Digital signatures and global e-commerce: Part I – U.S. initiatives

Stephens, David O

In December 1999, two paper-dependent Maryland businesses – a law firm and an office equipment company – executed the first lease agreement made official with a digitally signed “electronic original.” Using a digital certificate system supported by public key infrastructure (PKI) technology, the law firm created the lease electronically, signed it with an electronic pen and pad, and sent it securely via the Internet to the office equipment company. There it was signed electronically again and stored in a repository as an “electronic original” document. Once stored, the digital document was protected from undetected change, although interested parties could view or print it.

In one sense, the Maryland e-contract seems paradoxical since its purpose was to lease eight office copy machines to create paper documents. Moreover, the parties also had to sign a paper lease agreement since Maryland state law did not recognize digital signatures as legally binding (though new legislation is pending). On the other hand, the ability to execute legally binding business transactions without paper or physical signatures is a milestone in the development of e-commerce. The event is an example of major new initiatives – both legal and technological – occurring in the United States concerning digital signatures in a broader e-commerce business environment.

Historically, commercial transactions have taken place by phone, fax, wire, and mail, with paper documents the end product of the transactions’ official consummation. But when parties to business transactions migrate from paper to electronic recordkeeping, many questions surface.

For example, when basic e-mail is the primary means of communication and document transfer among parties to the transaction, it is difficult to know which document version is the latest or what revisions have been approved. Moreover, in Web transactions, customers visit a particular site, read a contract for purchasing goods or services, then click the “I agree” button. In HTML format, that indication of agreement goes to a database but with no record of the question’s text. Thus, at a later time, it becomes very difficult to prove exactly what was agreed upon. Businesses need to address these new issues as they migrate their contractual agreements and transactions from paper to electronic formats.

There is no question that e-commerce is the wave of the future. Consider that the U.S. government reportedly consummates at least 75 percent of its transactions electronically. Moreover, the federal government has made it mandatory that all agencies make their public documents available electronically and enable the use of digital signatures by October 2003. The private sector, which is moving very aggressively to embrace e-commerce, reports similar figures.

E-commerce is among the most significant paradigm shifts in the history of commercial enterprises. Its benefits include opportunities to define and dominate new markets globally as well as nationally, to lower transaction costs, to improve productivity, and to gain greater market share. Today, businesses are reinventing themselves around e-commerce. For example, General Motors, the world’s largest manufacturing company, aspires to be “the world’s largest e-commerce company” by integrating information delivery into Web-connected cars and the many other aspects of its global businesses. Similar business initiatives abound throughout the world.

Digital Signatures

Digital signatures, a key component of e-commerce, are not new; they can exist in many different forms, including automated teller machines and other computer systems that rely on personal identification numbers (PINs) as a means of authenticating business transactions – technologies that are several decades old. A digital signature could comprise a smart card, a thumbprint, a retinal scan, a voice recognition test, or all of the above, depending on the transaction’s nature and the security requirements surrounding it. A digital signature uses specially encrypted codes in electronic messages that allow the recipient to verify the sender’s identity, thereby establishing trustworthiness in commercial transactions.

Digital signatures link a person’s identity to a specially encrypted “private key” issued to only one bearer. The private key is used to electronically sign a communication, which another party can open with a “public key.” A certificate authority maintains the public key and also issues and verifies the digital certificates that validate the identity of each person in the e-commerce transaction. Several software vendors, large and small, supply the core technologies, which are frequently proprietary. It is very difficult to certify digital signatures in a PKI environment where a mix of vendor products and certificate authorities is involved. Each vendor, for instance, has its own certificate issuance validation and revocation protocols.

The U.S. E-Sign Act

In July 1996, the United Nations Commission on International Trade Law adopted a “Model Law on Electronic Commerce.” In retrospect, it was a forward-looking piece of lawmaking, given that the Internet – the principal vehicle for global e-commerce – was just beginning to mushroom throughout international business. In reviewing this law in the April 1997 Records Management Quarterly (the predecessor of The Information Management Journal), this author predicted that it would spawn similar legislative initiatives throughout the world – and it has. During the last few years, many nations have enacted new digital signature/e-commerce laws, including the United States.

On June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act – the “E-Sign Act.” The measure grants electronic signatures the same legal status as those written in ink on paper, making it easier, faster, and less expensive to conduct business online. Moreover, the law promotes both domestic and international e-commerce by clarifying the legal significance of commercial transactions in electronic form.

The E-Sign Act became effective on October 1, 2000. For his part, President Clinton hailed the new law in the most glowing terms: “Soon, vast warehouses of paper will be replaced by servers the size of VCRs,” he said. This may or may not reflect what the law will actually mean for businesses during the next few years. To aid in discussion, it is important to understand the E-Sign Act’s main features:

* The law’s design removes impediments to businesses developing e-commerce initiatives found in existing U.S. statutes. Where existing laws require original records or documents bearing authenticated signatures to support business transactions, the new law creates a legal environment to overcome these requirements. The law’s ultimate intent, of course, is to enhance U.S. competitiveness through the widespread use of new technologies.

* The law provides businesses the option of accepting digital signatures and choosing what kind they will be (e.g., digital certificates, dual key encryption, passwords, or other types).

* More specifically, the law states that an electronic signature is whatever two entities agree it is. An e-signature can simply be a typed name that individuals attach to an e-mail message or anything up the ladder of technology sophistication, so long as the parties to the transaction agree. The law states that an e-signature may be “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

* Finally, the law marks a major effort to harmonize existing state laws on digital signatures. Currently, a total of 45 states have laws that recognize some form of digital or electronic signatures, and the remainder have legislation pending. One of the biggest problems in implementing global e-commerce solutions is the plethora of existing laws and regulations relating to commercial transactions throughout the world. The E-Sign Act will go a long way towards harmonizing the legal environment for e-commerce in the United States.

Conversely, the E-Sign Act does not:

* define what constitutes a legitimate, safe, secure digital signature – matters that will be addressed in future regulations. In fact, the E-Sign law gives regulatory agencies the authority to develop specific criteria for the accuracy, integrity, and accessibility of electronic records.

* grant any special status to electronic records per se; it merely removes the impediments in existing law to conducting business electronically. In this sense, the law may be characterized as media neutral. E-records will be subject to the same legal scrutiny as physical ones.

* prescribe any specific technology; rather, the law is technology-neutral. While neutrality is legally appropriate, it places the burden on businesses to determine the best technologies and practices to support their own e-commerce initiatives.

* provide broad authority or mandate for businesses to convert records from paper to electronic format. The law implicitly recognizes that paper records will be a medium for business recordkeeping for some time to come. In fact, in business-to-business (B2B) e-commerce environments, many firms lack the technology infrastructure to implement e-commerce solutions.

In business-to-consumer (B2C) e-commerce environments, the E-Sign Act recognizes that many households lack personal computers with access to the Internet. Thus, the law contains various provisions to protect consumers. For example, the law expressly requires the consumer’s consent prior to consummation of electronic transactions effectuated by means of digital signatures.

Some commentators take exception to President Clinton’s optimistic statements concerning the new law’s virtues. Benjamin Wright, a Dallas-based attorney and editor of The Law of Electronic Commerce, states, “What Congress did was much more symbolic than substantive. The law has not changed, because the law has always said that a signature is a symbol adopted with someone’s intent to comply. It could be an X, a thumbprint, or even your company letterhead. The legal issue has always hinged on what you intend.”

For a document to be found legally binding in court, an appropriate party must be able to authenticate that it was in fact signed by the person who claims to have signed it. Moreover, it must be demonstrated that the document is “trustworthy” – that it has not been altered in pursuit of some malicious purpose. These principles have long existed in both paper and computerized recordkeeping environments, and they remain embodied in the E-Sign law.

Public Key Infrastructure Technology

The term “public key infrastructure technology” refers to software functionality that provides for the authentication and security of electronic commercial transactions. Although many smaller software companies provide PKI functionality in proprietary products, Microsoft has incorporated it in the Windows 2000 operating system. Since more than half of business desktops are expected to run Windows 2000 by 2003, the technology infrastructure for e-commerce will be much more pervasive than it is now.

The three major components of PKI functionality are:

1. A registration authority – This functionality validates e-signatures and other essential components of transactions and instructs the certificate authority to create a digital certificate.

2. A certificate authority – This functionality creates a certificate and a public encryption key that travels with the e-documents from sender to recipient. The recipient uses the certificate and encryption key to ensure that the signer actually sent the documents and that they have not been improperly altered. This provides a documented chain of custody to verify the integrity of the documents and the e-signatures on them. Digital signatures should be unique for every document and should be electronically “sealed” so they cannot be altered without detection, even by the originator.

3. A digital repository – This capability, usually a directory or database, stores digital certificates, certificate users, and revocation lists.
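The sign-and-verify flow described under Digital Signatures, together with the certificate directory and revocation list that make up the repository, can be modelled in a few lines. The following Go program is an added example, not code from the article or from any product it mentions; it uses Ed25519 from Go's standard library in place of a vendor PKI product, and the certificate id “lessor-001”, the in-memory maps and the lease text are constructed stand-ins for a real certificate authority and repository.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedRecord stands in for the "electronic original": document bytes, the signer's certificate id, signature.
type SignedRecord struct {
	Document []byte
	CertID   string
	Sig      []byte
}

// Sign binds the private-key holder to the exact bytes of one document.
func Sign(priv ed25519.PrivateKey, certID string, doc []byte) SignedRecord {
	return SignedRecord{Document: doc, CertID: certID, Sig: ed25519.Sign(priv, doc)}
}

// Verify runs the recipient's checks: certificate on file, not revoked, and bytes unchanged since signing.
func Verify(certs map[string]ed25519.PublicKey, revoked map[string]bool, rec SignedRecord) error {
	pub, ok := certs[rec.CertID]
	if !ok {
		return errors.New("no certificate on file for " + rec.CertID)
	}
	if revoked[rec.CertID] {
		return errors.New("certificate revoked: " + rec.CertID)
	}
	if !ed25519.Verify(pub, rec.Document, rec.Sig) {
		return errors.New("signature does not match document: altered or forged")
	}
	return nil
}

// Scenario signs a constructed lease and returns the results for the intact record, an altered copy, and after revocation.
func Scenario() (intact, altered, revoked error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	certs := map[string]ed25519.PublicKey{"lessor-001": pub} // hypothetical certificate id -> public key
	revList := map[string]bool{}                              // the repository's revocation list
	rec := Sign(priv, "lessor-001", []byte("Lease: eight office copy machines, 36 months"))
	intact = Verify(certs, revList, rec)
	tampered := rec // viewing or copying is fine; editing the content is detected
	tampered.Document = []byte("Lease: nine office copy machines, 36 months")
	altered = Verify(certs, revList, tampered)
	revList["lessor-001"] = true // the certificate authority revokes the signer's certificate
	revoked = Verify(certs, revList, rec)
	return
}

func main() {
	intact, altered, revoked := Scenario()
	fmt.Println("intact:", intact, "\naltered:", altered, "\nrevoked:", revoked)
}
```

Because the signature covers the document bytes, the same check that rejects a forged signature also detects a one-word change in the lease, which is the “sealed” property the certificate authority component is meant to provide.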

All companies using digital signatures and other e-commerce measures need to decide how secure their transactions must be. Most observers say that a signature text block on an e-mail message will suffice for only the simplest transactions. For large businesses, it is generally agreed that digital certificates used with e-signatures will provide the appropriate security protection, particularly for major transactions. Moreover, when it comes to big transactions, there has always been a signed paper document to make it official, even for deals that originate online. The key point, however, is that businesses must decide how to secure e-commerce transactions, as well as how to retool their computer applications to accept and store them.

Finally, PKI functionality must be supported by interoperability among the many disparate computing environments currently installed in multinational businesses throughout the world. The lack of common standards among competing PKI technologies and validation processes could retard the deployment of e-commerce applications among multinational companies.

E-commerce and Records Retention

The E-Sign Act contains provisions that directly address the issue of retaining electronic records in e-commerce environments, an issue of high interest to RIM professionals. The act states that “any requirement to retain a contract or record is met by retaining an electronic record of the information in the contract or record.” The law provides three key tests for the legal acceptability of electronic records as a retention medium in e-commerce transactions:

1. The record must accurately reflect the information contained in the original contract or transaction.

2. The record must remain accessible to those entitled by law to access it, for the period required by law.

3. The record must be capable of being accurately reproduced, whether by printing or otherwise.

If these criteria are not satisfied, the electronic record’s legal validity may be denied.

For information management professionals, the central issue is whether the organization’s e-commerce applications – and the electronic records that comprise them – can demonstrably comply with these requirements. It is also important that any computer data supporting e-commerce applications be retained or destroyed under authority of an officially sanctioned records retention program. All e-commerce data should be scheduled for retention based on periods that meet business needs and comply with the law. Such retention periods should be implemented by integrating data purge functionality consistent with approved retention periods into the software environment supporting the applications. Information professionals should work with data owners and information technology specialists to ensure that such purge functionality has been properly incorporated into e-commerce applications. Data purge functionality would generally need to be applied at the repository level for various categories of business processes, customer groups, and specific types of transactions.

Global E-commerce Initiatives

Many things need to be in place before international businesses can fully exploit the tremendous opportunities presented by e-commerce. Multinational companies need a global commercial code that addresses the many complicated issues raised by e-commerce, including, among others, customs duties, taxation matters, exchange rates, and product inspection requirements. The global initiatives related to these matters and their relevance for RIM professionals in multinational companies will be examined in subsequent columns.

REFERENCES

Briody, Dan. “Digital Signatures Create Market Potential.” InfoWorld, 24 July 2000.

Hulme, George V. “E-Signatures: Ties That Bind.” Informationweek, 3 July 2000.

Jones, Jennifer and Margaret Johnston. “Digital Signature Bill Enables E-commerce.” InfoWorld, 19 June 2000.

King, Julia and Lee Copeland. “GM Retools for E-Commerce That Goes Well Beyond Cars.” Computerworld, 17 April 2000.

Montana, John C. “Developments in the Law of Electronic Commerce.” The Information Management Journal, January 2000.

Stephens, David O. “Electronic Recordkeeping Provisions in International Laws.” Records Management Quarterly, April 1997.

Wilde, Candee. “Legally Binding E-Documents Move Closer to Reality.” Informationweek, 6 March 2000.

Williams, Robert and Randolph Kahn. “The E-Sign Act.” KMWorld, September 2000.

DAVID O. STEPHENS, CRM, FAI

David Stephens, CRM, CMC, FAI, is vice president for the records management consulting firm of Zasio Enterprises Inc. He has been a consultant in the field of records management for more than 18 years and has published books and articles about information management in the United States and abroad. The author may be reached at dostephens@zasio.com.

Copyright Association of Records Managers and Administrators Inc. Jan 2001
