Information Security Committee (ISC)
American Bar Association
Section of Science & Technology
Summary of the
Workshop on Consumers and Public Key Infrastructure (PKI)
Patent & Trademark Office - Crystal City, VA
April 8, 1999
· Mark Budnitz, Professor of Law, Georgia State University
· Harold Burman, Executive Director of Advisory Committee on Private International Law, US Department of State Legal Advisors Office
· Alan Davidson, Staff Counsel, Counsel for Center for Democracy and Technology
· Margot Freeman Saunders, Managing Attorney, National Consumer Law Center
· Richard Guida, Chair of Federal PKI Steering Committee
· Jane Larimer, General Counsel, National Automated Clearing House Association
· Teresa Peters, Legal Policy Analyst, Organization for Economic Co-operation and Development
· William Schooler, Health Care Financing Agency
· David Solo, Director of E-Commerce and PKI Security, Citigroup Corporate Information Security Office
· Shari Steele, Director of Legal Services, Electronic Frontier Foundation
· Jack Walsh, Bell Atlantic (Data Securities Group)
Electronic commerce has undergone tremendous growth in recent years. As more and more consumers go on-line to engage in electronic transactions, it becomes more critical than ever to understand the issues that affect consumers transacting business in a secure electronic environment. On April 8, 1999, the American Bar Association's Information Security Committee (ISC), of the Section of Science and Technology, held a day-long conference in Crystal City, VA with a panel of consumer, government, and industry representatives to examine consumer issues related to digital signatures and secure electronic commerce. The primary objective of the meeting was to identify and address a preliminary list of ISC-developed consumer issues, with a view to including an updated set of consumer issues (and positions) in the PKI Evaluation Guidelines being prepared by the ISC. An agenda of the issues that provided the initial framework for the workshop is available online at http://www.abanet.org/scitech/ec/isc/ConsumerIssues-199904PTO.shtm.
The issues considered included private key management, legal presumptions, restrictions on certificate use, minimum CA capability standards, personal information privacy, risk and liability, disclosures and notices, international issues, and continuity of records. Conference participants were cautioned about the risks of being shortsighted in addressing legal and technical PKI consumer issues. Continued discussion and examination of these issues are needed to fully appreciate their many dimensions. The PKI marketplace is in its infancy, and the products and services available to consumers are only beginning to be deployed. Furthermore, there are not yet demonstrable instances of consumer injury resulting from the use of PKI. Thus, it was stressed that it is premature to implement PKI-related consumer regulations.
One theme was repeated throughout the day and bears repeating here: "Analysis of PKI consumer issues should proceed from analysis of the underlying transaction or application, not from the mere use of PKI technology in the transaction."
The Information Security Committee of the American Bar Association expects to conduct a follow-up consumer workshop in approximately six months to further advance the meaningful consideration and resolution of these issues. Meanwhile, the Information Security Committee is addressing consumer issues within its draft PKI Evaluation Guidelines. Both the private sector and regulators are encouraged to collaborate in this initiative, particularly given the administration's encouragement of industry self-regulation.
Private Key Management
Proper safekeeping of subscribers' private keys is an indispensable element of a trustworthy public key infrastructure (PKI). Panelists noted that effectively managing private keys involves both technical and policy considerations. On the technical end, education is necessary to advance consumer understanding of the underlying risks and technology of PKI. Panelists discussed various methods for safekeeping private keys, such as PIN codes, smart cards, and biometrics. Regarding disclosure of the security regime, the general view was that it would not be appropriate to impose a single disclosure rule on both high- and low-value transactions. Rather, most panelists believed that the appropriate level of disclosure and the apportionment of risk among the subscriber, the relying party, and the certification authority should depend on the nature of the underlying transaction. One panelist representing consumer interests suggested that certification authorities should bear all the risks in transactions involving digital signatures, claiming that certification authorities are better positioned to assess such risks than are consumers. This view was not generally shared by the other participants.
In terms of policy, panelists stressed the importance of considering existing laws when creating and implementing legislation on digital signatures. Several members of the panel argued that there are already numerous consumer laws on the books, and it would be inappropriate to layer redundant legislation and regulations on top of them. One panelist noted that since Regulation E is applicable to both paper and electronic transactions, redundant laws would only create confusion (particularly for consumers) and unnecessarily burden business and government.
Although consumer education is important, one panel member cautioned that it is unlikely that every consumer can be educated about every material aspect of electronic commerce, especially in light of the fact that such comprehensive consumer education has not occurred for other technologies used by consumers. Policymakers must be cautious about overlegislating in response to the introduction of new and innovative technologies. Instead, policymakers' objectives should be to help consumers access and use such technologies to the extent that they offer cost-effective benefits to consumers. There was general agreement among the panelists that policymakers should strive to strike a balance, providing sufficient laws to protect consumers but not hindering developing technology with overly burdensome restrictions. There was disagreement, however, about precisely where this line should be drawn. PKI industry representatives in the audience cautioned that developing technology will be stunted if policymakers burden PKI service providers with all or a significant portion of the liability risks; other participants suggested that merchants could assume these risks entirely or jointly with certification authorities.
Legal Presumptions Regarding Digital Signatures
The ABA Digital Signature Guidelines, the Utah Digital Signature Act, and the Washington Digital Signature Act all provide that a digital signature issued according to current legal standards is rebuttably presumed to be valid; that is, if the subscriber wishes to repudiate the signature's validity in a particular instance, then the subscriber has the legal burden of proving that the signature was no longer valid in that instance. The discussion centered on the question of whether a legal presumption of validity overburdens the consumer or discourages consumer use of digital signatures. "It depends on the transaction involved" was a theme to which the discussion often returned. Although typical hypothetical examples tend to cast "poor Aunt Millie" in the role of a subscriber who could be devastated by a rebuttable presumption of signature validity, in fact the subscriber could be a sophisticated business and the relying party a consumer, or both parties businesses. The panel also addressed the issue of who should bear a loss when none of the parties to a transaction is negligent. One panelist felt that a certification authority should be treated like a credit card company, always bearing the risk of loss unless it can prove that some other party was at fault or otherwise negligent in a given situation. Others noted that drawing an analogy between certification authorities and credit card companies is inaccurate, because credit card companies are involved in each transaction. Credit cards are subject to a credit limit which, when reached, can prevent further transactions. Certification authorities, by contrast, typically have little or no involvement with the transactions conducted using certificates or ability to limit them.
In addition, participants discussed whether it is proper for the relying party to have to assume the risks when both the subscriber and the certification authority have acted reasonably. It was suggested that this burden should be considered part of the relying party's cost of doing business. One audience member proposed treating PKI as a security system; the relying party would pay an insurance premium, and the risk of loss would then be allocated to the insurance company. Currently, the insurance industry is struggling to collect data on the risks associated with the use of digital signatures.
Restrictions on Certificate Use
Restrictions on certificate use may be comparatively easy to implement when certificates are used exclusively in closed systems. However, it was noted that certificates can "leak" out of closed communities and that user and business needs often require using them beyond the boundaries of a closed community. One possible way to better manage certificate use, panelists noted, is for users to obtain multiple certificates for use in distinct types of transactions (restricted-use certificates). Another way would be to use "attribute certificates" although attribute certificates may complicate certificate management.
Much of the discussion on certificate use restrictions considered the critical need to educate software vendors on the need to create software that supports internationally recognized standards, such as X.509. Certificate standards are not fully and consistently adhered to. For example, one panelist noted that some client software that uses the same key pair for both S/MIME encryption and digital signature functions will accept a certificate that is clearly restricted (through its keyUsage extension) to signature use only, and then use that certificate's public key to encrypt replies back to the sender. This violates the X.509 (v3) standard. Panelists agreed that it is critical to demand better (and conforming) client software from vendors. One panelist went so far as to suggest that one way to accomplish this is to choose software only from companies that comply with such standards. And yet, as a practical matter, such a choice may not be viable today. One participant noted that Appendix D of the current version of the ISC's PKI Evaluation Guidelines contains proposed criteria for software vendors, and suggested reflecting the panel's discussions in that Appendix.
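The check that the non-conforming client software described above omitted is a small one: before encrypting to a certificate's public key, decode the certificate's keyUsage extension and confirm that it asserts a bit permitting encryption (keyEncipherment for RSA key transport, keyAgreement for Diffie-Hellman). The following is an added example and is not code from the workshop or from any product discussed; it assumes the DER-encoded value of the keyUsage extension has already been pulled out of the certificate (full X.509 parsing is left to a real library), and the function and constant names are this example's own.

```python
"""Decode an X.509 v3 KeyUsage extension (RFC 5280 s4.2.1.3) and decide
whether a certificate's key may be used for a given purpose.

Added example, not part of the ABA ISC workshop summary. Input is the
DER-encoded BIT STRING found in the keyUsage extension's extnValue.
"""

# Bit positions named in RFC 5280; bit 0 is the most significant bit of
# the first content octet after the unused-bits octet.
KEY_USAGE_BITS = (
    "digitalSignature",   # 0
    "nonRepudiation",     # 1 (called contentCommitment in later revisions)
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
)

# What a relying party needs for each purpose (example policy): RSA key
# transport requires keyEncipherment; (EC)DH-based S/MIME requires keyAgreement.
PURPOSE_REQUIREMENTS = {
    "sign": {"digitalSignature", "nonRepudiation"},
    "encrypt": {"keyEncipherment", "keyAgreement"},
}


def decode_key_usage(der):
    """Parse a DER BIT STRING holding KeyUsage into a frozenset of bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or malformed length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    # DER requires the unused trailing bits to be zero.
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    total_bits = len(body) * 8 - unused
    asserted = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break  # bits beyond the encoded length are zero
        if body[i // 8] & (0x80 >> (i % 8)):
            asserted.add(name)
    return frozenset(asserted)


def encode_key_usage(names):
    """DER-encode a KeyUsage BIT STRING; used here to build constructed samples."""
    positions = [KEY_USAGE_BITS.index(n) for n in names]
    if not positions:
        return b"\x03\x01\x00"
    nbits = max(positions) + 1          # DER drops trailing zero bits
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for p in positions:
        value[p // 8] |= 0x80 >> (p % 8)
    content = bytes([nbytes * 8 - nbits]) + bytes(value)
    return bytes([0x03, len(content)]) + content


def usage_permits(key_usage, purpose):
    """True if the key may be used for `purpose`.

    key_usage is None when the certificate has no keyUsage extension; RFC 5280
    then places no restriction on the key.
    """
    if key_usage is None:
        return True
    return bool(PURPOSE_REQUIREMENTS[purpose] & key_usage)


def reply_encryption_allowed(signer_key_usage_der):
    """Decide whether a reply may be encrypted to the key in the certificate
    that signed an incoming S/MIME message. Returns (allowed, reason)."""
    if signer_key_usage_der is None:
        return True, "no keyUsage extension; key is unrestricted"
    ku = decode_key_usage(signer_key_usage_der)
    if usage_permits(ku, "encrypt"):
        return True, "keyUsage permits encryption: " + ", ".join(sorted(ku))
    return False, ("keyUsage restricts this key to " + ", ".join(sorted(ku))
                   + "; obtain a separate encryption certificate")


if __name__ == "__main__":
    # Constructed samples: a signature-only certificate and a dual-use one.
    sig_only = encode_key_usage(["digitalSignature"])          # 03 02 07 80
    dual_use = encode_key_usage(["digitalSignature", "keyEncipherment"])
    for label, der in (("signature-only", sig_only), ("dual-use", dual_use)):
        print(label, der.hex(), reply_encryption_allowed(der))
```

A conforming mail client that gets `(False, ...)` from `reply_encryption_allowed` should look up a separate encryption certificate for the correspondent rather than reuse the signing key; in production the keyUsage value would come from a proper certificate parser and this decision would sit beside chain validation and revocation checking, which this example does not perform.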
Minimum Capability Standards
Panelists also considered whether minimum capability standards should be set for certification authorities and, if so, who should set them. The consensus among the panelists and audience was that such requirements should vary depending on the specific use intended for the digital certificates a particular certification authority issues, considering variables such as transaction type, industry application, or maximum potential loss to users or relying parties. High-value, more critical uses of PKI should possibly be subject to some type of minimum standards; low-value uses require fewer standards or none at all. There was broad agreement that if the industry could not establish minimal technical standards and compel compliance with them through guidelines such as the PKI Evaluation Guidelines, some type of governmental licensing standards might become necessary. Suggestions concerning who should set such standards ranged from the federal government to representative bodies from specific industries that have deployed PKI. The federal government would most likely be called upon to fulfill this role for any ubiquitous "federal ID" digital signature mechanism it seeks to implement. But even then, there may be a viable role for industry-based standards.
One panelist noted that consumers ultimately would not care much about specific technical or legal standards but would instead rely on perceived trustworthiness of specific certification authorities. In other words, consumers might simply assume that a certification authority has already adopted suitable standards to protect them. Finally, a suggestion was made that perhaps the current minimum requirements for certification authorities being developed within the European Community might serve as de facto standards for European certification authorities with global operations. There was no consensus on this issue.
Personal Information Privacy
The panel and audience appeared to agree that a certification authority that solicits personal information from a user should pose its questions in a clear and easy-to-understand manner. Some participants urged that certification authorities should ask consumers for authorization to use consumers' personal information, explain how such information will be used, and provide the consumer with opt-out provisions. One consumer advocate stated that lower-income and less educated consumers may need greater privacy protections.
Another panelist noted the importance of considering the international dimension of privacy issues. For example, the European Privacy Directive, which became effective in October 1998, takes a top-down approach to regulating privacy, with specific rules set by the European Union governing body concerning how companies should treat consumers' personal information. The United States, however, has generally taken the approach of encouraging self-regulation, in the form of voluntarily posted privacy policies. It was noted that the United States hopes to have an agreement with Europe by mid-1999 to harmonize privacy issues, and that otherwise serious trade conflicts could result that may also affect PKIs.
Disclosures and Notices
One of the most important areas of consumer protection involves the provision of adequate notices and disclosures. Panelists agreed that such notices or disclosures from companies may help consumers make better informed decisions about e-commerce transactions. They also agreed that companies could help consumers by apprising them of the existence of such notices or disclosures at the time a consumer enters into an on-line agreement and by allowing consumers to view the agreement's entire contents at that time.
The panel also discussed the submission of on-line electronic forms by consumers. Because errors may occur between the time that an electronic form (template) is presented to the consumer and the time that the data is submitted and subsequently received by the vendor, one panelist proposed that vendors should request confirmation of important information either by regular mail or by digitally signed e-mail and that consumers correct any inaccuracies. (It should be noted that the most material information submitted in a certificate application generally becomes actual certificate content, and subscribers can confirm the accuracy of certificate contents when they receive their certificates).
Notices and disclosures provided to customers should generally be transaction-specific and should provide consumers with sufficient information to make an informed decision, while at the same time not overwhelming the consumer with a surfeit of detailed information that obscures the core message. An audience member noted the extreme difficulty in striking such a balance. The example cited was that of the Social Security Administration, which was criticized both for providing the public with too much detailed information and later, after simplifying its disclosures, with failing to provide enough.
Some participants suggested that, to ensure the proper amount of disclosure, vendors should require additional interactive responses from consumers at key points in an electronic interaction, so that certain critical information is demonstrably communicated. Other panel members urged serious consideration of how frequently the consumer is asked to provide on-line responses during a transaction, suggesting that maintaining a good user experience is as essential to a successful transaction as making disclosures and obtaining responses. Consumers are less likely to engage in electronic transactions if they are required to expressly agree to (or take time to reconfirm) terms for each transaction. Also, a one-time transaction may require different treatment than a series of ongoing transactions.
International Issues
Given the relatively borderless nature of electronic commerce, harmonization among jurisdictions will greatly facilitate e-commerce, particularly for consumers. For instance, unlike common law jurisdictions (such as the United States), civil law jurisdictions (such as Quebec) may require specific proof that consumers have express knowledge of the terms they accept. Additionally, Quebec requires notices to be in French and understandable to the consumer. Some civil law jurisdictions also constrain the incorporation of documents by reference, instead requiring all text to appear fully integrated into each operative document. One person noted that the X.509 certificate standard inherently relies on incorporation by reference: object identifiers, CRL distribution points, and similar pointers stand in for policy text and data that do not appear in the certificate itself.
The panel and audience generally agreed that it is unnecessary to create a separate body of international consumer protection laws for e-commerce transacted over the Internet. If a particular country does not want certain international or country-specific consumer protection laws to apply to transactions involving its citizenry, then that country should have the choice to opt out of such laws, based on underlying economic factors (such as the desire to encourage foreign business investment where local markets are too small to warrant localized products and services). One audience member noted that international issues are currently perhaps less important than other PKI issues, such as some of the other issues addressed in this summary.
Continuity of Records
The final discussion focused on what would happen to the records of consumers when a certification authority dissolves or reorganizes in bankruptcy, or is acquired by another organization. One panelist noted that any prior contractual restrictions on a consumer's personal data become void upon the bankruptcy sale of the consumer data as a valuable asset. However, other participants noted that existing laws such as banking regulations and Section 365(n) of the Bankruptcy Code might protect consumers' records in such a sale. It was also noted that some certification authorities include procedures in their agreements for the winding down or transfer of business.
About the Information Security Committee
The Committee explores legal and information security aspects of electronic commerce and other issues related to information technology. The Information Security Committee is a collaboration of lawyers, government policy and management professionals, information technology and security professionals, auditing practitioners, notaries from various legal systems, trade facilitation experts, and others.
For further information regarding the Information Security Committee, contact Michael Baum, Chair, ISC firstname.lastname@example.org or Ruven Schwartz, Vice Chair, ISC email@example.com. Information about the activities and membership in the Section of Science and Technology and the American Bar Association is available from Manager, Section of Science and Technology, American Bar Association, 750 North Lake Shore Drive, Chicago, IL 60611 USA, Tel: (312) 988-5599, Fax: (312) 988-5628, E-mail: Kowalskya@staff.abanet.org.