UNCITRAL Uniform Rules on Electronic Signatures
Consultation Paper

The Government of Canada wants to know what you think of proposed new rules on electronic signatures being developed by the United Nations Commission on International Trade Law (UNCITRAL).

Why do we need rules on Electronic Signatures?

One of the hardest questions about electronic documents is to know where they have come from. That question is often answered for paper documents by a signature that identifies its source. The UNCITRAL Model Law on Electronic Commerce, completed in 1996, provides that a legal requirement for a person's signature is met (a) if the person uses a method that identifies that person and indicates his or her approval of the electronic text, and (b) if the method is as reliable as was appropriate for the purposes for which it is used, having regard to all the circumstances, including the existence of any agreement.

This is a very useful provision for two reasons: first, it is flexible, allowing for a range of technology depending on the uses to which the message is being put; and, second, it acknowledges that parties to signed documents will often be able to agree on what technology can be used to indicate identity. States in the process of removing legal barriers to electronic commerce have found the Model Law useful.

However, legal rules designed to accommodate flexibility may be difficult to interpret with certainty. How does one know, when using a particular method to sign an electronic document, whether that method is appropriately reliable?

In its current electronic signatures project, UNCITRAL is attempting to extend the value of the Model Law by preparing rules that provide more certainty when particularly reliable technology is used for signing. The starting point has been digital signatures (those created with public key cryptography) since it is the best known of the possible high-tech methods at this time.

This approach has the added appeal (beyond removing statutory barriers) of helping to address specific concerns raised by a particular technology and provide certainty when using that technology. How far the new rules could be extended to technologies of similar capabilities is an open question at the Working Group. The desirability of doing so is generally admitted.

 WP.82 and September Meeting of UNCITRAL Working Group on Electronic Commerce

Last February, the UNCITRAL Working Group on Electronic Commerce held a meeting to develop uniform rules on electronic signatures. A report by the Canadian Delegation dated July 1999, providing background on this work and on this meeting in particular, can be found at http://canada.justice.gc.ca/Commerce/index_en.html under the heading "Consultation Papers and Reports".

The Working Group proposes to develop rules or provisions in three principal areas:

1. The interpretation and application of Articles 7 (signature) and 13 (attribution of a data message) of the Model Law when dealing with electronically signed messages, particularly when using digital signature technology.
2. Standards of conduct of certification authorities (identification certifiers) and the content of certificates in connection with the use of and reliance on data messages signed using digital signature technology, as well as the conduct of parties who use digital signature technology to sign data messages and of those who rely on signed data messages.
3. A legal foundation for cross-border recognition of certificates and digitally signed documents.

This September, the Working Group will review the latest draft Uniform Rules on Electronic Signatures, found in Working Paper WP.82, which can be found at http://www.uncitral.org/uncitral/en/commission/working_groups/4Electronic_Commerce.html under Preparatory Documents and Working Group on Electronic Commerce. A brief summary of WP.82 now follows; however, please refer to WP.82 to read the specific language and rationale of the articles:

Summary of Draft Uniform Rules on
Electronic Signatures (WP.82)

Legal Effect of using Electronic Signature Technology

Article 1

These Rules apply only in the context of commercial relationships and do not override any consumer protection laws.

Article 2

Definitions:

1. An "electronic signature" is data which identifies the signature holder in relation to the message and indicates approval of the message.
2. An "enhanced electronic signature" imposes more specific reliability requirements on its creation and use than an "electronic signature".
3. A "certificate" is issued by the information certifier (certification authority) and identifies the person who holds the signature device.
4. The "data message" is the information generated, sent, received or stored.
5. A "signature holder" is the person for whom an enhanced electronic signature has been created and affixed to a data message.
6. An "information certifier" provides the identification services used to support electronic signatures.

Article 3

The Rules are not meant to alter the legal effect of methods of signature which satisfy the requirements of Article 7 of the UNCITRAL Model Law on Electronic Commerce.

Article 4

The Rules should be interpreted with regard to three considerations: first, their international origin; second, the need to promote conformity in their application; and third, the observance of good faith in electronic commerce.

Article 5

Parties can agree to derogate from the rules provided that the variations do not have adverse effects on the rights of third parties.

Article 6

A data message that uses an enhanced electronic signature is presumed to be signed.

Article 7

Where an enhanced electronic signature is used in relation to a data message, or a method is used which provides a reliable assurance as to the integrity of the information from the time when it was first generated in its final form, then it is presumed that the data message is an original (that it, the integrity of the data message has been maintained).

