Digital
signatures The law and high-fidelity IP pipes David
G. Masse1
|
Text of a lecture given by the author at an international conference on e-commerce held in Montreal, Quebec on September 29, 1998 |
Table of Contents
[1] The
challenge of convergence in the telecommunications industry
[2] The digitization of information in all its forms and the advent of the Internet pose important challenges for many industries.
[3] In the analog world, the nature of a given type of information and the purpose for which it is intended define as a matter of necessity the form the information takes as well as the means of its production and transmission. Thus, analog television, radio, newspaper publishing, book publishing, photography, the telegraph and telephone industries, and many other information industries each developed analog techniques which, though sometimes closely related, ultimately developed into separate industries. In this analog world, competition is fairly segregated within each industry.
[4] We are now living in the midst of an incredibly exciting information revolution in which the digitization of information is imposing profound changes on the means of production and dissemination of information. Digitization does so essentially by shifting the means of production from disparate technologies to a common digital platform. Thus, for example, the Eastman Kodak Company2 faces new competitors in its imaging business as electronics manufacturers such as Casio3 and Sony4 bring new digital imaging products to the market which replace the analog photo-sensitive coated film chemical process with a light-sampling digital process.
[5] It is ironic that many digital cameras write their data to a chemically coated film medium almost indistinguishable in appearance from photographic film.
[6] What the digital imaging process obviates are the many chemical processes involved in producing and processing traditional photographic film. The digital process is therefore more efficient and eliminates much of the delay and cost associated with analog photography.
[7] In addition to the pure efficiency gains, the digital process provides the consumer with functionality not possible with analog photography, such as the ability to manipulate with relative ease the resulting images so as to produce new images and the ability to leverage the Internet in publishing images.
[8] In the result, the new digital technology, as market participants implement it, tends to pit enterprises exploiting traditional analog technologies against new competitors exploiting new digital technologies.5
[9] In
the case of the telecommunications industry the challenges of digital
communications
tend to put into question the basic economics of analog communications
while simultaneously presenting unparalleled opportunities for
innovation
and growth.
[10] Packet-switched
versus circuit-switched networks
[11] Data networks have been packet-switched virtually from their inception. The x.25 packet-switching protocol dates back to the mid-1970’s. Until the advent of the Internet and the broad dissemination of powerful computing platforms, the role of packet-switched data networks had been restricted to data processing systems, and the support of local and wide area networks (LAN’s and WAN’s).
[12] The Internet and the personal computer changed the equation radically. Packet-switched traffic already accounts for the majority of all telecommunications traffic, outpacing traditional analog voice traffic.6
[13] Nevertheless, analog voice telephony remains the backbone of modern telecommunications, even though the network actually carries a large quantity of packet-switched data. For example, packet-switched data travels on the analog circuit-switched voice network each time a consumer dials up the Internet from a residential telephone line. In addition, most traffic is converted to a digital format from the time it reaches the telephone company’s central office.
[14] To
understand the economic impact of the digitization of
telecommunications,
it is necessary to have a good understanding of digital information as
well as to understand the essential difference between packet-switched
data networks and analog telephony which relies on a circuit-switched
network
architecture.
[15] Analog
telephony
[16] Analog voice telephony is said to be circuit-switched because each time a call is placed, a physical electrical circuit is closed between the two telephones. Thus, each telephone call ties up a line or a circuit on the system. That circuit is 100% dedicated to the task of carrying the analog signal for the duration of the call. As in the case of virtually all analog processes, this basic physical arrangement of things historically dictated the entire structure of the telecommunications business.
[17] Because there are a finite number of telephone lines and telephone switches, because inter-city and international lines and call-handling facilities are even more limited, and because each session ties up one of a limited number of circuits, distance and time are today important factors limiting the availability of the system’s resources. The large demand for telecommunications services and the limited supply of network resources naturally gives rise to the pricing structure for local and long distance analog voice services.
[18] Just
as the physical constraints of supplying daily news in printed form
define
the newspaper industry all over the world,7
the physical constraints of analog voice communications similarly
define
the global telephone system.
[19] Packet-switched
networks obey different rules
[20] In order to appreciate the impact of packet-switched networks, it is first essential to understand digitization.
[21] The digitization of information is a very simple process. In its simplest expression, digitization is simply the presentation of information in a new language and the language is binary. That is, unlike our alphabet which is made up of 26 characters, and our numbering system which is made up of 10 characters, binary language is comprised of only two characters: "0" and "1".
[22] The great advantage of binary language is its overwhelming simplicity. The characters of binary language, known as "bits", while initially expressed as "1" and "0", can be expressed as well by the combination and alternation of any two distinct conditions. The presence of light and absence of light, a positive electrical charge and negative electrical charge, the peak of a wave and trough of a wave, and many other observable states of matter suffice to record and transmit information in binary language.
[23] Because binary language is so very basic, it is also extremely inefficient as a medium of expression. Although the letter "a" can be expressed with a single pencil stroke, its binary equivalent requires the use of at least seven bits and is written as "1100001". While the inefficiency of binary language makes it essentially unreadable to humans, it is an ideal language for machine communication.
[24] The interpretation of all binary data relies on protocols, or common agreements on the interpretation of bit sequences. The communication of digital information therefore relies on protocols as well. Packet-switching protocols provide that long binary messages are divided into smaller data chunks or packets. Each packet contains information about the packets to which the packet is related as well as transport information indicating where the packet is coming from and where it is going. The transmission protocol on which the Internet depends is called TCP/IP, which stands for Transmission Control Protocol/Internet Protocol.8 Instead of specially configuring the network to route information (which is what circuit switching does) TCP/IP stores the essential routing information in the message packets. The data then travels from node to node on the data network and computers interpret the routing information in the packets in order to deliver data packets to their intended destination.
[25] Where packet switching gains in efficiency over circuit switching is that any given line or pathway can accommodate a relatively large number of data packets. The amount of information that a pathway can carry is measured in bandwidth. The greater the bandwidth the greater the amount of information that a given pathway can carry. The effective bandwidth of a given medium (for example standard copper telephone wire) is also influenced by the efficiency of the information processing equipment sending and receiving information. For example, consider that the same copper telephone wires have grown in effective bandwidth dramatically with successive developments in computer software and hardware. Transmission speeds have thus increased steadily from 300 baud9 (considered speedy by some in the early 1980’s), to 56 kilobits per second with today’s modems and ultimately to 1.544 megabits per second incoming and 64 kilobits per second outgoing with Asymmetrical Digital Subscriber Line technology (“ADSL”) available today.10
[26] To provide a concrete example, it is estimated that with current digital compression technology, a standard telephone line can carry more than five simultaneous voice conversations once the transmission is converted from analog to digital.
