Security and Privacy
An Analysis of International Electronic and Digital Signature Implementation Initiatives
Presentation and International Discussion
10 September 2000
San Francisco, California
The ILPF invites public comment on this report.
Please submit comments to firstname.lastname@example.org
On 10 September 2000, members of the Internet Law & Policy Forum and
international experts listed at the end of this Report met in San Francisco to
hear the first public presentation on an ILPF-commissioned paper, An Analysis of International Electronic and
Digital Signature Implementation Initiatives (the International Implementation Survey) and
to discuss legal and policy issues raised by the current proliferation of such
International Implementation Analysis
is the third ILPF-commissioned survey of digital and electronic signature
efforts. In 1997 in response to a
growing number of differing state legislative initiatives within the United
States, the ILPF introduced Legislative
Principles for Electronic Authentication (1997),
http://www.ilpf.org/digsig/principles.htm, then issued a United States Survey
(1998), http://www.ilpf.org/digsig/update.htm, to track continued state enactments. In February 1999, the ILPF published a
second survey, this one international in scope,
http://www.ilpf.org/digsig/survey.htm, and issued International Consensus
Principles, http://www.ilpf.org/digsig/intlprin.htm.  The surveys and principles, particularly the
International Consensus Principles, were intended to facilitate the creation of
an environment for electronic authentication in which users could be assured of
the protections of technological advances and recognition of signatures across
state and national boundaries.
growing number of governments are now passing electronic signature legislation
: The EU Directive has taken effect, a number
of nations have adopted legislation, and work on the UNCITRAL model rules has
progressed. In addition, a number of
entities - governmental, private industry, and combinations of the two - has
begun to draft detailed specifications.
Accordingly, the ILPF again commissioned a survey, this time of
"implementation" initiatives. The term "implementation" initiatives was broadly defined to include almost any set of
detailed criteria, most notably (1) standards for granting enhanced legal
effects to a methodology and (2) certification or licensing requirements for
The ILPF commissioned this latest survey first to catalog as many implementation
proposals, public and private, as could be identified, and then to see whether
its International Consensus Principles, necessarily a set of high level
statements, maintained validity in the context of detailed specificity inherent
in many implementation schemes.
following themes and observations emerged in the presentation and expert,
international discussion of this International Implementation Analysis.
Presentation of the International Implementation Analysis
Kuner opened the 10 September Session with an overview of the purpose of the International Implementation Analysis:
to inventory and provide specific analysis of current implementation proposals
globally. The resulting detail is set
out in Part III, the Appendix to the Analysis.
Mr. Kuner emphasized the proliferation of implementation initiatives and
voiced his view that the number and kinds of differences among the proposals
created a real risk to the use of electronic and digital signatures across
borders. The Analysis concludes:
With regard to the number of such implementation schemes, it can be
seen from the table (Part III of this paper) that nearly all of the
industrialized nations have at least initiated a national accreditation,
certification, or standardization scheme for electronic signature products and
services. One must ask why so many
nationally-based schemes are necessary, and why there is not more reliance on a
few, larger-scale schemes that could be tailored for a region, or a particular
legal system. One could argue that
competition will result among the schemes, leading to a "survival of the
fittest", which may well be true to some extent; but at the same time,
having nearly every country adopt its own implementation scheme for electronic
signatures carries the risk of leading to a patchwork of inconsistent national
systems that may well imperil international legal interoperability.
Baker then surveyed implementation initiatives against the ILPF Consensus
Principles, and vice versa. His "report
card" for governments, reflecting a grading system ranging from "A", the
highest rating, to "F" for a failing mark, on legislative electronic signature
efforts taken as a whole, was as follows:
|ILPF International Consensus Principle
|Removing Barriers to Electronic Authentication
|Respecting Freedom of Contract
|Making Laws Governing Electronic Authentication Consistent Across Jurisdictions
|Avoiding Discrimination and Erection of Non-Tariff Barriers
|Allowing for Use of Current or Future Means of Electronic Authentication (Technological Neutrality)
|Promoting Market-Driven Standards
particular, Mr. Baker noted that registration and licensing requirements can
create a disincentive to cross border recognition unless the provider which
seeks licensing is heavily capitalized and can comply with registration
requirements in multiple jurisdictions.
He also noted his view that ISSE standards (Information Security
Solutions Europe) reflected more government involvement than usual for an
industry-led group. Finally, Mr. Baker
offered his opinion that the ILPF should be prepared to modify its
International Consensus Principles on technological neutrality and non tariff
barriers to allow for a more nuanced approach.
In his view, some specification of detail is necessarily a part of the
legislative approach in many national laws, particularly for those nations
which grant a higher level of legal presumption to some but not all kinds of
electronic and digital signatures.
Discussion: Themes and Observations
Security and the Role of Governments.
surprisingly, participants agreed that the need for security of online
information would only increase as use of the Internet increased. One participant emphasized the importance of
security for e business. As explained,
the Internet was designed as a free network for widespread sharing of
information. To use so fundamentally
open a network for commercial applications such as e commerce would require the
technical ability to close or block access to that portion of the network used
by a business to conduct its own transactions and communications - much the concept of a virtual private
network. In this speaker’s view, this
need to limit access would be contrary to the original nature of the Net and
would ultimately require technical solutions beyond the applications level to
make electronic authentication work as a network "access limiting device".
noted that the need for security has been a strong justification for government
action in the marketplace. Government
designation of the specifics of implementation can be seen as necessary and
appropriate to ensure a level of security and trust essential for consumers to
embrace electronic commerce, to designate a technology in order to assure
widespread use and lower cost, to structure a legal framework which reflects
cultural preferences, to regulate (or license) providers of certificate
services to consumers, or to set some legally-required levels of duty. Other participants, however, saw a higher
level of government involvement in the marketplace as an attempt to create a
need for authentication, particularly for consumers, and pull an industry into
a current vacuum in the marketplace.