Article 8

An authority of the State may designate the use of a specific technology to sign a data message and may specify its legal effects, including the fact that it has been signed, who is presumed to have signed it, and the fact that the data message has maintained its integrity.

 Obligations of the users of the technology

Article 9

The signature holder must exercise due diligence in the representations made that are relevant to the issuance of a certificate. The signature holder is also responsible for notifying the appropriate persons if its signature had, or might have been, compromised. The signature holder is responsible for retaining control of the signature device and for avoiding unauthorized use of the signature. With respect to joint holders, the duties are joint and several. Signature holders may be liable for failure to fulfill their duties, but that liability is limited to foreseeable losses.

Article 10

A person is only entitled to rely on an electronic signature to the extent that such reliance is reasonable. Whether reliance is reasonable depends on the nature of the transaction the signatures is intended to support. It also depends on whether steps were taken to determine the reliability of the signature, and whether the relying party know, or ought to have know, that the signature was compromised or revoked. Any agreement between the parties, trade usage, and any other relevant factors may also be considered.

Article 11

A person is only entitled to rely on a certificate to the extent that such reliance is reasonable. Whether reliance is reasonable depends on the restrictions placed on the certificate. It also depends on whether the relying party took appropriate steps to determine the reliability of the certificate, such as verifying a certificate revocation list. Any agreement between the parties, trade usage, and any other relevant factors may also be considered

Article 12

An information certifier must take reasonable steps to ascertain the accuracy of the information or facts certified in a certificate. "Accessible" means that information must be provided by which the relying party may ascertain the following: (1) the identity of the information certifier, (2) that the person named in the certificate is the holder of the signature referred to in the certificate, (3) that the keys are a functioning pair, (4) the method used to identify the signature holder, (5) limitations on the purposes or values for which the signature may be used, and (6) whether the signature is valid and has not been compromised. There must be means by which notice may be given of compromised signatures and a revocation system. The information certifier must exercise due diligence in collecting information and issuing, suspending or revoking certificates. Systems, procedures and human resources used must be trustworthy.

Cross-border recognition

Article 13

A certificate is deemed to be legally effective regardless of where it was issued and the State where the issuer had its place of business. Certificates issued by a foreign information certifier are recognized as legal equivalent to those issued by a domestic information certifier if the practices provide a level of reliability equivalent to that provided domestically. Recognition of equivalence may be published through bilateral or multilateral agreements. Factors to be considered in determining equivalence include: financial and human resources; trustworthiness of hardware and software; procedures for processing of certificates and retention of records; availability of information subjects identified in certificates and to potential relying parties; auditing by an independent body; confirmation by the state, accreditation body or certification authority of qualifications of information certifier; availability of recourse to the courts; and the potential for discrepancy between the law applicable to certification authority and the law of the enacting State.

Questions

1. Do you agree that uniform rules would be useful in the three areas mentioned above?
2. Do you think it would appropriate to include in the Rules a provision (like Article 8) that acknowledges the right of a state to designate a particular technology for the purposes of signature and to allocate particular legal effects to its use (such as meeting a signature requirement, or showing attribution of a data message or its integrity).

   A number of provisions in the Uniform Rules cite four criteria of technologies which are used to created enhanced electronic signatures. To qualify as a technology that results in the creation of an enhanced electronic signature, the technology must be
   
   (i) unique to the signature holder,
   (ii) capable of being used only by the signature holder to sign the data message,
   (iii) capable of being used to identify objectively the signature holder in relation to a data message, and
   (iv) capable of determining that the data message has retained its integrity.

   Electronic commerce legislation introduced recently by a number of states (Canada, Singapore, Illinois, California, the EU, and others) have given special legal effect to electronic signatures that meet these four criteria. Are these four criteria appropriate and sufficient for the purposes of giving specific legal effect to signed documents?

3. Are there particular duties or obligations that you think should be included with respect to Certification Authorities, holders of signature devices and relying parties? What are the appropriate consequences for breach of these duties or obligations?

We would appreciate receiving your views on these proposed Uniform Rules and on these questions in particular. Please send your comments by September 2, 1999, to

Joan Remsu
Senior Counsel
Public Law Policy Section
Department of Justice
284 Wellington Street, Room 5215
Ottawa, Ontario
K1A 0H8

joan.remsu@justice.gc.ca

Telephone 613-946-3118
Fax 613-941-4088