Authentication Rules and Electronic Records
I. AUTHENTICATION RULES IN LAW
A. The Nature of Authentication
ii) where? who?
B. The Process of Authentication
i) the threats
ii) the risks
iii) the costs
iv) the benefits
C. Authentication Rules
iv) legal effect
II. AUTHENTICATING ELECTRONIC DOCUMENTS
A. The Nature of Electronic Documents
i) uncertainty of storage
ii) uncertainty of retrieval
iii) ease of alteration, difficulty of detection
B. Legal Responses to Electronic Records
III. LEGISLATION ON AUTHENTICATING ELECTRONIC RECORDS
A. Approaches to Formal Authentication of Electronic Records
i) governmental discretion
ii) closed systems
iii) technology specific general rules
iv) technology neutral general rules
· reliability – further legislation
· reliability rule – is it needed?
· Party autonomy – role of contracts to set standards
· Attribution rules
v) hybrid rules – combining neutral and less neutral rules
B. Choosing a Legislative Model
C. Other Rules Affecting Authentication
i) liability rules
ii) recognition rules
Authentication Rules and Electronic Records
John D. Gregory
This paper discusses the legal status of authentication rules in the light of electronic records. It does so in three parts. First, it provides an overview of the nature of rules about authentication of records on paper, and why and how they have evolved. Next, it discusses the impact of electronic records on these rules, and how the rules have responded to them. Finally, it examines the principal methods of modernizing legal authentication regimes in order to accommodate electronic records, while maintaining the policies that led to the authentication rules in the first place.
Authentication is the decision whether a record is what it purports to be. It is
therefore a question of evidence, though not always of the formal law of evidence. It is a judgment of the credibility or reliability of a document.
Three questions arise in the process of authentication: What is this record? Where or who does it come from? Has its content been altered, either intentionally or unintentionally?
i) What? The answer to the first question depends on the context of the individual document. A record may be anything capable of recording information: a contract, a letter, a statute, a laundry list, a bank statement, a ledger of transactions. This question is not generally the subject of legislation.
ii) Where/Who? The second, on the source of the document, gives rise to (part of) the law on signatures.
However, it is very important to note that a signature is just one way of determining the origin of a document. The document is what counts in law, not the signature. One authenticates the document, not the signature. A signature without a document is legally meaningless, it is just an autograph. A document without a signature may be very important legally. One can authenticate an unsigned document and rely on it. But a document whose origin is unknown is unlikely to be given legal consequences.
There are many ways of deciding where a document came from. Its content is one: it may recite its origin, e.g. “This is an agreement made on [date] by [party X and party Y].” A business letter – one that may be part of a legal transaction - usually states the address from which it comes and the address to which it is being sent, along with the identity of the sender and addressee.
Other ways of determining the source of a record include the context (it may be part of an ongoing discussion shown by several records), physical evidence (a letterhead, a fingerprint), postal evidence (a postmark, even a stamp), or testimony of someone who knows (e.g. “this is the contract I made with party X last year”, “this is the latest draft of the contract being negotiated with party Y”.) There may be evidence created by a third party, that is to say someone. not directly affected by a transaction or relationship that the record affects, such as a witness, a public official, a record-keeper, and the like. (Sometimes such people make the originator’s signature more reliable, rather than the document itself.)
As noted, a very common method of showing the source of a record is the signature of the person who created it. A handwritten signature is relatively hard for someone other than the signer to duplicate accurately by hand, so it is a relatively good way to trace the document to the signer. It should be noted that one needs additional evidence to use a handwritten signature – sometimes of the identity of the signer, since some signatures are not legible and unambiguous statements of the signer’s name, and generally of a genuine signature of the signer to compare with the one on the record to be authenticated.
Signatures may be supported by supplementary evidence as well, notably that of one or more witnesses to the signature, or the evidence of a public official such as a notary or clerk of a court. Making a document under oath, such as an affidavit, does not by that fact make its source more reliable. The oath goes to the truth of the contents, not their source or their permanence. However, the person before whom the oath is made – notary or commissioner of oaths – may be a useful witness as to the source. Sometimes the laws of evidence provide that a document witnessed by (or sometimes sworn before) a public official is admissible in evidence without further proof of origin, i.e. it is “self-authenticating”.
iii) Content? The third element of authentication involves a judgment of the integrity of the record. A record can be altered intentionally or unintentionally (for example a page could be lost or torn or words become illegible). If the person relying on the record wants a legal relationship with the person who created it, then the two parties must have a common intention, and the record of that intention must be the same for both of them. In short, the integrity of the document is important for obvious reasons.
Nevertheless the integrity of documents is often protected fairly casually. An original handwritten signature is some evidence of the integrity of the page on which it appears. It is common in some legal systems, notably common law systems, for multi-page contracts to be joined only by a staple. It is uncommon, except for wills, for parties who sign multi-page documents to initial every page. Some legal systems require some kinds of document to be signed before a public official such as a notary, who may keep the original document in safe custody and make true copies for the use of the parties. Sometimes important documents must be deposited in a public registry, thus out of reach of those who might want to alter them, though usually public registries serve as public notice of the contents of the records as much as a means of keeping them secure.
A seal can help show the integrity of a document if it forms an impression through all its pages. This is more common with seals (and documents) of public officials than of seals used by private parties, which tend today to be impersonal and used on a single page.
One of the common ways of strengthening the likelihood of integrity of a document is to ensure that one has an original version of it. It is harder to tamper undetectably with an original than with a copy, which may be the copy of an altered original. For this reason notaries in Latin systems keep the originals of documents made before them, as mentioned a moment ago.
B. The Process of Authentication
One authenticates a document in order to decide whether or not to rely on it, that
is, to change one’s legal position or to enter into legal obligations. This decision is influenced by a number of factors, not all of them related to the technical nature of the document. The process can be described as a “threat-risk analysis”, which involves an evaluation and a balancing of four factors: threats, risks, costs and benefits.
i) The threats to the genuineness of the source: who is interested in providing a false document? This involves considering the history of the relationship with the person providing the document: is the person trustworthy? Has there ever been any problem with a document from this person, transmitted by the same method? Are there others who would benefit from a forgery or an alteration?
ii) The risks to the person deciding whether to rely: what is the likelihood that the source of the document has provided a false document in this case? This involves the technical examination of the evidence of source and integrity.
iii) The costs of relying on a false document: what is at stake if the document is not genuine? How much is lost? What is the cost of getting or asking for better evidence of source or integrity? Will the other person refuse? What are the technical costs of a better security system? Are the costs of more reliability higher than the costs of the loss from a false document?
iv) The benefits of taking a chance on the document: are the potential benefits high compared to the risk of loss and the cost of loss?
Not all documents or relying parties will produce the same result. Different
people will have different tolerance for loss and different estimates of the threats, risks, costs and benefits even in similar circumstances. High value transactions or transactions with strangers will produce different results than less important transactions with trusted partners.
In short, authentication is a judgment, and not an automatic process. It is first of all a business judgment. However, the law has intervened in most countries to set conditions on the exercise of the judgment, making it also a legal judgment.
Documents with legal effect are of course part of a legal system, a system of rules
governing the relations of people and other entities, as devised by some institution of government. Governments often decide to intervene in judgments about authentication, by making rules that influence the process.
i) Purpose: The reason for rules that affect authentication is that the government has seen a public purpose in making them. A number of purposes are at work. The government may decide that the consequences of particular transactions are so important to people that it requires that they be made less risky, by ensuring that some reliable forms of authentication are used. Sometimes only particularly vulnerable people – such as consumers – are made subject to such rules.
Put another way, there is often a difference between what the law requires for validity and what people will choose to do out of prudence. The law may allow a pencil signature on a piece of tissue paper to be valid, but many people would consider it imprudent to accept such a flimsy document and insist on something more durable. Sometimes the law will intervene to move the legal standard closer to what prudence seems to require.
