This document is an excerpt from the EUR-Lex website

Document 51998AC0443

Opinion of the Economic and Social Committee on the 'Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on ensuring security and trust in electronic communication - towards a European framework for digital signatures and encryption'

OJ C 157, 25.5.1998, p. 1 (ES, DA, DE, EL, EN, FR, IT, NL, PT, FI, SV)


Opinion of the Economic and Social Committee on the 'Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions on ensuring security and trust in electronic communication - towards a European framework for digital signatures and encryption' (98/C 157/01)

On 10 October 1997 the Commission decided to consult the Economic and Social Committee, under Article 198 of the Treaty establishing the European Community, on the above-mentioned communication.

The Section for Industry, Commerce, Crafts and Services, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 4 March 1998. The rapporteur was Mr Burani.

At its 353rd plenary session (meeting of 25 March 1998), the Economic and Social Committee adopted the following opinion by 101 votes to one, with one abstention.

1. General comments

1.1. The communication from the Commission successfully profiles electronic communication, which is a highly technical and specialized area. It is also necessary for users, and - above all - for public authorities and legislative bodies to grasp the technical aspects of this field.

1.2. Electronic communication via open networks such as the Internet has increased on a scale unimaginable until ten years ago, and the continuing development of such communication will probably be a major characteristic of society at the end of this millennium and the start of the next. The outlook for the future promises exponential growth. However, the practical application of electronic communication in various spheres of activity, and in particular in that of electronic commerce (1), will depend on the removal of obstacles to its harmonious development.

1.3. The Commission has described these obstacles as insecurities typical of open networks: messages can be intercepted and manipulated, the validity of documents can be contested, personal data can be illicitly collected and communication used for illegal purposes. It is thus necessary to create a secure environment that will enable the establishment of an information society that will safeguard the public against misuse, and the development of electronic commerce on bases at least as assured as those which currently govern paper currency transactions in the business world.

1.4. The document under discussion deals with two tools that are fundamental to the provision of such assurance: digital signatures and encryption. The first guarantees the identity of the user and the origin of the message (authentication), while the second protects against illegal interference (integrity) and ensures the confidentiality of communications. The Commission wants to ascertain, with the support of all the parties involved, both the current situation and its potential development. The Committee welcomes this and asks the Commission to consult it on subsequent initiatives.

1.5. The European Parliament and the Council of Ministers have invited the Commission to take the necessary steps to provide measures to ensure the integrity and authentication of electronically transmitted documents. The Committee notes that other initiatives being prepared or already adopted by third countries and international organizations (OECD, UNCITRAL, etc.) should also be borne in mind.

1.6. The Committee also notes that the regulation of this area should be approached with a clear overall vision: on the one hand there is a need to proceed with flexibility so as not to hamper technological advances and their applications, while on the other hand the fundamental principles of the EU should be preserved: consumer protection, a level playing-field in terms of competition, free movement of services, and mutual recognition. Electronic communication constitutes a revolution on a scale at least equivalent to the industrial revolution of the last century. The legal and regulatory framework should draw on innovative ideas based on progress already accomplished and reasonable forecasts.

1.7. Existing legislation, which over the past two thousand years has evolved from Roman law, is based on paper documents. These will soon be replaced - to an extent which is yet to be gauged but will certainly be considerable - by electronic 'documents'. This is a radical change, which calls for a fresh approach not only to the question of the validity of contracts, but also to the validity of electronic documents exchanged between private individuals and with public administrations (tax, social security, public records, legal documents, etc.).

1.8. Public administrations in many countries have already adopted electronic communication as a means of exchanging information and documents both internally and with the public. As soon as a secure legal and regulatory framework is established, it must become possible to use electronic communication for acts of legal and administrative importance: this advance is perhaps even more revolutionary than the one which will be made in the field of private law.

1.9. It is thus necessary to establish a new legislative and regulatory framework based on the incorporeality of documentation. The individual Member States are largely responsible for private and administrative law, and a number of initiatives have been adopted or are being discussed. A brief, preliminary analysis reveals that guidelines and solutions often differ considerably. The Committee would alert the Commission and the Member States to the urgent need to achieve European-level harmonization of the basic concepts. The operational demands of the single market would soon reveal the serious disadvantages of having different legal and regulatory infrastructures in different countries; it would be extremely difficult to carry out harmonization a posteriori.

