| Jane Kaufman Winn
SMU School of Law
Dallas, TX 75275
www.smu.edu/~jwinn
jwinn@mail.smu.edu

Carl Ellison

U.S. Perspectives on Consumer Protection in the Global Electronic Marketplace
Comment P994312 to the Federal Trade Commission
March 26, 1999 - Final Version

Regulating the Use of Electronic Authentication Procedures by US Consumers in the Global Electronic Marketplace

Summary
1. Shortcomings of the technology currently in use
2. Moral hazards created by laws that shift risks to consumers
3. Broad scope for risk allocation by contract in business-to-business environments
4. Limited scope for risk allocation by contract in business-to-consumer environments
5. Promote the development of better technology through loss allocation rules
6. Realistic standards for consumer behavior in conducting online transactions
7. Risk intermediaries can manage risks that consumers are protected against
8. FTC regulations should cap consumer liability while remaining silent on technology issues
9. FTC regulations should require offshore merchants to comply with US law or avoid US consumers

Summary

The technology is not yet in place for reliable online authentication of consumers over the Internet. This problem will not be resolved in the near future, and the law governing consumer online transactions should recognize the importance of this problem.

Any law that shifts the risk of fraud or error losses from online transactions away from technology providers and online merchants to consumers creates a moral hazard problem and will produce economically inefficient outcomes.

In the business to business context, the parties should be permitted wide scope to allocate risks by contract. Recently enacted or proposed laws that assign the risk of unauthorized use of an authentication procedure to a party as a result of adopting that procedure create a risk of unfair surprise, however.
These laws may involve shifting evidentiary presumptions or liability limits for certain parties such as certification authorities. No risk-shifting provisions by law or private agreement should be enforceable unless the adopting party can be expected to understand that there are specific risk-shifting consequences associated with adopting an authentication procedure.

In the consumer context, the risk of misunderstanding any risk-shifting consequences for adopting an authentication procedure is even greater than in the business to business context since such a rule is directly contrary to the rules that now apply in other similar consumer transactions. Consumers should not be bound by unauthorized use of an online authentication procedure unless, after full disclosure in plain language of the risks involved, the consumer has agreed to be bound. In light of the potential for overreaching by technology providers and online merchants in securing such prior agreements, the scope for such agreements should be sharply limited by statute.

Fraud and error losses associated with online transaction technologies should be allocated to technology providers and online vendors in order to provide incentives for investment in the further improvement of the technologies in use.

Liability standards based on appropriate consumer use of online transaction technologies should be based on how consumers in fact are likely to use the technology, not based on the assumption consumers should do whatever is necessary to offset the current shortcomings of the technology.

Technology vendors and online merchants should be encouraged to work with risk intermediaries, such as banks or other financial services companies, who can apply principles of risk management to manage fraud and error losses associated with online transactions.
FTC consumer protections in this area should follow the model of FRB Regulation Z and Regulation E in mandating disclosure, procedures for consumers to evidence acceptance, and caps on total consumer liability for use of electronic attribution procedures.

FTC consumer protections in this area should follow the model of SEC Release 33-7516 in requiring offshore merchants wishing to do business with US consumers to comply with US consumer protection law, or to restrict access to their online transaction functions to individuals who identify themselves as not being in the US.

Regulating the Use of Electronic Authentication Procedures by US Consumers in the Global Electronic Marketplace

This submission is made in response to the Federal Trade Commission notice requesting academic papers and public comment regarding US perspectives on consumer protection in the global electronic marketplace published in the Federal Register on December 16, 1998 (64 Fed. Reg. 69289).

Jane K. Winn is associate professor, Southern Methodist School of Law, Dallas, Texas 75275. She is co-author of The Law of Electronic Commerce (3rd ed. 1998) and has published many papers on legal issues of electronic commerce that are available from her website at www.smu.edu/~jwinn.

Carl Ellison is a Senior Security Architect for Intel Corporation and previously for CyberCash, Inc. He has published a number of papers in the security area, is an inventor on five patents with others applied for, and is especially active, currently, in research into the proper use of Public Key cryptography and certification for access control.

