Page 1

drt 6455 eCommerce Law, lesson 2 – Legal Security Management
Example of An Act to Establish a Legal Framework for IT

Associate professor, Faculty of Law, University of Montreal
University of Montreal Chair in e-Security and e-Business Law
www.gautrais.com

Page 2

An Act to establish a legal framework for information technology (Quebec)

(L.R.Q., c. C-1.1)

Page 3

Know your Law: Guide Respecting the Management of Technology-based Documents – An Act to establish a legal framework for information technology (R.S.Q., c. C-1.1) (11/2005)

Original French title: Afin d'y voir clair – Guide relatif à la gestion des documents technologiques

Page 4

Plan

1 – Legal change, new legislation … a guide

2 – Guiding Principles of the Act

3 – Managing technology-based documents in a secure manner

4 – Use of technology-based documents as evidence

5 – Legal Management of Digital Signature

Page 5

Part 1

Page 6

2.1 Illustrations of innovation

• New risks
• New technologies
• New advantages
• New inconveniences
• New objectives
• New words
• New laws

Page 7

2.1.A New risks

• Ignorance
• Immateriality
• Habits
• Obscurity
• Internationality
• Identification of document attributes
  – Confidentiality
  – Authentication
  – Non-repudiation
  – Availability
  – Integrity

Page 8

2.1.B new technologies

• technology-based document

• Email = technology-based address

• Internet

• « Log »

• Identifier

• etc.

Page 9

2.1.C new advantages

• Quick

• Efficient

• Transportable

• Immaterial

Page 10

2.1.D New inconveniences

• Quick
• Immaterial
• New
• Habit
• Multiplicity
• Effectivity
  – The law is not clear (EX: s. 34)
    34. « Where the information contained in a document is declared by law to be confidential, confidentiality must be protected by means appropriate to the mode of transmission, including on a communication network. »
  – The law is difficult to apply

Page 11

2.1.E New objectives

• Remove barriers to eCommerce
  – EX: writing
  – EX: signature
  – EX: original
• Precise security
  – EX: email / SMS
  – EX: what does it mean to be secure?
• Protect people
  – EX: s. 29 AELFIT

Page 12

2.1.F New words

• document
• technology-based document
• identifier
• transfer
• documentation
• certification
• life cycle
• etc.

Page 13

2.1.G New laws

• New
• Processual
  – EX: SOX (Section 404 and internal control)
  – EX: PIPEDA (Schedule 1)
  – EX: AELFIT

Page 14

Part 2

Page 15

2-2-A Technological neutrality

• The law does not favour one technology in particular
  – EX: Utah, Singapore, Italy, Portugal, Germany, etc.
  – EX: certification
• But the law needs to be a little prescriptive
  – Neutral does not mean silent
  – Silence in laws
    • EX: what is the meaning of « integrity »?
    • EX: s. 34 AELFIT

Page 16

2-2-A Technological neutrality

• United Nations Convention on the Use of Electronic Communications in International Contracts (2005)
  – 8.1. A communication or a contract shall not be denied validity or enforceability on the sole ground that it is in the form of an electronic communication.
  – 9.1. Nothing in this Convention requires a communication or a contract to be made or evidenced in any particular form.
• AELFIT
  – 5. The legal value of a document, particularly its capacity to produce legal effects and its admissibility as evidence, is neither increased nor diminished solely because of the medium or technology chosen.
• Chinese law
  – Article 7. The use of a data message as evidence may not be refused solely on the grounds of its creation, transmission, receipt or storage in electronic, optical, magnetic or other similar fo

Page 17

2-2-B Functional equivalent

• Identify the functions of paper and transpose them to the electronic medium
  – Finding a criterion transposable to each concept:
    • Document
    • Writing
    • Signature
    • Original
    • Copy

Page 18

2-2-C Integrity

• Main criterion which gives some « legal value » to a document
  – Evidence
    • Admissibility
    • Probative force
  – But what is it?

Page 19

writing

• AELFIT (L.R.Q., c. C-1.1) art. 5

• (2) A document whose integrity is ensured has the same legal value whether it is a paper document or a document in any other medium, insofar as, in the case of a technology-based document, it otherwise complies with the legal rules applicable to paper documents.

• (…)

• Where the law requires the use of a document, the requirement may be met by a technology-based document whose integrity is ensured.

Page 20

2839 CCQ

2839. The integrity of a document is ensured if it is possible to verify that the information it contains has not been altered and has been maintained in its entirety, and that the medium used provides stability and the required perennity to the information.

Page 21

2-2-D Writing

• Examples of laws requiring a written form
  – s. 13(4) Copyright Act
  – s. 19 Consumer Protection Act (Ontario)
  – Consumer Protection Act (Quebec)
• What are the functions of writing? (see UNCITRAL Model Law on Electronic Commerce with Guide to Enactment (1996))

Page 22

writing

48. In the preparation of the Model Law, particular attention was paid to the functions traditionally performed by various kinds of “writings” in a paper-based environment. For example, the following nonexhaustive list indicates reasons why national laws require the use of “writings”: (1) to ensure that there would be tangible evidence of the existence and nature of the intent of the parties to bind themselves; (2) to help the parties be aware of the consequences of their entering into a contract; (3) to provide that a document would be legible by all; (4) to provide that a document would remain unaltered over time and provide a permanent record of a transaction; (5) to allow for the reproduction of a document so that each party would hold a copy of the same data; (6) to allow for the authentication of data by means of a signature; (7) to provide that a document would be in a form acceptable to public authorities and courts; (8) to finalize the intent of the author of the “writing” and provide a record of that intent; (9) to allow for the easy storage of data in a tangible form; (10) to facilitate control and subsequent audit for accounting, tax or regulatory purposes; and (11) to bring legal rights and obligations into existence in those cases where a “writing” was required for validity purposes.

Page 23

writing

• UNCITRAL Model Law criterion: article 6, « usable for subsequent reference »
  – As in Ontario
  – And in REC (rest of Canada)
  – As in the United Nations Convention on the Use of Electronic Communications in International Contracts (2005)
    • 9.2. Where the law requires that a communication or a contract should be in writing, or provides consequences for the absence of a writing, that requirement is met by an electronic communication if the information contained therein is accessible so as to be usable for subsequent reference.

Page 24

writing

French law (March 12th, 2000)

http://www.legifrance.gouv.fr/citoyen/jorf_nor.ow?numjo=JUSX9900020L

Art. 1316-1. A writing in electronic form is admissible as evidence on the same basis as a writing on paper, provided that the person from whom it originates can be duly identified and that it is created and preserved under conditions of a nature to guarantee its integrity. (Translated from the French.)

Page 25

writing

• Problem with the « usable for subsequent reference » criterion
  – EX: arbitration clause (2640 CCQ)
  – EX: CPA
  – No way to be aware (criterion number 2)
• Problem with the integrity criterion too
• Problem with distinct criteria
  – Integrity
  – Usable for subsequent reference
  – Visible form (UK)
  – Record (UETA)

Page 26

2-2-E Signature

• 2827 CCQ: A signature is the affixing by a person, to a writing, of his name or the distinctive mark which he regularly uses to signify his intention.
• Limitations concerning the use of biometrics in AELFIT, s. 44
  – No obligation
  – Finality
  – Destruction
  – Transparency towards the Information Access Commission (CAI)
  – Etc.

Page 27

signature

Electronic signature: is it reliable? Is it legal?

Page 28

signature

Difficult to say:
1) because the definition is not so clear;
2) because the contract declines every liability.

Page 29

signature

Liability is a legal concept.

Page 30

signature

Signature is too …

Page 31

signature

1) Identity of the signatory
2) Intention to sign

Page 32

signature

United Nations Convention on the Use of Electronic Communications in International Contracts (2005)

9.3. Where the law requires that a communication or a contract should be signed by a party, or provides consequences for the absence of a signature, that requirement is met in relation to an electronic communication if:
• (a) A method is used to identify the party and to indicate that party’s intention in respect of the information contained in the electronic communication;

Page 33

signature

• Same in Quebec: Civil Code of Quebec (1994) (2827 CCQ)
• Ontario and Electronic Commerce Act (2000)
• British Columbia and Electronic Transactions Act (2001)
• China
  – Article 2. All references to an "electronic signature" in this law are to electronic data that are contained in or attached to a data message and are used to identify the signatory and indicate its endorsement of the contents of such data message.

But there is another criterion.

Page 34

signature

United Nations Convention on the Use of Electronic Communications in International Contracts (2005)

9.3. (…) and (b) The method used is (…):
(i) As reliable as appropriate for the purpose for which the electronic communication was generated or communicated, in the light of all the circumstances, including any relevant agreement;

Page 35

signature

Ontario and Electronic Commerce Act

(…)
• (a) the electronic signature is reliable for the purpose of identifying the person; and
• (b) the association of the electronic signature with the relevant electronic document is reliable.

Page 36

signature

British Columbia and Electronic Transactions Act

(…)
• 21(d) prescribing records or classes of records for which a requirement under law for the signature of a person must be satisfied by an electronic signature and proof that, in view of all the circumstances including any relevant agreement and the time the electronic signature was made,
  • (i) the electronic signature is reliable for the purpose of identifying the person, and

Page 37

signature

Uniform Electronic Transactions Act (USA)

“the use of security procedures is simply one method for proving the source or content of an electronic record or signature. A security procedure may be technologically very sophisticated, such as an asymmetric cryptographic system. At the other extreme the security procedure may be as simple as a telephone call to confirm the identity of the sender through another channel of communication. It may include the use of a mother's maiden name or a personal identification number (PIN). Each of these examples is a method for confirming the identity of a person or accuracy of a message.”

Page 38

signature

Reliability?

Security procedure?

Page 39

signature

The contract declines its liability.

Page 40

Page 41

signature

information = oxygen

Page 42

signature

If no liability = no security

Page 43

2-2-F Original

• AELFIT (L.R.Q., c. C-1.1) s. 12

12. A technology-based document may fulfil the functions of an original. To that end, the integrity of the document must be ensured and, where the desired function is to establish
1) that the document is the source document from which copies are made, the components of the source document must be retained so that they may subsequently be used as a reference;
2) that the document is unique, its components or its medium must be structured by a process that makes it possible to verify that the document is unique, in particular through the inclusion of an exclusive or distinctive component or the exclusion of any form of reproduction;
3) that the document is the first form of a document linked to a person, its components or its medium must be structured by a process that makes it possible to verify that the document is unique, to identify the person with whom the document is linked and to maintain the link throughout the life cycle of the document.

Page 44

original

a) Source document = integrity
   EX: signed contract

Page 45

original

b) Single document = integrity + application
   EX: bill of lading

Page 46

original

c) First form of a document linked to a person = integrity + application
   EX: will

Page 47

Part 3

Page 48

2-3 Managing technology-based documents in a secure manner

• Transfer
• Retention
• Accessibility
• Transmission

Page 49

transfer

• Definition: to change a technology-based document from one medium to another.
• Example: an enterprise digitizes piles of paper onto a couple of CDs.
• Legal conditions:
  – 1) documentation of WHO – WHAT – HOW;
  – 2) ensure integrity.

Page 50

retention

• Definition: to store documents so that they can be found later.
• Examples:
  – a consumer buys a product online;
  – for administrative or taxation reasons, an enterprise needs to retain a large number of documents, sometimes for 3, 6 or 10 years.
• Legal conditions:
  – 1) Designate an assigned person, within the organization, for security matters, or sub-contract to a third-party service.
  – 2) Ensure that the documents kept are:
    • complete;
    • available throughout the time they are retained.
  – 3) Ensure that the assigned person who modifies a retained document, and thus knowingly compromises the integrity of the document, explains in the document itself:
    • WHO
    • WHAT
    • HOW
    • WHEN

Page 51

consultation

• Definition: to make a document available in intelligible form to the authorized persons.
• Examples:
  – PIPEDA / all privacy protection acts
  – Securities Act
• Legal conditions:
  – intelligible, legible;
  – freedom to choose paper or electronic;
  – organization of access to confidential documents:
    • limiting access;
    • identifying an assigned person;
    • ensuring it is impossible to do an extensive search;
    • setting up a secure system;
    • respecting the conditions about confidential documents.

Page 52

transmission

• Definition: to send a document from one person to another.
• Examples:
  – Email
  – EDI
  – SMS
• Legal conditions, for a sent document to have the same validity as the received document:
  – Ensure integrity + documentation.
  – Assume that a technology-based document is sent when the sender no longer has control over it (for example, with a transmission slip).
  – Assume that a technology-based document is received when it is available to the recipient (for example, with an acknowledgement of receipt).
  – Ensure that a technology-based document with confidential information:
    • used an appropriate method;
    • transmission is documented.
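The transfer and retention slides above (pages 49 and 50) both reduce to the same two duties: document WHO did WHAT, HOW and WHEN, and keep the document in a state where its integrity can later be verified (2839 CCQ: it must be possible to verify that the information has not been altered). The following Go program is an added example, not code from the lecture or from the Act, of what such a documentation trail can look like in practice. It assumes a SHA-256 digest as the means of verification (the Act names no particular means), and all names, dates and document contents are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record is one entry of the documentation the Act asks for: WHO did WHAT,
// HOW and WHEN, plus the digest of the document content after the operation,
// which is what makes a later integrity check possible.
type Record struct {
	Who    string
	What   string
	How    string
	When   time.Time
	Digest string // hex-encoded SHA-256 of Content after this operation
}

// Document is a retained technology-based document with its trail of records.
type Document struct {
	Content []byte
	Trail   []Record
}

// digest returns the hex SHA-256 of b (the assumed verification means).
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Transfer records the move of a document onto a new medium (for example a
// scan of a paper original) together with WHO did it and HOW.
func Transfer(src []byte, who, how string, when time.Time) *Document {
	d := &Document{Content: append([]byte(nil), src...)}
	d.Trail = append(d.Trail, Record{Who: who, What: "transfer", How: how, When: when, Digest: digest(d.Content)})
	return d
}

// Modify is the documented way for the assigned person to change a retained
// document: the explanation (WHO, WHAT, HOW, WHEN) is written into the trail
// that travels with the document.
func (d *Document) Modify(newContent []byte, who, what, how string, when time.Time) {
	d.Content = append([]byte(nil), newContent...)
	d.Trail = append(d.Trail, Record{Who: who, What: what, How: how, When: when, Digest: digest(d.Content)})
}

// VerifyIntegrity reports whether the current content still matches the digest
// of the last documented operation. Any change made outside Modify, that is
// without documentation, makes it return false.
func (d *Document) VerifyIntegrity() bool {
	if len(d.Trail) == 0 {
		return false
	}
	return digest(d.Content) == d.Trail[len(d.Trail)-1].Digest
}

func main() {
	// Constructed sample: a scanned invoice, an undocumented edit, then a
	// documented correction by the assigned person.
	t0 := time.Date(2006, 1, 10, 9, 0, 0, 0, time.UTC)
	d := Transfer([]byte("invoice 42: 100 CAD"), "archivist A.B.", "scanned at 300 dpi, PDF/A", t0)
	fmt.Println("after transfer, integrity verifies:", d.VerifyIntegrity())

	d.Content[0] = 'X' // an alteration that bypassed the documented path
	fmt.Println("after silent edit, integrity verifies:", d.VerifyIntegrity())

	d.Modify([]byte("invoice 42: 100 CAD (corrected)"), "clerk C.D.", "correction of amount",
		"manual edit, approved by the assigned person", t0.Add(24*time.Hour))
	fmt.Println("after documented change, integrity verifies:", d.VerifyIntegrity())
	for _, r := range d.Trail {
		fmt.Printf("%s  %-15s %-22s %s\n", r.When.Format(time.RFC3339), r.Who, r.What, r.How)
	}
}
```

The point the program makes is the one the slides make: a digest alone does not satisfy the Act, and a log alone does not either. The record must say who changed what, how and when, and the digest stored in that record is what turns the statement "the integrity is ensured" into something a third party can check.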

Page 53

Part 4

Page 54

2-4 Evidence

evidence = integrity + identity

2 presumptions:
1) Environment
2) Documents from enterprises and the State

Page 55

evidence

• Is an email admissible?

Page 56

AELFIT

• Not sure…
  – Bélanger c. Future Électronique, 2005 QCCRT 0570
  – Citadelle, Cie d’assurance générale c. Montréal (Ville), 2005 IIJCan 24709 (QC C.S.)
  – Vandal c. Salvas, [2005] IIJCan 40771 (QC C.Q.)

Page 57

AELFIT

• Regulation helps
  – articles 63 and f…

63. A multidisciplinary committee shall be formed to promote the harmonization, both at the national and international levels, of the technical processes, systems, norms and standards established for the purposes of this Act. To that end, the Government shall, after consultation with the Bureau de normalisation du Québec, call upon persons from the business community, the information technology industry and the scientific and technical community, persons from the public, parapublic and municipal sectors and persons belonging to the professional orders, all of whom must have expertise in the field of information technology.

Page 58

Conclusion

Page 59

Principle 1: documentation

• transmission
• confidential documents
• retention
• transfer
• improve evidence

Page 60

2.5 Legal Management of Digital Signature

Image available at pst.libre.lu/mssi-luxmbg/p1/data-enc.gif

Page 61

2.5 Legal Management of Digital Signature

• 3 main legislative attitudes
  – Minimalist
    • UK
  – Prescriptive
    • Singapore
    • Portugal
    • Hungary
    • Hong Kong
    • Malaysia
    • Italy
    • Germany
  – Hybrid
    • Quebec
    • France
    • Etc.

Page 62

2.5 Legal Management of Digital Signature

• Substantive elements
  – Certificate
  – Documentation
    • Policy
    • CPS (Certification Practice Statement)
  – Participants
    • Signatory
    • Relying party
    • Certification authority
    • And others (such as auditor / accreditor / etc.)
  – Liability
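The substantive elements listed above (certificate, signatory, relying party, certification authority) are easier to reason about, liability included, once one sees what each participant actually does with the keys. The following Go program is an added example written for this page, not code from the lecture or from any of the statutes it cites. It uses Ed25519 from the Go standard library as the signature method (an assumption; the page names no algorithm), a deliberately minimal certificate format (subject name and public key, signed by the CA), and constructed names and document contents. It shows the two checks a relying party performs, which map onto the two criteria of s. 9.3 quoted earlier: a method that identifies the party (the certificate chains to a trusted certification authority) and indicates that party's intention in respect of exactly this document (the signature verifies over these bytes and no others).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate binds a signatory's name to a public key. The certification
// authority vouches for that binding by signing it with its own key.
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

// certBytes is the byte string the CA signs: subject name, a separator, key.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// CA is the certification authority; relying parties are configured to trust CA.Pub.
type CA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{priv: priv, Pub: pub}, nil
}

// Issue certifies that pub belongs to subject. In a real CPS this is where the
// identity checks the CA is liable for would take place.
func (ca *CA) Issue(subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: pub, CASig: ed25519.Sign(ca.priv, certBytes(subject, pub))}
}

// Signatory holds a private key and the certificate the CA issued for it.
type Signatory struct {
	priv ed25519.PrivateKey
	Cert Certificate
}

func NewSignatory(name string, ca *CA) (*Signatory, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signatory{priv: priv, Cert: ca.Issue(name, pub)}, nil
}

// Sign produces the signatory's signature over the document bytes.
func (s *Signatory) Sign(doc []byte) []byte {
	return ed25519.Sign(s.priv, doc)
}

// Verify is the relying party's check: (1) the certificate was issued by the
// trusted CA, so the name in it identifies the party; (2) the signature was
// made with that party's key over exactly this document.
func Verify(trustedCA ed25519.PublicKey, cert Certificate, doc, sig []byte) error {
	if !ed25519.Verify(trustedCA, certBytes(cert.Subject, cert.PubKey), cert.CASig) {
		return errors.New("certificate was not issued by the trusted certification authority")
	}
	if !ed25519.Verify(cert.PubKey, doc, sig) {
		return errors.New("signature does not match the document (altered text or wrong signer)")
	}
	return nil
}

func main() {
	// Constructed scenario: one trusted CA, one signatory, one relying party.
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	alice, err := NewSignatory("Alice Tremblay", ca)
	if err != nil {
		panic(err)
	}
	doc := []byte("I accept the terms of contract no. 17")
	sig := alice.Sign(doc)

	fmt.Println("genuine document:", Verify(ca.Pub, alice.Cert, doc, sig))
	fmt.Println("altered document:", Verify(ca.Pub, alice.Cert, []byte("I accept the terms of contract no. 18"), sig))

	// A relying party that trusts a different CA cannot identify Alice at all.
	other, _ := NewCA()
	fmt.Println("untrusted CA:", Verify(other.Pub, alice.Cert, doc, sig))
}
```

Two things follow for the liability discussion on the next slides. The relying party's result is only as good as the CA it chose to trust, which is why the CPS and the external assessment of the CA matter; and the signatory's intention is bound to the exact bytes signed, so any change to the document, even by one character, produces a document that nobody has signed.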

Page 63

2.5 Legal Management of Digital Signature

• Procedural elements
  – Entities responsible for controlling the certification process
    • Auditor
    • Accreditor
    • Certificator
    • Etc.
  – Documentation
    • External assessment documentation
    • Internal assessment documentation

Page 64

Ex. of complexity