Presentation and International Discussion
10 September 2000
San Francisco, California

The ILPF invites public comment on this report.
Please submit comments to admin@ilpf.org

REPORT

On 10 September 2000, members of the Internet Law & Policy Forum and international experts listed at the end of this Report met in San Francisco to hear the first public presentation on an ILPF-commissioned paper, An Analysis of International Electronic and Digital Signature Implementation Initiatives (the International Implementation Survey) ^[1]and to discuss legal and policy issues raised by the current proliferation of such initiatives. 

The International Implementation Analysis is the third ILPF-commissioned survey of digital and electronic signature efforts.   In 1997 in response to a growing number of differing state legislative initiatives within the United States, the ILPF introduced  Legislative Principles for Electronic Authentication (1997), http://www.ilpf.org/digsig/principles.htm, then issued a United States Survey (1998), http://www.ilpf.org/digsig/update.htm, to track continued state enactments.  In February 1999, the ILPF published a second survey, this one international in scope, http://www.ilpf.org/digsig/survey.htm, and issued International Consensus Principles, http://www.ilpf.org/digsig/intlprin.htm. ^[2]  The surveys and principles, particularly the International Consensus Principles, were intended to facilitate the creation of an environment for electronic authentication in which users could be assured of the protections of technological advances and recognition of signatures across state and national boundaries.

A growing number of governments are now passing electronic signature legislation ^[3]: The EU Directive has taken effect, a number of nations have adopted legislation, and work on the UNCITRAL model rules has progressed.  In addition, a number of entities - governmental, private industry, and combinations of the two - has begun to draft detailed specifications.  Accordingly, the ILPF again commissioned a survey, this time of "implementation" initiatives.  The term "implementation" initiatives was broadly defined to include almost any set of detailed criteria, most notably (1) standards for granting enhanced legal effects to a methodology and (2) certification or licensing requirements for service providers.

The ILPF commissioned this latest survey first to catalog as many implementation proposals, public and private, as could be identified, and then to see whether its International Consensus Principles, necessarily a set of high level statements, maintained validity in the context of detailed specificity inherent in many implementation schemes.

The following themes and observations emerged in the presentation and expert, international discussion of this International Implementation Analysis.

Chris Kuner opened the 10 September Session with an overview of the purpose of the International Implementation Analysis: to inventory and provide specific analysis of current implementation proposals globally.  The resulting detail is set out in Part III, the Appendix to the Analysis.  Mr. Kuner emphasized the proliferation of implementation initiatives and voiced his view that the number and kinds of differences among the proposals created a real risk to the use of electronic and digital signatures across borders.  The Analysis concludes:

With regard to the number of such implementation schemes, it can be seen from the table (Part III of this paper) that nearly all of the industrialized nations have at least initiated a national accreditation, certification, or standardization scheme for electronic signature products and services.  One must ask why so many nationally-based schemes are necessary, and why there is not more reliance on a few, larger-scale schemes that could be tailored for a region, or a particular legal system.  One could argue that competition will result among the schemes, leading to a "survival of the fittest", which may well be true to some extent; but at the same time, having nearly every country adopt its own implementation scheme for electronic signatures carries the risk of leading to a patchwork of inconsistent national systems that may well imperil international legal interoperability.

Stewart Baker then surveyed implementation initiatives against the ILPF Consensus Principles, and vice versa.  His "report card" for governments, reflecting a grading system ranging from "A", the highest rating, to "F" for a failing mark, on legislative electronic signature efforts taken as a whole, was as follows:

ILPF International Consensus Principle	Mark
Removing Barriers to Electronic Authentication	A
Respecting Freedom of Contract	B+
Making Laws Governing Electronic Authentication Consistent Across Jurisdictions	B
Avoiding Discrimination and Erection of Non-Tariff Barriers	C
Allowing for Use of Current or Future Means of Electronic Authentication (Technological Neutrality)	D
Promoting Market-Driven Standards	C

In particular, Mr. Baker noted that registration and licensing requirements can create a disincentive to cross border recognition unless the provider which seeks licensing is heavily capitalized and can comply with registration requirements in multiple jurisdictions.  He also noted his view that ISSE standards (Information Security Solutions Europe) reflected more government involvement than usual for an industry-led group.  Finally, Mr. Baker offered his opinion that the ILPF should be prepared to modify its International Consensus Principles on technological neutrality and non tariff barriers to allow for a more nuanced approach.  In his view, some specification of detail is necessarily a part of the legislative approach in many national laws, particularly for those nations which grant a higher level of legal presumption to some but not all kinds of electronic and digital signatures.

