Senate Banking, Housing and Urban Affairs Committee

Subcommittee on Financial Services and Technology


Hearing on Electronic Authentication and Digital Signature


Prepared Testimony of Mr. Robert Kramer
Vice President for Policy Analysis and Development
Bank of America

10:30 a.m., Tuesday, October 28, 1997


Mr. Chairman and members of the Subcommittee, my name is Bob Kramer and I'm Chairman of the Electronic Commerce Working Group and the Electronic Authentication Committee of the Coalition of Service Industries. I also manage public policy issues relevant to wholesale and international banking for the Bank of America. I appreciate this opportunity to relate to you the work that the Coalition of Service Industries has done in the area of electronic authentication.

The Electronic Commerce Working Group is made up of 25 member companies and trade associations, representing an extremely broad sample of service companies actually doing business on the Internet. The Electronic Authentication Committee (EAC) was formed by the Working Group to develop a proposal for federal legislation to establish a national framework for the authentication of commitments made electronically that could be used as a basis for seeking reciprocity internationally. The EAC is composed of representatives from: the American Council of Life Insurers, the American Express Company, Arthur Andersen Knowledge Enterprises, AT&T, Bank of America, Citicorp, the Consumer Bankers Association, EDS, Hewlett Packard, IBM, the National Association of Insurance Brokers, the National Retail Federation, NCR, and the Securities Industry Association.

I believe the other members of this panel have adequately explained why federal legislation is needed. Briefly put, the myriad of different, sometimes conflicting, state and foreign standards that are under development could impose significant compliance costs on those companies seeking Certification Authority status on a national or international basis. At worst, conflicting standards could impede the development of national Certification Authorities, or severely limit the ability of CAs to operate across state or national borders. The efficiencies of electronic commerce can only be realized in a regulatory environment that encourages rather than stifles the geographic breadth and architectural openness of the Internet.

I'd like to focus on the Electronic Authentication Committee's efforts to craft a proposal for federal legislation, and explain how we came to some of our conclusions. The EAC has worked intensely since January to develop a proposal for a federal electronic authentication framework; we have called upon the legal and technical expertise of our member companies and consulted with experts in the US government and European Commission; we have also informally discussed these issues with other private sector groups such as the American Bar Association. Throughout this process, we have painstakingly developed a consensus among our very different members on each of the issues relevant to the establishment of a framework. And I would like to stress that this is a work in progress, that we have NOT yet developed a final proposal. Consequently, what I discuss here today is subject to additional amendment prior to its final release, hopefully before the end of this year.

Principles

The members of the EAC have agreed upon a number of basic principles:

Allow me to focus on two aspects of these principles.

First, after much debate, the group decided that an explicit federal licensing regime was appropriate, rather than self-certification or voluntary compliance, for two reasons:

1. Since limits on liability were deemed necessary for the creation of a viable CA market, some form of licensing regime was considered necessary to identify absolutely which CAs were compliant with federal requirements, and therefore eligible for the limits to liability specified under the statute.

2. There are early indications that many EU and other foreign governments which enact similar legislation will rely on a licensing regime, as Germany has. They, in turn, will be more comfortable in extending reciprocity to governments with similar frameworks, an important element of which would be licensing. Until a multilateral agreement is negotiated, reciprocity is the most likely way of obtaining international recognition of US practices.

Second, this framework creates a parallel vehicle for companies wishing to obtain a nationally recognized CA license, but does not discourage the development of state law in this area. In fact, we would argue that states are the laboratories from which the federal standards board will draw much of its information and ideas. By allowing many sets of standards to co-exist, our proposal lets the market decide the most effective. Since the UCC process takes a minimum of three years, federal legislation is needed to address this issue now, but federal standards can be corrected to conform with standards when and as they are adopted uniformly by the states.

The scope of this proposal only covers transactions between private parties, e.g. company-to-company, company-to-customer, individual-to-individual. Transactions between governments or between governments and individuals are not addressed.

Structure

Our proposal is structured to take advantage of existing federal agencies, and minimize new bureaucracy.

Designated federal regulatory agencies will authorize regulated institutions to issue electronic certificates in connection with authorized activities as part of their overall licensing or chartering responsibilities. These agencies will monitor compliance as a part of their overall compliance review responsibilities. The Commerce Department will be empowered with similar authority for any entity wishing certification authority. These agencies will have the responsibility to develop administrative procedures for the certificate issuance and compliance review processes, but not for setting standards.

