Journal of Law and Economics (مجلة القانون والاقتصادى), Issue 2, Part 6

Information about Journal of Law and Economics (مجلة القانون والاقتصادى), Issue 2, Part 6

Published on June 6, 2016

Author: legallab7

Source: slideshare.net

Content

POSSIBLE REGULATORY APPROACHES FOR AUTHENTICATION OF ELECTRONIC MESSAGE: A CRITIQUE OF THE CURRENT STATE OF EGYPTIAN LAW
Walaa A. Arakeeb, LL.M., S.J.D. (PhD) (USA), Faculty of Law – Tanta University

POSSIBLE REGULATORY APPROACHES FOR AUTHENTICATION OF ELECTRONIC MESSAGE: A CRITIQUE OF THE CURRENT STATE OF EGYPTIAN LAW

TABLE OF CONTENTS

I. INTRODUCTION: THE ISSUE DEFINED FOR EGYPT
II. DIFFERENT FORMS OF SIGNATURES AND LEGAL CONCERNS ASSOCIATED
  A. WRITTEN ("WET") SIGNATURE VERSUS ELECTRONIC ("DRY") SIGNATURE
  B. ELECTRONIC VERSUS DIGITAL SIGNATURES: LEGAL AND PRACTICAL IMPLICATIONS
III. THREE POSSIBLE AUTHENTICATION MODELS AND APPROACHES FOR EGYPTIAN CONSIDERATION
  A. MODEL: NO REGULATION
  B. REGULATORY INTERVENTION MODELS (E.G., UTAH, THE EGYPTIAN "E-SIGNATURE LAW," UNCITRAL, AND THE EU DIRECTIVE)
    1. The Technology-Specific Approach
      a. The American Bar Association's Digital-Signature Guidelines
      b. The Utah Digital Signature Act
      c. The Egyptian E-Signature Law
      d. UNCITRAL
    2. Preference for Digital Signature ("Technology-Preferred")
      a. EU Electronic-Signature Directive
      b. Electronic Transactions and Commerce Law No. 2 of 2002 in Dubai
  C. REGULATORY MARKET-ORIENTED, "HANDS-OFF" MODEL OR NEUTRAL APPROACH
    1. The Pedigrees of the Market-Oriented (Hands-Off) Solution in the U.S.
    2. The U.S. Regulatory Approach Opts for the Hands-Off Model or Neutral Approach
IV. THE EGYPTIAN E-SIGNATURE STATUTORY/REGULATORY APPROACH: INHERENTLY FLAWED (CRITIQUE OF THE CURRENT STATE OF EGYPTIAN LAW)
  A. THE TECHNICAL RISK OF CHOOSING PKI TECHNOLOGY
  B. PKI TECHNOLOGY RENDERS A FALSE SENSE OF SECURITY
  C. THE MYTH OF NONREPUDIATION
  D. NONINTEGRATED LIABILITY SCHEME
V. CONCLUSION

I. INTRODUCTION: THE ISSUE DEFINED FOR EGYPT

Civil Law countries such as Egypt and the United Arab Emirates traditionally have been statute/code-oriented. But today, in both Civil Law and Common Law countries,1 we live in a time when legislatures have emerged even more clearly as the dominant force in setting public policy and translating it into law.2 For present purposes, the commercialization of the Internet pushes countries and national law drafters to review their legal systems in light of new E-commerce applications and to come up with new statutory/regulatory approaches. Thus, it is not surprising that Egypt has tried to respond, by statute and regulation, to the new legal issues raised by E-commerce through the promulgation of the E-Signature Statute no. 15 of 2004 and its Executive Regulations no. 109 of 2005 (collectively, the E-Signature Law), for the primary purposes of removing barriers to and fueling the growth of E-commerce in Egypt. In considering appropriate legislation/regulation devoted to removing barriers to E-commerce, another major issue that arises is what type of electronic signature qualifies as a "signature" that meets statutory and regulatory signature requirements. Unfortunately, there is no uniform answer to this question.3 Typically, legislation has taken one of three apparently inconsistent approaches: (1) only a digital signature/PKI (technology-specific) satisfies legal signature requirements; (2) an electronic signature satisfies legal signature requirements only when it possesses certain security attributes, with additional legal validity or preference granted to digital signatures (technology-preferred); or (3) all electronic signatures (technology-neutral) satisfy legal signature requirements.
Egypt followed the first category of legislation,4 which focuses not only on the security attributes an electronic signature must possess in order to be enforceable as a signature under the Egyptian Evidence Law (E.E.L.), but also on the authentication technology used to create the signature itself. Statutes falling within this first category authorize the use of only a specific type of electronic signature (i.e., a digital signature/PKI) and
1 See ROBERT A. HILLMAN ET AL., COMMON LAW AND EQUITY UNDER THE UNIFORM COMMERCIAL CODE 1.01, at 1-2 (1985). 2 See ABNER J. MIKVA & ERIC LANE, LEGISLATIVE PROCESS 1 (1993). 3 See also Thomas J. Smedinghoff & Ruth Hill Bro, Moving with Change: Electronic Signature Legislation as a Vehicle for Advancing E-Commerce, 17 J. MARSHALL J. COMPUTER & INFO. L. 723, 763 (1999). 4 See Egyptian Electronic Signature Statute no. 15 of 2004 [hereinafter E-Signature Statute]; E-Signature Executive Regulations no. 109 of 2005 [hereinafter E-Signature Executive Regulations] [collectively E-Signature Law].

ignore the legal validity of the more general category of electronic signatures.

II. DIFFERENT FORMS OF SIGNATURES AND LEGAL CONCERNS ASSOCIATED

A. WRITTEN ("WET") SIGNATURE VERSUS ELECTRONIC ("DRY") SIGNATURE

The basic principle of the Egyptian Evidence Law (E.E.L.) no. 25 of 1968, as amended by Law no. 18 of 1999, is that the claimant must provide evidence to substantiate his claim and the evidence must be relevant to the action.5 The judge may not deliver judgment based on his personal knowledge of the facts; he must decide on the facts and evidence filed and on the provisions of the law. In the absence of any specific legal provision, the judge applies the Islamic doctrine of Sharia or, if traditional Sharia law is not applicable, a judgment based on custom and usage. There are two categories of documents under the Law of Evidence: official documents and unofficial documents. Significant legal consequences flow from a signature affixed to paper, but the concept of a signature has not been independently and adequately addressed under the E.E.L. rules.6 There is an Egyptian scholarly consensus7 that the signature is the only basic element required to render an unofficial document valid written evidence. The only statutory references to the signature indicate the legally acceptable manners of signing rather than exploring the essence of a signature or the implications of signing.8 Article 14 of the E.E.L. explicitly lists the acceptable signing methods (i.e., handwriting, stamp, or thumbprint) and presumes that an unofficial document has been issued by the purported signatory if he does not overtly deny what has been attributed to him.9 As a result, the definition of a signature remained overwhelmed by vagueness and ambiguity and was more related to its formalistic pedigree than to
5 See Egyptian Evidence Law no. 25 of 1968 and its Amendments no. 18 of 1999 [hereinafter E.E.L.].
Section 1 provides, "The creditor shall have to prove the obligation and the debtor shall have to prove acquittal thereof." See also E.E.L. § 2 ("The facts which are wanted to be proved must be related to the lawsuit, produced therein and possibly acceptable."). 6 See, e.g., id. § 14. 7 See, e.g., ABD EL-RAZAK EL-SANHURI, EL-WASIT, EVIDENCE & OBLIGATION'S CONSEQUENCES 180. 8 See E.E.L. § 14. 9 Id.

reflecting the charged person's intention to approve and authenticate the written document. Based on the above, it is evident that a document, whether official or unofficial, must be signed, stamped or thumb-printed, and that copies of documents, whether official or unofficial, are not recognized unless the original is available. The original is legally considered an original only if it too is signed, stamped, or thumb-printed by the relevant party. The requirements of the existing E.E.L., cited previously, make it risky to transact, sell, buy, communicate, acknowledge payments or forward payments through electronic means. In such cases, documents will not be considered signed, since an electronic signature is not recognized under the E.E.L.: it does not bear the handwriting, rubber stamp, or thumb-print of the concerned party. Any document issued or transacted electronically may be considered a copy or even a draft and therefore cannot stand as evidence, as there is no original to compare it to. As previously mentioned, there is nothing about electronic documents or electronic signatures in the E.E.L. The main problem lies in proving that a transaction has occurred, or in establishing evidence to prove it. In addition, problems arise in proving contractual agreements where a concerned party denies the validity of an electronic contract. There is no legal uncertainty if both parties recognize the contract and admit the same. In other words, if both parties agree to the terms and conditions of a contract transacted electronically and recognize it, the question of proof does not arise; the contract will be valid and both parties will have to adhere to the agreement they have made through electronic means, since each has mutually recognized it. The problem occurs when one party defaults or in the event of fraud, for then the question arises and proof must be established.
The absence of a default regulatory mechanism that regulates and gives value to electronic signatures and documents has considerably hindered E-commerce growth in Egypt, because an electronically signed document was seen as a mere copy or unsigned draft.

B. ELECTRONIC VERSUS DIGITAL SIGNATURES: LEGAL AND PRACTICAL IMPLICATIONS

Needless to say, signatures are a vital element in commerce. In paper-based contracts, handwritten signatures legally bind parties and signify authentication. Handwritten signatures, however, cannot be made online. Consequently, their equivalent function had to be developed for the

Internet. Digital and electronic signatures now fill the role in cyberspace that handwritten signatures fill with paper-based contracts. These two types of signature are different, however, and it is important to distinguish them.10 The terms "digital signature" and "electronic signature" have caused much confusion for Egyptian lawmakers because of the common misconception that they are synonymous. As a matter of fact, "electronic signature" is a generic, technology-neutral term that includes all of the various methods by which one can sign an electronic record. Although all electronic signatures are represented digitally (i.e., as a series of ones and zeroes), they can take many forms and can be created by many different technologies. Examples of electronic signatures include: a name typed at the end of an e-mail message by the sender; a digitized image of a handwritten signature attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics, or even a voice recording); a secret code or PIN (such as that used with ATM cards and credit cards) to identify the sender to the recipient; a code or "handle" that the sender of a message uses to identify himself; and a unique biometrics-based identifier, such as a fingerprint or a retinal scan.11 So, technically, an "electronic signature" is "data in electronic form which [is] attached to or [is] logically associated with other electronic data and which serve[s] as a method of authentication."12 Conversely, a digital signature13 is a particular kind of electronic signature produced with asymmetric (public-key) cryptography: the signer computes a cryptographic hash of the message and transforms it with a private key that only the signer holds, and anyone in possession of the corresponding public key can check that the result matches the message. (It is often loosely described as the signature being "encrypted" with the private key, but nothing is kept secret; it is the private-key operation that binds the signer to the data.) This sort of cryptography provides a level of certainty that the signature can be attributed to the holder of a particular private key, and through a certificate to a particular individual, and to the data to which it is attached, by providing a means of authenticating the signature.
Whereas a digital signature is a means of verifying and authenticating a document by having a computer create a unique value through the application of public-key cryptography, it does more than provide a means of identifying a specific signer: it also ensures that the signature is for a specific document and that the document has not been tampered with, since any change to the signed data causes verification to fail. A digital signature is thus one type of E-signature.
10 See Edward D. Kania, The ABA's Digital Signature Guidelines: An Imperfect Solution to Digital Signatures on the Internet, 7 COMMLAW CONSPECTUS 297, 300 (1999). 11 See Doherty v. Registry of Motor Vehicles, No. 97CV0050 (Mass. Dist. Ct. 1997), available at http://www.loundy.com/CASES/Doherty_v_RMV.html. 12 See Daniel J. Greenwood & Ray A. Campbell, Electronic Commerce Legislation: From Written on Paper and Signed in Ink to Electronic Records and Online Authentication, 53 BUS. LAW. 307, 309 (1997) (noting that more sophisticated authentication technologies will be available as technology continues to advance). 13 See W. Diffie & M.E. Hellman, New Directions in Cryptography, IEEE TRANSACTIONS ON INFORMATION THEORY, vol. IT-22, no. 6, Nov. 1976, at 644-54.
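To make these properties concrete, the following Go program is added here as an illustration; it is not code from the article, from any Egyptian certification authority, or from any statute. It sets up a hypothetical CA ("Example CA"), issues a certificate binding a signer's public key to a hypothetical name ("Alice"), signs the SHA-256 hash of a constructed sample message with her private key, and then performs the checks a relying party (or a court) would care about: the signature verifies over the document as received but fails once a single digit is altered, and a signature from an impostor who merely self-certifies the name "Alice" is rejected because that certificate does not chain to the trusted CA. RSA with PKCS#1 v1.5 padding is used only because it ships in Go's standard library; the Egyptian Executive Regulations are not assumed to prescribe it. The CA role previewed here is the one the article describes under UNCITRAL in Part III.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates an RSA key pair and a certificate for it: self-signed when
// parent is nil (the CA, and later the impostor), otherwise issued by the CA.
func issue(name string, isCA bool, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // hypothetical names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// sign hashes the document and signs the digest with the private key (RSA
// PKCS#1 v1.5); only the holder of that key can produce this value.
func sign(key *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verify is the relying party's check: the certificate must chain to a trusted
// CA (attribution of the key to a name), and the signature must verify over the
// document exactly as received (integrity). CheckSignature re-hashes doc itself.
func verify(doc, sig []byte, cert *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, doc, sig); err != nil {
		return fmt.Errorf("signature does not match document: %w", err)
	}
	return nil
}

// Result records whether each of the three verifications succeeded.
type Result struct{ Genuine, Tampered, Impostor bool }

// RunScenario sets up a CA, enrols "Alice", then verifies her signature, the
// same signature over an altered document, and a self-certified impostor.
func RunScenario() (Result, error) {
	caKey, caCert, err := issue("Example CA", true, 1, nil, nil)
	if err != nil {
		return Result{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	aliceKey, aliceCert, err := issue("Alice", false, 2, caCert, caKey)
	if err != nil {
		return Result{}, err
	}
	doc := []byte("Alice agrees to pay Bob L.E. 5000 on delivery.") // constructed sample
	sig, err := sign(aliceKey, doc)
	if err != nil {
		return Result{}, err
	}
	// Impostor: own key and a self-signed certificate that merely claims the name "Alice".
	malKey, malCert, err := issue("Alice", false, 3, nil, nil)
	if err != nil {
		return Result{}, err
	}
	malSig, err := sign(malKey, doc)
	if err != nil {
		return Result{}, err
	}
	var r Result
	r.Genuine = verify(doc, sig, aliceCert, roots) == nil
	// Changing one digit changes the hash, so Alice's signature no longer verifies.
	r.Tampered = verify([]byte("Alice agrees to pay Bob L.E. 50000 on delivery."), sig, aliceCert, roots) == nil
	// The impostor's certificate does not chain to the CA, so the relying party rejects it.
	r.Impostor = verify(doc, malSig, malCert, roots) == nil
	return r, nil
}

func main() { fmt.Println(RunScenario()) } // prints {true false false} <nil>
```

Run it with `go run`; the single output line summarizes the three checks. Note what the program does not establish: whether the CA was diligent in identifying Alice before issuing her certificate, and whether her private key really was under her sole control, are matters of procedure and evidence outside the mathematics, which is the gap the article's later critique of nonrepudiation addresses.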

The legal implications of following either the electronic or the digital signature approach lie simply in the legal acknowledgment of each technological and business approach. Legal systems that adopt a technology-neutral approach and give legal effect to electronic signatures treat a signature as any name, symbol or mark executed to reflect the signer's intent, without requiring a particular form or the use of a particular technology. This flexible perception of a signature is reflected in the way some regulatory acts define or otherwise deal with electronic signatures. For example, the UETA14 and the federal E-Sign Act15 focus on whether there is an intention to sign, and make no mention of the identification function of the signature.16 Both acts define an electronic signature as follows: "'Electronic signature' means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."17 Both acts stipulate that electronic signatures cannot be denied legal validity or effect solely because they are not in written form.18 Taking the opposite stance, the EU Directive19 and the Egyptian E-Signature Law attribute no significance to the intent to sign and deal only with the identification function. They stipulate that "electronic signature" means "[w]hat is on an electronically written message in the form of letters, digits, codes, signals or others and has a unique identity that identifies the signer and uniquely distinguishes him/her from others."20 Furthermore, the Egyptian E-Signature rules do not give legal effect to all kinds of electronic signatures; they require an electronic signature to adhere to the technical and technological rules set out in the Executive Regulations associated with the law.
By exploring these regulations, it is not hard to find that they are
14 See UNIFORM ELECTRONIC TRANSACTIONS ACT § 2(8) (1999), available at http://www.nccusl.org [hereinafter UETA]. 15 See Electronic Signatures in Global and National Commerce Act, Pub. L. No. 106-229, 114 Stat. 464 (2000) (to be codified at 15 U.S.C. § 7006(5)) [hereinafter E-Sign Act]. 16 An electronic signature is a piece of data that results from the use of a process that satisfies the criteria established in the French civil code and by the 1999 European Directive. For more information, visit http://www.fast.caissedesdepots.fr/_en/annexes/glossary.asp. 17 Federal E-Sign Act § 101(g); accord UETA § 2(8); see also Robert A. Wittie & Jane K. Winn, Electronic Records and Signatures Under the Federal E-Sign Legislation and the UETA, available at http://www.law.washington.edu/Directory/docs/Winn/Electronic%20Records%20and%20Signatures.htm. 18 See Michael Carlson, Will E-Sign Boost E-Commerce?, NW. FIN. REV., Sept. 9, 2000, available at http://www.faegre.com/articles/article_452.aspx. 19 See European Union Directive 1999/93/EC, A Community Framework for Electronic Signatures, 2000 O.J. (L 13), available at http://signatur.rtr.at/en/legal/directive.html [hereinafter Electronic Signature Directive]. 20 See E-Signature Law §§ 1(c), 14; see also Electronic Signature Directive § 5(2).

promulgated to endorse a particular type of asymmetric cryptography, which requires a developed system to manage public keys, referred to as a public key infrastructure (PKI), and entails a trusted third party known as a Certification Authority (CA). As a result, Egyptian courts will be invited to judge the validity and probative value of electronic signatures in light of the technology employed to create the signatures in question.

III. THREE POSSIBLE AUTHENTICATION MODELS AND APPROACHES FOR EGYPTIAN CONSIDERATION

A. MODEL: NO REGULATION

The non-regulatory approach proposes no legislative action and waits for disputes to arise, leaving it to judges to transform the legal landscape. However, many U.S. state laws and national contract laws worldwide traditionally require the contracting parties to affix their signatures to an agreement, both as acknowledgment of assent to the contract's terms and in order to evidence it properly. For example, Article 60 of the E.E.L.,21 Statutes of Frauds22 and similar laws require certain agreements to be memorialized in a signed writing, as a formal requirement or to facilitate proof of the contractual relation. A related problem raised by electronic contracts with unseen parties is the question of to whom an electronic signature, message or performance is attributed in law. Electronic forms of communication do not easily allow one party to verify the identity of another, or to know whether the person sending an electronic message or signature has the legal authority to bind the person or entity purporting to make the contract.23 As articulated above, a mere assertion that electronic signatures carry the desired legal validity is easily defeated by the realities of E-commerce.
Without a considerable amount of legal reform granting electronic signatures and electronic documents legal standing equal to handwritten signatures and written documents, serious doubts remain over the legality of E-commerce. Likewise, the need for laws governing electronic signatures arises from the benefits that electronic transactions can provide not only to contracting parties,
21 E.E.L. art. 60. 22 The UCC's Statute of Frauds provision, § 2-201, requires "some writing sufficient to indicate that a contract for sale has been made ... and signed by the party against whom enforcement is sought." Section 2-209 also requires a written signature. 23 See Holly K. Towle, Advanced Issues in Drafting and Updating Online Contracts and Website Disclaimers, 563 PLI/PAT 427, 435 (1999).

but also to the world economy as a whole. Without regulatory intervention, contracting parties do not take full advantage of electronic transactions, because of the uncertainty associated with the new electronic medium.24 Under the non-regulatory approach, a degree of uncertainty always remains regarding the legal validity of electronic commerce. Part of this uncertainty stems from the fact that the statutes of many states and countries, Egypt among them, require certain contracts to be signed by the obligated party. Additionally, the shortcomings of the non-regulatory approach to E-commerce may have negative ramifications, in that formalistic judges may decline to validate electronic signatures. Judges might prefer the simple calculus that a signature means paper and ink, perhaps out of ignorance of electronic commerce or out of blind application of traditional rules. Courts might also be uncomfortable with the fact that properly executed electronic signatures can satisfy all the underlying concerns for document integrity, authenticity, and the signers' intent to be bound. Commentators have likewise acknowledged that courts have not always been sensitive to changing technology, insofar as they have in the past been unwilling to apply the spirit of the signature requirement rather than adhering to its literal dictates; hence the call for regulatory intervention.25

B. REGULATORY INTERVENTION MODELS (E.G., UTAH, THE EGYPTIAN "E-SIGNATURE LAW," UNCITRAL, AND THE EU DIRECTIVE)

While there was a general consensus that electronic signatures should be accorded the same validity as handwritten signatures through some regulatory intervention, there was little agreement on how to achieve this goal.26 A quick look at the electronic signature legislation currently enacted or under consideration reveals that while there is agreement on where we ultimately want to go (validating, facilitating and promoting E-commerce), there is little agreement on how to get there.
24 See Sarah Wood Braley, Comment, Why Electronic Signatures Can Increase Electronic Transactions and the Need for Laws Governing Electronic Signatures, 7 LAW & BUS. REV. AM. 417, 418 (2001). 25 Id. 26 See Smedinghoff & Bro, supra note 3, at 513; see also Lance C. Ching, Electronic Signatures: A Comparison of American and European Legislation, 25 HASTINGS INT'L & COMP. L. REV. 199, 201 (2002).

In clarifying that electronic signatures meet signature requirements, statutes have differed greatly on fundamental issues associated with what qualifies as a signature. The regulatory approaches chosen by the various governments differ greatly on a major point.27 Some governments, such as Egypt, have chosen a detailed regulatory approach that promotes certain technologies and employs rigid certification requirements.28 Other governments follow a system that grants an evidentiary presumption to electronic signatures possessing certain security attributes (a "secure electronic signature").29 The rest lean toward a minimalist (hands-off) approach that authorizes electronic signatures under limited circumstances. An unfortunate result of this wave of incompatible legislation is that a developing country such as Egypt is left with much uncertainty regarding the appropriateness of its chosen regulatory approach in its own environment.

1. The Technology-Specific Approach

The technology-specific approach in practice focuses on a digital signature generated via public-key cryptography and employs rigid certification requirements. As a result, legal validation is granted only to electronic transactions implementing a specific technology and a certain authentication business model.30

a. The American Bar Association's Digital-Signature Guidelines

The first group to attempt a comprehensive approach to electronic-commerce-reform legislation was the Information Security Committee of the Electronic Commerce Division of the Section of Science and Technology of the American Bar Association.31
27 See Lance C. Ching, Electronic Signatures: A Comparison of American and European Legislation, 25 HASTINGS INT'L & COMP. L. REV. 199, 201 (2002). 28 Id. 29 See, e.g., Electronic Transactions and Commerce Law in Dubai no. 2 of 2002, available at http://www.ibls.com/ibls-internet-law-document.aspx?d=1462 (last visited January 18, 2007). 30 See Jane K. Winn, The Emerging Law of Electronic Commerce, in HANDBOOK ON ELECTRONIC COMMERCE, at 9, available at http://www.law.washington.edu/Directory/docs/Winn/Handbook_on_Electronic_Commerce_Winn.pdf (last visited Mar. 20, 2007). 31 One of the first detailed statements of the technology-specific approach is contained in the ABA Digital Signature Guidelines, published in 1996 by the ABA's Information Security Committee. For an overview of arguments supporting a more technology-specific approach, see generally Smedinghoff & Bro, supra note 3. For a critique of such provisions as unfair and economically inefficient, see generally Carl Ellison & Jane K. Winn, Comment P994312 to the Fed. Trade Comm'n, Mar. 26, 1999, Regulating the Use of Electronic Authentication Procedures by U.S. Consumers in the Global Electronic Marketplace, available at http://www.ftc.gov/bcp/icpw/comments/revwin1.htm.

The drafters of the Guidelines were very concerned about the potential for fraud in electronic commerce. This potential is due to the malleability of digital information and the transmission of this information over unsecured networks such as the Internet. There are two security problems with using digital information over unsecured networks. One problem, sometimes called "document authentication,"32 is the difficulty of proving that an electronic record has not been altered. This is because of the malleability of digital information and the inability to distinguish a digital "original" from a digital "copy": the bits of a perfect copy are identical to those of the original, and an altered record carries no physical trace of the alteration. The second problem, sometimes called "signer authentication," is the difficulty of reliably identifying the sender of an electronic record and attributing the record to them. Because electronic records lack the ordinary indicia of authentication, such as a manual signature in ink physically adhered to paper, and because of the relative ease with which one person can impersonate another over an unsecured network like the Internet, it is frequently difficult to identify the sender of an electronic record reliably. Due to these concerns, the Guidelines offer general principles concerning the adoption of a public-key infrastructure in order to resolve some of the legal uncertainty surrounding the technology.33 The Guidelines focused on the use of the digital signature (PKI) as a method of satisfying legal requirements that information be contained in a "writing" or that the writing be "signed."

b. The Utah Digital Signature Act

Utah's Digital Signature Act (the "Utah Act") was the first electronic commerce legislation, and it adopted public-key cryptography in a manner very similar to the American Bar Association Guidelines. The Utah Act was in fact "developed in collaboration with the Information Security Committee of the Section of Science and Technology of the American Bar Association."34

c. The Egyptian E-Signature Law
32 Document authentication is similar to the security service of message integrity, which provides assurance that the information signed has not been altered. See INFO. SEC. COMM., AM. BAR ASS'N, PKI ASSESSMENT GUIDELINES 305 (Public Draft for Comment, June 18, 2001), available at http://www.abanet.org/scitech/ec/isc/pagv30.pdf. 33 See Winn, supra note 30, at 1240. 34 Id.

As pointed out above, when a document is used as evidence in judicial or administrative proceedings in Egypt, it has to meet certain requirements in order to have the probative value of an unofficial document.35 For example, a contract filed before an Egyptian court must be the original version and must contain the signatures of the obligated persons if the transaction's value exceeds L.E. 1000. This evidence rule operates as a default rule that applies in the absence of a contrary consensual agreement between the contracting parties.36 The problem confronted in the Egyptian legal system is that in a data message in the electronic-commerce world no traditional pattern of signature appears; therefore, under the Egyptian legal system, the traditional signature requirement of an unofficial document is missing. An Egyptian court, as a civil-law court known for strictly abiding by statutes, will be reluctant to confer on such an electronic document any probative value equal to that of a signed written document. Past experience within the Egyptian judicial system suggests that it cannot actively respond to technological change without legislative guidance. For example, it took the Egyptian courts more than a decade to confer some probative value on facsimile copies. In the absence of legislative guidance, facsimile copies have been granted probative value lower than that legally assigned to signed written documents (unofficial documents) and on an equal footing with the principle of evidence by writing.37 The advent of Internet commercialization has placed considerable pressure on the Egyptian legal system to recognize the validity and probative value of electronic signatures. Recently, Egyptian lawmakers realized the urgent need for new legislative guidance devoted to removing legal barriers to E-commerce.
The main mission assigned to this law is to address what type of electronic signature qualifies as a signature under Egyptian evidence law (i.e., meets statutory and regulatory signature requirements in the context of unofficial documents). But however clear the mission was, the legislative approaches to this question varied. Egyptian lawmakers identified three inconsistent regulatory approaches: (1) all electronic signatures satisfy legal signature requirements; (2) electronic signatures satisfy legal signature requirements only when they possess certain security attributes; and (3) only digital signatures satisfy legal signature requirements. The question of
35 See E.E.L. § 14. 36 See E.E.L. § 60. 37 Id. § 62.

which regulatory approach has been followed by the Egyptian E-Signature Statute needs to be addressed through careful legal scrutiny of the law's rules. By exploring the Egyptian E-Signature Statute, it is easy to recognize that article 18 is the central legislative provision that allows the setting of security attributes that must be associated with electronic signatures in order to be valid under the evidence rules.38 An electronic signature is legally effective as a written signature affixed to an unofficial document only if it is: (1) unique to the person using it and capable of identifying the signatory;39 (2) under the sole control of the person using it;40 and (3) linked to the data in such a manner that if the data is altered, the signature is invalidated.41 Furthermore, the law requires that electronic signatures be generated using the technological and technical requirements endorsed in the Executive Regulations no. 109 of 2005.42 The legislation thus focuses not only on the security attributes an electronic signature should possess in order to be enforceable as a signature, but also on the technology used to create the signature itself. As articulated in the previous Part of this article, public-key cryptography can be used in near-endless creative ways.43 But the Egyptian E-Signature Law contemplates using it in one particular way, by promoting a joint digital-signature policy, PKI-based asymmetric cryptography, and rigid certification requirements. This technology-specific approach in the Egyptian E-Signature Law is clearly demonstrated in articles 1444 and 15.45 These two articles are the cornerstones of the national law that confers on electronic signatures and electronic writings legal validity equal to written signatures and traditional writings.
The law strictly requires electronic signatures and electronic writings to comply with the technical and technological rules drawn up in the associated Executive Regulations in order to be considered as valid as traditional writings and manuscript signatures. So, the Egyptian statute falls within this technology-specific category, authorizing the use of only a specific
38 See E-Signature Statute § 18. 39 Id. art. 1(a). 40 Id. art. 1(b). 41 Id. § 18(c). 42 Id. §§ 14 & 18. 43 See RONALD J. MANN & JANE K. WINN, ELECTRONIC COMMERCE 350 (2d ed. 2005). 44 See E-Signature Statute § 14. 45 Id. § 15.

type of electronic signature (i.e., a digital signature/PKI) and ignoring the general category of electronic signatures, which would validate other commercially reasonable authentication business models.

d. UNCITRAL

During the earlier development phase of E-commerce, governments' attention was focused on "building trust" in electronic data systems. At that time, offering E-commerce services presented important questions about the legal validity of electronic documents and separate, complex issues of identification and authentication. The Model Law on Electronic Commerce developed in 1996 by the U.N. Commission on International Trade Law (UNCITRAL E.C. Model) recommended legislative language to make it clear that a document cannot be denied legal effect as a writing or as an original solely because it is in electronic form.46 As for electronic signatures, the Model Law requires a method that is used to identify the person and to indicate that person's approval of the information contained in the data message.47 The method must be as reliable as was appropriate for the purpose for which the data message was generated or communicated, in light of all the circumstances.48 In a more advanced phase, harder questions are presented by the technological requirements imposed on signatures. In a number of countries, Egypt among them, policy-makers sought to create a strict environment of trust for both E-commerce and E-government. The technology-specific regulatory approach was the preferred model for providing legal certainty in E-commerce,49 heavily influenced by the 2001 UNCITRAL Model Law on Electronic Signatures (UNCITRAL E.S. Model), the most common model for this approach.50 This UNCITRAL model bases "digital signatures" on public-key cryptography. Public-key cryptography is a branch of applied mathematics in which each user holds a pair of mathematically related keys: a private key, kept secret, and a public key, which may be freely distributed. The same mathematics can transform a message into unintelligible form and, once the matching key is applied, restore it to its original form; for signatures, the private key produces a value over the message that the public key can check but cannot forge. A PKI is the organizational and technical machinery built around such key pairs.
Setting up a PKI is a way to reliably link users and their cryptographic keys and to provide confidence that a user's public key has

46 See the UNCITRAL Model Law on Electronic Commerce with Guide to Enactment, U.N. Doc. A/CN.9/SER.A/1996, with additional Article 5 as adopted in 1998, available at http://www.uncitral.org/english/texts/electcom/index.htm (last visited June 22, 2007).
47 Id. § 7(a).
48 Id. § 7(b).
49 See the UNCITRAL Uniform Rules on Electronic Signatures "Consultation Paper," available at http://www.justice.gc.ca/en/ps/ec/ures.html (last visited January 14, 2007).
50 Id.

not been tampered with and that the cryptographic techniques used are sound. One means of doing so is to establish a certification procedure administered by Certification Authorities (CAs). These CAs may be operated by government agencies or licensed to private entities according to clearly defined rules. The objective is to ensure valid identity in transactions between two parties.51

2. Preference for Digital Signature ("Technology-Preferred")

Another category of E-signature legislation attempts to provide a legal preference to documents signed with a "digital signature" that implements PKI technology.52 Although the preference may be worded in technology-neutral-sounding language, in practice it favors PKI digital signatures.

a. EU Electronic-Signature Directive

When the EU ESD was enacted in 1999, it firmly rejected the claims by some member states to impose licensing requirements on any organization wishing to offer services to support the use of digital signature certificates. It tried to diminish the significance of the split between member states favoring technology-specific laws and those favoring technology-neutral laws, as well as to address what had by then become the better-known shortcomings of digital-signature technology used within a PKI as a system for online authentication.53 Eventually, as a compromise solution, the EU ESD decided to provide three levels of electronic signature: a general notion of electronic signature that may consist of any technology the parties choose to use for that purpose; an "advanced" electronic signature that purports to be a technology-neutral description of a highly secure form of authentication, but which in reality is merely an abstract description of a digital signature used within a PKI system; and a "qualified" electronic signature, that is, a digital signature created with a private key stored on a "secure signature creation device," which consists of a smart card or some similar means of storing private-key data
outside the computer used to sign a document, similar to the Egyptian model.54

51 See generally JANE K. WINN & BENJAMIN WRIGHT, THE LAW OF ELECTRONIC COMMERCE § 3.06[c] (3d ed. 1998, Supp. 1999-2).
52 See Section 15 of India's Information Technology Act of 2000, available at http://www.cca.gov.in, and Part V of Singapore's Electronic Transactions Act.
53 See Jane K. Winn & Yuping Song, Can China Promote Electronic Commerce through Law Reform? Some Preliminary Case Study Evidence (May 8, 2006), available at http://ssrn.com/abstract=901849.
54 Id.

b. Electronic Transactions and Commerce Law No. 2 of 2002 in Dubai

Electronic signatures in Dubai are regulated by the Electronic Transactions and Commerce Law no. 2 of 2002, which was published in the Official Gazette on February 16, 2002 (the "ETCL"), and which creates the legal framework for electronic commerce transactions in Dubai. The ETCL sets forth several regulations aimed at supporting electronic transactions, and notably recognizes the validity of electronic signatures. In what is perhaps something of a hyperbole, Dubai's law announced that it accomplishes unprecedented objectives relating to electronic commerce by the creation of a new category of "secure electronic records" and "secure electronic signatures" to establish the trust necessary to facilitate and promote electronic commerce. After reviewing certain concepts underlying the Dubai law, the author has concluded that while Dubai's law succeeds in establishing (or at least reconfirming for any skeptics) the legal legitimacy of electronic records and electronic signatures, its establishment of special categories of electronic records and signatures, and the evidentiary presumptions attached to these special categories, may in fact hinder the growth of electronic commerce.55 It seems that the drafters of the Dubai law attempted to avoid favoring a particular business model or technological approach. However, the drafters unintentionally slipped into the same Egyptian legal dilemma by promoting the PKI model of authentication. Moreover, the law sought to establish legal solutions before a problem had been identified that clearly required such efforts.56 In addition, the established CA industry may not have sufficiently evolved to a point where legislative intervention is needed, either to promote the industry itself or to protect the users of the services being provided by the industry.
However, the case for granting such a presumption to secure digital signatures has not been well established. It may well cause unneeded confusion. To date, no court in the world has applied such a preference, and it is unknown how it will work in practice.57

55 In the United Arab Emirates (UAE), the federal Electronic Transaction and Commerce Law no. 1 of 2006 has followed the same approach concerning secure records and electronic signatures.
56 See Jane K. Winn, Islamic Law, Globalization and Emerging Electronic Commerce Technologies (Feb. 10, 2003), available at http://ssrn.com/abstract=877768 (last visited January 22, 2007).
57 See Benjamin Wright, Electronic Authentication in Sri Lanka: Technology, Law & Policy (September 2003) (unpublished report

C. REGULATORY MARKET-ORIENTED, "HANDS-OFF" MODEL OR NEUTRAL APPROACH

Under a technology-neutral (or "hands-off") model, any symbol, mark, or method, accomplished by electronic means and executed by a signer with the present intent to be bound by a record or to authenticate a record, may stand on a par with a conventional signature. Unlike the technology-specific approach, under this approach the signature is defined broadly to encompass any symbol, sound, process or encryption of a record, in whole or in part, executed or adopted by a person or the person's electronic agent with the present intent to authenticate the record. To this effect, "electronic signature" is a generic, technology-neutral term that includes all of the various methods of authentication by which one can "sign" an electronic record. Although all electronic signatures are represented digitally (i.e., as a series of ones and zeroes), they can take many forms and can be created by many different technologies. Examples of electronic signatures include: a name typed at the end of an E-mail message by the sender; a digitized image of a handwritten signature that is attached to an electronic document; a secret code or PIN that identifies the sender to the recipient; a code or "handle" that the sender of a message uses to identify himself; a unique biometric identifier, such as a fingerprint or a retinal scan; and a digital signature created through the use of PKI asymmetric cryptography. The Hands-Off Model strives to grant electronic signatures the same baseline validity already possessed by conventional writings. It does not designate a particular mode of authentication technology as valid, and it does not refer to a particular mode of authentication as more valid, or more enforceable, than any competing technology.
As a result, this approach only attempts to place an electronic contract on the same minimum level of validity as that of a written contract.58 By employing a "neutral" or "hands-off" model, national E-commerce legal frameworks do not designate a specific authentication technology in order to render a valid signature, but rather rest on the principle of letting the market determine the appropriate authentication technology according to its needs.59

prepared for the Sri Lankan Government, under sponsorship of the United States Agency for International Development).
58 See Stephen Mason, Electronic Signatures in Practice, 6 J. HIGH TECH. L. 148, 152 (2006).
59 See Winn, supra note 56.

1. The Pedigrees of the Market-Oriented (Hands-Off) Solution in the U.S.

Since the 1980s, political support for strong regulatory regimes has eroded in the United States.60 One aspect of the embrace of market-oriented solutions to social and economic issues is the complex system of diverse and numerous private standards-developing organizations.61 As ANSI reports, "The U.S. standardization infrastructure . . . reflects a basic national belief that society will benefit and innovation and creativity will flourish in a system that is free from centralized government control but strengthened through essential government participation."62 In this context, "essential" signifies limited to the bare essentials, with government deferring to the market to define a feasible authentication standard and, instead of the direct exercise of leadership by the public sector, leveraging the market-pull effect of government procurement to promote adoption of specific standards.63 The National Technology Transfer and Advancement Act of 1995 (NTTAA) directs U.S. government agencies to use standards developed by voluntary-consensus bodies, whenever available, in lieu of government-developed standards to accomplish their regulatory and administrative objectives. These limitations on the role of government in setting standards reflect concerns that if government intervention is not carried out effectively, it will inhibit economic growth by raising costs without any corresponding increase in benefits.64 If regulation is not designed properly, it will definitely hurt the economy and cause the consumer to pay higher prices for goods and services, especially in an undiscovered frontier such as authentication technologies.65 Also, the United States' inclination to let the market lead is visible in its approach to reforming

60 See Thomas O. McGarity, The Expanded Debate over the Future of the Regulatory State, 63 U. CHI. L. REV. 1463, 1528-32 (1996).
61 See AM. NAT'L STANDARDS INST., UNITED STATES STANDARDS STRATEGY (2005); AM. NAT'L STANDARDS INST., OVERVIEW OF THE U.S. STANDARDIZATION SYSTEM (2005).
62 Id.
63 See also Jane K. Winn, Standard Developing Organizations as a Form of Self-Regulation (July 25, 2006), available at http://ssrn.com/abstract=924008 (last visited January 23, 2007).
64 See John D. Graham, Office of Mgmt. & Budget, Executive Office of the President, An Overview of the U.S. Regulatory System (Jan. 15, 2002), available at http://www.whitehouse.gov/omb/inforeg/pres_mgmt_regulatory_state.html.
65 See Winn, supra note 56, at 6.

commercial law to accommodate innovations in the technology of online markets.66

2. The U.S. Regulatory Approach Opts for the Hands-Off Model or Neutral Approach

The Hands-Off or Neutral Model gained the wide approval of the U.S. federal legislature with the passage of the Electronic Signatures in Global and National Commerce (federal E-Sign) Act on June 30, 2000.67 The E-Sign Act was enacted at the federal level to strengthen the public's confidence in the legal validity of electronic contracts by creating uniform federal legislation.68 The E-Sign Act states that signatures procured electronically shall not be rendered invalid solely because they are in electronic form. This Act also provides that certain methods of creating electronic signatures, such as using more advanced signature procedures or employing more stringent security measures, will not hold greater legal validity than signatures procured by other means.69 The E-Sign Act is technology-neutral in that no procedure or process regarding electronic signatures can have a greater legal effect, enforceability or validity than a different procedure or process.70 The Act preempts all inconsistent state laws71 but allows states the choice to instead adopt the similar Uniform Electronic Transactions Act (UETA), as approved by the National Conference of Commissioners on Uniform State Laws (NCCUSL). Similar to the federal E-Sign Act, UETA ensures that a signature is not denied legal enforceability solely by virtue of being in electronic form.72 The U.S. lesson should lend itself to the Egyptian scene, as the Egyptian E-Signature Law appears to date to have been ineffective at promoting the growth of electronic commerce in Egypt. If the Egyptian government

66 See Jane K. Winn & Brian H. Bix, Cyberpersons, Propertization, and Contract in the Information Culture: Diverging Perspectives on Electronic Contracting in the U.S. and EU, 54 CLEV. ST. L. REV. 175 (2006).
67 Electronic Signatures in Global and National Commerce Act of 2000, § 106(5), 15 U.S.C. § 7006(5) (2000).
68 JONATHAN D. HART, LAW OF THE WEB: A FIELD GUIDE TO INTERNET PUBLISHING 204 (2003).
69 15 U.S.C. § 7001(a).
70 Id.
71 UNIF. ELEC. TRANSACTIONS ACT of 1999 § 1-21, 7A pt.1 U.L.A. 225-26 (2002) [hereinafter UETA] (Uniform Electronic Transactions Act Official Text as approved and recommended by the National Conference of Commissioners on Uniform State Laws on July 29, 1999).
72 UNIF. ELEC. TRANSACTIONS ACT of 1999 § 1-21, 7A pt.1 U.L.A. 225-26 (2002) [hereinafter UETA] (Uniform Electronic Transactions Act Official Text as approved and recommended by the National Conference of Commissioners on Uniform State Laws on July 29, 1999).

continues to actively promote the adoption of PKI digital-signature technologies through legislative incentives, it may push businesses and individuals in Egypt to incur significant costs for illusory security and negligible benefits in return. The law appears to have been enacted in order to control the behavior of certain technology service providers, without regard to the actual needs of businesses and individuals trying to use other authentication technologies. In this infant stage of E-commerce in Egypt, there is no need for an authentication framework and legislation that inhibit, rather than encourage, migration to more effective authentication technologies more carefully tailored to meet actual individual and business needs in the Egyptian market. The currently adopted governmental policy only forces Egyptian businesses to invest in outmoded or flawed technology or, alternatively, forces Egyptian consumers and businesses to contract out of the protection of the legal umbrella by embracing other workable authentication methods that may more efficiently meet their needs, their level of E-commerce awareness, and their financial conditions.

IV. THE EGYPTIAN E-SIGNATURE STATUTORY/REGULATORY APPROACH: INHERENTLY FLAWED (CRITIQUE OF THE CURRENT STATE OF EGYPTIAN LAW)

The Egyptian E-Signature Law and its Executive Regulations can be classified as technical in nature: apart from a few articles,73 they do not deal primarily with the legal validity of electronic signatures; rather, their purpose is to provide the conditions for a secure infrastructure for the PKI authentication business model, which relies on a trusted third party such as a certification authority (CA),74 in order to render a valid electronic signature. This PKI authentication business model can be a valuable authentication technology under some circumstances. But to enshrine it in legislation is an unwise regulatory approach, as it may raise the following legal and technical concerns:

A. THE TECHNICAL RISK OF CHOOSING PKI TECHNOLOGY

Under the Egyptian strategy, control of a subscriber's private key becomes all-important. In other words, "all the eggs are placed in one basket - the private key," while the eggs are distributed among many baskets in the case of a written signature, says Mr. Benjamin Wright in his argument against Utah's technology-specific legislative approach,75 which is similar to the Egyptian technical approach. He adds that public-key cryptography does not reduce risk in the signing of an electronic document; it transfers risk. It can be very effective in showing whether a particular document was signed with a certain private key. But this transfer of risk does not necessarily result in the elimination or even the reduction of risk. Risk simply shifts onto the private key. That key becomes the object of any criminals who want to cheat the subscriber or relying parties. They will try tricking a subscriber into revealing the key or temporarily surrendering control of it. They will endeavor to compromise the software that controls the key and its functions. Or they will steal and unlock the device, such as a smart card, in which a user stores the key.76

B. PKI TECHNOLOGY RENDERS A FALSE SENSE OF SECURITY

73 See, e.g., E-Signature Statute §§ 14-18.
74 See Jane K. Winn, US and EU Regulatory Competition and Authentication Standards in Electronic Commerce (May 22, 2006), available at http://ssrn.com/abstract=901324.
75 See Benjamin Wright, A Cyberspace Perspective: Eggs in Baskets: Distributing the Risks of Electronic Signatures, 15 J. MARSHALL J. COMPUTER & INFO. L. 189, 195 (1997).
76 Id.

According to the Egyptian approach, certification by a PKI certification authority can give a false sense of security. Here is a first-hand story. The author received an E-mail from a client during the winter holidays, saying that the client was sending a greeting through a greeting-card website. The author clicked on the URL in the E-mail and was taken to a reasonably professional-looking website called FriendGreetings.com.77 He was then presented with a familiar box indicating that in order to access the greeting he needed to download code which had been signed with a certificate from a well-known certification authority, VeriSign. The box indicated that the code was signed by a company named AtlasMedia, Inc. The author could have clicked on the company name, although the author had never heard of this company.78 He chose not to click on the company name. Instead, he clicked to indicate he wished to install the code. When the code installed, his virus-checking software alerted him that a worm named "WORM_FRIENDGRT.A" had been passed to his computer.79 Being curious, the author repeated the process through the FriendGreetings.com website. In the box showing that the code had been signed by AtlasMedia, Inc., using a certificate from VeriSign, the author clicked on the link for the company named AtlasMedia, Inc. It led to a simple but professional-looking corporate website having several pages about a company claiming to be a promotions and communications firm. On the "contacts" page the company showed an address in Dubai.80 VeriSign no doubt followed its usual procedures in issuing a PKI certificate to AtlasMedia. But, evidently, the certificate belonged to a fake company with a fake name and probably a fake address in Dubai.
Under the Egyptian model, one may note that a PKI certificate like this certifies only that a PKI key pair is associated with a name; it says nothing about the quality of that name or the reputation of the people behind it.81 A crook can foil the Egyptian-invented PKI system simply by inventing a bogus name and requesting a certificate in association with that name. Moreover, the certificate does not inform a relying party

77 See Friendgreetings.com, http://searchportal.information.com/index.mas?epl=00520018UVsPWVALXVUMVV8FSgwDXQVT FFIGQV4PBkYbW1dZFwRqXQYFDlwH.
78 See BENJAMIN WRIGHT, BUSINESS LAW & COMPUTER SECURITY: ACHIEVING ENTERPRISE OBJECTIVES THROUGH DATA CONTROL, at 80 (2003).
79 See http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html (last visited June 22, 2007).
80 See Wright, supra note 57, at 82.
81 Id.; see also E-Signature Executive Regulations § 20 (providing nothing as to the quality of that name or the reputation of the people possessing the digital certificate).

whether the name is the famous trade name the public knows and trusts or not. For example, PKI certificates make no distinction between the famous brand "Vodafone in Egypt"82 and the bogus name "Vodofone in Egypt."83

C. THE MYTH OF NONREPUDIATION

Not only do the Egyptian E-Signature Law and its Executive Regulations shift risk to the private key, but they also concentrate the risk there by endorsing the non-repudiation principle.84 By employing the non-repudiation principle, the Egyptian rules give recipients strong technical and legal reasons (extraordinary legal and technical evidence) to expect that if a document is signed with an author's private key then the author is legally responsible for the document. Articles 9 and 10 of the E-Signature Law's Executive Regulations (notes 85 and 86) provide that a document signed with a verified digital signature is normally presumed to be signed by the person owning the relevant private key (so long as his public key is certified by a licensed CA). Also, an electronic signature is as valid, and as firmly linked to a specific signatory, as if it were written on paper if it meets two requirements. First, the message must bear a valid electronic signature certificate issued by a certified CA.87 Second, the electronic signature must have been "verified by the public key listed in a certificate" that was validly issued by a licensed CA at the time the digital signature was created.88 If an electronic signature is verified and validated with reference to ITIDA or any other entrusted certificate CA, the non-repudiation principle is legislatively turned on.89 As a result, the purported signatory cannot deny the verified digital signature attributed to him, and an electronic contract formed by affixing a digital signature to an electronic record containing a statement of the terms of the agreement should create an obligation that is "legal, valid and binding," and enforceable according to its terms.
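As an added illustration, written for this edition and not part of the original article, of three points made above (the PKI mechanism described under III.B.1.d, the shifting of risk onto the private key in IV.A, and the limits of what a certificate certifies in IV.B), the following Go program builds an in-memory certification authority with the standard library's x509 package, issues certificates for the names "Vodafone in Egypt" and "Vodofone in Egypt", and has a relying party verify signatures. The CA name, the serial numbers, the signed message and the in-memory revocation set are all constructed for the example; the revocation set stands in for the CA's revocation service, which a real relying party would consult instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: the CA, subscriber names, serial numbers and the signed
// message are all made up; errors are turned into panics to keep it short.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates an Ed25519 key pair and has the CA bind name to it (a
// self-signed root when isCA is set). Nothing here checks that the name is
// genuine or who stands behind it: the CA certifies a key/name association only.
func newCert(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (ed25519.PrivateKey, *x509.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// verify is the relying party's check. It answers one question only: does sig
// over msg validate under the key that an unrevoked certificate chaining to the
// trusted CA binds to this name? It cannot say whether the name is genuine or
// who actually held the private key when the signature was made.
func verify(roots *x509.CertPool, revoked map[string]bool, cert *x509.Certificate, msg, sig []byte) bool {
	if revoked[cert.SerialNumber.String()] {
		return false
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}

// Result records whether the relying party accepted one labelled case.
type Result struct{ Case string; Accepted bool }

// Scenario runs the cases discussed in the text and returns them in order.
func Scenario() []Result {
	caKey, ca := newCert("Licensed CA (constructed)", 1, true, nil, nil)
	genuineKey, genuineCert := newCert("Vodafone in Egypt", 2, false, ca, caKey)
	lookalikeKey, lookalikeCert := newCert("Vodofone in Egypt", 3, false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	revoked := map[string]bool{}
	msg := []byte("Pay L.E. 25,000 to account 1234 (constructed message)")
	var out []Result
	// check signs `signed` with key and has the relying party verify the
	// resulting signature against `shown` (the same bytes unless tampered with).
	check := func(label string, key ed25519.PrivateKey, cert *x509.Certificate, signed, shown []byte) {
		out = append(out, Result{label, verify(roots, revoked, cert, shown, ed25519.Sign(key, signed))})
	}
	check("genuine subscriber", genuineKey, genuineCert, msg, msg)
	check("genuine signature, altered message", genuineKey, genuineCert, msg, []byte("Pay L.E. 250,000"))
	// The CA bound the look-alike name just as readily; only someone reading
	// the subject name can tell the two certificates apart.
	check("look-alike name, same CA", lookalikeKey, lookalikeCert, msg, msg)
	// Key compromise: a copy of genuineKey yields a signature indistinguishable
	// from the subscriber's own, until the certificate is revoked, an out-of-band
	// step that the signature mathematics itself does not supply.
	check("copied private key, before revocation", genuineKey, genuineCert, msg, msg)
	revoked[genuineCert.SerialNumber.String()] = true
	check("copied private key, after revocation", genuineKey, genuineCert, msg, msg)
	return out
}

func main() {
	for _, r := range Scenario() {
		fmt.Printf("%-40s accepted=%v\n", r.Case, r.Accepted)
	}
}
```

Run with `go run`, the five outcomes make the argument concrete: verification establishes only that some holder of the private key signed these exact bytes (the altered message is rejected); the look-alike name passes because the CA certified it exactly as it certified the genuine one; and a signature made with a copied key is accepted until the certificate is revoked, a step that lies outside the cryptography and that a legal presumption of non-repudiation simply assumes has already happened.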
It is obvious that the concept of "non-repudiation" has been creeping into the rules governing digital signatures in Egypt, confusing the distinction between a legal conclusion and a technological function in a way that demonstrates the impact of the PKI authentication

82 See Vodafone Egypt Home Page, http://www.vodafone.com.eg (last visited June 22, 2007).
83 See id.
84 See Hisham M. Abd El-Wahab, Technical and Legal Presentation over the Validity of Electronic Signature, www.electronicsignature.gov.eg (last visited June 22, 2007).
85 See E-Signature Executive Regulations § 9.
86 Id. § 10.
87 Id. § 9(1).
88 Id. § 9(2).
89 Id. § 7.

business model on Egypt's long-standing evidence and contract rules. This might be attributed to the persistence of the technical saga that digital signatures are the "next big thing" in electronic contracting.90 On the other hand, and from a legal point of view, the terminology surrounding repudiation is not particularly uniform within legal systems and communities, so a clear lexicographic distinction needs to be drawn.91 For example, when discussing evidence of transactions, the term "non-repudiation" essentially means that the parties to a transaction cannot deny their participation in the transaction. From an Egyptian legal point of view, non-repudiation is the principle that keeps a bound party to a transaction from disclaiming or denying its signature and, as a result, the obligations arising from the transaction.92 Basically, both official and unofficial documents are presumed valid; however, non-repudiation is a legislative reward that is only granted to official documents as a result of their strict creation formalities. While official documents can only be challenged by a defense of fraud, unofficial documents can be subject to denial in addition to fraud defenses by the obligated parties.93 The legal anachronism is that, while the initial goal of the Egyptian E-Signature Law is to place electronically signed records on a par with conventionally signed (unofficial) documents, regulated certified digital (cryptographic) signatures offer a level of security and evidentiary presumption above the average assigned to regular unofficial documents. Under article 9 of the Executive Regulations associated with the E-Signature Law, the purported signatory is legally and technically presumed to have signed a message if the owner is a "subscriber of a valid certificate, and the digital signature was verified by ITIDA or other entrusted third party by reference to a public key listed in the certificate . . . ."94 The legal shortcoming of this article is that the endorsed presumption cannot be rebutted upon a showing of sufficient evidence when the document was digitally signed and verified by ITIDA. The

90 See Winn, supra note 56, at 371.
91 Id. at 371-72; see also BLACK'S LAW DICTIONARY 1306 (7th ed. 1999) (citing the discussion of historical terminology inconsistencies surrounding the term found in P.S. ATIYAH, AN INTRODUCTION TO THE LAW OF CONTRACT 294 (3d ed. 1981)); cf. E. ALLEN FARNSWORTH, CONTRACTS 8.21 (6th ed. 2004).
92 See Susanna Frederick Fischer, Saving Rosencrantz and Guildenstern in a Virtual World? A Comparative Look at Recent Global Electronic Signature Legislation, 7 B.U. J. SCI. & TECH. L. 229, 231 (2001); see also D. Scott Anderson, What Trust Is in These Times? Examining the Foundation of Online Trust, 54 EMORY L.J. 1441, 1449 (2005).
93 See E.E.L. § 29.
94 See E-Signature Executive Regulations § 9.

defrauded author will not technically or legally be able to challenge the presumed perfection of the enacted Egyptian authentication business model, because he will be arguing against what is, from the Egyptian point of view, a presumed technically valid and perfectly secure authentication business model. Furthermore, the defrauded author will be precluded from the privilege of denying the digital signature attached to an unofficial electronic document, while its paper-based counterpart can always be denied.95 Impliedly, the rules assume that an author is not denying a mere signature but is arguing against a presumed technically valid and perfectly secure authentication business model that is enshrined by the Egyptian E-Signature Law. As a result, and just as for official documents, forgery will be the only viable defense against digitally signed documents.96 Applying the myth of non-repudiation renders electronic unofficial documents absolute and undeniable, which is not on a par with the probative value conventionally assigned to traditional unofficial documents.97 By setting its sights on the endorsed non-repudiation in the Egyptian E-Signature Law, the rules may cause Egyptian E-commerce implementers to chase unrealistic goals. The Egyptian implementers will waste efforts seeking unattainable technical perfection and overestimated probative value, bypassing other, easier alternative authentication business models that are simply adequate alternatives to PKI and do not conflict with the Egyptian evidence rules.

D. NONINTEGRATED LIABILITY SCHEME

The Egyptian E-Signature Law and its Executive Regulations are premised on an "open system" or "open loop" model of PKI.98 The open PKI model envisions that subscribers will obtain a single certificate from an independent, licensed third-party CA that certifies that subscriber's identity.99 Certificate holders will then use that certificate to facilitate transactions with potentially numerous merchants or other individuals, in order to intensify trust among all national or foreign E-commerce players.100 As discussed above, the Egyptian PKI scenario implicates considerable security breaches that can trigger substantial liability risk. Egyptian legislators, enamored with what digital signatures can potentially

95 See E.E.L. § 29.
96 Id.
97 Id.
98 The terminology "open PKI" and "closed PKI" is not meant to imply open networks or open standards versus closed networks or proprietary technology, but rather to describe specific business models. See WINN & WRIGHT, supra note 51, § 3.03.
99 See MANN & WINN, supra note 43, at 358; see also C. Bradford Biddle, Legislating Market Winners: Digital Signature Laws and the Electronic Commerce Marketplace, 34 SAN DIEGO L. REV. 1225, 1235 (1997).
100 Id.

accomplish, have attributed this risk to flaws in the existing legal regime that must be addressed legislatively. This conclusion is wrong. The liability exposure faced by CAs under the endorsed Egyptian PKI model is the product of a business model that cannot internalize the costs of the inevitable fraud that will result under any public-key-based system. The resulting liability problem is unlikely to be solved at all in the open PKI model, and certainly cannot be solved with any one-size-fits-all legislative solution, even an Egyptian one. Private keys will be expropriated, and third parties will rely on apparently valid but fraudulent documents and suffer losses. The aggregate losses could be quite sizable, judging from analogous contexts: credit card fraud in online transactions could have cost businesses as much as $60 billion in 2005, according to research firm Financial Insights, despite the efforts of Visa and MasterCard in offering dedicated solutions to reduce online card fraud.101 Who will bear the losses that stem from unauthorized digital signature use? There are three primary choices: 1) the relying party; 2) the individual whose key was used to sign the document; or 3) the Egyptian operator (CA) who performed the initial digital authentication process.102 Under the Egyptian rules, if an individual's key is used without authorization, he or she bears unlimited liability as a consequence of article 10 of the Executive Regulations.103 So, if a subscriber named "Ali," for example, has his key stolen or compromised, resulting in losses totaling L.E. 25,000 prior to revocation of his key, Ali (the purported signer) alone bears the loss. The E-Signature Law and its Executive Regulations do not consider how a defrauded individual can present a court with "clear and convincing" evidence that an electronic document signed with his digital signature was in fact not signed by him, so as to overcome the technical and legal presumption to the contrary.
Obviously, this liability outcome does not comport with the well-established consumer protection principles found in the Egyptian Trade Law no. 17 of 1999 (compare the liability that article 528 imposes on the drawee (bank) for forged checks, or the fact that the drawer (consumer) cannot be bound by a fraudulent handwritten signature).104 Moreover, no rational consumer would agree to accept this level of risk in marketplace transactions. The benefits of having a digital

101 See ePaynews.com, Statistics for General and Online Card Fraud, http://www.epaynews.com/statistics/fraud.html (last visited Dec. 12, 2006).
102 See E-Signature Law § 4(a).
103 See E-Signature Executive Regulations § 10.
104 See Egyptian Trade Law § 528; see also UCC § 3-403(a); see also WINN & WRIGHT, supra note 51, § 7.02.

certificate simply do not outweigh the very real possibility of facing extraordinarily large unreimbursed losses. Could the loss fall on the relying party? The goals of a PKI would be undermined, and an opportunity for fraudulent collusion would be presented, if the relying party bore the risk.105 Yet if neither the subscriber nor the relying party bears full liability under this scenario, where else would the loss fall under the current Egyptian E-Signature Law? On the CA? The straightforward reading of article 14 of the E-Signature Law's Executive Regulations dictates that licensed CA
