Department of Justice Canada / Ministère de la Justice Canada, Government of Canada

UNCITRAL Working Group on Electronic Commerce

Report on the meeting of February 2000

Background

In 1996 the United Nations Commission on International Trade Law (UNCITRAL) adopted the Model Law on Electronic Commerce, which offers member states of the United Nations methods to address barriers to the use of electronic communications in their commercial law. The Model Law, with a Guide to Enactment, can be found at http://www.uncitral.org/uncitral/zh/publications/publications.html .

The Model Law itself allows legal requirements for a person's signature to be satisfied by use of a method that identifies the person and indicates the person's approval of the signed text. The method must be as reliable as appropriate in all the circumstances. This is a very useful assurance that electronic documents may be signed electronically, and it leaves parties broad flexibility in the choice of technology or method. However, it gives very little guidance about which method will be considered appropriately reliable in different situations. Accordingly, the Commission tasked the Working Group on Electronic Commerce to develop rules to enhance the general rules on signature in the UNCITRAL Model Law.

When the Working Group commenced its work on electronic signatures, it was widely thought that some technologies would provide high levels of assurance of reliability. If such technologies could be described in law, then their reliability might be more easily recognized and signatures resulting from their use might be accorded legal status more readily. The focus was on digital signature technology in particular, that is, signatures created by public key cryptography and supported by certificates from a trusted third party as to the identity of the holder of the signing key. However, as market models of the use of digital signatures evolved before its eyes, as it were, the Working Group was inclined to devise rules that were technology neutral, i.e. that worked the same whatever technology was used to create the signature.

All the agendas, working papers and meeting reports from 1997 to 2000 for the meetings of the Working Group on Electronic Commerce regarding the Uniform Rules on Electronic Signatures can be found at http://www.uncitral.org/uncitral/en/commission/working_groups/4Electronic_Commerce.html.

This report describes each article provisionally adopted by the Working Group at its February 2000 meeting in New York and indicates how they are intended to operate. The articles may be revisited at the next meeting of the Working Group and by the Commission itself, so they are still some distance from being law anywhere in the world.

Draft Uniform Rules on electronic signatures

The draft Uniform Rules are organized to cover three principal objectives:

  1. To facilitate and enhance the interpretation and application of Article 7 of the Model Law dealing generally with electronic signatures and specifically with technologies or processes that are used to fulfill a requirement for a signature and that have a high degree of reliability;
  2. To establish rules for the conduct of certification authorities (identification supporters) and the content of certificates in connection with the use of and reliance on digital signatures; and
  3. To establish a legal foundation for cross-border recognition of certificates and digital signatures.

General Provisions (Scope) and Status of Certain Technologies

Although these Rules are intended to apply where electronic signatures are used in the context of commercial activities, they can also be applied to consumer transactions. However, these Rules are not intended to override any rule of law intended for the protection of consumers.

Article 6 is the heart of the Uniform Rules. A person may sign a data message effectively, i.e. meet a legal requirement that a text be signed, by using any method that meets the definition of electronic signature and that meets the reliability standard common to the Model Law and to paragraph 6(1). When combined with the definition of electronic signature, Article 6(1) restates the criteria of Model Law Article 7 for satisfying a requirement of law that a person sign a document.

Article 3 is the key to the technology neutrality of the Rules. Article 3 acknowledges that any signing method that meets those criteria will be considered as satisfying the requirement for signatures. If however the parties agree on stricter standards than needed to satisfy article 6(1), article 3 cannot be used to subvert that agreement later. The other qualification in article 3 is that a method that otherwise meets the requirements of applicable law can be given legal effect, even if it does not meet the article 6(1) test. Applicable law may well prescribe a lower standard of reliability than what a court might find necessary under article 6(1). Any method that meets that standard should have the effect that the applicable law would give it.

Members of the Working Group generally agreed that parties to transactions should be able to set their own standards for transactions affecting only themselves, subject to some limits. There has been considerable debate on those limits, however. Reference has been made to mandatory rules, or rules of public policy, or rules of ordre public, the latter being generally interpreted more narrowly than the English expression, "public policy". The current exception in Article 5 is a good deal broader than these, but leaves considerable room for party autonomy.

