Saggi, Conferenze e Seminari 32. Reproduced with permission of Centro di studi e ricerche di diritto comparator e straniero, diretto da M.J. Bonell
Mads Bryde Andersen
Roma (April 1998)
|UNCITRAL, UNIDROIT, the International
Chamber of Commerce (ICC), and others should
develop additional model provisions and uniform
fundamental principles designated to eliminate
administrative and regulatory barriers and to facilitate
electronic commerce ..."
A framework for Global Electronic Commerce
a) The challenge
For several reasons, basic ingredients of private law have remained largely unaffected by new lifestyles and new technologies. Basic concepts like "declaration of will" and (to use the language of the Unidroit Principles, art. 1.9.4) "communication of intention", have a close relationship with human decision-making. Commercial codes are to a large degree founded in trade usages and commonly agreed patterns of thought. Concepts like "delivery", "passing of risk" and "non-fulfilment" are based upon practical concerns and contractual practice. There are numerous examples that generally applied contract clauses have become part of private law legislation of and -- on the other hand -- that such legislation makes reference to what is commonly practised or understood by parties to particular transactions. [page 1]
With this in mind, electronic commerce -- a concept which will be explained below at 2. -- clearly presents challenges to private law, as also indicated in the above passage from an important White House paper. When computers are used to create binding obligations - separated from the "intent" and "knowledge" of their holders (that is, the "liable party") - uncertainty may arise to what extend legal concepts like "declarations of will" and others are applicable, directly or by analogy. Difficult cases may occur if system errors cause that what is "said" by the system is not what is "meant" by its holder. Shall an "offer" or "acceptance" by the computer then be dealt with along the same lines as the offer and acceptance of an agent? Shall they be treated the as ordinary or sui generis declarations of will? Or should they be viewed as purely technical functions of a computer system, subject to a specific statutory or contractual framework?
There are not yet many commonly accepted answers to these questions. In their analysis it is also necessary to deal with the underlying technology. This in itself is difficult. Not only is the technology complex and rapidly changing, rule-making in the field of electronic commerce is only to some extent legal (by means of contracts and legislation), but to a large degree technical: When it comes to some of the critical issues, technical standards may even limit the possibilities of achieving sound legal results. And to add to this complexity, the border-less nature of that technology (by virtue of the Internet) means that rule-making in the field takes place at the same time in all countries and across various trades and businesses.
b) Object and scope
In this paper I will analyse some of these challenges as they face some basic concepts in private law, and in particular the Unidroit Principles of International Commercial Contracts. [page 2]
To set the frame, I will initially characterise digital technology in general and the notions of digital "messages" and "signatures" in particular (below at 2.). Upon that introduction, I will go into some of the basic concepts in the law of contract formation (below at 3.) in the light of these new technologies, also taking into account the way in which those concepts are being dealt with in the Unidroit Principles and in other international instruments (among them notably the 1996 UNCITRAL Model Law on Electronic Commerce).
At 4. I will comment on some of the problems of interpretation and incorporation in relation to digital messages -- a problem which has caused substantial discussions in the UNCITRAL working group on electronic commerce. After that, at 5., some remarks are made on the applicability of sales legislation -- and the Unidroit Principles -- on contracts regarding digital information follows. In 6., I will line up some issues that the paper has not dealt with. Finally, at 7., I will give my view on whether the digital challenge necessitates new legislation and perhaps also a rethinking of certain parts of the Unidroit Principles.
As indicated by this, the scope of this paper is first of all restricted to private law. With that limitation, the aim is not to analyse particular provisions of law in order to face the challenge presented by electronic commerce, but rather to point out some general concerns in certain type of rules -- mainly within the law of contracts and sales. The main purpose is thus analytical by nature: How do we manage -- conceptually and in the legal reasoning -- to carry the legal concepts aimed at the physical world into the digital world of electronic commerce? [page 3]
2. WHAT IS NEW IN ELECTRONIC COMMERCE?
a) Overview of the concept
The notion "Electronic Commerce" is a "buzzword", that is, a commonly used concept with no clear meaning but with a strong capability to associate itself with a subject area of current interest. In general terms, the concept deals with any kind of commerce (be it business-to-business, business-to-consumer, or business-to-administration) where computers or digital technology is used, irrespective of whether the technology is used as a medium for connecting the parties (see below at 3. on contract formation by computers), as the vehicle through which the transaction is completed (see below at 5. on contracts for digital information), or as the object of performance (as in contracts regarding Internet access etc., an area that I will not deal with here).