[27] Packet-switched networks are so economically efficient at transmitting information that they tend to eliminate the bottlenecks that have traditionally driven telecom costs. In a digital world, distance ceases to be a very significant cost factor. That is in part why there is no incremental cost for a consumer who accesses the Louvre museum’s web site over the Internet, whereas a telephone conversation with a Louvre employee from the same telephone line for the same period of time would incur substantial long distance charges.
[28] The
tremendous efficiency of packet-switched networks results directly from
the openness of the network. All data flows are bits, all bits
are
the same and all are equally open and readable. They must remain
open and readable or the network will cease to function.
[29] The
essential openness of data packets poses important challenges, however
[30] Packet-switched networks derive their extraordinary efficiency by minimizing the infrastructure needed to allow communications to occur. The network relies on its openness to achieve its ends: binary data packets must be easily inspected by each node encountered on their trek across the wired and networked globe so that they can be handed off in the probable direction of their intended destination.
[31] At the present time, the business community relies, without much, if any, concern, on point-to-point voice communications over the telecom infrastructure. The needs of identification, integrity, confidentiality and authentication are met quite well by the analog nature of the system. The circuit-switched nature of the telephone system performs most of the task both of ensuring the integrity and authenticity of our transmissions: the number assigned by the local telephone company authenticates the terminal end of the communication (i.e., for a single residential telephone line, the physical address at which the line terminates) and the voice of the person to whom we are speaking does the rest, as we verify the subtleties of tone, inflection and intonation of the speaker against the voice of the person we remember. The integrity and confidentiality of the message we hear is vouched for by the logical coherence of speech, and our knowledge that (except for party lines still found in some rural and cottage areas) the interception of our conversation is technically somewhat difficult and is in fact quite unlikely.
[32] As the business community began to use the telecom infrastructure increasingly for data communications in the late 1970's, in large measure it transferred to its data communications the trust developed through long reliance on the telecom system for voice communication, without giving much thought to the fundamental differences between voice and data communication. The source of our existing faith and trust in the integrity of the telecom infrastructure stems from our long collective experience in analog voice communications.
[33] In data communications however, the traditional authentication and verification tools we employ no longer work for us: our bits and bytes look and sound pretty much like everyone else's bits and bytes. We are able to verify that our message was received integrally in a point-to-point data communication by periodically transmitting bits back to the sender for verification against the bits originally sent, but we have no way of knowing precisely who the reply is coming from. Thus, taking the most prevalent example of data communications failure, every day, clerks in businesses all over the world transmit faxes to the wrong destination by inadvertently keying in the wrong telephone number. No one is the wiser until the intended recipient denies receiving the message. Even then, we assume that the machine failed in some way, rarely considering that the message is now in the wrong hands. Nevertheless, the risks inherent in point-to-point switched data communications have not generated much, if any, attention and concern.
[34] Open packet-switched networks are quite another matter however. In the case of the open network, anything goes. Communications can be diverted, copied, altered, replayed, rerouted, etc., etc., etc. We have no lingering familiarity and trust of open networks and though our data communications in open networks most often start with a point-to-point telephone link, there the similarity ends. Experts tell us that this new medium is quite insecure.
[35] For the Internet to perform a role as an appropriate medium for the exchange of the valuable digital records which will one day form the backbone of e-commerce, there must be a way to make sure that the senders and recipients of 1's and 0's are known with some degree of reliability and that some mischievous spirit can't easily alter the sender's sequence of 1's and 0's on their way to the recipient.
[36] Simply
securing the Internet to make it work more like the analog telephone
network
is not sufficient to accomplish the type of messaging integrity that
the
eventual information infrastructure demands. A point-to-point,
circuit-switched
communications network like the existing phone system succeeds in
supplying
a degree of authentication (restricted to the registered owner of the
telephone
line) but does little or nothing to vouch for the authenticity and
integrity
of digital records.
[37] The
role of cryptography and digital signatures
[38] A digital record, unlike an analog message, derives its singularity not from its physical nature, but merely from the sequencing of its bits. A string of bits, just like a sentence written in any other character set, must always be interpreted in order to yield its meaning. Even ASCII11 text, which, in some ways, is the lowest common denominator of digital information, must be interpreted if it is to reveal its meaning. If the sequence of “1”’s and “0”’s is disturbed, the string is altered, and the resulting meaning will be changed, perhaps lost. This alteration, when it occurs, is most often unintentional, but sometimes may be malicious.
[39] When digital information is created, used and stored in a closed environment like a typical local area network, the risk of alteration can be managed and contained. When the same information is transmitted in open networks such as those that make up the Internet as we know it, controls are absent and the data becomes relatively vulnerable.
[40] In order to ensure that IP12 networks meet our expectations in terms of reliability and fidelity, steps must be taken to shield the data itself from interference. In addition to shielding the data, special steps must be taken to authenticate it.
[41] The bits themselves must always remain ones and zeroes, but the sequence in which they appear may be manipulated at will.
[42] At one end of the manipulation spectrum, it is not very difficult to alter a string of bits representing ASCII text to change the message “a,b,c” to “c,b,a”. At the other end of the spectrum, it is child’s play to redistribute the bits randomly and thereby destroy their meaning without hope of recovery. In between those two extremes lies a world of possibilities.
[43] Throughout
recorded history, man has manipulated the sequence of written
characters
to mask the meaning of his messages. The art of doing so is
called
cryptography.
[44] Flavours
of cryptography
[45] Cryptography has largely remained in the realm of state security throughout the ages. As we will see, it is only now emerging from the shadows, to serve a useful role in everyday life. Although cryptography is, and probably always will be, the exclusive preserve of advanced mathematics, some understanding of cryptography is essential in order to appreciate the role it can play in bolstering digital information so that it can play a more significant role in society.
[46] Until fairly recently, cryptography came in one dominant flavour: symmetrical cryptography. A cryptographic system is said to be symmetrical when the key that is used to encrypt data is also used to decrypt it. The encryption key and the decryption key are both the same.
[47] In the mid nineteen-seventies, researchers13 at the Massachusetts Institute of Technology invented a method of asymmetrical cryptography. In asymmetrical cryptography, encryption keys come in pairs. Each key of a key-pair is different from the other key in the key-pair, although the keys are mathematically related to each other. The mathematical relationship between the keys is such that the following holds true:
[52] The technique of the digital signature lies at the heart of large-scale data authentication.14 It is a technique with many subtleties and it lends itself, in various guises, to some very interesting authentication possibilities. It is therefore important to understand how a digital signature is made. One way to acquire an understanding of digital signatures is to consider the following simple example.
[53] Let us say that Alice and Bob wish to exchange e-mail messages over the Internet and that they wish to have a high degree of assurance that the messages they exchange are confidential and authentic. Alice and Bob each have personal computers on which e-mail software and public key encryption software have been installed. They have each generated an encryption key-pair. In each case they have carefully kept secret one key of the key-pair (which for this example we will call their respective private keys), while they have exchanged the other key of the key-pair with each other. The keys that they have exchanged we will call their public keys. Once this public-key exchange is complete, Alice has her key-pair as well as Bob’s public key and Bob has his key-pair as well as Alice’s public key.
