March 27, 2001 The Honorable Donald S. Clark Digital Signature Trust Co., ("DST") welcomes the opportunity to respond to your request for comments on the ESIGN Act in general, and the specific provisions governing consumer consent or confirmation under that law. DST is one of the world's premier providers of online identification solutions for secure communications and electronic commerce. Established in 1996, DST was founded in response to the nation's first digital signature law, the Utah Digital Signature Act. DST is a subsidiary of Zions First National Bank, one the nation's best managed and highest performing banks in its class. As a result of its strict policies and procedures, inherited from its financial legacy, DST offers a level of risk management and risk absorption unequaled in the marketplace. DST's focus is on the implementation of Public Key Infrastructures (PKI) offering a variety of solutions including: certification authority, directory, token and time stamp software technologies. DST also provides consultation services to help customers decide which system is most appropriate for their implementation as well as assists conversions to alternate systems with little to no interruption of service. DST believes that digital signatures and PKI are integral parts to the creation of binding electronic transactions and the records that support those transactions. Our involvement with the development of electronic solutions provides DST with a unique perspective on the challenges faced by businesses and consumers as both groups move from traditional paper-based transactions to those conducted either totally or partially through electronic means. General Issues 1. How does the requirement of section 101(c)(1)(C)(ii) of the ESIGN Act, that businesses allow consumers an opportunity to provide consumer consent or confirmation of consent electronically prior to providing consumers electronic versions of information, affect electronic commerce? How will electronic commerce be affected in the future by this requirement? At the present time, it is premature to say how this requirement of ESIGN ultimately affects electronic commerce since the level of such commerce is relatively low and businesses are just beginning to deploy applications that address these issues. Systems are currently being designed to meet the consent requirement but we believe it is far too early to say that any particular approach is being taken. We are aware of several examples where credit card companies have already begun obtaining Section 101 consents and we expect that businesses will continue to experiment with various approaches to compliance. One possible effect of the consumer consent requirements is a tendency for business to err on the side of being overly conservative on the reading of this provision. Businesses may be prone to take simpler approaches to assure compliance, even if these may not provide the richness of experience for the consumer, which is available if more robust technology is used (e.g., simple e-mail or html pages as opposed to use of system-integrated, interactive techniques.) 2. What statutory changes, if any, should be made to the ESIGN Act to assist businesses and consumers in domestic and/or international business markets in implementing and adapting to the consumer consent and consent confirmation provisions under section 101(c)(1)(C)(ii) of the Act? As you are probably aware, state law (in the form of the Uniform Electronic Transactions Act or, "UETA") has taken a different approach to the issue of consumer consent (i.e., UETA does not specify a particular process for establishing consent and simply requires that the parties agree to conduct transactions by electronic means.) Some commentators have suggested that these differences in UETA have created potential traps for unwary consumers. See, e.g., Hillebrand and Saunders "E-Sign and UETA: What Should States do Now?" 5 Cyberspace Lawyer Jan. 2001; http://www.consumerlaw.org/e_sign.html. Given that the specific consent requirements have already removed a degree of flexibility, we believe that Congress should exercise significant restraint and refrain from imposing any additional burdens under 101(c)(1)(C)(ii) until further experience is gained with respect to practices used to obtain consumer consent. It may also be wise to reconsider the approach adopted by Congress in ESIGN and change the statute to reflect the decisions made by the drafters of UETA. 3. What, if any, are the benefits and burdens to consumers and electronic commerce resulting from the affirmative consent provisions in the statute? Do any such benefits outweigh any burdens? As you know, the ESIGN Act authorizes the use of electronic notices in lieu of paper notices in most communications with a consumer. We believe that not only does the move from paper to electronic notices improve efficiency and lower costs for all participants, it also provides a growing number of customers the information they want in the form and manner that they want to receive it. The consent provisions of ESIGN have been justified on the basis that consumers are protected through the Act's affirmative consent provision by assuring that consumers will have the ability to receive, keep and use such electronic notices. As is often the case when new processes and procedures for doing business begin to be deployed, participants in public policy debates are grounded in past historical events (which do not always produce relevant analogies). These "precedents" are then used to determine the kinds of