2. Introduction: The need for secure electronic communication (2)

2.1. The Committee has studied the technical aspects of electronic communication, digital signatures and encryption. It compliments the Commission on having rendered a complex and specialist issue accessible to audiences not necessarily versed in science. The Committee does not propose to discuss these aspects, and its comments are thus restricted to operative and functional features that may call for regulatory or legislative intervention by the EU institutions.

2.2. Given that it is impossible to guarantee absolute and total security in electronic communication, the Committee notes that the greatest danger in this area is that of fraud, in all its various guises. There is no doubt that open networks (such as the Internet) are vulnerable on this count, at least until wide-scale and effective security measures are adopted. The Commission points out that important documents are exchanged on closed networks, access to which is reserved to users who already know one another and are bound by mutual trust.

2.3. Closed networks, which are completely legitimate, have developed independently of open networks, and use their own communications systems or the Internet. In economic terms, these are probably more costly to use than open networks, but they are opted for because of the greater security they provide. Any expansion in their use will thus depend on the reliability of open networks - the more reliable these are, the less incentive there will be to create new closed networks. Out of regard for contractual freedom, the Committee does not feel that regulation is required in this sector. One potential problem, however, could be that of doubts concerning the validity of proof of operations involving third parties in cases where these operations are not recognized and approved by a certification authority (see point 5 below).

2.4. The overall objective of the communication is not, however, simply to deal with the question of security. It is broader and more ambitious than that, and is actually aimed at:

- establishing a European framework for digital signatures;

- ensuring the functioning of the single market for cryptographic products and services;

- addressing the international questions raised by the global nature of the Internet;

- integrating cryptography into the framework of other European policies;

- enabling users to benefit from the possibilities offered by what the Commission terms the 'global' information society.

2.5. The Committee agrees with this framework for action and also draws attention to a matter which may appear self-evident, but which is sometimes overlooked once work is under way. This is the need for any European initiative to take into account the 'global' nature of electronic communication. The desire to do more, and better, than the rest could result in a counter-productive disparity of criteria. The Commission appears to have been guided by this approach; for its part, the Committee holds that Europe should take the lead in initiatives whenever this is possible, while bearing in mind what others are doing or have already done. Good results have been achieved through present and continuing international cooperation (3), but the decision-making mechanisms used entail long timescales, while European regulation is required as soon as possible. This should thus be flexible enough to allow its adaptation to meet the requirements of international compatibility.

3. Authentication and integrity: digital signatures (4)

3.1. A digital signature guarantees that a message originates from an identified and authorized sender (authentication) and that its content has not been altered during transmission either by a third party or accidentally (integrity) (5). Digital signatures are based on a cryptographic system which uses a public key (known by all the users of a given system) and a private key (known only by the sender).

3.2. Secure digital signatures (and other alternative systems that are being tested) are an essential prerequisite for establishing the validity of contracts concluded using systems that preclude the exchange of paper documents; such signatures thus form the cornerstone of a new legal framework for business dealings concluded by means of electronic communication.

3.3. In closed systems, the validity of contracts concluded between parties is not an issue, since such systems will have evolved from a basis of mutual trust, which is founded on strict access conditions, transparency of security criteria and contractual freedom. Of the various techniques adopted it is worth noting that the field of financial services relating to electronic commerce has seen the creation of the SET (Secure Electronic Transaction) protocol (6). This can be accessed, by means of a digital certificate, by holders of electronic payment cards or electronic cash cards wanting to purchase goods or services from operators participating in the system. Moreover, it should be remembered that strictly speaking SET is not a 'closed system', but a 'payment-based open system'.

3.4. There is a need to guarantee legal recognition of the validity of contracts concluded on open networks, both as regards relations between the signatories and in respect of third parties. Some national legal systems have already recognized the validity of digital signatures, but only harmonized supranational legislation can ensure the expansion of electronic commerce at international level.

4. Confidential electronic communication: encryption (7)

4.1. Besides the authentication and integrity of messages (see points 1.4 and 3.1), and in common with written communication, electronic communication also calls for confidentiality. This is an important requirement on closed networks and becomes vital on open networks. Encryption guarantees that the message cannot be understood by any party other than the sender and the recipient.

4.2. Underpinning the cryptographic system is the principle that only the sender can encrypt the message and only the recipient can decrypt it. Many 'ready-to-use' cryptographic products (according to the Commission document there are 1 400 varieties of these) are already available on the market. In any exchange of messages that require encryption and decryption, both the sender and the recipient must obviously possess compatible software.