[54] Alice intends to send a message to Bob: “Please meet me at the market at 4 this afternoon”. Her e-mail program calls on the encryption program. She elects to encrypt the message (for privacy reasons) and to append her digital signature to it (for authentication purposes). She has the choice of doing either, or both. The encryption software first takes the message and distills a ‘hash’ value of it using an encryption algorithm. A hash function is a one-way encryption-based function, which calculates a kind of digital fingerprint for any given message. Let’s say that the hash value of the message “Please meet me at the market at 4 this afternoon” is “4496”. The nature of a hash function is (a) that it operates in one direction only, so that it is impossible to recreate the original message starting from its hash value, and (b) that a change of as little as one bit of the original message will produce a very large change in the message’s hash value. It is practically impossible for even slightly different messages to generate identical hash values. The software then encrypts the original message text using Bob’s public key. It then encrypts the hash value of the message using Alice’s private key. The encryption of the hash value with Alice’s own private key is referred to as her digital signature. The encrypted messages may then be sent to Bob over the Internet, or by an equally insecure method.
[55] During transit over the Internet, curious eyes at will can inspect the messages. Alice is very popular and her public key is very widely available. In fact, it has been published in directories that are widely available. Her private key is a deep secret known only to her. Bob’s private key is similarly known only to him. Thus, while anyone in possession of Alice’s public key can decrypt the hash value of the message and obtain “4496” (since, having been encrypted using Alice’s private key it can be readily decrypted using her public key), they are incapable of making head or tail of the message itself since they have no access to Bob’s private key. Nor can they recover the text of the original message by manipulating its hash value.
[56] Bob receives the messages in due course. Like Alice, Bob’s computer has an e-mail program that is integrated with an encryption program similar to Alice’s. When Bob attempts to read Alice’s message, a number of things happen. First, Bob is prompted for the passphrase of his private key that he supplies. Using Bob’s private key, the software then decodes the message and obtains “Please meet me at the market at 4 this afternoon”. Because Bob wants to be sure that the message truly comes from Alice (Bob is also very popular and women are always trying to trick him into meeting them at the market by masquerading as Alice), he requests that the software verify Alice’s digital signature.
[57] The encryption software in Bob’s computer first takes the message “Please meet me at the market at 4 this afternoon” and distills a ‘hash’ value of it using the same hashing algorithm as that employed in Alice’s encryption software. The message yields a value of “4496”. The software then uses Alice’s public key and attempts to decrypt the encrypted message hash received from Alice. The decryption succeeds and yields the original hash value “4496”. The two hash values are then compared and found to be identical. The software then proclaims on Bob’s computer screen a message that reads “Good digital signature from Alice”.
[58] As a result of the basic principles at play in asymmetrical cryptography, it is possible to conclude in the above example that the message sent by Alice to Bob was authentic and has not been tampered with en-route for the following reasons:
[63] In order to perform their quality assurance magic, public key cryptography and digital signatures must rely on the existence of an infrastructure designed to permit public keys to be widely disseminated with a high degree of assurance. Digital signatures work very effectively to protect digital records in otherwise insecure environments. In order to work well however on a large-scale basis, it is necessary for all users to know, with a relatively high degree of assurance, the public keys of the persons with whom they wish to exchange authenticated data. Without reliable access to the author’s public key, there is simply no way to encrypt or to verify a digital signature.
[64] Public key infrastructures (or simply “PKI”) are the amalgam of software, standards and institutions which, taken together, allow for the dissemination of the encryption software and the dissemination and management of public keys. It is beyond the scope of this paper to explain in detail the functioning of public key infrastructures15 or to mention all of the companies that offer public key infrastructure related products. The description that follows is merely intended to give a rough idea of the breadth of the implementation of this technology at this time.
[65] Reduced to its simplest expression, a public key infrastructure comprises the following:
[75] A legal signature plays a role in the world of analog documentation that is in many respects functionally similar to that played by digital signatures in the world of digital records.
[76] The presence of a signature on a document offered as evidence, while not a universal determinant of admissibility and evidentiary weight, has generally been recognized by western legal systems as playing an important role.
[77] The legally recognized signature is necessarily bound closely with the rules of documentary evidence and the fundamental notion of originality as a measure of admissibility. It is therefore important to have a general understanding of the rules of evidence as they apply to the admissibility of signed records.
[78] The rules of evidence under Quebec Civil Law as in force under the old Civil Code of Lower Canada in relation to the requirement for a signed original document were derived from the old English Statute of Frauds. Those rules predicated the admissibility of the written evidence of a contract on the production of an original document signed by the party against whom the contract was to be invoked.43
[79] Quebec authors agree that as a matter of civil law, a signature must be inscribed manually, by the hand of the signatory.44 Unlike the precise rules which defined the written instrument, Quebec’s civil law did not define precisely what constituted a signature. This allowed the courts some latitude in interpreting the rules on the relatively rare occasions when they considered the question. Jean-Claude Royer summarizes the state of the former law and jurisprudence in the following way:
[80] "L'absence de définition de la signature dans le Code civil du Bas-Canada a également permis à la jurisprudence québécoise de faire preuve de souplesse dans l'interprétation de cette notion. Ainsi, les tribunaux ont reconnu la validité de la signature apposée au moyen d'une croix ou d'une marque en présence d'un témoin."45[81] The willingness of Quebec courts to adopt a more practical and liberal approach to signatures than that espoused by doctrinal authors is not that different from the pragmatic approach taken by courts in the United States.46 It should not be surprising however that the courts approached the matter in the same way since in both cases the law here and in most other jurisdictions in the United States and Canada evolved from the same British source.47
[82] According to the authors of Quebec’s civil law doctrine, the most important roles played by the signature are, first and foremost the identification of the signatory, and secondly, the manifestation of the signatory’s willingness to be bound by the document bearing the signature.
[83] The principle is clear and easy to understand. The problem that arises once one ventures from the world of pen and ink, is how does one sign a digital record?
[84] The problem is much more subtle and complicated than it appears to be at first blush. A simple answer would be to have the signatory sign a blank sheet of paper, scan the image of the signature and paste the scanned image of the signature into the digital record. Simple enough.
[85] The reality is that a scanned signature looks as if it does the job, but the role of the scanned signature is purely superficial.
[86] In order to understand why a scanned signature doesn’t rise to the occasion as a solution to the problem, one has to look beyond the signature and understand the interplay between the signature and the document on which it rests.
