Paperless Government and the Law
John D. Gregory
General Counsel, Policy Branch
Ministry of the Attorney General (Ontario) (1)
[prepared for Legal Emissions, Legal Services Branch,
Ministry of the Environment, December 1999.]
I. PAPER AND THE LAW
A. In general
[1] The law has much to do with the analysis and management of information. For a very long time the language of the law has assumed that this information is on paper. The advent of computer communications over the past generation, and particularly the rise of networked personal computers and the Internet, have thrown that assumption into question. Many legal relationships purport to be negotiated, created and executed without paper. How effective are they? Are they fatally flawed in law because they never leave the realm of electrons?
[2] While the law often presumes paper, it does not require paper as often as many people - including many lawyers - may think. More often than not, people use paper not because they have to but because they want to, because it appears prudent to Aget it in writing@. The distinction is very important between what the law compels one to do and what one chooses to do as a matter of business practice.
[3] Prudence leads people instinctively or by training (lawyers by training) to perform a kind of Athreat/risk analysis@. How easy is it to compromise the information on which a proposed or purported legal transaction is based? How serious are the consequences of compromise? How likely is it that anyone would want to compromise the information? How much would it cost to protect the information to a point of lower risk? What is the benefit of using the information in the first place?
[4] People are used to paper. We have used it for centuries. We have a pretty good idea of what is reliable and what is not. We know that signing a document may have legal consequences, and we take the action seriously. We recognize that different kinds of legal consequences will demand different levels of reliability of documentation. Thus initials may satisfy some purposes, or a full signature others, while in higher value matters or transactions between strangers, more documentation is usually sought.
[5] In short, people know how to estimate the risks and benefits of using paper. As a result, a complex set of practices and presumptions has grown up around its use. When we look at replacing the paper with electronic communications, we have to examine whether the practices and presumptions arise only by prudence, or whether the law gives us no other choice but to use paper. Where they are based on prudence alone, then the challenge is to find electronic practices that achieve the same balance of risks and benefits as is offered by paper.
[6] We should not pretend that this is an easy process, or one which all will follow at the same pace. Information security procedures will have to prove themselves over time. Those most at risk from compromised information will set high standards at first, until custom and personal experience persuade them that some less demanding methods will fill the same function. Some people will be slow to accept electronic information at all, though business pressures are increasingly insistent and the efficiencies increasingly persuasive.
[7] It is also certainly true that the law sometimes does use words that appear to indicate the use of paper in some circumstances. One thinks of requirements for notices in writing, signed certificates, information in prescribed form, and many other common demands. Do they foreclose the use of electronic communications, at least in the absence of specific law reform?
[8] A number of techniques have been used to resolve this question. The first two, contracts and technology, may be less useful for government than for the private sector, because government often has relations with the people it governs that do not depend on contract. Technological fixes can be of use sometimes, but they contribute more to the security of transactions where paper is not required but only desired.
[9] The main two techniques of adaptation for government are the common law (i.e. let the judges work it out) and law reform (i.e. let the legislators work it out). The common law does change as the society it serves changes. Just as it came to terms with telegram and telephone and telex, so now it is coming to terms with telecopiers (faxes) and other forms of electronic communications. Judges know that documents are generated electronically, and sent and stored the same way. One sees this reflected in the law of evidence, where computer-generated records are almost never refused admission on the ground that they are unknown or unreliable by nature. The words of the statutes will often be read in a way that accommodates these changes
[10] Just in case they are not, however, the final recourse is to law reform: change the rule that requires paper, in one way or another. Several Ontario statutes have been amended to accommodate electronic records. Some more general law reform is in prospect. Before looking at these initiatives, we will review briefly some of the special challenges that governments have in handling information. These will influence the kind of law reform that is most important and most useful to government.
B. In government
[11] Government shares many of the concerns of the private sector in respect of electronic forms of information. Government enters into contracts, it relies on signatures, it seeks and produces original documents. It retains records, probably to a greater extent than anyone else. The general law of electronic commerce interests governments.
[12] However, government is different, for a number of reasons that affect its legal relationship to electronic information.
[13] First, government collects a lot of information from people and businesses in the territory for which the government is responsible. Some of this information is submitted voluntarily, but some of it is submitted only under compulsion of law. One thinks of tax returns or reports of compliance with environmental regulations. This is very unusual for private sector communications. There is much other information which must by law be submitted accurately and on time. Not everyone sending such information to government will want to make it easy to process.