At other times governments act to protect a state interest in authenticity. Public records are often taken to be more important than records used only among private parties, because public records involve the official status of citizens, or the expenditure of public funds, or the documents making up the history of the community. Authentication rules applicable to public records are common.
It is important to note that not all form requirements are based on concerns about authentication. Some are created to produce evidence that certain formalities have been complied with, or that the transaction has been properly conducted. For example, requiring a consumer’s signature on a contract may be a way of ensuring that the consumer appreciates the serious, or at least legally binding, consequences of what is being done. It may be a way of ensuring, and proving later, that the consumer got to look at the terms of the contract before being bound to it. Neither of these motives show any concern about identifying the consumer reliably.
As a result, as we will see later, laws affecting how electronic records can satisfy form requirements may not need to demand a highly detailed support of authentication.
ii) Nature: Authentication rules generally require that documents be made in a particular form, or with particular formalities. Among the most common are:
· writing requirements: that a document made for a particular purpose or between particular parties must be in writing
· signature requirements: that a document must be signed by all parties to it, or by the party that will be subject to the obligations it creates.
· ceremonial requirements: that a document must be signed in certain circumstances, such as before witnesses, or before certain people, such as notaries or other public officials, or by applying a seal (these rules may be more often to protect the signer of the document than to ensure its authenticity later.)
· originality requirements: that a document to have legal effect must be used or presented in its original version and not only as a copy
· registration requirements: that the document be deposited in a public register. Requirements that the public have access to the register may be part of authentication – extra eyes to detect inauthenticity – or part of a public notice regime, for example to establish priorities of claims – that has nothing to do with authentication as such.
iii) Scope: Authentication requirements typically affect certain documents with a serious impact on the affairs of the person making them. Some typical examples in Canada and the United States are:
· land transfers
· contracts for high values or involving consumers
· family status documents such as marriage contracts
· personal care documents like living wills or powers of attorney
It may be safe to say that most documents to be submitted to public authorities are subject to some requirements to show their source and integrity, whether the requirements arise from statute or administrative procedure.
iv) Legal effect: Rules affecting authentication can have one or more of several impacts on the documents subject to them.
· validity: a document that meets the requirement is valid, or one that does not meet the requirement is invalid.
· enforceability: whether or not the document is valid, it may not be enforceable, for example against a party who has not signed it
· admissibility: a document not in proper form may not be admissible in judicial proceedings, particularly those involving its enforcement
· registrability: a document not in proper form may not be registered, and registration may be required to ensure certain rights or priorities concerning the subject of the document.
· acceptability: a document not in proper form may simply be refused by a public authority subject to an authentication regime.
II. AUTHENTICATING ELECTRONIC DOCUMENTS
In recent years many documents formerly made on paper have been appearing in
electronic form. This has caused some concerns and some difficulties with the authentication process. This part of the paper looks at the nature of electronic documents and how they may be authenticated in practice. It then turns to the application of existing authentication rules to electronic documents.
A. The Nature of Electronic Documents
Electronic documents are collections of instructions about electric current, to turn
the current on or off. A bit is a yes-or-no instruction about current flow. With combinations of seven or eight bits (bytes), one can give sufficiently complex instructions to make characters of most alphabets. Electronic documents commonly show the result of these instructions as words or numbers on a computer screen, or printed out onto paper. Despite this effort at understandability and the apparent relation to writing, people have been worried about the reliability of electronic documents. There are three main reasons for this:
i) uncertainty of storage: The electronic instructions about current flow must be stored in some form of electronic medium, whether in a computer’s hard drive, a diskette, a CD, or a magnetic tape (among others). These media may not be completely stable; some data may be lost or altered over time, without human intervention. The media themselves may lose power or data, or they may be affected by outside forces such as magnets or electrical power surges. Likewise if the data are transmitted from one storage place to another, over wires or by wireless means, some of the data may degrade in the process. Finally, the technology of data creation, storage and retrieval are evolving quickly, and data may have to “migrate” from one hardware support to another over its useful life, or be made processible by different software over that period. Will data be lost in those processes?
ii) uncertainty of retrieval: Sometimes data are created in one software or hardware system and retrieved in another. Data may be lost in doing so. In any event the display of the data depends on compatibilities and proper functioning of equipment, and it may be difficult to know if data are being lost in the process. Each time the process is repeated, there is an additional risk of loss.
iii) ease of alteration, difficulty of detection: Since electronic documents are just a collection of instructions, those instructions might be changed by anyone with the right software and access to the document. Once they have been changed, the resulting document may show no signs of the change. A copy of the instructions may be perfect, i.e. it may not be distinguishable in any practical manner from the version first created (unlike documents on paper). Further, evidence of origin – such as a signature – is itself electronic and thus subject to the same undetectable alterations as the signed text. Still further, bits are independent: they can be picked up and moved around, from one document to another as well as within a document. Thus the bits used to sign one document might be moved to appear in another document unknown to the signer of the first document.
The result of these factors is a rebalancing of the threat-risk analysis that one does in authenticating any document. The risks are greater, the costs of avoiding them are different. On the other hand, the benefits of using electronic documents may be greater as well: flexibility, transferability, ease of retrieval, and others.
There are methods to reduce the risks inherent in the nature of electronic documents. This is not the place for a detailed technical description of them. However, an indicative list may be helpful to focus the discussion. These factors apply to one’s own documents and to evaluating those created by others. The information may not always be available on every point, but they may give an idea of matters to inquire about, or even to require disclosure of in dealing with others.
· Check the integrity of the storage process: when a document on paper is transferred to paper, have the resulting electronic text checked for completeness and accuracy. If this is not practicable for all transfers, check a representative sample.
· Use trustworthy processes – i.e. know what the reliability of the technology is and use appropriate levels of it for the purpose
· Control access to the means of creating electronic records. Simple controls of physical access to the means of creating electronic documents may help ensure that only the right people get to them. Likewise electronic controls like passwords or higher level security can keep unauthorized people from the records.
· Use trustworthy people – i.e. ensure the skill and honesty of the people creating, storing and retrieving electronic documents are adequate. Keeping out strangers is a help, but the people you know may also be a risk.
· Use secure communications methods, or if insecure communications are to be used (the Internet being a prime example), secure the data being communicated. The usual way to do this is encryption (see note in next paragraph)
· Use a trusted third party to intervene in the decision-making about reliability, to attest to facts otherwise not readily ascertainable.
A good deal of discussion about protection electronic records turns on uses of
encryption. Encryption can increase dramatically the reliability of identifying the source of a document. If only one person knows the encryption key, besides the person reading the document, then the person reading it can be sure where it came from. (Proving which of the two people who knew the key actually created the document can be harder.) With dual-key cryptography (also called asymmetric or public-key cryptography), this advantage can be obtained for a system with many potential readers, as a different key is used for signing records (the “private key”, known only to the signer) and for reading them (the “public key”, available to be known by anyone who needs to know it).
In addition, encryption allows for a test of the integrity of an electronic record from the time of encryption to the time of reading (also called “verification”). This process involves “hashing” the record, which means taking a mathematical digest or compression of it by a known formula (bits being numbers or digits, they are eminently suitable for mathematical processing). When one hashes the received record by the same method that was used on the original record and the hash results match, then it is safe to say that the record has not changed from beginning to end.
When a private encryption key is used to encrypt the hash digest of a message, or the message itself, for the purpose of identifying the signer and generally to show the integrity of the signed text, it creates a “digital signature”. (Signatures created by any electronic means are described as “electronic signatures”, of which a digital signature is one particular kind.) A system in which the identity of the person holding the private key is certified by a trusted third party, known as a certification authority or provider of certification services, according to certain rules and contracts, is known as a Public Key Infrastructure, or PKI.