When it comes to private law, there seems to be three mainstreams of electronic commerce: [page 4]
The first one -- and the one most focused upon in the following -- deals with contract formation by computers, with or without the use of digital signatures and paper-less documents. Up until now, this area is the one that has attracted most legal attention, both at the national level (with a number of digital signature laws underway in numerous countries) and internationally (notably within the EU, the OECD and UNCITRAL).
The second mainstream of electronic commerce deals with performance made by computers. This area which is still in its infancy (if we leave out those rules that have made stock trading by computers possible), comprises some fundamental issues regarding rights and obligations in transactions conducted over open electronic networks. This area not only includes the ambitious U.S. vision to create "A Uniform Commercial Code for Cyberspace" (one which currently is discussed as a proposal to include a new Chapter 2B on "Licenses" in the UCC), but also rules and technical infrastructures for digital payments with or without the use of credit cards.
The third area deals with the legal infrastructure for electronic commerce in a broader sense. This area comprises the question of what role governments should play in the building of the information infrastructure, content control on the Internet (to support good marketing practices and protect minors from harmful content), taxation and interception. The whole area of copyright protection -- an area with substantial contractual aspects -- also falls under this headline. Some of these issues are shortly summarised at 6. but not dealt with in depth in this outline.
b) What is "digital" technology?
The word "digital" comes from Latin -- digitus, finger -- and refers to one of the oldest tools for counting! When information is [page 5] stored, transmitted or forwarded in digital format, it is converted into numbers -- at the most basic machine-level as "zeroes and ones". With the incredible speed by which modern computers may process these "zeroes and ones" (by modern processors up to 1 billion calculations per second!), it has become relatively easy to "digitise" information that earlier was provided by other means. That explains why books, music, motion pictures and certain types of services are now available on the Internet and also why the net is often viewed as an information superhighway where all information is and should be available for everyone at all times.
The conversion of analog information into bits implies -- to use a popular expression introduced by Professor Negroponte at MIT's MediaLab, in his book Being Digital (1995) -- that atoms are replaced by bits. When material items convert into something immaterial, difficult legal issues arise. Does the laws of sales apply when the "product" is merely a number copied from A's computer to B's? And if so, when is the product delivered, and should it be taken back in case of restitution, cf. article 7.3.6. of the Unidroit Principles? As already said, some of these issues are dealt with below at 6.
c) Digital messages as documents
Digital technology also provides a powerful tool for creating, sending, storing, receiving and processing messages purported to have legal consequences. Apart from the problems of contract formation, cf. 3., digital documents provide for severe problems in relation to legal rules that require an original document to be presented, as it is the case with certain instruments of debts, cheques, and bills of exchange [page 6] and lading: No matter how the digital message is processed and forwarded, it is basically only a number, not a unique piece of paper.
Modern computer technology provides for solutions to all these problems. Both when it comes to the practical concerns caused by the lack of originality of digital messages, to the security of the authenticity and originality of the message (i.e. that it was made by its originator and not unintentionally altered), and when it comes to security for non-repudiation (i.e. that the originator cannot deny that he signed the message), an important solution is available by using digital signatures and trusted third parties.
d) Digital signatures
In a broad sense, a signature is a sign of its originator's intent to be bound by something. In the history of paper-based commerce, signatures have been used as one of the most commonly used methods for making a document binding upon its originator. Signatures are used for documents. There is no point in "signing" oral representations. In a world of oral representations, "intent" in different cultures has been established by such different means as wax seals, animal sacrifices, tribal objects among others. When we speak of digital signatures, the main question is how to provide a similar expression and evidence of intent and thereby making such signatures trustworthy for commercial purposes. [page 7]
To analyse the legal requirements for digital signatures it is tempting just to focus on the various features of paper signatures. But such an approach may limit the possibilities of using digital technology to support more powerful legal consequences than we are used to in relation to paper signatures, so that state-of-the-art technology is not used to the maximum benefits for all parties. For example, digital signature technology can also be used to create legal obligations by automation (as it is the case in so-called open-edi systems), to tailor specific signatures for specific transactions (which may be needed for electronic shopping applications on the World Wide Web), and not the least to support business transactions between parties with no prior knowledge of each other. To this should be added that digital technology has the capacity to provide a much higher security against fraud and unauthorised use than paper documents do.
