October 10, 2000
John D Gregory
General Counsel
Ministry of the Attorney General (Ontario)
[NOTE: This memorandum was prepared as a personal recollection only. It is NOT the view of any government, or of the Canadian delegation to the UNCITRAL Working Group on Electronic Commerce.]
_______________________________________________________________
The Working Group on Electronic Signatures of the United Nations Commission on International Trade Law (UNCITRAL) met in Vienna from September 18th through 29th. At the end of the meeting it adopted a Model Law on Electronic Signatures (MLES). This memo sets out the highlights of the Model Law and the discussions leading to it.
In 1996 UNCITRAL adopted the Model Law on Electronic Commerce (MLEC), which removes legal barriers to the use of electronic communications and provides “functional equivalents” to the use of paper documents for legal purposes. The MLEC is the basis for Canada’s Uniform Electronic Commerce Act and thus of Ontario’s Electronic Commerce Act 2000, currently Bill 88.
The MLEC provides (in Article 7) that where the law requires a person to sign a document, that requirement is met if a method is used to identify the person and indicate his or her approval of the document, and if that method is as reliable as appropriate in the circumstances. This is a very helpful rule in ensuring that electronic signatures can be used with legal effect. It is however very general. People signing documents electronically will want assurance at the time of signing that the method they are using is in law appropriately reliable for their circumstances, so that the signed document will be legally effective. Without case law on the subject, reliability and thus effectiveness was a matter of opinion, debate and uncertainty.
As a result, UNCITRAL asked the Working Group to develop further rules on electronic signatures, to help provide more certainty at the time of signature about the legal effect. The Working Group began its work in this topic in February 1997 and finished at the most recent meeting in September 2000. (The Model Law on Electronic Signatures has still to be approved by the Commission itself, meeting next June in Vienna. It is possible that the Commission will make minor changes to the text.)
The MLES has three main parts: on criteria for reliable electronic signatures; on duties of the three potential functions involved in an electronic signature (signatory, certification service provider, and relying party); and on the recognition of foreign electronic signatures and certificates supporting them. These are set in a framework of rules about the operation of other laws and the rights of the parties to make arrangements that would not follow the Model Law. In addition, UNCITRAL will adopt a Guide to Enactment that explains the history, structure and operation of the MLES and recommends ways for member states of the United Nations to incorporate it into their legal systems. The MLEC has a similar Guide, which is a mine of useful information. (A draft of the MLES Guide has been prepared by the Secretariat but not reviewed by the Working Group. A small part of the next meeting of the Working Group in New York in February-March 2001 will be spent finishing off the Guide for presentation to the Commission).
The MLES, like the MLEC, applies to commercial transactions only (Article 1). A footnote makes clear that “commercial” is to be given a broad meaning, to cover matters like the supply of goods and services, factoring and agency relationships, construction of works and engineering, licensing, investment and finance, and the carriage of goods. The nature of the parties is irrelevant: public authorities and not-for-profit organizations may be involved in such transactions. While broad, the scope provision implies important limits. It would keep the rules of the Model Law from applying, for example, to uses of electronic signatures that were strictly internal to a corporation, and to many of their uses by public authorities. (If an enacting state chose to make its domestic law apply to more transactions than commercial ones – as Canada has done in the Uniform Electronic Commerce Act – then these cases would not necessarily be excluded.)
The MLES applies to a broader range of electronic signatures than does the MLEC. The MLEC applies only where the law requires a person to sign something. Signatures that have legal effect, e.g. by supporting contracts, but are not required by law, are not covered. The MLES has rules about the duties of parties to electronic signatures and about their recognition that apply whether the signatures are required by law or not.
There are two limits, however. First, the duties of signatories and certification service providers arise only where the electronic signature can have a legal effect. This is noted in the discussion of Articles 8 and 9 below. Second, the rules generally apply in a way that is commensurate with what the parties undertake. One size does not fit all (but some rules are mandatory nonetheless). See the discussions under Articles 5, 8 and 9, and 12 below.
Article 3 ensures that the MLES does not prevent parties from establishing the reliability of electronic signatures by any means they choose. It recognizes that some legal rules may impose less demanding standards than others for signing electronically. It also preserves the rights of parties to choose and enforce between them standards higher than those that the general law might find “appropriate to the circumstances”.
Article 4 repeats a provision of the MLEC, that the rules fit into general principles of international commerce and good faith. Any gaps should be filled by reference to those principles. The Guide to Enactment to the MLEC (in para 43) sets out some of the likely content of those principles: to facilitate electronic commerce among and within nations; to validate transactions entered into electronically; to promote the implementation of new technologies; to promote the uniformity of law, and to support commercial practice.
Article 5 allows parties to any transaction to derogate from any of the rules in the MLES, except those that are a matter of mandatory rules of applicable law. This is what the Working Group called the “party autonomy” principle.
Article 5 represents a refinement of the operation of the MLEC. There, parties were not allowed to opt out of the Part of the Model Law that described the functional equivalents to paper documents, including the provision on electronic signatures mentioned earlier. However, if other law provided flexibility of form, that flexibility was continued in the MLEC. Further, Article 7 of the MLEC made relevant to determining the appropriate reliability of an electronic signature whether the parties to the transaction had any agreement about the method. Article 5 of the MLES essentially specifies that the only limits to opting out of the rules about electronic signatures are the mandatory rules of the law applicable to the transaction. The MLEC left open the possibility that other reasons for inappropriateness could be found to invalidate a method of electronic signature, even in the face of an agreement of the parties to use that method.
Reliability of Electronic Signatures
Article 6 is the keystone to establishing the reliability of electronic signatures for legal purposes. Paragraphs (1) and (2) restate the MLEC: the method of signature should be as reliable as appropriate in the circumstances. (In the MLES, one also has to refer to the definition of « electronic signature » to find all parts of the MLEC’s provision.) Paragraph (3) sets out criteria for making that determination. If a signature shows the listed criteria, then it is to be treated as equivalent to a handwritten signature, i.e. it will meet a legal requirement that a document be signed. The criteria are these:
(a) « the signature creation data are, within the context in which they are used, linked to the signatory and to no other person »
Since an electronic signature is data in electronic form (definitions are in Article 2 and were discussed at length by the Working Group), whatever one uses to sign will be data. The Model Law borrows from the European Union the term « signature creation data » to refer to this; such data could include private cryptographic keys, PINs, and biometric information used to sign.
For a signature to be reliable, the data have to point to one person, at least within the context of the signature. The qualification would allow the same signing code for more than one person, but not where it is at all likely to be ambiguous.
(b) « the signature creation data were, at the time of signing, under the control of the signatory and of no other person »
People are safely presumed to control the means for creating a handwritten signature – their signing hand. Traditional cheque-signing machines present similar problems to electronic signatures: they are acceptable often only because the relying party has strong assurance that the purported signer will not repudiate the signature. Banks often insist by contract with the owner of the machine that any cheque signed by the machine will not be repudiated by the owner. For electronic signatures (also created by a kind of machine), the ability to control the use of the signing data is here made part of the criteria for reliability. No doubt some parties will make similar agreements among themselves to support reliance in practice.
The Working Group discussed at length at several sessions the creation of signatures by multiple parties, or on behalf of entities like corporations. « Signatory » is defined in Article 2 as « a person that holds signature creation data and acts either on its own behalf or on behalf of a person it represents. » This means that a person signing on behalf of someone is the signatory and has the duties set out in Article 8, and not the person on whose behalf the signature is created. The duties and benefits of that person are to be decided under the general rules of agency or other authority in the applicable law. If more than one person is authorized to sign on behalf of, say, an employer, then they all (jointly? corporately?) have to control the signature creation data sufficiently to satisfy paragraph (2).
(c) « any alteration to the electronic signature, made after the time of signing, is detectable »
The next two paragraphs reflect a debate within the Working Group about the extent to which a signature at law shows the integrity of the signed document. Common law delegations generally said it did not. Civil law delegations generally said it did. (No one doubted the need for a relying party to know that the document was trustworthy; the debate applied only to the function of a signature to show that.) The compromise was to focus in one paragraph on alterations to the signature, which could be understood to refer to any doubt about the link between the signature and the document with which it was linked, and in another on alterations to the document. The test in paragraph (c) is not that a signature that is altered is invalid, but only that the alteration must be detectable. Once detected, the change may have a range of effects, largely within the judgment of the relying party, since the relying party takes the risk if the signature is invalid.
(d) « where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable. »
This provision is a standard provision for the characteristics of digital signatures (those created using public key cryptography); it appears in the federal government’s Bill C-6 in the criteria for a « secure electronic signature ». In Bill C-6 the notion of secure electronic signature is used where the integrity of the signed document is more important than in signatures at large. The Working Group did not decide that this characteristic was needed for any electronic signature to be reliable – unless preserving or showing the integrity of the document is considered an essential function of a signature. This was the civil law view, and civil law countries can be expected to have this provision as part of their criteria for a signature reliable enough to have the same legal effect as a handwritten signature.
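As an added illustration of how criteria (c) and (d) are met by digital signatures, the following Go program (my own example, not part of the memo, the Model Law or Bill C-6) signs a constructed sample document with an Ed25519 key from Go's standard library and then checks that verification fails when the document is altered after signing, when the signature itself is altered, and when a different person's key is presented. The key pairs, the document text and the function names are assumptions made for the example; the private key stands in for the Model Law's "signature creation data".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedDocument pairs the signed information with a detached signature
// computed over exactly those bytes.
type SignedDocument struct {
	Document  []byte
	Signature []byte
}

// Sign produces a digital signature over doc using the signatory's private
// key, which plays the role of the Model Law's "signature creation data".
func Sign(priv ed25519.PrivateKey, doc []byte) SignedDocument {
	sig := ed25519.Sign(priv, doc)
	return SignedDocument{Document: append([]byte(nil), doc...), Signature: sig}
}

// Verify reports whether sd.Signature is a valid signature over sd.Document
// by the holder of the private key matching pub. Any change to either the
// document or the signature after signing makes this return false, which is
// the "detectable alteration" property of criteria (c) and (d).
func Verify(pub ed25519.PublicKey, sd SignedDocument) bool {
	if len(pub) != ed25519.PublicKeySize || len(sd.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, sd.Document, sd.Signature)
}

// tamper returns a copy of b with the low bit of byte i flipped.
func tamper(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

// Outcome records the verification result of each scenario in Demonstrate.
type Outcome struct {
	OriginalValid      bool // unaltered document and signature verify
	AlteredDocDetected bool // a changed document fails verification (criterion (d))
	AlteredSigDetected bool // a changed signature fails verification (criterion (c))
	OtherKeyRejected   bool // another person's key does not verify it (criteria (a)/(b))
}

// Demonstrate signs a constructed sample document and runs each scenario.
func Demonstrate() (Outcome, error) {
	var o Outcome
	pubA, privA, err := ed25519.GenerateKey(rand.Reader) // signatory A
	if err != nil {
		return o, err
	}
	pubB, _, err := ed25519.GenerateKey(rand.Reader) // a different person, B
	if err != nil {
		return o, err
	}

	// Constructed sample document; the content is invented for this example.
	doc := []byte("Purchase order 12345: 100 units at 10.00 each, delivery by 2000-12-01")
	sd := Sign(privA, doc)

	o.OriginalValid = Verify(pubA, sd)

	// Alter the information after signing: byte 22 is the first digit of "100".
	altDoc := SignedDocument{Document: tamper(sd.Document, 22), Signature: sd.Signature}
	o.AlteredDocDetected = !Verify(pubA, altDoc)

	// Alter the signature itself after signing.
	altSig := SignedDocument{Document: sd.Document, Signature: tamper(sd.Signature, 0)}
	o.AlteredSigDetected = !Verify(pubA, altSig)

	// The signature creation data belong to A alone; B's key must not verify it.
	o.OtherKeyRejected = !Verify(pubB, sd)

	if !o.OriginalValid {
		return o, errors.New("unaltered signature failed to verify")
	}
	return o, nil
}

func main() {
	o, err := Demonstrate()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", o)
}
```

Note that the signature only makes alteration detectable; as the memo says of paragraph (c), what a relying party does once verification fails is a separate question, and the program reports the failure rather than deciding its legal effect.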
Article 6 goes on in paragraph (4)(a) to underline that one need not show all the qualities listed in paragraph 6(3) for a signature to be reliable under 6(1) and thus meet a legal signature requirement. Article 3 arguably already has that effect.
Paragraph 6(4)(b) ensures that the finding of reliability under (3) is challengeable in any event.
Paragraph 6(5) repeats the caveat of Article 7 of the MLEC, that enacting states may carve out some kinds of signature as exceptions to the general rule.
The Model Law does not tell states what signatures should be given special treatment. It is open to discussion whether the need for a carve-out is as strong when criteria for reliability are clearer than they were in the mandatory rules is already guaranteed. Perhaps enacting states will find it clearer to list by statute the places where higher standards are required.
Article 7 anticipates a short-cut to reliability: the declaration by an authorized body that a particular method of creating an electronic signature is reliable. This body may be in the public sector or may be a private body authorized by the public authorities to give such accreditation. Any such accreditation must be in accord with recognized international standards, so that countries do not get out of step with each other in the era of global communications.
The Working Group discussed whether to define « recognized international standards. » While no definition was retained, the Guide to Enactment of the MLES will point out that such standards may originate with public or private bodies and may be « standards » adopted by official standard-setting bodies, or guidelines. No doubt there would be some kind of unofficial hierarchy in favour of public standards, if an accreditation authority found that applicable standards varied when it needed to decide about signing methods.
The traditional handwritten signature has two parties: the person who signs and the person who relies on the signature. Some electronic signatures will also have the same two parties. However, many techniques of signing electronically introduce a third function, that of a trusted third party that assures the relying party that the electronic data (signature creation data) are indeed controlled by the person whose signature purports to be on the signed document. This is done by way of a « certificate ». The Working Group borrowed another term from the EU Directive on Electronic Signatures and called this person the « certification service provider ». The Working Group recognised that these three functions may be served by two people or by more than three: two where the certification service provider is also the relying party (as with Ontario’s Teranet system for electronic land registration); four or more when the functions of the certification providers are split or subcontracted among many businesses. The MLES imposes duties, or a code of conduct, on each of the functions.
Article 8 sets out what the signatory must do.
« Signatory » is defined in Article 2, as already noted. A person may be a signatory without actually signing; the duties imposed by Article 8 apply from the mere holding of the capacity to sign, the signature creation data, as it were. The main duty is to keep the signature creation data confidential. If someone else can get hold of them, then the person doing so can sign undetectably as the legitimate holder of the data. If the data are compromised, the signatory must notify anyone who reasonably might rely on the data. Even if the signatory merely has reasonable grounds to think the data are compromised, it must tell the certification service provider, so that party may inform the public – or anyone likely to rely on the certificate – that the data may no longer be reliable.
In addition, where there is a certificate, the signatory has to ensure that the certification service provider has accurate and up-to-date information about the signatory, and so on.
Paragraph 8(2) says that a signatory shall be liable for failure to comply with these obligations. It does not say what kind of liability should be imposed, or whether any limits are appropriate. That was left to national law. Enacting states are by this paragraph simply asked to ensure that there is civil liability to local standards. Earlier attempts to provide that liability would extend to foreseeable losses, or be limited to out-of-pocket losses incurred by a relying party, failed. Many delegates thought that private law matters should be kept out of a Model Law.
Article 9 describes what the certification service provider (CSP) is to do. Some of the obligations focus on the certificate and some on making information available through the certificate or otherwise, such as by an on-line statement of policy.
The basic rule is to operate in good faith, do what you say you are going to do, and disclose any problems that might devalue a signature. Again, the CSP is « liable » for failure to comply with the rules, but without any details of the liability.
In a certificate, the CSP must identify itself and state who has « control of the signature creation data at the time when the certificate was issued ». There was some debate whether the CSP could know, possibly some time after the signatory signed up for its service, who really controlled the key. It was acknowledged in discussion that « control » here means no more than « holds » in the EU Directive; it refers to the person who is entitled to use the signature creation data.
The Working Group seemed to assume that certificates would be issued with respect to signature creation data, well before the signatory actually signed anything. It remains to be seen if these criteria for certificates can be complied with when certificates are issued after the signature has been created, when a potential relying party presents a certificate to the CSP after receiving the signature and the certificate.
Paragraph 9(1)(d) sets out what the CSP must make available elsewhere than in the certificate. Certificates are small, electronically; they do not have the bandwidth for this kind of information. The CSP is not required to maintain a revocation list (9(1)(e) – and Article 5), but if such a list is not maintained, that must be disclosed to a relying party (9(1)(d)(v)(vi)).
Among the other requirements of a CSP is that it must use trustworthy systems (9(1)(f)). Article 10 of the MLES says what this might mean. It is a non-exhaustive and optional list of factors that can support the integrity of the signed document. The factors focus on the « systems, procedures and human resources » of the CSP. They include the financial resources of the CSP, the quality of hardware and software, the process for issuing certificates, the frequency of audit of the CSP’s procedures, and the possession of any accreditation of the reliability of its practices. Other factors may be considered as well as, or even instead of, these factors. There was some debate whether this list should merely go into the Guide, but eventually it was thought more likely to be helpful in the text of the Model Law itself.
Article 11 requires the relying party to take reasonable steps to verify the reliability of an electronic signature, and where there is a certificate available, to verify the status of the certificate and to comply with any limits on the value or nature of transaction stated in the certificate. If the relying party does not do these things, it must « bear the consequences » of not doing so. In this case it is not a question of making the relying party liable for anything. If it relies on an invalid signature, it may have a cause of action against those who did not ensure the integrity of the signature system (i.e. the other two parties to the signature). If however it does not take the steps in Article 11, it may not have an action against anyone; it may bear the consequences of its negligence, which is to have a worthless communication, even if it has laid out money in reliance on the signature. On the other hand, relying on the signature without following the steps of caution in this Article may have no harmful consequences at all; the signature may be genuine and valid, even if the relying party does not check. So liability is not the proper sanction here.
It should be noted that the obligations of all parties to an electronic signature will be commensurate with the technology they choose to employ and the purpose for which the signature is used. Not all legal purposes require the same level of reliability. Someone using a « low-level certificate », as the Working Group called it, would not have the same obligations as someone whose certificate purported to be highly reliable. This result is assured particularly by Article 5 on party autonomy, and its parallel in Article 12 on recognition, discussed below.
It is also reinforced by the opening words of Articles 8 and 9. Article 8 starts « where signature creation data can be used to create an electronic signature that has legal effect », in order to cut out those certificates that are not really legal signatures at all. The usual example given in the meeting was « browser certificates », used by computers to identify themselves. There may be a legal effect of such an identification, but it is not that of a signature. Article 9 has similar language: « Where a certification service provider provides services to support an electronic signature that may be used for legal effect as a signature ».
Article 12 was much discussed at the recent meeting, as it had not received much attention in earlier meetings. The focus is on recognition, not on any specific process like « cross-certification », in which the foreign certificate is certified in turn by a domestic CSP. The basic principle is non-discrimination.
Paragraph 12(1) prohibits taking regard of the place where a certificate or signature originated in deciding to give them legal effect in the enacting state. The English version of the Model Law says « geographic location » – the apparently redundant « geographic » is a kind of code to indicate that one could indeed take account of factors in a place that might make signatures or certificates coming from that place unreliable. Only the geography (or nationality or residence) where the signature or certificate originated was an illegitimate factor in judging reliability.
Paragraph 12(2) deals with the principles for recognizing foreign certificates, and 12(3) applies to foreign signatures. The rule is essentially that a receiving state has to give the same legal effect to a signature or certificate from offshore as it would to domestic signatures or certificates, if the system in the state of origin is « substantially equivalent » to that in the receiving state. The meeting heard from technical experts that total equivalence was perhaps impossible to achieve between systems, but that substantial equivalence was a workable test. Certificates are to be compared to like certificates, rather than appraising the general practices of a CSP or the whole range of certificates from a CSP.
The meeting discussed what might be meant by « foreign signature ». This was not a concept readily applied to handwritten signatures. A draft reference to signatures subject to the laws of a foreign state was deleted, because of a general reluctance to interfere with the determination of applicable law. The final wording is « an electronic signature created or used outside the [enacting state] ». Whether it is possible to identify such a signature will depend on the facts of the case.
Paragraph 12(4) proposed in draft a number of factors on which the reliability of foreign certificates or signatures might be judged. After discussion, it was decided that the criteria for trustworthiness and reliability elsewhere in the Model Law would suffice, and the principle of non-discrimination in paragraph 12(1) meant that special factors should not be created for foreign matters. Finally paragraph 12(4) authorizes reference to recognized international standards (meaning the same as it will under Article 7, no doubt) and « any other relevant factor ».
Paragraph 12(5) says that an agreement between foreign parties to use particular signing methods among themselves shall be recognized in the enacting state, between the parties. The wording of Article 5 on party autonomy was thought possibly insufficient to guarantee foreign recognition of such agreements, so the rule was made express here. The paragraph helps ensure that parties that agree to use less reliable methods of signature will not be held to the standards of more reliable signatures. Paragraphs (2) and (3) also speak of giving foreign certificates or signatures the same legal effect as domestic ones, not more, so flexibility at home leads to flexibility abroad.
The Model Law on Electronic Signatures is a modest but real contribution to the development of law on the subject. Its rules are themselves consistent with international practices. Enacting them as law may help the users of electronic signatures to avoid uncertainty.
Naturally any such implementing legislation in Canada would have to be harmonized with our existing law. The most obvious example would be the discussion in Article 6 of standards of reliability, when we in Ontario (and most of Canada) will not be requiring that valid electronic signatures meet a separate test of reliability. The provisions about the duties of the parties to an electronic signature and about recognition of foreign signatures may be more helpful to us. With a Model Law, unlike a treaty or convention, enacting states can pick and choose and amend and ignore as they see fit.
The Guide to Enactment should be considered in detail in deciding to implement the Model Law. Some of the matters dealt with in the Guide might be put into legislation here. There is no firm criterion about what is in the Guide and what is in the text of the Model Law. We would have to consider what would be most useful to the parties to electronic signatures, and to the courts and arbitrators who have to interpret the enacting statute.
Reports of all the meetings of the UNCITRAL Working Group can be found at http://www.unictral.org/english/sessions/wg_ec/index.html. The text approved by the Working Group is in the report of the September meeting: http://www.unictral.org/english/sessions/unc/unc-34/483e.pdf. The draft Guide to Enactment is in WP.86 and WP.86.1, both on the site mentioned. The final text of the MLES and the Guide will be on the UNCITRAL site as well in due course, after approval by the Commission.
The next page is an unofficial chart of the likely effect of the MLES.
Model Law on Electronic Signatures
The scope of signatures
I. Legally required signatures
· proved by any means – 6(1)
· proved under 6(3)
B. Party autonomy – 5, 6(4)
· may or may not be objectively reliable
· subject to mandatory rules
· may be higher or lower standard than in A
· parties may opt out of or vary duties in 8, 9, 10, 11 as well
II. “Legally effective” signatures, not required by law
· parties intend to bind each other (or have other legal effect)
· signatures will be used as evidence of source and intent
· the new Model Law probably intends to “protect” the parties to these signatures, especially the relying parties, e.g. by applying Articles 8 through 11 to them
· such signatures may become “required”, and thus have to meet Article 6 standards, for use in evidence, at least where documents have to be signed to be admitted, or possibly for use with public authorities.
· if there is any chance that parties will want later to use these signatures for a purpose that requires a signature, then they may have to design their signature processes from the outset to be capable of doing so.
III. “Non-signature” signatures
· e.g. browser certificates – really just labels, no “intent to sign”
· Q: do these ever turn into legally effective/required signature?
· Arguably these should not even fall into definition of “signature”
[All rules and standards are adaptable to the purpose for which signatures or certificates are created, except in applying paragraph 6(3) and mandatory rules of applicable law.]
[The Model Law on Electronic Commerce applies only to class I – legally required signatures ]