Brussels, Belgium
23 April 1999

International Consensus Principles for Electronic Authentication

The Internet Law & Policy Forum ("ILPF") convened a working group in Brussels, Belgium on 23 April 1999 to consider the high level principles presented in the ILPF's Legislative Principles For Electronic Authentication and Electronic Commerce (the Legislative Principles) within the current international context. The earlier Legislative Principles found wide use as the public dialogue over the recognition of electronic authentication began in earnest. The ILPF convened this international working group after publishing its survey of the trends in legislative proposals to address electronic authentication around the globe (the International Survey) taking into account extensive international dialogue on this complex topic thus far.

This International Working Group included experts from national governments and international intergovernmental bodies, European universities, the private practice of law, and the private sector, including providers of electronic authentication services. Discussion leaders and participants are listed at the end of the resulting International Consensus Principles.

The following principles reflect the views of business, as represented by those who participated in the discussion of 23 April and as informed by the other expert views expressed around the table. The term "electronic authentication" was meant in the broadest sense, to include a variety of authentication technologies and tools. The International Working Group continued to recognize the need to address electronic authentication consistent with existing legislative frameworks. In addition, perhaps in recognition of the challenges of establishing a detailed uniformity across a variety of national jurisdictions, the group reaffirmed a principle of party autonomy. They suggested that wide recognition of the traditional legal principle of freedom of contract, that is, respecting the rights of parties, both businesses and consumers, to agree to their own requirements for electronic authentication (so called "system rules"), subject only to paramount public interests, could reduce the need for detailed national legislation. The group itself did not have an opportunity to discuss in detail what particulars might be included in the carve out for matters of paramount public interest.

The group continued to underscore the value of harmonization of national legal frameworks and asked states to recognize that technological innovation and the growth of a vigorous global market in authentication products and services will best serve users.

These international Consensus Principles are intended to facilitate global electronic commerce based on the creation of a predictable legal environment for electronic authentication which protects users and reflects their needs. The working group process is intended to provide a neutral forum for an exchange of views on a complex set of issues.

The ILPF invites and encourages public comment on these principles.

CONSENSUS PRINCIPLES: The following principles were distilled from the discussion of the International Working Group convened in Brussels on 23 April 1999 and represent the consensus of the group and commentary by the Internet Law & Policy Forum. Commentary was provided by the Working Group to clarify the nature and scope of the principles.

REMOVE LEGAL BARRIERS TO ELECTRONIC AUTHENTICATION

Governments should identify and remove legal barriers that hinder the recognition of electronic authentication.

An electronic authentication should not be denied legal effect solely because of its electronic form.

COMMENTARY: Governments should address formal writing, signature, and authentication requirements in law, regulation and policy to ensure that, where appropriate, electronic authentications (including electronic and digital signatures) are legally recognized. In many cases, whether or not existing laws or regulations impose legal barriers to the recognition of electronic authentication techniques may not be altogether clear. One important goal of legislation in this area should be to remove any such uncertainty. The approach for removal of such barriers differs between legal systems and national jurisdictions.

Removing legal barriers to the recognition of electronic authentication techniques and the removal of any related uncertainty should be the first goal of legislation in this area - to the extent legislation is required at all. Governments should not introduce requirements for electronic authentication where none exist for traditional authentication.

RESPECT FREEDOM OF CONTRACT AND PARTIES' ABILITY TO SET PROVISIONS BY AGREEMENT

To the fullest extent possible, national laws and jurisdictions should recognize and give full legal effect to contractual agreements concerning the use and recognition of electronic authentication techniques.

COMMENTARY: Governments should respect party autonomy (freedom of contract) as it relates to electronic authentication. For example, parties to an electronic transaction should be permitted to define their use of and reliance on specific technology and security requirements. Exceptions may apply if there is a demonstrable and compelling public policy interest for a government to provide a moderating or protective role, for example, to protect the public safety or prevent fraud.

HARMONIZATION: MAKING LAWS GOVERNING ELECTRONIC AUTHENTICATION CONSISTENT ACROSS JURISDICTIONS

Legal rules relating to electronic authentication should be made to operate collaboratively and provide consistent results across jurisdictions to promote the growth of electronic transactions and establish a predictable legal environment for the use and recognition of electronic authentication methods.

COMMENTARY: A consistent, harmonized legal framework will promote the growth of global electronic commerce. (Consistency or harmonization is not synonymous with uniformity.) However, the need for legislative or governmental action to harmonize legal rules may be reduced if users within a "closed" system are able to set their own rules for recognition (so-called "system rules"). Because closed systems are likely to grow significantly in number and size, particularly at the international level, and because these systems have the ability to create global interoperability so long as they are left unimpeded by national regulation, a harmonized legal framework can be fostered by providing a reasonable level of certainty that system rules will be recognized and enforced internationally. Neither authentication service providers nor users will be served by a premature designation of technologies or rules which are created for the sole purpose of erecting a uniform framework.

AVOID DISCRIMINATION AND ERECTION OF NON-TARIFF BARRIERS

Governments should recognize that their actions with respect to electronic authentication can create barriers to trade. Governments should not unreasonably discriminate against electronic authentication methods or providers from other jurisdictions or erect improper non-tariff barriers to trade.

COMMENTARY: Electronic commerce occurs over an inherently global medium. Users of electronic authentication can profit from free and fair competition among service providers, including those located outside their national jurisdiction. In addition, governments should not unreasonably discriminate against electronic authentication technologies that originate in other jurisdictions or against communications that are authenticated by entities located in other jurisdictions. Governments should furthermore not impede global competition (for example, in limiting the provision of electronic authentication services from foreign suppliers), and should avoid erecting improper non-tariff barriers (for example, in improperly impeding the recognition of foreign electronic signatures).

ALLOW FOR USE OF CURRENT OR FUTURE MEANS OF ELECTRONIC AUTHENTICATION

Governments should not require or unduly promote the use of particular electronic authentication means or technologies.

COMMENTARY: Governments should anticipate that authentication means (including both the use of business practices and technology solutions) will change over time in response to technological developments and market demands. They should avoid any action likely, directly or indirectly, to preclude or discourage innovation in authentication technologies or new applications for those technologies. In particular, when a government acts as participants in the marketplace, engaging in transactions with citizens and other parties, it should not "lock in" particular electronic authentication means through the force of its presence in the marketplace, but rather should allow for changing market standards and applications for existing and future technologies.

PROMOTE MARKET-DRIVEN STANDARDS

Standards for use of electronic authentication methods or technologies should be market-driven to meet user needs.

COMMENTARY: Governments should avoid laws that force the private sector to designate a particular technology for electronic authentication. Standards (for example, for technical interoperabililty) should evolve in response to needs in the commercial market, not by the requirements of government.