Comments on Consultation Paper on the Review of the Electronic Transaction Ordinance

  • Consultation Papers
  • 2002.04.30

Introduction

1. As a consumer advocate, the Council will confine its views, within the perspective of promoting consumer protection and competition, in relation to the following issues:

  • legal recognition of other forms of electronic signatures, construed as covering "delivery by electronic means" under the legal requirement of delivery by "post or in person"; and
  • the operation of the voluntary recognition scheme of certification authorities.

Legal recognition of other forms of electronic signature

2. The Council supports the proposal by the Government to consider other forms of authentication, such as a personal identification number (PIN), as an acceptable form of signature under the ETO. The Council also supports the Government's position of examining other means of authentication, such as biometrics, in the future, as the technology becomes more mature and related institutional support emerges in the market.

3. Notwithstanding the Council's support for the proposal to recognize PIN under the ETO, and even though PIN has been commonly used in banking transactions, an issue does arise as to the different safeguards that will apply as between PIN and digital signatures.

4. The current provisions of the ETO and the Code of Practice provide for safeguards in the establishment and maintenance of digital signatures through a trusted third party, i.e. the recognized 'certification authority'. A certification authority, due to the various obligations under the Code of Practice, auditing requirements, and the supervision of the Director of Information Technology Services, is able to ensure an appropriate degree of trustworthiness over a digital signature for consumers.

5. However, notwithstanding the legal recognition that will be given to PIN, there is not a similar degree of oversight for any companies creating and maintaining a data base of PIN for transaction purposes. For example, the Code of Practice for recognized certification authorities sets out detailed obligations as to

  • the publishing of information for public knowledge regarding matters such as liability, limitations on liability, and the rights and obligations of the recognized certification authority (Part 4);
  • the maintenance of a trustworthy system, in terms of maintaining a specified minimum standard of security controls over its operation (Part 5);
  • abiding by advertising standards, for certification services, that are decent, honest and truthful, fair and not misleading, and that claims shall be capable of independent substantiation (Clause 15.1);
  • the regular provision of an up-to-date and independent audit report regarding the trustworthiness of the certification system (Part 12).

6. The absence of similar requirements imposed on parties who maintain data bases of PIN for transaction purposes means that while PIN will have the same legal recognition as digital certificates issued by a certification authority, there will not be the same safeguards.

7. The consultation paper notes at paragraph 8 that "With proper management it [PIN] can be considered for acceptance as a form of electronic signatures for satisfying the signature requirement under law in specified cases where the level of security offered by it is commensurate with the risk of the service involved".

8. This suggests that some legislative standards should be set with regard to the proper management, i.e. creation, storage and use of PIN, for satisfying the legal signature requirement.

9. The consultation paper also notes that it is unlikely that a third party which collects the biometrics of subscribers on a community-wide basis for the purpose of authenticating the identity of subscribers in electronic transactions would emerge in the near future. While this might be the case, the Government could consider whether it should take the initiative and assist in the development of alternative authentication systems by

  • indicating generic criteria for biometric authentication systems to follow, as distinct from existing digital signatures to ensure that as biometric authentication systems are developed, they follow certain standards and are developed along lines that provide equally appropriate safeguards for users, whatever their technological basis; and
  • providing the Information Technology Services Department (ITSD) with a role of granting a license to any party that meets basic criteria in regard to safeguards, as found in the ETO. The certification that this entails will facilitate a level playing field for different technologies to compete with digital signatures by providing the suppliers of alternative services with a similar level of authority as digital signatures.

Legal Requirement of Delivery By "Post Or In Person"

10. The Council agrees that it is more efficient to add a new schedule to the Ordinance so that the Secretary may, by subsidiary legislation, specify in the new schedule legal provisions under which the requirement of "delivery by post or in person" will be automatically construed as covering "delivery by electronic means".

11. The Council suggests that in the future, as issues arise with regard to how provisions on electronic contract formation should be legislated, the document by the United Nations Commission on International Trade Law, "Legal Aspects of Electronic Commerce, Electronic Contracting: Provisions for A Draft Convention", can be used as a base for consideration of appropriate measures.

Operation of Voluntary Recognition Scheme of Certification Authorities (CA)

12. The Council agrees that the assessment report prepared by a qualified and independent person approved by the Director of ITSD should focus on matters regarding the trustworthiness of the certification service, including technical aspects and procedural issues.

13. The consultation paper suggests that self-declaration by an authorized person of the CA concerned, with regard to their compliance with other provisions (e.g. trade practices issues), should be adequate. However, having regard to the nature of such matters, it may also be necessary for the Director of ITSD or a designated agency to collect information about complaints on individual CAs regarding other 'non-trustworthiness' issues, which can be taken into consideration in annual reviews of CAs.

14. The Council also supports the proposal that the Director of ITSD should be given the authority to ask a recognized CA to furnish an assessment, to be prepared by a qualified person, when there are or will be major changes in elements related to the trustworthiness of the system.

Exemptions from certain provisions

15. The Council notes that the current provisions of the ETO provide exemptions for the Postmaster General from some legislative provisions. In particular, exemption from the provisions that allow for the Director of ITSD to revoke or suspend recognition of certificates issued by the Postmaster General.

16. The existence of the exemptions provides a degree of certainty for clients of the Postmaster General, insofar as the stability of digital signatures is concerned, that could translate into a competitive advantage for the Postmaster General over other recognised CAs.

17. The Council suggests that the Government should closely monitor the development of the market for electronic signature services by recognised CAs to assess:

  • whether it is likely that privately operated CAs are a viable concern; and
  • whether the exemption currently provided to the Postmaster General is contributing to any failure in this regard.