[87] Signatures derive their legal role from the nature of the signing process. The signature itself has been shown to be a very personal trait intimately linked to the personality of the signatory. The pressure applied to the writing instrument varies not only from individual to individual, but also from one part of the same individual’s signature to another, and the variance is relatively consistent and predictable from signature to signature. The ink used has a chemical and spectrographic signature of its own, and the interaction between the ink and the paper indelibly alters the structure of the paper and of the ink. The paper itself is unique in its own right. All of the foregoing factors combine to ensure that each signed document tends to vouch for its own integrity.
[88] In cases where a litigant denies his or her signature, scientific analysis can be brought to bear and is often very helpful in determining, with a reasonable degree of certainty, the authenticity or falsity of the document and of the signature it bears.
[89] The foregoing rules apply in a general way in the world of analog records, but they fail to apply altogether in the digital world.
[90] The notion of the essential originality of paper documents is a manifestation of the molecular bond between information and the medium in which it is expressed. The originality of any given document is that which we rely upon to authenticate the information it contains. The most striking examples of this are of course bank notes. Paper currency as we know it exploits a number of physical traits of paper and ink so as to authenticate the intrinsic value that the bank note represents. The atoms which comprise the document attest to its source and hence to its authenticity.
[91] As we have seen, in the realm of evidence, the atomic singularity and the molecular bond between ink and paper coupled with the intrinsic and intensely personal nature of the manual signature tend to authenticate any given signed document.
[92] The rules of evidence recognize these features and predicate the admissibility of evidence on them.
[93] Digital publishing is the first method for creating and disseminating information in which the information is not inextricably bound to a physical medium. For the very first time, information can be separated from the medium in which it rests and be transferred to other media. As long as the series of “1”’s and “0”’s is faithfully reproduced, digital information loses none of its initial quality. A given text, image or sound can be copied any number of times, using a variety of different techniques and recording and storage media, without suffering a degradation of its content in any respect. The concept of quintessential, molecular, atomic, originality that is the hallmark of the paper document is therefore not a feature of digital information.
[94] The absence of essential originality is a quality that presents substantial challenges when one attempts to establish the authenticity of a digital record. The reality of the digital document is that a bit, is a bit, is a bit. There is nothing to distinguish one bit from another. All are absolutely identical. The only thing that distinguishes one digital record from another, is the order in which the bits are presented.
[95] The scanned signature that is pasted into a digital record fails therefore to play the role we naturally expect it to. Authenticating digital content requires that additional special care be taken in the production and preservation of information.
[96] The courts have already had to struggle with adapting the rules of evidence to the reality of digital documents. They have evolved an approach to the problem in which the reliability stemming from the notion of originality is replaced by the reliability of the information system that produces the digital records.48
[97] Thus, if one is able to prove to the satisfaction of the court that the information typed on the keyboard is the same as that which is printed out and offered in evidence, the courts will generally be prepared to admit the digital record in evidence.
[98] To date the courts have not had to deal with the admissibility of digital records carried in open networks. Most cases have dealt with the production of digital records created in closed and centrally administered information systems. Because e-commerce is destined to flourish in open networks, and because of the growing volume of transactions combined with the fragility of data in open networks, there is a growing realization in the legal community that both the law and information systems must evolve in a way that increases the certainty that digital records will receive a legal treatment consistent with their traditional analog counterparts.
[99] Quebec civil law has recently undergone a major reform designed to adapt it to the reality of the coming millenium. In 1994 Quebec’s new civil code came into force. Among the fruits of the law reform were a number of changes to the rules of evidence.
[100] Quebec now has a small suite of articles dedicated to deal with the admissibility of digital records in civil cases. In addition, the reform ushered in a new definition of what constitutes a legal signature. These rules are designed to address the challenges posed by digital records. Unfortunately, the reform ended and the civil code came into force just before the Internet came to the fore as the central force shaping the development of the coming information age. It is not clear whether the new rules in Quebec’s Civil Code are up to the challenge as analog business practices are shifted to the World Wide Web.49
[101] As for the specific provision dealing with the definition of a legal signature, it reads as follows:
[102] "2827 C.c.Q.[104] Quebec civil law doctrine is divided on its assessment of this aspect of the reform. Certain authors side with the commentary of the Justice Minister upon the introduction of the reform and see this article as a softening of the legal requirements which favours new means of signing digital records.50 Others like Jean-Claude Royer on the other hand believe that the new provision serves to restrict the flexibility that already existed under the former rules:[103] A signature is the affixing by a person, on a writing, of his name or the distinctive mark which he regularly uses to signify his intention.."
[105] "L'O.R.C.C. a proposé une définition large mais imprécise de la signature, Celle-ci est définie par l'Office comme l'apposition par une personne de son nom ou de toute marque par laquelle elle manifeste son consentement. Le législateur québécois n'a pas suivi cette recommandation de l'O.R.C.C. L'Article 2827 du Code civil du Québec définit la signature comme suit:[108] Whether one or the other school turns out to be right on this issue may be somewhat moot however. Under the new rules of evidence under Quebec’s civil code, the role of the signature no longer goes to the question of admissibility of a record,52 it now only goes to weight.53 In the case of digital records, the whole issue of whether a record is signed ceases to be significant since the evidentiary value of a digital record is the same whether or not the record is signed. Although here again the authors are divided on the question,54 some conclude that digital records are not accorded the same status as paper records. Jean-Claude Royer states:[106] [...]
[107] Le législateur québécois a préféré donner une définition plus restrictive de la signature. Il est douteux que la signature au moyen d'une simple croix soit encore admise. Une croix n'est pas une marque personnelle distinctive, même lorsqu'elle est utilisée de façon courante."51
[109] "415 - Preuve contraire - Comme les autres écrits prévus aux articles 2831 à 2834 du Code civil du Québec, le document reproduisant les données d'un acte juridique sur support informatique peut être contredit par tous les moyens. Cette règle s'applique, même si l'inscription informatisée a été effectuée au moyen d'une carte magnétique permettant d'identifier son auteur. Il est vrai que la signature électronique peut être comprise dans la définition de la signature énoncée à l'article 2827 C.c.Q. Cependant, le document n'est pas un acte sous seing privé, il est exclusivement réglementé par les articles 2837 à 2839 du Code civil du Québec."55[110] It is indeed quite unfortunate that article 2839 C.c.Q. establishes in the case of the digital record, a rule of evidence which for all intents and purposes relegates the digital record to the lowest rank of evidentiary weight. Unlike a signed document, a digital record, even if it were found to be signed by application of the new article on the meaning of a signature, could be contradicted by any means.56
[111] This new rule negates the fundamental principle of the rules of documentary evidence to the effect that testimony is inadmissible to contradict the terms of a valid written instrument.57 Thus if a contract is signed on paper, the parties’ testimony tending to contradict the terms of the contract will not be admissible, but if the same contract is evidenced by a digital record, testimony contradicting its terms will be admissible.58
[112] In the result, Quebec’s civil law rules as they relate to the proof of digital records offered as evidence of the formation of a contract are most likely less favorable to the development of e-commerce than the old century-old rules were.59 It is fairly clear that the new rules of evidence are not consistent with the recommendations contained in the UNCITRAL model law developed by the United Nations to serve as a guideline to nations wishing to eliminate the legal bias in favour of written documents.60
[113] The
law in most jurisdictions is undergoing a similar effort to adapt its
institutions
to the coming digital age. The work of UNCITRAL is echoed in the
similar work being carried on by the Uniform Law Conference of Canada61and
the National Conference of Commissioners on Uniform State Laws62
in the United States.