The common core of all these solutions is the use of encryption algorithms. If two parties -- as the only parties in the world -- know how to encrypt and decrypt a message, doing so gives them security who the message originates from and that the message has not been altered during transmission. One of the classical examples of this is the so-called Caesar substitution: Every letter in the plaintext is replaced by the letter found a fixed numbers of steps forwards in the alphabet (repeating the alphabet after the last letter). That idea was used by Athur C. Clarke in his book "2001 - A Space Odyssey", where the name of the main character, HAL (a computer!) can be interpreted as an encrypted version of IBM.
Encryption systems of that kind are today characterised as symmetric because the procedure from plaintext to crypto-text is the same as when you go from crypto-text to plaintext. The "key", being the number of steps required, also indicates the number of steps to go backwards in order to decrypt the information: You use the same [page 8] process by replacing H with I, A with B, and L with M, as you do when you decipher the text. By using so-called asymmetric systems, however, two different yet matching keys are used. If the message is encrypted by one of these keys it can only be decrypted by the other key, and it is practically impossible to calculate that other key on the basis of the used key. Every user may then generate his own key pair and publish one of these -- known as the public key -- to be used by his present or future communicating parties, while at the same time keeping the other key, known as the private key, secret. Thereby parties can communicate together in a secure manner without ever before having met. Previously, they had to share a (one) secret key (because otherwise they would face the risk of having the key compromised by sending it over an insecure line, like the Internet). Now, they only need to communicate their public keys, while the secret keys are kept secret and never communicated.
The process of encrypting plaintext by use of the secret key can be used as a way to sign the message digitally. The digital signature is a unique number produced on the basis of the signer's secret key and the plaintext and with the use of a secure encryption algorithm. When the addressee uses the public key of the signer (originator) to recover the plaintext, he can verify the identity of the signer and thereby the originality and authenticity of the message. Not only documents in [page 9] digital formats can be verified that way, but also payment orders and other manifestations of will.
e) Trusted third parties
Even though the strongest encryption technology were to be applied, encryption does not solve the problem that digital documents (that is, messages and signatures) are basically exact numbers and copies thereof. The answer to that problem, however, is simple and by nature classical: Instead of attaching the legal consequences to the media, a trusted third party is nominated as one who will keep track of rights and obligations.
The use of trusted third parties to overcome the "dematerialisation" of the paper-document, is well-known within the financial sector. Since the early 1980's, a number of Securities Centers have been established in numerous countries to replace paper-based stock and bond trade and provide for the real-time on-line trade that we have become so dependant upon in the financial markets of today. Trusted third party technology is also planned to be used in the so-called BOLERO project in which paper-based bills of lading are planned to be replaced by a central data base to which notice shall be made on the transfer of these documents, and indeed also in the Preliminary Draft Unidroit Convention on International Interests in Mobile Equipment. [page 10]
It should be borne in mind, however, that trusted third party solutions only work in open environments, if their powers to establish rights and obligations are authorised legally. Therefore, legislators face a task of providing the necessary legal framework for such paper-less infrastructures.
As indicated by the above remarks, there are numerous technical solutions to the problems presented by digital technology. As it has been said: The answer to the machine is in the machine. The interesting question is to what extend the implementation of these solution can be made on the basis of existing laws and concepts, or whether changes may be needed in order to provide for the necessary security, predictability and trust. So far, the only conclusion on that question has been made in relation to paper-less documents. Whether similar legal initiatives may be deemed necessary in other regards, is the focus of the subsequent remarks.
