JILT 2000 (1) - Richard Wu
Electronic Transactions Ordinance – Building a Legal Framework for E-commerce in Hong KongRichard Wu On 5th January 2000, Hong Kong passed the Electronic Transactions Ordinance. The ordinance was the first piece of legislation passed by Hong Kong in the new millenium. It paves the way for the widespread adoption and use of digital signature, which is essential to the future growth and development of e-commerce in Hong Kong. This article will first examine the historical development of e-commerce legislation, with particular focus on digital signature and electronic signature legislation. It will compare the different approach adopted by different countries, in particular the US and the EU, such as the Uniform Electronic Transactions Act adopted by the US and Digital Signature Directive adopted by the EU last year. The article will then examine the key features of the Electronic Transactions Ordinance, such as legal recognition of digital signatures, adoption of asymmetric cryptosystem, establishment of a voluntary recognition system of certification authorities and creation of recognised certification authorities, establishment of Public Key Infrastructure, and obligation of secrecy. The article then highlights certain inadequacies of the ordinance, such as failure to deal with foreign certification authorities, failure to impose adequate legal sanctions on the subscribers of the certification authorities, failure to deal with insolvency of the certification authorities. The article concludes that the ordinance may be rendered obsolete easily by the fast changing technology. Moreover, the ordinance, a local law by nature, is inherently difficult to regulate e-commerce, which is essentially a global issue. The article proposes a flexible legislative approach should be adopted in future to make the Electronic Transactions Ordinance adaptable to the fast-growing e-commerce in Hong Kong. Keywords: Computer, software; 'millennium bug'; contract; sale of goods; supply of goods and services; classification of software as 'goods'; satisfactory quality; durability; fitness for purpose; description; goods sold by description. This is a Refereed Article published on 29 February 2000. Citation: Wu R, 'Electronic Transactions Ordinance – Building a Legal Framework for E-commerce in Hong Kong', 2000 (1) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/00-1/wu.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_1/wu/> On 5th January 2000, Hong Kong passed the Electronic Transactions Ordinance[1]. The ordinance was the first piece of legislation passed by Hong Kong in the new millenium. It paves the way for the widespread adoption and use of digital signature, which is essential to the future growth and development of e-commerce in Hong Kong[2] The Hong Kong government only introduced the bill to its legislature on 14th July 1999 but in less than six months' time, the bill was passed into law. This reflects the determination of the Hong Kong government to establish a legal regime to cope with the fast-growing e-commerce in Hong Kong[3]. As one government official said: 'The Electronic Transaction Bill needed to be passed quickly to make sure Hong Kong can become a competitive player in the e-commerce world'[4]. In fact, it is estimated that the total amount of trade of goods and services in Hong Kong conducted over the internet will rise from US$60 million to US$2.4 billion by 2003[5]. E-commerce is not a new phenomenon in Hong Kong. It has been with Hong Kong for decades with the adoption of electronic data interchange (EDI) in Hong Kong. An explosive growth of E-commerce, however, did not take place in Hong Kong until recent years with the commercial application of internet and world wide web on a large scale. As e-commerce develops, it creates new challenges to the legal system of Hong Kong, which needs to develop a new legal regime to cope with this fast growing area of commerce. Before the passage of the Electronic Transactions Ordinance, a legal framework for e-commerce did not exist in Hong Kong. There is, however, a growing realization in Hong Kong in recent years that e-commerce can only achieve its full potential if there is a modern legal infrastructure that can support the growth of e-commerce. 