Column

Identifying E-Filers Through Strict Security Measures: Why?

[Sarit Mizrhi assisted in the preparation of this column.]

As discussed abundantly in previous posts, numerous court systems worldwide have begun harnessing the power of modern technology in general (and online dispute resolution (ODR) mechanisms in particular) due to the many benefits it stands to offer to the judiciary. Essentially, information and communications technologies have proven to enhance court performance in several ways, such as by reducing trial delays, increasing the efficiency of the judicial system and thus ultimately access to justice, as well as increasing the level of confidence that citizens have in the legal system. As is well documented, one technological process that presents court systems with these various benefits is that of electronic case filing, which has been implemented in a number of jurisdictions throughout the country and the world.

However, while the benefits enumerated embody some of the most crucial goals of many legal systems, the integration of technology into this domain is not without its risks if implemented incorrectly. Not only does it impose risks such as potential violations of privacy as well as evidentiary issues, but it also presents other threats such as informational security risks. It is upon this last threat that the present blog post will concentrate, specifically as it pertains to the methods used to identify individuals who seek to file their court cases electronically.

In general, there are four different methods that are currently employed by Canadian e-filing systems to identify individuals. The first consists of a user name and password with prior verification, where the court system personally verifies the identity of an individual, either in person (as is the case in British Columbia), by filling out a physical form requesting personal information and presenting it at a specified location (as is the case for the Saskatchewan Court of Appeals) or through encryption keys, prior to providing them with an access code that enables the creation of a user name and password. The second technique merely allows the creation of a user name and password without prior verification of the identity of the individual, such as by filling out an online form requiring certain personal information and then receiving an automatic email with a temporary password enabling the individual to access the system (as is the case for the Alberta Utilities Commission). The third method is through the provision of specified information relating to the case being filed via an online form, some of which may be publicly available (as is the case for the Tax Court of Canada). The final technique is identification through e-mail address, which does not entail any verification more complex than merely matching up the e-mail address from which a document was sent and the name typed in the e-mail in question with the information of the case (as is the case for the New Brunswick Energy & Utilities Board). For more information on which system is used by which courts, readers are invited to consult a study we recently published on the Cyberjustice Laboratory’s website (the study is in French).

Those who are more familiar with electronic signatures might be surprised to notice that we did not address what the Personal Information Protection and Electronic Documents Act (PIPEDA) refers to as a “secure electronic signature”, i.e. digital signatures. This is because, to our knowledge, no Canadian court currently uses this method of authentication for e-filing purposes.

This might seem shocking to some. After all, digital signatures are usually seen as the most secure means of identifying and authenticating a person. In fact, while the security risks associated with each of the four methods currently being used by Canadian courts vary greatly (from the use of email addresses, which is the least protective of informational security, to the use of user names and passwords with previous verification, which offers much greater security), none of these methods offers more security than digital signatures.

So how, some may ask, can the courts use e-filing systems that seem to offer so little security? Email addresses, for example, are easily spoofed, while passwords are often easy to guess. Furthermore, the use of online forms creates the risk that third parties that have access to basic information regarding a case (i.e. docket number) file documents while claiming to be one of the parties. Should we not, therefore, request the use of digital signatures or, at least, the use of user names and passwords with previous verification?

We would answer this question with another: Why should we hold e-filing to a higher security standard than current filing practices? Every day, thousands of documents are filed with Canadian courts without any form of identification other than the name printed on a motion or other court document. Even when the name is signed, the court has no way of comparing the signature to ensure its validity since, at least in Quebec, courts do not keep a signature database for comparison purposes.

While preparing our study, we found that the number of security breaches regarding court documents had not risen significantly with the advent of e-filing. The best example of this is the e-filing system put in place by the former Commission des lésions professionnelles in Quebec (now part of the newly formed Tribunal administratif du travail). Using this system, anyone can file a document electronically if he or she knows the case number. Although the risks associated with this system seem incredibly high, the number of recorded false filings is… 0. That’s right, even though there are no real security safeguards in place, no one has ever filed a false document.

Security is often seen as the Achilles’ heel of ODR platforms and other technological solutions developed for the courts. For this reason, there seems to be a need, within the legal community, to overcompensate in order to ensure high security standards for court information. While this is a laudable goal, it implies holding information technology to a higher standard than paper, and then criticising those charged with implementing said technologies for not living up to said standard.

If a document can be faxed, we should be able to send it by email without its author having to jump through security hoops. In the same vein, if a paper document can be filed by simply depositing said document in a box at the courthouse, there is no reason to impose strict security authentication for e-filing platforms…

Comments

  1. Thanks for being the voice of reason on this issue. As a corporate solicitor, I often run into resistance to using electronic signatures on contracts based on the nebulous idea of the security risks involved. Yet contracts are regularly signed, scanned, and shared over email, no one ever knowing what any counterparty’s signature should look like and, even if they did, not having the necessary technical skills to detect a forgery anyhow.

    The bottom line though is it doesn’t really matter because it’s hard to understand how a rogue could possibly gain by forging a contract or signature (if it was even possible). There’s not much of value in that for anyone but one of the parties to the contract. Plus, if it happened, it would be easy to prove the forgery. It’s the same thing with court documents.

  2. Do you think there would be value in the law societies organizing and authenticating some sort of electronic signature for members of their respective bars?

  3. From the Law Society of Upper Canada’s Technology Task Force Report to Convocation in May, 2000: “Momentum is developing in the private sector and among individual law societies to provide electronic certification. … PKI is a law society issue for four reasons. First, PKI is a core function because law societies issue and police the credentials of lawyers and in an online communications environment law societies should continue to do so. Second, PKI is an independence issue because in the absence of the law societies creating a national PKI infrastructure, the private sector will, and this, inevitably, will result in a loss of independence. Third, certifying authorities must be trustworthy: law societies are endowed with that public trust by legislation and should maintain that trust relationship in the online environment. Fourth, PKI is a public interest issue because the public is inexorably opting in favour of e-commerce, and clients need the ability to conduct business electronically: it is in the public interest that law societies facilitate clients doing business on line with each other, and with businesses, and governments. In doing so, they should be able to access the services of their counsel securely and with trust. A PKI infrastructure sponsored by lawyers will do this.”

    From a Law Society of Upper Canada Advisory Services Report about “Technology”, in May 2001: “… the Federation of Law Societies of Canada is implementing “trusted digital credentials” which are a combination of a digital certificate and an authentication of professional status (i.e. the certificate identifies you as a lawyer). The program is called Juricert(tm) (see http://www.flsc.ca). The Juricert program provides: a. Systems for professionals, their staff and clients to obtain trusted digital credentials, b. Systems and practices for membership associations to participate in the authentication, and c. Access to a set of safe, PKI-secured third party applications that use these Trusted Digital Credentials.”