[14] Second, the nature of information in the hands of government differs from private information. It is often the foundation of rules of law or of legal relationships. Much of it is by definition the official, the formal, the effective version. As such, it must be available in authoritative forms. The law often gives particular consequences to information certified as accurate by a public official. Findings of civil liability and of criminal or quasi-criminal responsibility often turn on the contents of the public record. The creation, storage, reproduction and authentication of this information must be reliable.
[15] Third, even in the absence of such considerations, government is subject to particularly demanding standards in its information practices. It is expected to keep to the high road. Democratic government is accountable for its adherence to such standards, and politicians and critics are sensitive to this demand. This accountability alone requires sound information, since the first requirement for judgment is a reliable record of what has been done with the power of the state.
[16] Statutes reinforce this duty, notably (in Ontario) the Freedom of Information and Protection of Privacy Act (FIPPA) and its municipal counterpart. FIPPA makes government disclose records of public matters, but keep commercial and personal information confidential. This set of duties in principle constrains government to proper record management practices.
[17] Government has a present duty and a duty to history as well, exemplified by the Archives Act. All official document are to be turned over to the Archivist no later than twenty years after their useful life. This requires that government think more than most private sector entities about the long term consequences not just of its acts, but of the way it documents its acts.
[18] How do these duties play out in government=s adherence to writing requirements? The government may be held to a strict rule of law, to the letter of statutes and regulations requiring paper documents. Adherence to form requirements often means the use of prescribed forms. The desire to be even-handed and accountable can lead to an overly diligent reliance on forms and documents, known in its extreme forms as red tape. The result tends to be caution, aversion to risk, avoidance of the new. Add to this the professional reservations of lawyers, and one understands why technology in government is likely to be embraced gingerly.
[19] However, government is feeling many of the same pressures as the private sector to go electronic: the efficiencies, the improved service, the lower costs, the need for communications with the wider world. It is therefore fair to say that government has had recourse more quickly than the private sector to law reform to satisfy these pressures.
II. LAW REFORM
A. Law reform targeting government
[20] Most of the law reform in Ontario dealing with the use of electronic communications has applied to government uses, rather than to private sector transactions with other private sector bodies. Three reasons can be offered for this. First, government ministries have had access to the legislative process for their own programs and purposes, and have used that access to ensure the legal effectiveness of those programs.
[21] Second, the power of public bodies to innovate may be more often in question than it is for private entities. Some public bodies are entirely creatures of statute, and have no more power than is expressly given to them by their governing law. Municipalities are in this class, as are many agencies, boards and commissions. Even where the limits are not so clear, there is comfort in knowing that the Legislature has allowed the use of the new media.
[22] The third reason is that government is held to stricter standards of legality and openness than private entities, so legislation has been more urgently needed to ensure compliance with the appropriate legal standards than for the private sector.
[23] This is not to say that the private sector is unaffected by the early reforms, only that it is its relationship to government programs and registries that is usually at issue. Here are some of the types of laws that have been passed in recent years.
1 General use of electronic records
[24] The provincial government generally has the powers of a natural person, unless restricted by statute. As noted above, this is not true of all public bodies, and others have been cautious. In any event, the use of records and in particular electronic records has been authorized by statute in some cases. One notable example is the 1997 amendment to the Public Guardian and Trustee Act, essentially to permit electronic imaging of the incoming flow of paper.
2. Electronic Records as Evidence
[25] Sometimes the reforms have focussed mainly on the use of electronic records in judicial proceedings. For example, all the taxation statutes were amended in 1994 to provide that where information is filed electronically, the Minister may make printouts and the printouts are as admissible as the original information; certain electronic information may be extracted from electronically-filed information and that extract is admissible; and if the electronically-filed information is destroyed, a duly authenticated printout of it is admissible Aand shall have the same probative force as the original return or document would have had if it had been proved in the ordinary way@.
[26] Similar amendments have been made to the Public Guardian and Trustee Act.
3. Electronic filing
[27] There are a number of reasons why people may send information to government, and a number of degrees of importance that the information may have once it is in government hands. Both factors influence the design of electronic filing systems.