Electronic documents are quite different physically and practically than documents on paper. The methods of keeping them from inappropriate change are often different too. As a result, one of the main challenges in authenticating electronic records is properly evaluating the effect of the differences, both in vulnerability and in protection. In other words, as noted, the threat-risk analysis is harder, and most people have less experience in doing it. This challenge has affected the legal responses to electronic records, a subject to which we now turn.
B. Legal Reponses to Electronic Records
The first and still a very important legal response to authenticating legal records is
the private law method of contract. The parties to a transaction, or the users of a document, agree among themselves what steps to take to make the electronic document reliable enough for them. A typical example of such contracts are the interchange agreements, also called trading-partner agreements, that are common among parties to Electronic Data Interchange (EDI) arrangements. Such agreements often include descriptions of the procedures, the technology, and the intermediaries to be used in communicating electronically. They also prescribe or adopt a standard for the meaning of traditional legal documents, such as purchase orders or receipts.
This paper has been dealing with rules for authentication, i.e. rules laid down usually by the state, not just by private parties. It is a good question to what extent private parties can by agreement among themselves decide how such official requirements can be met. If the law requires that a document be signed, may the parties using a document decide by themselves, without any state authority, that their electronic signatures satisfy that rule? Can the parties simply decree that as between themselves, an electronic document will be considered to be “in writing” as required by law, so that no party may seek to invalidate the document later on ground that it is not in writing because it is electronic? Does it make a difference that the document is to be submitted to an agency of the state, rather than just between private parties? The difficulty in answering such questions was one factor that led to the legislative measures discussed in the next section of this paper.
It is arguable, as noted earlier, that an electronic document is “in writing” for the purposes of an authentication rule requiring writing. In use, many such documents are displayed in letters and numbers that we recognize as characters of writing. This argument runs into several counter-arguments, however, that have led to reluctance to accept electronic documents for this purpose without legislative support. The first is that writing requirements often appear in contexts that seem as a matter of policy to call for a degree of stability of the document, and electronic records do not all have this stability. Second, many places have statutes about the interpretation of other statutes (in Canada they are generally known as the Interpretation Act), and they often define “writing” or related terms in words that suggest if not state outright that some tangible medium must be present. One finds words like “printed” and “lithographed”. Third, writing requirements often appear without the word “writing” itself, but rather terms that imply writing on paper such as “on a prescribed form” or “certified”. Finally, not all documents whose users seek a legal effect do use the characters of writing. Machine-readable documents may also be suitable for the purposes of writing, but they cannot be said to resemble it. Many EDI forms are of this kind – codes recognizable by machines according to agreed standards, but not displayed in letters or numbers.
The courts have sometimes been willing to allow electronic records to satisfy form requirements that are rules about authentication. For example, a Canadian court a few years ago decided that a form of proxy faxed to a corporation for its shareholders’ meeting was “signed” as required by the corporate statute. Its status as a faxed document did not prevent the signature on it from satisfying the requirement. One wonders if the court would have been as confident if there had been any dispute about who had signed the proxy, and not only about its form. One could argue that the court dealt with the letter of the authentication rule – that the document be signed – and ignored the spirit of the rule, which was to provide a good way to judge where the document came from. Since, however, the source of the document in that case was not in dispute, the result is satisfactory for the case.
The case shows the importance of distinguishing between the question of whether a document is signed and the question of who signed it. Often the form requirement demands only that one prove the former, the fact of signature. The parties relying on the signature are left to prove the source of the document separately, just as they have to demonstrate its legal effect once it has been authenticated.
Rather than multiply examples of courts being more or less willing to find authentication rules satisfied by electronic documents, however, it is simply worth noting that court decisions govern only the facts before the courts, however narrow or unusual. Only after a number of cases have been decided similarly can users of documents begin to be confident that the latitude will be applied broadly … or not. In short, it is hard to derive advice on authenticating electronic records from the few cases available in any jurisdiction.
It is fair to say that over time, people have become more comfortable with
electronic documents, and more used to making the appropriate calculations about their authentication. To a significant extent, the available technology has become more secure, as well. Consider the widespread use of Secure Socket Layer (SSL) security in web-based commerce, which allows people to provide credit card numbers or other sensitive personal information with little or no fear of interception. Modern web browsers and word processing software often allow users to encrypt their electronic messages, either for storage in their own machines or in transmission to others. As a result, people have been more willing to contemplate electronic documents satisfying authentication rules.
In the past decade a large number of countries have enacted legislation about the use of electronic documents. Sometimes they simply authorize the state to use electronic documents for official purposes, or to keep official records in electronic form. Sometimes they spell out how to do particular things electronically. The latter class of statute usually has a degree of detail about how things are to be done electronically, in order to satisfy legal requirements. Just as authentication rules for paper documents arose because the state wanted to intervene in the authentication decision – or to take away the decision entirely from the users of documents, so with electronic records, the state sometimes decrees what is good enough and what is not.
Legislation on such matters has become more accepting and less prescriptive. However, states are still involving themselves in the authentication decision, and making a threat-risk analysis, or a prudence analysis, on behalf of their citizens. This is in part because people and their governments still trust electronic records less than paper records. It is also because electronic records do present particular challenges to the interpretation of existing authentication rules. Some legislative assistance is necessary if such rules are not to bar the use of electronic records even when the state and the citizens favour their use.
It is now time to look at the current range of legislation that is available to express the results of that analysis.
III. LEGISLATION ON AUTHENTICATING ELECTRONIC RECORDS
This section reviews legislation that applies broadly to electronic records. It does
not include statutes that prescribe rules for particular documents or narrow classes of documents, or documents only for state use, because such statutes are as varied as the documents they deal with. Some of the approaches described here may be usable for more narrow purposes, of course. The legislation described here is often applicable on its face only to commercial applications, though some countries have applied the principles more broadly in implementing it. Each state deciding to enact laws to accommodate electronic documents will have to decide how much freedom commercial parties should have to make their own arrangements or judgments about authentication, and how far any such freedom may be appropriate for other kinds of documents. There are few if any international models for non-commercial electronic documents, such as those affecting matrimonial matters, administrative law or criminal prosecutions, though some countries have adopted legislation on some aspects of the question, or have applied the commercial models more broadly. This paper focuses on commercial matters and does not explore possible models for non-commercial electronic documents.
After the examination – the longest part of the text – of approaches to authentication rules for electronic records, and of the factors that might lead someone to favour one or the other of them, the paper looks more briefly at some other elements of legislation in this field that do not deal directly with the formalities of authentication but which contribute to the ways the relevant laws operate. In particular that part of the text deals with liability rules and recognition rules.
A. Approaches to Formal Authentication of Electronic Records
There are, roughly speaking, five general approaches to legislating authentication rules for electronic records. Each will be described in turn.
i) governmental discretion
ii) closed systems
iii) technology specific general rules
iv) technology neutral general rules
v) hybrid rules – combining neutral and less neutral rules
i) governmental discretion: This is the most open-ended approach. A government official, or government officials responsible for particular documents, is given the power to prescribe how particular documents are to be done. It is used generally where documents are to be filed with the state, so the state has a specific interest in the reliability of the document but also in the manageability of the process by which the documents are created and submitted. The discretion may be applied to remove existing authentication rules or to adapt them to the new medium of the document.
Example: Ontario’s Business Regulation Reform Act, 1994, s. 10 (Statutes of Ontario, Canada, 1994, chapter 32. See www.e-laws.gov.on.ca for Ontario statutes and regulations.) Also s. 8 of UK Electronic Communications Act, 1998, which allows the responsible minister to declare how form requirements can be satisfied electronically (subject to some Parliamentary control)
ii) closed systems: A “closed” system of communication (i.e. of circulation of documents) is one in which all parties are linked to each other by contract or by admission or permission by someone with the power to control the system. This is often the government or a part of the government. At that point “system rules” will apply to authentication. The nature of the system rules will depend on the needs of the system. If everyone in the system is using the same trusted or officially approved hardware or software, or is identified automatically by the fact of accessing the system, then little other formal authentication may be required.
