
Digital Signatures and Global E-Commerce: Part I -- U.S. Initiatives.


In December 1999, two paper-dependent Maryland businesses -- a law firm and an office equipment company -- executed the first lease agreement made official with a digitally signed "electronic original." Using a digital certificate system supported by public key infrastructure (PKI) technology, the law firm created the lease electronically, signed it with an electronic pen and pad, and sent it securely via the Internet to the office equipment company. There it was signed electronically again and stored in a repository as an "electronic original" document. Once stored, the digital document was protected from undetected change, although interested parties could view or print it.

In one sense, the Maryland e-contract seems paradoxical since its purpose was to lease eight office copy machines to create paper documents. Moreover, the parties also had to sign a paper lease agreement since Maryland state law did not recognize digital signatures as legally binding (though new legislation is pending). On the other hand, the ability to execute legally binding business transactions without paper or physical signatures is a milestone in the development of e-commerce. The event is an example of major new initiatives -- both legal and technological -- occurring in the United States concerning digital signatures in a broader e-commerce business environment.

Historically, commercial transactions have taken place by phone, fax, wire, and mail, with paper documents the end product of the transactions' official consummation. But when parties to business transactions migrate from paper to electronic recordkeeping, many questions surface.

For example, when basic e-mail is the primary means of communication and document transfer among parties to the transaction, it is difficult to know which document version is the latest or what revisions have been approved. Moreover, in Web transactions, customers visit a particular site, read a contract for purchasing goods or services, then click the "I agree" button. In HTML format, that indication of agreement goes to a database but with no record of the question's text. Thus, at a later time, it becomes very difficult to prove exactly what was agreed upon. Businesses need to address these new issues as they migrate their contractual agreements and transactions from paper to electronic formats.

There is no question that e-commerce is the wave of the future. Consider that the U.S. government reportedly consummates at least 75 percent of its transactions electronically. Moreover, the federal government has made it mandatory that all agencies make their public documents available electronically and enable the use of digital signatures by October 2003. The private sector, which is moving very aggressively to embrace e-commerce, reports similar figures.

E-commerce is among the most significant paradigm shifts in the history of commercial enterprises. Its benefits include opportunities to define and dominate new markets -- globally as well as nationally -- lower transaction costs, improve productivity, and gain greater market share. Today, businesses are reinventing themselves around e-commerce. For example, General Motors, the world's largest manufacturing company, aspires to be "the world's largest e-commerce company" by integrating information delivery into Web-connected cars and the many other aspects of its global businesses. Similar business initiatives abound throughout the world.

Digital Signatures

Digital signatures, a key component of e-commerce, are not new; they can exist in many different forms, including automated teller machines and other computer systems that rely on personal identification numbers (PINs) as a means of authenticating business transactions -- technologies that are several decades old. A digital signature could comprise a smart card, a thumbprint, a retinal scan, a voice recognition test, or all of the above, depending on the transaction's nature and the security requirements surrounding it. A digital signature uses specially encrypted codes in electronic messages that allow the recipient to verify the sender's identity, thereby establishing trustworthiness in commercial transactions.

Digital signatures link a person's identity to a specially encrypted "private key" issued to only one bearer. The private key is used to electronically sign a communication, which another party can open with a "public key." A certificate authority maintains the public key and also issues and verifies the digital certificates that validate the identity of each person in the e-commerce transaction. Several software vendors, large and small, supply the core technologies, which are frequently proprietary. It is very difficult to certify digital signatures in a PKI environment where a mix of vendor products and certificate authorities is involved. Each vendor, for instance, has its own certificate issuance validation and revocation protocols.

The U.S. E-Sign Act

In July 1996, the United Nations Commission on International Trade Law adopted a "Model Law on Electronic Commerce." In retrospect, it was a forward-looking piece of lawmaking, given that the Internet -- the principal vehicle for global e-commerce -- was just beginning to mushroom throughout international business. In reviewing this law in the April 1997 Records Management Quarterly (the predecessor of The Information Management Journal), this author predicted that it would spawn similar legislative initiatives throughout the world -- and it has. During the last few years, many nations have enacted new digital signature/e-commerce laws, including the United States.

On June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National Commerce Act -- the "E-Sign Act." The measure grants electronic signatures the same legal status as those written in ink on paper, making it easier, faster, and less expensive to conduct business online. Moreover, the law promotes both domestic and international e-commerce by clarifying the legal significance of commercial transactions in electronic form.

The E-Sign Act became effective on October 1, 2000. For his part, President Clinton hailed the new law in the most glowing terms: "Soon, vast warehouses of paper will be replaced by servers the size of VCRs," he said. This may or may not reflect what the law will actually mean for businesses during the next few years. To aid in discussion, it is important to understand the E-Sign Act's main features:

* The law's design removes impediments to businesses developing e-commerce initiatives found in existing U.S. statutes. Where existing laws require original records or documents bearing authenticated signatures to support business transactions, the new law creates a legal environment to overcome these. The law's ultimate intent, of course, is to enhance U.S. competitiveness through the widespread use of new technologies.

* The law provides businesses the option of accepting digital signatures and choosing what kind they will be (e.g., digital certificates, dual key encryption, passwords, or other types).

* More specifically, the law states that an electronic signature is whatever two entities agree it is. An e-signature can simply be a typed name that individuals attach to an e-mail message or anything up the ladder of technology sophistication, so long as the parties to the transaction agree. The law states that an e-signature may be "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

* Finally, the law marks a major effort to harmonize existing state laws on digital signatures. Currently, a total of 45 states have laws that recognize some form of digital or electronic signatures, and the remainder have legislation pending. One of the biggest problems in implementing global e-commerce solutions is the plethora of existing laws and regulations relating to commercial transactions throughout the world. The E-Sign Act will go a long way towards harmonizing the legal environment for e-commerce in the United States.

Conversely, the E-Sign Act does not

* define what constitutes a legitimate, safe, secure digital signature -- matters that will be addressed in future regulations. In fact, the E-Sign law gives regulatory agencies the authority to develop specific criteria for the accuracy, integrity, and accessibility of electronic records.

* grant any special status to electronic records per se; it merely removes the impediments in existing law to conducting business electronically. In this sense, the law may be characterized as media neutral. E-records will be subject to the same legal scrutiny as physical ones.

* prescribe any specific technology; rather, the law is technology-neutral. While neutrality is legally appropriate, it places the burden on businesses to determine the best technologies and practices to support their own e-commerce initiatives.

* provide broad authority or mandate for businesses to convert records from paper to electronic format. The law implicitly recognizes that paper records will be a medium for business recordkeeping for some time to come. In fact, in business-to-business (B2B) e-commerce environments, many firms lack the technology infrastructure to implement e-commerce solutions.

In business-to-consumer (B2C) e-commerce environments, the E-Sign Act recognizes that many households lack personal computers with access to the Internet. Thus, the law contains various provisions to protect consumers. For example, the law expressly requires the consumer's consent prior to consummation of electronic transactions effectuated by means of digital signatures.

Some commentators take exception to President Clinton's optimistic statements concerning the new law's virtues. Benjamin Wright, a Dallas-based attorney and editor of The Law of Electronic Commerce, states, "What Congress did was much more symbolic than substantive. The law has not changed, because the law has always said that a signature is a symbol adopted with someone's intent to comply. It could be an X, a thumbprint, or even your company letterhead. The legal issue has always hinged on what you intend."

For a document to be found legally binding in court, an appropriate party must be able to authenticate that it was in fact signed by the person who claims to have signed it. Moreover, it must be demonstrated that the document is "trustworthy" -- that it has not been altered in pursuit of some malicious purpose. These principles have long existed in both paper and computerized recordkeeping environments, and they remain embodied in the E-Sign law.

Public Key Infrastructure Technology

The term "public key infrastructure technology" refers to software functionality that provides for the authentication and security of electronic commercial transactions. Although many smaller software companies provide PKI functionality in proprietary products, Microsoft has incorporated it in the Windows 2000 operating system. Since more than half of business desktops are expected to run Win2000 by 2003, the technology infrastructure for e-commerce will be much more pervasive than it is now.

The three major components of PKI functionality are:

1. A registration authority -- This functionality validates e-signatures and other essential components of transactions and instructs the certificate authority to create a digital certificate.

2. A certificate authority -- This functionality creates a certificate and a public encryption key that travels with the e-documents from sender to recipient. The recipient uses the certificate and encryption key to ensure that the signer actually sent the documents and that they have not been improperly altered. This provides a documented chain of custody to verify the integrity of the documents and the e-signatures on them. Digital signatures should be unique for every document and should be electronically "sealed" so they cannot be altered without detection, even by the originator.

3. A digital repository -- This capability, usually a directory or database, stores digital certificates, certificate users, and revocation lists.
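
The signing and checking flow described under "Digital Signatures" and in the three PKI components above, as an added example (not from the article or any vendor product). It uses textbook RSA over toy keys built from known Mersenne primes so that it runs with only the Python standard library; the key sizes, lease text, certificate fields and serial number are constructed for illustration, and a real deployment would use a vetted library with padded signatures.

```python
import hashlib
import json

E = 65537  # public exponent shared by both toy keys


def make_key(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes 2**k - 1 (constructed, NOT secure)."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data):
    """SHA-256 of the data as an integer (always smaller than the toy moduli)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key, data):
    """Private-key operation: only the key holder can produce this value."""
    return pow(digest(data), key["d"], key["n"])


def verify(public_n, data, signature):
    """Public-key operation: anyone holding the public modulus can check."""
    return pow(signature, E, public_n) == digest(data)


def cert_body(cert):
    """Canonical bytes of the fields the CA vouches for."""
    fields = {k: cert[k] for k in ("serial", "subject", "public_n")}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_key, serial, subject, public_n):
    """CA step, run after the registration authority has vetted the subject."""
    cert = {"serial": serial, "subject": subject, "public_n": public_n}
    cert["ca_sig"] = sign(ca_key, cert_body(cert))
    return cert


def check_document(doc, signature, cert, ca_public_n, revoked_serials):
    """Recipient's checks, in order: issuer, revocation list, document seal."""
    if not verify(ca_public_n, cert_body(cert), cert["ca_sig"]):
        return "certificate not issued by trusted CA"
    if cert["serial"] in revoked_serials:
        return "certificate revoked"
    if not verify(cert["public_n"], doc, signature):
        return "document altered or not signed by certificate holder"
    return "valid"


CA_KEY = make_key(521, 607)        # constructed CA key
SIGNER_KEY = make_key(1279, 2203)  # constructed signer key


def demo():
    lease = b"Lease of eight office copy machines"  # constructed sample text
    cert = issue_certificate(CA_KEY, 1001, "Example Law Firm", SIGNER_KEY["n"])
    sig = sign(SIGNER_KEY, lease)
    ca_n = CA_KEY["n"]
    return {
        "original": check_document(lease, sig, cert, ca_n, set()),
        "altered": check_document(lease.replace(b"eight", b"nine"), sig, cert, ca_n, set()),
        "revoked": check_document(lease, sig, cert, ca_n, {1001}),
        "edited_cert": check_document(lease, sig, dict(cert, subject="Other"), ca_n, set()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The revocation set stands in for the repository's revocation list; the same signature fails as soon as one word of the lease changes, which is the "sealed" property the text describes.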

All companies using digital signatures and other e-commerce measures need to decide how secure their transactions must be. Most observers say that a signature text block on an e-mail message will suffice for only the simplest transactions. For large businesses, it is generally agreed that digital certificates used with e-signatures will provide the appropriate security protection, particularly for major transactions. Moreover, when it comes to big transactions, there has always been a signed paper document to make it official, even for deals that originate online. The key point, however, is that businesses must decide how to secure e-commerce transactions, as well as how to retool their computer applications to accept and store them.

Finally, PKI functionality must be supported by interoperability among the many disparate computing environments currently installed in multinational businesses throughout the world. The lack of common standards among competing PKI technologies and validation processes could retard the deployment of e-commerce applications among multinational companies.

E-commerce and Records Retention

The E-Sign Act contains provisions that directly address the issue of retaining electronic records in e-commerce environments, an issue of high interest to RIM professionals. The act states that "any requirement to retain a contract or record is met by retaining an electronic record of the information in the contract or record." The law provides three key tests for the legal acceptability of electronic records as a retention medium in e-commerce transactions:

1. The record must accurately reflect the information contained in the original contract or transaction.

2. The record must remain accessible to those entitled by law to access it, for the period required by law.

3. The record must be capable of being accurately reproduced, whether by printing or otherwise.

If these criteria are not satisfied, the electronic record's legal validity may be denied.

For information management professionals, the central issue is whether the organization's e-commerce applications -- and the electronic records that comprise them -- can demonstrably comply with these requirements. It is also important that any computer data supporting e-commerce applications be retained or destroyed under authority of an officially sanctioned records retention program. All e-commerce data should be scheduled for retention based on periods that meet business needs and comply with the law. Such retention periods should be implemented by integrating data purge functionality consistent with approved retention periods into the software environment supporting the applications. Information professionals should work with data owners and information technology specialists to ensure that such purge functionality has been properly incorporated into e-commerce applications. Data purge functionality would generally need to be applied at the repository levels for various categories of business processes, customer groups, and specific types of transactions.

Global E-commerce Initiatives

Many things need to be in place before international businesses can fully exploit the tremendous opportunities presented by e-commerce. Multinational companies need a global commercial code that addresses the many complicated issues raised by e-commerce, including, among others, customs duties, taxation matters, exchange rates, and product inspection requirements. The global initiatives related to these matters and their relevance for information RIM professionals in multinational companies will be examined in subsequent columns.

REFERENCES

Briody, Dan. "Digital Signatures Create Market Potential." InfoWorld, 24 July 2000.

Hulme, George V. "E-Signatures: Ties That Bind." Informationweek, 3 July 2000.

Jones, Jennifer and Margaret Johnston. "Digital Signature Bill Enables E-commerce." InfoWorld, 19 June 2000.

King, Julia and Lee Copeland. "GM Retools for E-Commerce That Goes Well Beyond Cars." Computerworld, 17 April 2000.

Montana, John C. "Developments in the Law of Electronic Commerce." The Information Management Journal, January 2000.

Stephens, David O. "Electronic Recordkeeping Provisions in International Laws." Records Management Quarterly, April 1997.

Wilde, Candee. "Legally Binding E-Documents Move Closer to Reality." Informationweek, 6 March 2000.

Williams, Robert and Randolph Kahn. "The E-Sign Act." KMWorld, September 2000.

David Stephens, CRM, CMC, FAI, is vice president for the records management consulting firm of Zasio Enterprises Inc. He has been a consultant in the field of records management for more than 18 years and has published books and articles about information management in the United States and abroad. The author may be reached at dostephens@zasio.com.
COPYRIGHT 2001 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:STEPHENS, DAVID O.
Publication:Information Management Journal
Date:Jan 1, 2001
Words:2505