[28] The Electronic Registration Act (Ministry of Consumer and Commercial Relations Statutes) 1991 allows electronic filing under MCCR statutes, when and to the extent that the methods of filing are prescribed by regulation. The first filing regime was established for the Personal Property Security Act in 1992, the next for the Repair and Storage Lien Act in 1993. The electronic forms themselves are established by the Registrar rather than appearing in regulations.
[29] Financing statements registered under the electronic system are not signed. However, everyone who registers electronically (mainly financial institutions and law offices) have contracted with MCCR and use approved software and hardware. In other words, the system is Aclosed@. They also establish a financial credit, from which the registration fees are drawn down as registrations are made. As a result, the ministry=s system is able to keep track of who is doing what, and is also sure of being paid, since it takes the money in advance.
[30] The Land Registration Reform Act was amended in 1994 to authorize electronic registration of land transfers, using the Teranet system. Lawyers and some other users are issued digital signature signing keys, which they will use to send registration information to the Land Titles office. Again, it is a closed system, where all participants are controlled by contract.
[31] Land transfer documents themselves will not need to be signed, since the documents are not registered. The statute provides that the electronic record, once duly accepted by the Director, prevails over paper versions. This system is being brought into force gradually across the province. It depends on a fairly complex set of regulations, as befits a system whose security is essential to the integrity of land values in Ontario.
[32] The Provincial Offences Act was amended in 1993 to allowed for electronic documents in form approved by regulations. The functional description of the electronic program is almost always left to regulations, since it requires more details than are usually put into statutes, the details may change as technology evolves, and frequently the responsible ministries do not know in detail what they want to do at the time the statute is enacted. The POA regulations require an electronic document to be Aintelligible in a form prescribed under the Act when that information is used for any purpose under the Act@ and unaltered after it is signed.
[33] Under the POA, a document is properly signed in an electronic format if the document contains a code, name or number of a person that is capable of identifying the person as the originator of the document and the code, name or number is reasonably secure against unauthorized use. Such security can be provided by physical protection of the signing device or by electronic security for the data.
[34] The POA also provided for electronic filing, either on tape or by direct transmission. The regulations deal with when something is filed as well, and requires acknowledgments before the filing is considered effective.
[35] These regulations were created for the photoradar program and have not been used since that program was discontinued. However, they remain in the book for later attention.
4. Electronic signatures
[36] Signatures are one of the most important areas in electronic communications, and one of the most difficult. As noted at the outset of this paper, one must distinguish between signatures required by law and signatures desired by habit. On occasion one may use signatures when one wants only to demonstrate the accuracy of the information on the signed document. There may be other and even better ways of ensuring the accuracy than by a signature. This point is dealt with further in the discussion of particular programs below, and again below in section IV dealing with legal advice to government.
[37] The primary functions of a signature are to identify a person (or an office or holder of authority) and to link that person with a text of some kind. The legal effect of a signature cannot be generalized. Sometimes one signs to bind oneself to a contract, sometimes to show that one has seen a draft, or to witness another signature, or to approve conditionally, or to notarize.
[38] Law reform relating to government has taken a number of approaches to existing signature requirements. Electronic filing rules have used the two main ones. The first is to close the system, so all participants in communications are identified securely and bound by contract to particular technology and particular legal effects of its use. In other words, the identification is done at the time of entry into the system, and the link to the texts to be generated in the future is agreed by contract to be adequate, given the use of agreed technology.
[39] The second approach is to eliminate the need for signatures altogether, where little purpose is served by them, or where signatures on paper documents are never verified in any event. As noted earlier, the electronic system does not have to be more reliable than the paper one it is replacing or supplementing.
[40] Ontario has taken other approaches as well. Sometimes it Aoutsources@ the signature requirement. The pilot project for electronic filing of civil court documents in the Toronto region dispensed with most signatures on filings. However, the key document was evidence that the opposing party had notice of the action at all. On paper, proof of personal service of this notice must be done by affidavit of the person who has made the service. The electronic system required that this affidavit be made as well, but the affidavit on paper would be kept at the offices of the party starting the action, while an electronic certificate of appropriate service would be filed. The affidavit was to be produced on request. In other words, the court office did not have to figure out whether an electronic signature was good enough for this important purpose.
[41] A further approach to signatures is to allow the Executive to use whatever technology appears satisfactory. For example, the Compulsory Automobile Insurance Act permits the use of any signature approved by the Minister. The Minister has approved an electronic signature created by pressing on an AI agree@ icon on the screen of a Service Ontario kiosk, when one has finished applying electronically for renewal of one=s licence plates. The signer has by that time already entered his or her plate number, insurance policy number and credit card number, so the chances of falsely denying signing the certificate of insurance are slim.
