Content Blocking Working Group
Content Blocking Report: Now Available
The Internet Law & Policy Forum commissioned a
working group
in 1996 to examine the trends in global content regulation and
technological developments designed to address content issues by
blocking or providing user-enabled filtering. The report is a
work in progress and appears on this site. The working group process
disclosed that, despite the reach of the Internet and its power to
collect and distribute information, there is no systematic collection
or examination of Internet content regulation.
Accordingly, the ILPF is expanding its working group to now
conduct a global inventory of Internet content regulation. The goal
of this effort is to amass, on a country-by-country basis, the laws
and regulations that specifically encompass Internet content
regulation. ILPF seeks to create a network of correspondents that
will voluntarily advise the Internet community through the auspices
of ILPF of emerging content regulation, enforcement activities
related to content laws and links to sites that address content
issues. Digital copies of any pertinent laws or regulations will be
archived and made available to the global Internet community.
Correspondents are invited to provide their analysis of the
particular laws or rules.
ILPF will continue to examine the trends in Internet content
regulation and plans to report on the "State of Internet Content
Regulation" annually. Periodic summaries of information received
will be provided on this site.
Individuals, groups, and organizations may submit information regarding content blocking
regulations via our ILPF Content Blocking Working Group
Submission Form.
Survey of State Electronic & Digital Signature Legislative
Initiatives
The Full Report and the appendices are available in .pdf
format.
PROJECT OVERVIEW
The Internet Law & Policy Forum ("ILPF")
commissioned Perkins Coie to survey
current legislative efforts
by individual states in the United States and drafting committees
concerning digital and electronic signatures to assist the ILPF
Digital Signature Working Group in considering model state legislation.
This report provides a state-by-state comparison of electronic
authentication initiatives and a summary and analysis of trends.
The terms of reference of the Working Group and project schedule
are available on ILPF's web site. The text
of all of the state initiatives and related resources have been
collected on ILPF's web site as well. ILPF seeks public comment
on this report, particularly in regard to the categorization of
state initiatives, information on any new initiatives, or corrections
to the report. Any comments should be forwarded for consideration
to the ILPF via its web site or to the authors of this report,
John P. Morgan
and Albert Gidari.
I. BACKGROUND
Legislators are faced with unique and fundamental policy choices
regarding the role of government in the development of electronic
commerce. Recognizing that government must play a role in enabling
electronic commerce by removing traditional barriers, nearly every
state has sought to eliminate barriers caused by traditional writing
and signature requirements by drafting legislation designed to
permit the authentication of documents and signatures through
electronic means. In the electronic environment, however, the
authentication of documents and signatures is considerably more
difficult than in the traditional written environment. An original
message may be virtually indistinguishable from a copy, and the
potential for fraud is heightened by the ease of alteration.
New challenges, therefore, arise in determining government's function,
if any, in solving problems unique to electronic authentication
such as issues of data integrity, non-repudiation, evidentiary
standards, choice of technology, liability standards, contractual
freedom, consumer protection, and cross-border recognition of
electronically signed documents.
In the international arena, numerous governments and organizations
have called for private sector leadership in developing electronic
commerce principles rather than premature government regulation.
However, these policy initiatives also recognize that government
may serve an essential facilitating role by eliminating barriers
and providing a broad legal framework to protect the interests
of the public.
In the United States, 40 states either have considered or enacted
electronic authentication laws. Thirteen states have initiated
task forces to study the various impacts of electronic commerce
and traditional writing and signature requirements. See
Appendices A & B. Although the numbers suggest that
there has been a flurry of substantive activity, in fact, most
legislation has been narrow in scope. While 21 states have proposed
31 laws that encompass public and private sector communications
("general" laws), only ten states have enacted 13 such
laws. Instead, most legislative activity has involved laws that
have a "limited" transactional scope; that is, laws
that apply only in a government or narrow private sector context
such as the use of electronic signatures by health care providers
or for motor vehicle registration. Indeed, twenty-eight states
have introduced 48 limited statutes. Of these, 23 states have
enacted 36 limited laws. See Appendices B & C.
II. AUTHENTICATION MODELS
A variety of authentication models have been considered or enacted
by the states. The vast majority of all legislative initiatives
enacted by state legislatures were electronic signature laws while
only a handful have enacted digital signature laws.
While the distinction between an electronic and digital signature
is an important one, the terms frequently are used interchangeably.
For purposes of consistent analysis here, "electronic signature"
means any identifiers such as letters, characters, or symbols,
manifested by electronic or similar means, executed or adopted
by a party to a transaction with an intent to authenticate a writing.
A writing, therefore, is deemed to be electronically signed if
an electronic signature is logically associated with such writing.
In contrast to an electronic signature, a "digital signature"
is an electronic identifier that utilizes an information security
measure, most commonly cryptography, to ensure the integrity,
authenticity, and nonrepudiation of the information to which it
corresponds. Cryptography refers to a field of applied mathematics
in which digital information may be transformed into unintelligible
code and subsequently translated back into its original form.
In public key cryptography or asymmetric cryptography, an algorithmic
function is used to create two mathematically related or complementary
"keys." One key is used to code the information while
the other is used to decode it. Cryptography can be used to ensure
the confidentiality of data (i.e., encryption) and to verify the
authenticity and integrity of transmitted data. The advantage
of public key cryptography is that it allows the confidential
transmission of information in open networks where parties do
not know one another in advance or share secret key information.
In an open network context, public key encryption depends on the
public and private use of these complementary algorithmic keys.
The "public" key is associated with a particular party
and is made readily available in a directory. A trusted third
party or certification authority can authenticate the relationship
between a public key and its owner thereby ensuring public confidence
in the use of the readily available key. This public key is then
used to encrypt a message or data to be sent to the person associated
with the key. The recipient of the encrypted message then uses
his or her "private" key to decrypt the information.
The "private key" is so named because it must remain
secret in order for the process to be secure, for while the public
key of a particular party is known to the public, only the private
key can be used to decrypt. With strong encryption, it is virtually
impossible to derive the private key from its public counterpart.
In the context of "digital signatures," the process
essentially is reversed. First, a signer uses a "hash"
function to create a compressed form of the message to be sent.
This "message digest" is unique to the message and
can be used subsequently to verify the authenticity of the document
once received. Before sending the document electronically, the
signer applies the private key to the message digest thereby encrypting
it and creating a secure digital signature. The document may
then be sent (perhaps encrypted with the receiver's public key)
along with the digital signature. Upon receipt, the digital signature
can be decrypted with the signer's public key and the message
digest can be used to verify the contents of the electronic document.
The creation of an open public cryptographic system has commonly
been referred to as public key infrastructure ("PKI").
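The hash-then-sign sequence described above, as an added illustration that is not part of the original report: the code hashes a message with SHA-256, applies the signer's private RSA exponent to the encoded digest, and verifies with the public key, so that a changed message or a different key fails verification. The key material, the sample message and all function names are constructed for this example; the Mersenne-prime keys keep it deterministic and are not suitable for real use.

```python
import hashlib
import hmac

# DER prefix that identifies SHA-256 inside a PKCS #1 v1.5 DigestInfo.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
E = 65537  # conventional public exponent


def make_key(p: int, q: int) -> dict:
    """Build an RSA key from two primes (constructed demo values only)."""
    n = p * q
    return {
        "n": n,                                  # public modulus
        "e": E,                                  # public exponent
        "d": pow(E, -1, (p - 1) * (q - 1)),      # private exponent (secret)
        "k": (n.bit_length() + 7) // 8,          # modulus length in bytes
    }


# Constructed keys. Mersenne primes have a special form that makes them
# unsuitable for production keys; they are used here to avoid dependencies.
SIGNER = make_key(2**521 - 1, 2**607 - 1)
OTHER = make_key(2**607 - 1, 2**1279 - 1)


def encode_digest(message: bytes, k: int) -> bytes:
    """Hash the message and wrap the digest in PKCS #1 v1.5 signature padding."""
    digest = hashlib.sha256(message).digest()    # the "message digest"
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message: bytes, key: dict) -> int:
    """Signer side: apply the private exponent to the encoded digest."""
    em = int.from_bytes(encode_digest(message, key["k"]), "big")
    return pow(em, key["d"], key["n"])


def verify(message: bytes, signature: int, key: dict) -> bool:
    """Recipient side: uses only the public values n, e and k.

    The recovered block is compared byte for byte against a freshly encoded
    digest of the received message, rather than parsed, so malformed padding
    cannot be accepted.
    """
    if not 0 < signature < key["n"]:
        return False
    recovered = pow(signature, key["e"], key["n"]).to_bytes(key["k"], "big")
    return hmac.compare_digest(recovered, encode_digest(message, key["k"]))


def demo() -> dict:
    message = b"Constructed sample: purchase order 1001, 40 units"
    signature = sign(message, SIGNER)
    return {
        "original": verify(message, signature, SIGNER),
        "altered": verify(message.replace(b"40", b"90"), signature, SIGNER),
        "wrong_key": verify(message, signature, OTHER),
    }


if __name__ == "__main__":
    print(demo())
```
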
Thirty-three of 49 electronic signature statutes introduced (23
of 28 states) were enacted. Nearly all of these laws were
"limited"
in scope. With respect to digital signature laws, only ten of
21 initiatives introduced (7 of 14 states) were enacted. Florida,
New Hampshire, and Oregon have approved legislation for both.
See Appendices B & E.
Most of the electronic and digital signature initiatives fall
into three categories: prescriptive, criteria-based, and signature
enabling. See Appendix D. The prescriptive states delineate
specific PKI schemes for digital signatures and typically have
"general" applicability. Utah's model is predominant
among the prescriptive states, accounting for ten of the 18 states
using a prescriptive PKI digital signature approach. The criteria-based
states recognize the authentication of digital or electronic signatures,
provided the signatures satisfy certain criteria of reliability
and security. California is the leading model and has been uniformly
followed by states utilizing the criteria-based approach. The
signature enabling states take the most modest approach by recognizing
electronic signatures and documents in a manner that is parallel
to traditional signature and writing laws. These laws are
technology-neutral
in that they adopt no specific technological approach or criteria.
Massachusetts has taken the representative lead in this area.
These various approaches are discussed in more detail below.
A. Prescriptive Approach
The prescriptive approach is a comprehensive effort that seeks
to enable and facilitate electronic commerce with the recognition
of digital signatures through a specific regulatory and statutory
framework. It establishes a detailed PKI licensing scheme (albeit
voluntary), allocates duties between contracting parties, prescribes
liability standards, and creates evidentiary presumptions and
standards for signature or document authentication.
On the whole, 18 states have adopted or considered PKI-based digital
signature laws. Of these, 14 states have addressed digital signatures
alone while four states have considered giving effect to both
electronic and digital signatures. See Appendix E.
California may also be included in this latter category with
the recent promulgation of proposed regulations by the Secretary
of State that approve of PKI and digital signature use.
The leading model for the prescriptive approach is the Utah Digital
Signature Act. Utah Code § 46-3-101 et seq.
Utah's digital signature law originally was enacted in 1995 and
significantly amended in 1996 by Utah Senate Bill 188. This legislation
was influenced heavily by the efforts of the American Bar Association
Information Security Committee (the "Security Committee").
Over a four-year period, the Security Committee had sought to
draft a model law for digital signatures. However, given the
diverse views on several key areas such as a subscriber's duty
of care, the Security Committee produced the Digital Signature
Guidelines (the "Guidelines") in the summer
of 1995 in lieu of a model law. The Utah Digital Signature Act
and the Guidelines have been very influential in shaping
other states' legislative initiatives (together
"Utah/Guidelines"
model).
The Utah/Guidelines model attempts to delineate a comprehensive
scheme for the recognition of digital signatures in a PKI environment
utilizing state-licensed certification authorities ("CAs").
The model can be divided into four main categories: (1) licensing
of CAs; (2) issuance, suspension, and revocation of certificates
issued by CAs; (3) duties, warranties, and obligations of licensed
CAs, subscribers, third parties, and key repositories; and (4)
rules regarding the recognition and validity of digital signatures.
Some key attributes of these areas include:
- Regulatory authority is vested with the Secretary of State
or other agency, which may serve as a CA;
- "Voluntary" licensing scheme for CAs--unlicensed
CAs lose evidentiary presumptions of authenticity and civil liability
limitations;
- CA liability limited by certificate statements; statutorily
liable only for direct, compensatory reliance damages;
- A digital signature is self-authenticating if (1) it is verified
as valid by a public key listed with a licensed CA; (2) it was
affixed with the intention of signing a message; and (3) the recipient
has no knowledge either of a breach of duty by the subscriber
or that the signer does not rightfully hold the private key affixed to the message;
- Writing requirements are met if (1) the message bears a digital
signature and (2) that signature is verified by a valid licensed
public key;
- Auditing and bonding requirements for CAs;
- Cross-border recognition for states whose licensing or authorization
requirements are substantially similar if the Secretary
of State recognizes the CAs by rule; and
- Subscribers have a duty of reasonable care in control of private
keys and must indemnify CAs.
Although the Utah/Guidelines model has received considerable
attention, it has not, in fact, been widely followed. Seven states
have considered but not adopted the Utah/Guidelines
model: Hawaii, Maryland, Michigan, New York, Rhode Island,
Vermont, and Virginia. Although incorporating most of the model,
draft legislation in Virginia and Hawaii notably deleted the cross-border
recognition provision. Numerous other states have adopted or
considered Utah's definition of a digital signature without adopting
the model itself. Minnesota and Washington are the only states
to enact the Utah/Guidelines model with some variation.
See Appendices C & D. For example, Washington has
enacted legislation that allows the parties, with some exception,
to alter the terms of the statute by contract.
B. Alternatives to the Prescriptive-PKI Model
The Utah/Guidelines model likely has not had more impact
due to its inherently regulatory and prescriptive nature. By
selecting PKI as the baseline for electronic authentication, the
model may be viewed as technology-forcing. Although it is ostensibly
"voluntary," the favorable liability limits and evidentiary
presumption associated with state licensing likely will impair
alternatives. No presumptions or liability limits are afforded
to other technological solutions that may have comparable or superior
security or trustworthiness. For this reason, many states have
sought legislative alternatives that more broadly address electronic
authentication and have more flexibility. Generally, these alternatives
utilize a technology-neutral approach and eschew any specific
liability regime in order to avoid market-distorting effects in
the emerging technology fields of electronic commerce.
Thirty-one states have or are considering 58 statutes that address
electronic signature or electronic authentication standards.
See Appendix E. Fifty-five of these initiatives representing
29 states may be divided between the criteria-based and enabling
categories. See Appendix D.
1. Criteria-Based Approach
The predominant model for criteria-based laws is the "California"
authentication standard. Akin to an evidentiary standard, the
California model incorporates some requirements into the definition
of an electronic signature in order to satisfy security and trustworthiness
concerns. An electronic signature is legally effective if it
is:
- Unique to the person using it;
- Capable of verification;
- Under the sole control of the person using it;
- Linked to the data in such a manner that if the data is changed
the signature is invalidated; and
- In conformity with regulations adopted by the appropriate
state agency, usually the Secretary of State.
Cal. Gov't Code § 16.5(a) (1995). Prior to the model's
enactment, the California legislature explicitly considered and
rejected the Utah/Guidelines model, in part, due to concerns
of market distortion and technological neutrality.
The California criteria-based approach has proven quite flexible
for various state legislators. The broad criteria may apply both
to electronic and digital signatures since they are designed to lay
out the requirements for trustworthiness and security. For example,
the California Secretary of State has recently published its Proposed
Digital Signature Regulations, in which it adopts two acceptable
technologies: PKI digital signatures and signature dynamics.
Indiana has adopted the California criteria as a prerequisite
for the recognition of digital signatures. Illinois is considering
the criteria as a basis for evaluating whether an electronic signature
may be deemed "secure." The first four elements of
the California standard also have been used in legislation from
New Hampshire, Rhode Island, and Virginia as optional criteria
that the trier of fact may consider when evaluating the
authenticity of an electronic signature.
On the whole, 11 states have 19 initiatives that incorporate the
criteria-based approach. Ten states have adopted the California
standard into law. See Appendix D. Nine of the enacted
laws, California's among them, are "limited" in scope.
See Appendix A. Georgia, Kansas, New Hampshire and
Virginia have enacted "general" statutes that use the
California criteria-based approach. Electronic signature laws
enacted in Georgia and Kansas are unique because the criteria
are incorporated into the definition of an electronic signature.
2. Signature-Enabling Approach
The remaining legislative initiatives fall within the signature-enabling
category. The "general" laws permit any electronic
mark that is intended to authenticate a writing to satisfy a signature
requirement. See Appendix D. The net effect of this
approach is to give legal recognition to both digital and electronic
signatures for statutory and common law writing and signature
requirements.
An early example of this approach is Florida's Electronic Signature
Act of 1996, Fla. Stat. § 1.01 (1996 Fla. H.B. 942).
The key elements of the operative terms are:
- The word "writing" includes handwriting, printing,
typewriting and all other methods and means of forming letters
and characters upon paper, stone, wood, or other materials. The
word "writing" also includes information which is created
or stored in any electronic medium and is retrievable in perceivable
form.
- "Electronic signature" means any letters, characters,
or symbols, manifested by electronic or similar means, executed
or adopted by a party with an intent to authenticate a writing.
A writing is electronically signed if an electronic signature
is logically associated with such writing.
- Unless otherwise provided by law, an electronic signature
may be used to sign a writing and shall have the same force and
effect as a written signature.
Massachusetts also is representative. Massachusetts has put forward
the most modest position regarding electronic authentication due
to similar concerns voiced in California regarding the potential
for market distortions and the need for technological neutrality.
Massachusetts, however, does not adopt any particular authentication
criteria like California in removing signature and writing barriers.
Massachusetts' draft legislation provides, in part:
Section 1. Definitions.
As used in this chapter, the following terms have the following
meaning:
"Record" means information that is inscribed on a tangible
medium or that is stored in an electronic or other medium and
is retrievable in perceivable form. The term "record"
includes, without limitation, electronic records and written records.
"Signed" or "signature" includes electronic
and digital signature methods.
Section 2. Electronic Records and Signatures.
(a) Where the law requires information to be in writing, that
requirement is met by a record. In any legal proceeding, a record
shall not be inadmissible in evidence on the sole ground that
it is an electronic record. Any duplicate record that accurately
reproduces the original record shall be admissible in evidence
as the original itself unless in the circumstances it would be
unfair to admit the duplicate in lieu of the original.
(b) Where the law requires a signature of a person, that requirement
is met by that person's electronic signature. Where any rule
of law requires a signature to be notarized or acknowledged for
filing, that rule is satisfied by an electronic signature that
meets standards established by the secretary of the commonwealth.
(c) This section shall not apply:
(i) when its application would be inconsistent with the manifest
intent of the parties;
(ii) when its application would involve a construction of a rule
of law that is clearly inconsistent with the manifest intent of
the law making body or repugnant to the context of the same rule
of law, provided that the mere requirement that a record be "in
writing" or "written" shall not by itself be sufficient
to establish such intent.
Massachusetts' approach also differs from Florida's in its use
of a "record" to address writing and signature requirements,
which derives from the United Nations Commission on International
Trade Law's Model Law on Electronic Commerce ("UNCITRAL
Model Law") and is consistent with language used by the National
Conference of Commissioners on Uniform State Laws ("NCCUSL")
in revising the Uniform Commercial Code ("UCC") Articles
2B and 4B.
On the whole, 27 states have or are considering the enabling approach.
Twenty-two states enacted legislation of which five had "general"
applicability. The bulk of the initiatives considered remain
in the "limited" class. See Appendix D.
In general, all of these states are silent regarding such issues
as certification authority standards, cross-border recognition,
and liability issues. The marketplace and existing laws are left
to resolve unanswered questions. Although electronic signatures
are recognized, no evidentiary presumptions attach to the use
of either electronic or digital signatures. This is in sharp
contrast to those states that have addressed digital signatures
alone. Thus, this approach is merely "enabling" in
that the policy objective simply is to remove writing and signature
barriers without endeavoring to facilitate any form of development.
C. Hybrid Approach
Of all the legislation introduced over the past two years, only
Florida, Illinois, New Hampshire, and Oregon authored electronic
authentication statutes that addressed both electronic and digital
signatures. All four give general recognition to electronic signatures
and authorize digital signatures in varying degrees of specificity.
The comprehensive draft legislation being circulated by the Illinois
Attorney General Commission on Electronic Commerce and Crime falls
between the Massachusetts and Utah/Guidelines model approach
and incorporates aspects of California's criteria-based model.
The Illinois draft gives broad recognition to electronic signatures,
adopting many provisions of the UNCITRAL Model Law. The legislation
creates a new category of electronic signature based on the California
criteria model called "secure electronic signatures."
Signatures that qualify are accorded rebuttable evidentiary presumptions
regarding the genuineness and integrity of the signature. Parties
to a transaction may select from a security procedure that is
defined by the statute or one that is commercially reasonable
and agreed to by the parties.
The "secure status" of a secure electronic signature
may be challenged (1) by evidence indicating either that a security
procedure authorized by the statute is generally not trustworthy
or a security procedure agreed to by the parties is not commercially
reasonable or implemented in an untrustworthy manner, or (2) by
evidence suggesting that the relying party's reliance was not
reasonable. Factors affecting the "reasonableness"
of a recipient's reliance upon a signature also may be considered,
including the relying party's knowledge, course of dealing, and
trade usage. The security procedure authorized by the statute
is the use of digital signatures. Electronic records that are
signed with digital signatures may constitute a secure electronic
record if the digital signature is created and verified by a valid
certificate that is considered trustworthy.
The Illinois draft is more flexible and less restrictive than
the Utah/Guidelines model in creating a PKI scheme, allocating
presumptions, and authorizing the use of digital signatures.
The Secretary of State is authorized to take several steps to
ensure the quality of certificates issued including the adoption
of certain security standards for CAs, voluntary licensing, and
third party accreditation. Compliance with the Secretary of State's
quality control measures will give rise to a rebuttable presumption
of trustworthiness, but a default rule also permits trustworthiness
to be found by the trier of fact. Like the Utah/Guidelines
model, the ultimate burden of going forward with some evidence
(burden of persuasion) is placed upon the party challenging the
integrity of the record or the genuineness of the signature.
The important distinction between the Illinois draft and the
Utah/Guidelines
model is that the presumptions generically apply to secure electronic
signatures rather than digital signatures exclusively.
There are no express CA auditing or bonding provisions and the
Secretary of State is not authorized to serve as a CA. CA liability
is not statutorily limited but may be limited by the CA's certification
statements. Subscribers have a duty of care (reasonableness)
in holding their private keys secure. CAs have a similar duty
to use trustworthy methods and may be bound by certain warranties.
Like the Washington law, the Illinois draft also has a blanket
authorization to vary its terms by agreement, the only other legislative
initiative to do so.
NCCUSL also is drafting its Uniform Electronic Transactions Act.
The current draft adopts many of the initial enabling provisions
of the UNCITRAL Model Law that give legal recognition to electronic
signatures and documents (records). In addition, the NCCUSL draft
has adopted the Illinois concept of a "secure electronic
record" and "secure electronic signature" and utilizes
the California criteria as a litmus test before according any
evidentiary presumptions. Its definition of "security procedure"
is broad and encompasses the familiar UCC concept of commercial
reasonability. Unlike the Illinois draft however, the NCCUSL
draft makes no attempt to facilitate the development of the prescriptive
digital signature/PKI model by linking evidentiary presumptions
with digital signatures. The determination of "security"
with its associated presumptions stands independently. Overall,
the NCCUSL draft endeavors to be more technology-neutral.
III. CONCLUSIONS
There is no uniformity in state approaches to electronic authentication.
States have been most active in deciding appropriate authentication
standards for limited transactions with government or discrete
areas of private law such as medical records. No electronic authentication
model has come to dominate the legislative marketplace and experimentation
continues.
This report finds that legislative efforts have been focused predominantly
on enacting limited electronic signature laws as opposed to general
laws. In the "general" class of statutes, seven states
have enacted legislation adopting PKI with three using the
Utah/Guidelines
model; four states have enacted legislation utilizing the
California-criteria
model of which two use the criteria permissively; and five states
have enacted signature-enabling legislation. See Appendix D.
This contrasts sharply with the 36 limited laws enacted of the
48 proposed during the same time period. See Appendix
E.
As evidenced by the hybrid approaches of NCCUSL and Illinois,
the recent trend is toward legislation that: (a) at a minimum,
enables electronic commerce by recognizing that the primary objective
of electronic authentication is the removal of barriers associated
with traditional writing and signature requirements and (b) establishes
evidentiary presumptions in favor of the electronic signature
user based on security and trustworthiness standards. The pattern
suggests that as security measures increase and provide heightened
indicia of trustworthiness, stronger evidentiary presumptions
may attach.
The trend analysis also reveals what is absent from the various
state initiatives. For example, only the prescriptive model addresses
cross-border recognition of electronic or digital signatures.
The Utah/Guidelines model only recognizes digital signatures
originating in states that have "substantially similar"
authentication and licensing standards and that are recognized
by the state regulatory authority by rule. Florida is the only
state with a prescriptive statute that requires less and authorizes
reciprocity. Additionally, no state initiative addresses choice
of law or choice of forum issues with the exception of the NCCUSL
draft which essentially adopts conflict of laws common law principles.
Thus, there is a legislative gap and no certainty as to whether
an electronic signature will be given full force and effect outside
of the state in which it was affixed and what law will be used
to determine its effect if it is recognized.
Finally, states that have considered or adopted the prescriptive
model have uniformly looked to state licensing schemes to ensure
trustworthiness. By contrast, Illinois is the only state to consider
recognizing the role of non-governmental or private sector third-parties
in establishing through accreditation the trustworthiness and
security of an electronic authentication.
Albert Gidari, Esq.
(gidaa@perkinscoie.com)
John P. Morgan, Esq.
(morgo@perkinscoie.com)
Perkins Coie
1201 Third Avenue, 40th Floor
Seattle, WA 98101
+1 (206) 583-8888
+1 (206) 583-8500 (fax)
This Digital Signature list is maintained by
Perkins Coie.
All rights reserved.