EDI systems governed by trading partner agreements, as described above, are closed systems. To the extent that legislation recognizes the effectiveness of the contractual authentication devices to satisfy official requirements, they are logically included in the list of legislative approaches. We will see below that the more general legislative approaches usually make some room for private authentication systems alongside the statutory schemes.
Example: the Toronto E-Filing Pilot Project, 1996 – date. See Rules of Civil Procedure, Revised Regulations of Ontario, 1990, chapter 194, as amended, Rule 4.05.1. Private law firms using software provided by the Ministry of the Attorney General are allowed to file electronic court documents without the signatures needed on their paper equivalents. They may also pay the filing fees from their bank accounts by electronic means. All participants are known to and approved by the Ministry.
iii) technology specific general rules:
Governments that have wanted to facilitate the use of electronic documents, generally or in commerce, have often moved cautiously to remove the barriers caused by existing authentication rules. They have spelled out the attributes of the technology deemed appropriate for commercial uses, for example, and have given special legal effect to it. The usual technology chosen for such statutes is public-key cryptography. This technology has the advantage of being well tested in theory and predictably reliable.
It has the additional advantage of offering a third party to make it more reliable. A signature on paper involves two people or classes of people: the signer and the person(s) relying on the signature. While an electronic signature may also involve only the same two classes, it may also involve a third person, someone who acts as an intermediary to establish the relying party’s trust in the signature itself. An electronic signature is only bits, like any other electronic document. Many people believe that electronic signatures will inspire more confidence if a trusted third party certifies to the relying party that the signature bits are in fact the signature of a particular person. (The technology and not the third party guarantees the integrity of the electronic document supported by a digital signature.)
The technology has however two disadvantages, both arising from its technical complexity. First, it is hard for the general potential user of such a system to judge whether the technical requirements are being properly met. Second, it may be hard to demonstrate to a court just why the technology is reliable and should be accepted by the court.
Legislation has thus been devised to ensure that such certification authorities (CAs) follow trustworthy procedures. Some statutes offer to the relying party reinforced credibility of the identification in such certificates, by way of a presumption of attribution, and also a presumption of the integrity of the document involved. It is thought that such presumptions help the signer choose the technology with confidence, and relieve the relying party of having to get into the details of the technology before a court.
Much of the early conceptual work about such a system was carried out by the American Bar Association, whose Digital Signature Guidelines were influential. (The Guidelines are available at http://www.abanet.org/scitech/ ec/isc/digital_signature.html.) The first legislation to this effect was the Utah Digital Signature Act of 1995. (Utah Act, Utah Code Annotated, Title 46-3, http://www.le.state.ut.us/~code/TITLE46/46_02.htm.) It dealt expressly with public key cryptography as signature. It regulated certification authorities and exempted them from liability if they followed the rules. It also provides a presumption of attribution for duly certified signatures. The Utah Act was followed in three other states (Washington, Minnesota and Missouri).
However, this approach was severely criticized on several grounds.
· As technology evolved there were many different implementations of digital signatures, with different degrees of involvement and engagement by third parties and relying parties and thus different risks and degrees of reliability. Presumptions were not justified to the same degree for each implementation.
· The relationship among the participants was not always as contemplated in the legislation. Different uses of electronic documents needed different degrees of reliability, in fact, so having a single system designated by law was sometimes unhelpful or even risky to the users.
· The apparent advantage of not having to prove the technology in court was reduced by the need to respond persuasively to someone who attacked its reliability.
· Digital signature legislation was thought to impede the free development of electronic records systems, as it gave an unfair legal advantage to the technology of public key cryptography.
· More recently, privacy advocates have attacked some features of PKIs as a threat to personal information.
In the result, no further American states have followed the Utah example. In the wake of the Utah Act, Germany, Italy and Malaysia also passed digital signature legislation, with extensive rules about the creation of signatures, the role of the certification authority, and so on. Germany has since modified its law to conform to the Directive of the European Union on Electronic Signatures, which is discussed below in the section on hybrid legislation, and Italy will have to do so as well in due course.
The place where PKI legislation is still actively under development is among governments for state use. Many governments have decided that their electronic records require this technology, and for their own purposes are legislating the legal requirements for, and the results in law of, its use. An important part of the motivation for such legislation is the duties and liability of the parties when the technology is used, a topic discussed in a later section of this paper.
iv) technology neutral general rules
In distinction to the specific detailed statutes mentioned here, a number of countries – and international bodies – have preferred a minimalist response to the quest for certainty about the legal status of electronic communications and authentication. They have chosen a minimalist approach for several reasons. First, the existing law - statutes and jurisprudence and private law based on contracts - is capable of resolving a good number of questions on its own. Electronic messages, even on the Internet, do not present radically new questions for all legal purposes. As noted, the level of comfort with electronic records generally increases with familiarity. Next, the technology underlying electronic records is changing rapidly, so attempts to prescribe specifically how to conduct legally effective communications risk obsolescence even before they come into force. In any event the uses to which electronic communications are put vary so widely that no single technology would suit all of them. The proposed legislation can be said to be “technology neutral” for this reason.
The leader in this field is the United Nations (UNCITRAL) Model Law on Electronic Commerce. (Official Records of the General Assembly, Fortieth Session, Supplement No. 17 (A/40/17)(1996). The text and the very useful Guide to Enactment are at ) The Model Law sets out an electronic equivalent to various form requirements that are prescribed for paper. Thus a requirement for a signature of a person is satisfied if a method is used that identifies the person and indicates the person’s approval of the electronic record, and if the method used is as reliable as is appropriate in all the circumstances, including the existence of any agreement among the parties about the method to be used. (Article 7(1) of the Model Law on E-Commerce.) It is generally accepted that “approval” in this formula means only willingness to adopt the text as one’s own, without necessarily restricting a signature to one used to assent to a contract.
This function of a signature – to link a person with a document – is the same for a signature on paper or a signature associated with an electronic document. This means that the authentication function can be satisfied by an electronic signature under this formula. However, Article 7(3) of the Model Law allows implementing countries to exclude particular signatures from the scope of the permission, without saying what to exclude. The Guide to Enactment asks that the exclusions be narrow so as not to reduce the scope of the general permission.
A state legislating on authentication of electronic records may choose to exclude on the basis of the type of document, the type of transaction, or the type of party. The motive of excluding would be to protect either the interests of the parties or the interests of the state in reliable authentication or prudent practices, in other words, the same motive that often underlay the creation of the authentication rule in the first place, before electronic documents came into the picture. The range of exclusions – of cases where authentication decisions cannot be left to the parties – is likely to be narrower when the documents and transactions are purely commercial. The more the enabling legislation extends to non-commercial matters, the more interest the state may have in involving itself in authentication decisions.
Many of the countries implementing the UN Model Law on Electronic Commerce have chosen similar exclusions. They typically exclude land transfers (though not always short term leases), wills (which are arguably not commercial anyway), powers of attorney, and negotiable instruments (bills of exchange, promissory notes, cheques). Land transfers tend to have a public interest component, at least for the protection of third parties, often done through a public registration system. Powers of attorney and wills may be prepared by the parties themselves without professional advice, which increase the risk of insecurity in matters very important to the property of the makers. (Some countries require the participation of notaries in these documents; if a system of electronic notarial documents can be devised, then this concern is lessened.) Negotiable instruments carry in themselves the value they represent, and they therefore must be unique, i.e. exist in a single official version only. Electronic records are at present impossible to create so they cannot be copied, if they are still to be transferable.