[114] The
future of legal signatures in a digital world
[115] The challenge of enabling large-scale e-commerce in all its guises requires that a means be found to shift virtually all aspects of analog commerce into a virtual guise.
[116] The means of digitizing most features of every day commerce is relatively straightforward. Commerce generally relies quite heavily on paper trails of one variety or another and the nature of the digital medium is such that the digital equivalent of a given process will be much richer in terms of useful information content and accessibility.
[117] One evident exception to this principle is the commonplace signature.
[118] We have seen that digital signatures share some interesting features with legal signatures in the sense that they can be fairly readily and intimately related to an individual and they serve to authenticate digital content with a high degree of assurance.
[119] It is therefore very tempting to seize digital signature technology and the public key infrastructure that supports them and press them into service to support both legal signatures and the broader contractual framework that e-commerce naturally thirsts for. In addition to the desire to enlist digital signatures in this way, digital signatures have features that surpass the analog signature in many important respects. For example, they authenticate the content with which they are associated far more intrinsically and integrally and, combined with encrypted content, they actually serve to secure the content against disclosure to unintended readers.
[120] These features of digital signatures have led to a fairly extensive and broadly based movement in legal circles both in North America and Europe to design a paradigm within which digital signatures not only serve as the basis to transpose legal signatures and contracting into the digital medium, but actually go beyond what is currently done with pen and ink by proposing to venture into the realm of non-repudiable contractual instruments supported in part by a scheme of virtual notarization.63
[121] At this early stage of development of digital networks we are close to a virtual big bang. By this I mean that we are at a moment in time when digital information is in its infancy, and like the cosmic big bang in which the animal, vegetable and mineral world we know is all compressed into one undifferentiated soup of elementary matter, the tools available to us to shape the digital communications future are to a large extent also in an undifferentiated state. Thus digital signatures, contractual paradigms, biometrics, authentication, rules of evidence, network communication protocols, signatures, packet standards, directories, and other nascent features and tools are all tightly and closely packed together. The professionals in search of digital tools, including telecom network engineers, lawyers, software designers, e-commerce managers, cryptographers, law enforcement professionals, social scientists and many others, are all being thrown together in this tightly compressed universe and wires are being crossed.
[122] Everyone is trying to use these undifferentiated digital tools to achieve their particular purpose. In this way, a single attempt is being made to craft a public key infrastructure that will serve the needs of all constituents.
[123] It is important to provide just one example of this phenomenon that concerns lawyers and the telecommunications industry.
[124] The legal community is focussing substantial resources on the application of public key infrastructures in the areas of the law of evidence and the law of contract in order to assist in providing a substantial legal foundation for the development of e-commerce.
[125] In this vein, the American Bar Association’s Section of Science and Technology has been developing a comprehensive legislative approach designed to give rise to a public key infrastructure which can serve as a robust platform for e-commerce in open networks. The most important contribution to the development of this type of public key infrastructure is a document entitled Digital Signature Guidelines.64 The Digital Signature Guidelines define in great detail a system that is an amalgam of law and technology designed to provide a legal and technological framework for e-commerce. This objective is stated in the document in the following way:
[126] “These Guidelines seek to establish a safe harbor - a secure, computer-based signature equivalent - which will (1) minimize the inci-dence of electronic forgeries, (2) enable and foster the reliable authentication of docu-ments in computer form, (3) facilitate commerce by means of computerized communi-ca-tions, and (4) give legal effect to the general import of the technical standards for authen-ti-cation of computerized messages.”65[127] The intent of the guidelines is to assist the drafting of digital signature legislation and its interpretation.
[128] The State of Utah is one of the jurisdictions that has enacted a digital signature statute along the lines suggested by the Digital Signature Guidelines. The Utah Digital Signature Act66 implements a scheme of regulation for the licensing of certification authorities and provides a statutory framework which defines the process which must be followed when a subscriber applies to a certification authority for the certification of a public key. Certification authorities are not required to obtain a license under the Act to operate in the State of Utah, but unlicensed certification authorities and their subscribers do not benefit from the presumptions afforded to digital signatures under Part IV of the Act.
[129] Under the provisions of Part IV, a message digitally signed with the aid of a private key whose corresponding public key is certified by a licensed certification authority is deemed to be a document which satisfies writing and signature requirements and that the subscriber’s signature is valid. In this sense, the entire public key infrastructure envisioned by and regulated under the statute is destined to support contracting in open networks.
[130] This relatively narrow focus on legal signatures and hence on legally binding digital instruments neglects the important role that digital signatures have to play in building high fidelity IP networks. Not only does it neglect that role, it places substantial obstacles in the path of that type of development, as we will see below.
[131] Fortunately,
as time moves inexorably forward, as more and more communities of
interest
become aware of the immense potential of the digital age and strive for
ways to harness digital tools, the digital universe slowly expands, and
with that expansion should come the differentiation which is essential
to proper and efficient development.
[132] High
fidelity IP pipes and the law
[133] We have seen that open IP networks do not inherently provide reasonable assurances in relation to the authenticity and integrity of the information they carry. One challenge facing the telecommunications industry as traditional networks are digitized, is to afford to consumers the same level of quality in terms of integrity and authenticity as that offered by current analog voice networks, and to do so in a highly efficient and cost effective manner consistent with open IP data networks. Digital networks which deliver this type of high quality assurance might be said to provide high fidelity communications services. Spoken in more colloquial terms, the challenge for the telecommunications industry is to develop revenue producing, cost effective, high fidelity IP pipes.
[134] Doing so inevitably means that some form of large-scale data integrity system will need to be deployed. Because of the incredible promise of scalability inherent in public key cryptographic techniques, public key infrastructures are most likely the key enabler in the establishment of high fidelity IP pipes.
[135] In order to deliver on the promise, protocols and standards must evolve which place the emphasis on efficient utilization of bandwidth, efficient access to interoperable directories, seamlessly easy management of encryption key pairs, uncompromising user friendliness and simplicity at the front end of the client application.