This submission will address issues raised by the use of electronic authentication procedures by consumers in situations where traditional written signatures are not possible.
We argue that the use of electronic authentication procedures by consumers should be regulated in substantially the same manner as authorization to use a credit card or to make an electronic funds transfer is now regulated under US consumer protection law. The FTC should use its powers under Section 5 of the Federal Trade Commission Act to control unfair and deceptive trade practices to overrule any contrary state or federal laws that might otherwise apply. The FTC should also follow the model recently adopted by the Securities and Exchange Commission for extraterritorial application of US securities law to online transactions affecting US parties so that US consumers' reasonable expectations regarding electronic contracting will be protected in the global electronic marketplace.

1. Shortcomings of the technology currently in use

The technology is not yet in place for reliable online authentication of consumers' identity in transactions over the Internet. Many vendors are developing technologies that may eventually create solutions to this problem. Promising technologies include the use of public key cryptography to create digital signatures. While these technologies are very powerful solutions to specific problems, a reliable infrastructure for Internet commerce requires that these specific solutions be built into applications, which in turn must run in operating systems, which must in turn be networked. At each step in the process, it is possible that the implementation of the technology will be flawed. Having elements of a secure network, such as digital signature verification, PIN or password access controls, or a firewall, is not the same as having a secure system. It is at the level of integrating all these elements into widely used, interoperable systems where critical shortcomings exist in today's Internet electronic commerce infrastructure.
Even when today's problems are solved, there will be new threats to Internet electronic commerce security that will have to be addressed. The security of a computer system can never be absolutely guaranteed. Information system security is defined with reference to the known threats the system can withstand. As security technologies improve, threats become more sophisticated as well, making the preservation of the security of a system a moving target. The law governing consumer transactions in the global electronic marketplace should allocate risk for fraud and error in online transactions in light of the fact that the security of the networked information systems supporting that market is a major issue today and in the future that defies any simple or lasting resolution. While technologies such as public key cryptography, which is used in the creation of digital signatures, are capable of creating a very powerful association between the key used to sign a document and the signed document, that is only one small piece of the puzzle that must be solved to provide consumers with appropriate online authentication procedures. Products available to consumers today normally require the consumer to store the private key on the hard drive of a personal computer without any better security than a password to control access to the key. See the Verisign FAQ regarding security for digital signature keys at https://www.verisign.com/repository/PrivateKey_FAQ/index.html. The private key is normally stored on the hard drive of the computer in encrypted form, where the encryption is performed by password. This form of security is vulnerable to a brute force attack which is accomplished by attempting to decrypt the private key with passwords from a dictionary of likely passwords or generated according to the password rules for that system. 
If the consumer has chosen a password that is easy to guess, which is often the case, then it need not be a very time consuming process. Even if such an attack might be time consuming, it is not difficult to imagine that a malfeasor employed in a computer service organization might perform such brute force attacks on computers that are in the shop for service.

It would be more difficult for malfeasors to access the key used in the consumer's authentication procedure if the systems for controlling access stored the key on a separate token such as a smart card or required a biometric identifier. Even such more sophisticated access controls may be defeated by attacks such as virus software running on the consumer's computer but not under the consumer's control and without the consumer's knowledge. It is possible that in the future, consumers will have the option of using more sophisticated authentication procedures that require the use of a physical token, a remembered password and a biometric identifier. Until such interfaces have been developed and widely disseminated, there will remain serious questions about how reliably the use of an authentication procedure such as a digital signature can be associated with an act of a particular human being. This is especially true for private keys kept in personal computers that are not kept under lock and key with 24 hour surveillance.

There are also serious issues about the security of the computing environments within which such systems are to be used. In Trust in Cyberspace, a study published by the National Research Council in 1999, a study committee composed of academic and industry experts in computer security found that the current level of understanding of network information system security is partial and fragmentary, and that principles that are beyond controversy are often not observed in the design and implementation of network information systems today.
The authors of this study conclude that considerable research is needed to find workable solutions to the problems endemic in networked computer systems today and new incentives need to be created to encourage adherence to those solutions once they have been identified. In the face of this much uncertainty about what the appropriate standards are for participants in electronic commerce systems with regard to security, the FTC must be ready to disregard self-serving allegations of industry representatives that claim that solutions to these problems exist today.

