FEATURE
Stage III of the Review of the Electronic Transactions Act
The article details the scope of the final stage of review of the Electronic Transactions Act.
As outlined in the February 2004 Consultation Paper issued by the Attorney-General’s Chambers and the Infocomm Development Authority (‘IDA’), the last stage of the review of the Electronic Transactions Act (‘ETA’) will encompass principally electronic signatures and certification authorities.
The Stage III consultation paper has not yet been released but it is anticipated that it will cover the following areas:
• whether amendments to the ETA are necessary to accommodate new technologies relating to secure electronic signatures;
• whether amendments to the definition of related terms such as electronic record, electronic signature and digital signature are required;
• what the approach to the regulation of certification authorities1 should be, eg whether an accreditation scheme should be adopted instead of the current voluntary licensing scheme; and
• possible approaches to the recognition of foreign certification authorities.
Some miscellaneous areas like Part III (Liability of network service providers) and Part XI (Government Use of Electronic Records and Signatures) will probably also be included in the consultation.

Background Considerations
The main areas outlined above need to be covered because:
(a) the ETA provides that Public Key Infrastructure (‘PKI’) based digital signatures verified by reference to a public key listed in a certificate issued by a licensed or recognised Certification Authority (‘CA’) or a government entity are automatically considered to be ‘secure electronic signatures’. The ETA gives such ‘secure electronic signatures’ the additional benefit of two presumptions, namely that (i) the secure electronic signature is the signature of the person to whom it correlates; and (ii) the secure electronic signature was affixed by that person with the intention of signing or approving the electronic record. The ETA does not extend the same benefits to newer technologies like biometrics, which are already in use or planned for use by government agencies such as immigration and law enforcement, and by some financial institutions.
(b) the ETA was enacted before the UNCITRAL Model Law on Electronic Signatures 2001 (‘ML 2001’) was adopted. The definitions used in ML 2001 are similar but not identical and the main difference is that the ETA contains a definition for a ‘digital signature’ which is PKI specific.2 ML 2001 is not PKI-specific. The UNCITRAL Working Group IV (Electronic Commerce) is also working on a new electronic contracting draft convention which may necessitate further changes to the ETA to keep it in line with international developments. This electronic contracting draft convention will hopefully be finalised in October 2004 but may spill over to April 2005.
(c) it is not compulsory for a CA to be licensed in Singapore, and Singapore’s voluntary scheme is supposed to mitigate ‘over-regulating and stifling the CA industry and e-commerce that are in their budding stages’. However, only two CAs in Singapore have been licensed since the ETA came into force. One closed down on 14 June 2002 leaving currently only one licensed operating CA in Singapore, Netrust Pte Ltd, to be regulated by the Controller of Certification Authorities (‘CCA’). These regulatory overheads may be excessive given the current market for PKI.
(d) although the ETA provides that the Minister may by regulations provide for the CCA to recognise CAs outside Singapore, no such regulations have been passed yet. Parties can still expressly agree to use foreign digital signatures as a security procedure, and such foreign digital signatures will then qualify as secure electronic signatures. However, this presumes that the parties have already agreed beforehand to use the foreign digital signatures, so it cannot apply to new contractual relationships being formed for the first time.
Other International Developments
One of the main reasons for the review is also to ensure that Singapore’s legislation remains relevant as a result of changes in the market. The IDA has commissioned a study3 to analyse the current state of adoption of PKI in the USA, EU, Hong Kong, Japan and Australia, the factors behind the lack of widespread adoption of PKI worldwide and the potential impact on secure e-transactions in the future. The consultants will also provide an assessment of the current authentication technologies (standards and frameworks) in use and evaluate their adequacy in meeting marketplace demands (for government users, industry users, and consumers) for the next five years and provide a detailed analysis of Singapore’s framework for regulating CAs against the other countries listed above. It is hoped that the results will be available in time for the IDA to incorporate the findings into the Stage III consultation paper.
Canada and Malaysia are also planning to review their own electronic transactions legislation and will be watching Singapore’s review closely.

In the meantime, it is worthwhile looking at the Australian IT Security Forum’s (‘AITSF’) Position Statement on the ‘Best Use of PKI’, which was recently released at APECTEL 30. The AITSF noted that ‘The overwhelming experience of PKI in practice is that it delivers most value when used for automating paperless routine transactions between parties who have an existing business relationship.’ Rather than general purpose certificates, the AITSF advocates ‘Scheme-based PKI’, ie the deployment of multiple digital certificates in various forms, tightly coupled with (or embedded in) specific types of applications. It does not write off PKI, which can still offer unique benefits: it enables businesses to reduce the cost of investigation, forensics and dispute resolution, since ‘it is the only security technology that provides certainty of origin and integrity of electronic documents, over long periods of time, where multiple parties are involved’, and it enables totally paperless but secure transactions, since ‘digital signatures and certificates are machine readable, allowing the credentials of the sender to be bound to the message and verified automatically on receipt’.
In short, PKI still has its benefits and should not be thrown out just because the market has not adopted it wholeheartedly. However, the ETA should certainly be refreshed to take into account international developments (eg at UNCITRAL), new technologies (like biometrics and RFID), and to perhaps reduce the regulatory burden on CAs and Registration Authorities and thus the costs (eg by reducing the requirements for strict face-to-face proof of personal identity as part of the registration process and replacing it with automatic registration based on existing membership rules and status).
Current Status
The Stage III consultation paper will hopefully be released soon, and the public is likely to be given a two month period to submit responses. Eleven responses were received for the Stage I consultation, which closed on 15 March 2004; the Stage II consultation closed on 25 September 2004.
Ken Chia
Baker & McKenzie.Wong & Leow
E-mail: ken.chia@bakernet.com
Endnotes:
1 A CA is a trusted third party which issues digital certificates that bind the electronic identity of a user or organisation to that party’s public key. Before issuing a digital certificate, the CA performs an identity verification on the user or business entity. The CA acts like a trusted electronic notary: a relying party who trusts the CA can take the certificate as evidence of who holds the public key, and hence of who produced a digital signature that verifies against it.
2 ETA definition of digital signature: Electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer’s public key can accurately determine — whether the transformation was created using the private key that corresponds to the signer’s public key; and whether the initial electronic record has been altered since the transformation was made.
3 See IDA Tender Notice IDA (T)-395.
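The definition of ‘digital signature’ in endnote 2 above is mechanical, so it can be illustrated in code. The following Go program is an added example by the editor and is not part of the article or of any Singapore government or CA software: it uses an asymmetric cryptosystem (RSA-PSS from Go’s standard library) and a hash function (SHA-256) to create a ‘transformation’ of a constructed sample record, then shows the two determinations the ETA definition requires a verifier to be able to make, namely whether the transformation was created with the private key corresponding to the signer’s public key, and whether the record has been altered since. The key pair, the record and the ‘Mallory’ second key are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Keys is a signer's RSA key pair (assumed for this example). In the ETA
// definition the private key creates the "transformation" and the public
// key, which would be listed in the signer's CA certificate, is what a
// relying party verifies against.
type Keys struct {
	Priv *rsa.PrivateKey
}

// GenerateKeys creates a fresh 2048-bit RSA key pair.
func GenerateKeys() (*Keys, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Keys{Priv: priv}, nil
}

// Sign hashes the record with SHA-256 and signs the digest with RSA-PSS.
// Hashing first is what lets a fixed-size signature cover a record of any size.
func (k *Keys) Sign(record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPSS(rand.Reader, k.Priv, crypto.SHA256, digest[:], nil)
}

// Verify re-hashes the record the relying party holds and checks the
// signature against the claimed public key. It succeeds only when both ETA
// conditions hold at once: the signature was made with the matching private
// key AND the record is unchanged. A failure does not say which one broke.
func Verify(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Scenarios runs the three cases a relying party can meet and returns the
// verification result for each. The record text is a constructed sample.
func Scenarios() (map[string]bool, error) {
	alice, err := GenerateKeys() // the signer
	if err != nil {
		return nil, err
	}
	mallory, err := GenerateKeys() // an unrelated key pair (assumed attacker)
	if err != nil {
		return nil, err
	}
	record := []byte("Purchase order 42: 100 units at SGD 3.50, deliver by 30 Nov 2004")
	sig, err := alice.Sign(record)
	if err != nil {
		return nil, err
	}
	// One digit changed after signing: the hash, and so the check, no longer matches.
	altered := []byte("Purchase order 42: 100 units at SGD 3.05, deliver by 30 Nov 2004")
	// Same record, but signed with a private key that does not match Alice's public key.
	forged, err := mallory.Sign(record)
	if err != nil {
		return nil, err
	}
	pub := &alice.Priv.PublicKey
	return map[string]bool{
		"genuine":        Verify(pub, record, sig),
		"altered_record": Verify(pub, altered, sig),
		"wrong_key":      Verify(pub, record, forged),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "altered_record", "wrong_key"} {
		fmt.Printf("%-15s verified=%v\n", name, res[name])
	}
}
```

Only the ‘genuine’ case verifies; the altered record and the signature from the wrong key both fail. What the code cannot do is the step endnote 1 describes: it has no way of knowing that the public key belongs to ‘Alice’ at all. That binding between a verified identity and a public key is exactly what the CA’s certificate supplies, and it is the part of the scheme the ETA’s licensing and recognition rules regulate.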