workinggroups/wg_ec/index.htm.)
Where legislation is silent on
attribution, parties to electronic transactions will have to satisfy themselves
of the origin of electronic documents and signatures. What is prudent will depend on the circumstances, including the
other identification methods available (such as use of a credit card), the
total value of the transaction and the cost of getting better assurance of
origin. A technology-neutral statute
can do little more without hampering parties who are capable of making their
own decisions. Statutes that say more
about the technology may permit themselves to say more about attribution as
well.
As the Utah model
fell into question, attempts were made to find technology-neutral statutes that
would nevertheless recognize that some kinds of e-signatures were more reliable
than others. The most solidly drafted of these was the Illinois Electronic
Commerce and Security Act of 1998, which went through several public drafts
with commentary on its way to passage. Illinois provided that parties might
agree that an electronic signature would satisfy a legal signature
requirement. In addition, particularly
reliable e-signatures were described as “secure electronic signatures”. These
had certain characteristics first described in the United States by the
National Institute of Science and Technology (NIST) in the early 1990s.
These
characteristics were, in the words of the Illinois Act (s. 10-110):
·
The signature is unique to signer in the context in which
it is used;
·
It can be used to objectively identify the person
signing the electronic record;
·
It was reliably created by such identified person (e.g.
because some aspect of the procedure involves the use of a signature device or
other means or method that is within the sole control of such person) and that
cannot be readily duplicated or compromised;
·
It is created and linked to the electronic record to
which it relates, in a manner such that if the record or signature is
intentionally or unintentionally changed after signing then the electronic
signature is invalidated.
Illinois allowed the Secretary of
State to designate electronic signature systems that met these criteria, so
that litigants would not have to prove compliance with them in every case. Where the criteria were present, the Act
provided a presumption of attribution, i.e. that the signature actually came
from the person who apparently made it.
It also sets out criteria for evaluating the reliability of
certificates.
The Illinois model
has influenced many others, including California in the US, Singapore (the
first nation to implement the U.N. Model Law on Electronic Commerce), India,
Hong Kong, Bermuda, and others. Among
international bodies, it affected the UNCITRAL Model Law on Electronic
Signatures and the European Directive on that subject.
In Canada, the federal government
has adopted the Personal Information Protection and Electronic Documents Act
(PIPEDA), Part 2 of which deals with electronic documents. (S.C.2000 c.5, http://lois.justice.gc.ca/en/P-8.6/index.html) It is a hybrid statute as well.
Some of the signature provisions simply allow signature requirements to
be satisfied electronically by use of an e-signature in the form to be
prescribed by regulation. However,
several sections contemplate the use of a “secure electronic signature”. For example, one can use a secure electronic
signature to create a certificate signed by a minister or public official that
is proof of a fact or admissible in evidence. A secure electronic signature may
serve as a seal, if the seal requirement has been designated under the
Act. Affidavits may be made
electronically if both deponent and commissioner of the oath sign with a secure
electronic signature. Declarations of
truth may be made with such signatures, in similar circumstances. Witnesses may sign under similar conditions. It is worth noting that unlike most of the
hybrid statutes, the Canadian federal law gives no choice about whether to use
a secure electronic signature. To sign electronically and validly within the
meaning of the provisions named, people must use the secure electronic
signature.
A “secure electronic signature” is not
defined in the Bill, except as “an electronic signature that results from the
application of a technology or process prescribed by regulations made under subsection 48(1)”. That subsection sets out the usual provisions
for signatures of this type, as we have discussed above in regards to Illinois. The intention is that in the first instance
the only technology to be designated will be that of digital signatures
certified by the Government of Canada, or those from systems cross-certified
with the GOC PKI. (Cross-certification
allows two or more public key infrastructures to recognize each other’s
certificates and thus signatures. More
on the Government of Canada PKI can be found online at http://www.cio-dpi.gc.ca/pki-icp/index_e.asp.) Some
provincial governments are developing public key infrastructures as well, and
they hope to be cross-certified with the federal PKI. To date no regulations have been made on secure electronic
signatures.
