Regulatory Approaches to Trust & Identity
A taxonomy of e-signature regulatory models
There are three different types of electronic signature legislation
worldwide, offering different degrees of legal certainty with respect
to security technology, and fundamental trade-offs with respect to
freedom of choice.
- Technology-neutral (aka Light Touch) laws have little or nothing to
say on the merits of particular security technologies, but instead tend
to bestow broad equivalence on documents, whether in electronic or
paper form. Technology neutrality puts the onus on users, designers and
service providers to select authentication technology on a risk-managed
basis, agreeing on what is fit for purpose. The United Nations
Commission on International Trade Law (UNCITRAL) drafted a model
Electronic Commerce law which has informed technology-neutral
legislation around the world. Some analysts bemoan a lack of legal
certainty under these types of laws, although in most jurisdictions,
contract law allows for 'scheme rules' to adequately manage e-commerce
risks. Examples include the U.S., Canada and Australia.
- Two-tier laws recognize that the intrinsic characteristics of some
authentication technologies provide for better risk management; these
laws, therefore, provide stronger legal presumptions to users of
approved technologies. UNCITRAL's Uniform Rules on Electronic
Signatures characterize 'enhanced signature' technologies in terms of
their ability to ensure integrity of content as well as identity of
origin. Today, only public key technologies qualify. Users under these
laws remain free to agree on any other authentication technology that
suits their purposes, and to manage their legal risks via contract.
Two-tier laws have been enacted by the European Commission, Japan, Hong
Kong and Singapore.
It should be noted that UNCITRAL's deliberations on the pros and cons
of enshrining 'special treatment' for enhanced signatures have been long
and hard. See also the Guide to Enactment.
- Prescriptive legislation goes so far as to deny legal rights to
electronic transactions unless they are secured using an approved
technology, typically government-licensed PKI. Further, there can be
legal sanctions against operating unlicensed certificate authorities in
these places. Critics say prescriptive legislation can stifle
innovation and restrict free trade. Examples include the U.S. state of
Utah, Malaysia, Italy, South Korea and India.
See also Survey of International Electronic and Digital Signature Initiatives
by the Internet Law and Policy Forum (quite old now but an excellent
starting point) and the excellent directory of e-commerce initiatives
at the law firm McBride Baker & Coles.