[42] A more radical approach to signatures is to define the problem away. A substantial number of Ontario statutes simply say that a certificate of authority (e.g. identifying an inspector who has the right to enter premises to check them over) Apurporting to bear the signature of the Minister@ is admissible in court. One understands the desire not to have to prove the Minister=s signature or the authority to hold the certificate in every prosecution. However, such a form of self-authentication was not conceived for an era of electronic documents and arguably will not work well in the electronic world without further assurances of the information in the document.
[43] Failing these methods, the government has also more recently had recourse to specific statutes. Two recent welfare statutes (the Ontario Works Act, 1997 and the Ontario Disability Support Program Act, 1997) contain the following provision on electronic signatures.
[44] Where this Act or the regulations require an individual=s signature, one or more of the individual=s personal identification number (PIN), password, biometric information or photographic image may be used in the place of his or her signature to authenticate the individual=s identity and to act as authorization of or consent to a transaction relating to an application for or the receipt of assistance.
[45] This provision is not currently in use. Its form is modern and flexible. It will be necessary to spell out who decides when the provision comes into force and what particular method will be used in practice. The individual welfare recipient will not be called on to make those decisions, though the language of the section appears to leave it open to any party to communications to do so.
B. Generic law reform
[46] Some more recent reforms of the law have aimed to facilitate the use of electronic records more generally.
1 Law of Evidence
[47] As noted earlier, the courts have generally admitted computer-generated records as evidence. However, their technical grounds for doing so have varied, as they have tried to fit the evolving technology into existing legal categories. As a result, a number of lawyers have hesitated to advise their clients to go wholly electronic, particularly when that would involve destroying paper originals in order to rely on electronic images of them.
[48] The Uniform Law Conference of Canada, a federal-provincial harmonization body, created the Uniform Electronic Evidence Act to help answer the main outstanding questions. The Red Tape Reduction Act 1999, Bill 11, introduced in November 1999, amends the Ontario Evidence Act to enact the Uniform Act here. Part 3 of the federal government=s Bill C-6, the Personal Information Protection and Electronic Documents Act, puts the Uniform Act into the Canada Evidence Act, which governs Criminal Code trials and proceedings before federal administrative tribunals like the National Energy Board.
[49] The main effect of the Uniform Electronic Evidence Act is to eliminate the search for an Aoriginal@ of an electronic record. The notion of originality is hard to apply to electronic records, because of the way they are created and transmitted. The point of asking for an original, as the Abest evidence@ rule in court does, is to help ascertain if the document has been altered. Computer records do not show alteration in the same way. Instead, the Uniform Act says that the best evidence rule is satisfied by proof of the integrity of the record-keeping system from which the evidence is taken. This in turn can be shown, among other methods, by showing compliance with recognized standards, whether industry-wide or more restricted. Many kinds of records will be presumed to have integrity without specific proof, where this is not seriously put in issue by the other party to the proceeding.
2 Electronic Commerce Act
[50] The Uniform Law Conference of Canada has lately adopted a Uniform Electronic Commerce Act (UECA). This statute is based on a United Nations model, and resembles statutes in the United States and Australia, among other places. The government of Ontario is currently considering whether it should adopt this Uniform Act. (An annotated version of the UECA is at http://www.law.ualberta.ca/alri/ulc/current/ euecafa.htm.)(The federal government=s Bill C-6 allows the government and bodies it regulates to go electronic, once the appropriate rules are designated and supported by regulations.)
[51] The UECA aims to remove statutory barriers to the use of electronic communications with legal effects. It is not limited to buying or selling, Acommerce@ in a narrow sense. It does this by providing Afunctional equivalents@ of documents on paper. Where the law now says something is to be in writing, the UECA allows an electronic document to satisfy this requirement if it is accessible for subsequent use. If something has to be an original, an electronic document is acceptable if there is reasonable assurance of its integrity since the text was first generated. Records may be retained in electronic form too.
[52] The UECA says that a signature requirement may be satisfied by an electronic signature. This is defined as electronic information that a person creates or adopts in order to sign a document and that is in or associated with a document. One notes that the intention for an electronic signature is the same as for a signature on paper. The UECA is trying to make the law media-neutral, i.e. the same legal concepts will apply to paper and to electronic information. Someone wanting to rely on an electronic signature would have to show that it was created by the alleged signer, and that the electrons were properly associated with the text said to be signed. One would have to prove the same thing for a paper document, though the link between the signature and the document is usually easier to show on paper.
