29 January 1998
Source:
http://www.senate.gov/~banking/97_10hrg/102897/witness/mossburg.htm
Good morning, Mr. Chairman and members of the subcommittee. My name is Dick Mossburg. I am based at Ford Motor Credit Company's headquarters in Dearborn, Michigan where I am Associate Counsel for Government Affairs. I appreciate and welcome the opportunity to appear before the subcommittee this morning on behalf of the Electronic Commerce Forum of which Ford Motor Credit Company is a founding member.
Ford Motor Credit Company is the world's largest company dedicated to automotive finance with more than 8 million customers in 35 countries. Ford Credit is continuously seeking ways to improve the value of the services it delivers to customers. For that reason, we are very interested in the potential efficiencies that electronic commerce represents.
The Electronic Commerce Forum was begun in March 1996 as an informal gathering of interested legal, commercial, academic and government participants. The Forum provides a venue for open dialogue among leaders in the private sector, academia and key government officers, officials and staff from federal administrative agencies and the Congress. In addition, the Forum has the aim to help educate both the public and private sectors about emerging public policy issues and, we hope we are providing meaningful information and effective guidance concerning developments related to electronic commerce and their implication for business, consumers and society.
The Forum itself has developed a membership dedicated to the establishment and preservation of a flexible legal and regulatory environment that will allow the vast potential of the emerging electronic commerce infrastructure to be fully developed. This infrastructure will be required to effectively serve all users, while at the same time providing for appropriate consumer safeguards.
My testimony this morning will focus on the critical need to establish cogent, uniform national standards for electronic authentication including so-called digital signatures. I will also discuss two other important topics that are closely related to digital authentication: (1) the need to encourage competition among a broad spectrum of providers of electronic authentication services and (2) the establishment of a mechanism to support market regulation and oversight of this new world.
In a sense what has been termed "electronic commerce" can be viewed as a method by which business is transacted in a more direct and efficient way. However, it would not be correct to view electronic commerce merely as an alternative communication or trading channel. The many new technological applications such as smart cards, stored value cards, electronic money, biometric identification devices and the Internet itself enable the creation of entirely new products and services. After all, paper commerce developed over centuries. As the innovative use of paper documentation, such as standby letters of credit, greatly facilitated commercial transactions over vast distances, so too the application of digital authentication has the potential to greatly enhance and expand world trade.
Thus, I begin my presentation with the observation that digital authentication should not be viewed in a vacuum. On the contrary, it must be considered in the context of a rapidly developing global information-based economy that appears destined to coexist with the traditional industrial model. Shaping a new international electronic technology-based economy raises many significant issues that need to be considered. While digital authentication is a very important component of the emerging electronic architecture, it must be integrated with a host of new technological products, services and innovations. At this point, I feel compelled to dispel the mystery that seems to surround this topic. While digital authentication is certainly a significant innovation, it is in essence quite simple and unremarkable. Its purpose is to authenticate both the sender and message; (i.e., to provide proof to the recipient that the message stems from the sender, and that the message's contents have not been altered since leaving the originator). In the paper-based world, methods of authentication are straightforward and well-accepted. The ability to establish binding legal contracts between unaffiliated parties is clear when the transaction is documented on paper or, in the alternative, where the parties conduct their transactions face to face. In these physical world environments, identities of the parties are invariably firmly established and certain. Thus for any written correspondence involving business, legal, or monetary issues, the mark of authenticity provided by an individual's signature is required.
This is not the case, however, in the digital world. For example, while the Internal Revenue Service is attempting to persuade taxpayers to file their tax returns electronically, the IRS still must receive a signed paper copy of each individual's return before issuing a refund check. The reason is that the paper return contains a signature, but the electronic version currently does not.
In other words, the various existing and proposed electronic authentication methodologies represent a fundamental building block for electronic commerce itself . Digital authentication is the key to the widespread use and acceptance of electronic commerce. As such, the development and implementation of all viable forms of electronic authentication should not only be allowed, but should be actively promoted. In order to maximize creativity and innovation, it is vital that participation of the greatest number of responsible providers of authentication devices and services from a broad spectrum of industries be actively welcomed and encouraged.
