Every form of trade requires trust and confidence among the participants. Electronic contracts are no different and, in fact, they pose special difficulties; for example, electronic documents require a means of signing other than the handwritten signature, which is no longer applicable in the electronic realm. Business-to-business sales often require a business partner to sign a paper document before conducting business online, and this level of trust must be maintained in electronic forms of communication and documentation. A major concern with electronic documents is the origination of the document. The ability to establish the contracting partner's identity, what exactly is agreed upon, the transaction's exact content and when the transaction took place are all components of trust between the partners.
With the dramatic increase in the use of electronic systems and the myriad infrastructures that support electronic commerce, it is easy to see how they are susceptible to a number of business risks. Examples of the potential risks are:
- Direct financial loss resulting from fraud
- Theft of valuable confidential information
- Loss of business opportunity through disruption of service
- Unauthorized use of resources
- Loss of customer confidence or respect
- Cost resulting from uncertainties
- Information being compromised
- Lack of assurance that all contracting parties know that everyone has signed the same contract
In 1999, to ensure consistency and legal validity for implementing electronic signatures for e-commerce, the European Union Commission adopted the EU Electronic Signature Directive (EU Directive). The European Union member countries were to have implemented the directive into their national laws by July 2001. This directive provides a coherent regulatory framework for electronic commerce at a European level to create the right conditions for online transactions. In one of its communications, which gave rise to the directive, the European Commission said, "The European Union simply cannot afford a divided landscape in a field so vital for the economy and society." In September of 2000, the United Nations Commission on International Trade Law (UNCITRAL) adopted legislation called the Model Law for Electronic Signatures (UNCITRAL Model Law). It offers a legislative guide to member countries on the framing of their national electronic signature legislation.
The UNCITRAL Model Law and the EU Directive both contend that in the near future, legal barriers to electronic authentication will be removed. Further, both provide for the freedom of parties to set the terms of authentication by contract, harmonization of the global legal framework applicable to authentication, technological neutrality and a marketplace that drives improvements in electronic authentication technologies and services.
Private and Public Sector Confidence
As indicated, building trust and confidence is essential to winning over businesses and consumers to electronic commerce. It implies the deployment of secure technologies, such as digital signatures, digital certificates and secure electronic payment mechanisms, and a legal framework to support these technologies. As organizations implement electronic signatures to do business on the Internet, many questions have been raised by the private and public sectors. For example, many chief information officers (CIOs), chief executive officers (CEOs), chief technology officers (CTOs) and IT consultants are aware of the importance of electronic or digital signature requirements in countries around the world where electronic commerce initiatives exist or are planned. However, they also would like to know how the legislation of various countries compares with or deviates from the UNCITRAL Model Law. The most frequently asked questions include:
- Which countries have enacted a national legislation regarding electronic signatures?
- Is there any difference between the UNCITRAL Model Law on Electronic Signatures and the EU Electronic Signatures Directive?
- Where can copies of national legislation on electronic signatures, the UNCITRAL Model Law and the EU Directive be found?
- Of what contents of the UNCITRAL Model Law and the EU Directive should organizations initiating or fulfilling trade be aware?
- If there is no national legislation on electronic signatures where the organization resides, when conducting business on the Internet, is it required to adhere to the laws established by the trading partner country?
- What are the required electronic signature technologies and international standards?
- Where can information on topics such as accreditation and certification authority requirements (applicable to the trade's initiating and fulfilling organizations) be found?
- What is the difference between an electronic signature and a digital signature?
- While adhering to the electronic signature law, how is it guaranteed beyond the shadow of a doubt that someone is a real person?
- What is the personal responsibility in maintaining a trusted system and maintaining a reasonably secure environment from intrusion and misuse?
