The European Union has begun a public consultation on online authentication in the context of its review of its Electronic Signature Directive of 1999.
An early assertion in the press release is this: “difficulties in verifying people's identities and signatures are a significant factor holding back the development of the EU's online economy.”
Is this true, in your view or in your experience? How often is identification of the other party to a transaction, or authentication of an identity one already knows, a concern, compared to, for example, the solvency of the party, the quality of the goods offered, the reliability of the services offered, or the availability of a remedy if something goes wrong?
For B2C e-commerce, most of the useful authentication is done through credit cards. The issuers of the cards provide all the authentication needed. In North America, the ability to charge back to the merchant the amounts paid on a failed transaction is a useful consumer remedy. That practice is not widely available elsewhere in the world.
I suspect, but would welcome knowledgeable input, that B2B transactions have means of authenticating that work in practice, but have the issues mentioned above without the credit card remedy.
I had thought that the review of the E-Signature Directive was prompted by a widespread failure to follow it, in that its ‘advanced electronic signature’ was not being much used, because it’s too complicated. It is easier in practice and for legal purposes to prove who one is dealing with (i.e. to authenticate) than it is to prove that one has complied with the technological standards required to qualify as an advanced electronic signature.
An additional problem is that qualifying as an AES only gets you to being the equivalent of a handwritten signature, i.e. there is no presumption of identification or of consent of the party that has created the AES. (By contrast, the statute and regulations about Canada’s secure electronic signatures give a presumption of attribution and of admissibility as evidence to the signed document.)
How important is this consultation? Is it more important to make the AES rule more flexible than to worry about large scale authentication?
I can see an argument that communications with the public sector – in either direction – may have more demanding authentication rules. Would you agree with that?