2. Historical Development of E-commerce Legislation E-commerce legislation is a very recent phenomenon, both on international and national levels. All 'e-commerce legislation' are concerned with the enforceability of e-commerce transactions. Most countries attempt to resolve this issue by way of what are commonly known as 'digital signature legislation' or 'electronic signature legislation'. The American Bar Association first developed a set of Digital Signature Guidelines to deal with legal issues arising from digital signatures (ABA Guidelines) in 1995. Since then, there has been an explosion of digital signature legislation and electronic signature legislation. The US state of Utah enacted the first digital signature legislation in the world by passing the Utah Digital Signature Act in May 1995 (the Utah Act). The ABA Guidelines and the Utah Act prove popular both at the national and international levels and they serve as models of digital signature legislation for many other US states and other countries in the world. They both focussed on digital signatures. However, subsequent 'e-commerce legislation' started to move from a focus on digital signatures specifically to a focus on electronic signatures generally. On the international level, the United Nations Commission on International Trade Law (UNCITRAL) adopted a Model Law on Electronic Commerce (the Model Law) in 1996 aiming at removing legal obstacles to the use of electronic and digital signatures. In the Model Law, it expressly provides that where the law requires the signature of a person, that requirement is met in relation to a data message if: a) a method is used to identify that person and to indicate that person's approval of the information contained in the data message; and b) that method was reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement[6]. The Model Law, therefore, does not only deal with digital signatures but cover all forms of electronic signatures. In Hong Kong, the Electronic Transaction Ordinance enacted is basically a digital signature legislation. Unlike other Hong Kong legislation built on years of business practice and experiences, the Electronic Transactions Ordinance is unique in that it creates a new legal framework for a new business environment. It gives new legal meanings to such old concepts of 'signatures' and 'records'. It also defines the rights and obligations of various parties, some of which do not even come to existence before the passage of the law, e.g., recognized certifying authorities. The Electronic Transactions Ordinance is therefore highly symbolic as Hong Kong attempts to develop itself into a centre of e-commerce in China and Asia in the new millenium. As digital signature legislation is only a very recent phenomenon, the Electronic Transactions Ordinance is heavily influenced by other digital signature legislation, such as the Utah Act and the Model Law. In fact, 'e-commerce legislation' is an area where the international and US influences are great and traceable in many countries. For example, other Asian countries like Singapore and Malaysia adopted 'e-commerce legislation' modeled on the Utah Act and the Model Law[7]. 3. Key Features of the Electronic Transactions Ordinance 3.1 Legal Recognition of Digital Signature The ultimate aim of any digital and electronic signature legislation is to give legal recognition to electronic or digital signatures. All such legislation provide, in one way or another, that the use of an electronic or digital signature on an electronic record will be treated in the same manner as a handwritten signature on paper. The terms 'digital signature' and 'electronic signature' are, however, terms of art. For example, Smith B W and Tufaro P S (1998) defined the term 'digital signature' to mean authentication methods employing 'public key cryptography' and the term 'electronic signature' to encompass digital signatures as well as non-public key authentication methods[8]. In some countries, 'electronic signature' means any symbol or method executed or adopted with electronic means with an intention to be bound. The Uniform Electronic Transactions Act (UETA) approved in the US last year adopts this approach. It defines 'electronic signature' to mean an electronic record, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record'[9]. Other countries adopt a different approach to 'electronic signatures'. Under this approach, 'electronic signature' must possess certain attributes or meet certain requirements before they will be considered enforceable. For example, in the EU Directive on Digital Signature[ 10], it differentiates 'electronic signature' and 'advanced electronic signature'. 