The Digital Signature Legislation Research Project
Research on electronic signature legislation globally has been conducted and results published on the web sites of several renowned legal counsels and researchers, including Stewart Baker of Steptoe & Johnson LLP; Bert-Jaap Koops and Simone van der Hof of Tilburg University, Netherlands; and Juan Avellan, researcher at the Information Technology Law Unit, Queen Mary and Westfield College, University of London. However, there is limited information summarizing electronic signature law implementation across all countries, specifically in the following areas:
- Legal requirements for electronic signatures and handwritten signatures
- Definition of or limitation on liability for the sender, receiver or the certification service provider
- Geographic or procedural limitations that could prevent cross-border recognition of electronic signatures
- Provisions for preserving relevant electronic records
- Provisions for nonrepudiation
- Electronic signatures archived by the law enforcement authorities/agencies
- Provisions for shared secret signature of a corporation or other artificial legal entities
The Research Board of the Information Systems Audit and Control Foundation performed research, which included a survey on the issue, to provide CIOs, CEOs, CTOs, consultants, business architecture managers, system integrators and control professionals with key information regarding the national legislation of selected countries. The research also highlights some of the input from the ISACA chapters, academia and IT professionals that participated in the research and answered the survey.
The main focuses of the survey included:
- Providing a reference point on the status of electronic signatures legislation implementation in the selected countries and determining where additional information regarding specific country legislation on electronic signatures can be obtained
- Determining whether the specific country legislation:
  - Defines the requirements for electronic signatures the same as the legal requirements for handwritten signatures
  - Recognizes foreign certificates and electronic signatures, and whether any geographic or procedural limitations prevent cross-border recognition of electronic signatures
  - Defines or limits the liability of the sender, receiver or the certification service provider
Status of the Electronic Signatures Legislation Enactment
While the UNCITRAL Model Law was approved in September 2000 and the EU Directive required member states either to adapt existing law or to implement the EU Directive on or before July 2001, one of the most frequently asked questions today is: Which countries have enacted an electronic signatures law?
This research was based on a review of the legislation status of 70 countries between July and October 2001 and on publications by Baker & McKenzie.[1][2] As depicted in figure 1, 50 of the countries reviewed have enacted some form of law that covers electronic and digital signatures. The remaining 20 countries either have legislation pending or have no legislation pertaining to electronic or digital signatures.
A review of the EU member country laws notes that all have either incorporated the EU Directive into their existing country legislation or have developed new legislation based on the EU Directive. Besides country-level electronic and digital signature law, some countries also have electronic and digital signature laws enacted by states or provinces within their borders. For example, as of October 2001, 48 of the 50 states within the US had enacted electronic signature laws, in addition to the National E-sign Law. The two states without electronic and digital signature laws are New Jersey and Massachusetts. In Australia, besides the Australia Commonwealth Electronic Transaction Bill 1999, Victoria and New South Wales have their own Electronic Transactions Bill. Similarly, in Canada, besides the Canada Bill C-6 (The Personal Information Protection and Electronic Document Act), British Columbia has enacted Bill 13-2001 The Electronic Transaction Act and Manitoba has enacted Bill 31 Electronic Commerce and Information Act. Additionally, the Canada Draft Uniform Electronic Commerce, New Brunswick Electronic Transaction Act and Alberta Electronic Transaction Act are all pending legislation relating to digital signatures for e-commerce.
The following is a summary of the areas surveyed and the results:
- Legal requirements for electronic signatures and handwritten signatures: A review of the responses reveals that 84 percent indicate that, at a high level, their country law treats electronic signatures the same as handwritten signatures. Sixteen percent of the responses indicate that the respondents either do not have legal requirements specified for electronic signatures and handwritten signatures or are in the process of addressing this area.
- Definition of, or limitation on, liability for the sender, receiver or the certification service provider: Survey results indicate that 45 percent have laws that address this issue. The laws of the remaining countries either do not address liability, relying instead on individual contractual agreements, or limit it to only one or two of the parties.
- Geographic or procedural limitations that could prevent cross-border recognition of electronic signatures: The results indicate that 95 percent of the responses do not presently have a provision that would prevent cross-border recognition. A few of the responses from members of EU countries indicate that they recognize only certification service providers within the EU, or that they apply different requirements to certification service providers within EU countries and those in non-EU countries.
- Provisions for preserving relevant electronic records: Fifty-three percent of the responses indicated that the country law has provisions for preserving relevant electronic records with stipulated requirements. The remaining 47 percent indicate that the law in their country either makes no specific reference in this area or states requirements without specifics.