Paragraph 6(3) is the new provision that allows the Uniform Rules to supplement the general rule in the Model Law. The paragraph describes the characteristics of electronic signatures that are considered to be reliable under paragraph (1) and therefore to meet a legal requirement that a data message be signed.

The first criterion of paragraph 6(3) supports the identification function of the signature. The means of creating the signature has to be linked only to the purported signer. This deals with the identification of the name; the ownership of the device must be linked to the purported signer under the next sub-paragraph.

The criteria on integrity attracted ardent debate in the working group. Some people thought that a function of a signature is to ensure integrity of the signed text. Others thought that was only the effect of some electronic technology and should not have to be met by any electronic signature. The criteria adopted represent a compromise. Those who focussed only on the link between signature and text have one sub-paragraph, about detecting any alteration to the electronic signature. The integrity school of thought has another sub-paragraph. Detectability of alterations to the signed text is a criterion for a reliable and thus legally effective signature, where a purpose of the legal requirement for a signature in the first place is to provide assurance as to the integrity of the signed information. Different legal systems will take different views on this point.

Paragraph 6(4) contains two qualifications to the rule of (3). The first qualification repeats that the special route to reliability of signature in paragraph 6(3) does not prevent anyone from showing reliability in any other way. The second qualification is what is left of the debate about the character of the rule in paragraph (3). Some people thought that 6(3) should give a presumption of reliability, subject to evidence to the contrary. Others were not comfortable with presumptions, in part because they seem to be matters of civil procedure beyond the scope of the Uniform Rules. Although paragraph (3) is phrased as a legal rule, paragraph (4)(b) turns it into a kind of presumption, since it makes it subject to contrary evidence.

Article 7 allows for even more certainty about the legal effect of an electronic signature. Rather than having to prove in each case that a method of signing was as reliable as appropriate, the enacting States may set up or authorize bodies that can determine that particular signing methods satisfy article 6. Some enacting States may have this determination made by a state authority, others by private bodies.

Some concern was expressed that permitting the establishment of an officially recognized effective signature might impede the development of other technologies, because signers would want to use the safe approved method. However, the article does not limit the number of methods that may be determined to be reliable. In addition, there was advantage to having determinations of reliability done under proper testing conditions by experts, rather than by a court based on evidence that happens to be available to it in a particular case.

For the purposes of harmonization, however, it is important that the determinations be made according to recognized international standards.

Standards of conduct -- Articles 8 to 11

Article 8 begins a series on the responsibilities of the three potential parties to an electronic signature: the signer or signatory, the relying party, and the new party in the middle, the supplier of certification services. The Rules do not require that an electronic signature be created in a way that needs a trusted third party. The provisions about certificates are drafted to apply only when and if a certificate is used.

Traditionally the law has placed on the relying party the burden of showing that a signature was genuine. The Uniform Rules do not change that rule directly. However, they do spell out for the first time in this context the conduct required of all three parties and the general legal consequences of their failure to meet it. While these articles do not shift the ultimate burden of proof, the new standards of conduct may give legal remedies to other parties if a party does not live up to them.

Paragraph 8(1)(a) requires the signatory to use reasonable care to avoid unauthorized use of its signature device. What constitutes reasonable care will no doubt depend to some extent on the purported scope and reliability of the signature device and on its cost. Paragraph (1)(b) requires notice of compromise or possible compromise to be sent to any person who ... [provides] services in support of the electronic signature. The rule has been expanded in its technology neutral form so that the notice must be sent to potential relying parties. This extension may be a challenge in practice, since one's computer may in theory offer the potential to do business with anyone in the world.

Paragraph 8(1)(c) applies only where a certificate, of any level of assurance and issued at any price, supports the electronic signature. The requirements here make the signatory responsible for giving accurate information to go into the certificate and to support all other material representations relevant to the certificate.

Paragraph 8(2) says what happens to a signatory who does not meet the standard of conduct of paragraph (1). The signatory shall be liable under whatever law applies in the circumstances. This minimal rule arguably requires enacting states to impose at least some kind of liability on such signatories. The working group was unable to agree on a firmer standard than this.

