DRT 6455 eCommerce Law, lesson 2 – Legal Security Management: Example of An Act to Establish a Legal Framework for IT
DRT 6455 eCommerce Law, lesson 2 – Legal Security Management
Example of An Act to Establish a Legal Framework for IT
Associate professor, Faculty of Law, University of Montreal
University of Montreal Chair in e-Security and e-Business Law
www.gautrais.com
An Act to establish a legal framework for information technology (Quebec)
(L.R.Q. c. C-1.1)
Know your Law: Guide Respecting the Management of Technology-based Documents – An Act to establish a legal framework for information technology (R.S.Q., c. C-1.1) (11/2005)
French edition: Afin d'y voir clair – Guide relatif à la gestion des documents technologiques (To see clearly – Guide on the management of technology-based documents)
Plan
1 – Legal change, new legislation … a guide
2 – Guiding Principles of the Act
3 – Managing technology-based documents in a secure manner
4 – Use of technology-based documents as evidence
5 – Legal Management of Digital Signature
1 – Legal change, new legislation … a guide
2.1 illustrations of innovation
• New risks
• New technologies
• New advantages
• New inconveniences
• New objectives
• New words
• New laws
2.1.A new risks
• Ignorance
• Immateriality
• Habits
• Obscurity
• Internationality
• Identification of document attributes
 – Confidentiality
 – Authentication
 – Non-repudiation
 – Availability
 – Integrity
2.1.B new technologies
• technology-based document
• Email = technology-based address
• Internet
• « Log »
• Identifier
• etc.
2.1.C new advantages
• Quick
• Efficient
• Transportable
• Immaterial
2.1.D new inconveniences
• Quick
• Immaterial
• New
• Habit
• Multiplicity
• Effectivity
 – The law is not clear (EX: s. 34 AELFIT)
 34. « Where the information contained in a document is declared by law to be confidential, confidentiality must be protected by means appropriate to the mode of transmission, including on a communication network. »
 – The law is difficult to apply
2.1.E new objectives
• Remove barriers to eCommerce – EX: writing; EX: signature; EX: original
• Precise security – EX: email / SMS; EX: what does it mean to be secure?
• Protect people – EX: s. 29 AELFIT
2.1.F new words
• technology-based document
• document
• life cycle
• certification
• documentation
• transfer
• identifier
• etc.
2.1.G new laws
• New
• Procedural
 – EX: SOX (Section 404 and internal control)
 – EX: PIPEDA (Schedule 1)
 – EX: AELFIT
2 – Guiding Principles of the Act
2-2-A Technological neutrality
• The law doesn't favour one technology in particular – EX: Utah, Singapore, Italy, Portugal, Germany, etc.; EX: certification
• But the law needs to be a little prescriptive – neutral doesn't mean silent; silence in laws
 – EX: What is the meaning of « integrity »?
 – EX: s. 34 AELFIT
2-2-A Technological neutrality
• United Nations Convention on the Use of Electronic Communications in International Contracts (2005)
 – 8.1. A communication or a contract shall not be denied validity or enforceability on the sole ground that it is in the form of an electronic communication.
 – 9.1. Nothing in this Convention requires a communication or a contract to be made or evidenced in any particular form.
• AELFIT – 5. The legal value of a document, particularly its capacity to produce legal effects and its admissibility as evidence, is neither increased nor diminished solely because of the medium or technology chosen.
• Chinese Law – Article 7. The use of a data message as evidence may not be refused solely on the grounds of its creation, transmission, receipt or storage in electronic, optical, magnetic or other similar forms.
2-2-B Functional equivalent
• Identify the functions of paper and transpose them to the electronic medium: find a transposable criterion for each concept
 – Document
 – Writing
 – Signature
 – Original
 – Copy
2-2-C integrity
• The main criterion which gives some « legal value » to a document
 – Evidence: admissibility; probative force
 – But what is it?
writing
• AELFIT (L.R.Q. c. C-1.1) art. 5
• (2) A document whose integrity is ensured has the same legal value whether it is a paper document or a document in any other medium, insofar as, in the case of a technology-based document, it otherwise complies with the legal rules applicable to paper documents.
• (…)
• Where the law requires the use of a document, the requirement may be met by a technology-based document whose integrity is ensured.
2839 CCQ: The integrity of a document is ensured if it is possible to verify that the information it contains has not been altered and has been maintained in its entirety, and that the medium used provides stability and the required perennity to the information.
2-2-D writing
• Examples of laws requiring a writing – s. 13(4) Copyright Act; s. 19 Consumer Protection Act (Ontario); Consumer Protection Act (Quebec)
• What are the functions of a writing? (see UNCITRAL Model Law on Electronic Commerce with Guide to Enactment (1996))
writing
48. In the preparation of the Model Law, particular attention was paid to the functions traditionally performed by various kinds of “writings” in a paper-based environment. For example, the following nonexhaustive list indicates reasons why national laws require the use of “writings”: (1) to ensure that there would be tangible evidence of the existence and nature of the intent of the parties to bind themselves; (2) to help the parties be aware of the consequences of their entering into a contract; (3) to provide that a document would be legible by all; (4) to provide that a document would remain unaltered over time and provide a permanent record of a transaction; (5) to allow for the reproduction of a document so that each party would hold a copy of the same data; (6) to allow for the authentication of data by means of a signature; (7) to provide that a document would be in a form acceptable to public authorities and courts; (8) to finalize the intent of the author of the “writing” and provide a record of that intent; (9) to allow for the easy storage of data in a tangible form; (10) to facilitate control and subsequent audit for accounting, tax or regulatory purposes; and (11) to bring legal rights and obligations into existence in those cases where a “writing” was required for validity purposes.
writing
• UNCITRAL Model Law criterion (article 6): usable for subsequent reference
• As in Ontario
• And in REC (est of Canada)
• As in the United Nations Convention on the Use of Electronic Communications in International Contracts (2005) – 9.2. Where the law requires that a communication or a contract should be in writing, or provides consequences for the absence of a writing, that requirement is met by an electronic communication if the information contained therein is accessible so as to be usable for subsequent reference.
writing
French Law (March 12th, 2000)
http://www.legifrance.gouv.fr/citoyen/jorf_nor.ow?numjo=JUSX9900020L
Art. 1316-1. – A writing in electronic form is admissible as evidence on the same basis as a writing on paper, provided that the person from whom it originates can be duly identified and that it is created and preserved under conditions of a nature to guarantee its integrity.
writing
• Problem with the « usable for subsequent reference » criterion
 – EX: arbitration clause (2640 CCQ)
 – EX: CPA
 – No way to be made aware (function number 2 in the UNCITRAL list)
• Problem with the integrity criterion too
• Problem with distinct criteria:
 – Integrity
 – Usable for subsequent reference
 – Visible form (UK)
 – Record (UETA)
2-2-E signature
• 2827 CCQ: A signature is the affixing by a person, to a writing, of his name or the distinctive mark which he regularly uses to signify his intention.
• Limitations concerning the use of biometrics in AELFIT, s. 44:
 – No obligation
 – Finality (purpose)
 – Destruction
 – Transparency towards the Information Access Commission (CAI)
 – Etc.
signature
• Electronic signature: is it reliable? Is it legal?
• Difficult to say:
 – because the definition is not so clear;
 – because the contract declines every liability.
• Liability is a legal concept
• A signature is too …
• 1) Identity of the signatory
• 2) Intention to sign
signature
United Nations Convention on the Use of Electronic Communications in International Contracts (2005)
9.3. Where the law requires that a communication or a contract should be signed by a party, or provides consequences for the absence of a signature, that requirement is met in relation to an electronic communication if:
• (a) A method is used to identify the party and to indicate that party’s intention in respect of the information contained in the electronic communication;
signature
• Same in Quebec: Civil Code of Quebec (1994), 2827 CCQ
• Ontario: Electronic Commerce Act (2000)
• British Columbia: Electronic Transactions Act (2001)
• China – Article 2. All references to an "electronic signature" in this law are to electronic data that are contained in or attached to a data message and are used to identify the signatory and indicate its endorsement of the contents of such data message.
But there is another criterion
signature
United Nations Convention on the Use of Electronic Communications in International Contracts (2005)
9.3. (…) and (b) The method used is (…): (i) As reliable as appropriate for the purpose for which the electronic communication was generated or communicated, in the light of all the circumstances, including any relevant agreement;
signature
Ontario: Electronic Commerce Act
(…) (a) the electronic signature is reliable for the purpose of identifying the person; and (b) the association of the electronic signature with the relevant electronic document is reliable.
signature
British Columbia: Electronic Transactions Act
(…) 21 (d) prescribing records or classes of records for which a requirement under law for the signature of a person must be satisfied by an electronic signature and proof that, in view of all the circumstances including any relevant agreement and the time the electronic signature was made, (i) the electronic signature is reliable for the purpose of identifying the person, and
signature
Uniform Electronic Transactions Act (USA)
“the use of security procedures is simply one method for proving the source or content of an electronic record or signature. A security procedure may be technologically very sophisticated, such as an asymmetric cryptographic system. At the other extreme the security procedure may be as simple as a telephone call to confirm the identity of the sender through another channel of communication. It may include the use of a mother's maiden name or a personal identification number (PIN). Each of these examples is a method for confirming the identity of a person or accuracy of a message.”
signature
Reliability? Security procedure?
signature
The contract declines its liability
signature
information = oxygen
signature
If no liability = no security
2-2-F original
• AELFIT (L.R.Q. c. C-1.1), s. 12
12. A technology-based document may fulfil the functions of an original. To that end, the integrity of the document must be ensured and, where the desired function is to establish
1) that the document is the source document from which copies are made, the components of the source document must be retained so that they may subsequently be used as a reference ;
2) that the document is unique, its components or its medium must be structured by a process that makes it possible to verify that the document is unique, in particular through the inclusion of an exclusive or distinctive component or the exclusion of any form of reproduction ;
3) that the document is the first form of a document linked to a person, its components or its medium must be structured by a process that makes it possible to verify that the document is unique, to identify the person with whom the document is linked and to maintain the link throughout the life cycle of the document.
original
a) source document = integrity – EX: signed contract
b) single (unique) document = integrity + application – EX: bill of lading
c) first form of a document linked to a person = integrity + application – EX: will
3 – Managing technology-based documents in a secure manner
2-3 Managing technology-based documents in a secure manner
• Transfer
• Retention
• Accessibility (consultation)
• Transmission
transfer
• Definition: to move a technology-based document from one medium to another.
• Example: an enterprise digitizes a large volume of paper onto a couple of CDs.
• Legal conditions:
 – 1) documentation: WHO – WHAT – HOW;
 – 2) ensure integrity.
retention
• Definition: to store documents so that they can be found later.
• Examples:
 – a consumer buys a product online;
 – for administrative or taxation reasons, an enterprise needs to retain a large number of documents, sometimes for 3, 6 or 10 years.
• Legal conditions:
 – 1) Designate an assigned person, within the organization, for security matters, or sub-contract to a third-party service.
 – 2) Ensure that the documents kept are complete and available throughout the time they are retained.
 – 3) Ensure that the assigned person who modifies a retained document, and thus knowingly compromises its integrity, explains in the document itself: WHO – WHAT – HOW – WHEN.
consultation
• Definition: to present a document in intelligible form to the authorized persons.
• Examples: PIPEDA and all privacy protection acts; Securities Act
• Legal conditions:
 – intelligible, legible;
 – freedom to choose paper or electronic;
 – organization of access to confidential documents: limiting access; identifying an assigned person; ensuring that an extensive (bulk) search is impossible; setting up a secure system; respecting the conditions attached to confidential documents.
transmission
• Definition: to send a document from one person to another.
• Examples: email, EDI, SMS
• Legal conditions, for a sent document to have the same validity as the received document:
 – ensure integrity + documentation;
 – a technology-based document is presumed sent when the sender no longer has control over it (for example, evidenced by a transmission slip);
 – a technology-based document is presumed received when it is available to the recipient (for example, evidenced by an acknowledgement of receipt);
 – for a technology-based document containing confidential information, use an appropriate method and document the transmission.
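What the conditions for transfer, retention and transmission above, together with the 2839 CCQ integrity test, amount to in practice is a journal that records WHO / WHAT / HOW / WHEN at each step alongside a cryptographic hash of the document, so that a later reader can verify the information was not altered. The following Python is an added example written for this edit, not code from the lecture or from the guide it discusses; the record format and field names, the choice of SHA-256 (the Act names no algorithm) and the scanned-invoice bytes are illustrative assumptions.

```python
import hashlib
import json
from typing import Optional

# Constructed sample (not from the lecture): the bytes produced by scanning a
# paper invoice to PDF. The content is arbitrary; only its hash matters here.
SCANNED_INVOICE = b"%PDF-1.4 ... invoice A-17, 2005-11-02, amount 1 250,00 $ ..."


def sha256_hex(data: bytes) -> str:
    """Integrity anchor for a document. SHA-256 is an assumption: the Act only
    requires that alteration be verifiable, it names no algorithm."""
    return hashlib.sha256(data).hexdigest()


def _entry(who: str, what: str, how: str, when: str, **extra) -> dict:
    """One journal line carrying the WHO / WHAT / HOW / WHEN documentation."""
    return {"who": who, "what": what, "how": how, "when": when, **extra}


def transfer(target: bytes, who: str, how: str, when: str,
             source_sha256: Optional[str] = None) -> dict:
    """Transfer = change of medium. The entry documents WHO/WHAT/HOW and anchors
    the hash of the result so integrity can be verified later. source_sha256 is
    given only when the source already existed in digital form; paper has none."""
    return _entry(who, "transfer", how, when,
                  source_sha256=source_sha256, sha256=sha256_hex(target))


def modify(new_content: bytes, who: str, how: str, when: str, journal: list) -> dict:
    """Retention: a knowing modification is explained in the record itself, with
    the hash before and after, so the change is documented rather than hidden."""
    entry = _entry(who, "modification", how, when,
                   previous_sha256=journal[-1]["sha256"],
                   sha256=sha256_hex(new_content))
    journal.append(entry)
    return entry


def integrity_ok(content: bytes, journal: list) -> bool:
    """2839 CCQ-style check: is the retained document the one described by the
    last journal entry, i.e. has the information been altered since?"""
    return bool(journal) and sha256_hex(content) == journal[-1]["sha256"]


def send(content: bytes, sender: str, recipient: str, how: str, when: str) -> dict:
    """Transmission slip: the document is presumed sent once the sender has lost
    control of it; the slip records what left, and its hash."""
    return _entry(sender, "sent", how, when, to=recipient, sha256=sha256_hex(content))


def acknowledge(received: bytes, slip: dict, recipient: str, when: str) -> dict:
    """Acknowledgement of receipt: presumed received when available to the
    recipient. Comparing hashes shows whether what arrived is what was sent."""
    got = sha256_hex(received)
    return _entry(recipient, "received", slip["how"], when,
                  of=slip["sha256"], sha256=got,
                  integrity_match=(got == slip["sha256"]))


def demo() -> dict:
    """Walk one document through transfer, retention and transmission."""
    journal = [transfer(SCANNED_INVOICE, who="records clerk",
                        how="scanner, 300 dpi, PDF/A",
                        when="2005-11-02T10:00:00+00:00")]
    intact = integrity_ok(SCANNED_INVOICE, journal)
    # A silent edit of the amount is detected: the hash no longer matches.
    tampered = integrity_ok(SCANNED_INVOICE.replace(b"1 250,00", b"1 750,00"), journal)
    # A documented annotation during retention keeps the journal consistent.
    corrected = SCANNED_INVOICE + b"\n% annotation: amount confirmed by supplier"
    modify(corrected, who="records clerk", how="annotation appended",
           when="2006-01-15T09:30:00+00:00", journal=journal)
    slip = send(corrected, "accounting", "supplier", "email attachment",
                "2006-01-15T09:45:00+00:00")
    ack = acknowledge(corrected, slip, "supplier", "2006-01-15T10:02:00+00:00")
    # A truncated attachment yields an acknowledgement whose hash does not match.
    truncated_ack = acknowledge(corrected[:-5], slip, "supplier",
                                "2006-01-15T10:02:00+00:00")
    return {"intact": intact, "tampered": tampered,
            "after_modification": integrity_ok(corrected, journal),
            "ack_match": ack["integrity_match"],
            "truncated_match": truncated_ack["integrity_match"],
            "journal": journal}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The journal is deliberately append-only: a modification during retention does not overwrite the transfer entry, it adds one that names the previous hash, which is what lets the document "explain in itself" who changed what, how and when. In a real deployment the journal would itself need protection (a signature over each entry, or storage the assigned person cannot silently edit); the hash alone only proves that the content matches the record, not who wrote the record.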
4 – Use of technology-based documents as evidence
2-4 evidence
• evidence = integrity + identity
• 2 presumptions: 1) environment; 2) documents from enterprises and the State
55
evidence
• Is an email admissible?
56
• Not sure…
 – Bélanger c. Future Électronique, 2005 QCCRT 0570
 – Citadelle, Cie d’assurance générale c. Montréal (Ville), 2005 IIJCan 24709 (QC C.S.)
 – Vandal c. Salvas, [2005] IIJCan 40771 (QC C.Q.)
AELFIT
57
• Regulation helps
 – s. 63 and following
 63. A multidisciplinary committee shall be formed to promote the harmonization, both at the national and international levels, of the technical processes, systems, norms and standards established for the purposes of this Act. To that end, the Government shall, after consultation with the Bureau de normalisation du Québec, call upon persons from the business community, the information technology industry and the scientific and technical community, persons from the public, parapublic and municipal sectors and persons belonging to the professional orders, all of whom must have expertise in the field of information technology.
AELFIT
58
conclusion
59
principle 1: documentation
• transmission
• confidential documents
• retention
• transfer
Documenting each of these improves evidence.
60
2.5 Legal Management of Digital Signature
[Image: pst.libre.lu/mssi-luxmbg/p1/data-enc.gif]
61
2.5 Legal Management of Digital Signature
• 3 main legislative attitudes
 – Minimalist: UK
 – Prescriptive: Singapore, Portugal, Hungary, Hong Kong, Malaysia, Italy, Germany
 – Hybrid: Quebec, France, etc.
62
2.5 Legal Management of Digital Signature
• Substantive elements
 – Certificate
 – Documentation: policy; CPS (Certification Practice Statement)
 – Participants: signatory; relying party; certification authority; and others (auditor, accreditor, etc.)
 – Liability
63
2.5 Legal Management of Digital Signature
• Procedural elements
 – Entities responsible for controlling the certification process: auditor; accreditor; certifier; etc.
 – Documentation: external assessment documentation; internal assessment documentation
64
Example of complexity