Regulatory Approaches to Trust & Identity
A taxonomy of e-signature regulatory models
There are three different types of electronic signature legislation worldwide, offering different degrees of legal certainty with respect to security technology, and fundamental trade-offs with respect to freedom of choice.
- Technology-neutral (aka Light Touch) laws have little or nothing to say on the merits of particular security technologies, but instead tend to bestow broad equivalence on documents, whether in electronic or paper form. Technology neutrality puts the onus on users, designers and service providers to select authentication technology on a risk-managed basis, agreeing on what is fit for purpose. The United Nations Commission on International Trade Law (UNCITRAL) drafted a model Electronic Commerce law which has informed technology-neutral legislation around the world. Some analysts bemoan a lack of legal certainty under these types of laws, although in most jurisdictions, contract law allows for 'scheme rules' to adequately manage e-commerce risks. Examples include the U.S., Canada and Australia.
- Two-tier laws recognize that the intrinsic characteristics of some authentication technologies provide for better risk management; these laws, therefore, provide stronger legal presumptions to users of approved technologies. UNCITRAL's Uniform Rules on Electronic Signatures characterize 'enhanced signature' technologies in terms of their ability to ensure integrity of content as well as identity of origin. Today, only public key technologies qualify. Users under these laws remain free to agree on any other authentication technology that suits their purposes, and to manage their legal risks via contract. Two-tier laws have been enacted by the European Commission, Japan, Hong Kong and Singapore.
It should be noted that UNCITRAL's deliberations on the pros and cons of enshrining 'special treatment' for enhanced signatures have been long and hard. See also the Guide to Enactment.
- Prescriptive legislation goes so far as to deny legal rights to electronic transactions unless they are secured using an approved technology, typically government-licensed PKI. Further, there can be legal sanctions against operating unlicensed certificate authorities in these places. Critics say prescriptive legislation can stifle innovation and restrict free trade. Examples include the U.S. state of Utah, Malaysia, Italy, South Korea and India.
See also Survey of International Electronic and Digital Signature Initiatives by the Internet Law and Policy Forum (quite old now but an excellent starting point) and the excellent directory of e-commerce initiatives at the law firm McBride Baker & Coles.