Security and the Role of Governments. Not surprisingly, participants agreed that the need for security of online information would only increase as use of the Internet increased.  One participant emphasized the importance of security for e business.  As explained, the Internet was designed as a free network for widespread sharing of information.  To use so fundamentally open a network for commercial applications such as e commerce would require the technical ability to close or block access to that portion of the network used by a business to conduct its own transactions and communications -  much the concept of a virtual private network.  In this speaker’s view, this need to limit access would be contrary to the original nature of the Net and would ultimately require technical solutions beyond the applications level to make electronic authentication work as a network "access limiting device". 

Participants noted that the need for security has been a strong justification for government action in the marketplace.  Government designation of the specifics of implementation can be seen as necessary and appropriate to ensure a level of security and trust essential for consumers to embrace electronic commerce, to designate a technology in order to assure widespread use and lower cost, to structure a legal framework which reflects cultural preferences, to regulate (or license) providers of certificate services to consumers, or to set some legally-required levels of duty.  Other participants, however, saw a higher level of government involvement in the marketplace as an attempt to create a need for authentication, particularly for consumers, and pull an industry into a current vacuum in the marketplace.  The danger of such an approach, noted one participant, is that governments have a tendency to require the design of a Ferrari when a simple and less costly truck would do the job.  

A difference of opinion about the appropriate role of government in creating trust is not new.  The issue has been fundamental and dialogue has been ongoing, from the beginning of the international conversations on electronic signature legislation.  One of the ILPF International Consensus Principles favored a more limited role for governments:

Standards for use of electronic authentication methods or technologies should be market-driven to meet user needs.

COMMENTARY: Governments should avoid laws that force the private sector to designate a particular technology for electronic authentication.  Standards (for example, for technical interoperability) should evolve in response to needs in the commercial market, not by the requirement of government.

Significantly, participants noted one way to balance a purely market-driven approach with a stronger role for government. Appropriate government regulation might be a matter of timing. The most effective sequence might be to grant wide party autonomy to closed systems allowing this market segment to develop on its own.  Closed systems are beginning to expand, particularly within an industry, for example, banking, but also for non-industry-specific online exchanges across national boundaries.  Speakers urged that these private solutions be allowed to flourish and provide experience to guide further government intervention.   The flourishing of "closed" systems would be the "key in the ignition" to drive widespread, cost-effective use of electronic signatures forward. The aggrieved consumer was seen as the wrong starting place from which to consider the role of the government because existing consumer laws are so complex, consumer applications have not yet developed, and consumer protection often calls forth a most zealous response.

The Need to Distinguish between Technical and Legal Standards. Participants noted the dialogue on implementation and standards was often confused by a failure to distinguish standards which are proposed to resolve technical issues from those which could be used to specify legal effect.  Crafting details necessary to designate the kinds of authentication methodologies entitled to a higher level of legal effect without hindering users’ ability to move to more advanced technology remains a challenge.  Using detailed standards developed for technological purposes as determinants of legal effect was seen as particularly harmful to technological neutrality, party autonomy and cross border legal interoperability.

In this context, one participant argued for a minimalist approach as the strongest protection for users of digital and electronic signatures.  Drafting legislation and regulation with the highest level of abstraction possible would allow courts to exercise maximum discretion to give recognition to a signature user’s choice of methodology and intent to be bound.  This participant gave voice to the view that too many regulatory requirements would deter rather than encourage the use of electronic signatures.