4.3. The proliferation of cryptographic systems makes software management by individuals more complicated if they have dealings with a number of different users. Besides this, cryptography in itself raises fundamental issues of the utmost importance. To begin with, the fundamental principles of the protection of privacy (and of copyright and business secrets) and protection of the business world from illegal interference demand that users have access to a cryptographic system which guarantees a high standard of secrecy or confidentiality for messages. Secondly, the public must be protected against use for illicit purposes, such as espionage, terrorism and criminal activities or other forms of illegal activity.

4.4. It thus follows that regulation of this area, harmonized throughout the Member States according to common principles, is essential. It should reconcile - as far as possible - seemingly opposing requirements. The Committee believes that everybody should have right of access to cryptographic systems, while acknowledging that this right must be qualified by society's need to protect itself against criminal or illegal activities of any type. The difficulty lies in setting such limits, which can vary not just from one country to another but also from one point in time to another, depending on political and social factors in a given country. It is clear that the problem can only be resolved by each individual Member State in accordance with principles of equity and proportionality. A further problem to be resolved is that of when people should be denied right of access and what action should be taken by the authorities, as part of a system that offers legal certainty and establishes guarantees to the public regarding the use of the information collected.

5. Certification Authorities (CAs) and Trusted Third Parties (TTPs) (8)

5.1. The issues described above would entail the setting-up of a system capable of guaranteeing maximum reliability of digital signatures and cryptographic systems, as well as key exchange, key certification, and the confidentiality of messages, while still fulfilling the need to safeguard society against crime.

5.2. The problem of establishing a legal framework governing recognition, in respect of third parties, of digitally signed (and sometimes encrypted) documents that are sent via open networks has yet to be resolved at Community level. The Commission favours the setting up, in each Member State, of one or more legally recognized certification authorities (CAs), which would act as 'notaries' with whom users could deposit public keys.

5.3. A legally recognized CA would thus fulfil public law functions and could not - or should not - perform secondary functions or provide services typical of a TTP, which would fulfil a private role. As the Commission states, these two types of body should remain distinct and separate. The Committee endorses this approach; it still remains to be decided whether the CAs should be established as public bodies or publicly authorized private bodies. Since what is important is that their role be recognized and regulated, the Committee feels that the decision could be left to the individual Member States.

5.4. The Committee also wonders whether it is necessary to establish a CA for each and every case, or at least to extend their responsibilities to cover all those systems which already exist. Some systems (e.g. SET) have hundreds of thousands of participants, and will soon have millions; the depositing and management of individual keys would become extremely complicated and costly. The simplest and cheapest answer would probably be to grant those TTPs that can offer guarantees of integrity and experience the legal status of a 'private' CA.

6. Final comments

6.1. The Committee gives broad approval to the Commission's programme, which is complex, but well designed. So as not to go over areas with which it is already in agreement, the Committee would like to make certain additional comments that might benefit the current discussion.

6.2. In the area of interoperability (9), the Commission encourages industry and international standards organizations to develop technical and infrastructure standards to ensure the secure use of networks. It is considering the possibility of adopting measures to support the work of European companies in this field. The Committee points out that the definition of standards would have repercussions on the competitiveness of European industry vis-à-vis those in third countries, and suggests that the Commission's actions should dovetail with the measures it has already provided for in its Communication on the competitiveness of the European information and communication technologies industries (10).

6.3. There is also a need to develop a strategy for promoting the use of electronic communication by SMEs. Besides the various measures already proposed by the Committee in its Opinion on Electronic Commerce (11), it would also be worthwhile providing SMEs with 'turnkey' solutions of the type piloted by TEDIS. Chambers of commerce and other trade organizations could play a decisive role in helping SMEs to penetrate the new technologies sector. At the same time, it must be pointed out that the drive to extend electronic communication should be accompanied by measures to sensitize SMEs to the risks and costs associated with using new technologies: as with any other innovation, decisions here must also be taken in a responsible way and with full knowledge of the positive and negative implications of the choices made.

6.4. One issue implicit to the communication, but not covered explicitly in it, is that of consumer protection and, more generally, the protection of all electronic communication players. This is a priority issue, and one that is somewhat intricate when viewed from the standpoint of international law. The relative security provided by electronic signatures is an incentive to distance selling. While the provisions of EU legislation and of other national laws incontestably apply to contracts between buyers and sellers in the same country, uncertainties can arise over contracts negotiated between residents of different Member States in cases where levels of protection differ. The situation becomes more complex when the buyer or seller is resident in a third country. The Committee believes that the rules on the validity of contracts concluded electronically should be provided with a European legal framework. It would also recommend resisting any temptation to apply the law of a third country; the numerous attempts being made to this end by authorities in third countries must be opposed.