- Provisions for nonrepudiation: Eighty percent of the responses indicated that the country law contains provisions that support nonrepudiation. The remaining 20 percent responded that this is either not defined in the law or not specifically provided for.
- Electronic signatures archived by the law enforcement authorities/agencies: Of the survey responses, only the law of Latvia states that the State General Archive will keep the archives of electronic documents, while all other records regarding the issue and usage of certificates will be kept by the respective service providers. The remaining countries indicated that the country law does not stipulate that electronic signature records be archived by law enforcement authorities or agencies.
- Provisions for shared secret signature of a corporation or other artificial legal entities: Thirty-three percent of those surveyed indicated that country law has provisions that do not permit a shared secret to serve as the signature of a corporation or other artificial legal entity. The remaining 67 percent of the respondents indicated that the country law either makes no specific reference to a shared secret for signature or has not defined it.
The UNCITRAL Model Law and the EU Directive attempt to reduce legal barriers to using electronic technology to sign contracts. There are many differences among the existing digital signature laws. For example, some country laws recognize only electronic signatures while other laws recognize only digital signatures. Some provide that electronic signatures are admissible as evidence in any legal proceedings in relation to questions of communication authenticity or data integrity; others do not address whether electronic signatures are admissible as evidence in a court of law. Some laws have no specific regulations addressing certification authorities and allow voluntary schemes for certification authorities.
The EU Directive provides that certification authorities may limit their liability, stipulate a financial cap for the transactions covered or limit the uses of their certificates. Certification authorities established in one EU member state are recognized in the other EU member states. However, some EU members do not recognize foreign certificates issued outside the EU member states for cross-border transactions. Digital signatures in EU member states must meet a long list of requirements before being considered equivalent to a handwritten signature.
If a digital signature is used as the legal equivalent of a handwritten signature, especially in cross-border electronic commerce, careful legal review of and advice about the national laws, with special focus on multiple jurisdictions, is strongly recommended. In addition to each respective national law, the state or provincial laws also must be reviewed. If the country in which the trading partner resides does not have a digital signature law, the contractual agreement should address the legal basis for the use of digital signatures.
Finally, it is critical that the legal requirements of the business partner's jurisdiction and of the local jurisdiction be clear, either in the law or in a separate contractual agreement. Due diligence in ensuring a trusted environment for the use of digital signatures for document signing is required. If digital signatures and certification authorities are subject to conflicting legal and technical requirements in different jurisdictions, it may be difficult or close to impossible to use digital signatures in cross-border transactions.
When implementing digital signatures, one must take into consideration the costs associated with a digital signature system. Some of these costs are: establishing and utilizing certificate authorities; maintaining a repository of signer certificate-related information; software and hardware support for digital signature administration, the verification process and the trusted environment; the hardware securing a subscriber's private key; and the purchase of certificates for issuance.
[1] Baker & McKenzie, APEC E-COM Legal Guide, Global E-Law Alert, Global E-Commerce Law, www.bmck.com/Australia/australia_encryption.htm
[2] Baker & McKenzie, APEC E-COM Legal Guide, Global E-Law Alert, Global E-Commerce Law, www.bmck.com/ecommerce/canada-t.htm
Lily Shue, CISA, CCP, has over 20 years of experience in the IT audit and security profession. She is currently manager of IS security at Sony Electronics Inc., USA, responsible for corporate information security. Shue received ISACA®'s President's Award in 1998 and the ISACA John Lainhart Common Body of Knowledge Award the following year. She has served on the Information Systems Audit and Control Foundation's Research Board from 1993 to the present. In that capacity, she contributed to the development of ISACF's Control Objectives for Net Centric Technology (CONCT) and served as project leader for the foundation's VPN research project.
The Information Systems Audit and Control Foundation (ISACF) recently completed a research project on digital signatures. The project will result in a book, Electronic and Digital Signatures: A Global Status Report, which will be available for ISACA members as a complimentary download on ISACA's web site, www.isaca.org/@member, or for purchase in hard copy through the ISACA Bookstore, www.isaca.org/bookstore.