Authentication and Trust – Some Preliminary Thoughts
Before giving legal effect to any piece of information, people want to know whether the information can be trusted. What is this information? Where does it come from? How sure must they be of the answers to those questions?
At a basic level these are not even legal questions. They are not addressed particularly to the content of the information, though the content can help answer them. They are about the medium and not the message. They are questions of authentication.
Authentication questions apply to information in any form and in any medium. Electronic documents do not need ‘more’ or ‘better’ authentication than documents on paper. However, they do sometimes present novel difficulties in answering the underlying questions. Some of the difficulties are inherent in the medium, and some arise only because we are less familiar with electronic media than with paper. Centuries of widespread literacy have built norms of prudence into our thinking for paper records. People are still learning what is prudent with electronic records, and the evolution of the technology keeps changing the answers.
This column will review some of the issues that authentication presents for information in electronic form and some of the solutions that have been found or proposed for them. Subsequent columns will explore some of them in more detail.
I will start, like a typical lawyer, with two qualifications to what I just said, that these are not legal questions. By that I mean that one does not even begin legal analysis of a text before knowing whether to bother, whether the text itself is reliable. Who cares what it means if I can’t trust it? However, one element of trust is knowing whether one can prove the reliability if there is a dispute. Thus the law of evidence is relevant to what one will consider satisfactory authentication. What is prudent depends to a large degree on what is provable.
Furthermore, the content can be relevant because the law sometimes imposes requirements of form on particular kinds of document before legal effect can be given to them. A common example is a will, which must in much of the common law world at least be in writing, signed by the testator in the presence of two witnesses. In essence, the law declares that the content is so important, or the risk of error or fraud is so great, that formal safeguards must be used. Being confident, or being able to prove, that a will is complete and accurate and originates from the testator is not good enough authentication. (One could further qualify those statements with respect to holograph wills and some other rules about disposition on death, but one resists the digression.)
Authentication here describes the activity of the person who is thinking of using or relying on the document, and not that of its creator. Sometimes the term is used otherwise. Article 1 of the Uniform Commercial Code, for example, defines a signature as an action taken with present intent to authenticate the record. We can take that to mean to provide evidence by which the eventual relying party can determine the source of the signed record, in order to trust it – in short to authenticate it, in our usage.
These issues are of course not matters of first impression. One could conceive of many of the discussions about the law of e-commerce and e-government as questions of appropriate authentication. An interesting overview of the Principles of Electronic Authentication in Canada, developed by a team of public sector and private sector experts, was published by Industry Canada in 2004. I have gone on at length about it in “Electronic Legal Records: Pretty Good Authentication?” and in “Authentication Rules and Electronic Records”, (2002) 81 Can. Bar Rev. 529.
How much authentication?
Trust is relative. How much does one have to trust something in order to consider it authenticated? In the absence of a legal standard, such as for wills as mentioned, it is up to the user, the relying party, to decide when he, she or it is satisfied. As a rule, the relying party takes the risk of inauthenticity, whether negligent or fraudulent (assuming that the fraudster cannot be found or is judgment proof), so that party gets to set the standard – which may vary from user to user.
Time for a TRA – a threat-risk analysis. No surprises here: what are the chances that the document is not genuine, who is likely to want to corrupt it, how easy would it be for an attacker to do so, how much do I lose if the document is not good, how much do I gain if it is good? It is a security-oriented cost-benefit analysis. So some knowledge of computer security is essential to an effective TRA, though one may substitute trust in the party with whom one is dealing, or at least in a history of uncontested transactions. Pretty good authentication may be enough.
Different uses of information may require different levels of assurance. Likewise, different security techniques may justify different levels of assurance in their products. An authentication policy may prescribe the use of particular methods to get access to, or to rely on, particularly sensitive information.
Trust may change over time. What was secure last year may not be secure next year. Attacks only get better; they don’t get less effective. What one demands in order to authenticate a document may evolve too.
It is said that one cannot establish trust through the same channel of communications that is used to convey the information to be trusted. That would amount to saying ‘trust me because I am who I say I am’. As a result, people rely on communications by separate channels, independent evidence of identity or reliability, or intermediaries to certify trustworthiness, to build a base for authentication.
This is readily seen in the widespread use of SSL (Secure Sockets Layer) certificates for secure web communications. Web browsers come loaded with certificates that the browsers’ creators consider reliable, and secure web sites offer those certificates to people dealing with the site to show that the site is operated by those who purport to operate it. The data transmitted is also secured during transmission. SSL allows authentication to be automated, which in turn permits mass e-commerce. SSL is not perfect, but it is good enough for most purposes.
Identity and data authentication
To rely on a document, one needs to know that both parties have a common text – that the data are authenticated – and one needs to know who one is dealing with – that the identity is authenticated. These present separate questions. Data authentication is arguably simpler, a matter of hashing (taking a ‘digital fingerprint’ of the information), though degrees of security are available, as usual.
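As an added illustration of data authentication by hashing (my own example, not code from the column or from any of the systems it mentions), the following Python takes the SHA-256 ‘digital fingerprint’ of a text, shows that a one-character alteration changes it, and adds a keyed variant (HMAC) as one of the ‘degrees of security’ just referred to. The contract text and the shared key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the text both parties believe they hold in common.
ORIGINAL = b"The purchaser shall pay CAD 10,000 on delivery of the goods."
# Constructed: a one-character alteration that a relying party must be able to detect.
ALTERED = b"The purchaser shall pay CAD 19,000 on delivery of the goods."
# Constructed: a secret the two parties are assumed to have agreed in advance.
SHARED_KEY = b"example-shared-key-agreed-in-person"


def fingerprint(data: bytes) -> str:
    """SHA-256 'digital fingerprint' of a document, as 64 hex characters.

    Anyone can compute this, so it authenticates the data only when the
    relying party obtained the expected value through a separate, trusted
    channel (read over the phone, printed on a paper copy, and so on).
    """
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(received: bytes, expected: str) -> bool:
    """True if the received bytes still match the out-of-band fingerprint."""
    # Constant-time comparison: a plain '==' can leak, through timing, how
    # many leading characters of a candidate fingerprint were correct.
    return hmac.compare_digest(fingerprint(received), expected)


def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: a fingerprint that only holders of the key can produce.

    Because someone without the key cannot produce a valid tag for altered
    text, the tag may travel with the document itself instead of needing a
    second channel. It still identifies only 'someone who holds the key',
    not a named person: that is identity authentication, a separate question.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_tag(key: bytes, received: bytes, tag: str) -> bool:
    """True if the tag was produced with this key over exactly these bytes."""
    return hmac.compare_digest(keyed_tag(key, received), tag)


if __name__ == "__main__":
    fp = fingerprint(ORIGINAL)
    print("fingerprint matches original:", verify_fingerprint(ORIGINAL, fp))
    print("fingerprint matches altered :", verify_fingerprint(ALTERED, fp))
    tag = keyed_tag(SHARED_KEY, ORIGINAL)
    print("keyed tag matches original  :", verify_keyed_tag(SHARED_KEY, ORIGINAL, tag))
    print("keyed tag matches altered   :", verify_keyed_tag(SHARED_KEY, ALTERED, tag))
```

The plain fingerprint is the weaker of the two only in the sense that it depends on a second channel (the point made above about not establishing trust through the same channel that carries the information); the keyed tag moves that dependency into the prior exchange of the key.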
It is common to distinguish among identification (establishing who someone is in the first place), authentication (proving that a person is who he or she purports to be, once you know the possibilities – in other words, the relying party knows the ‘right’ answer already) and authorization (giving the authenticated person appropriate access to programs or information).
Identity authentication usually relies on evidence of what the person to be authenticated knows (such as a password or access code), or has (such as an ATM card or cryptographic token) or is (such as biometric data or distinctive handwriting). These days security concerns tend to lead to demands for ‘two-factor authentication’, which ideally should mean two types of factors from these three different types of authentication methods. If identity is to be certified by a trusted third party, then that certifying authority will want to use more than one method of verification for greater security.
Identity authentication raises a couple of legal policy issues and a big technical one.
First, authentication may not require a signature. A signature is one method of authentication, but where the law does not expressly require a signature (and it usually does not), then no part of an electronic communication need ‘be’ a signature. However, there must be a way for the relying party to authenticate the source of the information. I will not change my legal position based on information when I do not know where or who the information comes from.
Second, authentication of identity may raise privacy issues. There is at least a potential tension between precise authentication and the control of personal information. That is why the Ontario government is required, in setting up ‘public facing’ authentication systems for transactions between the government and the public, to prepare not only a TRA but a PIA – a privacy impact assessment, to ensure that no more personal information is being sought than necessary, and that the information is protected against misuse (Government of Ontario Policy for Public Facing Identification, Authentication and Authorization, Version 8.1, April 2010, section 3. page 4.). This topic is dealt with as Principle 4 of the Industry Canada Principles referred to above.
The Ontario system, and others like it, attempts to design a single, readily understandable way for a person to identify himself or herself to the government, without making that single sign-on technique serve as a single key to all the personal information that the government holds on the individual. Such a key would present too much risk of abuse. An additional layer of authentication is needed for the individual to access or transact with particular departments or programs.
The technical issue about identity authentication arises from the benefit of having identification systems be interoperable. Websites can be known by SSL certificates. How are individuals identified? Is one certification system as good as another? Can one transmit trust across systems? What standards exist? These questions have been around for a while; there was debate about standards for ‘cross-certification’ in public key infrastructure (PKI) systems in the 1990s. Renewed efforts are being made to develop such standards in ‘federated identity management’ projects. These projects are in principle technology neutral, that is, they do not rely solely on PKI technology, though PKI is a part of them.
One hopes that the very complex and painstaking work on federated identity management will produce an authentication system that will be transparent and easy to use for the originators and users of the records that it applies to.
Public records
Authentication issues take on a new dimension in the public sector. (I have speculated about some of these issues here.) Private sector communications may set authentication methods and allocate the risk of faulty authentication by contract. Public bodies often require information from people against their will, without any contract. Must the technology for authentication and the resulting risk allocation be prescribed by statute? Other techniques exist, including the use of authorized technology and mandatory enrollment in the communications system.
Even more interesting questions arise when the communication comes from government to the citizen (including business interests). How does one prove that a document is ‘official’? To some extent this is still identity authentication, where the desired identity is the state, because the state is presumed to be sufficiently trustworthy as to its documents. Seals and the signatures of public officials have performed that authentication function on paper. The Evidence Act in many jurisdictions makes such documents self-authenticating. Ontario’s section 29 is an example.
What happens electronically? Here are four responses, most of them works in progress, worth keeping an eye on.
The unique identifier for authentication: The electronic record contains a unique identifier that links to the appropriate file in a secure government data base. The user of the record can readily verify the information in it with the official source. This reduces the temptation for the producer of the record to falsify its contents. This method is used in Ontario for electronic certificates of corporate status and of corporate leadership. It is also used to authenticate electronic writs of seizure and sale (writs of execution), in which case the unique identifier that links to the court’s file is also designated to be the seal of the court.
The electronic notary: The notary is a public officer whose main function is authentication, or providing evidence for authentication by others. To date Canadian notaries do not function electronically, though Quebec has been working on a system for civil law notaries for some time. Some American states have authorized this practice, however, and the Uniform Law Commission last month adopted the Revised Uniform Law on Notarial Acts. The Uniform Act still leaves some decisions on technology to governments, at least if they choose to intervene.
The electronic apostille (and register): Under the Hague Conference on Private International Law’s Convention on the Abolition of All Forms of Legalization, member states may authenticate public documents for use in other member states by use of a certificate called an apostille. Though the Convention dates from 1961 (and now has about 100 member states – though not yet Canada), it does not require apostilles to be on paper. The Hague Conference has been working (with the National Notary Association in the US) to develop a system of electronic apostilles, and a few countries have started producing them. The prospect raises issues of common vs proprietary technology, compatibility of systems, credibility of the electronic certification of the certifiers, and the like.
The report of the June 2010 meeting of the Hague Conference’s workshop series underlines (in paragraph 3) the benefit of supporting the e-apostille with an e-register – which functions like the unique identifier system mentioned above. Some countries are working only on the e-register. The Convention requires a register, but in practice no one has recourse to it, since that would require international correspondence. An electronic version promises much easier use and is likely to change the practice of apostille-based authentication as a result.
Tying authentication to privacy again: the Conference recommends (in paragraph 5a) that the numbers that the Convention requires to be on the apostilles be generated randomly, or at least not sequentially, to make it difficult for someone to ask for details about an apostille without having the actual apostille in hand. This reduces the risk of inappropriate discovery of personal information in the public document underlying the apostille.
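The e-register of the previous paragraph and the recommendation on non-sequential numbers can be put together in a small model. The following Python is an added example, not code from the Hague Conference or from any registry; the register class, the sample documents and the identifier formats are constructed assumptions. It records a document’s SHA-256 fingerprint under the number printed on the certificate, lets a relying party verify a document in hand against the official entry (the unique identifier method described earlier), and includes the check a register operator would run to confirm that one number legitimately in hand does not lead to other people’s entries.

```python
import hashlib
import hmac
import secrets


class Register:
    """Constructed model of an e-register (not any real registry's software).

    Each entry maps the number printed on a certificate to the SHA-256
    fingerprint of the certified document and the name it was issued to.
    """

    def __init__(self, sequential: bool):
        self.sequential = sequential   # True models the discouraged design
        self._next = 1
        self._entries = {}

    def issue(self, document: bytes, issued_to: str) -> str:
        """Record a document and return the number to print on its certificate."""
        if self.sequential:
            ident = f"{self._next:08d}"          # 00000001, 00000002, ...
            self._next += 1
        else:
            ident = secrets.token_hex(16)        # 128 random bits, 32 hex chars
            while ident in self._entries:        # vanishingly unlikely, but cheap
                ident = secrets.token_hex(16)
        self._entries[ident] = {
            "sha256": hashlib.sha256(document).hexdigest(),
            "issued_to": issued_to,
        }
        return ident

    def lookup(self, ident: str):
        """Return the entry for a number, or None if the register has none."""
        return self._entries.get(ident)


def verify(register: Register, ident: str, document: bytes) -> bool:
    """Relying party's check: the number resolves, and the document in hand
    hashes to the fingerprint the official source recorded for it."""
    entry = register.lookup(ident)
    if entry is None:
        return False
    return hmac.compare_digest(entry["sha256"],
                               hashlib.sha256(document).hexdigest())


def probe_adjacent(register: Register, known_ident: str, attempts: int) -> list:
    """Design check for the register operator: starting from one number that is
    legitimately in hand, try the next `attempts` numbers in order and return
    those that resolve to an entry. A well-designed register returns an empty
    list, meaning one certificate reveals nothing about any other."""
    base = 10 if register.sequential else 16
    width = len(known_ident)
    start = int(known_ident, base)
    found = []
    for n in range(start + 1, start + 1 + attempts):
        candidate = format(n, f"0{width}{'d' if base == 10 else 'x'}")
        if register.lookup(candidate) is not None:
            found.append(candidate)
    return found


# Constructed sample documents and the names they are issued to.
DOCS = [
    (b"Birth certificate, constructed sample A", "A. Example"),
    (b"Diploma, constructed sample B", "B. Example"),
    (b"Power of attorney, constructed sample C", "C. Example"),
]

if __name__ == "__main__":
    seq, rnd = Register(sequential=True), Register(sequential=False)
    seq_ids = [seq.issue(d, who) for d, who in DOCS]
    rnd_ids = [rnd.issue(d, who) for d, who in DOCS]
    print("sequential: first number", seq_ids[0],
          "leads to", probe_adjacent(seq, seq_ids[0], 10))
    print("random:     first number", rnd_ids[0],
          "leads to", probe_adjacent(rnd, rnd_ids[0], 10))
    print("document verifies against register:", verify(seq, seq_ids[0], DOCS[0][0]))
```

With sequential numbering the probe from the first certificate finds the other two entries at once; with 128-bit random numbers it finds nothing, which is the property paragraph 5a of the Conference report is after. Note that the register still returns whatever metadata it stores, so the choice of what to store (here only a fingerprint and a name) is the other half of the privacy question.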
Authentication and Preservation of State Electronic Legal Materials Act: The Uniform Law Commission has also been developing uniform legislation on state primary legal material in electronic form, such as statutes and regulations, administrative codes and registers, and case law. Ontario and Canada give ‘official’ status to their online statutes and regulations, in that they can be cited in court. However, both the Legislation Revision and Consolidation Act, R.S.C. 1985, S-20, section 31 and the Legislation Act, 2006, section 34 in Ontario make the ultimate official version the one on paper in the hands of the appropriate legislative authority. In practice lawyers and courts in Canada seem content to rely on online versions of case law, whether the courts’ web sites or CanLII – pretty good authentication in the circumstances.
One could also mention in the public sector the various questions of justice system authentication – e-filing, e-service, e-records and orders, as well as the e-decisions just referred to. These questions will have to await another column (perhaps by another author, though I did a brief exploration in “The Law Goes Electronic”, [2009] Annual Review of Civil Litigation). The paperless practice of law raises lots of authentication questions too, but that issue is well in hand in Slaw already. Those hungering for more will want to attend the Canadian Forum on Legal Technology in Ottawa next month.
There is a bit of judicial authority that information on an ‘official’ web site is more readily admissible in court than information would be from a private site: see ITV Technologies Inc v WIC Television Ltd at paragraphs 16 and 17. The main challenge to such information would probably not be its authentication but its nature as hearsay, which takes us beyond our topic.
Authentication for the longer term
Authentication is not just a matter of ‘legal effect’. The reliability of a document can affect the acquisition or retention decisions of a librarian or archivist. Those professions, as well as lawyers, need to consider authentication over time, not just as a one-off decision. Some legal documents need to be reliable for a long time (e.g. deeds of land or wills, and official documents like statutes or treaties). This may affect whether one relies on electronic versions at all, as well as the cost of different media and of keeping all information constantly not only readable but verifiable with changing technology. The National Archives of Canada used to have, and may still have, a policy not to accept digitally signed electronic documents, because the certificates supporting the signatures would not be valid for long enough to allow for authentication in the foreseeable future.
Conclusion (until next time)
Authentication is a cornerstone of the legal world, online as well as offline. It thus produces issues in almost all fields of activity, private and public. It is not all about signatures, or about encryption. It is about risk management for evolving technology in a world of multiple uses by multiple users. It is therefore a topic that we will be able to, indeed have to, explore again. Your suggestions for refining the conceptual framework presented here would be welcome for that enterprise.