On the Friday before Christmas the Law Commission released Electronic Commerce Part 3: Remaining Issues (ECom 3). This report follows the introduction into Parliament last November of the Electronic Transactions Bill.
One of the key areas addressed in the bill is the use of digital signatures. First, the bill provides that a legal requirement for a signature can be met by an electronic signature where there is adequate identification and reliability and the recipient consents to the use of an electronic signature either expressly or by their conduct.
Second, the bill contains a "presumption about reliability of electronic signatures". This section of the bill is based on articles 6(3) and (4) of the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures released in September last year. The articles are drafted in technologically neutral terms but reflect what happens in a public key infrastructure (PKI) environment when creating and using an electronic signature. However, unlike the UNCITRAL Model Law, the bill does not contain any provisions relating to one of the key components of PKI, the certificate authority.
A recent article in the IEEE Computer Society’s magazine Computer examined the role of the public key infrastructure (PKI) in meeting the security functions necessary for e-commerce. The article examined whether PKI is necessary for e-commerce, given the availability of other security technologies. It refers to the fact that e-commerce sites are happy to take orders, whether or not buyers use PKI. This may be true in basic consumer transactions. The seller does not need a certificate, as the credit card issuer provides the seller with the assurance that payment will be made. From the customer’s perspective, if the goods do not arrive or if they are other than they were represented to be, the customer can simply stop payment.
The picture changes dramatically, however, as soon as the transaction has lasting effects. If the communications are part of an ongoing relationship, or if the terms of sale allow payments to be delayed, or if there is any question of a warranty or service contract, the parties have a much greater interest in identifying and authenticating each other.
The Computer article also looked at technical hurdles to widespread use of PKI. The first difficulty considered was that of interoperability. Each PKI vendor, for instance, has its own certificate issuance, validation and revocation processes. There are also often differences in authentication policies and in the way that private keys are managed from vendor to vendor.
In Techlaw’s view this issue is likely to be resolved by the industry itself, and there is therefore no benefit in addressing it through legislation. A number of standards are currently in development, and several vendors have formed the PKI Forum to promote cooperation and standardisation (see www.pkiforum.org).
Another difficulty considered was whether users can trust the certificate authority. The user must be confident that the certificate authority is itself trustworthy, while the certificate authority needs to use trustworthy software, procedures and human resources to ensure that the security of its own systems cannot be compromised.
The UNCITRAL Model Law tackles these "trust" issues by placing various obligations on signatories, certificate authorities and relying parties and imposing liability on each party where they fail to meet those obligations. For example, the certificate authority must make certain disclosures to the users in relation to its policies and procedures and it must comply with the policies and procedures disclosed.
This is the area where the current proposed legislation falls short. Providing for the use of electronic signatures may not be enough without an effective form of third-party authentication. New Zealanders, as "early adopters", may be happy to rely on PKI purely on industry assurances and standards. However, without legislative support, it is possible that traders from other countries may not want to deal with us.
In ECom 3, the Law Commission examines the role of the certificate authority but makes no recommendation as to whether the UNCITRAL Model Law provisions relating to certificate authorities should be enacted. In Techlaw’s view, a more assertive approach is required.
Parkinson is a partner in Clendon Feeney’s technology law team. This article, together with further background comments and links to other web sites, can be downloaded from www.clendons.co.nz. Questions and comments are welcome to Averill Parkinson.