3. CONTRACT FORMATION
a) The problem defined
As said at the beginning of this paper, some of the most basic concepts of private law are challenged when contracts are entered into by computers. This challenge meets at least two types of rules and underlying concepts: On one hand you have rules with concepts that point to a subjective state of mind of the party under obligation (like "knowledge" and "intent"). On the other hand you have concepts that point to an objective situation, for example one whereby a message undergoes some kind of transformation (is sent, received, encrypted or [page 11] decrypted etc.). This applies to concepts like "receipt", "dispatch" and others, see below at d.
The first problem, and indeed the most fundamental and the most difficult one to cope with, does not only touch upon the requirements of subjective intent according to existing rules of contract law -- cf. below at b. -- but also on the rules in the making regarding digital signatures, below at c.
b) Subjective concepts
In relation to the first group of so-called subjective concepts of contract law, the challenge posed by electronic commerce depends on what legal functions those concepts have within each legal rule. Most jurisdictions require some kind of subjective intent in order for contractual obligations to occur. Therefore, the applicability of this concept is of a fundamental importance in relation to digital messages. Furthermore, in some jurisdictions, the knowledge of a party bears certain legal consequences, e.g. in relation to the withdrawal of offers. That, for example, is the case in the Nordic contract laws.
According to the Nordic Contract Laws, an offer may be revoked until the time that the offeree has obtained knowledge of it (different, art. 2.4. of the Unidroit Principles according to which revocation can take place until the offeree has dispatched an acceptance, and likewise CISG art. 16). If A's computer has forwarded an EDI offer to B's computer, and A subsequently wants to withdraw that offer, A has that possibility until B has gained actual knowledge of the offer. In the case of a fully automated EDI system, B might not even get knowledge of the offer until B has completed the order, at what time B may suffer a substantial loss for his costs induced by the transaction. There has been substantial discussion in Danish contract law about how to find an equivalent to this knowledge criteria and so far no firm conclusion has [page 12] been found. If the point is not dealt with by the parties in an EDI trading partner agreement, it is my view that B (or a person who duly represents B) only obtains knowledge of the message, when B gets actual knowledge of it. Until that point, the message may be withdrawn with the effect that no contract has been concluded. However, can it be established that A has in any way been negligent in maintaining his computer system and if that negligence has caused the error, A may be liable in tort (but not in contract) for losses suffered by B.
The Unidroit Principles use different terms to express subjective intent of the obliging party. Article 1.9.4. refers to "communication of intention" in its definition of what a "notice" is. In relation to acceptance, the word "assent" is used (cf. article 2.6.1.). When it comes to the manner of formation where contracts are concluded in other ways than by the acceptance of an offer, the Principles speak of "conduct of the parties that is sufficient to show agreement" (cf. article 2.1.).
The challenge for these concepts posed by electronic commerce is that computer systems can be programmed to dispose in ways that very much resemble the ways humans dispose but with no immediate human intent. By programming computer systems to dispatch and receive binding digital messages without (immediate) human interference, it is possible to establish contractual obligations with no immediate assent or agreement. Substantial advantages in terms of efficiency may be obtained by such fully automated systems for electronic data interchange (EDI) not the least because the automation in itself enables transactions to be made precisely at the size and exactly at the time needed for the particular transaction (so-called just in time production). But if there is a computer error, where is the subjective state of mind? Since the computer has no mind of its own, the only "intent" one can find is, strictly speaking, the mind of the computer [page 13] programmer and in many cases he or she would not have reasonable possibilities to avoid the error.
In my opinion, the answer to that question should not be deduced from conceptual reflections on where the actual or latent will is, but rather on a pragmatic approach: When parties conclude agreements by use of computers, they have preliminarily -- that is before the actual contract is made -- made certain agreements on how to contract. The contents of these agreements should be in focus. This approach -- which indeed applies to Danish law -- is in full accordance with article 2.1. of the Unidroit Principles, according to which a contract may be concluded "... by conduct of the parties that is sufficient to show agreement".