[136] At the present time, and for the reasons mentioned above, the law is intruding in many facets of public key infrastructure theory. This intrusion is well meant and is intended to assist public key cryptography in delivering the promise it holds for facilitating many aspects of e-commerce. We have seen that the law has its own challenges in finding a means to transpose its rules of evidence into the digital realm and that the incredible promise immanent in public key infrastructures is being enlisted in that endeavour.
[137] In the current undifferentiated state of development, a sufficient distinction is not being made between the needs of the law and the needs of the telecommunications infrastructure.
[138] To provide one concrete example of the inconsistencies that result, consider that Netscape Communications Inc. which has a very large share of the market for web browsers, has chosen to use digitally signed messages as one of the primary vehicles for public key exchange. Thus, in order to propagate one’s public key as broadly as possible so as to facilitate high fidelity e-mail exchanges, one should configure one’s browser to sign all one’s messages. This is an arbitrary solution, and other routes could be imagined to accomplish the purpose, but the fact is that this is the vehicle used by a very large segment of the installed browser base. If one signs all one’s messages in order to facilitate high fidelity communications, can it be said that any of one’s messages are signed in a legal sense? Is it reasonable to conclude that any of those messages are signed in a legal sense?
[139] The answer is that it is unlikely that any court would conclude that a digitally signed message in that kind of environment constituted a valid legal signature since the necessary element of intention is missing or impossible to prove.
[140] Similarly, if one chooses to encrypt and sign all of one’s messages simply to achieve a reasonable degree of high fidelity in one’s digital communications, should one have to consider the implicit liability shouldered arbitrarily under the terms of a classic digital signature statute?67
[141] It is now increasingly appreciated that the legal consequences sought to be attached to digital signature technology for the purpose of serving as an enabler of e-commerce tend to give rise to inappropriate risk management models for baseline network communications which in turn lead to uneconomic results. The uneconomic features in the form of less manageable risks generating higher costs of service in turn have a substantial negative impact by impeding the commercial deployment of public key infrastructure products.
[142] Consider for instance the following. The leading public certification authority today remains Verisign Inc. In order to comply with the legal imperatives set forth in the American Bar Association’s Digital Signature Guidelines, consumers who wish to have their public key certified by Verisign Inc. are expected to read, understand and accept Verisign Inc.’s Certification Practice Statement. The Certification Practice Statement is a relatively dense legal treatise that attempts to describe the liabilities of the parties to the certification of a public key.68 The very notion of certification in relation to public keys arises from the legal imperative of identifying the individual who owns a key pair. The need to identify the flesh and blood owner stems from the implicit assumption that the person’s digital signature will be used to support a legally binding transaction.
[143] An efficient data communications medium shouldn’t be primarily about signing contracts, and using it shouldn’t require the user either to understand or much less to adhere to a complicated scheme of legal responsibility. Requiring the consumer to do so, leaving aside the interesting legal debate as to whether the attempt can be predictably successful before the courts,69 is not likely to spur the widespread adoption of digital identities and public key management services by the public.
[144] Another manifestation of the legal imperative is in the phenomenon of cross-certification. If public key cryptographic techniques and digital signatures are to be used to build a commercial assurance level, high fidelity public digital network, it is evident that a great number of certification authorities will have to be enlisted to provide key management services. This is so simply because if the system is to work appropriately, as it is presently conceived, the task of identifying each individual and establishing a reliable link between the individual and his or her public key requires out-of-band verification if it is to have any real meaning. An out-of-band-verification is necessarily an analog process involving human contact and some degree of immediacy.70 This in turn implies geographic limitations. If this holds true, and if one assumes that not all certification authorities will be under the authority of a single entity, then some means has to be found for each certification authority to recognize and endorse, the public key certificates issued by other certification authorities.
[145] As presently conceived, certification authorities cross-sign each other’s certificates and an elaborate scheme is supposed to evolve in which the trust which is presumed to result from the initial act of certifying a given individual’s public key is vectored by cross-certification from one end of the public IP network to the other. In order for that bit of magic to occur, there has to be some way to concatenate not only certificate chains but also the certification practice statements of each participating certification authority. Because any given certification practice statement determines the degree to which a resulting certificate is worthy of trust,71 a given certification authority will be reluctant to endorse the certificates issued by another certification authority until it is satisfied that the respective certification practices are compatible and are likely to remain so. Enter the cross-certification agreement.
[146] While there will likely always be a need for a norm for cross certification, the legal imperative of attempting to vector trust through the communications network for the purpose of supporting a framework for legally binding contracts and legal signatures unnecessarily complicates the process. It also burdens the system with the specter of legal liability for all participants.
[147] The
legal community’s desire to leverage digital signature technology
in the
service of the law therefore exhibits the unintended result of raising
substantial obstacles in the path of the very technology that it seeks
to promote and exploit.
[148] Conclusion
[149] There is a growing awareness that law reform efforts designed to eliminate traditional paper-centric obstacles to e-commerce need to be “technology neutral”. Refer for example to the discussion on electronic signature statutes in the current status report on the work of the Uniform Law Conference of Canada’s committee on electronic commerce.72
[150] This awareness is due in no small part to the overwhelming complexity of attempting to develop a legislative and normative consensus on the topography of a system which gives legal effect to digital signatures. The marriage between the communications technology and the law is simply not likely to work. Both systems obey different rules, are designed to accomplish different ends and are essentially dynamic systems that are required to adapt to the needs of their respective missions over time. In the case of the legal system, its rules are adaptive and reflexive in the sense that the law generally adapts to social developments after the fact and in a cautious and conservative way. The rules governing telecommunications on the other hand serve an enabling purpose and are precursors of social development.
[151] The desire to blend and harmonize technology and the law in the pursuit of a legally valid digital signature is by no means dead. Efforts are continuing in North America and Europe to achieve this goal.73
[152] If one were to prioritize the different steps needed to be taken to build a robust infrastructure for e-commerce, the very first would be to develop a high fidelity interoperable digital network. Such a network would be based on a public key infrastructure whose features would be entirely geared to maximize efficient communications: Spartan public key certificates susceptible of being carried on smart cards, a neutral risk allocation scheme which does not discriminate in favour or either senders, receivers or intermediaries, and which would focus on high fidelity communications among devices, rather than on vectoring trust between remote individuals for the purpose achieving the legal objective of facilitating the formation of contracts.
[153] In essence, the most important contribution that public key infrastructures have to make relates to the operation of a communications system and not to the legal fabric of e-commerce or that of society. It’s not about finding a way to trust a remote individual with whom I have no prior contact and signing a legally binding contract with her, it’s about communicating valuable digital information to a person or entity I already know, and likely trust, through a collection of wires, waves and devices about which I have no clue and to which I have to find some way to entrust my communication. We are talking about mechanics, not people, about machine level interaction and data exchanges, not about trust and contracts.