[53] The UECA goes on to specifically permit electronic contracting and to provide rules for the place and time of sending and receiving electronic messages.
[54] Government information has some degree of special status under the UECA. To start with, it is specifically authorized to use electronic documents for all purposes. The Act does not require anyone to use or accept information in electronic form. In the case of government, its consent must be express and not implied from its conduct. This consent to accept electronic documents must be communicated to those likely to be affected by it. This might mean the public at large or a smaller group with whom a particular ministry deals. The Act does not say how this is communicated.
[55] The UECA also allows government to set its own Ainformation technology requirements@ for incoming information. For notices, it may also set acknowledgment rules, i.e. notice would not be considered to have been given until the sender receives an acknowledgment of receipt. For signatures, it may set rules as to method of signatures and their reliability.
[56] If the Act were adopted in Ontario, a number of ministries or programs would be spared the need to seek their own special authority to operate electronically, or to prescribe their own rules for documents relating to the program. The UECA would not actually amend any statutes; it would serve as a master guide to how other statutes operate. (It would not however change any rules that already have been set for using electronic documents.)
[57] There would also be less doubt in some minds about the efficacy of what is now being done. Since a number of programs are now using electronic documents, it may be helpful to look at the legal foundation for them.
III. Government programs using electronic documents
[58] An increasing number of programs run by the Ontario government are relying heavily on electronic communications. The legal authority varies. Sometimes a broadly permissive statute supports all the proposed activities. At other times tailored regulations have been made. Some programs rely on the common law=s flexibility, or the terms of existing media-neutral legislation. All of them rely to some extent on a threat/risk analysis of the kind mentioned earlier, to determine if the technology used will protect the integrity of program data and operations sufficiently to support the benefits to be achieved by using electronic communications.
A. Ontario Business Connects
[59] Ontario Business Connects intends to be a Aone-window@ gateway for business into government authorization and regulation. It now permits easy registration under four separate programs, including business name registration and retail sales and employer health tax permits. It will soon extend to other programs, including municipal and federal programs. At present it runs from free-standing work stations around the province; Internet service is planned. The legal authority for all its actions to date is the Business Regulation Reform Act, 1994, which allows very broad discretion to make regulations about electronic forms and electronic signatures for business information. So far it has relied on fairly weak authentication systems, as does the paper it replaces.
[60] Similar programs for individual dealing with government are at earlier stages of development under the ServiceOntario umbrella, led by the Ministry of Transportation, and electronic land information is centralized under Land Information Ontario (Ministry of Natural Resources).
B. Integrated Justice Project
[61] The three ministries in the justice sector are cooperating in a public/private partnership to integrate the flow and format of information throughout the justice system. Some of the law being examined is federal, such as the Criminal Code. Attempts are being made as well to change the rules of court in appropriate ways. Few changes to provincial legislation are anticipated.
C. Ontario Energy Board
[62] The Ontario Energy Board is collaborating with the National Energy Board and its Alberta counterpart in a very ambitious AElectronic Regulatory Project@ to simplify the documentary requirements of what are often very complex cross-jurisdictional proceedings. This has involved the creation of Avirtual filings@, in which the websites of the participants - industry and board and intervenors alike - have been used to assemble and publicize information. No statutes have had to be amended to permit this. Further details can be found at http://www.oeb.gov.on.ca/Erf00e.htm
D. Drive Clean
[63] The Ministry of the Environment has established a testing system for pollution from automobiles. Much of the data from this system is transmitted electronically from the inspection stations, in a form able to be analyzed usefully. Payment information is also in electronic form. This system rests largely on contracts among the participants. Individuals= personal information is subject to FIPPA, so the system has been designed to block improper access to this information.
E. Electronic Authentication
[64] Many legal documents contain official information that people can rely on to take action or change their legal position. This information thus has to be right. Current law recognizes this need through certificates and other documents that attest to their credible origins - usually with some public institution. The documents are usually required to have some kind of evidence of their source, such as letterhead or seals or signatures of public officials. Some of these security requirements also tend to show that the information has not been altered since the issue of the documents.
