Content Blocking Working Group

Content Blocking Report: Now Available

The Internet Law & Policy Forum commissioned a working group in 1996 to examine the trends in global content regulation and technological developments designed to address content issues by blocking or providing user-enabled filtering. The report is a work in progress and appears on this site. The working group process disclosed that, despite the reach of the Internet and its power to collect and distribute information, there is no systematic collection or examination of Internet content regulation.

Accordingly, the ILPF is expanding its working group to now conduct a global inventory of Internet content regulation. The goal of this effort is to amass, on a country-by-country basis, the laws and regulations that specifically encompass Internet content regulation. ILPF seeks to create a network of correspondents that will voluntarily advise the Internet community through the auspices of ILPF of emerging content regulation, enforcement activities related to content laws and links to sites that address content issues. Digital copies of any pertinent laws or regulations will be archived and made available to the global Internet community. Correspondents are invited to provide their analysis of the particular laws or rules.

ILPF will continue to examine the trends in Internet content regulation and plans to report on the "State of Internet Content Regulation" annually. Periodic summaries of information received will be provided on this site.

Individuals, groups, and organizations may submit information regarding content blocking regulations via our ILPF Content Blocking Working Group Submission Form.

Survey of State Electronic & Digital Signature Legislative Initiatives

The Full Report and the appendices are available in .pdf format.

PROJECT OVERVIEW

The Internet Law & Policy Forum ("ILPF") commissioned Perkins Coie to survey current legislative efforts by individual states in the United States and drafting committees concerning digital and electronic signatures to assist the ILPF Digital Signature Working Group in considering model state legislation. This report provides a state-by-state comparison of electronic authentication initiatives and a summary and analysis of trends. The terms of reference of the Working Group and project schedule are available on ILPF's web site. The text of all of the state initiatives and related resources have been collected on ILPF's web site as well. ILPF seeks public comment on this report, particularly in regard to the categorization of state initiatives, information on any new initiatives, or corrections to the report. Any comments should be forwarded for consideration to the ILPF via its web site or to the authors of this report, John P. Morgan and Albert Gidari.

I. BACKGROUND

Legislators are faced with unique and fundamental policy choices regarding the role of government in the development of electronic commerce. Recognizing that government must play a role in enabling electronic commerce by removing traditional barriers, nearly every state has sought to eliminate barriers caused by traditional writing and signature requirements by drafting legislation designed to permit the authentication of documents and signatures through electronic means. In the electronic environment, however, the authentication of documents and signatures is considerably more difficult than in the traditional written environment. An original message may be virtually indistinguishable from a copy, and the potential for fraud is heightened by the ease of alteration.

New challenges, therefore, arise in determining government's function, if any, in solving problems unique to electronic authentication such as issues of data integrity, non-repudiation, evidentiary standards, choice of technology, liability standards, contractual freedom, consumer protection, and cross-border recognition of electronically signed documents.

In the international arena, numerous governments and organizations have called for private sector leadership in developing electronic commerce principles rather than premature government regulation. However, these policy initiatives also recognize that government may serve an essential facilitating role by eliminating barriers and providing a broad legal framework to protect the interests of the public.

In the United States, 40 states either have considered or enacted electronic authentication laws. Thirteen states have initiated task forces to study the various impacts of electronic commerce and traditional writing and signature requirements. See Appendices A & B. Although the numbers suggest that there has been a flurry of substantive activity, in fact, most legislation has been narrow in scope. While 21 states have proposed 31 laws that encompass public and private sector communications ("general" laws), only ten states have enacted 13 such laws. Instead, most legislative activity has involved laws that have a "limited" transactional scope; that is, laws that apply only in a government or narrow private sector context such as the use of electronic signatures by health care providers or for motor vehicle registration. Indeed, twenty-eight states have introduced 48 limited statutes. Of these, 23 states have enacted 36 limited laws. See Appendices B & C.

II. AUTHENTICATION MODELS

A variety of authentication models have been considered or enacted by the states. The vast majority of the legislative initiatives enacted by state legislatures were electronic signature laws; only a handful of states have enacted digital signature laws.

While the distinction between an electronic and digital signature is an important one, the terms frequently are used interchangeably. For purposes of consistent analysis here, "electronic signature" means any identifiers such as letters, characters, or symbols, manifested by electronic or similar means, executed or adopted by a party to a transaction with an intent to authenticate a writing. A writing, therefore, is deemed to be electronically signed if an electronic signature is logically associated with such writing.

In contrast to an electronic signature, a "digital signature" is an electronic identifier that utilizes an information security measure, most commonly cryptography, to ensure the integrity, authenticity, and nonrepudiation of the information to which it corresponds. Cryptography refers to a field of applied mathematics in which digital information may be transformed into unintelligible code and subsequently translated back into its original form.

In public key cryptography or asymmetric cryptography, an algorithmic function is used to create two mathematically related or complementary "keys." One key is used to code the information while the other is used to decode it. Cryptography can be used to ensure the confidentiality of data (i.e., encryption) and to verify the authenticity and integrity of transmitted data. The advantage of public key cryptography is that it allows the confidential transmission of information in open networks where parties do not know one another in advance or share secret key information.

In an open network context, public key encryption depends on the public and private use of these complementary algorithmic keys.

The "public" key is associated with a particular party and is made readily available in a directory. A trusted third party or certification authority can authenticate the relationship between a public key and its owner thereby ensuring public confidence in the use of the readily available key. This public key is then used to encrypt a message or data to be sent to the person associated with the key. The recipient of the encrypted message then uses his or her "private" key to decrypt the information. The "private key" is so named because it must remain secret in order for the process to be secure, for while the public key of a particular party is known to the public, only the private key can be used to decrypt. With strong encryption, it is virtually impossible to derive the private key from its public counterpart.

In the context of "digital signatures," the process essentially is reversed. First, a signer uses a "hash" function to create a compressed form of the message to be sent. This "message digest" is unique to the message and can be used subsequently to verify the authenticity of the document once received. Before sending the document electronically, the signer applies the private key to the message digest, thereby encrypting it and creating a secure digital signature. The document may then be sent (perhaps encrypted with the receiver's public key) along with the digital signature. Upon receipt, the digital signature can be decrypted with the signer's public key, and the recovered message digest can be compared against a digest recomputed from the received document to verify its contents. The creation of an open public cryptographic system has commonly been referred to as public key infrastructure ("PKI").
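The hash-sign-verify sequence just described, carried through in working code as an added example (it is not part of the report, and Perkins Coie and the ILPF published no code). It uses Go's standard-library RSA and SHA-256 implementations; the key size, padding modes, and the sample document are the example's own choices. It also shows the two failures a recipient relies on the signature to catch: a document altered after signing, and a signature checked against the wrong party's public key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage is the signer's step from the report: hash the message to a
// fixed-size digest, then apply the private key to that digest (PKCS#1 v1.5
// signature padding). Only the digest is signed, never the whole document.
func signMessage(signer *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
}

// verifySignature is the recipient's step: recompute the digest from the
// document actually received and check it against the signature with the
// signer's public key. Any change to the document changes the digest, so the
// check fails; a signature made under some other private key also fails.
func verifySignature(signerPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(signerPub, crypto.SHA256, digest[:], sig) == nil
}

// sealForRecipient is the confidentiality direction the report describes
// first: encrypt with the recipient's public key so that only the holder of
// the matching private key can read it. OAEP is the padding used for RSA
// encryption here (an illustrative choice).
func sealForRecipient(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// openSealed is the recipient decrypting with his or her private key.
func openSealed(recipient *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, ciphertext, nil)
}

// Exchange records one signed-and-sealed message so that each property the
// report attributes to digital signatures can be checked separately.
type Exchange struct {
	Recovered  []byte // plaintext the recipient decrypted
	GenuineOK  bool   // signature verifies on the untouched message (expected true)
	TamperedOK bool   // signature verifies after a one-bit change (expected false)
	WrongKeyOK bool   // signature verifies under someone else's public key (expected false)
}

// runExchange generates fresh keys for a signer and a recipient, signs and
// seals msg, lets the recipient open and verify it, then tries the two cases
// the signature must reject. The 2048-bit key size is an illustrative choice.
func runExchange(msg []byte) (Exchange, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Exchange{}, err
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Exchange{}, err
	}
	sig, err := signMessage(signer, msg)
	if err != nil {
		return Exchange{}, err
	}
	ciphertext, err := sealForRecipient(&recipient.PublicKey, msg)
	if err != nil {
		return Exchange{}, err
	}

	// Recipient side: decrypt with the private key, then verify the signature
	// against the signer's public key on what was actually recovered.
	recovered, err := openSealed(recipient, ciphertext)
	if err != nil {
		return Exchange{}, err
	}
	tampered := append([]byte(nil), recovered...)
	if len(tampered) > 0 {
		tampered[0] ^= 0x01 // flip a single bit of the first byte
	}

	return Exchange{
		Recovered:  recovered,
		GenuineOK:  verifySignature(&signer.PublicKey, recovered, sig),
		TamperedOK: verifySignature(&signer.PublicKey, tampered, sig),
		WrongKeyOK: verifySignature(&recipient.PublicKey, recovered, sig),
	}, nil
}

func main() {
	msg := []byte("Transfer 100 shares to account 4471") // constructed sample document
	ex, err := runExchange(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered intact:   %v\n", bytes.Equal(ex.Recovered, msg))
	fmt.Printf("genuine verifies:   %v\n", ex.GenuineOK)
	fmt.Printf("tampered verifies:  %v\n", ex.TamperedOK)
	fmt.Printf("wrong key verifies: %v\n", ex.WrongKeyOK)
}
```

Note that the recipient verifies the signature over the bytes it actually recovered, not over what the sender claims to have sent; that ordering is what gives the "integrity" property the report assigns to digital signatures. The example also makes visible what the statutes cannot supply: verification proves only that the holder of a particular private key signed the digest, and binding that key to a named person is the separate job the report gives to certification authorities.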

Thirty-three of 49 electronic signature statutes introduced (23 of 28 states) were enacted. Nearly all of these laws were "limited" in scope. With respect to digital signature laws, only ten of 21 initiatives introduced (7 of 14 states) were enacted. Florida, New Hampshire, and Oregon have approved legislation for both. See Appendices B & E.

Most of the electronic and digital signature initiatives fall into three categories: prescriptive, criteria-based, and signature enabling. See Appendix D. The prescriptive states delineate specific PKI schemes for digital signatures and typically have "general" applicability. Utah's model is predominant among the prescriptive states, accounting for ten of the 18 states using a prescriptive PKI digital signature approach. The criteria-based states recognize the authentication of digital or electronic signatures, provided the signatures satisfy certain criteria of reliability and security. California is the leading model and has been uniformly followed by states utilizing the criteria-based approach. The signature enabling states take the most modest approach by recognizing electronic signatures and documents in a manner that is parallel to traditional signature and writing laws. These laws are technology-neutral in that they adopt no specific technological approach or criteria. Massachusetts has taken the representative lead in this area. These various approaches are discussed in more detail below.

A. Prescriptive Approach

The prescriptive approach is a comprehensive effort that seeks to enable and facilitate electronic commerce with the recognition of digital signatures through a specific regulatory and statutory framework. It establishes a detailed PKI licensing scheme (albeit voluntary), allocates duties between contracting parties, prescribes liability standards, and creates evidentiary presumptions and standards for signature or document authentication.

On the whole, 18 states have adopted or considered PKI-based digital signature laws. Of these, 14 states have addressed digital signatures alone while four states have considered giving effect to both electronic and digital signatures. See Appendix E. California may also be included in this latter category with the recent promulgation of proposed regulations by the Secretary of State that approve of PKI and digital signature use.

The leading model for the prescriptive approach is the Utah Digital Signature Act. Utah Code § 46-3-101 et seq. Utah's digital signature law originally was enacted in 1995 and significantly amended in 1996 by Utah Senate Bill 188. This legislation was influenced heavily by the efforts of the American Bar Association Information Security Committee (the "Security Committee"). Over a four-year period, the Security Committee had sought to draft a model law for digital signatures. However, given the diverse views on several key areas such as a subscriber's duty of care, the Security Committee produced the Digital Signature Guidelines (the "Guidelines") in the summer of 1995 in lieu of a model law. The Utah Digital Signature Act and the Guidelines have been very influential in shaping other states' legislative initiatives (together "Utah/Guidelines" model).

The Utah/Guidelines model attempts to delineate a comprehensive scheme for the recognition of digital signatures in a PKI environment utilizing state-licensed certification authorities ("CAs"). The model can be divided into four main categories: (1) licensing of CAs; (2) issuance, suspension, and revocation of certificates issued by CAs; (3) duties, warranties, and obligations of licensed CAs, subscribers, third parties, and key repositories; and (4) rules regarding the recognition and validity of digital signatures. Some key attributes of these areas include:

  • Regulatory authority is vested with the Secretary of State or other agency and may serve as a CA;
  • "Voluntary" licensing scheme for CA--unlicensed CAs lose evidentiary presumptions of authenticity and civil liability limitations;
  • CAs liability limited by certificate statements; statutorily liable only for direct, compensatory reliance damages;
  • A digital signature is self-authenticating if (1) it is verified as valid by a public key listed with a licensed CA; (2) it was affixed with the intention of signing a message; and (3) the recipient has no knowledge of either a breach of duty by the subscriber or does not rightfully hold the private key affixed to the message;
  • Writing requirements are met if (1) the message bears a digital signature and (2) that signature is verified by a valid licensed public key;
  • Auditing and bonding requirements for CAs;
  • Cross-border recognition for states whose licensing or authorization requirements are substantially similar if the Secretary of State recognizes the CAs by rule; and
  • Subscribers have a duty of reasonable care in control of private keys and must indemnify CAs.

Although the Utah/Guidelines model has received considerable attention, it has not, in fact, been widely followed. Seven states have considered but not adopted the Utah/Guidelines model: Hawaii, Maryland, Michigan, New York, Rhode Island, Vermont, and Virginia. Although incorporating most of the model, draft legislation in Virginia and Hawaii notably deleted the cross-border recognition provision. Numerous other states have adopted or considered Utah's definition of a digital signature without adopting the model itself. Minnesota and Washington are the only states to enact the Utah/Guidelines model with some variation. See Appendices C & D. For example, Washington has enacted legislation that allows the parties, with some exception, to alter the terms of the statute by contract.

B. Alternatives to the Prescriptive-PKI Model

The Utah/Guidelines model likely has not had more impact due to its inherently regulatory and prescriptive nature. By selecting PKI as the baseline for electronic authentication, the model may be viewed as technology-forcing. Although it is ostensibly "voluntary," the favorable liability limits and evidentiary presumption associated with state licensing likely will impair alternatives. No presumptions or liability limits are afforded to other technological solutions that may have comparable or superior security or trustworthiness. For this reason, many states have sought legislative alternatives that more broadly address electronic authentication and have more flexibility. Generally, these alternatives utilize a technology-neutral approach and eschew any specific liability regime in order to avoid market-distorting effects in the emerging technology fields of electronic commerce.

Thirty-one states have or are considering 58 statutes that address electronic signature or electronic authentication standards. See Appendix E. Fifty-five of these initiatives representing 29 states may be divided between the criteria-based and enabling categories. See Appendix D.

1. Criteria-Based Approach

The predominant model for criteria-based laws is the "California" authentication standard. Akin to an evidentiary standard, the California model incorporates some requirements into the definition of an electronic signature in order to satisfy security and trustworthiness concerns. An electronic signature is legally effective if it is:

  1. Unique to the person using it;

  2. Capable of verification;

  3. Under the sole control of the person using it;

  4. Linked to the data in such a manner that if the data is changed the signature is invalidated; and

  5. In conformity with regulations adopted by the appropriate state agency, usually the Secretary of State.

Cal. Gov't Code § 16.5(a) (1995). Prior to the model's enactment, the California legislature explicitly considered and rejected the Utah/Guidelines model, in part, due to concerns of market distortion and technological neutrality.

The California criteria-based approach has proven quite flexible for various state legislators. The broad criteria may apply both to electronic and digital signatures since it is designed to lay the requirements for trustworthiness and security. For example, the California Secretary of State has recently published its Proposed Digital Signature Regulations, in which it adopts two acceptable technologies: PKI digital signatures and signature dynamics. Indiana has adopted the California criteria as a prerequisite for the recognition of digital signatures. Illinois is considering the criteria as a basis for evaluating whether an electronic signature may be deemed "secure." The first four elements of the California standard also have been used in legislation from New Hampshire, Rhode Island, and Virginia as optional criteria that the trier of fact may consider when evaluating the authenticity of an electronic signature.

On the whole, 11 states have 19 initiatives that incorporate the criteria-based approach. Ten states have adopted the California standard into law. See Appendix D. Nine of the enacted laws, California's among them, are "limited" in scope. See Appendix A. Georgia, Kansas, New Hampshire and Virginia have enacted "general" statutes that use the California criteria-based approach. Electronic signature laws enacted in Georgia and Kansas are unique because the criteria are incorporated into the definition of an electronic signature.

2. Signature-Enabling Approach

The remaining legislative initiatives fall within the signature-enabling category. The "general" laws permit any electronic mark that is intended to authenticate a writing to satisfy a signature requirement. See Appendix D. The net effect of this approach is to give legal recognition to both digital and electronic signatures for statutory and common law writing and signature requirements.

An early example of this approach is Florida's Electronic Signature Act of 1996, Fla. Stat. § 1.01 (1996 Fla. H.B. 942). The key elements of the operative terms are:

  • The word "writing" includes handwriting, printing, typewriting and all other methods and means of forming letters and characters upon paper, stone, wood, or other materials. The word "writing" also includes information which is created or stored in any electronic medium and is retrievable in perceivable form.
  • "Electronic signature" means any letters, characters, or symbols, manifested by electronic or similar means, executed or adopted by a party with an intent to authenticate a writing. A writing is electronically signed if an electronic signature is logically associated with such writing.
  • Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature.

Massachusetts also is representative. Massachusetts has put forward the most modest position regarding electronic authentication due to similar concerns voiced in California regarding the potential for market distortions and the need for technological neutrality. Unlike California, however, Massachusetts does not adopt any particular authentication criteria in removing signature and writing barriers. Massachusetts' draft legislation provides, in part:

Section 1. Definitions.

As used in this chapter, the following terms have the following meaning:

"Record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form. The term "record" includes, without limitation, electronic records and written records.

"Signed" or "signature" includes electronic and digital signature methods.

Section 2. Electronic Records and Signatures.

(a) Where the law requires information to be in writing, that requirement is met by a record. In any legal proceeding, a record shall not be inadmissible in evidence on the sole ground that it is an electronic record. Any duplicate record that accurately reproduces the original record shall be admissible in evidence as the original itself unless in the circumstances it would be unfair to admit the duplicate in lieu of the original.

(b) Where the law requires a signature of a person, that requirement is met by that person's electronic signature. Where any rule of law requires a signature to be notarized or acknowledged for filing, that rule is satisfied by an electronic signature that meets standards established by the secretary of the commonwealth.

(c) This section shall not apply:

(i) when its application would be inconsistent with the manifest intent of the parties;

(ii) when its application would involve a construction of a rule of law that is clearly inconsistent with the manifest intent of the law making body or repugnant to the context of the same rule of law, provided that the mere requirement that a record be "in writing" or "written" shall not by itself be sufficient to establish such intent.

Massachusetts' approach also differs from Florida's in its use of a "record" to address writing and signature requirements, which derives from the United Nations Commission on International Trade Law's Model Law on Electronic Commerce ("UNCITRAL Model Law") and is consistent with language used by the National Conference of Commissioners on Uniform State Laws ("NCCUSL") in revising the Uniform Commercial Code ("UCC") Articles 2B and 4B.

On the whole, 27 states have or are considering the enabling approach. Twenty-two states enacted legislation, of which five laws had "general" applicability. The bulk of the initiatives considered remain in the "limited" class. See Appendix D. In general, all of these states are silent regarding such issues as certification authority standards, cross-border recognition, and liability issues. The marketplace and existing laws are left to resolve unanswered questions. Although electronic signatures are recognized, no evidentiary presumptions attach to the use of either electronic or digital signatures. This is in sharp contrast to those states that have addressed digital signatures alone. Thus, this approach is merely "enabling" in that the policy objective simply is to remove writing and signature barriers without endeavoring to facilitate any form of development.

C. Hybrid Approach

Of all the legislation introduced over the past two years, only Florida, Illinois, New Hampshire, and Oregon authored electronic authentication statutes that addressed both electronic and digital signatures. All four give general recognition to electronic signatures and authorize digital signatures in varying degrees of specificity.

The comprehensive draft legislation being circulated by the Illinois Attorney General Commission on Electronic Commerce and Crime falls between the Massachusetts and Utah/Guidelines model approach and incorporates aspects of California's criteria-based model. The Illinois draft gives broad recognition to electronic signatures, adopting many provisions of the UNCITRAL Model Law. The legislation creates a new category of electronic signature based on the California criteria model called "secure electronic signatures." Signatures that qualify are accorded rebuttable evidentiary presumptions regarding the genuineness and integrity of the signature. Parties to a transaction may select from a security procedure that is defined by the statute or one that is commercially reasonable and agreed to by the parties.

The "secure status" of a secure electronic signature may be challenged (1) by evidence indicating either that a security procedure authorized by the statute is generally not trustworthy or a security procedure agreed to by the parties is not commercially reasonable or implemented in an untrustworthy manner, or (2) by evidence suggesting that the relying party's reliance was not reasonable. Factors affecting the "reasonableness" of a recipient's reliance upon a signature also may be considered, including the relying party's knowledge, course of dealing, and trade usage. The security procedure authorized by the statute is the use of digital signatures. Electronic records that are signed with digital signatures may constitute a secure electronic record if the digital signature is created and verified by a valid certificate that is considered trustworthy.

The Illinois draft is more flexible and less restrictive than the Utah/Guidelines model in creating a PKI scheme, allocating presumptions, and authorizing the use of digital signatures. The Secretary of State is authorized to take several steps to ensure the quality of certificates issued including the adoption of certain security standards for CAs, voluntary licensing, and third party accreditation. Compliance with the Secretary of State's quality control measures will give rise to a rebuttable presumption of trustworthiness, but a default rule also permits trustworthiness to be found by the trier of fact. Like the Utah/Guidelines model, the ultimate burden of going forward with some evidence (burden of persuasion) is placed upon the party challenging the integrity of the record or the genuineness of the signature. The important distinction between the Illinois draft and the Utah/Guidelines model is that the presumptions generically apply to secure electronic signatures rather than digital signatures exclusively.

There are no express CA auditing or bonding provisions, and the Secretary of State is not authorized to serve as a CA. CA liability is not statutorily limited but may be limited by the CA's certification statements. Subscribers have a duty of care (reasonableness) in holding their private keys secure. CAs have a similar duty to use trustworthy methods and may be bound by certain warranties. Like the Washington law, the Illinois draft also has a blanket authorization to vary its terms by agreement; Washington's is the only other legislative initiative to do so.

NCCUSL also is drafting its Uniform Electronic Transactions Act. The current draft adopts many of the initial enabling provisions of the UNCITRAL Model Law that give legal recognition to electronic signatures and documents (records). In addition, the NCCUSL draft has adopted the Illinois concept of a "secure electronic record" and "secure electronic signature" and utilizes the California criteria as a litmus test before according any evidentiary presumptions. Its definition of "security procedure" is broad and encompasses the familiar UCC concept of commercial reasonability. Unlike the Illinois draft however, the NCCUSL draft makes no attempt to facilitate the development of the prescriptive digital signature/PKI model by linking evidentiary presumptions with digital signatures. The determination of "security" with its associated presumptions stands independently. Overall, the NCCUSL draft endeavors to be more technology-neutral.

III. CONCLUSIONS

There is no uniformity in state approaches to electronic authentication. States have been most active in deciding appropriate authentication standards for limited transactions with government or discrete areas of private law such as medical records. No electronic authentication model has come to dominate the legislative marketplace and experimentation continues.

This report finds that legislative efforts have been focused predominantly on enacting limited electronic signature laws as opposed to general laws. In the "general" class of statutes, seven states have enacted legislation adopting PKI with three using the Utah/Guidelines model; four states have enacted legislation utilizing the California-criteria model of which two use the criteria permissively; and five states have enacted signature-enabling legislation. See Appendix D. This contrasts sharply with the 36 limited laws enacted of the 48 proposed during the same time period. See Appendix E.

As evidenced by the hybrid approaches of NCCUSL and Illinois, the recent trend is toward legislation that: (a) at a minimum, enables electronic commerce by recognizing that the primary objective of electronic authentication is the removal of barriers associated with traditional writing and signature requirements and (b) establishes evidentiary presumptions in favor of the electronic signature user based on security and trustworthiness standards. The pattern suggests that as security measures increase and provide a heightened indicia of trustworthiness, stronger evidentiary presumptions may attach.

The trend analysis also reveals what is absent from the various state initiatives. For example, only the prescriptive model addresses cross-border recognition of electronic or digital signatures. The Utah/Guidelines model only recognizes digital signatures originating in states that have "substantially similar" authentication and licensing standards and that are recognized by the state regulatory authority by rule. Florida is the only state with a prescriptive statute that requires less and authorizes reciprocity. Additionally, no state initiative addresses choice of law or choice of forum issues with the exception of the NCCUSL draft, which essentially adopts conflict of laws common law principles. Thus, there is a legislative gap and no certainty as to whether an electronic signature will be given full force and effect outside of the state in which it was affixed, and what law will be used to determine its effect if it is recognized.

Finally, states that have considered or adopted the prescriptive model have uniformly looked to state licensing schemes to ensure trustworthiness. By contrast, Illinois is the only state to consider recognizing the role of non-governmental or private sector third parties in establishing, through accreditation, the trustworthiness and security of an electronic authentication.

The Full Report and the appendices are available in .pdf format.

Albert Gidari, Esq.
(gidaa@perkinscoie.com)

John P. Morgan, Esq.
(morgo@perkinscoie.com)

Perkins Coie
1201 Third Avenue, 40th Floor
Seattle, WA 98101
+1 (206) 583-8888
+1 (206) 583-8500 (fax)


This Digital Signature list is maintained by Perkins Coie. All rights reserved.