[154] Until technology and the law part company74 and the technologists are freed to focus on solving the purely technical problem of building an efficient network of high fidelity IP pipes, it is not likely that we will see any truly significant build-out of e-commerce.
[155] On the other hand, the existence of a global high fidelity data communications network would provide a sound foundation on which to build a superstructure designed to address the need for features like legally binding signatures. An overlay of digital signature technology might certainly contribute to the solution, though one can easily imagine a variety of other means that might address the need in a more natural and efficient way. Technology such as a marriage of biometrics and digital watermarking75 specifically designed as a legal signature tool and used against the backdrop of a high fidelity IP network could be a possible solution. Many others could no doubt be imagined and developed. In a mature IP world, one would expect to see a range of competing legal signature tools and technologies, each providing a viable and acceptable alternative means of signing documents in a legally valid way.
[156] As a final thought, it is important to consider that the law has not historically shown itself to be hostile to the advances in technology which have mandated that outdated legal concepts be adapted to changed circumstances.
[157] The courts in most North American jurisdictions have demonstrated a willingness to admit digital records into evidence without requiring that technology as sophisticated as digital signatures be employed to vouch for the integrity of the evidence. This same consideration applies to legal signatures. Courts have already indicated that the mundane PIN76 may suffice as a signature, to the extent that one is required, in interactions between banks and their customers through the use of automated teller machines.
[158] To
the extent that a high fidelity IP network arises, the baseline level
of
quality assurance it will provide will contribute the degree of
stability
and predictability that the law demands when it determines whether
litigants
before a court have entered into a binding legal relationship as a
result
of the exchange of digital communications. On the other hand, if
the law continues to intrude on the development of public key
infrastructures
as it has done in the recent past, it is almost certain that the
development
of high fidelity IP networks will be slowed, possibly to a significant
extent.
[159] End
Notes
1. The author is a lawyer,
member of the Quebec Bar Association and Senior Legal Counsel and
Assistant
Corporate Secretary of Bell Canada
and
BCE
Inc. The views expressed in this paper are those of the
author
alone and are not to be attributed to Bell Canada or BCE Inc. or their
affiliates.
2. Carl GUSTIN, Pictures
In The Digital Economy, in Blueprint to the Digital Economy
– Creating
wealth in the era of e-business, Don TAPSCOTT, Alex LOWY and David
TICOLL, Natalie KLYM eds., McGraw-Hill, New York, N.Y.,
1998.
See Kodak’s web site at http://www.kodak.com/.
3.http://www.casio.com/digitalimaging/
4. http://www.ita.sel.sony.com/technology/feature/cameraguide.html
5. To appreciate the
challenges
facing an incumbent analog industry, consider the recent developments
in
Eastman Kodak’s long history in the imaging business:
http://www.kodak.com/aboutKodak/kodakHistory/milestones97toDate.shtml
6. Data traffic already
made up more than half of the traffic on the public network in North
America
by late 1996. John ROTH, The Network is the Business, in Blueprint
to the Digital Economy – Creating wealth in the era of e-business,
Don TAPSCOTT, Alex LOWY and David TICOLL, Natalie KLYM eds.,
McGraw-Hill,
New York, N.Y., 1998.
7. David MASSE, The
ABC's Of Authentication - A Is For Atom, B Is For Bit And C Is For Care,
at paragraph 8 and following, in The Official Version - A
National
Summit To Solve the Problems of Authenticating, Preserving and Citing
Legal
Information in Digital Form, a summit conference held in Toronto,
Ontario
in November, 1997 organized under the auspices of the Canadian
Association
of Law Libraries available at http://www.callacbd.ca/summit/auth-masse.html.
8. For a description of
TCP/IP as well as a short history of the development of the Internet,
see
Jean-Claude GUÉDON, La planète cyber –
internet
et cyberespace, Gallimard, 1996.
9. Nicholas Negroponte
points
out in Being Digital that the term baud (named for Emile
Baudot,
a Telex pioneer) and bits per second are not exactly equivalent
measurements
of bit transmission speeds, but are so close to each other that they
can
essentially be used interchangeably. Nicholas NEGROPONTE, Being
Digital,
Vintage Books, New York, N.Y., January 1996, p.22
10. Nicholas NEGROPONTE,
Op. Cit., at p. 27.
11. The term
“ASCII” stands
for American Standard Code for Information Interchange. The ASCII
standard
is a table defining, in binary form, 128 standard characters comprising
the alphabet, punctuation, the number set and certain control
characters
such as carriage returns, line-feeds and the like.
12. In this context,
“IP”
stands for Internet Protocol, not intellectual property.
13. Ron Rivest, Adi Shamir
and Len Adleman. They put the “RSA” in RSA Data
Security Inc.
See http://www.rsa.com.
14. By large-scale data
authentication the author means that the infrastructure necessary to
permit
it would be ubiquitous, on a national, international and even global
scale.
In other words, all publishers and authors of legal information would
have
the choice of digitally signing their published data if they wished to
do so, and that all readers would be able to verify the digital
signatures
related to the data they receive, if they chose to do so.
15. For the reader who
wishes
to acquire a deeper knowledge of the working of public key
infrastructures
the author suggests the following materials: Michael FROOMKIN, The
essential role of trusted third parties in electronic commerce 75
Oregon
L. Rev. 49 (1996) available online at http://www.law.miami.edu/~froomkin/articles/trusted.htm;
C. Bradford BIDDLE, Misplaced Priorities: The Utah Digital
Signature
Act and Liability Allocation in a Public Key Infrastructure, 33 San
Diego L. Rev., available in an earlier version at http://www.SoftwareIndustry.org/issues/1digsig.html;
Andrew FERNANDES and David MASSE, Economic Modelling and Risk
Management
in Public Key Infrastructures, text of a conference given by the
author
at the RSA Data Security Conference on January 31, 1997 in San
Francisco,
formerly available online at http://chait-amyot.ca/docs/pki.html and
currently
at http://www.masse.org
and
at
http://www.cryptonym.com
16. http://www.netscape.com
17. http://www.microsoft.com/security/
18. http://www.eudora.com
19. http://www.pegasus.usa.com/
20. http://www.pgp.com
21. http://www.entrust.com/
22. http://www.rsa.com
23. http://www.ibm.com/Security/
24. http://www.netscape.com/assist/security/index.html
25. http://www.microsoft.com/security/
26. Information Week, E-commerce
gets real, December 9, 1996.
27. http://www.bbn.com
28. http://www.certco.com/
29. http://www.civiclink.com/
30. http://www.cybertrust.com
31. http://www.cybertrust.gte.com/products/
32. http://www.internet.ibm.com/commercepoint/
33. http://www.netdox.com/
34. http://www.openmarket.com
35. http://www.terisa.com
36. http://www.verisign.com
and in particular http://www.verisign.com/smime/nsemail.html
37. [November 2000: At the
time of writing, the Bell Emergis OnWatch service was described at
http://www.public-key.com/index.html.