The Model Law on Electronic Commerce does not itself exclude consumer transactions. However, its provisions yield to consumer protection laws in enacting states. Enacting states may have to decide if a requirement in their law that a consumer contract be in writing or signed should be satisfied by an electronic document that comply with the Model Law’s rules, or whether further demands should be imposed. The United States federal law, for example, requires that the capacity as well as the consent of consumers to communicate electronically be adequately demonstrated. (See the Electronic Signatures in Global and National Commerce Act, Public Law 106-229 of 2000.)
We will return to exclusions in our discussion of hybrid legislation, below.
A number of countries have implemented the UN Model Law on Electronic Commerce, including the signature provisions. Examples are Singapore, Australia, Hong Kong, India, Bermuda, Ireland, Columbia, Canada, the United States and France. (Useful sources of information on international developments in this field, and links to online versions – for statutes of all types - are the Internet Law and Policy Forum, , the McBride Baker Coles firm website, , and the Baker & McKenzie firm website, .)
Four issues arise out of the Model Law’s approach that cast light on potential legislation about authenticating electronic records: reliability standards, rules dispensing with reliability, party autonomy, and attribution rules.
· Reliability – further legislation: The e-signature rule of the Model Law on E-Commerce is very helpful in ensuring that electronic signatures can be used with legal effect, i.e. that some of the rules about authentication can be met by an electronic signature. It is however very general. People signing documents electronically will want assurance at the time of signing that the method they are using is in law appropriately reliable for their circumstances, so that the signed document will be legally effective. Without case law on the subject, reliability and thus effectiveness was a matter of opinion, debate and uncertainty. As a result, UNCITRAL developed a new Model Law on Electronic Signatures, adopted in July 2001. (It is available online at . A Guide to Enactment will be published on the same site shortly.)
The new Model Law sets out criteria for evaluating the reliability of an electronic signature, though it states clearly that the criteria are not exclusive and that other electronic signatures may be appropriately reliable too within the meaning of the 1996 Model Law. The criteria for reliability are these:
(a) « the signature creation data are, within the context in which they are used, linked to the signatory and to no other person »
For a signature to be reliable, the data have to point to one person, at least within the context of the signature. The qualification would allow the same signing code for more than one person, but not where it is at all likely to be ambiguous.
(b) « the signature creation data were, at the time of signing, under the control of the signatory and of no other person »
People are safely presumed to control the means for creating a handwritten signature – their signing hand. Traditional cheque-signing machines present similar problems to electronic signatures: they are acceptable often only because the relying party has strong assurance that the purported signer will not repudiate the signature. For electronic signatures (also created by a kind of machine), the ability to control the use of the signing data is here made part of the criteria for reliability.
(c) « any alteration to the electronic signature, made after the time of signing, is detectable »
The next two paragraphs reflect a debate within the Working Group about the extent to which a signature at law shows the integrity of the signed document. Common law delegates generally said it did not. Civil law delegations generally said it did. (No one doubted the need for a relying party to know that the document was trustworthy; the debate dealt only with the function of a signature to show that.) The compromise was to focus in one paragraph on alterations to the signature, which could be understood to refer to any doubt about the link between the signature and the document with which it was linked, and in another with alterations to the document. The test in paragraph (c) is not that a signature that is altered is invalid, but only that the alteration must be detectable. Once detected, the change may have a range of effects, largely within the judgment of the relying party, since the relying party takes the risk if the signature is invalid.
(d) « where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable. »
The provision is a standard provision for the characteristics of digital signatures (those created using public key cryptography). The Working Group did not decide that this characteristic was needed for any electronic signature to be reliable – unless preserving or showing the integrity of the document is considered an essential function of a signature. This was the civil law view, and civil law countries may want this provision as part of their criteria for a signature reliable enough to have the same legal effect as a handwritten signature, if they choose a reliability test at all – a question discussed below.
Paragraph 6(5) repeats the caveat of Article 7(3) of the Model Law on E-Commerce, that enacting states may carve out some unspecified kinds of signature as exceptions to the general rule. It is open to discussion whether the need for a carve-out is as strong when criteria for reliability are clearer than they were in the old text. Compliance with mandatory rules is already guaranteed under Article 5. Perhaps enacting states will find it clearer to list by statute the places where higher standards are required. This question is noted again in the discussion below of hybrid legislation.
Article 7 anticipates a short-cut to reliability: the declaration by an authorized body that a particular method of creating an electronic signature is reliable. This body may be in the public sector or may be a private body authorized by the public authorities to give such accreditation. The declaration is intended to avoid the need to prove that any particular signature technique meets the general standard of reliability or the particular criteria of paragraph 6(3).
Although the article does not intend for countries to designate how reliable e-signatures must be done, only particular ways that are deemed to be reliable, there will be much pressure in practice for signers to use the approved methods. Some concerns have been expressed that countries will introduce disharmony in what is acceptable, by accrediting inconsistent signature methods under this article. Any such accreditation must be in accord with recognized international standards, to reduce the chances of this. The recognition rules discussed below also bolster this approach.
To date no country has adopted the Model Law on Electronic Signatures, though traces of its reasoning are found in the New Zealand Electronic Transactions bill published in 2000.
The more “reliable” a signature has to be to meet a legal signature requirement, the more comfortable a state can be that its existing authentication rules (i.e. designed originally for paper documents) can accommodate electronic documents that comply with the UN model. However, it is important that the hurdles to electronic documents not be set too high for all purposes. The discussion earlier about commercial and non-commercial documents is relevant here. Some countries have done without any specific reliability test for electronic commercial documents, as the following text explains.
· reliability rule: is it needed? Some implementations of the UN Model Law on Electronic Commerce omit the reliability test entirely, so that any electronic signature meets a signature requirement. The e-signature would have to be made with intention to sign the document, so evidence would be needed of its nature. The Canadian and American uniform statutes, the American federal statute, the Quebec provincial statute, and the European Union Directive on Electronic Signatures all take this approach (the EU Directive for basic e-signatures, though it provides special rules for advanced electronic signatures, discussed below. (Directive 99/93/EC, December 1999, .)
The reason for the omission is that current law imposes no reliability test on handwritten signatures. Anything that can be shown to be linked to a person with intent to sign a document can be a signature. As noted earlier, a signature is just one way to authenticate a document. If one can show with respect to any document, or any apparent signature, who created it, what it relates to, and what the intention was (a matter of context not form), then the task of authentication is complete. Showing in addition that the form of signature met some kind of reliability test, independent of what one can actually prove toward authentication, seemed superfluous, if not simply a trap for the unwary, a risk of invalidity despite clear proof of authenticity.
This approach puts the authentication of electronic records on a closer footing to that of paper records. If the law requires a signature on a paper record, then the party wishing to enforce the record at law can simply show the fact of signature. Then the legal requirement is met. Going on to show just who signed it and why it is reliable is a separate issue. The party seeking enforcement must then prove fact, not compliance with a vague or complex legal standard. This is an easier task, and one more in tune with the nature of authentication, which is a business judgment about the acceptability of risk.
· Party autonomy – role of contracts to set standards: Article 7 of the 1996 Model Law allows a court to take into account any agreement among the parties to a document when judging the reliability of a signature method. In doing so the court could presumably not follow the agreement. Otherwise the parties cannot opt out of this standard for satisfying a signature requirement, or the other “functional equivalence” rules of Chapter II of Part One of the Model Law on Electronic Commerce. The new Model Law on Electronic Signatures shows an evolution of this position. Article 5 says that parties to a transaction may vary or opt out of any provision of the Model Law (i.e. of implementing legislation) except where this is prohibited by law. This was intended to be the equivalent of saying that the power to opt out is limited by “mandatory rules” or considerations of “public order”, in the language of international conventions. It was not intended to encourage countries to prohibit commercial parties from making their own arrangements across a range of documents. This is therefore a broader autonomy to make one’s own arrangements than in the older text.