Computer-to-computer communication is now used to initiate and execute a substantial and growing number of business and financial transactions. Therefore, the problem of authenticating identity and the "signature" of parties using computers to effect a transaction in order to validate that transaction has become critical. The National Institute of Standards and Technology that adopted a digital signature standard in 1994 has recognized the importance of this. In addition, the Information Security Committee of the Section on Science and Technology of the American Bar Association issued draft digital signature guidelines last year. Similarly, the Bar Association's Section of Science and Technology is presently embarked on a project to accredit "cyber notaries" on the international level.
Within the last two years a number of new security standards have been developed to enhance the safety of currency equivalents, credit and payment devices used on the Internet. Examples of these efforts include OTP (Open Trading Protocols) a recently announced standard for credit card transactions on the Internet, endorsed by more than one dozen software developers, hardware manufacturers and financial institutions as well as the SET (Secure Electronic Transaction) protocol used by Visa, MasterCard and American Express. Many of the most recent advances in and applications of digital authentication have focused on, and been applied to, financial transactions. As a result, some have publicly advocated that Federal law should be amended to specifically empower FDIC insured depository institutions to use electronic authentication in their businesses. In so doing, banks and their affiliates would be exempt from any registration or licensing requirements or fee limitations imposed by operation of state law. But according banks--or any particular industry group or segment--such protected status would be tantamount to the creation of a national monopoly for electronic authentication. As is the case in the paper-based world where written signatures are used for myriad purposes--including financial and nonfinancial transactions--so too in the digital realm. Since it can be made more efficient and reliable, ultimately, we believe that digital authentication could supplant written signatures as the preferred method of determining document authenticity. It would therefore be unreasonable to favor one industry or group as the preferred electronic authenticator.
Indeed, market forces may determine that for certain types of transactions (e.g., electronic letters of credit and funds transfers) banks may well be the electronic authenticator of choice. However for a broad range of other types of business transactions, the use of banks to authenticate the validity of communications would be wholly inappropriate. For example, Ford should be free to use any acceptable certification authority to authenticate electronic communications, orders and contracts with its automobile dealers or parts suppliers. For such transactions, Ford may even elect to "self-authenticate."
Digital authentication has the potential to increase efficiency and reduce costs. However if Federal law forces authentication to be funnelled through a limited number or type of institutions, these promised efficiencies and cost savings would be lost. As a result instead of stimulating the development of electronic commerce, its growth will be stifled.
As everyone involved in commercial activities can agree, we find ourselves operating in a world that is constantly changing. The application of electronic commerce is rapidly altering the way in which we conduct business on both the wholesale and retail levels. There is a compelling need therefore to have uniform rules governing the operation and conduct of electronic commerce. However, recent advances in electronic and digital technology severely test the ability of the most diligent government policymakers, regulators and legislators to remain knowledgeable. Moreover, these rapid developments easily outdistance the traditional legislative and regulatory process. Therefore, all too often laws, regulations and rules designed to stimulate and encourage commerce have, on the contrary, become outdated at best, impediments at worst. As President Clinton said this past summer when he released the Administration's paper entitled "A Framework for Global Economic Commerce":
While much activity has taken place in the United States during the past several years, developments outside the United States have also proceeded quite rapidly. As noted in the Administration's paper on global electronic commerce, "[i]nternationally, the United Nations Commission on International Trade Law (UNCITRAL) has completed work on a model law that supports the commercial use of international contracts in electronic commerce. This model law establishes rules and norms that validate and recognize contracts formed through electronic means, sets default rules for contract formation and governance of electronic contract performance, defines the characteristics of a valid electronic writing and an original document, provides for the acceptability of electronic signatures for legal and commercial purposes, and supports the admission of computer evidence in courts and arbitration proceedings."
Given the size and importance of the U.S. market, we believe it is logical and imperative that the United States should be actively involved in the development of uniform global standards for electronic authentication. Notwithstanding its position in the world, developments outside the United States will proceed apace irrespective of what is done in this country.
However, before the United States can play a significant role internationally, it is necessary to examine the wisdom of the current multiplicity of state laws. The lack of uniform nationwide rules may inhibit our country's ability to influence developments beyond its borders. As a result, it may be appropriate to consider the establishment of a federal standard or guidelines.