[65] These considerations are sometimes spoken of as elements of Aauthentication@. This term does not have a clear meaning in Canadian law, but it combines an indication of the source of the information with some assurance of its integrity. How is this to be done electronically? Two main methods seem to be developing, depending in part on the type of information at issue and its uses. The first is a reference back to some official and secure database. The second is the encryption of the documents, often in the context of a public key infrastructure.
1. Official database references
[66] The Companies Branch of the Ministry of Consumer and Commercial Relations creates corporations, which are bodies with special rules about liability. It is important for people to be able to know whether a particular organization is currently a corporation in good standing, and who its directors and officers are. The Companies Branch has always issued ACertificates of status@ about corporations. It will also certify the names that appear on its register as directors and officers.
[67] In recent years the Branch has been issuing electronic certificates of this information. The certificates include a digitized signature of the Director of the Branch, i.e. an electronic representation that displays like her handwritten signature. This makes a printout of the certificate look like the traditional document, but the electronic signature is worth nothing as security. Electrons can be moved from one document to another without detection (unless special measures such as encryption are used).
[68] The real authentication feature in the electronic certificate is a Aunique identifier@, which is a code that refers back to the official corporation file in the hands of MCCR. Each certificate has a different identifier, so the certificate as well as the corporation can be identified. Someone who wants to check the validity of the information in a certificate can ask the Branch to provide information about the corporation so identified. The ease of checking the official information deters fraudulent alteration of the certificate by increasing the risk that such changes will be detected.
[69] The Ministry of the Attorney General has recently established a similar system. People who win civil lawsuits are entitled to enforce their win by seizing and selling the defendant=s property, within limits. The court issues a Awrit of seizure and sale@, through the office of the sheriff. This writ can also be registered against land held by the defendant, so money owed can be collected from the proceeds of any future sale of the land.
[70] The writs and their registration against the land are now being done in electronic form. The system must obviously ensure that the amounts seized and the person from whom they are seized are those named by the court in the judgment. This requirement is met by the use of a unique identifier that refers the electronic document back to the court file. Anyone needing to check the information can do so against the official record, and not have to trust the electronic document being presented at the time.
[71] In addition, the writs are court documents. The Courts of Justice Act requires that any document issued by the Court must bear the seal of the court. The Act goes on to say that the Court shall have such seals as are approved by the Attorney General. While seals were originally impressions of particular forms on wax, and later on paper, their form has become much more flexible over time. The intention behind the mark is more important, just as it is for signatures. The Attorney General has approved the unique identifiers as seals of the court for the purpose of the writs. Since these identifiers are unique to the document and link to a unique file, they provide better authentication than the physical seal, which simply identified the name of the court, and which could be imitated by someone with the means and incentive to do so.
[72] The use of such unique identifiers to authenticate information depends on the reliability of the official database. Thorough security is needed to preserve that resource. The same is true of paper files, of course, and electronic files may be more secure than paper against loss or alteration, if they are properly managed.
2. Public key infrastructure
[73] Some uses of legal documents do not permit a reference back to the database. Sometimes the identity of the person or the office sending the information is essential to its user. Where the document itself has to be traced, or its contents have to be secure on their own, then people may prefer to use encryption for authentication.
[74] Encryption has been around for a long time to keep documents secret. If the key to the code is known only to two people, then the recipient of a coded message also knows who sent it. For reasons beyond the scope of this paper, traditional encryption is not adequate for widespread use by large numbers of people. A relatively new form of encryption can be used for these purposes, and many public sector and private sector bodies are working to set up systems to use it.
[75] Public key encryption uses two mathematically related keys to process documents. One of the key pair encrypts, and only the other one of the pair will decrypt. Either one can do either task. If you know one key, you cannot figure out the other one.
[76] The principle of using public key cryptography is that one key of the key pair will be kept secret (the Aprivate key@) by its holder, and the other one will be made public (the Apublic key@) to anyone who might need to know it. Anyone who holds the public key can read something encrypted with the private key. Only the holder of the private key can read something encrypted with the public key.
[77] This means that the use of a private key to encrypt is the equivalent of a signature - only one person can have encrypted the document. Confidentiality is ensured by using the recipient=s public key - only the private keyholder can read what has been encrypted.
[78] There is also a way to use this technology to show that information has not been altered from the time it is encrypted to the time it is read.
