Electronic Signature Legislation

Contents

A) Introduction

B) Requirements for e-commerce

C) Legislative approaches
1) Prescriptive
2) Criteria-based
3) Signature-enabling

D) Electronic Transactions Act 1999 (Cth)

E) Trust and the role of third parties
1) Public key infrastructure
2) Certification authorities
3) Key security and allocation of risks

F) Discussion

G) Recommendation

Bibliography

Abbildung in dieser Leseprobe nicht enthalten

Electronic Signature Legislation

A) Introduction

As technology develops and the use of computers continues to increase, businesses and people will enter into increasing numbers of contracts based more and more on electronic communications. Electronic commerce though is a broad term that encompasses electronic data interchange (EDI), on-line retailing, and electronic funds transfer (ETF) among other types of transactions.

This paper is intended to discuss the need of a more detailed legislation for the Australian Electronic Transaction Act (Cth) 1999 (ETA) in relation to digital signatures. The Key question of this assignment is, if the details of an electronic signature framework should be specified by statute, left to regulation by administrative agencies or simply left to the marketplace.

Firstly I will describe the different legislative approaches of jurisdictions around the world. Then I’ll have a closer look at the Australian ETA and try to classify them in one of the categories. An analysis of the ETA follows and I will point out the advantages and disadvantages of this Act. Following is a discussion about which legislative approach – explained earlier – is preferable and if there is need for a more detailed legislation for Australia. Furthermore the issues of trust and the rule of third parties in relation to digital signatures are debated. A very important issue in this context involves the allocation of liability and risk of persons using digital signatures, including certification authorities. At the end I recommend the most suitable approach for the Australian Federal Government.

B) Requirements for e-commerce

In a paper-based world, a signature is probably the most important mechanism for improving reliability and reducing the risk of repudiation. To facilitate e-commerce a mechanism is required to reliably and securely prove the origin, receipt, integrity of information. Furthermore it is needed to identify the parties involved and to associate those parties with the contents of the communication. If the mechanism achieves these goals parties involved in transactions are enabled to assess any associated risk – such as there is a likelihood of the transaction being able to be successfully completed, whether it can be repudiated or challenged, and whether the recipient will have legal recourse in such circumstances. The crucial factor is trust, which is an important element of any commercial transaction and one that is traditionally established over time.

The main issue for e-commerce is how to build confidence in electronic transactions on open networks between parties that have no pre-existing relationship^[1]. Cryptography has been the traditional answer to this issue of ensuring authenticity. But there have been considerable concerns about the legal status of electronic authentication methods.

C) Legislative approaches

A number of jurisdictions have already enacted legislations having the purpose of promoting electronic commerce, or at very least, legitimising certain technology that is generally identified as electronic signature technology, including specifically digital signature technology. According to the Internet Law and Policy Forum (ILPF) and the report of the Electronic Commerce Expert Group for the Commonwealth Attorney-General^[2] there are three categories of approaches to legislation^[3].

1) Prescriptive approach

ILFP describes the prescriptive approach as ´[…]a comprehensive effort that seeks to enable and facilitate electronic commerce with the recognition of digital signatures through a specific regulatory and statutory framework. It establishes a detailed PKI licensing scheme (albeit voluntary)´^[4]. Furthermore it establishes rules for: recognition and validity of digital signatures; on licensing of certification authorities; on issuance, suspension and revocation of certificates; on reliance limits and issues of liability; and on duties, warranties and obligations of licensed certification authorities, subscribers, third parties and key repositories^[5]. These schemes are helpful in clarifying what amounts to a valid electronic signature^[6].

The leading model for this approach is the Utah Digital Signature Act, which was enacted in 1995^[7] and the German Digital Signature Law 1997^[8]. Furthermore the digital signature law of Italy, Spain and France, and Brazil's OAB draft, follow the prescriptive model at some regulatory level^[9].

The disadvantage of this approach is that it institutionalises a particular technology and discourages research and development in other technologies. Furthermore it also requires constant changes to the legislation as new technologies become commercially acceptable^[10], which implicates costs.

2) Criteria-based approach

This approach has a criteria based definition of a signature, i.e. the definition of what constitutes a legally effective signature incorporates the requirements that the signature must fulfil in order to satisfy security and trustworthiness concerns. But this approach prefers not to rely on licensing schemes in favour of allowing the marketplace to control the particular software and protective schemes the parties adopt. California’s digital signature regime represents this category^[11].

