International Working Group On Electronic Authentication
23 April 1999
International Consensus Principles for Electronic Authentication
The Internet Law & Policy Forum ("ILPF") convened a working group in
Brussels, Belgium on 23 April 1999 to consider the high level principles
presented in the ILPF's Legislative Principles For Electronic
Authentication and Electronic Commerce (the Legislative
Principles) within the current international context. The earlier
Legislative Principles found wide use as the public dialogue over the
recognition of electronic authentication began in earnest. The ILPF
convened this international working group after publishing its survey of
the trends in legislative proposals to address electronic authentication
around the globe (the International Survey) taking into account
extensive international dialogue on this complex topic thus far.
This International Working Group included experts from national
governments and international intergovernmental bodies, European
universities, the private practice of law, and the private sector,
including providers of electronic authentication services. Discussion
leaders and participants are listed at the end of the resulting
International Consensus Principles.
The following principles reflect the views of business, as represented
by those who participated in the discussion of 23 April and as informed by
the other expert views expressed around the table. The term "electronic
authentication" was meant in the broadest sense, to include a variety of
authentication technologies and tools. The International Working Group
continued to recognize the need to address electronic authentication
consistent with existing legislative frameworks. In addition, perhaps in
recognition of the challenges of establishing a detailed uniformity across
a variety of national jurisdictions, the group reaffirmed a principle of
party autonomy. They suggested that wide recognition of the traditional
legal principle of freedom of contract, that is, respecting the rights of
parties, both businesses and consumers, to agree to their own requirements
for electronic authentication (so called "system rules"), subject only to
paramount public interests, could reduce the need for detailed national
legislation. The group itself did not have an opportunity to discuss in
detail what particulars might be included in the carve out for matters of
paramount public interest.
The group continued to underscore the value of harmonization of
national legal frameworks and asked states to recognize that technological
innovation and the growth of a vigorous global market in authentication
products and services will best serve users.
These international Consensus Principles are intended to facilitate
global electronic commerce based on the creation of a predictable legal
environment for electronic authentication which protects users and
reflects their needs. The working group process is intended to provide a
neutral forum for an exchange of views on a complex set of issues.
The ILPF invites and encourages public comment on these principles.
The following principles were distilled from the discussion of the
International Working Group convened in Brussels on 23 April 1999 and
represent the consensus of the group and commentary by the Internet Law
& Policy Forum. Commentary was provided by the Working Group to clarify
nature and scope of the principles.
|REMOVE LEGAL BARRIERS TO ELECTRONIC AUTHENTICATION|
Governments should identify and remove legal barriers that
hinder the recognition of electronic authentication.
An electronic authentication should not be denied legal effect
solely because of its electronic form.
COMMENTARY: Governments should address formal writing, signature, and
authentication requirements in law, regulation and policy to ensure that,
where appropriate, electronic authentications (including electronic and
digital signatures) are legally recognized. In many cases, whether or not
existing laws or regulations impose legal barriers to the recognition of
electronic authentication techniques may not be altogether clear. One
important goal of legislation in this area should be to remove any such
uncertainty. The approach for removal of such barriers differs between
legal systems and national jurisdictions.
Removing legal barriers to the recognition of electronic authentication
techniques and the removal of any related uncertainty should be the first
goal of legislation in this area - to the extent legislation is required
at all. Governments should not introduce requirements for electronic
authentication where none exist for traditional authentication.
|RESPECT FREEDOM OF CONTRACT AND PARTIES' ABILITY TO SET PROVISIONS BY AGREEMENT|
To the fullest extent possible, national laws and jurisdictions
should recognize and give full legal effect to contractual agreements
concerning the use and recognition of electronic authentication
COMMENTARY: Governments should respect party autonomy (freedom of
contract) as it relates to electronic authentication. For example, parties
to an electronic transaction should be permitted to define their use of
and reliance on specific technology and security requirements. Exceptions
may apply if there is a demonstrable and compelling public policy interest
for a government to provide a moderating or protective role, for example,
to protect the public safety or prevent fraud.
|HARMONIZATION: MAKING LAWS GOVERNING ELECTRONIC AUTHENTICATION CONSISTENT ACROSS JURISDICTIONS|
Legal rules relating to electronic authentication should be
made to operate collaboratively and provide consistent results across
jurisdictions to promote the growth of electronic transactions and
establish a predictable legal environment for the use and recognition of
electronic authentication methods.
COMMENTARY: A consistent, harmonized legal framework will promote the
growth of global electronic commerce. (Consistency or harmonization is not
synonymous with uniformity.) However, the need for legislative or
governmental action to harmonize legal rules may be reduced if users
within a "closed" system are able to set their own rules for recognition
(so-called "system rules"). Because closed systems are likely to grow
significantly in number and size, particularly at the international level,
and because these systems have the ability to create global
interoperability so long as they are left unimpeded by national
regulation, a harmonized legal framework can be fostered by providing a
reasonable level of certainty that system rules will be recognized and
enforced internationally. Neither authentication service providers nor
users will be served by a premature designation of technologies or rules
which are created for the sole purpose of erecting a uniform framework.
|AVOID DISCRIMINATION AND ERECTION OF NON-TARIFF BARRIERS|
Governments should recognize that their actions with respect to
electronic authentication can create barriers to trade. Governments should
not unreasonably discriminate against electronic authentication methods or
providers from other jurisdictions or erect improper non-tariff barriers
COMMENTARY: Electronic commerce occurs over an inherently global
medium. Users of electronic authentication can profit from free and fair
competition among service providers, including those located outside their
national jurisdiction. In addition, governments should not unreasonably
discriminate against electronic authentication technologies that originate
in other jurisdictions or against communications that are authenticated by
entities located in other jurisdictions. Governments should furthermore
not impede global competition (for example, in limiting the provision of
electronic authentication services from foreign suppliers), and should
avoid erecting improper non-tariff barriers (for example, in improperly
impeding the recognition of foreign electronic signatures).
|ALLOW FOR USE OF CURRENT OR FUTURE MEANS OF ELECTRONIC AUTHENTICATION|
Governments should not require or unduly promote the use of
particular electronic authentication means or technologies.
COMMENTARY: Governments should anticipate that authentication means
(including both the use of business practices and technology solutions)
will change over time in response to technological developments and market
demands. They should avoid any action likely, directly or indirectly, to
preclude or discourage innovation in authentication technologies or new
applications for those technologies. In particular, when a government
acts as participants in the marketplace, engaging in transactions with
citizens and other parties, it should not "lock in" particular electronic
authentication means through the force of its presence in the marketplace,
but rather should allow for changing market standards and applications for
existing and future technologies.
Standards for use of electronic authentication methods or
technologies should be market-driven to meet user needs.
COMMENTARY: Governments should avoid laws that force the private sector
to designate a particular technology for electronic authentication.
Standards (for example, for technical interoperabililty) should evolve in
response to needs in the commercial market, not by the requirements of
Working Group on International Consensus Principles
for Electronic Authentication
23 April 1999
List of Participants
||Mads Bryde Andersen, University of Copenhagen
||Chris Kuner, Morrison & Foerster LLP, Brussels
Visa International EU
Warburg Dillon Read
||NEC Europe Ltd.
Steptoe & Johnson
UK Post Office Legal Services
UK Department of Trade & Industry
University of Leuven
University of Namur