Regulatory Approaches to Trust & Identity


A taxonomy of e-signature regulatory models


There are three different types of electronic signature legislation worldwide, offering different degrees of legal certainty with respect to security technology, and fundamental trade-offs with respect to freedom of choice.

  • Technology-neutral (aka Light Touch) laws have little or nothing to say on the merits of particular security technologies, but instead tend to bestow broad equivalence on documents, whether in electronic or paper form. Technology neutrality puts the onus on users, designers and service providers to select authentication technology on a risk-managed basis, agreeing on what is fit for purpose. The United Nations Commission on International Trade Law (UNCITRAL) drafted a model Electronic Commerce law which has informed technology-neutral legislation around the world. Some analysts bemoan a lack of legal certainty under these types of laws, although in most jurisdictions, contract law allows for 'scheme rules' to adequately manage e-commerce risks. Examples include the U.S., Canada and Australia.

  • Two-tier laws recognize that the intrinsic characteristics of some authentication technologies provide for better risk management; these laws, therefore, provide stronger legal presumptions to users of approved technologies. UNCITRAL's Uniform Rules on Electronic Signatures characterize 'enhanced signature' technologies in terms of their ability to ensure integrity of content as well as identity of origin. Today, only public key technologies qualify. Users under these laws remain free to agree on any other authentication technology that suits their purposes, and to manage their legal risks via contract. Two-tier laws have been enacted by the European Commission, Japan, Hong Kong and Singapore.

    It should be noted that UNCITRAL's deliberations on the pros and cons of enshrining 'special treatment' for enhanced signatures have been long and hard. See also the Guide to Enactment.

  • Prescriptive legislation goes so far as to deny legal rights to electronic transactions unless they are secured using an approved technology, typically government-licensed PKI. Further, there can be legal sanctions against operating unlicensed certificate authorities in these places. Critics say prescriptive legislation can stifle innovation and restrict free trade. Examples include the U.S. state of Utah, Malaysia, Italy, South Korea and India.

See also Survey of International Electronic and Digital Signature Initiatives by the Internet Law and Policy Forum (quite old now but an excellent starting point) and the excellent directory of e-commerce initiatives at the law firm McBride Baker & Coles.