No Remedy for Disappointed Trust – The Liability Regime for Certification Authorities Towards Third Parties Outwith the EC Directive in England and Germany Compared
Abstract
In history the seal was replaced by the hand written signature. With the dawn of the digital age the days of the hand written signature are now also numbered. Fairly soon electronic data communication will render paper superfluous, and hand written signatures will be replaced by their 'unequal sisters' – the electronic signature, also called digital signature.
This paper will look at one of the legal aspects uniquely connected with electronic signatures – the liability of certification authorities (CAs). Since our new signatures will consist only of a binary code, somebody must link this code with our identity. This function is performed by CAs, which state both the identity and the binary code in one electronic document called a certificate. The question of liability arises when, intentionally or negligently, a binary code is linked to a non-corresponding identity. This study does not deal with the legal relation between CA and certificate holder, but with the largely unsolved, or not sufficiently solved, problems of professional liability for the provision of information towards third parties. In other words, this paper focuses on the liability regime which applies between a CA and a third party who uses the certificate to validate the identity of a certificate holder intending to transact with the third party.
The European Union has introduced minimum liability rules for a group of certificates which are supposed to have a very high security standard, thus potentially increasing the confidence of the third party regarding the certificate. We will, however, learn that the vast majority of certificates are governed solely by national liability rules. So far the elaboration of these liability regimes has been largely neglected and underestimated by academic writers in England and Germany. Due to its practical significance, an urgent explanation and elaboration is thus needed. The concern of this paper will, therefore, be to explore the liability regimes for certificates outside the scope of the EU regulations.
The first section deals with the comprehension of technology and usage of electronic signatures, which is a necessary prerequisite. The second section will provide an introduction to the issue of liability. In order to distinguish the liability regimes applicable to different categories of certificates in the EU, this section will also briefly outline the legal framework created by the EC Directive. The third section will initially identify relevant English liability rules before exploring whether such rules are suitable and sufficient to cover the special liability situation in which a CA and a relying party may find themselves. The same process of exploration and evaluation will be applied to the German liability rules in the fourth section. The fifth section will compare the results produced by such an exploration and evaluation of the English and German systems.
The paper reaches the following initial conclusions: there are many (perhaps too many) minor and major obstacles in both German and English law which question the success of any claim by a relying party. A strong liability regime (which would particularly enhance confidence in 'non-qualified' certificates, and generally in electronic communication and commerce) is practically not in existence! If the present laws are applied, the question of whether to boost e-commerce through consumer confidence or through low legal obstacles for businesses operating in the respective market seems to be decided in clear favour of the latter one. It is doubtful whether this decision was intended, since relying parties could be deprived of any legal protection.
This paper is, therefore, convinced of the need to find a balance between both conflicting interests, since somebody who takes up trust, as a CA does, must prove reliability (also) through liability. On the other hand, however, businesses must be enabled to protect themselves against the risk of liability in an indeterminate amount to an indeterminate group.
Since the existing laws in both countries contain many uncertainties and obstacles (making a success of a relying party's claim unlikely), this paper suggests the introduction of a special tortious liability rule, which eliminates the two main obstacles for a successful claim:
the burden of proof imposed upon the relying party; and
the threat of liability in an indeterminate amount, to an indeterminate class, which is owed to the open character of the Internet.
To deal with the first obstacle it may be sufficient to reverse the burden of proof. The CA is in a (much) better position to prove that it has not acted negligently, since it is familiar with technology and its own organisational structure. In order to tackle the second obstacle, two equally important measures may be suggested. On the one hand, there might be introduced a new statutory tort, subjecting the CA to liability for non-qualified certificates similar to the EC Directive. The courts would no longer be troubled by the notion of liability in an indeterminate amount, to an indeterminate class while establishing a duty of care (England), or a protective effect of the certification contract towards relying parties (Germany), since liability is imposed by statute. This, however, would solve the legal, but not the factual problem of liability in an indeterminate amount, to an indeterminate class. Therefore, to enable businesses to manage effectively the enormous liability risk one may expressly permit by statute exemption and limitation clauses which intend to limit the liability to a certain amount per annum and/or per series of incidences, coupled with a minimum amount of liability, which would cover ordinary incidences and would prevent abuse of these exemption clauses.
A call for harmonisation (on a European level) might be premature, since one must first consider the other jurisdictions within Europe.
The author is aware of the fact that he can only offer a first glance at the whole topic, due to the scope of the paper and the unexplored nature of the issue.