In addition, Article 3 of the new Model Law states clearly that the parties are free to decide what will be good enough among themselves, even if they choose a more demanding authentication technique than that which would be considered appropriately reliable under Article 6. They may also take advantage of any rule of law that would allow for a less reliable signature than the general standard of appropriate reliability. (One does not contemplate legislation approving “inappropriate” reliability, but rather legislation setting a lower standard for a good reason, in the absence of which reason and legislation the signature technique could be considered insufficiently reliable.)
Legislation based on the UN models thus makes space for the trading partner agreements done for EDI, mentioned earlier, that spell out that the electronic signature or document authentication processes named in the contract will satisfy the authentication rules of the applicable law. This is true especially for electronic signatures. The other rules would have to comply with the standards of the 1996 Model Law, but they are likely to be compatible with what the parties would agree on anyway.
This broad role for party autonomy recognizes that authentication is more a matter of business risk management than of legal duty. However, the law still plays two roles: first, it tells those without the power to negotiate standards how to get to a generally acceptable system. Second, it sets the important standards for authentication, those that cannot be derogated from, in other words those that are so important that parties are not allowed to make their own judgment. This power is given not only by the submission of private agreements to public order, but also by the power to exclude some kinds of signatures or records from the statutory permissions altogether. The exclusions would put electronic documents back into the general law about forms that affect authentication. Sometimes, as we have seen earlier, they will not be able to satisfy those forms for technical reasons, and electronic documents will not be legally effective.
(Possibly in some cases the right policy response would be special rules for those special form requirements. For example, the province of Ontario has followed the general Canadian uniform statute in excluding land transfer documents from the permission to use electronic documents and signatures. Nevertheless the province has established an electronic system of land transfers, with its separate statutory and technical security regimes.)
Legislation that leaves much autonomy to the parties to decide what evidence they need of authentication also exposes parties to the risk of wrong decisions. If this is done, then it is important to ensure that parties are free to decide not to use electronic records and signatures at all. The Canadian, American and Australian statutes, among others, are all very clear on that point. As the Canadian uniform statute puts it, in section 6(1), “nothing in this Act requires any person to use or accept information in electronic form, but consent may be inferred by conduct.”
The power to say No is the power to say Yes, If …, and thus impose for particular transactions or classes of transaction the rules for reliable authentication that seem appropriate to that person. Since the relying party takes the risk, on paper or online, that the document or signature is not genuine, that party should be able to decide on the medium in which it will run that risk. One may however bind oneself by contract to accept electronic records, at least for a period. The American uniform statute expressly grants the right to change one’s consent on this point and prevents people from waiving that right (s. 5(c)).
· Attribution rules: Article 13 of the U.N. Model Law on Electronic Commerce provides that data messages may be attributed to those who create them or who authorize their creation. This is of course the general law in most countries. The United States and Australia have legislated similar provisions. The Canadian legislators thought this went without saying, so did not say it.
The 1996 U.N. Model Law goes on to provide a rule (or presumption) of attribution where certain agreed security procedures are used on data messages, or if an unauthorized person got access to the security procedures through the fault of the authorized user (Model Law paragraphs 13(3) and (4)). To date these rules have not been widely adopted by implementing countries. The American drafting group attempted to devise similar rules, but they fell under severe criticism based partly on the fluidity of the technology available and partly on the likely lack of sophistication of its users. (Reports of the Drafting Committee meetings can provide details. Online at: , notably the meetings of September 1997 and January 1998.) The Canadian uniform statute did not try to follow the Model Law on this point in the Uniform Act, but the federal government has given it some echo in its legislation, discussed below.
The working group of UNCITRAL on electronic signatures aimed to give more substance to the provisions of Article 13 of the 1996 text, but there too, efforts to draft clear attribution rules ended up much narrower than originally hoped. (See the reports of the meetings of UNCITRAL’s Working Group on Electronic Commerce, notably for July 1998 (A/CN.9/454, para. 40 – 53); for February 1999 (A/CN.9/457, para. 99 – 107, and Working Paper WP.79 para 31 - 33); for September 1999 (A/CN.9/465, para. 68 – 77); and for February 2000 (A/CN.9/467, para. 44 – 71). They are all at http://www.uncitral.org/english/workinggroups/wg_ec/index.htm.)
Where legislation is silent on attribution, parties to electronic transactions will have to satisfy themselves of the origin of electronic documents and signatures. What is prudent will depend on the circumstances, including the other identification methods available (such as use of a credit card), the total value of the transaction and the cost of getting better assurance of origin. A technology-neutral statute can do little more without hampering parties who are capable of making their own decisions. Statutes that say more about the technology may permit themselves to say more about attribution as well.
v) hybrid general rules
As the Utah model fell into question, attempts were made to find technology-neutral statutes that would nevertheless recognize that some kinds of e-signatures were more reliable than others. The most solidly drafted of these was the Illinois Electronic Commerce and Security Act of 1998, which went through several public drafts with commentary on its way to passage. Illinois provided that parties might agree that an electronic signature would satisfy a legal signature requirement. In addition, particularly reliable e-signatures were described as “secure electronic signatures”. These had certain characteristics first described in the United States by the National Institute of Science and Technology (NIST) in the early 1990s.
These characteristics were, in the words of the Illinois Act (s. 10-110):
· The signature is unique to signer in the context in which it is used;
· It can be used to objectively identify the person signing the electronic record;
· It was reliably created by such identified person (e.g. because some aspect of the procedure involves the use of a signature device or other means or method that is within the sole control of such person) and that cannot be readily duplicated or compromised;
· It is created and linked to the electronic record to which it relates, in a manner such that if the record or signature is intentionally or unintentionally changed after signing then the electronic signature is invalidated.
Illinois allowed the Secretary of State to designate electronic signature systems that met these criteria, so that litigants would not have to prove compliance with them in every case. Where the criteria were present, the Act provided a presumption of attribution, i.e. that the signature actually came from the person who apparently made it. It also sets out criteria for evaluating the reliability of certificates.
The Illinois model has influenced many others, including California in the US, Singapore (the first nation to implement the U.N. Model Law on Electronic Commerce), India, Hong Kong, Bermuda, and others. Among international bodies, it affected the UNCITRAL Model Law on Electronic Signatures and the European Directive on that subject.
In Canada, the federal government has adopted the Personal Information Protection and Electronic Documents Act (PIPEDA), Part 2 of which deals with electronic documents. (S.C.2000 c.5, http://lois.justice.gc.ca/en/P-8.6/index.html) It is a hybrid statute as well. Some of the signature provisions simply allow signature requirements to be satisfied electronically by use of an e-signature in the form to be prescribed by regulation. However, several sections contemplate the use of a “secure electronic signature”. For example, one can use a secure electronic signature to create a certificate signed by a minister or public official that is proof of a fact or admissible in evidence. A secure electronic signature may serve as a seal, if the seal requirement has been designated under the Act. Affidavits may be made electronically if both deponent and commissioner of the oath sign with a secure electronic signature. Declarations of truth may be made with such signatures, in similar circumstances. Witnesses may sign under similar conditions. It is worth noting that unlike most of the hybrid statutes, the Canadian federal law gives no choice about whether to use a secure electronic signature. To sign electronically and validly within the meaning of the provisions named, people must use the secure electronic signature.
A “secure electronic signature” is not defined in the Bill, except as “an electronic signature that results from the application of a technology or process prescribed by regulations made under subsection 48(1)”. That subsection sets out the usual provisions for signatures of this type, as we have discussed above in regards to Illinois. The intention is that in the first instance the only technology to be designated will be that of digital signatures certified by the Government of Canada, or those from systems cross-certified with the GOC PKI. (Cross-certification allows two or more public key infrastructures to recognize each other’s certificates and thus signatures. More on the Government of Canada PKI can be found online at ) Some provincial governments are developing public key infrastructures as well, and they hope to be cross-certified with the federal PKI. To date no regulations have been made on secure electronic signatures.