'Electronic signature' is defined to mean 'data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication'. On the other hand, 'advanced electronic signature' is defined to mean an electronic signature which is uniquely linked to the signatory, capable of identifying the signatory, created using means that the signatory can maintain under his sole control and is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable[11]. The definition of 'advanced electronic signatures' illustrates the alternative approach to 'electronic signatures'. In other countries or states, they only give legal recognition to 'digital signature' and do not cover other forms of electronic signatures in their digital signature legislation. For example, in the Utah Act, it gives legal recognition to 'digital signatures', which is defined to mean 'a transformation of message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether: a) the transformation was created using the private key that corresponds to the signer's public key; and b) the message has been altered since the transformation was made[12]. Under the Electronic Transactions Ordinance, a digital signature of a person satisfies a rule of law if that rule requires the signature of that person[13]. It is apparent that between digital signatures and electronic signatures, Hong Kong only gives legal recognition to the former. Under the ordinance, 'digital signature' is defined to mean 'an electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine: a) whether the transformation was generated using the private key that corresponds to the signer's public key; and b) whether the initial electronic record has been altered since the transformation was generated'[14]. One can easily see that this definition closely resembles its counterpart under the Utah Act. The primary reason why Hong Kong only gives legal recognition to digital signature, but not other kinds of electronic signatures, is that 'digital signature is currently the only technically mature technology that provides security service of a quality that satisfies the need for user authentication, ensuring the integrity and confidentiality of data and protecting non-repudiation of transactions'[15]. This policy choice is understandable as digital signature technology provides a secure means of authenticating electronic documents. As e-commerce is a relatively new phenomenon in Hong Kong, the ability to conduct e-commerce in a secure manner is of paramount importance in stimulating the widespread acceptance and growth of e-commerce in Hong Kong. On the other hand, as the Ordinance is drafted in such a 'technology-specific' style, it may mislead the local people and market to assume that only digital signature technology is worthy of trust and create unintended market distortions in the long run. By recognising only one form of electronic authentication (ie, digital signature), the Electronic Transactions Ordinance may have the unintended effect of precluding other methods of electronic authentication that may be appropriate, and inhibit the development of other electronic signature technologies that may be equal or even superior to digital signatures. In other words, by enshrining a specific technology, the Electronic Transactions Ordinance may have the counter-effect of reducing incentives for further improvements and innovations in other electronic signature technologies, which is potentially detrimental to the future development of e-commerce in Hong Kong. 3.2 Adoption of Asymmetric Cryptosystem Like most digital signature legislation, the Electronic Transactions Ordinance adopts an 'asymmetric cryptosystem'. This is in contrast to a 'symmetric cryptosystem'. The latter involves a single key known to the sender and recipient of a message and the same key is used by the sender of the message to encrypt a message and by the recipient to decrypt it. On the other hand, an 'asymmetric cryptosystem'[16] is an information system using a 'key pair' to encrypt and decrypt a message. A key pair means a private key and its mathematically related public key, where the public key can verify a digital signature that the private key generates[17]. The private key is the key of a key pair used to generate a digital signature[18] while the public key is the key of a key pair used to verify a digital signature[19]. Under the asymmetric cryptosystem adopted by the Electronic Transactions Ordinance, the digital signature is created in several steps. The sender first composes the message. The text of the message will be run through a 'hash function', which is basically a computer software[20]. The hush function will produce a 'hash result', which is essentially a combination of letters, numbers, and/or symbols. The 'hash result' generated is unique to the message of the sender. After creation of the 'hash result', the 'hash function' will encrypt the 'hash result' using the sender's private key. This will creates another 'hash result', which is the digital signature. This digital signature is unique to the sender's message. Upon receipt of the message, the recipient will verify the digital signature[21] by decrypting the digital signature with the sender's public key. He first creates a new 'hash result' using the same 'hash function' that created the digital signature. With the public key of the signer and the 'hash result', the message recipient needs to determine for himself two matters. First, whether the digital signature was created with a private key that matches the public key; and secondly, whether the new 'hash result' generated is identical to the original 'hash result' created by the sender and encrypted into the digital signature. If the private key and public key correspond to each other and the two 'hash results' are identical, the message recipient can verify that the message has not been altered after it was sent by the sender. The advantage of this 'asymmetric cryptosystem' is obvious. It allows electronic transactions to take place as one person can use his private key to encrypt a message that can be checked against by another person using his public key. With such a system, businessmen can do business with one another online by using digital signatures to establish their identities. 