Survey of International Electronic and Digital Signature Initiatives
Project Overview
The Internet Law & Policy Forum commissioned Steptoe & Johnson LLP to survey
current legislative and regulatory efforts outside of the United States
concerning digital and electronic signatures.[1] This report provides a comparison and
analysis of electronic authentication initiatives in jurisdictions outside
of the United States, including international efforts at the United Nations
Commission on International Trade Law (UNCITRAL), the Organization for
Economic Cooperation and Development (OECD), and the European Union (EU).
This report complements, and in many respects builds on, the ILPF Survey of Electronic and
Digital Signature Legislative Initiatives in the United States (the
"ILPF US Survey"). The report assumes familiarity with digital signatures
and electronic authentication generally; readers desiring more background
should refer to the Background and Authentication Models sections of the
ILPF U.S. Survey. For ease of reference, this report summarizes the
legislative initiatives described herein in the same table format as the
ILPF U.S. Survey.
ILPF and the authors seek public comment on this report, and welcome
additional information and corrections concerning the initiatives discussed
in this report. We particularly encourage readers to submit information
about new legislative and regulatory initiatives that are not
discussed in this report, as we intend to update the report on a regular
basis. Any comments should be sent to the ILPF, intsurvey@ilpf.org, and to the authors
of this report, Stewart Baker and Matthew Yeo.
Introduction: Overview of Legislative Initiatives
Perhaps the most significant observation about legislative initiatives
outside of the United States is how few of them there have been to date.
This report identifies only six countries that have enacted legislation
specifically relating to electronic authentication: Argentina, Germany,
Italy, Malaysia, Russia, and Singapore.[2]
By contrast, according to the ILPF US Survey, 36 states have introduced or
are considering legislation concerning electronic signatures, with 26
states having enacted some type of legislation. In fact, a number of other
U.S. states have since passed legislation relating to electronic
authentication, so these numbers are now higher.
As in the United States, however, there have been a large number of
official studies and proposed legislative initiatives that have not yet
come to fruition. Australia, Austria, Belgium, Colombia, Denmark, Hong
Kong SAR, South Korea, and the United Kingdom are in the process of
reviewing and adopting proposed legislation. Canada, Finland, France,
Ireland, Japan, the Netherlands, and New Zealand have published reports,
consultative papers or policy statements on electronic authentication
issues, and other countries are in the process of preparing similar
reports.[3]
It is difficult to compare national approaches to electronic
authentication legislation because so few countries have conceived of the
purpose of such legislation in quite the same way. Some countries, like
Germany and Japan, have, to date, focused only on the technical standards
for the operation of a Public Key Infrastructure ("PKI").
Others, like Singapore and Malaysia, have spanned the entire range of
issues associated with the legal effect of electronic signatures, the legal
framework for the operation of a PKI, and the establishment of a regulatory
apparatus to oversee Certificate Authorities ("CAs"). Indeed,
one of the themes of this survey is that countries do not always agree on
the required scope of electronic authentication legislation.
As discussed later in this report, several international initiatives are
underway to harmonize national approaches to electronic authentication.
These initiatives include the draft EU Directive on electronic
authentication, the work of the UNCITRAL Experts Group in preparing Uniform
Rules on electronic authentication, and a proposed international convention
on electronic authentication. Thus, it appears increasingly likely that
many of the issues discussed in this report will be addressed at the
international level, perhaps even before they are taken up by national
legislators.
I. Legislative Models
A. The Tension Between Technological Neutrality and Legal Specificity
Any legislative approach to electronic authentication must accommodate
the inherent tension between the goal of technological neutrality and the
goal of prescribing specific legal consequences for the use of electronic
authentication systems. To the extent that legislation seeks to enable the
use of diverse electronic authentication techniques, including some that
are not yet even conceived, it becomes progressively more difficult to
accord specific and meaningful legal consequences to their use. The reason
for this inverse relationship is fairly straightforward - legislators'
confidence in the security and reliability of known electronic
authentication mechanisms allows them to grant greater legal benefits and
presumptions to the use of those techniques. They may be less willing to
grant the same level of legal benefits to as yet unknown techniques or to
technologies that bear no imprimatur beyond recognition and acceptance in
the marketplace.
This conundrum is the inevitable consequence of legislating against a
backdrop of rapid technological change. As recently as 1995, when
legislative initiatives began to emerge in the United States, the use of
asymmetric, or "public key," cryptography as a means of creating
"digital signatures" was widely perceived as the nearly-universal
foundation for all electronic authentication. Indeed, it is safe to say
that this perception continued well into 1997, both in the United States
and abroad, and remains influential today. More recently, however, there
has been growing recognition that other means of electronic authentication,
including biometrics and dynamic signature analysis, will take on equal or
greater importance in the years ahead.[4]
In fact, some of these techniques - and particularly those that are based
on biometric features - may prove to be more reliable and less susceptible
to compromise than digital signatures. That expectation deserves a caveat:
a biometric is a measurement of a feature the person cannot change, so a
captured template cannot be revoked or reissued, whereas a compromised
signing key can be revoked and replaced.
In all likelihood, no single technology will prevail as the sole means
of electronic authentication. Different technologies will likely be used
in different settings and for different purposes. This diversity of
authentication techniques, while generally promoting the expansion of
electronic commerce, nonetheless poses a significant challenge for
legislators, because not all technologies necessarily require the same
legal infrastructure or may be accorded the same presumption of security
and integrity. Many believe that the widespread use of digital signatures,
for example, requires a legally established "trust
infrastructure," or PKI, that defines the rights and obligations of
the parties to an authenticated transaction, including the potential
liability of CAs to third parties. Other technologies, such as voice
authentication, may not require the same type of legally-defined trust
infrastructure, although it is very hard to predict how any of these
technologies will be used in widespread commercial practice and what their
specific legal requirements will be.[5]
For those legislators and policymakers who believe that the continued
expansion of electronic commerce requires a known and reliable
authentication mechanism with established legal consequences, the
preference is usually to enact legislation that specifically addresses the
use of digital signatures, and to save the issues raised by other
authentication techniques for another day. At the same time, legislators
and policymakers naturally fear that any attempt to codify a known
authentication mechanism - namely, digital signatures - runs the risk of
stunting the development of other authentication mechanisms, or at least of
giving undue benefits to a technology that is itself only in the earliest
stages of commercial use. Apart from these concerns and the general desire
to avoid the rapid obsolescence of new legislation, there is also a concern
among national legislators and policymakers that premature endorsement of a
particular technology will set the country outside of the mainstream of
technological and legislative developments internationally.[6] For these reasons, "technological
neutrality" in electronic authentication legislation has become an
increasingly prevalent objective.
B. A Typology of Electronic Authentication Legislation
The manner in which legislators and policymakers have sought to
accommodate the conflicting concerns described above largely defines the
typology of existing and proposed electronic authentication legislation.
While this typology encompasses many of the issues discussed in more detail
below - the legal effect of electronic signatures, licensing provisions,
liability issues, etc. - it is nonetheless helpful to have a sense of the
general approaches that national legislatures have taken.
1. The "Prescriptive" Approach
To date, the most common approach has been to ignore authentication
mechanisms other than those based on digital signatures, and to adopt what
the ILPF Survey of U.S. legislation refers to as the
"prescriptive" approach. Argentina, Germany, Italy, and Malaysia
have all enacted legislation that pertains solely to the use of digital
signatures within a PKI, and the "Guidelines" issued by Japan's
Electronic Commerce Promotion Council (ECOM) are similarly limited to
digital signatures.[7] Significantly,
these legislative initiatives are among the oldest ("old" being a
relative term, relating mostly to developments prior to early 1998), and,
with the exception of Singapore, these are also the only countries that have
enacted legislation. More recent initiatives, whether in the form of
proposed legislation or reports by national experts groups, have
increasingly focused on the need to accommodate emerging and even
unforeseen technologies.[8]
2. The "Two-Tier" Approach
The second approach is what might be called the "two-tier"
approach to electronic authentication legislation, referred to as the
"hybrid" approach in the ILPF Survey of U.S. legislation. At the
first level, the legislation accepts all or most electronic authentication
mechanisms on a technologically-neutral basis, and grants these mechanisms
a basic set of legal benefits. For example, technologies that are accepted
at the first level might satisfy writing and form requirements, but would
not be entitled to any presumptions concerning the signer's identity or
intent. At the second level, the legislation creates a class of approved
technologies whose use is invested with a broader array of legal benefits
and obligations. The legislation may define these technologies - sometimes
referred to as "secure" or "qualified" technologies -
by reference to general criteria, by reference to the specific techniques
of asymmetric cryptography, or by reference to a schedule of technologies
approved by statute or regulation. Documents that are authenticated by one
of these methods are typically entitled to a more robust set of legal
entitlements, for example, a presumption concerning the identity of the
signer and the integrity of the document's contents. At this second level,
the legislation may also seek to address issues that are specifically
associated with the operation of a PKI, such as the operational
requirements and liabilities of CAs.
The virtues of the "two-tier" approach are fairly
self-evident. It achieves the goal of technological neutrality by granting
a minimum level of legal recognition to all or most authentication
techniques, mostly with regard to satisfying form and writing
requirements. At the same time, it affords greater legal certainty and
benefits to those authentication mechanisms whose security and reliability
permit greater confidence in their use. This approach also recognizes that
some authentication mechanisms, and particularly those that are used in
open systems, require a better-defined legal environment (for example,
because of the third-party liability issues associated with the use of
digital certificates), while not depriving legal recognition to those
authentication mechanisms that do not require a significant external legal
framework (for example, because the parties establish the terms of their
use by contract - so-called "closed" systems).
Singapore's Electronic
Transactions Bill, enacted in June 1998, is a good illustration of the
two-tier approach. The ETB draws a basic distinction between electronic
records and signatures, on the one hand, and secure electronic records and
signatures on the other. An "electronic signature" is any set of
letters, numbers, or other symbols in digital form attached to, or
logically associated with, an electronic record, and executed or adopted
with the intention of authenticating or approving the electronic record.
An electronic signature satisfies the requirement of a signature (with
limited exceptions relating to wills, conveyances, and similar documents),
and may be proved "in any manner." A "secure electronic
signature," by contrast, is either a digital signature that comports
with the ETB's digital signature standards or a "commercially
reasonable security procedure agreed to by the parties." A secure
electronic signature must be (1) unique to the person using it; (2) capable
of identifying the person; (3) created through a means that is under the
sole control of the person using it; and (4) linked to the electronic
record in such a way as to confirm the integrity of the document.
Documents that are authenticated by a secure electronic signature are
entitled to a presumption of integrity, a presumption that the signature is
that of the person with whom it is associated, and a presumption that the
user affixed the signature with the intent of signing or approving the
document. The ETB treats digital signatures as a type of secure electronic
signature, and establishes a comprehensive regime for their use and
regulation.
The draft EU
Directive also illustrates the two-tier approach, although in a
somewhat different manner.[9] The
essential distinction drawn in the draft Directive is between
"electronic signatures" and "qualified certificates."
An electronic signature is one that satisfies the four criteria described
above with respect to the Singapore ETB (uniqueness, identity, security,
and integrity). The Directive would prohibit Member States from denying
legal effect to an electronic signature solely on the grounds that it is in
electronic form. A "qualified certificate," by contrast, is a
"digital attestation which links a signature verification device to a
person, confirms the identity of that person," and that satisfies the
technical requirements specified in Annex I of the Directive (mostly
pertaining to the contents of a qualified certificate). Member States
would be obligated to ensure that electronic signatures based on qualified
certificates satisfy the legal requirement of a hand-written signature and
are admissible as evidence in legal proceedings in the same manner as
hand-written signatures, but only if the electronic signature was generated
using a "secure signature creation device" (as defined in Annex
III of the Directive).
At the international level, the UNCITRAL Working Group on Electronic
Commerce has also adopted the two-tier approach in the most recent draft of
the Uniform
Rules on Electronic Signatures. The draft Uniform Rules distinguish
between "electronic signatures," which are those that satisfy the
relatively broad requirements of Article 7 of the UNCITRAL Model Law on
Electronic Commerce, and a narrower category of signatures (provisionally
called "enhanced" electronic signatures) that satisfy a higher
standard or that are executed according to the terms of an agreement between
the parties.[10] Electronic signatures
would satisfy any requirement for a signature "if the electronic
signature is as reliable as appropriate for the purpose for which the
electronic signature was used, in light of all the circumstances, including
any relevant agreement." "Enhanced" electronic signatures,
on the other hand, would be entitled to a presumption that the data message
was signed, a presumption that it was signed by the person associated with
the signature, and a presumption that the data message was unaltered.
3. The "Minimalist" Approach
Interestingly, several of the most recent national initiatives relating
to electronic authentication have decided to forego any effort to
legislate detailed standards for the use of different authentication
techniques, and have taken a purely minimalist approach to granting legal
recognition to electronic signatures. The March 1998 report of the
Australian Electronic Commerce Expert Group, entitled Electronic
Commerce: Building the Legal Framework, surveys a wide range of
national and international approaches to electronic authentication
legislation, and concludes that:
... [T]he enactment of legislation which creates a detailed
legislative regime for electronic signatures needs to be considered with
caution. There is a risk, particularly given the lack of any
internationally uniform legislative approach, that an inappropriate
legislative regime may be adopted without regard to market-oriented
solutions. Given the pace of technological development and change in this
area, it is more appropriate for the market to determine issues other than
legal effect, such as the levels of security and reliability required for
electronic signatures. Accordingly, we have recommended that legislation
should deal simply with the legal effect of electronic signatures.
The report further concludes that adoption of Article 7 of the UNCITRAL
Model Law on Electronic Commerce, which creates broad standards for the
recognition of an electronic signature, is the only legislative initiative
required to create a framework for the use of different electronic
authentication techniques. In this manner, the report specifically rejects
the proposition that the widespread use of digital signatures and other
electronic authentication methods requires a legal framework that allocates
the rights, duties, and liabilities of the different parties to a secure
electronic transaction.[11]
The recommendation of the Australian Electronic Commerce Expert Group
was adopted in the draft Electronic Transactions Bill
released by the Attorney General in January 1999. Article 10 of the draft
Bill would give broad effect to electronic signatures where the method used
to create the signature "was as reliable as was appropriate for the
purposes for which the information was communicated."
II. Effects & Presumptions
A. Legal Effect
The most elemental objective of any electronic authentication
legislation is to ensure that electronic signatures are accorded
appropriate legal recognition. Virtually every jurisdiction has laws that
require that certain types of documents be "signed," or "in
writing," or any one of countless other formulations that could be
construed to require a physical document or hand-written signature.
A report by the Canadian Department of Justice, for example, observed that
the word "writing" appears 1,600 times in Canadian statutes, and
other national surveys have produced similar results.
In attempting to resolve the issues surrounding the legal effect of
electronic signatures and authenticated electronic documents, many
countries have been influenced by Article 7 of the UNCITRAL Model
Law on Electronic Commerce. Article 7 states that the requirements of
a signature are satisfied with respect to a data message if (1) the method
is used to identify the signer and to indicate that person's approval of
the information contained in the message; and (2) the method is as reliable
as was appropriate for the purpose for which the message was generated or
communicated, in light of all the circumstances, including any relevant
agreement between the parties. The means by which a particular
jurisdiction will implement this standard, however, is likely to vary
considerably according to the nature of its existing legal framework.
At least in common law jurisdictions, there is nothing about an
"electronic signature" that is significantly different from a
signature conveyed by a telegram, a telex, a facsimile, or by any of the
other means that have been generally accepted in commercial practice and
that are ordinarily accepted by most common law courts.[12] Nonetheless, whether as a result of
specific evidentiary problems or out of a general concern that courts will
be reluctant to accept electronic signatures, several jurisdictions have
chosen to clarify the legal validity of electronic signatures. Providing
such clarification is also seen as an important reassurance to parties that
might otherwise be reluctant to use electronic signatures in commercial
transactions. As noted above, Australia
and its constituent states intend to adopt some variant of Article 7 of the
UNCITRAL Model Law, and New Zealand is also
likely to base its legislation on Article 7.
The situation in civil law jurisdictions tends to be somewhat more
complex, given the civil law's generally more prescriptive approach to
methods of proof and authentication. A recent report by the French Conseil d'Etat
reviewed the various circumstances under the Code Civil where a
hand-written signature or original document is required, as well as the
hierarchy of evidence that the law requires for proving the validity of a
signature (ranging, depending upon the circumstances, from a notarized
signature all the way down to a faxed or photocopied signature). The
report concludes that the Code Civil does not readily accommodate
electronic signatures, and must therefore be amended to recognize, under
most circumstances, the functional equivalence of certain
"trustworthy" (fiable) electronic signatures.[13] Italy has
already taken this step by establishing that digital signatures and
electronic documents authenticated by a digital signature satisfy any form
requirements and are accorded the same evidential weight as hand-written
documents and signatures. In contrast to the French proposal, however, the
Italian legislation only extends this benefit to digital signatures that
are authenticated by licensed CAs.
Under the proposed EU Directive,
Member States will be obligated to "ensure that an electronic
signature is not denied legal effect, validity and enforceability solely on
the grounds that the signature is in electronic form...."
Significantly, however, the EU Directive adopts a relatively high standard
for which "electronic signatures" benefit from this requirement
of non-discrimination. The proposed Directive requires that an electronic
signature (1) is uniquely linked to the signatory; (2) is capable of
identifying the signatory; (3) is created using means that the signatory
can maintain under his sole control; and (4) is linked to the data to which
it relates in such a manner that any subsequent alteration of the data is
revealed. This is a significantly more prescriptive and stringent standard
than Article 7 of the UNCITRAL Model Law, and, at least at present, would
appear to require the use of digital signature technology. Thus, the draft
EU Directive will allow Member States to set a fairly high threshold for
the types of electronic signatures that are not to be discriminated against
because of their electronic form.
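The four criteria above (unique link to the signatory, ability to identify the signatory, sole control of the creation means, and revelation of any later alteration) are exactly the properties a public-key digital signature supplies, which is why this report reads both the Directive and the Singapore ETB as pointing at that technology. The following Go program is an added illustration, not part of the original report or of any of the legislation it surveys. It uses Ed25519 from Go's standard library on a constructed sample record: a genuine signature verifies, a single altered byte is detected, and verification against another party's public key fails. The record text, the party names alice and bob, and the function names are assumptions made for the example; binding a public key to a named person is the job of a certificate and is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one party's key pair. The private key is the "signature
// creation device" that criterion (3) requires to stay under the signer's
// sole control; the public key is what a certificate would bind to the
// signer's identity (criterion (2)).
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair, so each signer's key is
// unique to that signer (criterion (1)).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces a signature bound to the exact bytes of the record.
func (s *Signer) Sign(record []byte) []byte {
	return ed25519.Sign(s.private, record)
}

// Verify checks a record against a signature and a claimed signer's public
// key. It returns true only if the signature was made with the matching
// private key over exactly these bytes, so any alteration of the record is
// revealed (criterion (4)). Length checks avoid a panic on malformed input.
func Verify(claimed ed25519.PublicKey, record, signature []byte) bool {
	if len(claimed) != ed25519.PublicKeySize || len(signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(claimed, record, signature)
}

// Outcome records the three checks a relying party would run.
type Outcome struct {
	GenuineAccepted  bool // unaltered record, correct signer's key
	TamperedRejected bool // one byte of the record changed after signing
	ImpostorRejected bool // same record and signature, checked against another key
}

// Demonstrate runs the checks on a constructed sample record (hypothetical
// data, not taken from any real transaction).
func Demonstrate() (Outcome, error) {
	alice, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	bob, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}

	record := []byte("Purchase order 1042: 500 units at SGD 12.00, delivery 30 days")
	sig := alice.Sign(record)

	// Alter a single byte after signing: "30 days" becomes "90 days".
	tampered := append([]byte(nil), record...)
	tampered[len(tampered)-7] = '9'

	return Outcome{
		GenuineAccepted:  Verify(alice.Public, record, sig),
		TamperedRejected: !Verify(alice.Public, tampered, sig),
		ImpostorRejected: !Verify(bob.Public, record, sig),
	}, nil
}

func main() {
	out, err := Demonstrate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Note what the program does not show: it proves that whoever held alice's private key signed the record, not that the human named Alice did. That gap is precisely why the legislation discussed here pairs signature criteria with certificate, CA and "secure signature creation device" requirements.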
B. Legal Presumptions
All of the provisions described above are generally intended to ensure
that national laws do not discriminate against or otherwise
discourage the use of electronic signatures. As discussed above, several
jurisdictions have gone a step further and attached certain legal
presumptions to the use of electronic signatures, such as a
presumption of identity or intent to sign. Several jurisdictions also
permit the use of electronic signatures in situations where the law would
ordinarily require some enhanced form of authentication, such as a sworn,
certified, or sealed document. The willingness of national legislatures to
extend these benefits to digital signatures - or at least those that are
implemented according to prescribed standards - reflects the extent to
which digital signature technology is not only a reliable substitute for a
hand-written signature, but is actually more reliable than a
hand-written signature for many purposes. One caveat matters for the
signer: a valid digital signature proves that the private key was used, not
who used it, so a presumption of identity shifts the consequences of a lost
or compromised key onto the subscriber.
The extent to which different jurisdictions have adopted or proposed
these measures varies. As noted above, the proposed EU Directive provides
that a "qualified certificate" - i.e., one that is issued
by a CA that satisfies the requirements of Annex II - must be recognized by
the Member States as satisfying the legal requirements of a hand-written
signature, and must be admissible in legal proceedings in the same manner
as hand-written signatures, so long as it was generated using a
"secure signature creation device." The standards for a
"secure signature creation device," as set forth in Annex III of
the Directive, are very much in flux as of this writing. The standards
that have been proposed would impose fairly broad requirements on signature
creation devices, such as ensuring that the secrecy of a private key is
"reasonably assured," and that it can be "reliably
protected" by the legitimate holder. However, some Member States have
sought to impose more stringent technical requirements on "secure
signature creation devices," which might, for example, effectively
require that all private keys be stored on smart cards. It is not clear,
at this time, how this debate will be resolved.[14]
At first glance, the EU provision would appear to require the Member
States to accept electronic signatures that satisfy the Annex II and Annex
III criteria (whatever they turn out to be) in any situation where a
hand-written signature is required by national law, including conveyances
of real property, the formation of wills, and other such documents. Given
that most Member States will want to retain at least some of these
traditional signature requirements, the presumption accorded to qualified
certificates appears exceptionally broad. At the same time, Article 1 of
the Directive states that the Directive does not address "the
conclusion and validity of contracts and other non-contractual formalities
requiring signatures." This appears to be a significant exception to
the requirement of granting legal equivalence to qualified certificates,
and one that would permit Member States to retain many traditional writing
requirements. Thus, it is unclear how these two provisions will interrelate.
Under the Singapore Electronic Transactions Bill,
documents that are signed by a secure electronic signature are entitled to
a presumption of integrity, a presumption that the signature is that of the
person with whom it is associated, and a presumption that the user affixed
the signature with the intent of signing or approving the document.
Significantly, the ETB does not limit these presumptions to electronic
signatures that are confirmed by licensed CAs; the presumption also applies
to any "commercially reasonable security procedure agreed to by the
parties" and that satisfies the general criteria for uniqueness,
identity, security, and integrity.
The Malaysian
legislation provides that a digital signature confirmed by a licensed CA is
entitled to a presumption that the signature belongs to the listed
subscriber and that it was affixed with the intention of signing the
message.
Some jurisdictions have concluded that electronic signatures, even ones
that satisfy heightened standards of security and reliability, should not
benefit from any special presumptions or powers. As the recent Australian
report concluded, these sorts of presumptions "may involve
incorrect guesses about efficient and fair business practices across a
range of commercial contexts and may have serious unintended
consequences.... The law should not seek to place addressees of
electronically signed data messages in a better position than addressees of
manually signed paper-based messages. Accordingly, at this stage
legislated attribution rules should not go beyond restating the common
law."
III. Licensing and Accreditation of Certificate Authorities
For those jurisdictions that have specifically addressed the operation
of a PKI, one of the central issues has been whether to require licensing
of Certificate Authorities or, if not, whether to provide some other form
of voluntary licensing or accreditation. As was evident in the preceding
discussion of the legal effect of electronic signatures, and as will become
evident in the subsequent discussion of liability, the extent to which the
government exercises some sort of regulatory authority over CAs tends to
influence legislators' willingness to grant specific legal benefits to CAs
and the electronic signatures that they confirm. As discussed below,
whether or not a particular jurisdiction requires CAs to obtain a license
also has a direct effect on the operation of CAs within closed systems
(i.e., systems in which all of the parties to an authenticated
communication, including the CA, have previously defined their respective
rights and obligations by contract).
Somewhat surprisingly, whether or not a particular country
"requires" licensing of CAs is not always clear. Article 4(3) of
the Malaysian
legislation, for example, appears to require any certificate
authority confirming the validity of a digital signature in Malaysia to be
licensed by the Controller of Certificate Authorities, on pain of criminal
prosecution. At the same time, Article 13 provides that a digital
signature will not be denied legal effect simply because it was confirmed
by an unlicensed CA. The paradoxical result is that the legislation would
apparently accept the legal validity of a digital signature confirmed by an
unlicensed CA, but then subject that CA to criminal prosecution. Thus, it
is simply not clear whether Malaysia's licensing scheme is truly
"mandatory."
The Italian
legislation, as well as the recently-published draft
implementing regulations, establishes a mandatory licensing scheme for
all CAs, although this result is evident more by implication than by
express provision. CAs are obligated to register with the Italian
Authority for Information Technology in Public Administration (AIPA), and
must comply with extremely specific (and generally quite stringent)
financial and technical standards. For example, CAs must have a registered
share capital of approximately U.S. $7.5 million, and must satisfy
character and fitness requirements similar to those imposed on bank
personnel.
Germany's licensing system is at
least nominally voluntary, in that it permits "the application of
[unlicensed] digital signature procedures ... insofar as digital signatures
... are not legally required under the [digital signature] law." At
the same time, the law and the associated draft technical regulations
clearly contemplate that all CAs will be licensed by the national
"root" CA, and at least one commentator has observed that the
stated intent of German officials is to create a de facto mandatory
licensing regime.[15]
The Singapore Electronic
Transactions Bill, while not requiring CAs to be licensed, imposes a
number of requirements on CAs without regard to whether they are licensed.
For example, all CAs, licensed or unlicensed, must either issue a
Certification Practice Statement or abide by the statutorily-prescribed
requirements for issuing a digital certificate. Additionally, all CAs must
comply with statutory standards for disclosing material information about a
certificate and the procedures for revoking or suspending a certificate.
As noted above, Singapore provides certain presumptions of attribution and
intent both to licensed CAs and to others who satisfy the prescribed
criteria, but only permits licensed CAs to state liability limitations in
their certificates.
Significantly, the EU draft Directive
prohibits Member States from requiring licensing of CAs. (This provision,
if adopted, will likely have a significant effect on the Italian and, to a
lesser extent, the German regulatory schemes.) At the same time, the
Directive allows Member States to adopt voluntary licensing schemes,
provided that those schemes are "objective, transparent, proportionate,
and non-discriminatory."
Interestingly, the two benefits that accrue to "qualified
certificates" under the Directive - legal equivalence to a
hand-written signature and the right of the issuing CA to limit its
liability - do not turn, and in fact may not turn, on whether the CA
is licensed or accredited. The sole requirements are that the CA satisfy
the standards for qualified certificates in Annex I, the operational
standards for CAs set forth in Annex II, and, with regard to legal
recognition, the standards for "secure signature creation
devices" set forth in Annex III. In practice, however, there may be
very little distinction between satisfying these standards and becoming
licensed or accredited. With regard to Annex III, for example, the Member
States are continuing to debate how individual CAs would certify their
compliance with the relevant standards. The proposals on the table range
from self-certification by the CA to elaborate testing and certification
mechanisms administered by national governments and/or the European
Commission. Others have proposed that appropriate industry organizations
would have the power to certify compliance with the Annex III standards.
Similar certification issues are raised by the Annex II standards
concerning the operational requirements for CAs.[16] Depending on how these issues are
resolved, a CA that wanted to assure the legal equivalence of its
electronic signatures might have no practical choice but to undergo one or
more testing and accreditation processes.
While the apparent assumption in many jurisdictions has been that the
government will act as the licensing or accreditation authority (whether as
part of a mandatory or voluntary regime), there is growing recognition that
private sector organizations, or other types of standards bodies, may be
better suited to this role. The Netherlands, for example, recently
established a voluntary "TTP Chamber" that brings together
government and commercial representatives. The TTP Chamber serves, in
effect, as a standards-setting organization for the use of electronic
signatures in the Netherlands, and CAs are strongly encouraged (but not
required) to join. The Netherlands adopted this approach, in part, because
it concluded that an organization of this nature would be better equipped
to respond to rapidly changing market and technological forces.[17]
IV. Liability
A. Background
One of the most complicated issues surrounding the creation of a public
key infrastructure is the extent to which the law should define or limit
the liabilities of the three main parties to a secure electronic
transaction, that is, the person who digitally signs a message, the person
who receives the message and who may rely on its validity, and the CA that
vouches for the identity or some other attribute of the sender. In a
purely "open" transaction - that is, one in which the parties
have not previously defined their respective rights and duties by contract
- there are several major faultlines of liability. Most importantly, the
CA may be liable to the recipient of the message for any inaccuracies or
misrepresentations contained in the certificate, or for the failure of the
CA to revoke an invalid certificate. To take a simple example, a person
who applies for a digital certificate may misrepresent his or her identity
under circumstances where the CA, with more thorough investigation, could
have discovered the deceit. When a third party relies on that certificate
to its detriment, to what extent is the CA liable? Given that the CA and
the third party do not necessarily have a preexisting relationship in which
they have had an opportunity to allocate this sort of risk, they must turn
to general legal principles to define the scope of the liability.
Moreover, given the high value of transactions for which digital signatures
might be used, the CA's potential liability is quite steep.
It is this central feature of an open PKI that was responsible for much
of the initial legislative interest in digital signatures. One of the
early rationales for digital signature legislation was that, in the absence
of a legislatively-imposed limitation on the CA's potential liability, this
method of electronic authentication would never emerge in the marketplace,
to the detriment of electronic commerce generally. More recently, however,
at least one commentator has observed that if a CA cannot operate without a
legislatively-imposed limitation on its liability, it is not a business
that can internalize its own costs, and therefore not one that should be
brought into existence by legislative fiat.[18] Critics contend that, in effect, a
legislative limitation on liability merely shifts the risk of loss to third
parties who may rely on an inaccurate digital certificate.[19]
B. National Approaches
Three jurisdictions - the EU, Malaysia, and Singapore - have addressed
the potential liability of CAs. Significantly, all three jurisdictions
have taken an approach that combines some variant of strict liability for
certain acts or misrepresentations with a system that permits the CA to
limit its liability, at least under certain circumstances.[20] Malaysia and Singapore, for example,
require CAs to specify a "recommended reliance limit" in any
certificate that they issue. The recommended reliance limit then sets a
cap on the CA's potential liability for losses caused by reliance on a
misrepresentation in the certificate of any fact that the CA was required
to confirm, or as a result of any failure to comply with the
statutorily-prescribed requirements for issuing a certificate. Similarly,
while the EU Directive generally imposes strict liability on a CA for
losses caused by reliance on an inaccurate certificate or failure to abide
by the requirements for issuing a qualified certificate, Member States are
required to permit CAs to specify the permissible uses of a qualified
certificate and the maximum value of any transaction for which it may be
used.[21] In effect, these schemes permit
the CA to define the value of a particular certificate in the manner
described above.
These jurisdictions differ on whether licensing or accreditation is a
prerequisite to a limitation on liability. Singapore and Malaysia only
permit licensed CAs to state liability limitations in the certificates that
they issue. The EU would permit any CA that issues a "qualified
certificate" to limit the permissible uses of that certificate or to
specify its maximum value. As discussed above, the draft Directive would
permit unlicensed CAs to issue qualified certificates, but the practical
reality is that most CAs that issue qualified certificates will be licensed
or accredited under voluntary schemes.
Some jurisdictions have chosen not to address the liability issues
associated with an open PKI. Germany, for example, has so far avoided any
effort to legislate liability provisions for the operation of a PKI, and
has actively opposed the liability limitation provision of the draft EU
Directive (which, if adopted, would compel Germany to allow CAs to limit
their liability). Many German lawyers and policymakers believe that
existing principles of liability under German law adequately address the
issues raised by an open PKI, and oppose the introduction of a system that
is based on strict liability and that would permit CAs to state liability
limitations. The recent Australian report noted the debate surrounding
liability limitation provisions, and concluded that it would be premature
to address the issue until "the technology develops and market issues
and failures emerge...." Neither the Italian legislation nor the
recent French report addresses liability issues.
At this stage, then, it is hard to identify a strong international
consensus on the liability aspects of an open PKI. Some countries
apparently believe that allowing CAs to limit their liability is a
prerequisite to the widespread use of electronic authentication, while
others believe that such a limitation is either unnecessary or premature.
This lack of consensus may prove to be a significant obstacle to the
formulation of international standards on electronic authentication,
whether by means of the UNCITRAL Uniform Rules or an international convention.
V. Closed Systems / Party Autonomy
A. The Growing Significance of Closed Systems
When digital signature technology first began to emerge, it was widely
assumed that its principal use would be in "open" transactions,
i.e., transactions in which the parties have not agreed in advance
on their respective rights and duties in using that technology. Indeed, as
discussed above, one of the principal motivations for digital signature
legislation has been to define the rights, duties, and potential
liabilities of the three central parties to a secure electronic
transaction: the person who sends an authenticated message, the person who
receives the authenticated message, and the CA that confirms the validity
of that message.
More recently, however, it has become evident that many, if not most,
applications of digital signature technology will be in "closed"
environments, i.e., situations in which all of the relevant parties
have agreed in advance on their respective rights and duties, and allocated
any potential risks. For example, a company can issue digital signatures
to all of its employees for purely internal use, with the company acting as
its own CA and setting its own rules. More significantly, digital
signatures can also form the basis for a secure electronic payment system,
including the Secure Electronic Transaction (SET) specification developed
by Visa, Mastercard, and other members of the payment card industry. In
SET, each of the parties to a secure electronic transaction - the
cardholder, the merchant, and the member banks that process the transaction
- has a digital signature that establishes its identity and authority
within the system. As in an ordinary payment card system, the parties'
rights and duties are established by a series of contracts.
Because the parties to a closed transaction have already defined the
terms and conditions for using digital signatures amongst themselves, there
is a significantly reduced need for legislative intervention. Liability,
for example, can be agreed upon by the parties in advance. Indeed, the
greatest risk faced by users of closed systems is that legislation will
fail to recognize the terms of their private agreements, or impose
unnecessary regulatory burdens and costs on their use of digital
signatures. Given that the use of electronic signatures within closed
systems is likely to predominate over the use of electronic signatures in
"open" transactions, it is extremely important that legislation
not inhibit the continued development of closed systems.
B. Factors that Affect Closed Systems
1. Licensing
The extent to which electronic authentication legislation recognizes and
accommodates closed systems is a function of several different factors.
For example, legislation that requires licensing of all CAs or that
establishes other types of requirements for unlicensed CAs is likely to
impose a significant burden on closed systems, because it may require the
CA to become licensed in multiple jurisdictions or to abide by standards
that are different from those to which the parties have agreed. As
discussed above, while only Italy has apparently imposed a licensing
requirement for all CAs, several jurisdictions have adopted legislation
that creates a de facto mandatory licensing regime or that imposes
standards on unlicensed CAs. These provisions run the risk of significantly
increasing costs for the operators of closed systems.
2. Permitting Contractual Departures from Prescribed Standards
At the simplest level, the most important accommodation for closed
systems is to state that the standards and requirements established by
electronic authentication legislation or policies do not affect the terms
of private agreements concerning the use of electronic signatures. To
date, no jurisdiction has made this statement explicitly, although it may
be implicit to some degree in legislation that does not require licensing
of CAs. This is not to say that legislation can, or should, treat closed
systems equally. As discussed above, several jurisdictions have adopted
certain presumptions that apply only to electronic signatures authenticated
by licensed CAs, or to electronic signatures that satisfy
statutorily-prescribed criteria. Similarly, the right of a CA to limit its
liability will often depend on whether or not it is licensed or
accredited. In practice, these distinctions should not have a significant
effect on closed systems, because these are precisely the types of issues
that can be addressed by contract among the parties. What is important is
that legislation not preclude these types of agreements among parties.
3. Giving Effect to Electronic Signatures in Closed Systems
To the extent that legislation addresses the legal effect of electronic
signatures, it is also important to ensure that the legislation accords at
least a minimum degree of legal recognition to electronic signatures used
within closed systems, such that they can be proven in court in accordance
with whatever standards would ordinarily apply. Of those jurisdictions
that have addressed the legal effect of electronic signatures, only Italy
would appear to deny legal effect, or at least not to affirmatively grant
legal effect, to electronic signatures used within unlicensed closed
systems. As noted above, the draft EU Directive would
prohibit Italy and other Member States from denying legal effect to an
electronic signature solely on the grounds that it is in electronic form,
which would provide at least some legal clarity to the use of electronic
signatures within closed systems. Moreover, signatures that are verified
by a "qualified certificate" within a closed system and that are
executed with a "secure signature creation device" would be
entitled to legal equivalence to a hand-written signature.[22]
4. Accommodating Non-Identity, or "Authority," Certificates
From the standpoint of closed systems, it is also important that
legislation recognize the legal effectiveness of signatures that establish
some authority or attribute of the signer, rather than the signer's
personal identity. Although this issue is not unique to closed systems
(because there may very well be a market for various kinds of
"authority certificates" on open systems), electronic signatures
that are used within a closed system are considerably more likely to
certify authority than identity. In a secure electronic payment system,
for example, the signature confirms the signer's authority to use a
particular credit card number, but does not necessarily establish the
signer's identity. Electronic signatures may also be used in hardware and
software components to identify a device or to prevent copyright offenses,
and industries that rely on these techniques would like such signatures to
have evidential weight.
The draft EU
Directive raises a particular concern, in this regard, because it
requires qualified certificates to be linked to "the unmistakable name
of the holder or an unmistakable pseudonym." Because the Directive
would only obligate Member States to give full legal effect to qualified
certificates, the result is that Member States would apparently not have to
give legal effect to non-identity certificates in judicial proceedings even
if they otherwise satisfied the requirements for a qualified certificate.
Similarly, Singapore
defines a "secure electronic signature" as one that, inter
alia, is capable of identifying the signer. The effect of these
provisions will be to make it more difficult, if not impossible, to
establish the legal validity of non-identity certificates and to enforce
transactions that are authenticated by non-identity certificates.
VI. Cross-Border Recognition
One of the greatest risks posed by the current flurry of legislative
interest in electronic signatures is that national legislation will
actually inhibit the use of electronic signatures in international
commerce. There are two distinct but closely interrelated ways in which
this could happen. First, if electronic signatures and the CAs who
authenticate them are subject to conflicting legal and technical
requirements in different jurisdictions, it may be difficult or impossible
to use electronic signatures in many cross-border transactions, simply
because the conditions for their use have not been satisfied in one or more
jurisdictions. These are substantive conflicts that many believe
give rise to the need to harmonize international standards.
The second way in which legislation can inhibit the use of electronic
signatures in international commerce (and the subject of this section) is
the means by which national authorities grant recognition to foreign
electronic signatures and certificates. So far, every jurisdiction to
consider the matter has incorporated some assessment of the standards
adhered to by the foreign CA, so the issue is inextricably related to the
broader question of conflicting national standards. At the same time,
legislation may also impose other geographic or procedural limitations that
prevent cross-border recognition of electronic signatures.
Licensing requirements are a pivotal issue. To the extent that a
jurisdiction requires a CA to be licensed, or to adhere to particular
standards notwithstanding its status as a licensee, this could be construed
to mean that any CA that issues a digital certificate in that
jurisdiction - or that even confirms the validity of a digital certificate
to someone in that jurisdiction - is required to abide by those
conditions.[23] This raises the
possibility that a CA would have to obtain licenses in many different
jurisdictions, which would certainly be costly and could very well be
impossible in particular circumstances, if licensing conditions were not
substantially the same.
The Malaysian
legislation, for example, could be interpreted to require any CA operating
in Malaysia to be licensed. As discussed above, however, the legislation
also contains provisions that appear to recognize the legality of
unlicensed CAs. Thus, it is simply not clear whether an unlicensed foreign
CA would be subject to possible criminal prosecution for issuing or
validating a digital certificate in Malaysia. The Malaysian legislation
also provides that the Controller of Certificate Authorities may recognize
CAs "licensed or otherwise authorized by governmental entities outside
Malaysia that satisfy the prescribed requirements." Thus, to the
extent that Malaysia would recognize foreign CAs at all, it would only do
so for regulated foreign CAs - thereby denying recognition to
unlicensed CAs or CAs from jurisdictions that have chosen, as a matter of
policy, to forgo any licensing scheme for CAs.
In the case of Italy and Germany, both geography and standards pose
potential obstacles to cross-border recognition. The Italian
legislation limits cross-border recognition to foreign CAs that satisfy
"equivalent requirements" and that are from another EU Member
State or from a member state of the European Economic Area
("EEA"). Thus, foreign CAs outside of the EU and EEA cannot be
recognized. Similarly, the German legislation recognizes foreign
certificates so long as the issuing CA is from an EU or EEA Member State
and has demonstrated "an equivalent level of security." Because
Germany has adopted extremely stringent technical standards for the use of
digital signatures - for example, by requiring that private keys be stored
on smart cards - many foreign CAs will be unable to demonstrate "an
equivalent level of security." The German legislation also provides
that foreign CAs may be recognized pursuant to an international agreement.
In time, both the Italian and German provisions are likely to be
overtaken by whatever cross-border provision the EU ultimately adopts in
its electronic authentication directive. At present, the draft EU Directive
provides that a Member State must recognize a foreign CA if (1) the foreign
CA has been accredited under a voluntary licensing scheme established by a
Member State; (2) a CA established in a Member State guarantees the foreign
CA's certificates to the same extent as its own; or (3) the foreign CA is
recognized by an international agreement between the EU and a third country
or countries. This provision is significantly more accommodating than the
German and Italian legislation, but would still require a foreign CA either
to become accredited in a Member State or to enter into a
cross-certification arrangement with an accredited CA (absent an applicable
international agreement to the contrary).
VII. International Initiatives
The problem of cross-border recognition directly implicates the broader
question of whether the international community should adopt international
standards concerning electronic authentication, and the means by which it
should do so. Divergent national standards, as well as other types of
regulatory obstacles, are likely to cause a significant drag on the use of
electronic signatures in global electronic commerce. Uncertainty
concerning the legal effect of electronic signatures, conflicting licensing
regimes, conflicting operational and technical requirements for CAs,
uncertain liability exposure - all of these factors are likely to impede
the cross-border use of electronic signatures. Several initiatives are
underway to develop international standards to overcome these obstacles.
1. European Union Draft Directive
The most significant of these initiatives, and one that has been
discussed throughout this paper, is the EU draft Directive on
Electronic Signatures. If adopted in its present form, the Directive would
obligate the 15 members of the European Union to enact national legislation
implementing the Directive's requirements by January 1, 2001. The
Directive would harmonize national policies concerning electronic
authentication and the recognition of electronic signatures across a
diverse range of national legal systems. Although the Directive is not yet
final, it has already had a significant impact on those Member States that
are actively considering electronic authentication legislation. Some
countries have apparently decided to await the final outcome of the
Directive before considering national legislation. At the same time, there
remain significant differences of opinion over the Directive - including,
for example, the means by which CAs would certify their compliance with the
Annex II and Annex III standards - so it is by no means certain what the
final contours of the Directive will be.
2. UNCITRAL
In December 1996, UNCITRAL adopted the Model
Law on Electronic Commerce to create a general framework for paperless
transactions. As discussed above, Article 7 of the UNCITRAL Model Law
establishes a broad, criteria-based standard for the recognition of
electronic signatures as equivalent to hand-written signatures, and that
provision has proven influential in several jurisdictions.
Building upon that work, the UNCITRAL Working Group on Electronic
Commerce is now developing uniform rules that relate more specifically to
electronic signatures and the operation of certificate authorities. As
discussed above, the current draft of the UNCITRAL uniform
rules adopts the two-tier approach to electronic authentication
legislation, giving legal effect to a broad class of electronic signatures
while granting more specific presumptions to electronic signatures that
satisfy more stringent criteria. The Working Group continues its
consideration of uniform rules for the operation of certificate authorities,
including issues related to liability, operational requirements for CAs, and
standards for cross-border recognition.
Recently, the Working Group has also started to consider an alternative
draft set of uniform rules, WP.80, which would limit itself to a minimal
set of requirements designed to give legal effect to electronic
signatures. WP.80 is, in fact, part of an effort to bridge some fairly
significant differences of opinion among the countries participating in the
UNCITRAL talks. As of this writing (early February, 1999), it is
impossible to predict whether WP.80 or some other initiative will be
sufficient to hold the UNCITRAL talks together and produce a final set of
rules.
3. Proposed International Convention
While the UNCITRAL process has proven extremely worthwhile, its
objective is to develop uniform rules that governments may consider - but
are by no means obligated to adopt - when drafting national legislation.
In contrast, an international convention would bind signatories to
recognize the principles and requirements contained in it. The United
States Government has circulated an early draft of such a convention, and
several other governments have expressed support for the idea.
4. Organization for Economic Cooperation and Development
In conjunction with the Ottawa Ministerial meeting on electronic
commerce, held in October 1998, the OECD
issued a comprehensive inventory of electronic authentication legislation
and policies in the OECD member countries, and adopted a Declaration on
Authentication for Electronic Commerce. The principles set forth in the
Declaration generally encourage electronic authentication policies that
minimize government regulation, support technological neutrality, and
recognize party autonomy.[24] The
Declaration also recognizes "the potential impact that diverse
national solutions for electronic authentication could have on the
development of global electronic commerce," and encourages countries
to "take a non-discriminatory approach to electronic authentication
from other countries."
The OECD is continuing its work in this area through a workshop on
authentication issues to be held in California in June 1999.
5. Other International Organizations
In addition to UNCITRAL and the OECD, a number of other international
organizations have been involved in international electronic authentication
issues:
- The International Chamber of Commerce has issued a General Usage for
International Digitally Ensured Commerce ("GUIDEC"), which attempts
to create a general framework for the use of digital signatures in
international commercial transactions (i.e., for international
business-to-business transactions). GUIDEC seeks to draw upon existing law
and practice in different legal systems to identify and promote general
principles for the use of digital signatures in international commerce.
- The Public Key Authentication Task Group of Asia-Pacific Economic
Cooperation (APEC) issued a preliminary
report in September 1997, which surveys the range of issues associated
with electronic authentication legislation and recommends international
coordination in numerous areas to avoid interoperability and trade
obstacles.
Footnotes