The critical, and in some instances doubtful, point is of course what, under this rule, is "sufficient" to show agreement. If this is not cleared out in an EDI Trading Partner Agreement, the answer to that question must be dealt with as one of interpretation, where -- as also set forth in article 4.3. of the Unidroit Principles -- regard shall be had to all the circumstances, including preliminary negotiations between the parties, practices which the parties have established between themselves, the conduct of the parties subsequent to the conclusion of the contract, the nature and purpose of the contract, commonly meanings and usages.
This also implies that the rules on validity of contracts -- cf. Chapter 3 of the Unidroit Principles -- should apply to messages that due to errors in transmission are received with another content than [page 14] intended by the sender. This implies that under the Unidroit Principles, article 3.6., such errors are considered to be mistakes, that may be relevant under article 3.5. of the Principles (if the mistake was of such importance that a reasonable person in the same situation as the party in error would only have concluded the contract on materially different terms or would not have concluded it at all if the true state of affairs had been known).
c) Attribution of digital signatures
Just as digital signature technology provides a powerful tool for creating legal rights and obligations, that technology may also be used unintentionally to create unforeseen rights and obligations. This may be the case in the event of erroneous identification of a person or erroneous attribution of a public key to a person (which indeed give rise to difficult issues of liability in relation to the person or authority certificating the identity of the key holder). But more generally, the value of a digital signature depends on the possibility of the holder of the private key to escape from the legal obligations imposed by fraudulent use of his key.
This issue is among the more controversial ones in the discussions on digital signature legislation. Is a signature which is made by use of the holder's private key, eo ipso a binding signature? In that [page 15] case, the law (or contract) may establish an irrebuttable presumption that the holder of the said key would be deemed to be the signer of a data message to which that digital signature was affixed. Alternatively, digital signature laws might create a rebuttable presumption, as it has been suggested in the latest working group report from the UNCITRAL Working Group on Electronic Commerce (A/CN.9/446 of 11 February 1998):
(1) As between the holder of a private key and any person relying on a digital signature, the holder is not bound by the message if he did not sign it.
(2) If the key holder has not exercised reasonable care to prevent the relying party from relying on the unauthorised use of the digital signature, he is liable to compensate the relying party for harm caused to him. The relying party is only entitled to such compensation if he had sought information from the certification authority or otherwise exercised reasonable care to establish that the digital signature was not that of the holder.
The discussions on these issues still go on. It may well be that in the end distinctions are made between different kinds of digital signatures and signature purposes, for example so that various legal consequences apply in relation to various levels of security performed by various algorithms and taking into account the corresponding variations in the costs of digital signatures. It may also be necessary to take into account the different circumstances under which digital signatures are used. The same standard should not necessarily be used for purely commercial transactions between long-term trading partners and for the submission of tax declarations to public administrations.
In the second group of "objective" concepts we find the notion of receipt (and dispatch) in relation to digital messages -- a question which is also significant under the Unidroit Principles. Under the Principles, receipt (or in the wordings of the Principles, the fact the [page 16] message "reaches" the addressee) bears legal consequences in relation to the effective nature of an offer (article 2.3.1.), rejection of offers (article 2.5.), the calculation of the period where the message can be accepted (article 2.8.), and in relation to the withdrawal of offers (article 2.9). Due to the important effects of this concept, article 1.9. states that the message "reaches" a person "when given to that person orally or delivered at that person's place or business or mailing address".
The Principles do not, however, take into account the different channels by which a digital message may reach the recipient. Contrary to paper messages, digital messages are not forwarded as physical items to publicly known letter-boxes. The forwarding of the digital message consists of a number of copies performed by the sender, the recipient and the computer systems in use. When a message is dispatched by A's PC, it is first made at the RAM-memory of the PC itself, then at the server to which the PC is connected, then further on to the routers and servers that the Internet is made of, until -- hopefully -- it (or actually the small data packages that the message consists of according to the Internet protocols) is received by B's system, where similar procedures are effected the reverse way.