The danger of such an approach, noted one participant, is that
governments have a tendency to require the design of a Ferrari when a simple
and less costly truck would do the job.
difference of opinion about the appropriate role of government in creating
trust is not new. The issue has been
fundamental and dialogue has been ongoing, from the beginning of the
international conversations on electronic signature legislation. One of the ILPF International Consensus
Principles favored a more limited role for governments:
Standards for use of
electronic authentication methods or technologies should be market-driven to
meet user needs.
should avoid laws that force the private sector to designate a particular
technology for electronic authentication.
Standards (for example, for technical interoperability) should evolve in
response to needs in the commercial market, not by the requirement of
participants noted one way to balance a purely market-driven approach with a
stronger role for government. Appropriate government regulation might be a
matter of timing. The most effective sequence might be to grant wide party
autonomy to closed systems allowing this market segment to develop on its
own. Closed systems are beginning to
expand, particularly within an industry, for example, banking, but also for
non-industry-specific online exchanges across national boundaries. Speakers urged that these private solutions
be allowed to flourish and provide experience to guide further government
intervention. The flourishing of
"closed" systems would be the "key in the ignition" to drive widespread,
cost-effective use of electronic signatures forward. The aggrieved consumer was
seen as the wrong starting place from which to consider the role of the
government because existing consumer laws are so complex, consumer applications
have not yet developed, and consumer protection often calls forth a most
The Need to
Distinguish between Technical and Legal Standards.
Participants noted the dialogue on implementation and standards was
often confused by a failure to distinguish standards which are proposed to
resolve technical issues from those which could be used to specify legal
effect. Crafting details necessary to
designate the kinds of authentication methodologies entitled to a higher level
of legal effect without hindering users’ ability to move to more advanced
technology remains a challenge. Using
detailed standards developed for technological purposes as determinants of
legal effect was seen as particularly harmful to technological neutrality,
party autonomy and cross border legal interoperability.
this context, one participant argued for a minimalist approach as the strongest
protection for users of digital and electronic signatures. Drafting legislation and regulation with the
highest level of abstraction possible would allow courts to exercise maximum
discretion to give recognition to a signature user’s choice of methodology and
intent to be bound. This participant
gave voice to the view that too many regulatory requirements would deter rather
than encourage the use of electronic signatures.
Cross Border Issues and the Need for Mutual
Agreeing on rules
for mutual recognition of signatures across borders was seen by many participants as the next
important step, but as Chris Kuner noted, even the term "mutual recognition"
has different meanings. To some, mutual
recognition is more limited. Recognition is only granted if the regulatory
scheme from which the signature originates has certain shared characteristics
with the regulatory scheme under which mutual recognition is sought. For example, a country which requires
licensed providers may only recognize a foreign signature if the foreign
provider is similarly licensed in its "home" jurisdiction. Similarly, any mutual recognition scheme
should recognize cultural differences, sometimes deeply ingrained. For others, mutual recognition means giving
recognition to any foreign signature methodology as long as the methodology is
valid in the home jurisdiction, without regard to the similarities or
differences between legal frameworks.
A third kind of mutual recognition would give effect unless the rules of
the home jurisdiction were "profoundly" different.
Efforts are under way in some regions to identify such profound
differences and construct the terms of recognition. One participant gave the EU credit for an intra-European model of
mutual recognition and suggested that the evolution of that system would
provide a valuable model. All agreed
that a workable system of mutual recognition would be essential to the growth
of cross border electronic commerce.
Conclusions and Recommendations
ILPF’s latest commissioned survey, An Analysis of International Electronic and
Digital Signature Implementation Initiatives, documents and analyzes a
proliferation of standards and licensing initiatives to implement legal
recognition of digital and electronic signatures.
The level of government participation and intervention in the marketplace
reflects differences in goals and culture but at the same time, threatens to
create a world in which a user cannot choose a signature methodology or level
of security which matches the particular need and may not expect recognition of
any choice beyond national or regional boundaries.
at the 10 September Session offered three suggestions for governments to
balance the legitimate need for implementation details against the potential
excesses of those actions. Governments
the marketplace for and use of authentication technologies in closed systems to
develop further before structuring legislative and regulatory requirements
based on perceived consumer needs,
the difference between standards designed for technological interoperability
and those which define legal effects; and
seek to define the terms of broader mutual recognition.
members of the ILPF wish to express their thanks to Messrs. Kuner and Baker for
their work on the International Implementation Survey and to the
international experts listed below for their contributions to a better
understanding of this most complex but important topic.
Participating ILPF Members
Network Solutions, Inc.
GE Information Services
Stewart Baker, Steptoe & Johnson
Rosa Barcelo, Morrison & Foerster
Mark Bohannon, Software and Information Industry Association
Roland Brandel, Morrison & Foerster
Mauricio Devoto, CENIT
Peter Ferguson, Industry Canada
Emily Frye, iWitness, inc.
Brian Hengesbaugh, US Department of Commerce
Dr. Ulrich Sandl, Federal Ministry of Economics and Technology, Germany
Mariana Silveira, National Center for American Free Trade
Brian Smith, Mayer Brown & Platt
Graham Smith, Bird & Bird
Yoshitaka Toui, MITI, Japan
Kristen Tsolis, The Naval Postgraduate School
Shinje Watanabe, NTT DATA Corporation
TomohikoYamakawa, InfoCom Research Inc