potential harms that consumers need to be protected from. In the case of electronic transactions, consumer advocates claim (and ESIGN requires) that something more than a user's affirmative act to engage in electronic transactions is needed. That "something more" includes a demonstration of affirmative consent that has not been withdrawn and disclosure of certain rights before the consent is given (e.g., right to receive notices in paper, how to withdraw consent and any consequences of doing so, and how contact information can be updated). More problematic is the notion that consumers must be informed of hardware and software requirements, and that the manner of obtaining electronic consent must "reasonably demonstrate" that the consumer can access the information in the format that will be used to provide that information in the future. This kind of statutory drafting is a veritable treasure trove for disputes. While such requirements are not insurmountable, they do create a tendency for those obligated to comply to take the safest and simplest course for compliance which may not be in either the user's or the vendor's best interest. (For example, it is probably far more simpler to give the user all transactional documents, including required ESIGN disclosures, in paper form rather than creating online storage and retrieval systems which may trip-up the provider on compliance issues.) DST believes that market forces will continue to drive firms to provide services to users in a way that meets the needs of all customers, including those that may not fit the popular notion of the "typical" user of online services. For example, Internet users earning less than $25,000 a year make up the Web's fastest growing population, Nielsen//NetRatings says. The low-income group grew 46 percent -- 4.3 million to 6.3 million -- from February 2000 to February 2001. "As the cost of personal computers and Internet access continues to drop, the doors have opened for lower income groups to tap into the Web," said T. S. Kelly, director of Internet Media Strategies for NetRatings. In comparison, the Web's largest demographic group by income, the 30 million users who earn between $50,000-$74,999, jumped 42 percent in the same period. Business Issues 1. Describe in detail the method used to obtain electronic consumer consent. DST is a certification authority that issues digital certificates to consumers. DST uses a combination of online and off-line processes to interact with its customers during the certificate issuance process. While DST itself is not directly engaged in online transactions that require written notice because of "statute, regulation, or other rule of law," DST has committed to provide its customers with electronic notice. Prior to and separate from E-SIGN's consent requirements, DST implemented a process of providing certificate applicants with e-mail notices. When a DST customer initially enrolls with DST, she enters her e-mail address. Immediately upon application submission, DST sends a confirmation e-mail to the e-mail address provided by the applicant. The use of the applicant's e-mail serves a dual purpose in the DST system. In addition to providing electronic notice it also helps to "identify and authenticate" the individual (also known as I&A). In the event the e-mail message bounces back, DST declines the application. Part of the registration process also involves the delivery (by first class mail or to a confirmed phone number) of an activation code and the URL of a designated web page at which the applicant must enter the activation code. Demonstration of ability to access the information on the web is established when the applicant enters her activation code to receive a certificate. DST is also considering implementing the provisions of ESIGN that require the certificate subscriber to consent electronically, or confirm consent electronically, in a manner that demonstrates the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent. One problem this language creates is that DST already has the ability to establish that the customer receives notice. DST also has means to obtain the consent to receive notices electronically. DST feels that both can be performed separately, and it is unnecessary that the acts of consent or confirmation be tied to a demonstration. The remaining questions of this section regarding written notices and the pros and cons of electronic notices are generally not relevant to DST's business model. DST was created to take advantage of electronic commerce opportunities and most of its processes have been designed to be primarily online and use electronic processes to the greatest extent possible. Conclusion DST believes that a legislative and regulatory environment that offers both compliance flexibility and protection from demonstrable abuses of participants' rights best serves consumers and businesses. Given that we are in the early days of online commerce, it is premature to legislate approaches to disclosure prior to the development of these systems. It is also somewhat presumptive and protectionist that a "remedy" is created and imposed prior to any "problem" having arisen. While businesses and users will continue to explore new and creative ways to transact business, legislators and regulators should act with restraint and permit these electronic commerce systems to evolve to meet the needs of both businesses and their customers. Thank you again for the opportunity to comment and we look forward to participating in the April 3 roundtable. Sincerely, Thomas J. Greco |