Article 9's standards of conduct for suppliers of certification services are fairly straightforward but generally also flexible. The first rule is that the supplier will do what it says it will do in issuing and managing certificates. It is hard to find fault with such a standard, and the supplier controls its responsibilities by its representations.

The next three rules are all imposed subject to standards of reasonableness. This allows for certificates that offer different levels of assurance. Paragraph 9(1)(c) specifies the minimum content of a certificate. In it the supplier must enable a relying party (the beneficiary of these rules of conduct) to ascertain readily the identity of the supplier, which should not be difficult. Further, the relying party must be able to ascertain that the person identified in the certificate had control of the signature device at the time of signing.

The provisions in paragraph 9(1)(d) touch on matters that may be provided in or outside the certificate. Other possible sources of such information are web sites or certification policies and practice statements of the suppliers of certification services. One of the reasons that this list is longer than the list in (1)(c) is that certificates may be quite limited in size.

The supplier must announce any limit on the value or the type of transactions supported by its certificates, and also any limits on its own liability. It must maintain a method for the signatory to report possible compromises and to let relying parties find out the status of certificates. The final requirement is to use trustworthy systems, procedures and personnel. What may be trustworthy is discussed in draft article 10.

Article 10 has not been adopted yet, but its language was discussed at the Working Group meeting. The factors of trustworthiness speak for themselves in most cases: quality of equipment, resources, audits, transparency of procedures, compliance with applicable laws. There is no prescribed level at which the presence of or satisfaction of a particular factor gives a certificate acceptable trustworthiness. That will depend on what the relying party is going to use the certificate for, and also on a combination of the factors rather than on any one of them. It is an open list, in that other relevant factors must also be considered.

The third party to an electronic signature is the person who wishes to rely on it, called the relying party. The Uniform Rules focus on this person's reliance that the electronic signature will satisfy a legal requirement that a document be signed. The person who relies on a signature takes the risk of its validity in most legal systems. One purpose of the Uniform Rules is to reduce the risk by making the standards of conduct of other parties more predictable and by spelling out the legal effect of using certain signing techniques. The Rules do not however shift the risk itself.

This affects the formulation of article 11. The basic rule is that the relying party must act reasonably in relying on an electronic signature. However, the article does not impose civil liability on the relying party for failure to act reasonably. Rather, it says only that a relying party shall bear the legal consequences of its failure. Those consequences may include the invalidity of the signature. However, it is also possible that even if the relying party does not act reasonably, the signature may be valid, or not disputed. The Uniform Rules do not deny validity to a signature that is otherwise valid, because of the conduct of the relying party. Sometimes taking a risk will pay off, and no principle of public policy prevents this result.

Recognition of foreign signatures and certificates

An article on the recognition of foreign signatures and certificates appeared in the text before the working group but was not discussed at the February 2000 meeting. Some provision based on it is likely to be part of the final Uniform Rules. The basic elements are non-discrimination based on the country of origin of a signature or certificate, and criteria for giving similar estimates of reliability to foreign and to local certificates.

Guide to Enactment

One of the purposes of the Uniform Rules is to provide guidance to member states on acceptable rules for giving legal effect to electronic signatures. Guidance is sometimes appropriately in the form of model legislation such as the Uniform Rules. However, sometimes explanations are better given only as explanations. That is the role of the Guide to Enactment to the Model Law on Electronic Commerce. Once the text of the Uniform Rules has been completed, the Working Group will consider a draft guide.

Conclusion

The Uniform Rules, as provisionally adopted by the Working Group, represent a balance between detailed standards of conduct and allocations of liability, as contemplated in the earliest working papers, and mere guidelines for desirable or prudent conduct in electronic commerce. They are technology neutral. The legal and educational effect of the work done should make the Rules succeed in their primary purpose, to reduce barriers to international trade in the age of information.

It is anticipated the Working Group will complete the Uniform Rules and Guide to Enactment at its next session in September 2000. The Commission will meet in June and July of this year to consider the progress of the Working Group at its last meeting and to confirm the exact dates of the Working Group's next meeting. The next meeting is tentatively scheduled for September 19 to 30, 2000.

Joan Remsu, Senior Counsel, Justice Canada
Head of the Canadian Delegation
June 12, 2000


 