On the international front, the UNCITRAL Model Law on Electronic Signatures aims to help the parties determine in advance whether the reliability standard of the 1996 Model Law has been met, as noted above. The new Model Law also avoids detailed descriptions of the technology to be used, however, for the reasons that support minimalism in the first place. Earlier drafts talked of “secure” or “enhanced” electronic signatures. The terms have been dropped but the criteria of identification, sole control and detection of alteration remain in the new criteria for reliability of an electronic signature. The new Model Law is barely a hybrid within the meaning of this discussion. It shows that even hybrids have a range of degrees of obligation about the methods of authentication that they authorize.
Compare the European Union’s Directive on Electronic Signatures. It ensures that electronic signatures can be valid despite their electronic form and despite not meeting the more demanding standards described in the rest of the Directive. It goes on to prescribe in considerable detail a regime for “advanced electronic signatures” created by a “secure-signature-creation device” and supported by “qualified certificates”. Again one recognizes the NIST/Illinois language, though the appendices on technical requirements for qualification are more detailed than in those texts. The result of using this technology is an electronic signature to which member states must give the legal effect of a handwritten signature. There are no presumptions of attribution. This may strike some as a weak result for a strong technology.
Two main motives inspire this kind of legislation. The first is certainty, the same motive as for the technology specific legislation in Utah and elsewhere. While the general permission to use electronic signatures – with a reliability test, often, outside North America – may satisfy some more sophisticated parties, those who want to know that their signature process will be taken to be reliable, or those who do not want to have to prove its reliability, may be well served by the more detailed rules. Hybrid legislation reflects the nature of authentication among private parties: different weight is given to different documents and to different technologies. The difference is of course the role of the state in making the calculations mandatory and in defining them to some extent.
The second motive is closely related to authentication. Some classes of signature may not be made electronically except with a secure electronic signature. This is the case under the Canadian federal legislation, the Personal Information Protection and Electronic Documents Act. Documents whose authentication is considered particularly important must use the most secure processes to be authenticated in an electronic form. It is worth noting that most of the items in the list in the Canadian statute relate to the use of the signed document in evidence.
It is arguable that the detailed requirements in the hybrid legislation will not be easy to meet, judging from the difficulties in setting up public key infrastructures in Canada and the United States. However, even when they are met on their face, the assurances of identity of the signatory are vulnerable, depending on the design of the system. It is arguable that even presumptions of attribution are risky outside the context of a state-supported or at least state-regulated system, where the technical standards and trustworthy procedures are well known and expertly applied.
As noted in the earlier discussion of the nature of a signature, the fact of a signature is only one way in a commercial transaction to provide evidence of attribution. (Indeed, the identity of the other party is often less important than its solvency or the quality of its goods or services. For this reason one distinguishes sometimes between identification – who is this person? – and authentication – is this the person I want it to be? The latter is often a more important function of a signature, because one uses other means to determine who one wants to deal with. This paper uses the term “authentication” to cover both aspects, however.) Business parties may in practice choose to satisfy themselves about attribution through procedures that do not qualify as a signature at all, and certainly not as an advanced or a secure signature.
This statement brings us back to two earlier points that are worth considering in the context of hybrid legislation, in part because of the popularity of this kind of legislation. The first is that authentication is first of all a business decision about risk tolerance and risk management, though it is often supported or framed by official rules about what is acceptable authentication.
Second, the need for official rules will vary with the use to which the authenticated document will be put. The more likely the document is to be used only among sophisticated commercial parties, the less need there is for government to intervene or to prescribe detailed rules. If there will be less sophisticated parties, like consumers, or if the purposes of the document are not commercial but relate to personal life or official status, then the state is more likely to want to intervene.
There are two means of “intervening”, in that sense. The first is to provide detailed rules for acceptable authentication of electronic documents, as is done in the hybrid legislation. These rules may be restricted in their application to uses in particular need of reliability, as has been done in the Canadian federal law. The second means is to exclude particular classes of document or transaction from the general permission to authenticate by electronic means. The UNCITRAL Model Laws both contemplate exclusions. Typical exclusions in national legislation have been mentioned already.
It should be noted that these two methods work in the same direction, support the same policy, i.e. to protect those who need extra protection. The more detailed the rules are for electronic authentication, the fewer documents need to be excluded from the permission to authenticate electronically. Conversely, if a country excludes most sensitive documents from the legislation, then the remaining documents may well be left to be authenticated however the parties to them see fit.
B. Choosing a Legislative Model
When deciding whether to legislation on acceptable methods of authenticating electronic records, countries need to keep several factors in mind. Some are neutral, some indicate a preference for minimal technology-neutral rules, and some may favour a more detailed law like the hybrid legislation described above.
· Harmonization – is the law consistent with that of one’s major trading partners, or with that of countries with which one hopes to trade? In days of global borderless trading, how open does one need to be to distant or new potential trading partners? Is it easier to harmonize a more simple regime?
· Users’ familiarity with electronic technology – are people faced with electronic documents likely to make sound decisions about their authentication? The more familiar they are, the less likely they are to need legislative assistance. Are people required to use electronic records – in which case they may need more protection – or are they free to accept or reject – in which case they may have more power to choose what authentication methods are acceptable to them without state help.
· Available technology – is equipment readily available to the creators and users of electronic records that would allow them to satisfy detailed technical requirements of legislation?
· Purposes of rules – different authentication rules may apply to different documents, parties or transactions. If the rules exclude some of the more sensitive of these, then they may be able to be more open to party autonomy for what is covered. State records may need different treatment from private records, as noted earlier. A single rule on authentication may not be sufficient for the variety of records and transactions and parties possible.
· Traditions of party autonomy – how much choice do people have to authenticate documents on paper? Does legislation limit and channel this process as well? People may expect a consistent approach among media. Is there a tradition of strong state involvement in authentication decisions?
· Law of evidence – does the law of evidence in the country require particular formalities of presentation or signing? These formalities or their equivalents may be required to ensure authentic electronic records are available for courts.
· Standards – are technical standards available for creating electronic records or signatures? The European Electronic Signature Standard is in preparation, as is a Canadian standard on electronic documents. Standards might be a useful basis of a legislative requirement, or the basis on which a government decides to let private parties make their own “standardized” decisions.
· Avoid surprises – Would rules about validity or enforceability of documents based on their compliance with authentication rules surprise users of documents, so that they would find documents (and thus transactions) invalid when they expected them to be acceptable? Are there common forms of transactions over the Internet that do not readily meet the legislated standards?
· Complexity of legislative system – can the parties readily figure out that a document is authentic and thus usable (subject to other legal defects, as always), under proposed legislation? Is authentication largely a question of fact, or does it depend on difficult legal judgments?
C. Other Rules Affecting Authentication
Some legislation on authenticating electronic records has gone beyond
the strict requirements of authenticity to deal with related matters. The two most notable are liability rules and rules on the recognition of foreign electronic documents or signatures. While such provisions are not necessary to a sound authentication regime, they are not irrelevant. Liability rules may push all the parties to electronic records to conduct themselves in a way that will maximize the chances that the records they produce will be reliable. Recognition rules generally increase the confidence with which one may deal with foreign electronic documents, which promotes international commerce. The rules ensure that foreign methods of authentication are accepted where the documents are to be used, while protecting the country of use by requiring that the reliability of the foreign methods be equivalent to those in the country of use.
i) liability rules
For documents used between two parties, there seems to be little desire to legislate on the liability of the parties. The usual rule is that the relying party takes the risk of inauthenticity. Traditional authentication rules are more likely to invalidate non-compliant documents than they are to impose liability on their users. For three-party systems, with a certification authority between the signer and the relying party, some countries have wanted to legislate to ensure that parties knew what their responsibilities were. Another aim was to allocate liability in a way to promote activity of trusted third parties, who have sometimes been considered essential to the development of reliable e-commerce. This latter motive was strongly evident in Utah, which relieved the third party of liability if the rules were followed.