3.3 Establishment of a Voluntary Recognition System of Certification Authorities (CA) and Creation of Recognised Certification Authorities (RCA) Unlike some Asian countries which imposes a mandatory registration system on all CAs[22], Hong Kong adopts a voluntary recognition system. As one Hong Kong government official explained, CAs are free to apply for recognition on a voluntary basis but only those CAs which have achieved certain objective standards will be 'recognised'. In other words, 'unrecognised' CAs may operate in Hong Kong side by side with RCA. Their activities and their relationship with their clients will, however, be governed by common law[23]. Under the Electronic Transactions Ordinance, a digital signature is only recognised if it is supported by a certificate issued by a RCA[24]. Therefore the RCAs are of pivotal importance in the Electronic Transactions Ordinance. In fact, a substantial portion of the ordinance is devoted to various aspects of the RCAs, such as their recognition, liabilities and issue of certificates[25]. Under the Electronic Transactions Ordinance, regulatory authority is conferred on the Director of Information Technology Services, a government official, to 'recognise' CAs[26]. The law also specifies certain matters that the Director of Information Technology Services needs to consider in any application for recognition by a CA. These include financial status of the CA, its arrangements to cover potential liability, its system, security arrangements and standard used to issue certificates, whether the CA and its responsible officers are 'fit and proper persons' and the 'reliance limits' set by the CA for its certificates[27]. The Ordinance also gives powers to the Director of Information Technology Services to revoke or suspend the recognition of a CA[28]. For example, the Director of Information Technology Services may revoke or suspend the recognition of a CA if it fails to operate in accordance with the 'certification practice statement', comply with the code of practice, use a trustworthy system[29] or to comply with any provisions of the ordinance[30]. The Ordinance also makes detailed provisions for the operations of a RCA. For example, a RCA must use a trustworthy system in performing its services to issue or withdraw certificates and publish in a repository[31]. A RCA must also maintain an on-line and publicly accessible repository[32]. Moreover, a RCA need to comply with a code of practice, which will be issued by the Director of Information Technology Services and specifies the standards and procedures for carrying out the functions of a RCA under the ordinance[33]. In fact, a code of practice has been drafted and issued to the public for consultation. Under the Ordinance, every RCA need to issue and maintain an up-to-date 'certification practice statement' (CPS)[34], which is a statement issued by the RCA to specify the practices and standards that the RCA employ in issuing certificates[35]. It must also notify the Director of Information Technology Services of any changes to its practices as set out in its CPS[36]. The CPS is the principal document that defines the standards, practices and responsibilities of the RCA and it determines the liability standards of the RCA. One unique feature of the Electronic Transactions Ordinance is that it makes the Post Office a RCA for the purpose of the ordinance and it may perform the functions of a CA[37]. This can be seen as an attempt by the Hong Kong government to take the initiative in the establishment of RCA in Hong Kong as the business of CA is novel to Hong Kong and it is uncertain whether the Hong Kong businessmen have interest in this new business. The main benefits of 'recognition' of CA is that the RCAs will be afforded significant limitations on its potential legal liabilities by the Electronic Transactions Ordinance. For example, the RCAs shall not be liable for loss caused by reliance on false or forged digital signatures supported by certificates issued by them if the RCAs have complied with all material requirements of the ordinance and the code of practice[38]. Moreover, the RCAs