A few years ago, the United Nations Commission on International Trade Law (UNCITRAL) was reported here to be considering a project on identity management and trust services. That report outlined some of the legal and practical issues that these matters raise, and some of the options for going forward.
To nobody’s surprise, UNCITRAL did adopt a project on this topic, and its Working Group on Electronic Commerce has been considering it since 2017. A list of the principal policy documents and records of the Working Group’s discussions is here.
Recently the UNCITRAL Secretariat has released two Working Papers in preparation for the next meeting of the Working Group in April. The first, WP.157, is a set of draft provisions of some kind of legal instrument (type to be determined) on identity management (IdM) and trust services. The second, WP.158, is a commentary on the draft provisions that needs to be read with them.
The basic issue to be resolved in the project is trust among parties to e-commerce, domestic and global. Here is how the Secretariat puts it in WP.158 (para 3 -5):
- … One important component of online trust is the ability to identify each party in a reliable manner, especially in the absence of any prior in-person interaction. Over the years, various solutions have been suggested to address the need for online identification. This has led to a proliferation of methods, technologies and devices used to manage identity. Addressing the legal aspects of IdM at a global level has the potential not only to bridge these different solutions but also to encourage interoperability between IdM systems regardless of private or government operation.
- Several obstacles to the broader use of IdM and trust services exist. Some obstacles are of a legal nature, and include: (1) a lack of legislation giving legal effect to IdM and trust services; (2) divergent laws and approaches to IdM, including laws that are based on technology-specific requirements; (3) legislation requiring paper-based identification documents for entering into online commercial transactions; and (4) the absence of mechanisms for cross-border legal recognition of IdM and trust services.\
- The main objective of the work of the Working Group is to address these obstacles through the development of uniform legal rules. These rules serve several purposes: to increase efficiency; to lower transactions costs; to increase the security and legal certainty of electronic transactions thus establishing trust; and to bridge the digital divide.
The draft provisions of WP.157 contain a lot of options, for alternative scopes, approaches and wording. They can be hard to read in the absence of the guide in WP.158, and sometimes need the help of prior UNCITRAL working papers as well. For example, a lot of conceptual definitions were discussed at greater length in WP.150 in 2018.
While the main focus of the proposed IdM rules are international commercial transactions, the provisions have been drafted in a way that they could be used for domestic legislation as well. The closer the cross-border rules and internal rules resemble each other, the easier it is for business people to operate at both levels.
Further, the rules are aimed at “trade-related government services” as well (WP.157, draft article 1(2)). This refers mainly to communications among importers and exporters and the government agencies involved in approving their transactions, primarily the customs authorities. A harmonized IdM system would support the operation of a “single window” system, in which all documents required for import or export flow through one channel for review and approval.
Finally, the rules contemplate application to “physical and digital objects”, not just legal persons, a recognition of the importance of identifying the participants in the Internet of Things – though the commentary notes (WP.158 para 11) that objects cannot bear liability if things go wrong.
The definitions offered in the draft are sometimes subject to vigorous policy debates. The draft offers two versions of “identity”, for example: one that requires an identity to be unique to the subject of inquiry, and another that requires only that the subject be “sufficiently distinguished” to allow a transaction to proceed.
A key term is “level of assurance” – the degree of confidence that one may have in the identification and authentication processes. One has to look at the vetting process – how did a subject qualify for his/her/its identity credential – and the authentication stage – how sure are we that the person/entity offering the credential is the subject named in it? Deciding how to describe different levels of assurance, especially in ways that make different identification systems comparable for cross-border transactions, is a major challenge for the draft rules. These are two quite different questions, depending on different evidence, and one might argue that different levels of assurance could attach to each.
One could also ask if the credential was being used for the purpose for which it was issued, if that were limited.
The operational provisions of the draft rules do not spell out how one differentiates between what is needed for a level one credential, for example, and what might be needed for a level two or three. In addition, how closely can the level of assurance be tied to the legal effect of offering a credential at that level, in a text of such potentially broad application?