2. Moral hazards created by laws that shift risks to consumers

A moral hazard is created when a party with the power to control the magnitude of losses incurred has no incentive to minimize losses because that party also has the ability to force someone else to bear the costs of its failure to act. A moral hazard is created in the electronic contracting context when one party capable of controlling the overall rate of fraud or error losses arising in connection with online transactions has no incentive to take the necessary steps to reduce the rate of loss, but instead is permitted to externalize the costs of its inaction on some other party.

In the global electronic marketplace for consumer transactions, the relevant players are the technology providers, the online merchants and the consumers. Technology providers and online merchants clearly have the ability to influence the rate of investment in security and research to improve security. Those who have input into decisions that will directly affect the overall rate of fraud and error losses related to the use of electronic authentication procedures should also bear the liability for failing to take action to control those losses.
The classic market failure problems faced by consumers in other types of transactions will arise here and prevent a market-based movement to develop adequate security for online consumer transactions: information asymmetries, problems of collective action and unequal bargaining power. The only risks that should be placed on consumers are risks that consumers can realistically be expected to control, and all other risks should be allocated to more sophisticated parties within the electronic commerce marketplace. Where there are risks of loss due to factors that are beyond the ability of any of the parties to control in the short term, liability should be directed to those parties that can manage those losses through pooling risks and adjusting price terms, or formal insurance schemes.

3. Broad scope for risk allocation by contract in business-to-business environments

In the business to business context, the law should permit the technology providers, and online merchants and their customers to negotiate whatever system of warranties or indemnities the parties feel is commercially reasonable. The usual constraints provided by contract law, deceptive trade practice law or similar bodies of law should permit businesses to protect their interests adequately, without any need for intervention to revise the law to the benefit of one business party or the other. Many recent or proposed changes in commercial law to accommodate electronic commerce do not fit into this pattern, however. As a result, the FTC may need to consider acting within its authority to prevent unfair and deceptive trade practices outside the consumer context.

Statutory provisions that shift the risk of an unauthorized use of an authentication procedure from one party to a commercial transaction who would bear the loss under current law to a different party merit particular scrutiny.
These rules take the form of shifting evidentiary burdens to favor one of the contracting parties, or of liability limits for parties providing specific electronic commerce services, such as certification authorities. For example, based on the February 1, 1999 Electronic Commerce Rules: Nimmer/Ring Proposals for changes to the text of proposed Uniform Commercial Code Article 2B, Section 2B-116 governing attribution procedures (available at http://www.law.upenn.edu/library/ulc/ucc2b/nimmer299.htm), the drafting committee for UCC Article 2B voted to make the risk of unauthorized use of an attribution procedure depend on whether the party identified by the procedure had agreed to be bound by its use, or had by some other means indicated an intention to be bound by the use of the procedure, but only if the attribution procedure is commercially reasonable. The requirement of commercial reasonableness is meant to be a limit to the ability of one party to impose on another party the requirement that an unreasonable attribution procedure be used. Having an objective standard by which authentication procedures are measured before their unauthorized use can trigger liability for the party whose authentication procedure was used is an important limit on the ability of relying parties to shift liability for fraud or error losses to another party, but it fails to address a more fundamental problem with this kind of risk-shifting rule. Unless the party who has agreed or otherwise adopted an authentication procedure for use in electronic commerce understands that this implies accepting responsibility even for unauthorized use of the procedure, such a risk-shifting rule creates a problem of unfair surprise. The problem of unfair surprise is particularly acute when the relying party understands the agreement to use an authentication procedure will shift responsibility for unauthorized use but the other party does not. 
Section 201 of the Restatement (Second) of Contracts indicates how such problems of unfair surprise should be addressed under general principles of contract law. Section 201 provides that where the two contracting parties each attach a different meaning to an agreement, the court will give the contract the interpretation given by one of the contracting parties if that party did not know there were two different interpretations, but the other did. In the electronic commerce context, where the party whose authentication procedure was used without authorization did not know the law would impose liability for unauthorized use once that party had adopted the authentication procedure, but the relying party was aware of such consequences, the relying party's expectations should not be given legal effect. The relying party should be required to eliminate the possibility of such differences in interpretation arising by conspicuously disclosing in plain language to the other party the consequences of adopting an authorization procedure as a condition precedent to forcing the other party to pay for unauthorized transactions.