6.5. The discrepancies between consumer protection levels in different parts of the world (and also between different EU countries) cannot be ironed out in the short term. Until they are, consumers and all other users must be informed that 'European protection' or 'national protection' may not be valid in contracts negotiated with suppliers in third countries or other EU countries. Similar observations could also be made regarding provisions on copyright, civil liberties, freedom of opinion and morality (pornography, etc.).

6.6. Tax laws, and VAT in particular, constitute a thorny issue. In principle, governments are likely to staunchly oppose any agreement or law that might result in a loss of revenue, or systems which facilitate tax evasion. The Committee wonders whether the plans for EU harmonization (12), under which VAT is levied on the basis of the buyer's country of residence, can be applied to electronic commerce, particularly as far as third countries are concerned.

6.7. The global nature of the Internet adds a new dimension to the problem of fraud and the campaign against organized crime. Codes of criminal law differ considerably in this field, and sometimes the area is simply not covered. Europe should act, in conjunction with the EU measures already in operation (13), to promote a resolute move towards international harmonization and cooperation of a type not limited to the most important countries involved. Within the EU, adequate training should also be provided to organizations - in particular Europol - whose task it is to combat crime.

6.8. In conclusion, an extremely intricate legislative and regulatory framework, covering a vast range of activities, is required if electronic communication is to be adopted in place of written communication. In addition to a programme of initiatives, the Commission has outlined a timetable for actions to be taken. The Committee obviously welcomes the good intentions this demonstrates, but wonders whether it will be possible to respect all the deadlines laid down, especially those which depend on international agreements.

6.9. Finally, as a first step, the scope of any EU or Member State legislative or regulatory action needs to be established. The Committee believes that, apart from the regulations needed to ensure legal certainty for contracts and to remove any national regulations which are an obstacle to interoperability, the accent should be on self-regulation (codes of conduct). This should be the case particularly as regards compatibility of new systems with their forerunners, ensuring that closed and open systems comply with the same regulations and security standards, and a level playing field for players in the various countries. Public authority intervention should be confined to monitoring operation of the systems and their compliance with the general principles of the single market.

6.10. The Committee puts forward the following suggestions as practical guidelines for future - and in some cases urgent - Commission initiatives:

- the definition of 'signature' in current laws, regulations and procedures should be extended to include the concept of electronic signatures;

- the use of an electronic signature must be a spontaneous, explicit and verifiable act, over which the signatory has complete visual and operative control. This requires a clear and uniform definition, but one that is sufficiently flexible to include signatures given using existing and future technologies;

- relatively soon, all citizens should be able to obtain a device (e.g. bank card, social security card) enabling them to sign electronically, with a personalized national registration number and of course a centralized database;

- as soon as possible, public authorities should be in a position to provide and accept electronic documentation; access could be provided through terminals installed in public institutions, at least initially;

- it is necessary to ensure mutual recognition of certification authorities at a global level;

- the confidentiality of correspondence is guaranteed in virtually all constitutions of democratic countries, and exceptions to this rule are established by law; electronic communication should be protected in the same way and in accordance with the same criteria.

Brussels, 25 March 1998.

The President of the Economic and Social Committee

Tom JENKINS

(1) OJ C 19, 21.1.1998, p. 72.

(2) See the Communication, Section I, pp. 1-2.

(3) See the Communication, Section IV, 1.2(iii), p. 16.

(4) See the Communication, Section II, pp. 2-3.

(5) For a more detailed description of the (somewhat complex) technical aspects, see the Communication itself, and Annexes 1 and 2 in particular.

(6) In SET, not only is the integrity of the message guaranteed and the signature authenticated, but the message is also encrypted (see point 5.2 below).

(7) See the Communication, Section III, pp. 9-11.

(8) See the Communication, Section II, 2, pp. 3-6.

(9) See the Communication, Section IV, 3, pp. 18-19.

(10) OJ C 73, 9.3.1998, p. 1.

(11) OJ C 19, 21.1.1998, p. 72.

(12) OJ C 296, 29.9.1997.

(13) OJ C 251, 15.8.1997.