 Cross Border Issues and the Need for Mutual Recognition.   Agreeing on rules for mutual recognition of signatures across borders^[4]  was seen by many participants as the next important step, but as Chris Kuner noted, even the term "mutual recognition" has different meanings.  To some, mutual recognition is more limited. Recognition is only granted if the regulatory scheme from which the signature originates has certain shared characteristics with the regulatory scheme under which mutual recognition is sought.  For example, a country which requires licensed providers may only recognize a foreign signature if the foreign provider is similarly licensed in its "home" jurisdiction.  Similarly, any mutual recognition scheme should recognize cultural differences, sometimes deeply ingrained.  For others, mutual recognition means giving recognition to any foreign signature methodology as long as the methodology is valid in the home jurisdiction, without regard to the similarities or differences between legal frameworks.   A third kind of mutual recognition would give effect unless the rules of the home jurisdiction were "profoundly" different.

Efforts are under way in some regions to identify such profound differences and construct the terms of recognition. One participant gave the EU credit for an intra-European model of mutual recognition and suggested that the evolution of that system would provide a valuable model.  All agreed that a workable system of mutual recognition would be essential to the growth of cross border electronic commerce.

ILPF’s latest commissioned survey, An Analysis of International Electronic and Digital Signature Implementation Initiatives, documents and analyzes a proliferation of standards and licensing initiatives to implement legal recognition of digital and electronic signatures. The level of government participation and intervention in the marketplace reflects differences in goals and culture but at the same time, threatens to create a world in which a user cannot choose a signature methodology or level of security which matches the particular need and may not expect recognition of any choice beyond national or regional boundaries.

Participants at the 10 September Session offered three suggestions for governments to balance the legitimate need for implementation details against the potential excesses of those actions.  Governments could

1. Allow the marketplace for and use of authentication technologies in closed systems to develop further before structuring legislative and regulatory requirements based on perceived consumer needs,
2. Recognize the difference between standards designed for technological interoperability and those which define legal effects; and
3. Actively seek to define the terms of broader mutual recognition.

The members of the ILPF wish to express their thanks to Messrs. Kuner and Baker for their work on the International Implementation Survey and to the international experts listed below for their contributions to a better understanding of this most complex but important topic.

Participating ILPF Members Oracle Corporation
Genuity Inc.
Verisign
UBS Warburg
Network Solutions, Inc.
Securify, Inc.
Bell Canada
Fujitsu Limited.
Telus Corporation
@Nifty
Fujitsu, Ltd.
British Telecom
Visa International
Schlumberger Limited
GE Information Services
NEC, USA

Experts Stewart Baker, Steptoe & Johnson
Rosa Barcelo, Morrison & Foerster
Mark Bohannon, Software and Information Industry Association
Roland Brandel, Morrison & Foerster
Mauricio Devoto, CENIT
Peter Ferguson, Industry Canada
Emily Frye, iWitness, inc.
Brian Hengesbaugh, US Department of Commerce
Dr. Ulrich Sandl, Federal Ministry of Economics and Technology, Germany
Mariana Silveira, National Center for American Free Trade
Brian Smith, Mayer Brown & Platt
Graham Smith, Bird & Bird
Yoshitaka Toui, MITI, Japan
Kristen Tsolis, The Naval Postgraduate School
Shinje Watanabe, NTT DATA Corporation
TomohikoYamakawa, InfoCom Research Inc

[1] The International Implementation Analysis was undertaken jointly by Chris Kuner of the Brussels Office of Morrison and Foerster LLP and Stewart Baker of the Washington DC office of Steptoe & Johnson LLP.

[2]   In addition, a Joint Keidanren/ILPF Workshop on Electronic Signatures and Authentication, November 1999 in Tokyo, Japan brought international expert attention to Japanese legislative proposals, http://www.ilpf.org/workshop/keidanren.htm.

[3] See, for example, the Draft Revised Inventory of Approaches to Authentication and Certification in a Global Networked Society, DSTI/ICCP/REG(2000)1 for an inventory of OECD member country approaches to authentication.

[4]   The term "cross-border" has several meanings in this context.  Cross border issues may arise within  national boundaries.  For example, in both Canada and the United States, areas of law effected by legal recognition of non traditional signatures, for example the laws of evidence (in non-national courts) and contract law may be reserved to provinces or states, respectively.  "Cross border" is also used to mean "international", that is, a transaction or communication between actors "in" or legally identified with two separate nations.  The EU represents a special subset of "cross border" issues because although those issues are international, they are governed by relevant treaty provisions if the actors are within EU member states.