The use of electronic authentication procedures as a signing device in online transactions is similar to the use of mechanical signature machines used by businesses to sign checks. The law of negotiable instruments generally provides that the drawee bank must be able to show that its customer signed the check. UCC 3-401. Because it would be difficult after the fact to show who was actually operating a check machine if the customer claimed that the check machine had been used without authority, banks will not accept checks signed by machine unless the bank's customer agrees to be liable for any check signed by the machine.
At some point in the process of purchasing the signing machine and signing the bank's form agreeing to accept responsibility for all checks signed by machine, the bank's customer is likely to realize that owning a signature machine is a risky proposition. It would be hard for the bank customer not to understand the legal consequences of signing the agreement to be liable for all checks signed by the machine, even if the use of the machine is not authorized. If businesses are to be bound contractually even by the unauthorized use of electronic authentication procedures, there should be an equivalent opportunity for the principal of the business to make an informed, intentional assumption of that risk.

While the bank customer who chooses to use a mechanical signature machine has some simple, obvious, and effective options with regard to safeguarding the machine, a consumer using a digital signature stored on the hard drive of a personal computer has few alternatives with regard to safeguarding the signature keys. A mechanical signature machine can be locked up whenever not actually in use to sign documents. By contrast, locking up a personal computer whenever the digital signature function is not needed is utterly incompatible with its normal use. Personal computers are often left turned on for extended periods of time and left unobserved while turned on. Personal computers in homes or small businesses are often routinely used by many different individuals. Not only are personal computers subject to attacks by viruses, some software support programs make copies of large amounts of information from the customer's system in order to analyze the problems the customer is experiencing. The same software can be used to make unauthorized copies of specific applications and data files without the consumer's knowledge or consent.
Consumers have little or no control over who has access to their personal computer if they take their computer into the shop for repairs, and little or no way to find out if their digital signature keys have been tampered with while their personal computer was in the shop.

4. Limited scope for risk allocation by contract in business-to-consumer environments

Under current consumer protection laws such as Federal Reserve Board Regulations Z and E, no consumer can be held liable for the unauthorized use of a credit card or for an unauthorized electronic funds transfer unless the consumer accepted the credit card or access device such as an ATM card or debit card and the rules concerning liability for unauthorized use were disclosed to the consumer. Even when these two criteria have been met, the consumer's potential liability for unauthorized use of the credit card, debit card or ATM card still is limited by statute. 12 C.F.R. 226.12 (b) and 12 C.F.R. 205.6.

One of the most important steps the FTC can now take to safeguard reasonable consumer expectations in the global electronic marketplace is to require that the use of electronic authentication procedures by consumers is subject to protections equivalent to those provided by Reg Z or Reg E. The FTC should provide equivalent safeguards regarding the procedures that technology vendors or online merchants must follow before a consumer may agree to be bound by any unauthorized use of an electronic authentication procedure, and should provide equivalent limits to the total amount of liability for unauthorized use a consumer can be asked to bear under any circumstances.

Even more clearly than in the business-to-business context, there exists a real possibility that the consumer will not understand that adopting an electronic authentication procedure entails accepting liability for unauthorized uses of that procedure.
Given the current underdeveloped state of technology now available to consumers wishing to adopt an electronic authentication procedure, and the likelihood that consumers will not appreciate the shortcomings of those procedures, it is unclear how consumers could ever make an informed, rational choice to accept liability for unauthorized use of an authentication procedure.

