FEDERAL TRADE COMMISSION
ESIGN Study--Comment P004102
March 16, 2001
VeriSign is pleased to submit these comments in response to the Commission's public notice requesting comment on the Electronic Signatures in Global and National Commerce Act.(1) VeriSign, Inc., headquartered in Mountain View, California, is the world's largest provider of Internet trust services, offering domain name registration services, authentication, validation, and payment services.
Congress recognized the value of establishing the legality of electronic records and signatures in the modern economy through enactment of the Electronic Signatures in Global and National Commerce Act ("ESIGN") last year. Section 101(c)(1)(C)(ii) of ESIGN requires that to send legally required information to consumers electronically consumers must consent in a manner that reasonably demonstrates that they can access the information. Section 105(b) of ESIGN instructs the Federal Trade Commission and the Secretary of Commerce to report to Congress regarding this requirement.
VeriSign's primary interest in this proceeding stems from offering leading market technologies that effectively provide verification of identity and assure the integrity of the content of e-mail messages and Internet Web traffic for businesses and consumers. These technologies may be directly applied to the communications contemplated by ESIGN.
For electronic records, signatures, and notices to have legal effect for section 101(c)(1)(C)(ii), they should establish that consumers have received, opened, and can read the communication. This requires several key characteristics¾authentication/verification, confidentiality, and data integrity/non-repudiation. These are essential to establishing that the consumer in question is the person entering into an agreement and that the consumer intends to and is technologically able to enter into the agreement and to access the information relevant to the agreement. Use of authentication methods, such as Public Key Infrastructure ("PKI"), that provide these characteristics should conclusively meet the criteria required by section 101(c)(1)(C)(ii). These methods are particularly valuable as demonstration of consumer consent to a one-time electronic agreement (as opposed to ongoing receipt of electronic notices). ESIGN provides a legal framework for electronic records and signatures that ultimately will be fulfilled by the adoption and use of technologies that possess these characteristics.
The wide adoption of PKI or similar infrastructure will dramatically reduce and perhaps eliminate the need for the consumer consent provision being evaluated by the Commission. While PKI is becoming common in B2B transactions, such a framework has not yet been widely adopted in the consumer marketplace. Although Congress directed the FTC and DOC to report regarding ESIGN implementation by June 30, 2001, not enough time has elapsed to provide much in the way of meaningful information. Of course, ultimately, the marketplace will determine which technologies succeed or fail. There may, however, be an important role for government to play in providing incentives and leadership in the adoption of technologies that provide the important characteristics present in PKI.
I. THE PUBLIC POLICY RATIONALE FOR § 101(C)(1)(C)(ii) OF ESIGN IS TO ENSURE THAT CONSUMERS CAN ACCESS LEGALLY REQUIRED INFORMATION THEY RECEIVE ELECTRONICALLY.
Congress directed the FTC and the Secretary of Commerce to submit a report to Congress within 12 months after the date of the enactment of ESIGN on the benefits and burdens to consumers on electronic commerce of requiring consumer consent under § 101(c)(1)(C)(ii). This section allows electronic information to be provided or made available to a consumer if: (1) a business obtains affirmative consent from the consumer to receive information electronically; and (2) the consumer consents in a manner that reasonably demonstrates the consumer's ability to access the electronic record. This section was drafted in order to ensure that consumers who agree to receive a legally required document electronically can in fact open, read, and retain the records that they will be sent electronically.(2)
The consumer consent provision was drafted to ensure that the critical characteristics associated with the provision of notices through the non-electronic traditional postal services would exist in the electronic world.(3) These characteristics, which often are described as identification/authentication, confidentiality, data integrity, and non-repudiation, should exist in the electronic world at least to the same level as in the non-electronic environment. Authentication/verification is the validating of the identity of the parties in communications. For legally required disclosures, it allows a company to know that the communication reaches its intended recipient. In the non-electronic world, there exist levels of reliability, supported by statutory and judicial recognition, that if a notice is sent through the U.S. Postal Service to an address provided by a consumer, that notice will reach the consumer. Confidentiality ensures that the information sent to the consumer is not intercepted or altered during transmission. In the non-electronic world, confidentiality is assumed if a communication arrives in a sealed envelope at the consumer's residence. Finally, non-repudiation/data integrity ensures that information has not been altered prior to receipt and that it is legally valid and non-revocable. In the non-electronic world, non-repudiation and data integrity are established through a sealed envelope as well as a signature on a communication and a postmark. These characteristics are similarly established in notary situations where documents are verified by notaries. In the non-electronic world, such hierarchies of higher levels of assurance exist in exchange for non-repudiation integrity.
A requirement of obtaining consumer consent prior to sending legally required notices would be satisfied if a system were in place that had a level of certainty that notices reach their destination having satisfied these important characteristics.