may specify in their certificates 'reliance limits'. These 'reliance limits' set up as a cap on their legal liabilities and they are not liable in excess of the amounts specified in the 'reliance limits' for any loss caused by reliance on any information that the RCAs are required to confirm but which are misrepresented on their certificates[39]. The RCAs may even specify different reliance limits in different certificates[40]. These limitations of liability will not apply only if the misrepresented facts were due to the negligence of the RCAs or made intentionally or recklessly by the RCAs[41]. Such liability apportionment provisions are not uncommon in other digital signature legislation, in particular those based on the 'Utah Act model'. There are sound policy reasons behind such provisions. If no limit is imposed on potential legal claims, the CAs may spend much time and resources to confirm the identity of every party intending to rely on the certificates issued by them so as to avoid or minimise the potential legal liabilities This will slow down the transaction speed and increase the transaction cost, which do not serve the efficiency and cost-reduction goals of e-commerce. Moreover, if the CAs need to bear the risk of unlimited legal liability, they may try to absorb such risk by increasing the price of their certificates to an uneconomically high level. This is again not serving the cost reduction goal of e-commerce. It may even deter businessmen to enter the new business of CA, no matter how potentially lucrative they are. On the other hand, the Electronic Transactions Ordinance may be criticised for lack or insufficient protection of interests of consumers relying on the certificates issued by the RCAs to conduct electronic transactions. In attempting to minimize or limit the liability or exposure of the RCAs, the Ordinance shifts an immense liability burden onto consumers who conduct electronic transactions through the RCA[42]. On the whole, the RCAs established under the Electronic Transactions Ordinance need to meet detailed statutory standards, and the Ordinance is highly prescriptive of the RCAs and the certificates issued by them. This reflects a 'regulatory' approach that consider certification services are too important to be left unregulated completely and government regulation is essential to an orderly development of the RCAs in Hong Kong. 3.4 Establishment of Public Key Infrastructure Like most digital signature legislation, the Electronic Transactions Ordinance establishes the Public Key Infrastructure (PKI). In the PKI, a person applies and pays for the issue of the key pair, to wit, a public key and a private key, by a CA. Once the person has a key pair, CA will issue a certificate to confirm his identity. CA will then place this certificate in a repository, where it can be viewed by anyone to whom the subscriber may send a digitally signed message. Since the PKI established under the Electronic Transactions Ordinance is one based on the 'Utah Act model', it is an 'open PKI' system. There are two popular models of PKI, namely 'open PKI' and 'closed PKI' systems[43]. The 'open PKI' system is, however, heavily criticized by some as a business model which cannot serve the goals of e-commerce (Biddle C B;1997). Under an open PKI system (upon which the Electronic Transactions Ordinance is premised), the users needs to obtain a certificate from a CA. After that, they can use their public keys for many purposes. This model assumes that many parties, not knowing each other at the time of issue of the certificate, rely upon the certificate of the user to conduct electronic transactions. Winn (1998) vividly described the open PKI system as a 'stranger to stranger' system. In other words, the parties to business transactions conducted under an open PKI system can have no prior relationship other than the current transaction and the certificate issued by CA to the user is the whole foundation of trust upon which the transaction is based. It is no coincidence that a statutory presumption exists in the Electronic Transactions Ordinance to the effect that the information contained in the certificate is correct unless it is proved to the contrary[44]. On the other hand, users in a closed PKI system need to obtain different certificates for different groups of people whom they desire to conduct electronic transactions. In other words, they use one certificate for one type of electronic transactions. The major difference between closed and open PKI systems lies in their abilities to manage legal risks. Under an open PKI system, it is relatively easy for a user's certificate to be used to 'sign' document digitally and enter into electronic transactions. This makes the consequences extremely severe if the user's key is compromised. Under a closed PKI system, if the user's