Somewhat paradoxically, as an increasing number of states are enacting laws to authorize and regulate the use of digital signatures, the prospects for efficiently developing electronic commerce are harmed.
The possibility that 50 states may enact 50 different digital signature laws creates considerable uncertainty for multiparty, multijurisdictional transactions.
While federal preemption may be a solution, it would not resolve other issues that would arise in global electronic commerce.
The keys that are generated by a computer's software and applied to a message transmitted electronically may be viewed as a secure electronic envelope that must be properly opened before the message inside can be read. But there are degrees of security and authentication.
Tom may want to send a secure message to his mother. If he encrypts it with Mom's public key, Mom would then apply her private key-known only to her-to decipher the message. But this only assures Mom that the message has not been altered or read by anyone else. It does not establish that Tom sent the message.
Alternatively, if Tom uses his private key to encrypt the message, anyone can look up his public key and decipher it.
In neither of these examples is both the sender and the security of the message simultaneously authenticated.
However, if Tom encrypts the message with both his private key and Mom's public key, when Mom applies her private key and Tom's public key, both the identity of the sender and integrity of the message can be established. (See graphic.)
State laws or the rules that enforce them may define what a digital certificate authority, or CA, certifies, and establish the situations in which liability may attach. They may similarly determine the size and nature of transactions in which certified digital signatures may be used and the maximum amount of liability that CAs will assume.
The rules may also establish the life span of a particular electronic signature, the respective rights of the parties, the periods within which repudiation or rejection of a transaction may occur, the nature of the evidence that must be offered to prove the existence of an effective certificate, the obligations and rights of the CA, and the authority and obligations of any party from whom the CA receives its "root" certificate.
This last point raises the issue of the need for CA hierarchies and whether either law or practice will require a class of more trusted, super CAs to vouch for them.
In the absence of a specific electronic signature or certification law, bankers playing a role in these transactions would have to satisfy themselves that there is a sufficient legal predicate, certification agreement, and enforcement mechanism for them to certify the existence, use, and validity of an electronic signature.
In addition to the provisions that would normally be included in a written contract signed in the physical world (which operates under state commercial transaction laws, the Uniform Commercial Code, unclaimed property laws, the statute of frauds, jurisdiction and severability of liability), several areas should be addressed in a CA agreement.
These include: allocation of the various risks in the transaction; limitations of risk; bank regulatory and other supervisory concerns, limitations, or conditions; financial incapacity or insolvency of responsible parties; the cost of a certificate; care, maintenance, and protection of the certificate.
Also, instances under which the certificate may be revoked, suspended, or terminated; the circumstances in which particular certificates can be used and how long they are valid; the need for insurance to cover potential losses; indemnities, guarantees, and hold-harmless arrangements between contracting parties and their CAs; and disaster recovery procedures.
The commercial application of digital signatures and the potential liabilities of the parties under the Uniform Commercial Code and traditional theories of tort and contract law have been explored by prominent scholars and authors.
But the increasing involvement of banks in the new world of retail electronic commerce raises a host of other issues from a regulatory point of view.
For example, Zions First National Bank was awarded a contract to act as a key repository for signatures certified under Utah's landmark digital signature law. Zions has applied to the Office of the Comptroller of the Currency to establish a federally chartered trust bank to perform this and other functions.
Important fiduciary, safekeeping, law enforcement, security, and liability issues will arise for a key repository. Once a key that is used to generate a digital signature is transferred to any entity for safekeeping, it raises the possibility that the owner may claim that a transaction was electronically consummated in his or her name by someone who must have improperly appropriated the key.
No federal law directly governs these issues or imposes uniformity among the various jurisdictions whose laws may apply to them.
A similar consideration in the establishment of banks as CAs involves the concerns of regulators.
While a CA may optimally choose to contract away liability for defects in the certification process, the applicability of federal and state banking laws still must be evaluated.
The issuance of a certificate and custodianship of digital signature keys may in some ways be compared to the underwriting of insurance risks, a standby letter of credit, or a guarantee. In other ways, it may closely resemble the types of responsibilities that fiduciaries often undertake with respect to trusts or similar investment or advisory arrangements.
In situations where no specific banking law or regulation is directly applicable, any banking activity must still be measured against safety and soundness concerns.
Electronic payment transactions may also be governed by credit card and payment system rules, and perhaps even international laws, rules, treaties, or directives-raising the multiple-jurisdiction issue and related confusions.
Federal preemption would seem inevitable if the states are unable to achieve uniformity on their own. Until uniform commercial standards and rules applicable to the issuance and use of electronic signatures exist worldwide, the relationship between parties to an electronic transaction and the allocation of liability among them will have to spring from the draftsman's keyboard.