[79] The actual operation of this technology can be very complex. It depends on very reliable identification of the holders of the private keys to the potential users of the system. It also requires good key management, especially where large numbers of keyholders include those who retire or change positions or lose their private keys (which threatens to compromise the reliability of anything signed with those keys). The system of software and hardware specification and rules of conduct of the parties is known as a public key infrastructure, or PKI.
[80] The government of Ontario is building the AGO-PKI@, and several ministries want to use it. Among them are Health, Community and Social Services, and the Justice sector ministries. Some Children=s Aid Societies are now using public key cryptography for secure electronic communications about vulnerable children. A number of policies and design features of the PKI remain to be developed. PKI is not a magic bullet, and one size does not fit all. Each user community will have to decide how to make the technology work for its members. It does seem to be the best form of electronic authentication for some programs.
[81] At present, it seems likely that PKI will not have special legislative authority, but it will be supported by a network of contracts, as are some of the electronic registration systems examined earlier in this paper.
IV. Legal advice to government
[81] Government lawyers face a number of challenges in advising their clients on proposals to use electronic communications, either internally or in programs aimed at the public. They have to understand enough about the potential of the technology to recognize the legal issues that can be presented. They have to know how the law is evolving to keep pace with technology, and where the legal rules are not changing quickly enough, and where the old rules are still good. They have to be able to participate in the Athreat/risk analysis@ that will underlie the design of any electronic commerce or electronic service delivery. As always, they will have to understand their clients= environment and programs to do this.
[82] Just as electronic commerce crosses borders easily, electronic programs in government are crossing ministry boundaries. Some of the shared programs have been mentioned earlier in this paper. As a result, government lawyers have to know how their clients= uses or legal problems relate to those faced elsewhere, in government and outside. They have to know what law reform is contemplated, or already done, to evaluate whether further reform would benefit their clients.
[83] In Ontario, the Ministry of the Attorney General (MAG) is responsible for providing legal advice to government. Management Board of Cabinet is the centre of policy for the use of information technology. MAG and the Management Board Secretariat (MBS) have established a joint project on the Legal Framework for Electronic Commerce, to help respond to these challenges. Each ministry has at least one representative on the Legal Team. A handful of particularly experienced lawyers make up a Core Group, which acts as an expert resource to the Team. The project reports to the Information and Information Technology Management Committee (IITMC). It also works with a Consultative Council comprising a score of representatives of the major IT user groups in government who provide a sounding board for its priorities and work projects.
[84] The Legal Team meets monthly. The meetings are a mix of continuing legal education and simple exchange of information. It is essential to reduce duplication of effort and to formulate consistent approaches to the problems common to many parts of the government. Work groups have done presentations to the Team on electronic signatures and filing, certification, procurement, and liability issues, as well as recent law reform proposals. In addition, formal educational programs have been presented to government lawyers generally.
[85] The main documentary achievement of the project in its first year was a paper called AElectronic Commerce in Government: Guide to Legal Issues@. This is a plain-language guide for program managers and IT professionals, to alert them to the legal issues that may arise as they work in electronic communications. It is not a list of things to avoid, simply a reference work of matters to discuss with the legal advisors. That paper is available on the Intranet at the I&IT Connect site: http://intra.itconnect.gov.on.ca/mbs/itpb/it.nsf/ . It is at the end of the description of the project, which is itself listed under AMajor I&IT Projects@.
[86] Any employee of the government with responsibilities for electronic communications might find the Guide of interest. Those who work with their ministries= lawyers should read it carefully, to help themselves receive the most useful advice on this changing field.
Conclusion
[87] The law of electronic commerce is built on many elements of existing law, both judge-made law and current statutes. Generic law reform is also in the works. Each program will have to decide on the right combination of known rules and new ones. However, we should exercise caution about proposing Ministry-specific or program-specific legislation. We risk duplication of, or worse, inconsistency with, what is already available. Government should try to work on consistent language for consistent concepts, when special legislation is needed. This is one of the tasks for the Legal Team in the Framework for Electronic Commerce project, working with Legislative Counsel who draft the texts.
[88] Lawyers and clients need to band together to optimize the uses of information technology and electronic communications. Ministry boundaries are falling, and information needs to be shared to maximize its value. The legal project exists to build the knowledge base. Best practices will be built on best legal analysis, and it takes all the legal expertise and experience in government to build that.
1. * The views expressed here are not necessarily those of the Ministry of the Attorney General.