certificate is improperly used to enter into an electronic transaction, the legal consequences to the user, the contracting party and the CA are much more limited. This is because the CA and members of a particular group within a closed PKI system may enter into agreements with each other that define their rights and responsibilities vis-à-vis each other and allocate the legal risks within such a system contractually. In other words, the potential legal risks and liabilities are reduced substantially in a closed PKI system because the number of potential users and potential purposes of the certificates are much more limited compared to an open PKI system. In reality, open and closed PKI systems share more common attributes than differences. Although the Electronic Transactions Ordinance adopts an open PKI system, it incorporates some features of a closed PKI system. For example, all RCAs must issue CPS[45]. They may also specify reliance limits in their certificates[46]. These features serve to 'close' or narrow down the exposure of legal liabilities of the RCAs. In the case of an open PKI system, because there is a lack of contractual privity between the parties, legislative intervention is considered necessary to predetermine the legal rights and obligations of the RCA and other parties. Such legislative approach is clearly adopted by Hong Kong in the Electronic Transactions Ordinance. In an open PKI system, it regulates rights and allocate risk between the parties by public law but in a closed PKI system, it regulates such matters by private contract. One may ask whether a closed PKY system is more efficient than an open PKI system in creating a flexible PKI system for the future growth and development of e-commerce in Hong Kong. Moreover, if the lack of contractual privity between RCA and other parties provides the rationale for legislative intervention in the Electronic Transactions Ordinance, one may wonder whether such legislation intervention can be dispensed with if a closed PKI system, which allows for creation of contractual privity between the parties, is adopted by Hong Kong. With the rapid growth of e-commerce, many people raised concerns regarding use of personal data collected in the course of conducting electronic transactions. As neither digital signatures nor PKI guarantee privacy to users, the Electronic Transactions Ordinance imposes an obligation of secrecy by prohibiting persons having access to any information in the course of performing a function or for the purposes of the ordinance to disclose such information to any other person. Any person contravening such prohibition shall be subject to fine or even imprisonment[47]. 4. Inadequacies of the Ordinance The Electronic Transactions Ordinance is inadequate in several aspects. For example, it does not deal with the issue of foreign CAs. In other words, it remains unclear whether certificates issued by foreign CAs are recognized in Hong Kong. This is unsatisfactory as if such certificates are not recognized, e-commerce conducted on a cross-border basis will be unnecessarily limited in scope. The Ordinance, while requiring the RCAs to use a 'trustworthy system', does not require the subscribers of the RCAs to use 'trustworthy system' to protect or use their private keys. Without such a requirement, the security of digital signature afforded by the Ordinance may be undermined. The subscribers may disclose the private key to other unauthorized individuals by inadvertence. They may also commit human errors in creating messages and digital signatures. Moreover, the computers hardware and software that the subscribers use for converting messages into electronic forms and creation of digital signature may also commit mechanical errors (Jueneman and Robertson,1998). All these affect the security and reliability of digital signature system adopted by the Electronic Transactions Ordinance. Without any statutory obligations imposed, however, no legal liability may be imposed on the subscribers when such scenarios occur[48]. Moreover, the implicit assumption under the Electronic Transactions Ordinance on regulation of RCA and issue of digital certificates issued by them is that most of the electronic transactions undertaken on the internet are of the 'high-value' type. In other words, the value of the electronic transactions is high compared to the cost and money of obtaining a certificate from the CAs. This may be true in the case of 'business-to-business' e-commerce, but is not necessarily so in retail transactions. For example, electronic transactions of some goods, such as books, may not justify the cost of a RCA certificate. Under the Electronic Transactions Ordinance, the RCAs may issue different classes of certificates or certificates with different 'reliance limits'[49]. However, it remains uncertain what