Legislating to facilitate electronic signatures and records: exceptions, standards and the impact on the statute book





1998 UNSW Law Journal


LEGISLATING TO FACILITATE ELECTRONIC SIGNATURES AND RECORDS: EXCEPTIONS, STANDARDS AND THE IMPACT ON THE STATUTE BOOK

Mark Sneddon*


INTRODUCTION1

Many jurisdictions around the world are considering enacting legislation to facilitate electronic transactions, both commercial and with government. There are several models of this type of legislation, involving different degrees of legal and regulatory change, which are described in more detail below.

The simplest model of this type of legislation is essentially facultative. It seeks to remove legal obstacles to electronic transactions presented by existing form requirements for writing and signature and rules of evidence that might exclude or discriminate against electronic records or electronic authentication of records. It does this by providing that electronic records satisfy form and evidence requirements for writing and that the electronic authentication of records satisfies form and evidence requirements for signature. Most laws of this kind aspire to be technology neutral, that is, they do not seek to advantage or disadvantage any particular technology for electronic records or electronic authentication of records.

The simplicity of concept behind this type of law can disguise its potentially wide-ranging effect across the statute book and the difficulties in determining:

  1. the transactions to be included in the scope of operation of the law;

  2. the existing form requirements for manual signature and writing (if any) which should be excepted from the scope of the law because their underlying policy objectives would not be satisfied by electronic authentication methods and electronic records;

  3. the need for government agencies to have a managed process to implement the receiving, processing and issuing of electronic records with electronic authentication; and

  4. the need to set standards and process controls for the use of electronic records and electronic authentication to ensure that the policy objectives of existing form requirements and the administrative needs of government agencies are met; and to address the tension between the setting of standards and the desire to legislate in technology neutral terms, so as not to distort technical innovation or market development.

This article reports on a research project that was undertaken to evaluate the impact of a proposed facultative electronic transaction Bill2 on the statute book of the State of Victoria. The project analysed the effect of the Bill on existing requirements for both signature and writing on physical media, in a selection of the principal transaction-related statutes (and in a selection of their related subordinate legislation) in the Victorian statute book. The methodology, analysis and findings are described. Analysis and comment is provided in relation to issues 2 to 4 above. The discussion of the project is deliberately generalised so as to be relevant to most facultative electronic transaction statutes, not just the particular drafting of the proposed Victorian Bill.3

Part 1 of the article provides background description and analysis of electronic transaction law reform. In this Part, section A defines terms relating to electronic records and electronic authentication. Readers familiar with this material may wish to proceed to section B, which considers the fundamental legal and commercial issues that retard confidence in electronic transacting. Section C outlines the different types of legislation that can be enacted to deal with electronic transactions. Section D provides a brief account of facultative law reform work in Australia to date by the Federal and Victorian governments, including the relevant text of the proposed Victorian Bill.

Part 2 of the article describes the research project which was conducted into the effects of the proposed Victorian facultative electronic transaction Bill on a sample of Victorian Acts and regulations. This Part:

  • analyses the policy objectives underlying form requirements for manual signature and writing on physical media;

  • describes the methodology used to identify existing form requirements in a sample of Victorian Acts and regulations, and to classify those requirements by underlying policy objectives;

  • presents the findings of that analysis;

  • considers the appropriate types of exceptions to a facultative electronic transaction statute (including the setting of standards and process controls) to ensure that electronic authentication and electronic records satisfy the policy objectives underlying existing form requirements; and

  • considers options for the managed implementation of electronic transaction statutes in government agencies (including the setting of standards and process controls).

PART 1: ELECTRONIC TRANSACTION LAW REFORM

A. Definitions of Terms

This section briefly explains the concepts of electronic records, electronic authentication of records, message integrity and some particular authentication methods, including digital signatures based on public/private key encryption and supported by certification authorities. The description is necessarily brief and more detailed explanations can be found in other articles in this symposium and elsewhere.4

(i) Electronic Messages and Electronic Records

An ‘electronic message’ is a communication from one person or thing (in this context usually a computer) to another by electronic means. ‘Electronic record’ is the broader term, encompassing electronic messages but also including data records not intended to be sent to another, such as file notes, diary entries and accounts.

(ii) Authentication

‘Authenticate’ means to establish the genuineness, validity or credibility of a statement or reputed fact. For precise usage, it is necessary to identify the fact(s) or statement(s) sought to be authenticated. For example, in the context of electronic messages, the expression ‘sender authentication’ is often used. ‘Sender authentication’ commonly means authentication of the identity of the sender of a message and of that person’s intention to associate himself or herself with the content of the message. But it might mean authentication of some attribute of the sender instead of, or in addition to, the identity of the sender (for example a status such as a doctor or a licensed driver or an enrolled student, financial standing, or authority within an organisation to make the statements in the message). Other facts that may be authenticated are the identity of the computer that sent the message or the routing of the message.

If the intention of the electronic signer is sought to be authenticated, it must be recognised that a person may have one or more of a number of possible intentions in applying an electronic authentication method to a record, just as a person manually signing a written record may have one of a number of possible intentions (for example to indicate authorship of the record, to adopt the content of a record as binding upon the signer, to verify the content of the record made by another, to indicate that the record has been completed properly, to indicate that the signer has seen the record).5

(iii) Electronic Signatures

Used broadly, an ‘electronic signature’, in relation to an electronic record, is any means of electronic authentication of the identity of a person and of the intent of that person to be associated with that record. The term ‘electronic signature’ has no universally accepted meaning and is variously defined in different statutes.

A range of electronic authentication methods, of varying security and reliability, is available for a person to authenticate an electronic record. Examples include a typed name at the end of an email, a personal identification number and the swiping of a magnetic stripe card (EFTPOS), inserting a chip card in a reader, typing passwords, transmitting a digitised form of a manual signature, encryption of the message using a secret key, and biometric identifiers (fingerprint, face, voice recognition, retinal scan and signature dynamics such as the speed and pressure of the person’s manual signature). Other methods will be developed over time.

(iv) Authentication and Symmetric and Asymmetric Encryption

Encryption of a message may be achieved using a secret ‘symmetric’ key or code, symmetric because the same key is shared by, and known only to, the sender and the intended recipient. In that case, presumptive authentication is achieved by the recipient reasoning that, if the message can be decrypted using the key and assuming the security of the key was not compromised, the message was sent by the other person who knows the key.

Encryption of a message may also be achieved using ‘asymmetric key encryption’. This relies on the generation of a pair of different keys which are mathematically related but which (in the current state of cryptography) cannot be derived from one another. The keys have the property that a record encrypted with one key can only be decrypted using the other paired key. One key in the pair is kept private to the key holder and the other is published to the world together with information identifying the key holder to whom the paired private key belongs. If the private key holder encrypts a message with that private key, the message can be successfully decrypted only with the paired publicly available key. If the recipient of a message can successfully decrypt the message using the public key, then the recipient can assume that the message was encrypted using the paired private key and, on the assumption that the private key holder has kept the private key secret, that the message was encrypted by the identified private key holder.

Both systems of authentication are based on the assumed non-compromise of a key.

(v) Message Integrity

‘Message integrity’ means that the form of the message received is the same as that sent. Currently, the best available means of ensuring message integrity in open networks is digital signatures, which use asymmetric encryption of message fingerprints (one way hash functions).

(vi) Digital Signatures

‘Digital signatures’ are a particular type of electronic signature and are based on public/private key encryption.

Instead of encrypting the whole message with the private key, the sender can use a widely available hash algorithm to compute a hash value (a fixed-length character string) that is, in practice, unique to the message. Any change in the content of the message, no matter how small, will produce a change in the hash value. The private key can be used to encrypt that hash value. The encrypted hash value is the digital signature to that message, tying the private key to that particular message’s content. (The message itself need not be encrypted and can be sent ‘in the clear’ with the digital signature appended.)

The recipient of the message can independently compute the hash value of the message sent in the clear. The recipient can then decrypt the digital signature using the sender’s public key to determine the sender’s calculated hash value. If the two hash values disagree, the message has been altered since it was digitally signed. If they match, then the recipient is assured of message integrity and authentication of sender identity.
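The hash-then-sign and verify steps just described, as an added example written for this discussion (not code from the article or from any framework it cites). It uses Go's standard RSA and SHA-256 packages; the message text and both key pairs are constructed for the example, and the "impostor" key simply stands for any private key other than the sender's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign computes the fingerprint (SHA-256 hash) of msg and encrypts it with
// the sender's private key. The result is the digital signature described
// above; the message itself is left in the clear.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the fingerprint of the message as received and checks it
// against the fingerprint recovered from the signature using the sender's
// public key. It returns true only if the message is unaltered and the
// signature was made with the private key paired to pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome records whether each of three deliveries verified.
type Outcome struct {
	Unaltered, Altered, WrongKey bool
}

// Scenario exercises the cases the text describes: an unaltered message
// verifies; a message changed in transit (here by a single digit) does not;
// and a signature made with someone else's private key does not. The message
// and both key pairs are constructed for this example.
func Scenario() (Outcome, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Transfer $1000 to account 12345678")
	sig, err := Sign(sender, msg)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := Sign(impostor, msg)
	if err != nil {
		return Outcome{}, err
	}
	altered := []byte("Transfer $9000 to account 12345678")
	return Outcome{
		Unaltered: Verify(&sender.PublicKey, msg, sig),
		Altered:   Verify(&sender.PublicKey, altered, sig),
		WrongKey:  Verify(&sender.PublicKey, msg, forged),
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unaltered: %v, altered: %v, wrong key: %v\n", out.Unaltered, out.Altered, out.WrongKey)
}
```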

(vii) Certification Authorities

Certification authorities are a necessary part of a private/public key infrastructure. These bodies:

  • keep a record of the public key and link that key to the identity of the private key holder;

  • issue certificates certifying that the public key belongs to the stated person/entity (a sender may include the certificate with a message);

  • maintain a Certificate Revocation List (checkable on-line) containing information on compromised or revoked private key/holder links; and

  • may issue certificates about other attributes of key holders such as credit rating, membership or access status.
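The first three functions listed above, as an added example that is not from the article: a constructed in-memory certification authority (built with Go's standard x509 library) self-signs a root certificate, issues a certificate linking a key holder's public key to a name, keeps a revocation list, and a recipient who trusts only the root accepts or rejects a signed message on that basis. The authority and holder names and the message are placeholders; attribute certificates (the fourth bullet) are not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed in-memory certification authority: its signing key,
// its self-signed root certificate and a revocation list keyed by serial.
type CA struct {
	key     *rsa.PrivateKey
	Cert    *x509.Certificate
	revoked map[string]bool
	serial  int64
}

// certTemplate builds the fields common to root and key-holder certificates.
func certTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// NewCA generates the authority's key pair and self-signs its root certificate.
func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := certTemplate(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, Cert: cert, revoked: map[string]bool{}, serial: 1}, nil
}

// Issue links a public key to its named holder by signing a certificate for it.
func (ca *CA) Issue(holder string, pub *rsa.PublicKey) (*x509.Certificate, error) {
	ca.serial++
	der, err := x509.CreateCertificate(rand.Reader, certTemplate(ca.serial, holder), ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke lists a certificate as revoked; IsRevoked is the on-line revocation check.
func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }
func (ca *CA) IsRevoked(cert *x509.Certificate) bool { return ca.revoked[cert.SerialNumber.String()] }

// SignMessage is the sender side: the SHA-256 fingerprint encrypted with the private key.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// AcceptMessage is the recipient side. Trusting only the root certificate, it
// checks that the sender's certificate chains to that root and is not revoked,
// then that the signature matches the message; it returns the certified identity.
func AcceptMessage(root *x509.Certificate, isRevoked func(*x509.Certificate) bool,
	sender *x509.Certificate, msg, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sender.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if isRevoked(sender) {
		return "", fmt.Errorf("certificate %s is revoked", sender.SerialNumber)
	}
	if err := sender.CheckSignature(x509.SHA256WithRSA, msg, sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return sender.Subject.CommonName, nil
}
```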

(viii) Public Key Authentication Framework

It is expected that there will be many certification authorities and these authorities will need either to certify each other in a hierarchical structure with a root authority, or cross-certify each other across a flatter structure. The licensing and regulation of certification authorities, the relationship structure of authorities, the existence and powers of a root authority, policies for cross-certification and for issuing certificates and the forms of certificates are all matters that are dealt with in a ‘Public Key Authentication Framework’. Standards Australia has proposed such a framework for Australia.6 The Federal Government has established such a framework for digital signature use by and with Federal Government agencies.7 The National Office for the Information Economy has recently released a Discussion Paper on Establishment of a National Authentication Authority.8

B. Basic Legal and Commercial Issues in Electronic Transactions

There are many legal issues in electronic transactions but the principal issues which are retarding user confidence in conducting transactions electronically and which could be remedied by appropriate law reform are as follows:

(i) Doubts as to the Legal Efficacy of Electronic Records and Electronic Authentication

Preferably, electronic records and electronic authentication should be as effective as written messages and manual signatures, including for contract formation. This means that they should:

  • satisfy legal form requirements for writing, signature and originals;

  • be admissible in evidence; and

  • satisfy statutory record retention requirements.

(ii) Uncertainty of Application of Existing Legal Rules

This includes the time and place of receipt of electronic messages.9

(iii) Risk of Fraud and Error in Electronic Messages

This is sometimes described as the ‘non-repudiation’ issue. As in paper-based transactions conducted at a distance, there are risks that a message has not in fact been sent by the apparent sender, that the message may have been altered in transit, and that the apparent sender therefore may repudiate the message, leading to loss if the message has been relied upon by a recipient. The technical management of these risks requires a technical means to reliably authenticate the message sender’s identity and the sender’s intent to approve or otherwise associate himself or herself with the message content and to guarantee message integrity. The legal allocation of risk of loss caused by unauthorised or altered messages as between the apparent sender and the recipient in paper-based transactions is determined by the general law of agency and, in some cases, by contract between the parties. The same legal mechanisms will operate for electronic transactions and, in some law reform models, are supplemented by new legal rules.10

C. Types of Electronic Transaction Law Reform

Three types of electronic transactions law reform can be distinguished:11

(i) Facultative laws

These are intended to make electronic records as legally effective as written records and electronically authenticated records as legally effective as manually signed records. Laws of this type deal with issue 1 above and sometimes with issues 2 and 3. These laws can be sub-divided into those that:

  • are technology neutral, that is they do not seek to advantage or disadvantage any particular technology for electronic records or electronic authentication of records. While the laws may set minimum standards for acceptable electronic records or authentication systems, these standards are not tied to any particular technology. Because of the commitment to technology neutrality, the same legal consequences are assigned to all electronic records or authentication systems which meet the minimum standards.

  • distinguish between different technologies for electronic records or signatures for the purpose of attributing different legal consequences to the different types. As the ECEG Report notes, these laws involve two elements: (a) a means of distinguishing different types of electronic records or signatures; and (b) the assigning of certain legal consequences to only those electronic records or signatures which meet the definition or standards.12

(ii) Laws which Regulate Particular Authentication Technologies and Infrastructures

Most, if not all, laws in this group regulate some aspect of digital signatures based on public and private key encryption and the supporting public key authentication framework (PKAF), for example:13

  • the establishment of a national peak body which may set standards and policy for a national PKAF and be a root certification authority;

  • licensing and regulation of certification authorities;

  • cross-certification between authorities, including cross-border; and

  • allocating or limiting the liability for unauthorised or altered messages between key owners, recipients who rely on certificates and certification authorities.

(iii) Laws which Extend or Adapt Existing Regulation of Transactions to Cover Electronic Transactions

Examples include laws concerning electronic transactions in the context of taxation, industry licensing and regulation, privacy, consumer protection, law enforcement and interception of communications.

This article is concerned with facultative law reform of type (i).

D. Facultative Electronic Transaction Law Reform in Australia

(i) Federal Attorney-General’s Expert Group on Electronic Commerce

The Federal Attorney-General’s Expert Group on Electronic Commerce presented its report, Electronic Commerce: Building the Legal Framework on 31 March 1998 (the ECEG Report).

The ECEG Report recommends federal legislation to remove existing legal obstacles to electronic transactions and to reduce the legal uncertainty surrounding the use of electronic messages and electronic signatures for transactions. The ECEG Report recommends that the legislation should be broad in its operation, covering all data messages in trade and commerce and all data messages used in transactions with government (for example tenders, permit applications, filing, benefits processing), subject to the development of some categories of exceptions (possible examples include wills, negotiable instruments, some consumer transactions).

Three broad aims underlie the ECEG Report:

  • Functional Equivalence: as far as possible, paper-based commerce and electronic commerce should be treated equally by the law;

  • Technology Neutrality: the law should not discriminate between forms of technology; and

  • Facilitation of International Harmonisation and Standards: by broadly following the framework of the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce with some amendments.

Following these aims, the ECEG Report does not try to pick technological winners or prescribe detailed rules for particular technologies, such as digital signatures relying on asymmetric public key encryption and certification authorities. In other jurisdictions which have legislated to give digital signatures some legal preference over other authentication methods, such as Utah and Malaysia, the legislation has had to be highly prescriptive as to standards in order to responsibly confer preferential legal benefits and the market has so far been reluctant to utilise these prescriptive regimes. On the contrary, certification authority businesses have emerged in jurisdictions without prescriptive and preferential legal rules.

The ECEG Report follows the framework of the UNCITRAL Model Law on Electronic Commerce and recommends the adoption of provisions based on the Model Law with some amendments and omissions. The main recommendations of the ECEG Report are as follows:

  • Legal Effect: Information, records, signatures, messages and contracts are not to be denied legal effect solely on the ground that they are in electronic form.

  • Writing: Information in the form of an electronic data message is sufficient to satisfy any legal requirement that information be in writing.

  • Signature: Where the law requires the signature of a person, that requirement is met in relation to an electronic data message if a method is used to identify that person and to indicate their approval of the contents of the message and that method is as reliable as is appropriate for the purpose (such as a password, PIN or digital signature).

  • Originals: Legal requirements for information to be presented or retained in its original form are satisfied by an electronic form of that information which can be displayed and which reliably assures the integrity of the information.

  • Evidence: Information in the form of an electronic data message is not to be denied admissibility in evidence on the sole ground that it is a data message.

  • Record Retention: Legal requirements for retaining records (for example under tax or corporations law) can be satisfied by retaining electronic data messages subject to satisfying conditions of reliability and identification of place, time and date of origin and receipt.

  • Time and Place of Dispatch and Receipt: Rules are proposed to make certain when and where electronic messages are sent and received (for example at an Internet service provider’s server, in an electronic mailbox or when read).

  • Forged Signatures and Altered Messages: The common law position applies that a person is bound by a message which is sent by that person or with their authority. Following the principle of functional equivalence with paper-based commerce, no special legislative rules are created to presume the attribution of a message to the apparent sender and the non-alteration in transit of data messages.

After a period for public comment, the Federal Government decided that the report generally provided a sound basis for the development of legislation. However, the Government decided that this legislation should not be federal, partly because of doubts over the constitutional power to enact such legislation under s 51(v) of the Constitution. Instead, the Government decided to develop a uniform model law for enactment in all Australian jurisdictions in consultation with the States and Territories through the Standing Committee of Attorneys-General.14

(ii) Victorian Electronic Commerce Framework Bill

In 1997, the Victorian Minister for Multimedia established the Electronic Business Framework Group within the Office of Multimedia in the Department of State Development Victoria. The Group proposed that Victoria enact an Electronic Commerce Framework Bill (ECFB).15 A Discussion Paper outlining the content of a draft Bill was made available for public comment in July 1998.16 Following the comment period and further consultation within government, it is likely that the Bill will be redrafted and Cabinet approval sought for introduction into Parliament.

The main effect of the Bill is to provide that electronic signatures, subject to some exceptions, satisfy legal form requirements. The principal provisions in the Discussion Paper draft of the Bill are as follows:

3. Definition

In this Act, ‘electronic signature’, in relation to a person, means a process applied by the person to a document in electronic form:

(a) by which the document is authenticated by that person; and

(b) which contains an acknowledgment that the document is being signed.

4. Electronic signature instead of manual signature

(1) Where, by or under an Act or law, the signature of a natural person is required in relation to a matter, the electronic signature of the person in relation to that matter is, in the absence of evidence to the contrary, deemed to satisfy the requirement.

(2) The mere requirement for ‘writing signed by a person’ is not by itself sufficient to exclude the operation of sub-section (1).

(3) Unless an Act or law expressly authorises the use of an electronic signature, sub-section (1) does not apply to a requirement by or under an Act or any rule of law relating to:

(a) the creation, execution or revocation of:

(i) a will, a codicil or any other testamentary instrument; or

(ii) a trust; or

(iii) a power of attorney; or

(b) an affidavit or declaration; or

(c) the disposition or acquisition of an interest in real property; or

(d) process in a court, subject to a rule of the court to the contrary; or

(e) a negotiable instrument; or

(f) a prescribed document or a document belonging to a prescribed class of documents.

This Bill is clearly in the class of facultative laws for electronic transactions and is technology neutral.17

(iii) Unresolved Issues in Facultative Law Reform for Electronic Transactions18

There are several outstanding issues in facultative electronic transaction law reform, of which three are addressed in this article:

  • Scope (Inclusive and Exclusive): The determination of the inclusive scope of facultative electronic transactions laws and of exceptions to such laws has proved very difficult all over the world.19 The Electronic Commerce Expert Group recommended that facultative legislation should have a broad inclusive scope, applying to data messages in trade and commerce or with government. But the Group recognised and recommended that further work was needed as to the exceptions that should be specified from the scope of the legislation.20

  • Technology Neutrality and Standards: The Electronic Commerce Expert Group recommended that legislation should be based upon the principle of technology neutrality, recognising that in a number of instances, such as electronic signatures, pursuing neutrality will necessarily limit the ability to ascribe specific legal consequences to the use of the mechanisms.21 This recommendation precludes favouring particular technologies. But it leaves unaddressed the issue of standards and process controls that may be imposed to satisfy particular legislative policy requirements as to form or record-keeping or particular needs of government administration.

  • Managed Implementation for Government Agencies: Government agencies need to receive, process and issue a wide range of records to a wide range of persons. They need a mechanism for setting standards and process controls as to the types of records and electronic authentication processes which they will receive and process and which they will issue.