The service is now provided by BCE Emergis Inc. (http://www.emergis.com)]
38. http://www.xcert.com/
39. http://www.xcert.com/software/sentry/ca/index.html
40. http://www.cost.se
41. http://eurosign.com/
42. http://www.r3.ch/
43. David MASSE, La
preuve
des inscriptions informatisées, in Congrès du
Barreau
du Québec (1997), Quebec Bar Association continuing legal
education
service, 1997, pp. 438, ff. Also available online at http://www.masse.org/cic97bar.htm,
at paragraphs 45 and following.
44. Pierre TRUDEL, Guy
LEFEBVRE,
Serge PARISIEN La preuve et la signature dans l'échange de
documents
informatisés au Québec, Les Publications du
Québec,
Québec, 1993, p. 64.
45. Jean-Claude ROYER, La
preuve civile, 2ième édition, Les Éditions
Yvon
Blais, no 332, à la p. 188; citing Borris v. Sun
Life
Assurance Co. of Canada [1944] B.R. 537; Bédard v. Gauthier
(1941) 79 C.S. 288; Brousseau v. Rochon (1916) 22 R.L.
n.s.
458; Toupin v. Vézina (1900) 9 B.R. 406; Giguère
v. Brault (1894) 6 C.S. 53; A. NADEAU and L. DUCHARME, La
preuve
en matières civiles et commerciales, in Traité de
droit civil du Québec, t. IX, Montréal, Wilson &
Lafleur, 1965, no 131; P.B. MIGNAULT, L'autorité judiciaire,
6 R.L. n.s. 145.
46. David MASSE, Op. cit.,
La
preuve des inscriptions informatisées, p. 482; http://www.masse.org/cic97bar.htm,
at paragraphs 198 and following.
47. The English Statute
of Frauds. See David MASSE, Op. cit., La preuve des
inscriptions
informatisées, note 12 on p. 438; http://www.masse.org/cic97bar.htm,
at paragraph 45, note 13.
48. See David MASSE, Op.
cit., La preuve des inscriptions informatisées on pp. 452 and
following;
http://www.masse.org/cic97bar.htm#p95,
at paragraphs 95 and following.
49. See Pierre TRUDEL, Guy
LEFEBVRE, Serge PARISIEN, Op. Cit., pages 65 and following.
50. Pierre TRUDEL, Guy
LEFEBVRE,
Serge PARISIEN, Op. Cit., pages 65 and following.
51. Jean-Claude ROYER, Op.
cit., no 332, at p. 188.
52. Article 1235 C.c.B.C.
53. Article 2828 C.c.Q.
54. David MASSE, Le
cadre
juridique en droit civil québécois des transactions sur
l'inforoute,
(1997) 42 McGill L.J. 403. Also available in a previous edition at http://www.masse.org/aqd95.htm.
55. Jean-Claude ROYER,
Op.cit.,
p. 231.
56. Article 2839 C.c.Q.
57. Article 2863 C.c.Q.
58. Jean-Claude ROYER, Op.
cit., no 409, p. 229 to the effect that article 2863 C.c.Q. does not
apply
in the case of the digital record and the same author at nos 1511 and
following,
pp. 919 and following on the admissibility of evidence contradicting
the
terms of a valid written instrument.
59. See David MASSE, Op.
Cit., La preuve des inscriptions informatisées, at
paragraph
105.
60. Ibid., at paragraphs
147 and following: http://www.masse.org/cic97bar.htm#p147
61. See the ULCC web site
at http://www.law.ualberta.ca/alri/ulc.
A recent status report from the working group on electronic commerce
may
be found at http://www.law.ualberta.ca/alri/ulc/current/eee98il.htm.
62. Drafting committee
working
on the Electronic Transactions Act. See the NCCUSL web site at http://www.nccusl.org/
and the work of the drafting committee at http://www.webcom.com/legaled/ETAForum/.
63. See for instance the
description of the role of the cybernotary given by the CyberNotary
Committee of the American Bar Association’s Section of
Science and
Technology which is available at http://www.abanet.org/scitech/ec/cn/cybernote.html
64. The Digital
Signature
Guidelines are available online, without charge, from the American
Bar Association’s Section of Science and Technology at http://www.abanet.org/scitech/ec/isc/dsg-toc.html.
65. Information Security
Committee of the Section of Science and Technology of the
American
Bar Association, Digital Signature Guidelines, p. 30.
66. Utah Digital
Signature
Act, Utah Code Annotated Title 46, Chapter 3 (1996), available
online
at http://www.commerce.state.ut.us/web/commerce/digsig/act.htm.
67. See C. Bradford
BIDDLE,
Op. cit. as well as Andrew FERNANDES and David MASSE, Economic
Modelling
and Risk Management in Public Key Infrastructures, Op. Cit. in
relation
to the legal liability of participants in a public key infrastructure.
The Utah Digital Signature Act, Utah Code Annotated Title 46,
Chapter
3 (1996), is a good example of a classic digital signature
statute.
See the discussion above on the legal presumptions which flow from the
Utah act.
68. Verisign Inc., Certification
Practice Statement, available at http://www.verisign.com/repository/CPS/intro.html.
69. Consider for instance
the considerable reluctance shown by Quebec courts to find that
consumers
were bound by the terms of notices printed on parking stubs or on
notice
boards.
70. For an example of an
out-of-band verification process, see the requirements for a Verisign
Class
3 public key certificate at http://www.verisign.com/.
71. For the simple reason
that the certification practice statement describes the verification
and
due diligence process carried out by the certification authority in
establishing
the link between the subscriber and his or her public key.
72. http://www.law.ualberta.ca/alri/ulc/current/eee98il.htm
73. Juan Andres AVELLAN,
John
Hancock in Borderless Cyberspace: The Cross-Jurisdictional Validity of
Electronic Signatures and Certificates in Recent Legislative Texts,
38 Jurimetrics J. 301 (1998).
74. On the lighter side,
one can’t help wondering in a cynical and whimsical way whether
the present
entanglement of the law with digital communications is due to the
coining
of the term “digital signature”. The very expression is
almost tailor-made
to attract lawyers to information technology like bears to honey.
Although one can’t blame the technologists for coining the
term.
After all, the word signature does have a fairly wide range of meanings
and is quite appropriate in a technological setting. For instance
nuclear explosions leave measurable traces observable as infrared or
chemical
signatures. On second thought, if lawyers had to be enticed to
meddle
with technology by the coining of a term, information technology most
surely
turns out to be a better place for their intrusion than nuclear physics.
75. For a description of
digital watermarking, see David MASSE, The
ABC's Of Authentication - A Is For Atom, B Is For Bit And C Is For Care,
Op. Cit. at paragraphs 76 and following.
76. Personal
identification
number.