The Utah system was however much criticized on its liability (and attribution) rules: it was said to distort the true value of the technology to legislate liability. The real risks would become apparent and would be reflected in insurance premiums and the prices of services. Essentially the digital signature statutes were allocating risk by law differently than how the real risk fell. This was “legislating market winners”, which was said to be inappropriate in a free market. (B.Biddle, “Legislating Market Winners” (1997), http://www.acusd.edu/~biddle/LMW.htm .)
The UN Model Law on Electronic Signatures says that parties must “bear the consequences” of failing to comply with the conduct set out in the Model Law. This adds little to current law. At one point it was thought helpful to ensure that all enacting countries did impose some liability for negligent mis-statement of fact. It is not clear that this much is left in the current formulation.
It is however worth noting that the responsibility of the relying party may be different from that of the signer (the holder of the signing device) and the certification authority, called in the Model Law (and the EU Directive) the certification service provider (CSP). Negligence of the signer or CSP is very likely to harm others. Negligence of the relying party harms only the relying party, who may end up with a contract with the wrong person, or with no one. The consequences of the relying party’s negligence is thus not to be liable to someone else but to be unable to blame anyone else for the loss (though liability could be shared in some cases.)
The EU Directive on Electronic Signatures requires member states of the Union to ensure certain liabilities of the CSP but also provides for CSPs to limit their liability by appropriate disclosures. Otherwise there are no standards or values for liability.
The Quebec statute on information technology is essentially a technology-neutral statute but nevertheless makes detailed provision for the activity of persons who certify the identity of signatories of technology-based documents and it sets up a voluntary accreditation scheme for them. It also examines the nature of recognized standards for reliable technology in this area. Further, Quebec provides for the liability, or the exemption from liability, of communications intermediaries like Internet service providers. (An Act to establish a legal framework for information technology, Statutes of Quebec 2001 c.32.)
Concerns have been raised about liability provisions even of the level of generality of the UNCITRAL Model Law on Electronic Signatures. They are drafted with a three-party model, really a digital signature/PKI model, in mind, but apply on their face to any electronic signature. The conduct they promote may be too demanding for some kinds of signature. In addition, the terms are sufficiently general that inconsistent implementation is likely, and this will be confusing for commercial parties – in any of the three roles – that want to operate internationally. The responsibilities of the parties may often be better determined by contract among themselves. It also needs to be clear whether the party autonomy permitted by such legislation allows parties to change the rules of conduct and liability or whether these rules are mandatory in all cases.
ii) recognition rules
The use of electronic documents and especially the Internet has stimulated the need for consistent rules for recognizing foreign documents. One country’s authentication rules are not applied only to its own residents’ records. The more consistent these rules are, the more confident people will be to trade internationally by electronic means.
Where different countries are using three-party certification processes to authenticate electronic records, one hears of “cross-certification” to ensure the use of the records in another country. This is a technique by which one certification authority certifies a document on the strength of the certificate of another certification authority. It depends on very detailed technical coordination of certification standards and operations among participating CAs. (The concept appears for use within countries as well as across borders.) While national cross-certification agreements exist, they seem more at a demonstration level for the moment. (Such agreements have been published, for example, between Canada and Singapore.) They also are restricted to certification models, i.e. they are technology-specific.
It has become more common to speak of “cross-recognition”, or simply of “recognition”, of foreign electronic records. “Cross” suggests a mutuality: A recognizes B’s records if B recognizes A’s records. Given the speed and unpredictability of electronic commerce, it is likely to be more productive for a country to recognize electronic records from anywhere that meets its standards, without concern for reciprocity.
The UN Model Law on Electronic Signatures deals with recognition in Article 12. It makes the location of the origin of an electronic signature or certificate irrelevant to the recognition of the document. Likewise the place of business of the issuer of the certificate or of the signer is irrelevant. The article requires implementing states to give the same legal effect to a foreign signature or certificate that a domestic signature or certificate would have, if they have substantially equivalent reliability. (Exact technical conformity is not required.)
This language is chosen to allow for a range of degrees of reliability. Thus the domestic rules on authentication can be respected. If a country insists on high reliability for particular kinds of documents, it can insist that foreign electronic records demonstrate equivalent reliability at that high level. Lower levels of reliability may be met by lower level foreign records.
However, the rules on reliability are to meet “recognized international standards” for reliability. This important provision intends to prevent a multiplicity of standards, including those that might be imposed as non-tariff barriers to trade. The UN Working Group discussed whether to define « recognized international standards. » While no definition was retained, the Guide to Enactment of the MLES will point out that such standards may originate with public or private bodies and may be « standards » adopted by official standard-setting bodies, or guidelines. No doubt there would be some kind of unofficial hierarchy in favour of public standards, if an accreditation authority found that applicable standards varied when it needed to decide about signing methods.
Finally, Article 12 of the new Model Law allows parties among themselves to agree to their own standards, which are to be recognized unless they are invalid under applicable law. This language echoes the limits to party autonomy on domestic signatures, discussed earlier. Implementing countries should be slow to intervene in such private decisions, but if their authentication rules are particularly important to them, they are allowed to do so.
While the language of the UN Model Law deals only with signatures and certificates, its principles (non-discrimination against foreign records, equivalent reliability and broad though not limitless party autonomy) are readily applicable to any other rules affecting the authentication of electronic records.
Authenticating a document is an exercise of judgment, of balancing the risks of
acceptance against its benefits. Sometimes the state intervenes to require certain forms to be observed, in order to protect the interests of parties or of the state itself. Electronic documents present some new challenges, in part to estimate if the current rules are sufficiently strong for them, and in part, conversely, to see how the current rules can be made flexible enough to accommodate them.
An increasing body of legislation and international models for legislation exists to guide countries who are trying to decide how to deal with electronic records in the context of their own culture, traditions, and existing legal rules affecting authentication. This paper has reviewed the principles underlying many of the existing rules and discussed the main trends in the legislation. It has also suggested a number of factors that may properly influence the decision of someone considering new legislation. The values of harmonization with one’s neighbours and the international community, and the usefulness of allowing the parties to commercial transactions to set their own rules, move one towards a minimalist regime of acceptance. Values of protecting vulnerable parties and assisting those unfamiliar with the technology may move one towards more detailed statutory requirements.
There is no single right answer to the questions raised here. The responses given by the United Nations Commission on International Trade Law should arguably be at the base of reflection, as they represent a broad consensus of all the worlds’ legal systems. But UNCITRAL has left a good deal of space for implementing countries to make their own decisions, not only by the choice of the model law as its texts, but in the room given for exceptions to the scope of legislation and in the reference to what will be evolving international standards. It is hoped that the discussion in this paper will prove useful in taking the next steps to accommodate the electronic world in which we all find ourselves.
 A note on vocabulary:
a) This paper uses the terms “record” and “document” interchangeably. The former tends to be used in the United States, and the latter in Canada. Archivists often distinguish them on the basis that a record is a document in the context of an organized method of storage and retrieval, i.e. record-keeping system.
b) The term “authentication” is sometimes used, especially in the United States, to refer to the process engaged in by the creator of a record, to provide, along with a record, the evidence that will later be used to determine its credibility. Notably it is used as a near-synonym for “signing”. The present paper uses the term only to refer to the process engaged in by the holder of a document who wants to estimate its reliability. The rules established to make this process work will of course affect the manner in which the creator of a record creates it.