Mr. Chairman, members of the committee, good morning. My name is Scott Lowry. I am president of Digital Signature Trust Company, a subsidiary of Zions First National Bank, Salt Lake City, Utah.
I would like to thank you for the opportunity to appear before this committee and to share with you our views on electronic commerce, electronic authentication and the potential need for federal legislation.
As you know, Utah was the first state to pass a comprehensive law enabling electronic commerce and digital signatures. Digital Signature Trust Company was formed to provide Certification Authority and Repository services for the State of Utah and elsewhere around the country.
I will begin with a quick overview of my comments, followed by a more detailed look at what we regard as the critical issues in the electronic commerce and authentication discussion.
My remarks today will focus on:
When personal computers first appeared on the horizon they were used primarily on a "standalone" basis. Individuals worked at their desktops, with little if any "electronic" interaction with other employees within their organization.
With the advent of network technology, companies began to link their PCs together into what became known as local area networks or, in the wonderful world of computer acronyms, LANs. Subsequent improvements in network technology allowed organizations to link far-flung operations and trading partners together on something known as a wide area network or WAN.
LANs and WANs have several things in common. For the purposes of this discussion the two most important elements they share are 1) the fact that they run over dedicated private lines (literally a dedicated line is installed from point A to point B) and 2) they have a network administrator who governs network access and security. As a result, the network administrator authenticates all network participants and controls access to the network via passwords or pin numbers issued by the administrator as a central authority. In short, life on LANs and WANs is good.
Proving the theory nothing is forever, the Internet has changed everything. First, the Internet is truly global in nature. As a result companies not only have the capability of erecting local and wide area networks, but for the first time, global area networks or GANs are within their reach. National and international "communities of interest" can band together to form "virtual" global networks. (The word virtual is used to highlight the fact that the network is not a permanent connection but rather a fleeting thing that only exists when the parties are connected via the Internet.)
For example, the US automobile industry, through the Automobile Industry Action Group (AIAG) is building a giant virtual private Intranet that will link all players in the automobile industry food chain, and facilitate the global adoption of EDI (electronic data interchange) among its members.
Secondly, the Internet runs on public networks as opposed to dedicated private lines. This greatly reduces the costs associated with Internetworking, and as a result, allows even the smallest of small businesses to go "on-line" with their customers and suppliers.
Finally, and perhaps most importantly within the context of today's discussion, the Internet does not have a network administrator or central authority to dole out passwords or pin numbers to control access or authenticate prospective users. It is this fundamental difference that leads us to the need for some form of authentication in electronic commerce. Absent a network administrator or some form of authentication technology, there is no way of knowing who is on the proverbial line with you.
Much has been written about the coming explosion in Internet-based commerce. In a recent Treasury Department report, the author predicted that by the year 2000 tens of billions of dollars of commerce would be conducted over the Internet. While predictions of Internet commerce may vary, the fact remains that even on the low side virtually all observers believe that huge volumes of business activity will migrate to the Internet by the turn of the century. Unfortunately, there are problems.
Perhaps the biggest roadblock to such an eventuality is security. The security and confidentiality of information passed between trading partners, and the security and certainty of knowing with whom one is or is contemplating doing business. As data security is mercifully outside the scope of today's discussion, we will turn our attention to the need to know with whom one is doing business.
In the paper world there are well-established customs and rules for determining the identity and veracity of potential trading partners. These include reliance on longstanding business relationships, personal visits to their place of business, industry reference checks, etc. When it is impossible or impractical for parties to verify identities first hand, they typically turn to so-called "trusted third parties" to provide the assurances necessary to conduct business.
Practical examples of such reliance on trusted third parties would be signature guarantees for stock transfers and letters of credit, both of which are provided by financial institutions.
In the electronic world things are different. The sheer breadth and speed of the market makes most traditional mechanisms of establishing a trading partner's identity impossible. Deals and opportunities on the Internet will exist for seconds and minutes not days and weeks. The electronic market place will belong to those companies and countries that can build an electronic authentication framework capable of serving all comers accurately and efficiently.
The question becomes what will such an authentication framework look like and who is best suited to stimulate its development? State governments? The federal government? Or, perhaps private industry? Let us take a look first at the states.
At last review, 36 states have either passed or have some form of electronic commerce/digital signature legislation percolating through their legislative processes. These bills appear to come in two flavors: thick and thin. The thin versions take a minimalist approach to enabling and regulating electronic commerce. They do this by 1) recognizing electronic documents as original legal documents, thus satisfying the "in writing" requirements of various state statutes of fraud; and 2) by recognizing various forms of electronic signatures as legally binding.
The thicker versions of the state laws not only recognize electronic documents and electronic signatures (generally digital signatures), but also attempt to design and regulate the infrastructure necessary to support electronic authentication and to apportion liability among the parties in the event of negligence or malfeasance.
While on one hand it is encouraging to see so many states taking an interest in the prospects for electronic commerce in their states, it is at the same time troubling. Disparate laws tend to lead to confusion in the market place, and in the absence of some unifying force, will likely slow down rather than speed up the pace of adoption of electronic commerce. For example, what law applies when Digital Signature Trust Company issues a digital certificate to a client outside the State of Utah?
In addition to such a current and very real question, one could easily envision states passing competing bills in an attempt to attract e-commerce revenues that are sure to develop if the market is half as big as the experts are predicting. This would lead to a sort of regulatory arbitrage as industry participants play legislatures off against each other in a search for the lowest (regulatory) common denominator.
Given the uncertainty, ambiguity, and the potential for conflict inherent in the states' individual efforts, we would strongly recommend that the committee consider recommending over-arching federal legislation in the areas of electronic commerce and electronic authentication.
We would recommend that any legislation follow the "thin" model and seek only to legalize electronic documents and "acceptable" forms of electronic signatures.
We would recommend that the committee be prepared to iterate the law as the world's understanding of the issues and circumstances change.
We would recommend that as consenting adults, commercial parties be free to contract and apportion risk and liability as they may mutually agree.
We would recommend that the general thrust of the consumer protection laws be preserved in any federal legislation on this subject.
We would recommend that financial institutions, because of their unique understanding of authentication issues and the already heavily regulated nature of their business, be given special dispensation and exemption from emerging state laws.
Finally, as an example of how federal law can be used to accelerate or facilitate national objectives, one could draw a parallel between the construction of the federal interstate highway system and the challenges raised by the development of the national information infrastructure. If the interstate highway system had to be built, one mile at a time, one town, one city, or one county at a time, it would have never happened. And so it is with the information superhighway.
Mr. Chairman, this concludes my remarks. Once again I would like to thank you for giving me the opportunity to be here and I would be glad to answer any questions you or the other committee members might have.
For more information contact:
J. Scott Lowry
Digital Signature Trust Company
Kennecott Building, Suite 1452
One South Main St.
Salt Lake City, UT 84111