Identity management rules
Chapter III of the draft instrument set out the rules for determining the reliability of methods of IdM, which is the heart of the project.
The first provision deals with the standard UNCITRAL principle of “functional equivalence”: how does an electronic document do what existing rules require of a paper document? The answer, given in two alternative formulations, is that the electronic IdM meets the requirement for paper IdM if “a reliable method” is used that verifies the relevant attributes “in accordance with the same level of assurance.” While this is right in principle, it does not help much in deciding whether the method used was reliable.
Article 9 allows one to consider any agreement between the parties or certification by a trusted authority in making that determination.
Article 10 sets out criteria by which reliability may be presumed. These provisions – all currently in square brackets, meaning all very tentative – present a kind of catalogue or checklist of factors to consider. . It will be noted that they are in principle independent of a “paper standard” of reliability; they stand on their own, though they can be used for the comparative purposes of article 8 as well.
1. (a) [Description of the minimum set of appropriate rules on how IdM systems should work, including on audit, insurance, certification, liability, termination, and other issues relevant for determining the level of assurance];
(b) [Description of mechanisms to ensure and verify that participants follow the rules]; and
(c) [Description of mechanisms to ensure publicity of the compliance of the IdM system with the minimum set of appropriate rules].
The extent to which the Working Group plans to fill in these provisions with actual operational standards is not clear. In any event, the resulting text will probably be technology neutral, in that it will not require the use of any particular technology in order to achieve its legal results. In an era of quickly evolving technology – such as the use of mobile devices for payment, and distributed ledgers – this traditional UNCITRAL policy is still important.
Since these are presumptions only, parties can adduce other evidence of reliability, or of unreliability.
These articles are described in WP.158 as “ex post” rules, in that they apply to determine reliability of an IdM method after the method has been used. Article 11 describes an “ex ante” rule, namely a determination by a body authorized by the state adopting IdM legislation that a particular method is reliable – at least to satisfy the functional equivalence rule in article 8, if not the general application presumptions of article 10. Any such determination must be made in accordance with “recognized international standards”, in part to maintain the credibility of the rules and in part to facilitate cross-border recognition of the results in international transactions.
Chapter III also deals with the obligations and liabilities of “IdM system operators” such as certification authorities. Their obligations are set at a high and abstract level to start:
Article 12. 1. An IdM system operator shall:
(a) Attribute the relevant identity credentials to the appropriate person;
(b) Ensure the online availability and correct operation of IdM processes.
“Appropriate” and “correct” are not defined in the text.
The other obligation of an IdM system operator is to notify relevant persons if it becomes aware of any significant breach of security or loss of integrity of the IdM system. Likewise, “users” of the IdM system (another undefined term, but probably meaning subjects of IdM and contracting parties) must notify the IdM system operator of any compromises they know or suspect.
IdM system operators are to be liable – or to “bear the legal consequences” – for damages caused by failure to comply with the obligations. The Working Group will discuss if the liability requires a finding of negligence or intention. However, the operators may limit their liability with respect to the value of transactions using their system or by compliance with applicable IdM standards, contractual limits, or systems rules – unless the operators were grossly negligent or wilfully misconducted themselves.
The Secretariat reminds readers of WP.158 (in para 63) that the degree to which operators of a PKI certification authority should be allowed to limit their liability is controversial. The whole point of certification is to avoid loss to those who rely on certificates, so if the certificates themselves disclaim liability, what good are they? Previous UNCITRAL publications are noted on this issue.
The notes in WP.158 point out that the liability rules as drafted apply to a public sector IdM operator (para. 59) but might be different for one that performs different functions such as certifying foundational identity rather than only transactional identity. The intention is that the IdM rules will apply only to transactional identity, leaving foundational identity to others (usually the state.)