An Electronic Authentication Standards Board (EASB), comprised of representatives from the private sector, including companies engaged in electronic commerce, will have sole responsibility for developing standards not specified in the statute covering the operational, archival, procedural, security, disclosure and other requirements for regulated CAs and such agents as they designate, including repositories. The Board will determine definitions and requirements for certificates and for electronic signatures associated with such certificates.

An Interagency Electronic Authentication Review Committee, comprised of representatives of the relevant federal agencies, will be responsible for approving -- but not amending -- standards issued by the EASB, and for assuring their uniform implementation at the agency level.

From time to time, the EASB will advise Congress regarding new technologies that require modification of this Act. The EASB would provide standards for new authentication technologies as they become economically viable. In addition, the Board will have the authority to review the implementation of these standards by the designated federal agencies and shall have the responsibility to advise the Interagency Electronic Authentication Review Committee on these matters. In the EASB, we have a flexible mechanism to adapt the Federal CA regime to changing market conditions and developments in technologies.

Licensing

CAs must be licensed by an authorized federal agency in order to receive the benefits of limited liability specified in this Act. The licensing process and requirements should be transparent, minimal and non-discriminatory to promote the growth of a robust authentication industry. The EASB will define the terms and conditions with which licensed CAs must comply in order to ensure the safety and soundness of electronic commerce.

Disclosure and Limitations on Liability

The Committee strongly believes that disclosure is an important element in developing consumer confidence in electronic commerce. Consequently, the CA is responsible for disclosing in a clear and transparent manner: its own identity, the identity of the repository, and the terms and conditions of certification, including the reliance limit for the issued certificate, and any other limitations on liability for CAs and repositories. The EASB will determine the specifics under which this information and other information will be disclosed to the subscriber and other transacting parties.

Under our proposal, the licensed CA is not liable for any losses in excess of $500 per certificate issued. However, the issuing CA and accepting subscriber may establish by agreement a reliance limit in excess of $500 per certificate. A CA also may limit the functional scope of any certificate it issues.

Except to the extent that losses are caused by a CA's criminal acts, a licensed CA is not liable for losses in excess of the amount specified in the certificate as its recommended reliance limit. If a subscriber does not take prudent measures to protect his or her private key, the CA is not held liable for loss due to any negligence with regard to the issuance or maintenance of the certificate. The statute would restrict CA liability to direct, compensatory damages only, and exclude punitive, economic, or pain and suffering damages.

Like many of the other proposals reviewed here today, the EAC believes that commercial parties should be free to contract and apportion risk and liability as they may agree upon. However, offsetting the needs of CAs for liability protection are the needs of third parties, the consumers of electronic services, for a generally available and certain minimum transaction-based reliance amount. We feel our proposal provides a compromise that will allow the market to develop. However, there is no magic about $500, and our proposal allows for the adjustment of this figure as the market evolves.

Conclusion

In summation, I would like to emphasize just a few general points. First, our proposal envisions a federal CA infrastructure that co-exists with and complements state authentication law, and yet provides national standards as the basis for international negotiations. Second, the proposal provides a flexible mechanism through which the private sector maintains ongoing responsibility for setting standards in response to changes in market conditions and technology. Finally, I would like to again mention that this proposal is still evolving, and that we are looking for opportunities to discuss it with other private and public sector groups interested in these issues.

Mr. Chairman, this concludes my prepared remarks; I would be happy to answer any questions you or your colleagues might have. Thank you.


Members of the Electronic Commerce Working Group
Chair: Robert Kramer, Vice President, Policy Analysis and Development,
Bank of America

AMERICAN COUNCIL OF LIFE INSURERS
AMERICAN EXPRESS COMPANY
AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS
AMERICAN INTERNATIONAL GROUP, INC.
ANDERSEN WORLDWIDE
AT&T
BANK OF AMERICA
CHARLES SCHWAB
THE CHASE MANHATTAN BANK
THE CHUBB CORPORATION
CITICORP/CITIBANK
CONSUMER BANKERS ASSOCIATION
DUN & BRADSTREET
EDS CORPORATION
ELECTRONIC MESSAGING ASSOCIATION
FORD FINANCIAL SERVICES GROUP
GLOBAL INFORMATION INFRASTRUCTURE COMMISSION
HEWLETT PACKARD COMPANY
IBM CORPORATION
IMS
KPMG PEAT MARWICK
MORGAN STANLEY & COMPANY
NATIONAL ASSOCIATION OF INSURANCE BROKERS
NATIONAL RETAIL FEDERATION
NCR
REUTERS AMERICA
SECURITIES INDUSTRY ASSOCIATION
STATE STREET BANK OF BOSTON
THE SABRE GROUP
VISA USA
WILMER, CUTLER & PICKERING

As of October 24, 1997
