Security and Confidence in Electronic Commerce: Certification Authorities
Isabel HERNANDO
The creation of a stable regulatory framework for new "information society" services is fundamental in a well-functioning international market. It is recognized that these new online services will become a source of economic growth and employment. However, an appropriate regulatory framework has to be put in place in order to provide an international, or at least a pan-European level playing field. One of the key elements for the development of these services, especially the online financial and business transactions, will be digital signatures.
In this paper, attention will be given to the legal aspects related to the use of digital signatures in electronic commerce, specifically those resulting from the identification and liability of certification authorities.
The objective of this paper will be to identify in this legal context the potential schemes and real obstacles and their effects resulting from differences in legal concepts and implementation in an international regulatory environment.
It is recognized currently that new online transactions taking place in an "open system" will become a source of economic growth and employment. However, in order for the international market to function correctly, it is essential that there should be put in place a stable, harmonized regulatory framework at an international or at least pan-European level.
One of the key elements for the development of these services, especially with regard to online financial and business transactions, will be digital signatures, which should ensure that electronic transactions are carried out in terms of authenticity, confidentiality, integrity, and nonrepudiation safeguards.
One of the difficulties encountered when using digital signatures is that of ensuring that the identity of the person who holds a pair of encryption keys is accurately known. This service is offered by trusted third parties called certification services (CSs). CSs, also referred to as certifiers, offer a means of certifying and guaranteeing that a public key belongs to its supposed owner.
The objective of this paper will be to determine the legal context of certification services, specifically their identity and liability, and the possible regulatory schemes and their consequences as a result of differences in legal concepts and their implementation in an international environment (1).
The identification of the CSs that can operate in an online economic framework is a first step toward international harmonization. The difficulty of integration, however, does not lie in the choice between recognizing private or public CSs. Public CSs, leaving aside the problems they may raise for the safeguarding of free competition, are accepted without further ado. The difficulties of harmonization arise instead when attempting to establish a standard operating framework in the private sector and when trying to fix the limits for the recognition of certificates issued by foreign certification services.
In the private sector, the creation of a standard operating framework calls for a harmonious solution to the problems raised by the two following issues:
In practically all current laws and legislation on digital signatures, as well as in the Directive Proposal and in the UNCITRAL project (2), there is recognition of the existence of entities or authorities of certification authorized by a competent agency or authority (3).
The function of these authorities is to establish the probity and efficiency of the certification service. The bodies recognized as licensing entities are usually public administration agencies subject to administrative law, or independent accreditation entities recognized by the State and similar in structure to the data protection agencies. (4)
In any case, the entity nominated to authorize the activities of the CS, in accordance with its functions, would perform the duties of monitoring and providing information on the observance of the minimum requirements legally established for the granting of licenses.
It is accepted that the economic activity constituted by digital certification and, consequently, the acquisition of the corresponding authorization, cannot be limited to persons or groups already subject to professional codes of conduct (notaries, banks, attorneys) but that it must be open to all those entities that comply with the minimum standards established in a specific law. (5)
From the perspective of Electronic Commerce, these minimum standards should perform a double function. On the one hand, they should allow for the interoperability of the different participants in the Global Electronic Market and, on the other hand, they should provide sufficient security to protect citizens from any fraudulent and inappropriate conduct on the part of the CSs and from the damages resulting from the inappropriate issuing of certificates.
In response to these needs, in the UNCITRAL project and in the various laws already existing, criteria have been established that include standards of a technical and economic-legal nature, plus rules relating to personnel that, as a minimum, the CSs would have to meet in order to be licensed. (6)
The selection and administration of personnel is one of the basic criteria for the concession of licenses (7). According to these criteria, the CSs would be obliged to provide the following proofs:
In this second section, the criteria for authorizing CSs would be centered on the following aspects:
In this category, the minimum criteria would correspond to the following requirements:
Finally, the licenses issued by the licensing authority may be of a variable nature. A request for the license would be effected in writing with the payment of a fee (through the public service).
Once the previously mentioned criteria had been checked, the licensing entity could authorize the CS to operate without restriction or, on the contrary, it could opt to grant a license subject to a series of specific limitations, as, for example, the following:
Noncompliance with these limitations by the CS would bring about the annulment or suspension of the license and would have a direct effect on the liability of the CS that would be deemed to be an unauthorized entity in the Electronic Market.
With respect to certification services that operate outside a governmental system or other system for implementing a public key infrastructure, and bearing in mind pending legislation, harmonization between sovereign states would not depend upon prohibiting such services from participating in the Electronic Market. Such a prohibition would instead generate new conflicts with International Treaties that already exist (for example, article 59 of the Treaty of Union in relation to the free trade in services) and with national provisions on free competition (Defense of Competition). (13)
International harmonization, in our view, implies accepting in commercial practice that these certification services coexist with the authorized certification services. The UNCITRAL Project gives specific acknowledgment to this in the following terms: "Any person who, or entity which, as an ordinary part of its business, engages in issuing certificates in relation to cryptographic keys for the purposes of digital signatures." (14)
However, the acceptance of these entities does not mean that their certification businesses could be conducted in a way such as to generate an unreasonable risk of losses on the part of subscribers to their certificates, or for third parties depending on their reliability, or for other CSs.
For the activities of unlicensed CSs to be included within the embryonic development of the Electronic Market, in which it is necessary to generate a feeling of security and confidence among the different participants, they must be legally regulated. In this sense, with a view to achieving harmonization, Sovereign States can fix the minimum operational criteria necessary for unlicensed CSs.
With regard to the criteria themselves, these can be specified in similar terms to the technical, personnel and economic standards established for the licensed CSs. On the other hand, this comparability of requirements would not imply an assimilation of both types of entities since the differences would be maintained at various levels in regard to which the following are worth mentioning:
The issue here concerns the validity of certificates issued by foreign CSs that are not established locally as CSs in the country in which they intend to be active (15).
The systems of effectiveness which are proposed at the level of international harmonization are those referred to as reciprocal certification and reciprocal recognition.
According to this system, governments arrange between themselves to regulate the scheme for granting validity to foreign certificates, following criteria that respond to international principles of reciprocity of recognition (16) and of equivalence in matters of security (17).
This recognition, in its various forms, would be put into effect through Bilateral or Multilateral Agreements, with the exception of those countries belonging to the EEC and the EEA respectively where, in the absence of a Directive of standardization of security procedures, the aforementioned international principles would remain directly expressed in their national laws.
This institutional intervention does not in itself ensure harmonization, because each State may interpret the concepts of reciprocity and equivalence differently; it can, however, coexist within the same country with the second certification system, described below.
This second system of effectiveness makes it possible that national CSs authorize and guarantee certificates issued by a foreign CS (18). The levels of accreditation that have been identified are various and they are determined in relation to the degree of liability that the national CS is disposed to assume with respect to the possibility of a defective foreign certificate. (19)
Certainly, the possibilities encountered are numerous. Thus, a national CS might guarantee, amongst other things, the aspects listed below, in order of diminishing liability:
This system, in contrast with the former, constitutes a regulated system for the attribution of liability to a national CS and makes it possible for certifying entities to establish general agreements for mutual recognition.
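The cross-certification mechanism described above, worked through as an added example that is not part of the original paper: the national CS vouches for the foreign CS by signing a certificate over the foreign CS's public key, so a relying party that trusts only the national root can validate a subscriber certificate issued abroad. The names "National CS Root", "Foreign CS Root", "Subscriber" and "Foreign CS Sub-CA" are hypothetical, the keys are generated on the fly, and the path-length constraint placed on the cross-certificate stands in for one of the limitations a cross-certifying CS might attach to its guarantee (here: certificates the foreign CS issues directly are covered, certificates from sub-CAs it sets up on its own are not). The code uses Go's standard-library crypto/x509.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names and freshly generated keys: this is an added illustration, not the paper's material.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate body for the named subject.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// sign issues tmpl over pub with issuerKey under issuer; a nil issuer yields a self-signed root.
func sign(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// PKI holds the certificates of the worked scenario.
type PKI struct {
	NationalRoot *x509.Certificate // self-signed root of the licensed national CS
	ForeignRoot  *x509.Certificate // self-signed root of the foreign CS
	CrossCert    *x509.Certificate // the foreign CS's public key, certified by the national CS
	Subscriber   *x509.Certificate // end-entity certificate issued directly by the foreign CS
	SubCA        *x509.Certificate // a further CA the foreign CS set up on its own
	SubCALeaf    *x509.Certificate // end-entity certificate issued by that sub-CA
}

func Build() PKI {
	nationalKey, foreignKey, subCAKey := mustKey(), mustKey(), mustKey()
	subscriberKey, leafKey := mustKey(), mustKey()
	nationalRoot := sign(template(1, "National CS Root", true), nil, &nationalKey.PublicKey, nationalKey)
	foreignRoot := sign(template(2, "Foreign CS Root", true), nil, &foreignKey.PublicKey, foreignKey)
	// Cross-certificate: same subject and public key as the foreign root, signed by the
	// national CS. pathLen 0 limits the guarantee to certificates the foreign CS issues
	// directly; sub-CAs it creates on its own are not vouched for.
	cross := template(3, "Foreign CS Root", true)
	cross.MaxPathLen, cross.MaxPathLenZero = 0, true
	crossCert := sign(cross, nationalRoot, &foreignKey.PublicKey, nationalKey)
	subscriber := sign(template(4, "Subscriber", false), foreignRoot, &subscriberKey.PublicKey, foreignKey)
	subCA := sign(template(5, "Foreign CS Sub-CA", true), foreignRoot, &subCAKey.PublicKey, foreignKey)
	subCALeaf := sign(template(6, "Subscriber via Sub-CA", false), subCA, &leafKey.PublicKey, subCAKey)
	return PKI{nationalRoot, foreignRoot, crossCert, subscriber, subCA, subCALeaf}
}

// ChainsTo reports whether leaf validates for a relying party that trusts only root
// and has been handed the given intermediates.
func ChainsTo(root, leaf *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := leaf.Verify(opts)
	return err == nil
}

func main() {
	p := Build()
	fmt.Println("national root only:", ChainsTo(p.NationalRoot, p.Subscriber))
	fmt.Println("with cross-certificate:", ChainsTo(p.NationalRoot, p.Subscriber, p.CrossCert))
	fmt.Println("sub-CA under cross-certificate:", ChainsTo(p.NationalRoot, p.SubCALeaf, p.CrossCert, p.SubCA))
}
```

Without the cross-certificate the relying party has no path from the foreign subscriber certificate to its trust anchor and must reject it; with it, the chain subscriber, cross-certificate, national root verifies. The path-length constraint is one concrete way of encoding the graded guarantees discussed above: the national CS assumes liability for what the foreign CS signs directly, and nothing the foreign CS delegates further down.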
The civil liability of CSs is the fundamental problem to be dealt with in the matter of digital signatures. Certainly, clarification of the minimum rules that govern civil liability would contribute towards the acceptance of the services of certification entities and would prevent the creation of barriers to international communication. In this sense, harmonization, once the nature of liability has been clarified, affects both the content and the limits permitted.
The liability of CSs can be contractual and noncontractual depending on the existing legal relationship between the parties. (20)
Contractual liability is that which exists between the CS that issues a certificate and the subscriber to it. The rights and obligations of both parties are determined by the agreement entered into by them, by the certificate and, depending on the case, by the certification practice statement (CPS).
Freedom of action, the principle that governs these agreements, is linked to the liability system applicable to the CSs, about which there would appear to exist a consensus in demanding that the activity of the CSs be subject to a set of minimum binding contractual requirements.
Noncontractual liability is the liability that the CS has for the damages or losses caused to third parties that have placed their trust in a certificate issued by the CS.
The first issue raised at the international level concerns the legal nature of this liability. An initial option is to apply a regime of objective liability (strict or no-fault liability).
Under this regime, damages caused by use of the certificate would be compensated regardless of whether the CS exercised professional care in issuing it, except where the user misused the certificate or put it to a purpose other than the one stated. In our understanding this system would be the most appropriate of those possible, for the following reasons:
The second option is to apply to the CS the traditional liability regime for negligence, in which the injured party must prove negligence on the part of the CS. Because the plaintiff faces difficulty and has few means to prove negligence by the CS, this system is moderated through a rebuttable presumption of liability.
This is the system adopted by the UNCITRAL Project (21): every act or omission of the CS that causes recoverable damage gives rise to liability unless the CS can establish that it acted with the due care and diligence called for by the circumstances of the specific case.
There would appear to be a consensus that, for both contractual and noncontractual liability, the content of the liability is determined by the content of the certificate and of the CS's CPS.
The content and type of certificate determine the level of liability applied to the CS. In the electronic market there exist different types of certificates, from those which solely confirm that the identification contained in the record maintained by the CS coincides with the user's name and e-mail address, to those which apply every kind of security measure concerning the identity of the subscriber. The latter kind is the one used in electronic commerce for electronic banking applications, for electronic data interchange (EDI) and for transactions over a certain value (22).
Efforts aimed at achieving harmonization are related to these last types of certificates, given that their basic components must necessarily be fixed in specific laws. These elements, whose existence can generate potential conflicts with legislation on data protection, would be the following: (23)
Finally, it is accepted that the standard of quality of the service and of liability that governs the relation between the CS and its clients is determined by the certification practice statement (CPS), consisting of the following basic components (24):
This declaration, which can take the form of a contract or of public information addressed to all interested parties, is considered essential both for the subscriber to the certificate and for the third party that transacts on the basis of the issued certificate, relying on the appearance of security given by the CS's CPS. Moreover, a set of minimum fixed obligations on the part of the CS can be inferred from both documents.
Within the sphere of harmonization, the possibility has been analyzed of establishing a minimum standard of liability covering both contractual and noncontractual liability.
In the first place, it is suggested that the CS be obliged to comply with a set of minimum obligations independent of the free will of the parties involved; if observed, they would allow the CS to exclude its liability should liability be alleged.
According to the UNCITRAL project, in its two versions (25), the CS, through the act of issuing the certificate, would effect a declaration confirming the following aspects:
The second of the proposed prohibitions is inspired by the UNIDROIT Principles of International Commercial Contracts (26). Under it, a clause that limits or excludes the liability of the CS may not be invoked if doing so would be grossly unfair, having regard to the purpose of the contract. (27)
The third prohibited exemption of liability relates to loss or damage caused by the intentional conduct of the CS or of its agents. This prohibition is also contained in national laws on civil liability and in article 18 of the UNCITRAL Model Law on International Credit Transfers (28).
With respect to exemptions of liability on the part of the CSs and to the quantitative limits of the compensation, the criteria that are being considered in order to bring about a harmonized environment are numerous.
As reasons for the exclusion of liability, the following circumstances are suggested:
Finally, it is suggested that the level of compensation be established according to the following parameters (30):
1 See Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, Ensuring Security and Trust in Electronic Communication (COM(97) 503). Commission Green Paper: Legal Protection for Encrypted Services in the Internal Market, Consultation on the need for Community action (COM(96) 76).
2 Draft Uniform Rules on Electronic Signatures, UNCITRAL (A/CN.9/437; A/CN.9/WP.71; A/CN.9/WG.IV/WP.73), art. 7 (a). Proposal for a European Parliament and Council Directive on a Common Framework for Electronic Signatures, December, 1997.
3 See Ian TAYLOR, "Licensing of Trusted Third parties for the provision of encryption services," JILT, 30-V-1997
4 There exists no single criterion of designation and the possibilities are numerous, for example: transnational or intergovernmental bodies, such as the European Commission, or international bodies, such as the WWW consortia. However, those organizations could provoke conflicts of international effectiveness.
5 See T.S. BARASSI, "The Cybernotary: Public Key Registration and Certification and Authentication of International legal Transactions," http://www.intermarket.com/ecl/cybrnote.html
6 UNCITRAL Project, A/CN.9/437, p. 39-50 and 90-97; A/CN.9/WG.IV/WP.71, p. 18-45 and 57-58; A/CN.9/WG.IV/WP.73, p. 47-48. Art. 4, Directive Proposal, cit.
7 UNCITRAL Project, art.8 and Directive Proposal, cit., art. 4 (4) (b).
8 Utah Law on Digital Signature (1996) p.(2), art. 46-3-201 (b), http://www.state.ut.us/ccjj/digsig/dsut-egs.htm; Italian Law, n. 59, 15-III-1997, art. 8, http://www.notariato.it, and art. 10 of the German Digital Signature Ordinance, in force 1-IX-1997
9 Utah Law, art. 46-3-201. German Federal Law on Digital Signature 22-VII-1997, art. 3 (4)
10 German ordinance, art. 13
11 Utah Law, art. 46-3-201; Italian Law, art. 8(3)(a)
12 Italian Law, art.8 (2)
14 See Carl M. ELLISON, "Establishing Identity without certification authorities", 22 July 1996, http://www.clark.net/pub/cme/usenix.html
15 Art. 17 of the UNCITRAL project states the principle that foreign entities should not be discriminated against, provided that they meet the standards set for domestic certification authorities. Directive Proposal, cit., art. 7(1).
16 Italian Law, art. 8
17 German Law, art 3(15) and UNCITRAL project, art 19
18 Art. 18 UNCITRAL Project and art. 7 (2) Directive Proposal, cit.
19 A/CN.9/437, p.78-83
20 About liability, A.M. FROOMKIN "The essential role of Trusted Third Parties in Electronic Commerce," 75 Oregon L. Rev.49(1996); Bradford BIDDLE, "Misplaced priorities: The Utah Digital Signatures Act and Liability Allocation in a Public Key Infrastructure," 33 San Diego Law Review (1996)
21 UNCITRAL project, art 10(2) and art 6 (3), (4) Directive Proposal, cit.
22 See, concerning certificates, Dr. J.K.OMURA, "Digital Signatures and Certificates," http://www.cylink.com/products/security/digsig
23 UNCITRAL project, art. 8; German Law, art.3(7); art. 5 Directive Proposal
24 UNCITRAL project, art. 8 and art. 4 (4) (g) Directive Proposal. See S. CHOKHANI and W. FORD, "The certificate policy and certification statement framework", 3 November 1996, http://csrc.ncsl.hist.gov/pki
25 UNCITRAL project, art. 10 versions A and B
26 Principles, art. 7 (1) (6)
27 In this context, consumer protection laws could apply against the liability exemptions
28 UNCITRAL Model Law on International Credit Transfers (1994)
29 In any case, attention will be given to consumer protection laws
30 UNCITRAL project, art.12