Trust services rules
The draft instrument then turns to “trust services”. A trust service is “an electronic service that provides a certain level of reliability in the qualities of data” (article 4(j)). Trust services mentioned in the text are electronic signatures, electronic timestamps, electronic archiving, electronic registered delivery services, website authentication and electronic escrow. The Secretariat asks (in para 70) if the assurance of integrity of the electronic text should be including among trust services, given that in its Model Laws, integrity has been an element of an “original” document but not expressly called for in e-documents generally. Should it be separated out for attention here?
The Secretariat also asks if trust services should expressly include electronic seals (para 71 – 74) and electronic proofs of presence (para 82).
The provisions dealing with each of these services say that a legal requirement to provide them is met if “a reliable method is used” to perform the relevant function. The rules about signatures and archives contain additional language drawn from the UNCITRAL Model Laws on Electronic Signatures (re signatures) and Electronic Commerce (the writing requirements, re archiving.)
As in the previous chapter on IdM, the trust services chapter sets out the basis for presumptions of reliability. The rules in this case are taken from the Model Law on Electronic Signatures that have influenced a lot of legislation around the world. A footnote points out that the language in WP.157 is still restricted to signatures, but that it can be modified to apply to all the trust services described in the chapter.
Article 15 1. A method is presumed to be reliable for the purpose of satisfying the requirement referred to in article 14 if:
(a) The signature creation data are, within the context in which they are used, linked to the signatory and to no other person;
(b) The signature creation data were, at the time of signing, under the control of the signatory and of no other person;
(c) Any alteration to the electronic signature, made after the time of signing, is detectable; and
(d) Where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.
There is a good deal of writing available that points out the difficulties of applying some of these rules even to signatures, or of achieving the standards described. However, they are not a bad start for the Working Group’s discussions.
It may be of interest that the Secretariat distinguishes between levels of assurance, a notion applied to identity management, and levels of reliability of trust services. (para 83, 84) “Identity credentials offering a high level of assurance could be used for trust services with different levels of reliability”, and thus the concepts and language should be kept distinct.
Article 10 of the Model Law on Electronic Signatures lists several factors of reliability (“trustworthiness”) of those who certify the identity of users of electronic signatures, considering their “systems, procedures and human resources”. To date the Working Group has not moved to apply these to trust services generally, but something similar may be developed in the future.
The remaining provisions of Chapter IV on trust services resemble those of Chapter III on identity management: “ex ante” rules on determination of what methods of providing trust services are reliable; obligations of trust services providers and rules about their liability and the limits to it.
The draft instrument concludes with a provision on legal recognition of foreign IdM and trust services, being essentially a non-discrimination rule: foreign assertions are to be given the same legal effect as domestic ones, based on the same criteria. This too was influenced by the Model Law on Electronic Signatures.
The final article requires specified authorities, public or private, engaged in this area, e.g. those that give ex ante approval to IdM or trust methods, to cooperate with their foreign counterparts, notably on certification principles and practices, the determination of levels of assurance (IdM) and reliability (trust services), and on discussion of recent developments affecting any of these topics.
Setting standards and rules for authentication systems has long been a challenge, and much debate has flowed and many rules have been devised about them over the past couple of decades. There was some concern as UNCITRAL approached this topic that it could involve many years of ultimately inconclusive effort.
UNICTRAL’s resolve so far is to adhere to its usual principles of e-communications laws and to avoid getting tied up in specific rules for specific situations. It learned in preparing all its model laws, and notably in the recent Model Law on Electronic Transferable Records, that there is virtue in simplification, and that some knotty problems (like uniqueness for transferable records) can disappear with a proper understanding of their purpose and context.
The documents discussed in this note are the first concrete steps towards a global legal regime on IdM and trust services, taken with an awareness of European Union precedent (notably the Electronic Identity Management and Signature – eIDaS – Regulation) and other regional documents. The debate will be lively and probably long.
Based on what we have seen in the working documents, it is fair to say, “so far, so good.” (If you disagree, or want to propose a better way, feel free to use the Comments below to do so.)