To constitute an acceptable electronic signature under the California Digital Signatures Bill, the signature has to be unique to the person using it, capable of verification, under the sole control of the person using it, linked to data in such a manner that if the data are changed, the signature is invalidated and adheres to the appropriate rules and regulations^[12].

Different from the prescriptive model the criteria-based model itself does not deal with technologies or methods which might satisfy these objective criteria’s. Rather, California has also enacted the Californian Digital Signature Regulations, which set out how various technologies can satisfy these requirements, designating these as “acceptable technologies”. Therefore this model is regarded as being technologically neutral and has proven quite flexible for various state legislators^[13]. The advantage of this model is that the criteria can be expressed in technologically neutral language. But comparing the criteria-based approach with the prescriptive model the criteria have to be stated in broad, general terms, and not as detailed as in a comprehensive legislation. This therefore limits the scope for specifying detailed legal consequences of specific technology. This leads to some grey areas in the law^[14].

[...]

^[1] Electronic Commerce Expert Group 1998, Electronic Commerce: Building the Legal Framework, Report to the Attorney-General, Canberra, 3.1.2-.31.3, http://www.ag.gov.au/agd/WWW/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~11+Feb+ECEG+FULL+DOC+31+March+1998.html/$file/11+Feb+ECEG+FULL+DOC+31+March+1998.html.

^[2] Electronic Commerce Expert Group 1998, Electronic Commerce: Building the Legal Framework, Report to the Attorney-General, Canberra, http://www.ag.gov.au/agd/WWW/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~11+Feb+ECEG+FULL+DOC+31+March+1998.html/$file/11+Feb+ECEG+FULL+DOC+31+March+1998.html .

^[3] A. Gidari, J.P. Morgan and P. Coie, Internet Law and Policy Forum, Survey of Electronic and Digital Signature Legislative Initiatives in the United States, 12 September 1997, p.2; URL: http://www.ilpf.org/groups/digrep.pdf .

^[4] A. Gidari, J.P. Morgan and P. Coie, Internet Law and Policy Forum, Survey of Electronic and Digital Signature Legislative Initiatives in the United States, 12 September 1997, p4; URL: http://www.ilpf.org/groups/digrep.pdf .

^[5] Electronic Commerce Expert Group 1998, Electronic Commerce: Building the Legal Framework, Report to the Attorney-General, Canberra, 3.2.6, http://www.ag.gov.au/agd/WWW/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~11+Feb+ECEG+FULL+DOC+31+March+1998.html/$file/11+Feb+ECEG+FULL+DOC+31+March+1998.html..

^[6] Forder, J. and P. Quirk (2003). Electronic Commerce and the Law, John Wiley & Sons Australia, Ltd, p. 100.

^[7] Electronic Commerce Expert Group 1998, Electronic Commerce: Building the Legal Framework, Report to the Attorney-General, Canberra, 3.2.2-3.2.6, http://www.ag.gov.au/agd/WWW/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~11+Feb+ECEG+FULL+DOC+31+March+1998.html/$file/11+Feb+ECEG+FULL+DOC+31+March+1998.html.

^[8] Forder, J. and P. Quirk (2003). Electronic Commerce and the Law, John Wiley & Sons Australia, Ltd, p. 100.

^[9] Rendeze, A. D. Pedro, The Possible Laws on Digital/Electronic Signature - On the Proposed UNCITRAL Model, http://www.cic.unb.br/docentes/pedro/trabs/laws.htm.

^[10] Forder, J. and P. Quirk (2003). Electronic Commerce and the Law, John Wiley & Sons Australia, Ltd, p. 100.

^[11] Implemented by amendments to the California Government Code, section 16.5 and the Digital Signature Regulation; URL: http://www.gcwf.com/articles/digsig.htm .

^[12] Electronic Commerce Expert Group 1998, Electronic Commerce: Building the Legal Framework, Report to the Attorney-General, Canberra, 3.2.2-3.2.29, http://www.ag.gov.au/agd/WWW/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~11+Feb+ECEG+FULL+DOC+31+March+1998.html/$file/11+Feb+ECEG+FULL+DOC+31+March+1998.html.

^[13] A. Gidari, J.P. Morgan and P. Coie, Internet Law and Policy Forum, Survey of Electronic and Digital Signature Legislative Initiatives in the United States, 12 September 1997, p 7-8; URL: http://www.ilpf.org/groups/digrep.pdf .

^[14] Forder, J. and P. Quirk (2003). Electronic Commerce and the Law, John Wiley & Sons Australia, Ltd, p. 100.