

IN THIS DOCUMENT:

Document Identification

Distribution List

I. Legal Developments

  1. Proposal for a Directive on the Legal Protection of Services based on, or consisting of, Conditional Access
  2. Commission Communication « Towards a European Framework for Digital Signatures and Encryption »
  3. Commission Recommendation of 30 July 1997 concerning transactions by electronic payment instruments and in particular the relationship between issuer and holder

II. Developments of Standardisation of identifiers

ADDENDUM: THE GERMAN SITUATION

  1. Introduction
  2. Main Provisions
    1. Definitions
    2. Licensing CAs
    3. Duties and Obligations
    4. Liability
  3. Conclusions




Universal Availability of Publications Core Programme

COPEARMS

COPEARMS News
Issue 2, December 1997

Workpackage IV
Legal assistance
Deliverable 4.2.8.: NEWSLETTER

C.R.I.D.

Authors: Michèle Ledger, Rosa Julia, Séverine Dusollier & Jean-Christophe Lardinois,
Deliverable D 4.2.8.
December 29, 1997

Document Identification

Document ID : Legal Assistance/deliverable 4.2.8

Authors : Michèle Ledger, Séverine Dusollier & Jean-Christophe Lardinois - CRID

Date of issue : December 29, 1997

Distribution : COPEARMS Internal

Description : Newsletter, Issue n° 2

Abstract :
This second issue of the newsletter addresses recent legal developments in Europe and reports on the progress of identification systems. The following pieces of legislation are considered :

  • Proposal for a European Directive on the Legal Protection of Services based on, or consisting of, Conditional Access

  • Commission Communication "Towards a European framework for Digital Signatures and Encryption"

  • Commission Recommendation on Transactions by Electronic Payments Instruments and in particular the relationship between issuer and holder

This newsletter also examines recent developments relating to the standardisation of identifiers and the German legal developments in the field of digital signatures and Certification Authorities in an addendum to the deliverable 4.2.1.  
 

Distribution List

Copy  Name                       Organisation  Role
1     Dominique GONTHIER         CEC/DGIII     ESPRIT Officer
2     Dominique SPAEY            BvD           Project Office
3     Georges VAN SLYPE          BvD           Project Office
4     Michel BOXHO               BvD           Project Office
5     Gerard EIZENBERG           CERT          Partner
6     Dominique YON              CISAC         Partner
7     Yves POULLET               CRID          Partner
8     Séverine DUSOLLIER         CRID          Partner
9     Rosa JULIA                 CRID          Partner
10    Jean-Christophe LARDINOIS  CRID          Partner
      Jean-Francois BOISSON      EURITIS       Partner
      Edmond F KOUKA             EURITIS       Partner
      Graham Peter CORNISH       IFLA          Partner
      Judy WATKINS               IFLA          Partner
      Richard CARR               Level 7       Partner
      Thomas HOEREN                            Reviewer
      Juan CRUELLAS                            Reviewer
      Gordon YONGE                             Reviewer

I. Legal Developments

    1. Proposal for a Directive on the Legal Protection of Services based on, or consisting of, Conditional Access

    Following the adoption of the Green Paper on the « Legal Protection of Encrypted Services in the Internal Market »[1], the Commission has decided to propose the adoption of a new directive which would attempt to harmonise the legal protection of all services that depend on so called « conditional access » techniques such as encryption and electronic locks.

    According to the Explanatory Memorandum, the proposal does not cover the circumvention of technological measures used in connection with the exercise of their rights (ECMS technology) since these issues were addressed by the Commission in "separate measures, as announced in the Commission Communication of 20 November 1996" (i.e. in the proposed directive on the harmonisation of certain aspects of copyright and related rights in the Information Society). However, the proposed directive on the harmonisation of certain aspects of copyright and related rights stresses on the other hand that the legal protection envisaged is complementary with the initiative already proposed by the Commission in the field of conditional access services and that the latter proposal addresses in fact harmonised protection against unauthorised reception of a conditional access service, which may or may not contain or be based upon intellectual property, whilst the proposed directive on certain aspects of copyright deals with the unauthorised exploitation of a protected work or other subject matter; such as unauthorised copying, making available or broadcasting.

    As we have seen in Deliverable D4.2.2., the circumvention of technical systems of protection that protect an intellectual property right has been addressed separately in the Green Paper on copyright and related rights in the Information Society and will be the subject of separate measures, as announced in the Commission Communication of 20 November 1996.[2] Further, specific provisions have been adopted at international level and are introduced in the new WIPO copyright and related rights treaties[3]. In any event, if the technology does not restrict the uses relating to a work protected by copyright, a sui generis right or a related right, the protection envisaged in this proposed piece of legislation could provide a certain form of protection to any person wanting to use a technology the purpose of which would be to restrict access to, and monitor use of, non protected information.

    The scope of the proposed legislation is wide enough to cover a number of « protected services » which are provided on the basis of « Conditional Access », as well as the provision of Conditional Access to the above services as a service in its own right.

    « Protected services » cover television and radio broadcasting services as well as Information Society services[4], whereas « Conditional Access » means « any technical measure and/or arrangement whereby access to the service in an intelligible form is made conditional upon prior individual authorisation aiming at ensuring the remuneration of that service ».

    Faced with the necessity to protect the provision of the above defined services that are based on Conditional Access techniques, in view of the huge economic losses that could follow from their piracy, the Commission has decided to suggest that Member States should prohibit on their territory the following activities[5] :

    • the installation, maintenance, or replacement for commercial purposes, of an illicit device ;
    • the use of commercial communications to promote illicit devices ;
    • the manufacture, import, sale or possession for commercial purposes of illicit devices.

    Further, the sanctions taken by the Member States will have to be effective, deterrent and proportional to the potential impact of the infringing activity and they will have to ensure that service providers affected by the infringing activity can bring an action for damages and apply for an injunction and where appropriate, for the seizure of illicit devices[6].

    « Illicit devices » are defined as meaning any equipment or software designed or adapted to enable the unauthorised access to a protected service[7].

    As a result of the adoption of these provisions, Member States will not be entitled to restrict the provision of protected services, or associated services, that originate in another Member State, or to restrict the free movement of conditional access devices[8].

    2. Commission Communication « Towards a European Framework for Digital Signatures and Encryption »

    1. In an effort towards ensuring secure electronic communications, the Commission has just issued a Communication which advocates mutual recognition of digital signatures and some minimum rules to be set up regarding Certification Authorities (CA) and certificates.

    2. Digital signatures are recognised in the Communication as playing an essential role for ensuring the authentication of the data source, i.e. the origin of the data as well as ensuring data integrity which is the assurance that all data transmitted are complete and unchanged. It also recognises Certification Authorities (CAs) as necessary partners in the process of achieving secure electronic transactions.

      The central task of CAs in this context is to authenticate the ownership and characteristics of a public key through issuing a certificate containing the key as well as other details such as the algorithm to be used or the certificate expiry date.

      Mutual recognition of electronic commerce certificates issued by foreign CAs is necessary. National structures must be complemented by a co-ordination mechanism at European level. CAs will also have to submit themselves to data protection rules contained in the data protection directive when gathering, processing, transferring and ensuring the security of personal data.

      The communication further highlights the difficulties linked to the lack of legal recognition of digital signatures as one of the reasons why so few companies are currently offering services in this area and is promising to evaluate the possibility of providing for the harmonisation of the different national provisions to support international mutual recognition of digital signatures.

      CAs will act as managers of keys by creating keys and identifying their owners which will also lead to the creation of public key directories. Such directories will provide information on the key owner, its validity period and any other relevant information. An additional task could be to carry out time-stamping services which are services that provide proof of the exact time of certain actions such as the time of creation or receipt of a document.

      The Commission recognises that there is no uniform legal framework specifying the requirements for CAs, which will prove detrimental to the mutual recognition of CAs. It therefore considers it necessary to set up a common legal framework at Community level establishing principles for the activities of CAs. Examples of such fields of harmonisation are given and include compliance with data protection legislation, reliable identification of persons so as to ensure the identification of key owners, minimum insurance coverage, technical components (no further detail given) and the prohibition of « self certification » by the CA.

      Common technical requirements for digital signatures products are also regarded as essential requirements, and not as technical details which should be left to standardisation bodies.

      Liability is also considered as a necessary field of harmonisation if CA services are to be widely developed and accepted. It is proposed to establish a legal catalogue of requirements as a basis for the contractual duties as specified in the contract between the CA and the user. It is also considering the relevance of introducing special rules of liability covering the relationship between the CA and third parties (such as the recipient of the digitally signed message or another CA) and errors made by the licensing authority.

      Recognising the differing legal concepts behind signatures and their forms and procedures in the Member States and the difficulties of applying legal practices that have developed in the field of declarations of intent to electronic communications, the Commission is asking Member States to examine whether existing legal provisions could be applied to electronic communications. Member States are also urged to consider appropriate rules to ensure the non repudiation of digital signatures. The Commission also recognises that special rules are necessary for the treatment of references (i.e. reference to documents that are not part of the electronically transferred data). The Communication also highlights the need to ensure equivalent legal effects for digital signatures throughout the European Union, as regards both their use as evidence in legal proceedings and their equivalence to the written form.

      Future regulatory actions will be governed by the following considerations:

      • Regulation must be flexible enough to react to technological developments;
      • Regulation should not restrict the contractual freedom of the parties;
      • Voluntary schemes, mandatory licensing schemes or even non-licensed but highly regarded private or public organisations may be suitable solutions to ensure trust in CAs ;
      • In the context of the licensing solution, a distinction must be drawn between the procedures and conditions governing the establishment of a CA and the conditions imposed on the different services provided by the CA. ;
      • In any event the EU will have to provide for the coexistence of licensed and unlicensed CAs.

      The second part of the Communication concerns encryption. After having retraced the economic and societal importance of encryption, including its importance for the protection of intellectual property rights, the Communication examines the existing regulation in the European Union and the OECD and comes to the conclusion that any regulation on use of encryption would lead to « preventing law abiding companies and citizens from protecting themselves against criminal attacks » whilst it would not « prevent totally criminals from using these technologies ». Although the Commission recognises the complexity of the issues surrounding the use of encryption and the differing national opinions on the issue, the following policy orientations in the area of encryption have been put forward :

      • Although criminal investigations may be hindered because of the use of encryption, it is recognised that the widespread use of encryption will also reduce crime ;
      • It is accepted that regulation of encryption will render criminal activities using encryption methods more difficult even though the extent of this is not easy to measure ;
      • The industry and users strongly demand the possibility of remaining anonymous when conducting electronic commerce activities on the Internet ;
      • If at all required, regulation should be limited to what is absolutely necessary and should distinguish between the various key types ;
      • Any regulation should not hinder the international availability, interoperability and choice of various encryption products and services ;
      • Existing regulation on traditional forms of lawful access to data and communication could be examined with a view to possibly applying it to access to encrypted data and communication ;
      • International relations remain the problem in introducing any national key escrow/recovery regulation ;
      • Lastly, any specific national regulation could have secondary effects on the free circulation of persons.

      Lastly, the Commission recognises the absolute importance of ensuring interoperability between different encryption and digital signature applications and systems. The Commission therefore encourages industry and international standards organisations to develop technical and infrastructure standards for digital signatures and encryption to ensure secure and trustworthy use of networks and respect privacy and data protection requirements.

3. Commission Recommendation of 30 July 1997 concerning transactions by electronic payment instruments and in particular the relationship between issuer and holder[9]

This recommendation applies to transfers of funds, other than those ordered and executed by financial institutions, effected by means of an electronic payment instrument. Such an electronic payment instrument covers both remote access payment instruments and electronic money instruments. A 'remote access payment instrument' means an instrument enabling a holder to access funds held on his/her account at an institution, whereby payment is allowed to be made to a payee and usually requiring a personal identification code and/or any other similar proof of identity. This includes in particular payment cards (whether credit, debit, deferred debit or charge cards) and phone- and home-banking applications.

On the other hand, 'electronic money instrument' means a reloadable payment instrument other than a remote access payment instrument, whether a stored-value card or a computer memory, on which value units are stored electronically, enabling its holder to effect transfers of funds or cash withdrawals, as for instance electronic tokens or other forms of 'cybermoney'.

Such a recommendation is not an obligatory act for the Member States. The content of the recommendation should not be implemented as such in national laws. Nevertheless, the recommendation expresses a common view of the Commission and could be the basis of legislative action by the Member States.

The recommendation provides for an obligation to inform the holder about the terms and conditions governing the issuing and use of electronic payment instruments. Such information must be provided :

  • upon signature of the contract or in any event in good time prior to delivering the instrument,
  • in writing, including where appropriate by electronic means, in easily understandable words and in a readily comprehensible form,
  • at least in the official language or languages of the Member State in which the electronic payment instrument is offered.

The terms include at least:

  • the determination of the law applicable to the contract;
  • a description of the electronic payment instrument, including where appropriate the technical requirements with respect to the holder's communication equipment authorized for use, and the way in which it can be used, including the financial limits applied, if any;
  • a description of the holder's and issuer's respective obligations and liabilities;
  • where applicable, the normal period within which the holder's account will be debited or credited, including the value date, or, where the holder has no account with the issuer, the normal period within which he/she will be invoiced;
  • the types of any charges payable by the holder.
  • the period of time during which a given transaction can be contested by the holder and an indication of the redress and complaints procedures available to the holder and the method of gaining access to them.

If the electronic payment instrument is usable for transactions abroad (outside the country of issuing/affiliation), the holder must be informed of the amount of any fees and charges levied for foreign currency transactions, including where appropriate the rates and of the reference exchange rate used for converting foreign currency transactions, including the relevant date for determining such a rate.

Subsequent to a transaction, the issuer supplies the holder with information relating to the transactions effected by means of an electronic payment instrument. This information, set out in writing, including where appropriate by electronic means, and in a readily comprehensible form, includes at least:

    When a remote access payment is used :

      (a) a reference enabling the holder to identify the transaction, including, where appropriate, the information relating to the acceptor at/with which the transaction took place;
      (b) the amount of the transaction debited to the holder in billing currency and, where applicable, the amount in foreign currency;
      (c) the amount of any fees and charges applied for particular types of transactions.
      (d) the exchange rate used for converting foreign currency transactions.

    When it is an electronic money instrument :

    • the possibility of verifying the last five transactions executed with the instrument and the outstanding value stored thereon.

The issuer is obliged not to disclose the holder's personal identification number, not to dispatch an unsolicited electronic payment instrument and, regarding a remote access payment, to keep internal records so that the transactions can be traced and errors rectified, and to ensure that appropriate means are available to enable the holder to notify the loss or theft of the electronic payment instrument and any other irregularity.

The issuer of an electronic payment instrument has to prove, in any dispute with the holder, that the transaction was accurately recorded and entered into accounts, and was not affected by technical breakdown or other deficiency.

This recommendation imposes therefore upon the issuer of electronic payment instrument a strong duty of care and a technical obligation to keep records of all transactions.

Articles 6 and 8 provide for the respective liabilities of the holder and issuer in case of defective execution, loss or theft of the electronic payment instrument.

It is worthwhile to mention that the issuer is liable for the non-execution or defective execution of the holder's transactions, even if a transaction is initiated at devices/terminals or through equipment which are not under the issuer's direct or exclusive control, provided that the transaction is not initiated at devices/terminals or through equipment unauthorized for use by the issuer.

The issuer is liable to the holder of an electronic money instrument for the lost amount of value stored on the instrument and for the defective execution of the holder's transactions, where the loss or defective execution is attributable to a malfunction of the instrument, of the device/terminal or any other equipment authorized for use.

The issuer of an electronic payment instrument will therefore be liable to the holder for the malfunction of the payment system integrated in the ERMS, even if the latter is not monitored by the issuer himself.

II. Developments of Standardisation of identifiers

    I. The CISAC CIS Plan

    According to CISAC's latest progress on ISO activities, the process for standardisation of identifiers for audio-visual works (ISAN identifier), musical works (ISWC identifier) and Still Pictures File (JPEG) is progressing well.

    Moreover, good co-ordination of the management of information for identification of content has been achieved in MPEG activities (Moving Pictures and Audio).

      1. ISAN

      As a result of the last meetings between Audio-visual Producers organisations, Authors organisations and Book Industry organisations, a consensus has been achieved on the following topics :

      • scope of the number
      • construction of the number
      • basic definitions such as : audio-visual work, composite work, episode, etc...

      Several issues need to be clarified for the next meeting, planned in December 1997, such as :

      • administration of the ISAN system and agencies
      • qualified registrants and rules
      • supporting information : final list of data to be registered for each work declared in the ISAN Database
      • access and users of the ISAN system

      2. ISWC

      At the last meeting in London (May 1997), it was decided to focus on musical works and to postpone until May 1998 the decision on the work to be done on textual works.

      This decision will depend on the progress of the DOI system (Digital Object Identifier) developed by the International Association of Publishers (see infra).

      The next step for ISWC standardisation is the approval of a draft proposed by CISAC, which has been recognised by the ISO group as representing the main interested parties concerned with musical works (May 1998).

      3. JPEG

      The JPEG group has established a draft International Standard for Still Picture Interchange file Format (SPIFF).

      This draft includes the definition of a licence plate to identify and register all files containing intellectual creations.

      4. MPEG

      The data structure to be used to handle information for identification has been defined and agreed by representatives of the communication industry.

      The next steps will concern protection of content and watermarking techniques.

      A draft standard (MPEG4 V1) integrating all kinds of identifiers for all types of content should be approved by ISO at the end of 1998.

    II. THE D.O.I. system (Digital Object Identifier)

    Developed and tested over the last year, the DOI system is now being used by a dozen U.S and European publishers in a pilot program that has been running since July.

    During the few months of prototyping DOI usage, several application opportunities have been explored, such as :

    • A reader of one article was linked to related material including similar articles, or books

    • A reader was given the choice to see the full text of an article, see the Table of Contents of the journal in which the article appeared, subscribe to the journal, purchase a book, or order the content for later delivery

    This system not only provides a unique identification for all digital content, but also a way to link users of the materials to the rights holders themselves to facilitate automated digital commerce in the new digital environment.

    The DOI system has three parts : the identifier, the Directory and the database.

      1) The identifier

      The DOI is made up of two components :

      • the first element, the prefix, is assigned to the publisher by the Directory Manager
      • the second element, following a slash mark, is the suffix. This is the designation assigned by the publisher to the specific content being identified.

      The suffix can follow any system of the publisher's choosing, and be assigned to objects of any size (book, article, abstract) or any file type (text, audio, video, image or software).

      2) The Directory

      The power of the DOI system is its role as a routing system.

      Because digital content may change ownership or location over the course of its life, the DOI system involves a central directory.

      When the object is moved to a new server or the copyright holder sells the product line to another company, one change is recorded in the directory and all subsequent readers will be sent to the new site.

      The DOI remains reliable and accurate because the link to the associated information or source of the content is easily and efficiently changed.

      3) The database

      Information about the object that the user has access to in response to a DOI query is maintained by the publisher.

      The DOI can also serve as an agent and in the future (planned for 1998 development), the system will also be used to automate transactions.

      One might say that, in the future, this unique and persistent identifier is envisioned as an enabler for processing some routine transactions such as document retrieval, clearinghouse payments, and licensing.

      For more details about the Digital Object Identifier : http://www.doi.org


ADDENDUM: THE GERMAN SITUATION

    1. Introduction

    This addendum to D.4.2.1. (Introduction to the legal acceptance of digital documents and electronic signatures and trusted third party services) seeks to provide an overview of legal acceptance of digital documents and digital signatures according to German law. Because Germany is currently, with Italy, the only Member State which has a specific regulation on digital signatures and Certification Authorities (CAs), we have decided to consider the German situation in a separate document.

    The addendum begins with a general presentation of the legal requirements concerning contracts and evidence. Following this, a broader description of the new Digital Signature Law will be given. In this context four main issues will be analysed: definitions, licensing, duties and obligations and liability. In a few cases, we will contrast with other laws or projects of law, specifically with Community proposals.

      Requirements of contract law and evidence law

      In an ERMS several contracts will be entered into between the following actors: first, author and producer; second, producer and distributor; and third, distributor and end user. Of these three agreements only the last contract will be entered into and performed electronically.

      Contract law (for this last agreement) enjoys the principle of freedom of form[10] which means that for validity purposes, the contract can be performed in any way (including electronic form). However, for evidentiary purposes[11], the contract needs to be proved in order to be enforced. Under German law documentary evidence has more evidentiary weight than the other types of evidence. Therefore, it is important for the electronic contract to qualify as a document and thus to be accepted as such in court. By using a digital signature and digital certificates to perform the contract, such a requirement might be satisfied.

      The Digital Signature Act (DSA) was introduced on August 1, 1997[12], with the objective of establishing general conditions under which digital signatures are deemed secure and forgeries of digital signatures or manipulation of signed data can be reliably ascertained. Following the adoption of this act, pursuant to article 16, an ordinance[13] containing the legal provisions for the implementation of § 3-15 (e.g. grant, withdrawal, revocation of licence, validity periods of signature key certificates, details of the obligations of the CAs, ...) has been proposed.

      The DSA does not establish an equivalence between a hand written signature and a digital signature, neither as a matter of the law governing contracts and licences nor as a matter of evidence. However, because Article 3§1 (2) of the DSA provides that the application of other digital signature procedures is optional insofar as digital signatures according to the act are not required by legal provisions, it can be concluded that by setting out the general conditions for the operation of digital signatures, the law seems to have recognised equivalence, when the technical conditions (which ensure authenticity and integrity of the messages) provided in the Act and the Ordinance are fulfilled. In case of dispute, courts will probably accept electronic documents sealed with a digital signature as documentary evidence. Additionally, the DSA will contribute, through providing a legal framework for the operation of digital signatures and in particular for CAs, towards building mutual trust between parties involved in an electronic contract.

    2. Main Provisions

    After having defined digital signatures, certification authorities, certificates and time stamp certificates (1), the DSA provides detailed provisions on the conditions to be fulfilled by licensing CAs (2), as well as their duties and obligations (3).

      (1) Definitions

      1. For the purposes of this Act "digital signature" shall mean a seal affixed to digital data which is generated by a private signature key and establishes the owner of the signature key and the integrity of the data with the help of an associated public key provided with a signature key certificate of a certification authority or the authority according to §3 of this Act.

      2. For the purposes of this Act "certification authority" shall mean a natural or legal person who certifies the assignment of public signature keys to natural persons and to this end holds a licence pursuant to § 4 of this Act.

      3. For the purposes of this Act "certificate" shall mean a digital certificate bearing a digital signature and pertaining to the assignment of a public signature key to a natural person (signature key certificate) or a separate digital certificate containing further information and clearly referring to a specific signature key certificate (attribute certificate).

      4. For the purposes of this Act "time stamp" shall mean a digital declaration bearing a digital signature and issued by a certification authority confirming that specific digital data were presented to it at a particular point in time.

      As we can see from article 2, the Act has shown a definite choice for a certain type of technology: public key encryption with use of digital certificates issued by CAs. Provided this is used, the two main functions of signatures will be satisfied: establishing the owner of the signature key and integrity of the data.
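      The chain of checks these definitions imply for a relying party, as an added example that is not part of the original newsletter or of the Act: a CA certifies the assignment of a public key to a person, and a signature is accepted only if the certificate, its validity period and the data seal all check out. Textbook RSA over fixed Mersenne primes stands in for a real signature scheme, and every name, date and key is constructed.

```python
"""Signature key certificate and digital signature, after the DSA definitions.

Toy illustration: textbook RSA without padding over publicly known Mersenne
primes. It shows the order of checks, not a usable signature scheme.
All names, dates and keys below are constructed for the example.
"""
import hashlib
import json
from datetime import date

E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Return (public, private) toy RSA keys built from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(data, n):
    """SHA-256 of the data, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private):
    """The 'seal' generated with the private signature key."""
    return pow(digest(data, private["n"]), private["d"], private["n"])


def signature_ok(data, signature, public):
    """Check a seal with the associated public key."""
    return pow(signature, public["e"], public["n"]) == digest(data, public["n"])


def cert_body(cert):
    """Canonical bytes of the certificate fields covered by the CA signature."""
    fields = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_private, owner, owner_public, not_before, not_after):
    """CA side: certify the assignment of a public key to a natural person."""
    cert = {
        "owner": owner,
        "public_key": owner_public,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
    }
    cert["ca_signature"] = sign(cert_body(cert), ca_private)
    return cert


def verify_signed_data(data, signature, cert, ca_public, today):
    """Relying-party side. Returns (True, owner) or (False, reason)."""
    # 1. The key assignment must have been certified by the trusted CA.
    if not signature_ok(cert_body(cert), cert["ca_signature"], ca_public):
        return False, "certificate not issued by the trusted CA"
    # 2. The certificate must be inside its validity period (ISO dates sort).
    if not cert["not_before"] <= today.isoformat() <= cert["not_after"]:
        return False, "certificate outside its validity period"
    # 3. Only now does the data seal establish owner and integrity.
    if not signature_ok(data, signature, cert["public_key"]):
        return False, "data altered or signed with a different key"
    return True, cert["owner"]


# Constructed keys, certificate and document.
CA_PUBLIC, CA_PRIVATE = make_key(2**107 - 1, 2**127 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_key(2**61 - 1, 2**89 - 1)
CERT = issue_certificate(CA_PRIVATE, "Alice Example", ALICE_PUBLIC,
                         date(1997, 8, 1), date(1999, 7, 31))
CONTRACT = b"Licence to view one article, price 5 ECU"
SIGNATURE = sign(CONTRACT, ALICE_PRIVATE)

if __name__ == "__main__":
    print(verify_signed_data(CONTRACT, SIGNATURE, CERT, CA_PUBLIC,
                             date(1998, 1, 15)))
```

      Checking the data seal before the certificate would prove only that some key signed the data; the certificate check is what ties that key to a named person.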

      (2) Licensing CAs

      From the various options that were open for the establishment of CAs, the German legislator has chosen the mandatory licensing scheme. According to §4, a certification authority shall require a licence from the competent authority. Licences shall be granted upon application. The other options could have been the negative licence (any person is free to provide encryption services provided they satisfy the pre-licensing conditions) or accreditation arrangements. The Commission's recent Communication "Towards a European Framework for Digital Signatures and Encryption" has stressed that mandatory licensing schemes are a possibility but that voluntary schemes, such as non-licensed but highly recognised private or public organisations, might equally be considered trusted CAs.

      The applicant will receive a licence provided he possesses the necessary reliability: proof of specialised knowledge (the persons engaged in the operation of the certification authority have the necessary knowledge, experience and skill) and guaranteed compliance with legal provisions applicable to the operation of such an authority. The proposed ordinance contains a detailed description of the licence application procedure, including costs. Unlike the Utah Digital Signature Act, the German Act does not contain a detailed description of objective conditions to be satisfied.

      (3) Duties and Obligations

      The DSA provides, inter alia, for the following obligations:

      • § 5 provides that the CA will have to reliably establish the identity of persons applying for a certificate as well as information concerning professional status.

      • The CA must issue certificates and take measures to prevent undetected forgery or manipulation of data as well as to ensure confidentiality of private signature keys.

      • The CA will notify the applicants of the measures necessary to support secure digital signatures and their reliable verification.

      • contains an obligation concerning the invalidation of certificates where the owner of a signature key requests it or when the certificate was obtained through false statements in respect of § 7. It should be noted that the DSA does not address the issue of whether the CA should be required to provide a full 24-hour service for invalidating certificates.

      (4) Liability

      Unlike other laws or proposals, the DSA does not address liability issues. Legal commentaries argue that the regulation has been postponed until more consensus has been achieved about which kind of rules should be established. Therefore, at the moment, the general liability rules shall apply. In case of tort liability, this means that a fault-based liability regime will be applicable.

      As described above, the CA has the obligation to issue certificates and to constitute a database of revoked certificates. Therefore, the CA should assume responsibility for the accuracy, updating and completeness of its certificates and database vis-à-vis both its own subscribers of certificates and third parties relying on these certificates who have suffered damage as a consequence of a wrongful certificate. In our view, the criterion of duty of care is a good one. However, because of the technical issues surrounding the certification process, it will be very difficult for consumers to prove the lack of care of the CA in the issuance of a certificate. Consequently, we suggest that the onus probandi should be reversed. This means that it should be sufficient for the damaged subscriber and third party to assert that the CA did not exercise sufficient care in carrying out its obligations, and it will be up to the CA to evidence the contrary by proving that the requirements set out in the DSA and Ordinance were satisfied.

    3. Conclusions

    According to German law, the use of electronic means to enter contracts between the distributor and the end-user does not raise special problems but does raise some doubts. First, will the parties involved in such electronic contracts trust the system and feel confident about the security? Second, as a matter of evidence, will the electronic document be regarded and valued as documentary evidence?

    In our view, the implementation of the DSA will provide a positive answer to the above questions. First, the contracting parties in an electronic transaction concerning protected works will be confident that by using a digital signature and a digital certificate issued by a licensed CA, they have a much more trustworthy system than ever before and, second, the document issued using these techniques will have the same evidentiary value as documentary evidence. Indeed, the DSA provides a secure system. Our fear is that the system introduced, by imposing such strict conditions for becoming a CA, will deter businesses from engaging in CA activities. On the other hand, from the point of view of consumer protection, the law should deal with the liability questions we identified above.

    Overall, the DSA is a good starting point towards achieving security in electronic communications.

Notes

  1. COM(96) 76 final of 6 March 1996
  2. See Newsletter, issue No 1
  3. See Deliverable D.4.2.2
  4. See article 1 of the Proposal
  5. See article 3 of the Proposal
  6. See article 4 of the Proposal
  7. See article 1 of the Proposal
  8. See article 2 of the Proposal
  9. (97/489/EC), OJ L208, 02/08/97, p.0052
  10. EC Commission, The Legal Position of the Member States with respect to Electronic Data Interchange, Final Report, September 1989, p.170
  11. ibidem, p.64
  12. Federal Act Establishing the General Conditions for Information and Communication Services
  13. Adopted and entered into force on November 1st, 1997


Latest Revision: October 19, 1998 Copyright © 1995-2000
International Federation of Library Associations and Institutions
www.ifla.org