At the present time, more than 30 state legislatures are developing or voting on digital signature laws similar to the statute enacted in Utah over two years ago. Utah was the first state to recognize legally the validity of digital signatures as an acceptable substitute for, and alternative to, written signatures. In so doing, the Utah legislature attempted to provide a regulatory framework for certification authorities, which I will refer to later. The Utah Digital Signature Act provides for a safe harbor against most liability for those who qualify as certification authorities trusted third parties. However, the Utah approach is technology specific since it is based upon (and recognizes only) public key-based digital signatures.
Unlike conventional cryptography that uses the same key to encrypt and decrypt information, public key cryptography uses a pair of keys one private or secret, and one public to encrypt and decrypt electronic communications. A digital signature is created by a private key and verified by a public key. A sender uses a private key to encrypt an electronic message or document, thereby by "signing" it.
The recipient (or any other third party) can verify the digital signature by using the sender's public key to decrypt the communication. This verifies that the sender was indeed the originator of the message or document, and that the communication has not been subsequently altered, provided only the sender has the private key that created the digital signature. With an appropriately trusted operation, the originator cannot summarily disown his/her signature. When combined with a digital time stamp, the communication can be proved to have been sent at a definite time.
However, the use of a digital signature as an authenticating tool is limited by the ability of the recipient to determine the authenticity of the public key used to verify the signature. Processes and organization structures are emerging to allow public keys and digital signatures to be validated by a certificate attesting to the validity of the key, issued by a certification authority ("CA") which ties the public key listed on a certificate to the originator's private key. A CA can be either a private or public entity that acts as a trusted third party attesting to the validity of an electronic document.
In this way the responsibility for trust is assumed by an objective third party not involved in the transaction or subject matter of the communication. Over time, we anticipate that there will develop a global relationship network of certification authorities; thus CAs in each country can be linked together to provide secure electronic commerce on a worldwide basis. This is only one of many methods that can assure electronic authentication of communications and documents; however, it is the only method recognized under the Utah Digital Signature Act. On the other hand, California's digital signature statute is drafted in a more technologically neutral fashion. Recent regulations implementing this new law, proposed by the California Secretary of State, restrict electronic transactions with state agencies to digital signatures created by "acceptable technologies." Two types of signature technologies that will be specifically authorized are: (1) public key cryptography (the technology exclusively recognized under Utah law) and (2) signature dynamics technology. Signature dynamics is defined a "measuring the way a person writes his or her signature by hand on a flat surface and binding the measurements to a message through the use of cryptographic techniques."
The rules as proposed, however, contemplate acceptance of other technologies, provided they comply with the following criteria:
It should be noted that technologists worldwide are working on other ways in which electronic communication can be identified and authenticated. These include biometric identifiers such as thumbprints, hand geometry, voiceprints, retinal scans and the aforementioned signature dynamics. Despite certain problems with development, particularly with respect to the reproducibility of measurement, many observers see signature recognition or the more complex technology of signature dynamics as potentially a highly acceptable alternative to digital signature. Consumers may find this particularly straightforward, since it is the predominant means of identification used in many transactions today.
Many states have enacted digital signature laws of very limited application. For example, at the present time, the statutes of Arizona, California, Delaware, Iowa, Minnesota, New Mexico, Virginia and Wyoming recognize digital signatures only in connection with communications with or between governmental entities. They do not apply to purely commercial or retail transactions.
Given the conflicting developments under current and proposed state laws, now would seem to be a propitious time to consider enacting overarching federal standards. In this connection, we believe that the following fundamental requirements should be embodied in any electronic authentication legislation considered by Congress:
However as stated earlier in my testimony, we believe that the most critical element of all is the recognition that any entity that possesses the technical capability and has the requisite financial resources should not be barred from offering or providing electronic authentication services and methodologies, consistent with the criteria listed above. Congress should recognize that the provision of alternatives to paper based signatures should not be the exclusive providence of any single industry. As a result, Federal legislation which embodies overarching standards must not be industry specific. So long as any reputable firm is able to provide electronic authentication services consistent with Federal standards, they should be permitted to do so. In other words, consistent with the need to provide appropriate consumer safeguards, the free market should determine which forms and what providers of electronic authentication will be acceptable. Electronic authentication should not become the exclusive preserve of one industry or industry segment.