pricing policy the RCAs will adopt in issuing the certificates. If they charge a high fee for their certificates, it may induce people to use digital certificates for only limited type of transactions and purposes. If the fee is unreasonably high, it may even deter people from using the PKI system altogether and the growth of e-commerce in Hong Kong will be stifled. Furthermore, as the RCAs play an important role in the PKI system, it is foreseeable that as e-commerce grows in Hong Kong, more and more businessmen and consumers will depend on RCAs for their electronic transaction in future. As a result, the insolvency of RCA can have confidence implications on the business community and society similar to the failure of banks or other financial institutions. The Electronic Transactions Ordinance, while containing detailed provisions on different aspects of the RCAs, does not have any specific provisions dealing with the insolvency of the RCAs. As with other digital signature legislation, the Electronic Transactions Ordinance suffers from two fundamental problems. First, the changing nature of the digital signature technology has the potential of rendering the Ordinance obsolete within a short span of time. Secondly, the Electronic Transactions Ordinance, being a local law in nature, is inadequate to cope with the regulation of e-commerce which is basically a global issue (Swindell and Henderson,1998). Moreover, while the goal of laying a legal foundation for e-commerce is laudable, the Electronic Transactions Ordinance is rather conservative in its approach. When the Utah Act was enacted as the first 'digital signature legislation' in the world in 1995, it adopted a regulatory and technology-specific approach. The legislative approach to 'e-commerce legislation', however, has been changing rapidly since then. As time moves on, a minimalist, non-regulatory and technology-neutral stance is increasingly popular (Greenwood,1999). Judging from this perspective, Hong Kong is lagging behind the international trend in adopting a regulatory and technology-specific digital signature legislation. In fact, Biddle (1997) argued that all digital signature legislation should be abandoned altogether because they impose a particular view of e-commerce. To cope with the ever changing demands of e-commerce, Hong Kong needs to adapt its legal system constantly. In this regard, the Hong Kong government has promised to review the Electronic Transactions Ordinance eighteen months after its passage to see whether any amendments are necessary according to market needs and technological developments (Ip I,2000 ). It is hoped that with a more flexible legislative approach, the Electronic Transactions Ordinance can serve as a vehicle for advancing e-commerce in Hong Kong. Footnotes 1. Ordinance No.1 of 2000. 2. Ip I, 2000 'Electronic Signature Recognition Bill Opens Door for e-commerce' Hong Kong Standard 6 January. 3. Many other Asian countries have passed 'e-commerce legislation' in recent years. For example, Malaysia passed the Digital Signature Act in 1997 and Singapore passed the Electronic Transactions Bill in 1998. 4. Ip I, 2000 'Electronic Signature Recognition Bill Opens Door for e-commerce' Hong Kong Standard 6 January. 5. Dow Jones International News 2000, 'HK Electronic Commerce to Reach US$2.4 Billion by 2003 –HK Govt.' 7 January. 6. UNCITRAL Model Law (1996), article 7. 7. Malaysia passed the Digital Signature Act in 1997 and Singapore passed the Electronic Transactions Bill in 1998. 8. Smith B W and Tufaro P S (1998)'To certify or not to certify: The OCC opens the door to digital signature certification' 24 Ohio Northern University Law Review 813. 9. Uniform Electronic Transactions Act, s2(8). 10. It was adopted on 30th November 1999 at the Council of Telecommunications, European Union. 11. EU Directive on Digital Signatures, article 2. 12. Utah Code Ann (1995), s.46-3-103(10). 13. Electronic Transactions Ordinance (2000), s.2. 14 . Electronic Transactions Ordinance (2000), s.2. 15. See the Hong Kong Government's Response to Comments made by the Hong Kong Computer Society, LC paper No.CB(1)297/9-00(04). 16. Under section 2 of the Electronic Transactions Ordinance, 'asymmetric cryptosystem' means 'a system capable of generating a secure key pair, consisting of a private key for generating a digital signature and a public key to verify a digital signature'. 17. Electronic Transactions Ordinance (2000), s.2. 18. Electronic Transactions Ordinance (2000), s.2. 19. Electronic Transactions Ordinance (2000), s.2. 20. Under section 2 of the Electronic Transactions Ordinance, 'hash function' is defined as 'an algorithm mapping or transforming one sequence of bits into another, generally smaller, set as the hash result, such that 'a record yields the same hash result every time the algorithm is executed using the same record as input; it is computationally not feasible for a record to be derived or reconstituted from the hash result produced by the algorithm; and it is computationally not feasible that two records can be found to produce the same hash result using the algorithm.'