The Myth of Non-Repudiation
The story of the commercial, professional and administrative uses of electronic communication is a search for trust. Who are we dealing with? How do we know? How certain can we be – or do we need to be? I have reviewed the basics in my column on Authentication and Trust.
Sometimes the search focuses on the technology that purports to offer trust. This can be described in terms of a specific technology, such as dual-key encryption in the framework of a public key infrastructure (PKI), for example. At other times the focus attempts to be technology-neutral, setting out the characteristics of the trust-creation techniques (often a method of signature, though a signature is only one of many methods of authenticating an electronic record).
A common formulation of the technology-neutral description is a four-part test originally developed by the National Institute of Science and Technology in the US and reproduced in essence in statutes around the world. Here is the version used in the United Nations Model Law on Electronic Signatures of 2001:
Article 6.3. An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in paragraph 1 [to be as reliable as appropriate in the circumstances] if:
(a) The signature creation data are, within the context in which they are used, linked to the signatory and to no other person;
(b) The signature creation data were, at the time of signing, under the control of the signatory and of no other person;
(c) Any alteration to the electronic signature, made after the time of signing, is detectable; and
(d) Where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.
It is sometimes alleged that despite the functional description of this method, the requirement can be met only by a PKI system, one that uses a mathematical transformation (or ‘hash function’) of the signature data to allow the testing of the integrity of the signature and potentially of the signed text as well, i.e. to meet the last two criteria here.
Legal systems that set out these requirements generally describe a legal result for meeting them. Thus the UN Model Law rules above are part of a description of how one satisfies electronically a legal requirement that information be signed. If one has those characteristics, one satisfies the requirement (unless the contrary is shown). Meeting similar requirements for an ‘advanced electronic signature’ in the EU Electronic Signature Directive makes the signature the legal equivalent of a handwritten signature (Article 5). Using a ‘secure electronic signature’ under PIPEDA creates a presumption that the person purporting to sign the document did sign it. (See the Canada Evidence Act s. 31.4 for the ability to create presumptions by regulation, and the Secure Electronic Signature Regulations s. 5 for the presumption.)
Sometimes, however, the people devising the law, and particularly the technology, are more ambitious. There is a tendency among some engineers and marketing staff of e-signature vendors to call this result ‘non-repudiation’. If a record has the characteristic of non-repudiation, so it is said, the person alleged to have signed it or originated it will not be able to deny having done so. (In some cases the term is used to mean that the apparent sender cannot deny sending the message, or even that the intended recipient cannot deny receiving it.) It is easy to understand the attractiveness of such a characteristic for many legal documents, among others. Even the International Standards Organization (ISO) has its rules for non-repudiation services and principles.
Some system designers went so far as to include in their coding for a digital signature a single bit that could be – like any binary object – turned on or off. (The concept has been part of the X.509 certificate that is a central part of many PKI models.) The principle was that turning the bit on would signify an intention to be bound by the digital signature that included it. The bit became known as the ‘non-repudiation bit’ or ‘NR bit’. In combination with dual-key encryption that tied the document created with one element of a key pair to the document opened with the other element of the pair, and a hashing function to ensure that the messages had not changed between signing and reading, this was thought to make the whole message non-repudiable.
We have here to some extent the divergence between engineers’ philosophy and lawyers’ reasoning that I explored last year in Lawyers, Engineers and Technology: A Case Study. Lawyers see different kinds of things at issue, or more things that can go wrong. It must be said that some of the technologists are getting the picture. A recent Request for Comments (RFC), the form in which many of the technical standards applicable to e-communications are expressed, published by the Internet Engineering Task Force (IETF), distinguishes between ‘technical non-repudiation’ and ‘legal non-repudiation’:
“Technical non-repudiation”: Refers to the assurance a relying party has that if a public key is used to validate a digital signature, then that signature had to have been made by the corresponding private signature key.
“Legal non-repudiation”: Refers to how well possession or control of the private signature key can be established.
It is clear that the mathematical integrity of dual-key encryption is complete. It still works. Theoretical breaches have been made on some hashing algorithms, but not to the point of a practical attack. But even from a technical non-repudiation standpoint, that does not get one very far. One needs more than the math. Consider the factors as set out in the Model Law:
The signature creation data (the signing key and the reading key) are linked to the signatory (the purported signer) and to no other person. How do we know the link? Maybe the signatory told us. Maybe there is a ‘certificate’ attesting to the link. How trustworthy is the certificate? While its text may be reliable (being itself digitally signed), do we know how the certification authority issued it? How thoroughly did they test the assertions of identity and of control of the signing device? The Model Law sets out some criteria for trustworthiness of a certifier, but they are all in ranges of reliability.
The signature creation data were, at the time of signing, under the control of the signatory and of no other person. How can a person seeking to avoid repudiation by the signatory prove that? How effective is the ‘control’? Does the signatory know if his or her system has been hacked? Access to the mathematically secure system is usually by user-ID and password, much more vulnerable methods than the signatures themselves.
The last two conditions, about detectability of alterations to the signature or the signed information, are ‘easier’ to satisfy, if one has a good hashing method.
A lawyer might question the ‘technical definition’ on its use of the word ‘assurance’. How sure does one have to be before one has assurance? The question is similar to that posed to legal duties to ‘ensure’ that something happens. How sure must one be before one has ‘ensured’ something? (Ultimately for legal purposes it is a judge who has to be sure, or who has to be persuaded that the degree of assurance attained was reasonable.) Information security systems are frequently expressed as attaining particular levels of assurance, which is to say that some assertions are more sure than others. This is not surprising or problematic, except when one uses terminology that suggests certainty.
Thus when faced with a ‘technical’ assertion of non-repudiation based on the presence of an NR-bit, one might respond, ‘I did not create that bit’, or ‘The bit did not come from my machine’, or ‘I was not using my machine at the time’, or ‘I did not know that my machine would create that bit’. The presence of the bit does not deal with any of these challenges.
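As an added illustration (not code from the column, the RFC or any vendor), the Go program below builds a certificate carrying the NR bit, signs a document and verifies the signature. Go names the X.509 nonRepudiation key-usage flag ContentCommitment; the functions `NewSigner`, `Sign` and `TechnicalNR`, the subject names and the sample document are my own constructions. Everything the program can establish is the ‘technical non-repudiation’ of RFC 4949: the signature matches the key in the certificate and the document is unaltered. Nothing in it answers any of the challenges in the paragraph above, because any holder of the key produces an identical result, and the bit is merely a flag the issuer chose to set.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSigner builds a key pair and a self-issued certificate naming the signatory. With
// nrBit set, the key-usage extension carries the nonRepudiation bit (Go: ContentCommitment).
func NewSigner(name string, nrBit bool) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // constructed fixture, not a certificate from any real CA
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if nrBit {
		tmpl.KeyUsage |= x509.KeyUsageContentCommitment // the 'NR bit': one flag, set by the issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}
// Sign hashes the document and signs the digest. Whoever holds key gets an equally valid
// result, so control of the key (criterion (b)) cannot be read off the signature itself.
func Sign(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}
// TechnicalNR is all the mathematics establishes: this signature was made with the private
// key matching cert over exactly this document (criteria (c) and (d)), and nothing more.
func TechnicalNR(cert *x509.Certificate, doc, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(doc)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Whether the certificate carries the NR bit makes no difference to what `TechnicalNR` can check, and a second signature from the same key, by whoever holds it, verifies exactly as the first does.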
Some statutes went down that path for a while too. Utah’s Digital Signature Act (1995) was a pioneer. It provided that the use of a digital signature from an approved system created a presumption that the person identified in a certificate as associated with that signature intended to be bound by the document (s. 46-3-401(3)). This presumption drew criticism on the ground that many computer users would not know if their system was working well, and might lose control of it. The nightmare headline: ‘grandma chooses weak password, loses house’. The Utah statute was later repealed in favour of the less demanding but more flexible Electronic Transactions Act.
Looking back to RFC 4949, the definition of legal non-repudiation ‘refers to how well possession or control of the private signature key can be established.’ This sounds like a sliding scale, and so it is. Some systems and configurations establish the control of the signing system better than others. Some cases will have better evidence than others.
However, there is a lot more going on in any attempt to give legal effect to information (say a document) than this. There are many grounds on which people may repudiate the alleged legal consequences of a document that appears to bear their signature or otherwise to be attributed to them – or even if attribution is admitted or proved. Some go to the creation itself, some to the consequences. Consider these examples:
- I did not intend the legal consequences of creating that NR-bit (or that document);
- I was not of full legal capacity at the time:
  - I was under age;
  - I was drunk;
  - I was mentally incapable of forming a legal relationship;
  - I was under duress;
- The legal consequences of the document are not as alleged;
- Some other law (consumer protection? form requirements?) invalidates the document;
- The transaction is illegal and thus unenforceable;
- I made a mistake of law;
- I made a mistake of fact.
No technical information, no functional requirement can put a text beyond repudiation. Just as the form of a signature tells you almost nothing about its legal effect, so too the technicalities of its creation or the creation of the text do not produce any automatic legal result. And the reverse is also true: one never has to have ‘non-repudiation’ in order to get one’s evidence of attribution or of effect believed. One needs to persuade a court on a balance of probabilities, or perhaps beyond a reasonable doubt, but those are matters of judgment, not of compliance with a technical standard. And even finding technical compliance requires judgment.
Non-repudiation is a matter of degree. Are some methods of attribution better than others? Of course. Are some compilations of evidence of capacity, intention and action likely to persuade a court that the purported author of a document did create it, send it, receive it, or even be bound by its content? Certainly. But only in hindsight can one say that the document could not be repudiated, because a court has so held. Non-repudiation is not a characteristic that can be built in from the outset; it is not a characteristic at all, it is a goal, a result.
The RFC mentioned earlier has absorbed that note of caution. In what it calls a ‘tutorial’, it says this:
Non-repudiation service does not prevent an entity from repudiating a communication. Instead, the service provides evidence that can be stored and later presented to a third party to resolve disputes that arise if and when a communication is repudiated by one of the entities involved.
One wonders in the face of this lesson why such an absolute word continues to be used. But one sees the term used to this day. See this security device from Spyrus that ‘offers enhanced confidentiality, integrity, and nonrepudiation’ (page 2). Can the non-repudiation be ‘enhanced’? If so, what does it mean?
Authentication, confidence and security are all matters of degree. One never has them 100 percent; one has more or less of them, and one needs more or less of them for different purposes. Non-repudiation, while like them in practice, has the disadvantage of being framed as an absolute, and its form often tempts people to use it as an absolute, a characteristic one has or does not have. In this usage, non-repudiation is a myth, and too misleading to leave in lawyers’ or engineers’ vocabulary.
[The end of this article links to some other useful sources on the topic.]
Great article! (And that’s coming from an engineer ;)
Some more background for folks interested is in the link below. The conclusion of the article below is that our only hope is to use trusted-computer systems to be able to use the words non-repudiation. Not sure if that requires Trusted Networks or not, or if truly trusted communication can be accomplished somehow just using trusted computers, thus avoiding the problem of falsifying/creating data in transit.
[McCullagh & Caelli, ‘Non-Repudiation in the Digital Environment’ (2000)]