US and EU Regulatory Competition and Authentication Standards in Electronic Commerce

Jane K. Winn (University of Washington School of Law, USA)

This chapter examines the role of law reform in promoting the development of technical standards for the authentication of parties engaged in Internet commerce. Law reforms intended to improve the security of Internet commerce can only succeed if they address business, technical and legal issues simultaneously. The EU has used commercial law reform and formal standard development to coordinate work on authentication standards, while the US has allowed the market to determine what type of authentication technology is appropriate and has left the development of standards to private consortia. While the EU approach may solve collective action problems more effectively, the US approach may discover end user requirements and may allow business judgments about risk to inform the law more effectively. Neither approach has yet resolved the authentication problems facing businesses engaged in online commerce.
Chapter Preview


In 2006, businesses engaged in Internet commerce face a fundamental challenge when trying to implement strong authentication technologies because of the absence of widely accepted standards for the reliable authentication of transacting parties in Internet commerce. For more than a decade, governments have struggled unsuccessfully to create legal frameworks within which businesses can implement strong authentication technologies, and still enjoy the global reach and efficiency of Internet markets. The creation of such frameworks requires the simultaneous resolution of legal, business and technical issues, a result that none of the electronic commerce enabling legislation enacted to date in either the US or EU has managed to achieve. This paper will analyze the strengths and weaknesses of the different approaches taken by the US and EU in recent years, and will suggest what regulatory strategies might succeed in this area in the future.

The problem of authentication is fundamental to online commerce. Actions taken in online environments can most easily be traced back to particular computer equipment and software, but responsibility for commercial transactions must be attributed to individuals and organizations in the material world, not to computers or software. In order to establish a connection between some action taken online, and individuals and organizations that can be held legally accountable, a system of authenticating computer users must be found. When electronic commerce was based on mainframe computers, and network connections were limited, the scope of the authentication problem was limited. With the commercialization of the Internet in the 1990s and the use of insecure public networks for commercial transactions, the magnitude of the problem of online authentication for commercial transactions increased rapidly. The problem of authentication has so far defied the efforts of developers to produce an effective technological solution that can be widely implemented. Different governments at different times have tried to use “technology-forcing” legislation (Miller 1995) to push technology developers and transacting parties to focus more attention on the problem of authentication, although none have yet succeeded. The question of whether it is possible to develop authentication technologies that can meet the needs of parties using the Internet for commercial transactions is a very real one, but for the purposes of this paper, it will be assumed that such a solution is in theory possible even if it might be prohibitively expensive to implement in the near term.

Assuming that some collective solution to the problem of authentication in Internet commerce is technologically feasible, although it is not yet clear what that solution is, then the question with regard to the regulation of commerce is what form of legal regulation would be most compatible with widespread adoption of such a solution. Standards for authentication technologies are necessary to achieve interoperability and permit transacting parties to enjoy the positive network effects created by the ubiquitous nature of the Internet. Developing appropriate standards for authentication technology has proven to be a monumental task, and even if appropriate standards can be developed, substantial collective action problems must be resolved in order to achieve their widespread adoption. The US has opted to allow market forces to resolve these problems, while the EU has opted for a more regulatory approach to deal with them.

