[Sarit Mizrhi assisted in the preparation of this column.]
As discussed abundantly in previous posts, numerous court systems worldwide have begun harnessing the power of modern technology in general (and online dispute resolution (ODR) mechanisms in particular) due to the many benefits it stands to offer to the judiciary. Essentially, information and communications technologies have proven to enhance court performance in several manners, such as by reducing trial delays, increasing the efficiency of the judicial system and thus ultimately access to justice, as well as increasing the level of confidence that citizens have in the legal system. As is well documented, one technological process that presents court systems with these various benefits is that of electronic case filing, which has been implemented in a number of jurisdictions throughout the country and the world.
However, while the benefits enumerated embody some of the most crucial goals of many legal systems, the integration of technology into this domain is not without its risks if implemented incorrectly. Not only does it impose risks such as potential violations to privacy as well as evidentiary issues, but it also presents other threats such as informational security risks. It is upon this last threat that the present blog post will concentrate, specifically as it pertains to the methods used to identify individuals who seek to file their court cases electronically.
In general, there are four different methods that are currently employed by Canadian e-filing systems to identify individuals. The first consists of a user name and password with prior verification, where the court system personally verifies the identity of an individual, either in person (as is the case in British Columbia), by filling out a physical form requesting personal information and presenting it at a specified location (as is the case for the Saskatchewan Court of Appeals) or through encryption keys, prior to providing them with an access code that enables the creation of a user name and password. The second technique is by merely allowing the creation of a user name and password without prior verification of the identity of the individual, such as by filling out an online form requiring certain personal information and then receiving an automatic email with a temporary password enabling the individual to access the system (as is the case for the Alberta Utilities commission). The third method is through the provision of specified information relating to the case being filed via an online form, some of which may be publicly available (as is the case for the Tax Court of Canada). The final technique is identification through e-mail address which does not entail any verification more complex than merely matching up the e-mail address from which a document was sent and the name typed in the e-mail in question with the information of the case (as is the case for the New Brunswick Energy & Utilities Board). For more information on which system is used by which courts, readers are invited to consult a study we recently published on the Cyberjustice Laboratory’s website (the study is in French).
Those who are more familiar with electronic signatures might be surprised to notice that we did not address what the Personal Information Protection and Electronic Documents Act (PIPEDA) refers to as a “secure electronic signature”, i.e. digital signatures. This is because, to our knowledge, no Canadian Court currently uses this method of authentication for e-filing purposes.
This might seem shocking to some. After all, digital signatures are usually seen as the most secure means of identifying and authenticating a person. In fact, while the security risks associated with each of the four methods currently being used by Canadian courts vary greatly (from the use of email addresses, which is the least protective of informational security, to the use of user names and passwords with previous verification, which offers much greater security), none of these methods offers more security than digital signatures.
So how, some may ask, can the courts use e-filing systems that seem to offer so little security? Email addresses, for example, are easily spoofed, while passwords are often easy to guess. Furthermore, the use of online forms creates the risk that third parties that have access to basic information regarding a case (i.e. docket number) file documents while claiming to be one of the parties. Should we not, therefore, request the use of digital signatures or, at least, the use of user names and passwords with previous verification?
We would answer this question with another: Why should we hold e-filing to a higher security standard that current filing practices? Everyday, thousands of documents are filed with Canadian courts without any form of identification other than the name printed on a motion or other court document. Even when the name is signed, the court has no way of comparing the signature to ensure its validity since, at least in Quebec, courts do not keep a signature database for comparison purposes.
While preparing our study, we found that the number of security breaches regarding court documents had not risen significantly with the advent of e-filing. The best example of this is the e-filing system put in place by the former Commission des lésions professionnelles in Quebec (now part of the newly formed Tribunal administrative du travail). Using this system, anyone can file a document electronically if he or she knows the case number. Although the risks associated with this system seem incredibly high, the number of recorded false filings is… 0. That’s right, event though there are no real security safeguards in place, no one has ever filed a false document.
Security is often seen as the Achilles’ heel of ODR platforms and other technological solutions developed for the courts. For this reason, there seems to be a need, within the legal community, to overcompensate in order to ensure high security standards for court information. While this is a laudable goal, it implies holding information technology to a higher standard than paper, and then criticising those charged with implementing said technologies for not living up to said standard.
If a document can be faxed, we should be able to send it by email without its author having to jump through security hoops. In the same vein, if a paper document can be filed by simply depositing said document in a box at the courthouse, there is no reason to impose strict security authentication for e-filing platforms…