Security and Privacy
Legislative Principles for Electronic Authentication & Electronic Commerce
The Internet Law & Policy Forum ("ILPF") convened
a working group in Washington, D.C., on October 23-24, 1997, to
draft a set of legislative principles for electronic authentication
of signatures. ILPF convened the working group after completion
of a comprehensive survey of state laws and initiatives in the
United States that disclosed a patchwork of inconsistent state
regulation and the absence of any standard for the cross-border
recognition of electronic signatures.

The ILPF-sponsored meeting yielded broad consensus among participants
that states should act to remove barriers to electronic transactions
that arise from uncertainties related to signature requirements.
The working group also agreed that it was important for states
to harmonize electronic authentication rules and regulations.
The working group underscored as fundamental the need to preserve
-- and for states to respect -- the ability of parties to agree
on their own requirements for electronic transactions and signatures.
And, as between parties in different states, cross-border recognition
and enforcement of electronic transactions and signatures were
felt to be paramount, especially given the global nature of electronic

ILPF provides a neutral forum for objective examination of issues
that affect the growth of the Internet economy. This working group
was comprised of experts in electronic authentication from federal
and state government, academia, and the private sector, including
several representatives of certificate authorities in the United
States and internationally. Reports were received on the progress
of other electronic authentication initiatives including reports
from representatives of, or participants in, the National Conference
of Commissioners on Uniform State Laws, the American Bar Association,
the International Chamber of Commerce, the United Nations Commission
on International Trade Law, the World Wide Web Consortium, and

ILPF's draft principles are intended to facilitate the creation
of a predictable legal environment for electronic commerce based
on recognition of electronic authentication of signatures and
records. ILPF will take public comment on the draft principles
via its web site at over the next 30 days.
- There was strong consensus among the working group for the following
core principles for electronic authentication of electronic transactions
and signatures. The commentary is provided for further illumination of
the principles.
- REMOVE BARRIERS TO ELECTRONIC TRANSACTIONS
- States should identify and eliminate barriers to
electronic transactions that arise from uncertainties related
to the recognition of electronic signatures. Specifically, states
should address the formal writing and signature requirements in
law, regulation and policy in any branch of government to ensure
that, where appropriate, electronic signatures and records are
- RECOGNIZE EQUIVALENCY OF SIGNATURE AND RECORD REQUIREMENTS
- Electronic signatures and records should be treated
as the equivalent of traditional signatures and records if they
are sufficiently reliable for the purpose for which the signature
or record is required.
- HARMONIZE LAWS GOVERNING ELECTRONIC SIGNATURE
- States should harmonize the laws relating to the
use and recognition of electronic signatures. Harmonization is
essential to the growth of electronic transactions and the establishment
of a predictable legal environment.
- ENSURE THE CROSS-BORDER RECOGNITION AND ENFORCEMENT OF ELECTRONIC TRANSACTIONS AND SIGNATURES
- States should avoid the exclusion of signatures authenticated
in other jurisdictions and refrain from imposing unnecessary or
impeding processes that delay recognition of electronically authenticated
signatures originating in other jurisdictions.
- RECOGNIZE INTERNATIONAL TRADE IMPLICATIONS THAT ARISE FROM STATE ELECTRONIC AUTHENTICATION LAWS
- States should avoid using electronic authentication
laws to erect non-tariff trade barriers to electronic commerce.
Such barriers can arise when, for example, a law imposes unnecessary
process delays for recognizing electronic signatures.
- RESPECT FREEDOM OF CONTRACT AND PARTIES' ABILITY TO VARY PROVISIONS BY AGREEMENT
- Electronic authentication laws should permit any
party to an electronic transaction, including a certificate authority,
to vary the terms of any electronic authentication law, rule or
regulation by mutual agreement.
- ALLOW FOR USE OF CURRENT OR FUTURE AUTHENTICATION
- Electronic authentication means should not be "locked
in" through legislative fiat but rather should allow for
changing market standards and applications for existing and future
technologies. "Means" includes both the use of business
practices and authentication technology. States should anticipate
that authentication means will change over time and avoid legislation
that might preclude innovation or new applications.
- STANDARDS SHOULD BE DETERMINED BY THE PRIVATE SECTOR AND BE MARKET DRIVEN
- The private sector should determine the standards
for electronic authentication. The government maintains its traditional
role in consumer protection and fraud prevention. When government
acts as a participant in the marketplace, it should avoid
market-distorting effects to the maximum extent possible when it chooses
electronic authentication requirements for its transactions. The
same principle applies when government acts as a regulator. This
principle also applies to accreditation of authentication means.
As a general rule, accreditation is preferred to government licensing,
which, if used at all, should be consistent with or rely on private
sector practices to the maximum extent possible.
- FOR FURTHER DISCUSSION:
- The following principle was viewed as an important contribution, but
in need of further refinement and discussion.
- MAINTAIN "TECHNOLOGY NEUTRAL" APPROACH TO ELECTRONIC AUTHENTICATION
- There was some disagreement about how to define the
term "technology neutral." There was consensus that
states should avoid laws that force the private sector to adopt
a particular technology for electronic authentication. The impact
of this principle on those laws that recognize only the use of
an electronic authentication means that relies on public key infrastructure
(PKI) was a significant concern. For the most part, it was agreed
that PKI, where enacted, should not preclude other methods of
authenticating signatures where appropriate. It was important
for many participants that states understand that PKI is not synonymous
with electronic authentication and that there are and will be
numerous means to authenticate signatures that will be sufficiently
reliable for a given purpose and that do not rely on PKI.