II. THE MOST EFFECTIVE MEANS OF PROVIDING IDENTIFICATION AND AUTHENTICATION, CONFIDENTIALITY, DATA INTEGRITY, AND NON-REPUDIATION IS THROUGH A PUBLIC KEY INFRASTRUCTURE FRAMEWORK.
Providing information to consumers electronically yields both consumer convenience and significant economic efficiencies. Ideally, the use of electronic notifications will become as accepted and commonplace as, and in many instances will replace, paper notices currently provided using the postal service. Likewise, technology will be widely adopted such that there will be no justification for the consumer consent provision in 101(c)(1)(C)(ii). PKI proves that the consumer has received, opened, and can read the communication. The technologies for such a framework exist in PKI technologies, but have not been widely adopted in the consumer marketplace.
Currently, most consumer electronic communications occur through traditional e-mail supported in some instances by secure sockets layer ("SSL"). These communications are potentially limited, depending on the security required in the transaction, in satisfying the above-mentioned consumer protection characteristics. For example, it is possible that unsecured e-mail could be intercepted by others or that the communication not reach its intended recipient. PKI, however, permits the achievement, including assurance, of receipt. PKI provides the "gold standard" to assure all of three primary characteristics of secure communications.
PKI uses technology known as public key cryptography to manage electronic certificates that are assigned to individuals. After a one-time registration process in which the individual obtains a digital certificate, the certificate can be used for any subsequent communications or transactions by that individual. A consumer's use of a certificate in a PKI framework obviates the need for consumer consent that they can access records prior to sending legally required information. Digital certificates provide a technical means of ensuring the authentication/verification of the identity of the consumer who is intended to receive or be bound by an electronic communication. These certificates also assure achievement of confidentiality; that is, the information sent to a consumer is not intercepted or altered during its transmission. Data integrity is provided through encryption technologies in which only the intended recipients ultimately are able to decrypt information intended for them. Finally, non-repudiation is provided through PKI by ensuring proof of integrity and origin of the data that can be verified by a third party.(4) Non-repudiation services can also be provided as important legal evidence in the event of a dispute between parties.
The Commission in its notice asks whether software programs that enable consumers to provide electronic consent are readily available and whether such technologies verify that electronic consent is transmitted by the specific persons entitled to receive electronic information.(5) VeriSign PKI software products are generally available to the public. Individual users with access to the World Wide Web may obtain a 60-day trial Class 1 certificate through the e-mail features of many commercial mail clients and Internet browsers, including Netscape and Microsoft Internet Explorer. Such software products provide all of the characteristics of identification/authentication, confidentiality, and data integrity/non-repudiation at a level that if widely adopted by consumers would limit, if not eliminate, the need for prior consent and demonstration of the ability to access the records.
III. A PKI INFRASTRUCTURE HAS NOT BEEN WIDELY DEPLOYED AND ADOPTED IN THE CONSUMER MARKETPLACE.
In the five months since ESIGN took effect, the marketplace has not changed significantly with respect to consumer adoption of PKI technologies and other security technologies. VeriSign believes that evaluation of the impact of the consumer consent requirement of ESIGN on electronic commerce can occur after more experience has accumulated.
Since the enactment of ESIGN, consumers and e-commerce vendors alike have been and continue to educate themselves as to the best means of working within section 101(c)(1)(C)(ii). Companies are still in the process of examining varying approaches to achieving their identification and authentication needs. Five months is insufficient time to adequately evaluate progress in this area.
ESIGN is "technologically neutral" in part because Congress did not want to be in a position of determining the winners and the losers in the marketplace.(6) Congress, however, recognized that technology neutrality should not act as an impediment to the adoption of these important technologies.(7) It is critical that "technological neutrality" not prove to be a disservice to consumers and the economy by discouraging or delaying the adoption of available proven systems that work well for consumers and online businesses alike. Indeed, it is undeniable that certain types of authentication technologies are more secure than others.
A wide-scale PKI deployment solely for certain types of consumer consent provisions may be slow in developing. There do exist different levels of PKI for different types of security. For example, VeriSign offers consumers affordable Class 1 certificates at no charge for the first two months. Such certificates provide more than satisfactory security for most types of legally required notices. Adoption of higher levels of PKI may not currently make economic sense to satisfy the legally required notices in relatively low dollar value transactions. There may, however, exist other important reasons that higher levels of PKI should be widely deployed.
IV. GOVERNMENT SHOULD BE A LEADER IN FURTHERING THE ADOPTION OF DIGITAL SIGNATURE TECHNOLOGIES.
ESIGN does permit technology choices in government acquisition of security technologies.(8) This gives government a good opportunity to promote widespread adoption of a public key infrastructure. Early adoption of PKI is not likely to result from the consumer consent provisions of ESIGN. Rather, PKI will be adopted through broad deployments for such large-scale programs as driver licensing, payment of taxes, or protection of personal health information.(9) As evidenced in the recently released GAO report on PKI technology, which we attach as part of the record, the federal government is increasingly using and promoting PKI technology for many electronic government applications ranging from the protection of health care information to patent applications.