Similarly, it would be appropriate to permit private sector providers and users of electronic authentication services to undertake the establishment of norms of behavior, including delineating the rights, rules and responsibilities of all affected parties. This would encourage ease of entry for new products and services as well as comprehensively address many outstanding issues on a global basis.
This is especially true during the early developmental stages of a new industry or technology when customs and uses have not been firmly established. As Federal Reserve Board Chairman Alan Greenspan recently observed, "as technological forces alter banking rules and regulations, the regulatory burden is becoming obsolete, outmoded and inhibited." Given the strong incentives of the users and providers of electronic technology to regulate behavior in Cyberspace, the real question is not if a market or activity should be regulated, but what level of government regulation is necessary or desirable. The Administration's paper recognizes the limited role of government in this regard when it states, "governments should encourage industry self-regulation wherever appropriate and support the efforts of private sector organizations to develop mechanisms to facilitate the successful operation of the Internet." And, as Chairman Greenspan recently observed in discussing the history of the U.S. banking system, "government regulation can undermine the effectiveness of private market regulation and can itself be ineffective in protecting the public interest." Over time, market experience and experimentation will provide the framework within which laws can be developed and applied.
There would seem to be two essential requirements for a new cooperative regulatory regime for the electronic commerce industry: (1) support for ease of entry to the market for new products, (assuming reasonable and affordable access to the new products by both individual consumers and commercial entities), and (2) a formalized oversight structure which facilitates problem-solving by institutionalizing continuous interaction and dialogue among experts in the private, public and academic sectors.
Clearly, interdependent federal regulations must also be consistently applied and harmonized with developing international norms. The action of the U.S. Commerce Department, which issued licenses to Microsoft and Netscape to export Internet software containing sophisticated encryption capabilities for use by foreign financial institutions, is indicative of this need. Issuance of export licenses should enable these leading U.S. software firms to be competitive with foreign software providers who were able to attract customers simply by adding this heretofore export restricted encryption technology to U.S. made products.
An important policy objective inherent in any national legislation governing electronic authentication is the need to delineate clearly the roles and responsibilities of all relevant parties. Of primary concern in this regard is the liability of parties using digital signatures and other electronic authentication methodologies. Should there be a limitation on a party's liability for an unauthorized transaction that occurs due to the breakdown in encryption or a fraudulent use of a digital signature? Certificates guaranteeing signatures will have varying levels of trust defined by the assertion made by the certifier. The level of trust, and in consequence the liability adopted by a certifier should be laid down in the contract for service and encouraged through market forces.
We believe that, as is the case for written signatures, digital authentication will be used for a wide variety of purposes. Thus, the requisite disclosures concerning adoption and limitation of liability should be explicitly provided, especially with respect to retail transactions. Clearly the employment of any method of electronic authentication should not compromise or undermine existing consumer protections. Thus, when consumers rely on digital authentication, they should be entitled to have the same notification, disclosure, right of recission and limitation of liability protections that are applicable to similar transactions in the paper-based world. We note that many providers of electronic communication services currently recognize the need to advise consumers who are about to transmit proprietary information over the Internet whether or not such information is protected by encryption. We fully expect that, if for no other reason than to establish consumer confidence, certification authorities will adopt similar disclosure policies.
Recent developments in electronic commerce warrant review of the current system of governmental supervision, regulation and oversight. Historically regulators have been able to regulate by reason of their power to allow access to market entry. Those entities who were unwilling or unable to comply were simply denied entry or confined to very limited activities or functions.
Increasingly, it appears that the regulatory framework must be modified from one focusing on particular corporate charters and industry segments to one that facilitates entry to the market for new products and services. Barriers to affiliation have become irrelevant. There should be a shift away from separately regulating activities of various components of the emerging electronic commerce industry toward a cooperative regulatory system that assures that the diverse participants in electronic commerce can compete responsibly in the new electronic environment.
The world we face is therefore one of unprecedented change, potentially developing into a new age of global commerce. Electronic commerce is at a finely balanced stage requiring, at the same time, both consistency and certainty, as well as flexibility.
On behalf of the Electronic Commerce Forum, I appreciate the opportunity
to have appeared before you this morning. At this time, I would be most happy
to answer any questions.