On the international front, the
UNCITRAL Model Law on Electronic Signatures aims to help the parties determine
in advance whether the reliability standard of the 1996 Model Law has been met,
as noted above. The new Model Law
also avoids detailed descriptions of the technology to be used, however, for
the reasons that support minimalism in the first place. Earlier drafts talked of “secure” or
“enhanced” electronic signatures. The terms have been dropped but the criteria
of identification, sole control and detection of alteration remain in the new
criteria for reliability of an electronic signature. The new Model Law is barely a hybrid within the meaning of this
discussion. It shows that even hybrids
have a range of degrees of obligation about the methods of authentication that
they authorize.
Compare the European Union’s Directive on Electronic
Signatures. It ensures that electronic
signatures can be valid despite their electronic form and despite not meeting
the more demanding standards described in the rest of the Directive. It goes on to prescribe in considerable
detail a regime for “advanced electronic signatures” created by a
“secure-signature-creation device” and supported by “qualified certificates”. Again one recognizes the NIST/Illinois language,
though the appendices on technical requirements for qualification are more
detailed than in those texts. The
result of using this technology is an electronic signature to which member
states must give the legal effect of a handwritten signature. There are no
presumptions of attribution. This may
strike some as a weak result for a strong technology.
The use of electronic documents
and especially the Internet has stimulated the need for consistent rules for
recognizing foreign documents. One
country’s authentication rules are not applied only to its own residents’
records. The more consistent these
rules are, the more confident people will be to trade internationally by
electronic means.
Where different countries are
using three-party certification processes to authenticate electronic records,
one hears of “cross-certification” to ensure the use of the records in another
country. This is a technique by which
one certification authority certifies a document on the strength of the
certificate of another certification authority. It depends on very detailed technical coordination of
certification standards and operations among participating CAs. (The concept appears for use within
countries as well as across borders.)
While national cross-certification agreements exist, they seem more at a
demonstration level for the moment.
(Such agreements have been published, for example, between Canada and
Singapore.) They also are restricted to
certification models, i.e. they are technology-specific.
It has become more common to speak
of “cross-recognition”, or simply of “recognition”, of foreign electronic
records. “Cross” suggests a mutuality:
A recognizes B’s records if B recognizes A’s records. Given the speed and unpredictability of electronic commerce, it
is likely to be more productive for a country to recognize electronic records
from anywhere that meets its standards, without concern for reciprocity.
The UN Model Law on Electronic
Signatures deals with recognition in Article 12. It makes the location of the origin of an electronic signature or
certificate irrelevant to the recognition of the document. Likewise the place of business of the issuer
of the certificate or of the signer is irrelevant. The article requires implementing states to give the same legal
effect to a foreign signature or certificate that a domestic signature or
certificate would have, if they have substantially equivalent reliability.
(Exact technical conformity is not required.)
This language is chosen to allow
for a range of degrees of reliability.
Thus the domestic rules on authentication can be respected. If a country insists on high reliability for
particular kinds of documents, it can insist that foreign electronic records
demonstrate equivalent reliability at that high level. Lower levels of reliability may be met by
lower level foreign records.
However, the rules on reliability
are to meet “recognized international
standards” for reliability. This important provision intends to prevent a
multiplicity of standards, including those that might be imposed as non-tariff
barriers to trade. The UN Working Group
discussed whether to define « recognized international
standards. » While no definition
was retained, the Guide to Enactment of the MLES will point out that such
standards may originate with public or private bodies and may be
« standards » adopted by official standard-setting bodies, or
guidelines. No doubt there would be
some kind of unofficial hierarchy in favour of public standards, if an
accreditation authority found that applicable standards varied when it needed
to decide about signing methods.
Finally, Article 12 of the new
Model Law allows parties among themselves to agree to their own standards,
which are to be recognized unless they are invalid under applicable law. This language echoes the limits to party
autonomy on domestic signatures, discussed earlier. Implementing countries should be slow to intervene in such
private decisions, but if their authentication rules are particularly important
to them, they are allowed to do so.
While the language of the UN Model
Law deals only with signatures and certificates, its principles
(non-discrimination against foreign records, equivalent reliability and broad
though not limitless party autonomy) are readily applicable to any other rules
affecting the authentication of electronic records.