E-Commerce, Technology and Neutrality

Can the Law handle our Electronic Future?

(This article was originally published in the iTech Supplement of the Times of Malta in August 2002)

During the last few years the Internet has re-shaped what we understand with business, creating a whole new marketplace, trans-bordered with a click of a button. Innovations from the technology industry are constantly transforming the boundaries of present conceptions of trade, leaving the lawmakers trying to keep up with the e-commerce race. But can they?

Technology neutral frameworks have become a mantra to e-commerce legislators. Yet what is meant by 'technology neutral' is not always clear. Some advocate for the position that legislation should not address the special issues raised by any specific technology whilst others simply hold that legislation should not unfairly favour one technology over another. Attaining the technology neutrality ideal is not an easy task to accomplish.

E-commerce law has mainly evolved to address questions of integrity, availability, non-repudiation, confidentiality and authenticity of data communications, giving clear legal guarantees to businesses, and consumers alike, that the Internet is secure and can be trusted as a tool for electronic commerce. The recent exponential growth of electronic commerce has been the direct result of the optimism that many security problems can be solved through the use of encryption and digital signatures.

The benefits offered by ongoing advancements in technology are increasingly shifting paper based communications to digital ones, creating new legal issues that where not imaginable the day before. The writing and signature requirements are only a small part of the myriad of long-established legal principles that had to be revised.

Beyond Digital Signatures

Authentication techniques are one of the most evident obstacles posed to the technology neutrality ideal as e-commerce is hampered by the authentication problem.

Present security and authentication mechanisms in business applications heavily rely on digital signatures and Public Key Infrastructure (PKI). This does not mean that these methods are the only available. Creating a digital signature involves encrypting a numerical representation of an electronic message with a private encryption key, which the owner keeps secret; verifying a digital signature involves decrypting the encrypted data using a related public encryption key, which can be made widely available on-line.

The importance to the lawmaker in understanding the technology involved cannot be overstated. Some flaws in cryptography-related legislation can be partly attributed to inadequate technical knowledge on the part of policymakers. Legislators have largely focused on what digital signatures can accomplish but failed in keeping good track of new authentication techniques.

Surely, digital signatures will continue to play a significant role in the rise of electronic commerce but this should not mean that legislation should stop there. Technology-driven legislation that does not encompass the development of new authentication models could result in a stalemate where technology innovations are restrained by laws that are not geared towards the future. Such situation would mean that business models would not be allowed to evolve naturally in the electronic marketplace, hindering all the good prospects of growth that the Internet offers to a changing business world.

Laws should avoid driving the private sector in adopting only one particular technology for electronic authentication to the exclusion of other viable authentication methods.

Verifying the identity of a person is crucial for electronic commerce transactions. The provision of smart cards and other methods of biometric authentication, (such as retinal scans), are some of the options that are presently being considered both by the industry and various discussion fora. Whether these developing technologies will be as widespread as the use of digital signatures and encryption still remains to be seen. Even though such new methods are still rather expensive, when compared to the digital signature counterpart, laws should be capable of embracing them easily. Having technology neutral laws is one answer.

The need for consensus

Another serious problem threatening the growth of the Internet as a business enabler is the absence of internationally recognised legal standards. A digital signature, even though lawfully recognised in country A could well be considered as invalid in country B. Due to the fact that e-commerce knows no geographical boundaries, this can result in jeopardising the shift of the business world in the online dimension.

International proposals on the standardisation of e-commerce, such as the United Nations Commission on International Trade Law (UNCITRAL) Model Law on e-commerce, champion that rules should neither require nor hinder the use or development of authentication technologies. Present authentication methods will undoubtedly change over time. It is desirable not to have legislation that might preclude innovations or new technology applications.

The need for international consensus emerges from the concern that legislation addressing one particular form of electronic authentication may have the unintended consequence of inhibiting other appropriate authentication models. This would result in slowing down the development of other technologies that might be equal or superior to current methods of authentication.

Legislating technology

Technical standards and the law were never good friends. E-commerce is full of such examples, as it is quite difficult to draft laws that are inherently connected with technological standards when new standards are constantly developing so rapidly.

When a country is considering the adoption of an e-commerce and digital signature legislation, it has to ensure the creation a sound legal environment, where advances in technology do not raise uncertainties within the law itself. Different approaches have been suggested throughout the world.

Countries like Germany, Italy and Malaysia opted for what is known as a prescriptive approach. Such approach does not allow for other methods of security other than those specifically laid down in the law itself. Having the law technologically driven as in these countries means that heavy amendments would be required when new technology develops.

A contrasting approach is the minimalist approach as followed by the EU by adopting Article 7 of the UNCITRAL Model Law. Such technology neutral legislations exemplify the importance that it is better to deal solely with the legal effect of digital signature and e-commerce security in general rather than legislating on the technological issues themselves. Subscribers to this approach hold that introduction of new technology happens so fast, (or the legislators are too slow to keep up with it), that the law is always one step behind. This has the effect of causing uncertainties within the market itself.

The Maltese E-Commerce Act

Malta is only now starting to get into the grips that the promotion of e-commerce has to be identified as a desirable public policy goal.

The Maltese Electronic Commerce Act, enacted by Parliament earlier this year, is intended to be sufficiently flexible to meet new technological developments. It lays down a secure legal basis for the conduct of electronic commerce on a technology neutral basis.

The Act conforms to EC Directive 1999/93 on a Community framework for electronic signatures and draws on a variety of sources, including UNCITRAL Model Law on E-Commerce as well as various national legislations. It provides for both electronic signatures as well as advanced electronic signatures, as found in the EU Directive and Singapore legislation, amongst others.

Wisely, the Maltese legislator has opted to adopt laws that remove specific, well-defined barriers to e-commerce, thus allowing the electronic marketplace to evolve unfettered. Establishing a legal infrastructure that can accommodate new technologies without dramatic new legislation is fundamental.