Congress is mulling over legislation today to create a national framework for authenticating people's identities when they shop online or send documents over the Net.
Touted as an important security component for robust e-commerce, digital certificates and signatures help confirm that an online document hasn't been tampered with during transmission and that Net users' identities are authentic. But the various digital authentication systems under consideration by states and Congress bring up a complicated web of problems--from privacy concerns and legal liability to technology interoperability issues.
The Senate Commerce Committee is holding hearings today about one of five digital authentication bills that have been introduced since last year.
If passed, Sen. Spencer Abraham's (R-Michigan) Government Paperwork Elimination Act would require within three years that agencies put more forms online and then set up systems to accept digital certificates, which verify the accuracy of a person's digital signature and are protected by public-private key encryption.
For example, using a "private key," an attorney could attach her encrypted digital signature to an email message, which gives the recipient access to her "public key." The recipient then uses the public key to access the attorney's digital certificate to confirm the attorney's name, law firm affiliation, and contact information. The identity information would have been provided by the attorney to a third-party firm or government agency, which is supposed to verify her identity.
Abraham introduced his bill to set up an infrastructure that would allow people to conduct government-oriented business online, such as renewing a driver's license or filing for permits. The bill doesn't favor any one technology and directs the Commerce Department to set up standards for digital signatures compatible with the private sector and state approaches.
"By providing individuals and companies with the option of electronic filing and storage, this bill will reduce the paperwork burden imposed by government on the American people and the American economy," Abraham said today in a statement. "It will allow people to move from printed forms they must fill out using typewriters or handwriting to digitally-based forms that can be filled out using a word processor."
Digital certificates and signatures are not to be confused with state and federal proposals regarding "electronic signatures," which aim to establish the legality of signed electronic documents. An electronic signature could be a digital signature, a digitized image of a handwritten signature, a personal identification number, or simply a name typed at the end of an email message. But Abraham's legislation encompasses both electronic signatures and digital certificates.
The prevalence of digital certificates and signatures could increase the security of legal and e-commerce transactions, intensifying the pace of information exchanges and decreasing the use of paper. But how best to verify a person's ID before issuing them a certificate and the framework for setting up trusted third-party certificate authorities are just some of the challenges inherent in setting up these systems.
However, privacy advocates worry that if not carefully crafted, legislation could lead to the onerous creation of a national identification card that would contain the most sensitive data about a person.
Groups such as the Center for Democracy and Technology want any legislation that establishes digital authentication systems to include clear privacy protections.
Mishandled certificate data could lead to identity fraud, the group says. In addition, if a federal proposal were to set up a single certificate authority, then personal information, financial or health records, and credit transactions would be dangerously centralized, the CDT stated.
"We're concerned that [a government-led system] could lead to a national ID card, and the government could trace everything you do online and tie it all together," said Ari Schwartz, a policy analyst for the CDT.
"The Abraham bill stops the government from being a single certification authority, which is good," he added. "We want it stated that the certificate authorities will be held liable" if they breach a person's privacy or hand out a certificate without adequately verifying someone's ID.
The CDT says legislation should encourage various certificate authorities and not favor particular technologies, industries, or certificate providers; it also should not always tie identity into certificates. Moreover, digital authentication systems should adopt fair information practice principles, such as not passing on data without the knowledge and consent of the subject.
There also are legal liability issues surrounding digital certificates and signatures.
"If you lose your private key, should you be liable for any messages sent if someone stole your private key? A lot of the legislation puts a burden on the signer to protect the private key," said Thomas Smedinghoff, an attorney with McBride Baker & Coles's information technology and electronic commerce department and chairman of the electronic commerce division for the American Bar Association.
"The other set of issues is from the certification authority side," he added. "What if an impostor gets a digital certificate saying they are [Microsoft CEO] Bill Gates? What is the liability of the certification authority for issuing an erroneous certificate?"
Abraham's bill states that government agencies must "accept a certificate only from a trusted third party that, in accordance with commercially reasonable standards, accepts liability for and is insured against negligent issuance or handling of certificates."
The Clinton administration has asked Congress to hold off passing any digital certificate and signature legislation until some of these issues can be hammered out by private industry and government agencies. In October, Commerce Department general counsel Andrew Pincus, who also is testifying today, told a House committee not to pass uniform legislation governing digital certificates and signatures.
Still, with e-commerce on the rise, industry is moving forward with some plans.
For instance, in June, the National Automated Clearing House Association launched a pilot test to develop rules, guidelines, and business practices for banks to issue digital IDs for their customers.
Hewlett-Packard, which makes e-commerce security products, testified in favor of the bill today.
"To date, we have no commensurate declarative U.S. position on the development of [digital] signatures beyond the general principles of technology neutrality stated in the White House framework paper of last year," Scott Cooper, HP's manager for technology policy, stated in testimony before the committee. "[Abraham's bill] will significantly help to fill this void."
But the Clinton administration's Pincus told the committee today that it will be hard for the government to comply with Abraham's legislation as it does battle with the Year 2000 problem.
"It's not only realistic but necessary," Abraham's communications director, Joe McMonigle, countered after the hearing.