- COMP.SEC.100
- 4. Law and Regulation
- 4.9 Trust without paper
Trust without paper
When moving from a traditional office to a paperless environment, and especially as electronic commerce developed, the need grew to transfer traditional methods of ensuring the authenticity and integrity of information (e.g. signatures, seals and ink) into a form that could be used in fully electronic and networked environments. Information security researchers and industry developed several new methods (often PKI-based) intended to address these needs. This in turn created a need to reform regulation, broadly of three kinds. The first type concerns the acceptance of electronic documents as evidence in court proceedings. Matters of this kind have been well managed in legislation, with advanced forensics providing support. The second type concerns the legal validity of communication conducted in electronic form. The third type relates to rights and obligations in identification and trust services.
PKI (Public key infrastructure)
A public key system is a structure based on cryptology. It enables trust that the private keys of individuals or machines are indeed under the control of those entities. This is achieved by binding public keys, which are mathematically linked to private keys, to the identity information of the entities by means of certificates (see Public key management in a later module). Using a private key, an entity can, with the support of the PKI structure, prove its identity by creating a digital signature. Certificates are themselves signatures created within the same system (cf. Section 19 of the Act mentioned in Problem 1).
As early as 1996, the United Nations officially encouraged all states to enable electronic commerce relationships. Many states simultaneously adopted various laws and regulations designed to enable different kinds of transactions, commercial relationships, administrative reporting, court proceedings, etc. The context for many of them was digital signatures and trust services.
The legal validity of digital communication not related to commerce has developed more slowly. Such topics include, for example, the administration of an estate of a deceased person and the transfer of ownership of real estate. Many of these are still subject to formal requirements that make handling the matter through electronic communication impossible.
Electronic signatures and trust services
Alongside modern e-commerce, identity services emerged, particularly those that bind a person’s identity to a specific public key in a PKI by means of a certificate. As the technical standards for such trust services began to take shape, two legal questions arose for anyone wishing to provide or use these services:
- To what extent does a digital “signature” correspond in legal effect to a traditional handwritten signature on paper?
- What is the nature of the rights and obligations of the persons involved in maintaining and using these systems?
The development of Finnish legislation illustrates the first question. In 2003, the Act on electronic signatures entered into force. It was replaced in 2009 by the Act on strong electronic identification and electronic signatures. Subsequently, in a major revision in 2016, the name of the Act was changed to Act on strong electronic identification and electronic trust services. Thus, after the first six years, the focus of the Act shifted from signatures to what they are primarily intended for, namely identification. There are other strong methods for this (such as online banking credentials), which is why supplementation of the Act was necessary. The following seven years led to generalising signing into trust services. The background is an EU Regulation from 2014. The concept of non-repudiation, important in information security terminology, does not appear in the Act or in the EU Regulation. Nevertheless, it is useful to observe from the legal text that advanced signatures, and also strong identification, provide precisely non-repudiation, subject to certain limitations (cf. Problem 1).
The question of the rights and obligations of persons participating in trust services is considerably more complex.
What is the nature of the liability of a certification authority towards a relying party, what constitutes sufficient care in this operating model, and what kinds of harm can be anticipated in error situations? The range of possible problems is broad. At one extreme, there is the collapse of the system if the root certificate is compromised and this is not detected, or if the authentication mechanism is faulty. At the other extreme, there are random, albeit recurring and perhaps unavoidable, cases where a certificate is incorrectly issued to the wrong person.
What kinds of liabilities are borne by the signer using their certificate, or by the relying party verifying a signature made with it? Early policy debates focused largely on the extent to which signatures should bind the signer—especially where the person may have lost control of the signature-creation device. This is an old legal problem, encountered with payment orders and similar signing machines or stamps, which have been and continue to be used in companies, financial institutions, medical practice, etc. Today, much of the discussion appears to focus on laws regulating specific use cases, such as the regulation of electronic payment services.
Uncertainty in these matters has led certificate issuers to seek ways to limit or otherwise rationalise their liability. The usual strategy—concluding contracts containing limitations—has a significant problem. Forming a contract between the issuer and the relying party typically requires communication of an offer and acceptance between them. However, most systems are designed to enable trust without continuous intervention where the user would be presented with new terms of use each time they encounter a new certificate issuer.
The technology community attempted to address these concerns by including data fields in certificates intended to communicate the limits of trustworthiness and intended use. This strategy encountered various legal challenges. In practice, certificates are usually placed in rarely visited corners of the user interface. Moreover, a large proportion of end users whose machines rely on these certificates would likely not understand the rather technical information presented in them. Under these circumstances, the possibility of creating an enforceable limitation of liability between the certificate issuer and the relying party has been questioned.
Legislators and legal experts have addressed the matter through various recommendations and subsequently through legislation. These laws, often titled with terms such as digital or electronic signature, typically adopt some combination of the following policy measures:
- requiring the acceptance of electronic signatures as legal evidence;
- defining as legally valid those electronic signatures that meet certain minimum technical characteristics ensuring authentication and integrity;
- providing that electronic signatures cannot be denied validity solely because they are in electronic form, while leaving open the possibility of denying equivalence for other reasons;
- imposing on certificate issuers a duty of care towards relying parties;
- reversing the burden of proof so that a person who has suffered damage due to the issuer’s negligence no longer needs to prove the negligence; instead, the issuer must demonstrate that their conduct was not negligent;
- creating a regulatory framework for developing more demanding technical and non-technical standards of care for the certification business;
- allowing certificate issuers to limit their financial liability by including a limitation in the certificate, regardless of whether the relying party sees this limitation;
- allowing certificate issuers to exclude liability for certain uses by including an exclusion in the certificate, regardless of whether the relying party examines this exclusion.
There are some differences between states in the implementation of these measures. Not all have adopted all of them, and many are subject to several additional conditions or limitations. A recurring theme is the reluctance of legislators to reduce the rights provided by consumer protection laws.
Some laws on certificates are general in nature, while others address only specific areas, such as public administration. In some cases, legislation delegates subject-specific powers to a regulatory body to issue more detailed provisions and/or technical standards. Examples of such bodies in Finland include the Digital and Population Data Services Agency and the Cybersecurity Centre under Traficom. The former inherited certification authority duties from the then Population Register Centre.
The above has focused on the three parties in a certificate system, but there is also a fourth: the party that chooses which certification authorities should be trusted by default. This role is routinely performed, for example, by browser vendors. This is likely unavoidable, since most end users have no practical way of distinguishing between good and bad certification authorities. This raises the question of what kind of duty of care such selectors of default certification authorities may owe to end users.
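The three points above, the PKI structure in which certificates are themselves signatures, the certificate data fields that state intended use, and the fourth party's choice of which roots are trusted by default, as an added example in Go using the standard library's crypto/x509 (this is not code from the course material). The CA name "Example Root CA", the subject "Alice" and the restriction to email protection are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue has signer's key sign tmpl for pub; parent == tmpl yields a self-signed (root) certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Chain builds a constructed root CA and a certificate binding "Alice" to her public key; the
// extended key usage field states the intended use (email protection only). Names are hypothetical.
func Chain() (root, leaf *x509.Certificate, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: t0, NotAfter: t1, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice"},
		NotBefore: t0, NotAfter: t1, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	leaf, err = issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return
}

// TrustedFor is the relying party's check: the chain must end in a root that the relying party (or the
// vendor selecting defaults for it) chose to trust, and the leaf's stated intended use must cover purpose.
func TrustedFor(leaf *x509.Certificate, roots []*x509.Certificate, purpose x509.ExtKeyUsage) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}
```

With an empty root list nothing verifies, and the same certificate is accepted for email protection but rejected for server authentication, which is the limitation the issuer wrote into the certificate taking effect at verification time.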
A cybersecurity professional should at least observe from the above that developing an application platform involving multiple parties may require a detailed understanding of regulation and formal requirements.
Choice of law: electronic signature and trust service
The nature of electronic signatures and trust services inevitably creates conflicts of law when the parties are in different states. How should one proceed when the certificate issuer is in state A, the certificate holder (and the person making signatures with it) is in state B, and the relying party is in state C? The latter may find it difficult to assess whether a signature made in B is valid in C when it is based on a certificate signed in A. Furthermore, the purpose of the signature under consideration may be to confirm a contract transferring ownership of real estate located in a fourth state D. The question of the legal binding nature of the signature will almost certainly be answered by reference to the law of state D, without regard to states A, B or C. The state in which immovable property is located is usually the only one with enforcement power in a potential ownership dispute.
If the case concerns a simple contract in which neither the signer nor the relying party is a consumer, European courts should be able to recognise formal validity if it satisfies the requirements of the law chosen by the parties, that is, the law of B or C or possibly the law of the habitual residence of one of the parties. With respect to consumers, European courts would consider such a cross-border contract valid only if it is valid under the law of the consumer’s place of residence.
Determining the applicable law for limitations of liability is also complex. Consider again a certificate issuer in state A. How can they rely on the limitation of liability provided by the digital signature law of their own state when the above-mentioned third party in state C brings an action against them for negligence? Liability for damages may well be determined according to the law of state C, particularly in cases where the injured party is a consumer. In other words, the value of liability exclusions or limitations granted by law becomes questionable when contractual relationships cross borders.