In order to avoid creating incentives for overreaching by technology providers or online merchants, the FTC should require any party who wishes to rely on an electronic authentication procedure to ensure that the other party has received and has been given an opportunity to review a statement in plain language of the risks associated with the use of the particular electronic authentication procedure. The standard for plain language disclosure could be drawn from the SEC Plain English Disclosure Rule, SEC Release No. 33-7497 (1998). Where the risks associated with the use of a procedure are not known by any of the parties proposing to use the technology, that fact should be disclosed. Once the consumer has had an opportunity to review the disclosure, the consumer should be required to take some affirmative action to accept responsibility for the use of the electronic authentication procedure. Even once a consumer has accepted such a responsibility, however, the FTC should impose a dollar limit on the total liability a consumer may face for unauthorized use of a particular electronic authentication procedure.

5. Promote the development of better technology through loss allocation rules

In Trust in Cyberspace, the Computer Science and Telecommunications Board of the National Research Council points out both the deteriorating level of security in network information systems now in use, and a lack of effective market-based incentives for remedying the situation.
Designing effective security solutions adds time to the development of applications, which is contrary to the current business practices of the software industry, which rushes to ship applications as soon as possible to capture or retain market share. Effective security also places heavy demands on system resources, degrading the performance of applications. End users have little appreciation of security issues, and are therefore reluctant to pay a premium for products that include superior security characteristics. The clearest standards for "trustworthiness" for networked information systems were developed with reference to highly sensitive military applications where the investment of resources in improving security was not subject to the same cost/benefit constraints that the development of secure commercial information systems is. These problems are unlikely to be resolved at any time in the near future, and represent a clear failure of market-based incentives to produce an optimal security infrastructure for global electronic marketplaces.

Under these circumstances, consumers should not be asked to bear risks of potentially devastating losses as a result of entering into online transactions when consumers have little or no ability to influence the most important factors that would cause the loss to occur. If technology providers and online vendors are forced to bear the risks associated with the use of an immature technology, then at a minimum, the current shortage of market-based incentives to promote the development of an adequate security infrastructure for electronic commerce would not be exacerbated. It is possible that shielding consumers from most liability for unauthorized use of authentication procedures will actually promote greater investment in this area, which would be a distinct improvement over the current state of affairs.
This kind of loss allocation rule has caused credit card and debit card service providers to develop highly sophisticated technology to control fraud and error losses in those industries, and a similar outcome should be encouraged here.

If liability for unauthorized use of authentication procedures is assigned to the technology providers and the online merchants, the prices at which technology providers and online merchants offer goods and services can be adjusted upward to reflect the best estimates of sophisticated parties as to the likely magnitude of fraud and error losses. Any such price increase would be a de facto insurance premium collected from all consumers.

In 1998, the Forrester Group estimated 8.7 million individuals in the US engaged in $8 billion in retail Internet transactions, or about 1% of all retail sales in the US. By 2003, these figures are expected to rise to 40 million individuals conducting $108 billion in transactions or 6% of all retail sales. Almost all retail Internet commerce is currently conducted through the use of credit cards. Under Regulation Z and its Official Staff Interpretations, the card issuer and the online merchant cannot contest the cardholder's claim that a charge is unauthorized if the merchant did not have access to the actual physical credit card. This nearly absolute protection for consumers has not had a chilling effect on Internet commerce, but has created a highly workable system in which the merchant and card issuers have adapted their business models to take account of these loss allocation rules.

6. Realistic standards for consumer behavior in conducting online transactions

Any standard that imposes liability on consumers for negligence or failure to safeguard access to an authentication procedure should be based on a realistic assessment of how consumers can actually be expected to use technology.
In practice, this means that consumers should be encouraged through marketing campaigns or disclosures to take appropriate precautions, but failure to take those precautions consistently should not be sanctioned with more than nominal liability.

