Mutual Recognition of Methods of Authentication

This essay examines an international dimension of trust in electronic commerce: how to give legal recognition in one country to electronic documents from another. Recognition involves attributing legal status to electronic messages exchanged across borders. The usual phrase is “mutual recognition”. Mutual recognition means reciprocal recognition: A recognizes B’s e-documents because B recognizes A’s.

It is not logically necessary for cross-border recognition to be mutual. A could recognize B’s reliability standards and thus give effect to its documents even if B does not return the favour. However, in practice it is likely that a country that accepts another country’s standards does so because they reflect its own. Further, it is likely to be more politically acceptable to ensure that one’s own country gets the same treatment abroad as it is giving to foreign communications at home.

Different legal mechanisms may achieve that goal. Some of those legal mechanisms will apply to certain types of transactions (for instance, business to business (B2B), such as shipping manifests, or business to government (B2G), such as customs forms). Other legal mechanisms will apply only to specific types of documents or data sets, or to specific types of trust services (e.g. electronic signatures). Some legal mechanisms will establish legal recognition regardless of the method or technology used, while others are technology specific.

With respect to legal form, some mechanisms are treaty-based and therefore may be directly legally binding (being “self-executing”), though other countries may need to legislate for treaties to have a domestic effect. Several countries’ laws on electronic signatures say expressly that if standards in an international treaty to which the country is a party contradict the rules set out in the statute, the treaty’s provisions prevail. For example, the Mongolian Law on Electronic Signatures, article 2, says, “If an international treaty to which Mongolia is a party is inconsistent with this law, then the provisions of the international treaty shall prevail.” (Some academic authorities suggest that this rule is rarely applied automatically, without supporting legislation.)

Other mechanisms favour harmonization of legal systems through the adoption of uniform laws. Still other mechanisms are based on memoranda of understanding and similar technical arrangements.

The UNCITRAL Model Law on Electronic Signatures provides that a state will not discriminate against an e-signature from a foreign state if the foreign signature is created by a method whose reliability is substantially the same as that of the state called on to recognize it. This phrase serves to indicate that legal recognition (mutual or not) can follow the general principle of technology neutrality. It is the effect of the system that counts, not its detailed operation. While it may be possible to spell out technological equivalences in detail, it is also possible to indicate functional equivalents of reliability standards that will allow for mutual recognition of one’s electronic communications though they are different in design or operation.

In that context, in my view the temptation to specify one technology to be used internationally should ideally be resisted in favour of technology neutrality. It is tempting to look for mutual recognition based on specific versions of specific technologies, since everyone can be largely certain of compatibility (though one should not underestimate the complexity of comparisons even there). But technological specificity can be a barrier to innovation and efficiency.

Harmonization of legal regimes is a good start, but it does not take one all the way to mutual recognition.

Likewise, harmonization of paper trade documents is clearly worthwhile, and such harmonization often flows from membership in sector-specific trade or procedural agreements. But one still looks for reliable authentication of the source and integrity of the harmonized electronic documents.

How does one ensure consistency of standards for countries that one does not control? One looks to an international agreement. Several attempts have been made to harmonize standards for digital signatures (i.e. those based on dual-key cryptography), the technology recognized very broadly around the world. The focus is often on the operations of the “trusted third party,” the certification service provider, also known as the certification authority – CA. (The “third” party is one independent of both the signer and the person who wishes to rely on the signature.)

The policies and practices of these intermediaries are very detailed, because there are a lot of factors to consider in deciding who somebody is and whether a document has been altered.

Comparing these policies and practices in detail (known as “mapping” them against each other) involves reviewing whether each concept and step in one’s own system has an equivalent in the other – at the level of hardware, and software, and enrolment practice, and key and certificate management – and whether the total of all the concepts and steps is a system that is at a similar level of reliability. This takes a lot of work and a lot of judgment. There is work at the design stage in principle, and in practice at the application stage, i.e. when a person or transacting party must decide if it trusts the certificate that has been offered to it.

Considerable efforts have been made over the years to design “cross-certification” procedures for this purpose, with at best mixed success. European experts have worked for decades on technical standards, without definitive results, though the EU issued a directive on the subject in 1999 and a regulation in 2014.

The process usually involves comparing levels of assurance provided by different procedures or technical applications, so that country A’s levels match country B’s. For example, a frequent goal for such schemes is to describe four levels of assurance for certificates of digital signatures, from low or basic to high. One country’s level 2 certificate would then be recognized in another country for a purpose that required a level 2 certificate there. (Or one country’s level 2 certificate could be recognized as equivalent to another country’s level 3 certificate. There is no magic to the labels.)

But each country’s requirements – and each business’s requirements within the country – will depend on its own analysis of the risks of reliance, and its tolerance for risk in the circumstances. Different activities will present different risks. What A will rely on, B may find unreliable – whether A and B are individuals, trading partners or public authorities. Their judgment may also change over time.

How much does one trust other states to adhere to the agreed standards? Are their governments and regulatory systems honest and competent? Suppose the government changes: do the certificates stay reliable? It is arguable that cross-certification will work only where there is a very authoritative establishment and governance of a consistent standard by a very trusted body or group of bodies.

Clearly the closer a group of countries can come to adopting a common standard for authentication, the less they need to compare and evaluate similar or not-quite-similar systems (policies and practices), and the more confidently they can recognize other members’ signatures or (more likely) digital certificates.

It can be noted here that the Eurasian Economic Union (EAEU), being Russia and several other members of the Commonwealth of Independent States, has been developing its “transboundary trust environment” for several years. (See its Declaration of 6 December 2018 – in Russian, despite its URL – notably article 2 on developing cross-border space of trust, mutual recognition of legal importance of digital processes and services.) In short, even with similar and closely cooperating states with community institutions, the task is difficult.

Moreover, UNCITRAL’s Working Group on Electronic Commerce is exploring identity management and trust services, but a legal framework will not likely be available to interested governments for some years. A first draft of a set of rules was considered at the meeting of the Working Group in November 2019 and a second draft was published for the meeting planned for April 2020, now deferred.

Ways forward?

It may be that some progress may be made on a smaller scale, rather than by seeking a global formula for mutual recognition that is more specific than the ideal of equivalent reliability.

  • The EAEU system spoke mainly of doing public sector (G2G) trusted communications in the early years. Maybe that is a workable limitation to explore somewhere. Governments might exchange public signing keys directly with each other, avoiding technical questions about the practices of certification authorities. They could also build in other practical authentication measures so as not to put all their eggs in the same digital basket. For a small number of countries and a small number of communicators, e.g. customs to customs, this might work.
  • As noted earlier in Slaw.ca columns here, here and here, several trade-related treaties provide for at least the option of electronic documents. As a rule, the treaties themselves do not contain authentication procedures. However, it may well be that trading documents are signed with a digital signature and transmitted from a source or by a method that officials in the destination country are willing to accept, based on this provision.
  • Just as Customs offices are encouraged by international instruments (such as the Kyoto Convention on customs administration) to make decisions on inspections and border crossing procedures based on an assessment of the risks presented by different kinds of shipment, so too those offices and others involved in trade approvals (inside or outside a Single Window) may judge that some electronic communications from known sources with familiar contents present little risk of forgery or mistake and thus decide to give them legal effect. Trust is never an all-or-nothing question. Trust management is a form of risk management.
  • It may be that government-based authentication systems are considered most trustworthy – and if private parties are relying on government-issued authentication, such as national identity cards, to obtain signature creation data, their certificated signatures can be more persuasive not only at home but in neighbouring countries. The European Union’s Electronic identification, authentication and signature regulation (eIDAS) works largely in this way for this purpose. The eIDAS regulation also has detailed technical specifications for “advanced” and “qualified” electronic signatures which are not generally used across national boundaries even in the EU.
  • There may be potential in private authentication systems that parties could buy off the shelf, or subject to adaptation to needs, that would operate in the same way in more than one country. Private vendors are offering full-service PKIs, all elements supplied, for a price. Numerous businesses in developed countries are now using DocuSign or Adobe signatures, which come with their own authentication technology and procedures. Certificates are recent additions to such services. Transacting parties in different countries may use the same technology, or they use technology from different vendors whose reliability is nevertheless held to be substantially the same. It may be wise for legislators to leave room for such private systems as they evolve.
  • Domestically, some systems can be established so that the relying party can also be the certification service provider. For example, the province of Ontario in Canada allows lawyers to submit land transfer records electronically to the land titles register. They do this with a digital signature issued by the operator of the land titles system – which confirms their status as lawyers with the Law Society. The signatures may not be used for any other purpose. This reduces the risk of misidentification and unexpected or irremediable loss outside the system and can let transactions proceed. It may be harder to do this across a border, but treaty-based standards might allow it in certain fields of activity.
  • Some countries already provide in their e-commerce laws something like this (from Mongolia’s Law about Electronic Signatures):

Article 17. Certificate of digital signature abroad
17.1 A certificate issued in accordance with the relevant legislation of Mongolia may be used in Mongolia.

This could work in more than one way. It could involve inviting a foreign (presumably closely related) certification service provider to harmonize its standards and practices with Mongolia (or other country with a similar provision), at least for certificates to be used in Mongolia. Presumably, some Mongolian regulator would have to decide in an authoritative way that the foreign certificate was in practice issued in accordance with Mongolian law. This might be done without engaging in a full-scale cross-certification of a CSP’s entire range of services.

Another way it could work, for example under the Azerbaijan rule in its Law about electronic signature and electronic document, article 16, is that the foreign entity applies for a certificate in the country of destination of the documents (and perhaps goods or services). If necessary, the operating documents themselves could be altered to suit the standards of their destination. That process could in some cases be easier and cheaper than setting up testing systems to support mutual recognition.

Such a workaround would be feasible only where the volume of trade was enough to justify the reformatting, but that is also true of a mutual recognition scheme.
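To make the smaller-scale options above concrete, here is an added example (not code from the column or from any of the schemes it mentions) of how a relying agency could implement three of them at once: a registry of public signing keys exchanged directly with counterpart agencies, so no certification authority's practices need to be mapped; a policy table translating each counterpart country's assurance levels into the relying country's own scale, in the spirit of the "level 2 equals level 3" discussion; and a purpose restriction on each key, as in the Ontario land-titles arrangement where the signature may not be used for anything else. It assumes Ed25519 signatures from the Go standard library; the country labels "A" and "B", the agency names, the level mapping and the sample documents are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// TrustedKey is one entry in a relying party's registry of public signing keys
// received directly from a counterpart agency, with no certification authority
// in between. Country, Agency and Purpose are constructed labels.
type TrustedKey struct {
	Country string            // issuing country, named as in that country's own scheme
	Agency  string            // e.g. "customs"
	Level   int               // assurance level as labelled by the issuing country
	Purpose string            // the only document type this key is accepted for
	Key     ed25519.PublicKey // the directly exchanged public key
}

// levelMap translates each foreign country's assurance labels into the relying
// country's own scale. Sample policy values, constructed for this example: the
// mapping is a policy decision agreed between the parties, not a computation.
var levelMap = map[string]map[int]int{
	"A": {1: 1, 2: 2, 3: 3, 4: 4}, // A's scheme matches ours label for label
	"B": {1: 1, 2: 3, 3: 4},       // B's level 2 is treated as our level 3
}

// Registry holds the relying party's directly exchanged keys.
type Registry struct{ keys []TrustedKey }

// Add registers a counterpart's public key.
func (r *Registry) Add(k TrustedKey) { r.keys = append(r.keys, k) }

// Verify reports whether doc, carrying signature sig, is acceptable for the
// stated purpose at the required domestic assurance level. Every refusal comes
// with a reason suitable for an audit log.
func (r *Registry) Verify(doc, sig []byte, purpose string, required int) (bool, string) {
	for _, k := range r.keys {
		if !ed25519.Verify(k.Key, doc, sig) {
			continue // not signed under this key; try the next one
		}
		if k.Purpose != purpose {
			return false, fmt.Sprintf("key of %s/%s is restricted to %q, not %q", k.Country, k.Agency, k.Purpose, purpose)
		}
		local, ok := levelMap[k.Country][k.Level]
		if !ok {
			return false, fmt.Sprintf("no recognition mapping for %s level %d", k.Country, k.Level)
		}
		if local < required {
			return false, fmt.Sprintf("%s level %d maps to local level %d, below required %d", k.Country, k.Level, local, required)
		}
		return true, fmt.Sprintf("signed by %s/%s, recognised at local level %d", k.Country, k.Agency, local)
	}
	return false, "signature does not verify under any directly exchanged key"
}

// Demo builds a registry from freshly generated keys for three counterpart
// agencies and returns the verdicts on four constructed documents.
func Demo() []bool {
	var reg Registry
	signers := map[string]ed25519.PrivateKey{}
	for _, k := range []TrustedKey{
		{Country: "A", Agency: "customs", Level: 2, Purpose: "customs-declaration"},
		{Country: "B", Agency: "customs", Level: 2, Purpose: "customs-declaration"},
		{Country: "B", Agency: "land-registry", Level: 3, Purpose: "land-transfer"},
	} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		k.Key = pub
		reg.Add(k)
		signers[k.Country+"/"+k.Agency] = priv
	}
	decl := []byte("constructed customs declaration, shipment 42")
	var verdicts []bool
	check := func(doc, sig []byte, purpose string, required int) {
		ok, why := reg.Verify(doc, sig, purpose, required)
		fmt.Printf("%-5v %s\n", ok, why)
		verdicts = append(verdicts, ok)
	}
	// 1. A/customs at A's level 2, for a purpose needing our level 2: accepted.
	check(decl, ed25519.Sign(signers["A/customs"], decl), "customs-declaration", 2)
	// 2. B/customs at B's level 2, which maps to our level 3: accepted at level 3.
	check(decl, ed25519.Sign(signers["B/customs"], decl), "customs-declaration", 3)
	// 3. B's land-registry key used on a customs document: refused by purpose.
	check(decl, ed25519.Sign(signers["B/land-registry"], decl), "customs-declaration", 1)
	// 4. Document altered after signing: verifies under no key at all.
	sig := ed25519.Sign(signers["A/customs"], decl)
	altered := append([]byte{}, decl...)
	altered[len(altered)-1] = '3'
	check(altered, sig, "customs-declaration", 1)
	return verdicts
}

func main() { Demo() }
```

The point of the design is that every judgement the column describes as hard (is this certification practice equivalent to ours? does their level 2 mean our level 2?) is pushed into two small, explicit policy artefacts, the key registry and `levelMap`, that the relying agency controls and can change when its risk tolerance changes, while the only cryptographic question left is whether the signature verifies under a key it received directly.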

All these challenges may inspire some policy makers to review the desirability of a simpler form of signature, or even the removal of a signature requirement entirely. The United Nations Centre for Trade Facilitation (UN/CEFACT) reviewed many alternatives to signatures in its Recommendation 14, originally published in 1979 and updated in 2014 to reflect current practices and technology. This text encourages states to reduce as much as possible the instances where any kind of signature is required, noting the desirability of other forms of authentication. Annex B.2 of Rec. 14 lists several electronic alternatives to handwritten signatures, without stating any preference among them for particular purposes.

From this list one may draw at least two conclusions: first, that a detailed mapping of one system against another can be complex, since so many different goals are being sought by each system. Each user, almost, and certainly each industry and each country, may have its own evaluation of the risks it is subject to, the risks it is willing to support, and the acceptability of somebody else’s assurance of trustworthiness.

The second conclusion, more optimistic, is that there may be flexibility in finding at least some elements of a system that one can be comfortable accepting from elsewhere.

Summary

At this stage mutual cross-border recognition of electronic signatures is an ambition rather than a reality in much of the world, even in advanced e-commerce regimes. Countries may be party to many of the international instruments on harmonizing trade practice standards, but those to which they are a party often contain little detail about how those standards may be met electronically. When they do provide detail, the detail may sometimes make the systems too cumbersome to work in practice, so shortcuts are taken – or international transactions do not happen.

And yet …

Today, international electronic transactions do take place, in great number. What explains the volume of global e-commerce transactions, despite the lack of a widely recognized mutual recognition method? Here are some possible explanations.

  • Authentication is not done by signature but by document. As noted elsewhere, several factors help authenticate documents that do not depend on the details of the identity of the originator or technical compliance with security procedures. These factors may include contextual details of the transaction itself and its history.
  • Authentication may not be mutual but unilateral.
  • The principal means of authentication is by means of payment. Consumers and small businesses identify themselves, and more important their solvency, by credit card – and the card issuer authenticates the holders for its purposes. Larger businesses use recognized bank payment systems like SWIFT. If the money is secure, identification is less important.
  • Businesses make other arrangements, such as Trading Partner Agreements, by which they agree ahead of time what will be satisfactory authentication for each transaction (as contemplated by article 7 of the UNCITRAL Model Law on Electronic Commerce).
  • Mutual recognition schemes try to solve the problem of high-value transactions between strangers. Such transactions may simply not be as common as the problem statement presumes. Transactions among strangers are for low value – within the risk of error – and high-value transactions are with known parties or those where a one-off rather than systemic confirmation is arranged.
  • Trust is a multi-factor system. No one element needs to carry all its weight.
  • Trust is built on a sliding scale and is not mechanical. Pretty good authentication may suit the purposes of transacting parties. Trust management is a form of risk management – and each party may have its own risk tolerance and risk evaluation, and some parties will transact where others do not – but enough do that global volumes are high (though it is worth verifying if it is “high” as a percentage of overall trade.)

[This column has been adapted from part of a report on the regulatory framework for e-commerce in the Central Asia Regional Economic Cooperation (CAREC) project, made to the CAREC Institute and the Asian Development Bank.]

Comments

  1. Is there a role for the blockchain (distributed ledger technology) in mutual recognition questions? How would that work? Who gets to contribute the blocks to the chain? Why are the digital signatures of the contributors exempt from the challenges of any digital signature system? Who runs that system?

    I am willing to learn what I currently don’t understand about this topic. What I think I may understand is set out in two Slaw columns: Is the Blockchain Too Expensive?, and Blockchain Legislation: Too Soon?

  2. A few excerpts from Professor Patrick Murck’s article “Who Controls the Blockchain” published in Harvard Business Review, April 19, 2017:

    “In a blockchain transaction, you don’t have to trust your counterpart to perform their obligations or properly record transactional data, since these processes are standardized and automated, but you do have to trust that the code and the network will function as you expect. And just how immutable are blockchain ledger entries if the network becomes politicized? As it turns out, not very.
    …The blockchain is truly an innovative approach to governance for networks and machines. But we must resist the temptation to anthropomorphize code and misapply machine governance to social systems. Code is law for machines, law is code for people. When we mix up these concepts, we wind up with situations like The DAO [Decentralized Autonomous Organization].

    The power of blockchain technology is that it can algorithmically enforce private agreements and community principles at a global scale by shifting the cost of trust and coordination to the network. This is what allows blockchains to create new markets where they couldn’t exist before, whether for political or for economic reasons. To do this, we have to be able to trust the blockchain, and to trust that no one controls it.”

  3. Thanks, Verna. I think that Professor Murck is saying what Professor Carla Reyes has written as well – sources in my second blockchain article above – that blockchains are themselves governed, and there are good questions to be asked about how they are governed.

    One may ask if the governance of blockchains becomes yet another intermediary in transactions – an intermediary of a different sort, but possibly less transparent than current ones, and less subject to known (and democratically determined) rules of conduct.

    I discussed the DAO mentioned by Professor Murck in my 2016 Slaw article on smart contracts. That article raises a few other governance and policy questions that still merit consideration, including in discussions about authentication and thus mutual recognition.