24 September 1997
Source: The American Banker
By Thomas P. Vartanian
Fried, Frank, Harris, Shriver & Jacobson
Financial fraud depends heavily on perpetrators' ability to hide their identities or assume those of others. Because the Internet is a medium for anonymous communication, it has been and will continue to be a breeding ground for innovation in electronic fraud.
Proponents of electronic commerce seek to limit this risk through the use of digital certificates and similar methods of electronic authentication and verification. This raises a complex question for the trusted third parties, many of which may be banks, that certify the issuance and use of public keys in the digital signature arena: What does it mean to certify that a specific public key represents X in a world where the identification of X is an imprecise science?
Authentication must be the starting point in any electronic network transaction. Lacking the customary modes of physical identification, the parties to a faceless transaction in cyberspace need proof from a third party that each party is who he or she purports to be.
In the physical world, the verification of identity plays a central role in a wide range of commercial and governmental applications: passports and immigration; the receipt of Social Security and other federal or state financial benefits; applications for credit cards or driver's licenses; and the establishment of and access to a bank or brokerage account.
Fraud is widespread in many of these areas because identities can be assumed, camouflaged, and invented with relative ease.
In 1996 Congress attempted to address the complexities of identity verification in the context of immigration and employment eligibility. It seriously considered the establishment of a national verification system. Business groups opposed it as a burdensome intrusion on employers. Ethnic and civil liberties groups opposed it because it was seen raising serious privacy issues and facilitating discrimination.
The law that was enacted, Public Law 104-208, merely required the implementation of three pilot programs to test the effectiveness of workplace verification.
The legislative record, including hearings on July 9 by the House Banking Committee's subcommittee on domestic and international monetary policy, underscored the numerous pitfalls built into the identification process and the need for a sense of legal certainty in order to nurture the growing electronic commerce business.
The fact that primary identification documents, such as birth certificates and Social Security cards, may be easily counterfeited complicates electronic authentication because issuance of digital certificates will in part depend on the presentation of such documents. Indeed, there is today no standard methodology under law to authenticate an identity with legal certainty.
Some states, such as Utah, attempt to resolve the issue of certificate authority liability by establishing specific standards of conduct and performance. But even then, such laws exculpate certificate authorities only if they satisfy their obligations under the law, which may include confirming that the subscriber is the person to be listed in the certificate.
Multiparty and multistate transactions complicate the issue further, particularly because state digital signature laws are not uniform.
Though authentication is important in business-to-business transactions - and perhaps easier because of the familiarity between companies that are constantly dealing with each other digitally - it is critical to the creation of successful consumer electronic commerce. Given the importance and difficulty of identification in the borderless world of cyberspace, the time may be appropriate to consider national identification verification standards.
Today, if a financial institution opens an account for a customer it must determine how to authenticate the customer's identity. While federal law requires the institution to establish ownership of the account, it does not yet dictate how that should be achieved.
The Federal Reserve Board is drafting rules to interpret and codify a bank's "know your customer" obligations. There are, of course, the conventional means of identification (driver's license, passport, Social Security number, employee identification), checked against credit bureau information and followed by a mailing to the stated address. But the primary documents may themselves be forged. And who, if anyone, certifies them? And under what procedures?
Though current authentication procedures often work effectively enough, they may not be sufficient for electronic commerce, where many of the traditional attributes of physical identification are not present. Moreover, given the fundamental differences in the time, volume, and velocity of transactions in cyberspace, the dynamics and risks of authentication can change dramatically.
In the digital world, if the role of a certificate authority is to electronically match a person with a cryptographic key or set of keys, it makes sense to establish a universal methodology for doing so-even though it is understood that given the imperfection in the underlying systems, absolute verification of an identity may not be possible.
When it comes to the execution of electronic transactions, a certificate authority may not be in a position to control unauthorized use of a valid certificate issued to X. For example, Y may borrow or steal X's personal computer, which carries a digital certificate for executing transactions in X's name.
What actions should a certificate authority be required to take in this imperfect system to certify that X's public key actually is being used by X? To allow the electronic marketplace to operate effectively and efficiently, at a minimum certificate authorities must be able to achieve some level of certainty that if they have prudently conducted the due diligence required, they cannot be held responsible for fraud or malfunctions. National Identification Verification Standards-NIVS-would underscore that there should be only a limited range of actions for which a certificate authority should be held responsible in an electronic transaction.
These standards eventually would need to be truly universal because of the globality and borderlessness of cyberspace. Moreover, such standards could level the playing field vis-a-vis the different levels of trust that might otherwise be accorded certificate authorities of various sizes, financial capacity, name recognition, and national origin.
What should the elements of these national verification standards be? The more that the system relies on primary "root" documentation (paper or electronic) certified by the originator, the greater the certainty, albeit imperfect, that the certificate authority can achieve.
The adoption of an integrated certification data base accessible to all certificate authorities must also be explored. A network that will allow each certificate authority to cross-reference digital certificates and confirm the issuance of multiple certificates to the subscriber will allow the digital signature market to function more efficiently and safely.
From a legal point of view, a digital certificate is a form of warranty. Warranties ascribe and allocate rights in a transaction, a business that commercial banks happen to understand quite well. But a digital certificate is not meant and should not be viewed as unlimited insurance for the use of the certificate or the successful completion of an electronic transaction facilitated by that certificate.
In that regard, the adoption of these standards might facilitate the development of a national market for certificate authority errors-and- omissions insurance. It might also facilitate the creation and operation of what one observer has called "cybernotaries."
Without uniformity in the authentication process, the efficiencies of certificates and the effectiveness of electronic commerce will be undercut.