According to the November 1998 Nilson Report on US retail payment systems, credit cards accounted for 21.12% by dollar volume and 17.99% of transaction volume of retail payments in the US, and debit cards accounted for 2.78% and 3.69% respectively. Regulation Z shelters the consumer cardholder from all liability in excess of $50 for failure to safeguard the credit card, and Regulation E provides a sliding limit to liability that begins at $50, and in almost all cases ends at $500. The development of these payment systems has not been stifled by the imposition of liability limits under consumer protection law, although providers of these services have been forced to make large investments in continually improving the security of their systems.

Too often technology developers use the requirement that consumers take whatever steps are necessary to guarantee that no third parties can gain access to authentication procedures as a sort of default category where unresolved issues regarding the security of consumer applications can just be dumped. For example, the Verisign Certificate Practice Statement provides:

4.1.1 Holder Exclusivity; Controlling Access to Private Keys

Unless otherwise permitted by this CPS, each certificate applicant shall securely generate his, her, or its own private key, using a trustworthy system, and take necessary precautions to prevent its compromise, loss, disclosure, modification, or unauthorized use. It is understood that subscribers (and certificate applicants) will generally use non-VeriSign products that provide appropriate protection to keys.

See https://www.verisign.com/repository/CPS/CPSCH4.HTM.
There are no systems that remain trustworthy when exposed to normal consumer Internet use and software acquisition. There are research projects trying to create so-called "trusted computing bases," but none has succeeded. Some systems are shipped today with the label "trusted," but none could protect a consumer's data and software in such an environment.

Consumers should not be required to offset the inadequacies of the technology by adapting their manner of interacting with the technology. The only appropriate standard of care that consumers should be held to is one based on a realistic assessment of what individual consumers can actually be expected to do on a regular basis with the actual technology that is now available. If consumers do not today have the technology available to meet the kind of standard imposed by the Verisign Certificate Practice Statement, then assigning liability to consumers for failure to meet this standard will impose potentially significant losses on random consumers.

7. Risk intermediaries can manage risks that consumers are protected against

Given that the risks of unauthorized use of authentication procedures in online contracting may be significant and are unlikely to be eliminated in the near future, this creates a business opportunity for risk intermediaries to accept responsibility for the risk of authorized transactions and to charge transacting parties for this service. This is one of the primary services being provided today by the credit card industry in supporting retail Internet commerce, and it could be extended to transactions not involving credit cards as a payment device. Financial services intermediaries and others are now preparing to provide online transaction risk management services. It seems apparent that a market-based solution consistent with sound consumer protection principles will be available to technology developers and online merchants in the near future.
The development of these professional risk management services will eliminate any basis for changing current law to shift liability from technology providers or online merchants through changes in evidentiary rules or through liability limits for specific service providers such as certification authorities. The FTC should not hesitate to enact consumer protection regulations that bring electronic contracting using electronic authentication procedures into line with consumer protection regulations governing credit and debit cards for fear of creating a market failure.

8. FTC regulations should cap consumer liability while remaining silent on technology issues

The FTC should use its power as protector of consumer interests in the national economy to override any state laws that attempt to shift online transaction risks to consumers, and should follow the Reg Z and Reg E models by mandating disclosure, consumer acceptance, and caps on maximum possible consumer liability. The FTC should also remain silent as to the technology to be used for online transactions, or the business model associated with the use of the technology so that the competition in the business to business marketplace can work to produce the most effective electronic commerce solutions. This model of clear, mandatory consumer protections combined with silence regarding the technology or business model used to provide services including those protections has worked well in the consumer payments fields to promote ongoing improvements in the security of the payment system infrastructure.

9. FTC regulations should require offshore merchants to comply with US law or avoid US consumers

The FTC should follow the SEC's model for determining whether a transaction with a US consumer should be subject to US law even if this results in the extraterritorial application of US law to an online merchant. See SEC Release No.
33-7516 Re: Use of Internet Web Sites To Offer Securities, Solicit Securities Transactions, or Advertise Investment Services Offshore. If online vendors do not wish to be subject to US consumer protection laws, the online vendor should take steps to make clear to prospective customers that it is not offering anything to US consumers and to take steps to restrict access to those portions of its website to individuals who must identify themselves as not being in the US. |