Legislative Principles for Electronic Authentication & Electronic Commerce

The Internet Law & Policy Forum ("ILPF") convened a working group in Washington, D.C., on October 23-24, 1997, to draft a set of legislative principles for electronic authentication of signatures. ILPF convened the working group after completion of a comprehensive survey of state laws and initiatives in the United States that disclosed a patchwork of inconsistent state regulation and the absence of any standard for the cross-border recognition of electronic signatures.

The ILPF-sponsored meeting yielded broad consensus among participants that states should act to remove barriers to electronic transactions that arise from uncertainties related to signature requirements. The working group also agreed that it was important for states to harmonize electronic authentication rules and regulations.

The working group underscored as fundamental the need to preserve -- and for states to respect -- the ability of parties to agree on their own requirements for electronic transactions and signatures. And, as between parties in different states, cross-border recognition and enforcement of electronic transactions and signatures were felt to be paramount, especially given the global nature of electronic commerce.

ILPF provides a neutral forum for objective examination of issues that affect the growth of the Internet economy. This working group was comprised of experts in electronic authentication from federal and state government, academia, and the private sector, including several representatives of certificate authorities in the United States and internationally. Reports were received on the progress of other electronic authentication initiatives including reports from representatives of, or participants in, the National Conference of Commissioners on Uniform State Laws, the American Bar Association, the International Chamber of Commerce, the United Nations Commission on International Trade Law, the World Wide Web Consortium, and CommerceNet.

ILPF's draft principles are intended to facilitate the creation of a predictable legal environment for electronic commerce based on recognition of electronic authentication of signatures and records. ILPF will take public comment on the draft principles via its web site at over the next 30 days.

CONSENSUS PRINCIPLES:

There was strong consensus among the working group for the following core principles for electronic authentication of electronic transactions and signatures. The commentary is provided for further illumination of the principles.

REMOVE BARRIERS TO ELECTRONIC TRANSACTIONS AND SIGNATURES

States should identify and eliminate barriers to electronic transactions that arise from uncertainties related to the recognition of electronic signatures. Specifically, states should address the formal writing and signature requirements in law, regulation and policy in any branch of government to ensure that, where appropriate, electronic signatures and records are recognized.

RECOGNIZE EQUIVALENCY OF SIGNATURE AND RECORD REQUIREMENTS

Electronic signatures and records should be treated as the equivalent of traditional signatures and records if they are sufficiently reliable for the purpose for which the signature or record is required.

HARMONIZE LAWS GOVERNING ELECTRONIC SIGNATURE

States should harmonize the laws relating to the use and recognition of electronic signatures. Harmonization is essential to the growth of electronic transactions and the establishment of a predictable legal environment.

ENSURE THE CROSS-BORDER RECOGNITION AND ENFORCEMENT OF ELECTRONIC TRANSACTIONS AND SIGNATURES

States should avoid the exclusion of signatures authenticated in other jurisdictions and refrain from imposing unnecessary or impeding processes that delay recognition of electronically authenticated signatures originating in other jurisdictions.

RECOGNIZE INTERNATIONAL TRADE IMPLICATIONS THAT ARISE FROM STATE ELECTRONIC AUTHENTICATION LAWS

States should avoid using electronic authentication laws to erect non-tariff trade barriers to electronic commerce. Such barriers can arise when, for example, a law imposes unnecessary process delays for recognizing electronic signatures.

RESPECT FREEDOM OF CONTRACT AND PARTIES' ABILITY TO VARY PROVISIONS BY AGREEMENT

Electronic authentication laws should permit any party to an electronic transaction, including a certificate authority, to vary the terms of any electronic authentication law, rule or regulation by mutual agreement.

ALLOW FOR USE OF CURRENT OR FUTURE AUTHENTICATION MEANS

Electronic authentication means should not be "locked in" through legislative fiat but rather should allow for changing market standards and applications for existing and future technologies. "Means" includes both the use of business practices and authentication technology. States should anticipate that authentication means will change over time and avoid legislation that might preclude innovation or new applications.

STANDARDS SHOULD BE DETERMINED BY THE PRIVATE SECTOR AND BE MARKET DRIVEN

The private sector should determine the standards for electronic authentication. The government maintains its traditional role in consumer protection and fraud prevention. When government acts as a participant in the marketplace, it should avoid market distorting effects to the maximum extent possible when it chooses electronic authentication requirements for its transactions. The same principle applies when government acts as a regulator. This principle also applies to accreditation of authentication means. As a general rule, accreditation is preferred to government licensing, which if used at all, should be consistent with or rely on private sector practices to the maximum extent possible.

FOR FURTHER DISCUSSION:

The following principle was viewed as an important contribution, but still in need of further refinement and discussion.

MAINTAIN "TECHNOLOGY NEUTRAL" APPROACH TO ELECTRONIC AUTHENTICATION

There was some disagreement about how to define the term "technology neutral." There was consensus that states should avoid laws that force the private sector to adopt a particular technology for electronic authentication. The impact of this principle on those laws that recognize only the use of an electronic authentication means that relies on public key infrastructure (PKI) was a significant concern. For the most part, it was agreed that PKI, where enacted, should not preclude other methods of authenticating signatures where appropriate. It was important for many participants that states understand that PKI is not synonymous with electronic authentication and that there are and will be numerous means to authenticate signatures that will be sufficiently reliable for a given purpose and that do not rely on PKI.