. 21. Under s.2 of the Electronic Transactions Ordinance, 'to verify a digital signature' means to determine that the digital signature was generated using the private key that corresponds to the public key and that the message has not been altered since its digital signature was generated. 22. For example, in Malaysia, all CA that issue certificates must register under the Digital Signature Act. 23. See Hong Kong Government's Response to Comments made by the Hong Kong Computer Society , LC Paper No.CB(1)297/99-00(04). 24. Electronic Transactions Ordinance (2000), s.2. 25. Electronic Transactions Ordinance (2000), sections VII to X. 26. Electronic Transactions Ordinance (2000), s.21. 27. Electronic Transactions Ordinance (2000), s.22. 28. Electronic Transactions Ordinance (2000), ss.24-26. 29. 'Trustworthy system' is defined under section .2 of the Electronics Transactions Ordinance to mean 'computer hardware, software and procedures that: a) are reasonably secure from inclusion and misuse; b) are at a reasonable level in respect of availability, reliability, and ensuring a correct mode of operations for a reasonable period of time; c) are reasonably suitable for performing their intended functions; and d) adhere to the generally accepted security principles. 30. Electronic Transactions Ordinance (2000), s25. 31. Electronic Transactions Ordinance (2000), s.37. 32. Electronic Transactions Ordinance (2000), s.45. 33. Electronic Transactions Ordinance (2000), s.33. 34. Electronic Transactions Ordinance (2000), s.44. 35. Electronic Transactions Ordinance (2000), s.2. 36. Electronic Transactions Ordinance (2000), s.44. 37. Electronic Transactions Ordinance (2000), ss.34 and 35. 38. Electronic Transactions Ordinance (2000), s.42. 39. Electronic Transactions Ordinance (2000), s.42. 40. Electronic Transactions Ordinance (2000), s.41. 41. Electronic Transactions Ordinance (2000), s.42(3). 42. For similar criticism on such liability apportionment provision in US digital signature legislation, see Smedinghoff T J and Bro R H (1999) 'Moving with change: Electronic Signature Legislation as a vehicle for advancing e-commerce' 17 John Marshall Journal of Computer and Information Law 723. 43. Greenwood D J (1998) 'Risk and Trust Management Techniques For an 'Open but Bounded' Public Key Infrastructure' 38 Jurimetrics Journal 277. 44. Electronic Transactions Ordinance (2000), s.32. 45. Electronic Transactions Ordinance (2000), s.44. 46. Electronic Transactions Ordinance (2000), s.41. 47. Electronic Transactions Ordinance (2000), 48. There is similar oversight in the ABA Guidelines. See Jueneman R R and Robertson R J Jr. (1998) 'Biometrics and Digital Signatures in Electronic Commerce' 38 Jurimetrics Journal 427. 49. Electronic Transactions Ordinance (2000), s.41. Biddle C B (1997) 'Legislating Market Winners: Digital Signature Laws and The Electronic Commerce Marketplace' 34 San Diego Law Review 1225. Dow Jones International News (2000), 'HK Electronic Commerce to Reach US$2.4 Billion by 2003 –HK Govt.' 7 January. Ip I, (2000) 'Electronic Signature Recognition Bill Opens Door for e-commerce' Hong Kong Standard 6 January. Electronics Transactions Ordinance (2000) Ordinance No.1 of 2000, Legal Supplement No.1 to the Government of The Hong Kong Special Administrative Region Gazette, 7 January 2000. Greenwood D (1998) 'Risk and Trust Management Techniques For an 'Open but Bounded' Public Key Infrastructure' 38 Jurimetrics Journal 277. Greenwood D (1999) 'Establishing a commercial framework for electronic signatures: the Millenium Digital Commerce Act', Electronic Banking Law and Commerce Report, April. Hong Kong Government's Response to Comments made by the Hong Kong Computer Society, LC paper No.CB(1)297/9-00(04). Jueneman R R and Robertson R J Jr, (1998) 'Biometrics and Digital Signatures in Electronic Commerce' 38 Jurimetrics Journal 427. Smedinghoff T J and Bro R H (1999) 'Moving with change: Electronic Signature Legislation as a vehicle for advancing e-commerce' 17 John Marshall Journal of Computer and Information Law 723. Smith B W and Tufaro P S (1998) 'To certify or not to certify: The OCC opens the door to digital signature certification' 24 Ohio Northern University Law Review 813. Swindell C and Henderson K (1998) ' Legal Regulation of Electronic Commerce', Journal of Information, Law and Technology 1998(3). UNCITRAL Model Law on Electronic Commerce with Guide to Enactment (1996) General Asembly Resolution 51/162. Winn J (1998) 'Open Systems, Free Markets and Regulation of Internet Commerce' 72 Tulane Law Review. |