Where it can provide leadership in adopting and utilizing these technologies, the government should continue its efforts toward adoption of a PKI infrastructure. For example, government can lead in avoiding market fragmentation resulting from multiple competing standards for PKI solutions by steadfastly encouraging interoperability of government PKI systems. Likewise, the suggestion in the GAO report of the development of PKI policy and guidance that would promote federal government use of PKI should be considered. Such leadership by the government ultimately will result in use of PKI in providing consumers with legally required notices. The GAO report recommends the establishment a government-wide framework beyond existing pilot programs to provide agencies with greater direction for implementing PKI technology.
V. ESIGN'S PREEMPTION STANDARD WITH RESPECT TO CONSUMER NOTIFICATION CREATES CONFUSION IN THE MARKETPLACE.
Finally, the Commission asks for additional issues that should be considered during the study as well as what improvement Congress could make to the statutory language of § 101(c)(1)(C)(ii). Preemption of state law as it relates to the consumer consent provisions of this section is the subject of considerable uncertainty. This raises the possibility that different consumer consent requirements could apply to e-commerce agreements and notices. Such an outcome in the borderless electronic environment may prove unworkable. Differing standards may also prove to be an impediment to adoption of PKI or similar secure technologies. We describe the uncertainty below.
Section 101(b)(1) of ESIGN leaves state consumer notification requirements intact. To the extent that a state has adopted the 1999 model Uniform Electronic Transactions Act ("UETA") or a modified version of UETA or other law that is consistent with ESIGN, this state law will apply, establishing the legal consumer notification requirements. §§ 102(a)(1) and 102(a)(2)(A).
UETA provides that evidence of an agreement between parties may be inferred from the context and the surrounding circumstances, which may include the parties' conduct in a transaction. § 5(b). UETA requires neither the type of affirmative consumer consent nor certain disclosures mandated in ESIGN. Transactions conducted in states that have adopted the model UETA would not be required to follow the ESIGN consent provision, but rather would be required to follow the laws and regulations within those states.(10)
UETA, in one form or another, has been adopted in 23 states and is being considered by more than 20 other states during the 2001 legislative session. As a result, the fact that ESIGN's consumer disclosure provision may not apply and would be superseded by state consumer notification requirements gives rise to some degree of continuing non-uniformity on a national level.
Further uncertainty about what law applies in this context is present in states that adopt the Uniform Computer Information Transactions Act ("UCITA"). UCITA provides substantive procedural and attribution rules governing commercial electronic contracts for computer information or informational rights in computer information, including specific notice requirements for different types of consumer transactions such as mass-market licenses (section 209). UCITA's consumer disclosure requirements differ based on the type of transaction. In this context, clarification of what law applies to consumer notices would be helpful.
While the use of PKI and similar technologies will likely become commonplace and may ultimately entirely replace paper notices in the postal service world, effective technologies need to be adopted to ensure authentication, confidentiality, and non-repudiation. The most effective means of ensuring that consumers receive legally required information is through a public key infrastructure framework.
Where government recognizes an important policy objective, it should act. While ultimately the marketplace will determine which technologies succeed or fail, there may be an important role for the government to play in providing incentives for the adoption of such technologies, which would provide the important characteristics present in PKI.
1. 66 Fed. Reg. 10011 (Feb. 13, 2001).
2. 146 Cong. Rec. S5230 (daily ed. June 15, 2000) (statements of Sens. Hollings, Wyden, and Sarbanes).
3. "At the heart of these provisions is the concern--shared by many in the industry as well--that electronic communication, e-mail, is not as reliable or as ubiquitous as traditional first-class mail. Until advances in electronic mail technology eliminate such concerns and until the vast majority of Americans are comfortable using the technology of the New Economy, consent to use electronic records requires special care and attention." 146 Cong. Rec. S5216 (daily ed. June 15, 2000) (statement of Sen. Wyden).
4. A more detailed description of how these technologies work is set forth in the attached GAO study entitled "Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology" Report to the Chairman, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Committee on Government Reform, House of Representatives (Feb. 2001). OMB has identified categories of transactions that could require security assurances provided by PKI. Included are "transactions in which the party is fulfilling a legal responsibility that, if not performed, creates a legal liability." Report at 20.
5. 66 Fed. Reg at 10013, questions 25 & 26.
6. The legislative history reveals that this provision was "intended to prevent a state from giving a leg up or impos[ing] an additional burden on one technology or technical specification that is not applicable to others. " 146 Cong. Rec. S5285 (daily ed. June 16, 2000) (statement of Sen. Abraham).
7. The legislative history further reveals, however, that the provision was not intended "to prevent a state...from developing, establishing, using or certifying a certificate authority system." Id.
8. Sections 102(b), 104(b)(4).
10. 146 Cong. Rec. S5221-22 (daily ed. June 15, 2000) (statement of Sen. Leahy).