This particular way of communication gives rise to at least the following problems:
i. What address? Electronic addresses are of a much more flexible nature than addresses in the real world: An individual may have a number of different e-mail addresses that he or she uses for different purposes. Within a commercial or public organisation, the number of electronic addresses is much higher than the number of employees. What address should then be the one that causes the legal effect of a "notice" etc.? [page 17]
According to article 15, subparagraph 4, of the UNCITRAL Model Law on Electronic Commerce, a data message is deemed to be received at the place where the addressee has its place of business, unless otherwise agreed between the originator and the addressee. It is furthermore stated that if the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction or, where there is no underlying transaction, the principal place of business. If the originator or the addressee does not have a place of business, reference is to be made to its habitual resistance.
The provision should be read in light of article 15, subparagraph 2, according to which the addressee can designate an information system for the purpose of receiving data messages. If he has done so, receipt occurs at the time when the data message "enters the designated information system" or -- if the data message is sent to an information system of the addressee which is not the designated information system -- "at the time when the data message is retrieved by the addressee".
The Unidroit Principles do not contain a similar provision. It is therefore a question of interpretation, what is a person's mailing address in regard to electronic mail. This question is most difficult in regard to parties with no prior contact. In the absence of an agreement between the parties, the main rule must be that only such electronic addresses that the addressee has made specific notification of (for example on letterheads or business cards or by appearing in commercial directories) can be viewed as "mailing addresses" in the sense of article 1.9.3. of the Unidroit Principles. This conclusion is in accordance with article 6.1.8. of the Principles on payment by funds transfer, according to which payment may be made by transfer to any financial [page 18] institution in which the obligee "has made it known" that it has an account.
ii. What format? When the message is transmitted from A to B, it is made subject to a number of subsequent transformations. The Internet protocols subdivide each message into packages which are then forwarded separately from A to B. Furthermore, the message may itself be subject to encryption to maintain confidentiality towards third parties (by encrypting the whole message into crypto-text) or to make it possible for the receiving party to validate the origin and the integrity of the message (by using digital signature technology). The question then is, what format a message must appear in to have "reached" the addressee.
The answer to that question must take into account the basic interests underlying any rule of notice: The recipient must be in a position to read the notice and act on it, since it may impose legal obligations upon him. As a main rule, the message must be forwarded in a readable format, if it shall be considered "reached" by the addressee. If the addressee must decrypt the message or otherwise subject it to a time-consuming technical procedure in order to read it, the time of receipt may be postponed with the time necessary to complete such a procedure.
iii. What system? At the point where A's digital message reaches B, it is not at all clear what "receipt" shall mean from a technical point of view. In regard to electronic mail, the receipt of electronic mail comprises at least the following steps: First a copy of the message is forwarded to a mail server to which the recipient has access. Secondly, a command is given by the recipient to access the message on this server. This step often implies that the message is copied to the recipient's own system, e.g. to his PC, but not necessarily. And third, the [page 19] recipient transforms the received bits to readable text, e.g. by displaying it on the screen or by making an outprint.
According to one viewpoint, the mere receipt of a message on the mail server constitutes "receipt", regardless of whether the recipient has accessed the server, and regardless of whether such access is subsequently precluded, e.g. because of technical breakdowns or unexpected behaviour by the service provider. This viewpoint sees receipt at a mail server in the same way as receipt of the notice of a registered letter from the post office where -- at least according to Danish law -- the main rule is that the notice itself does not imply receipt of the letter. Another viewpoint maintains the analogy between registered letters end electronic mail and argue that receipt does not take place until the message is available at the recipient's own system.
In my opinion, a combined approach should be applied. According to this, receipt occurs when the message becomes accessible for the recipient, regardless of whether the recipient has actually made endeavours to access the message and whether it subsequently becomes inaccessible due to computer breakdowns etc. In the case of such a breakdown, the message must be regarded as "received", even though the addressee did not read it before it was deleted.
4. INTERPRETATION OF DIGITAL MESSAGES
a) General remarks
There is a widespread consensus that digital messages shall not be discriminated upon on the mere basis that they are digital messages. That principle is indeed the cornerstone of the UNCITRAL Model Law on Electronic Commerce -- expressly stated in article 5 of that model law -- but the principle also applies in numerous other legal [page 20] texts, among them article 11 of CISG and article 2.1. of the Unidroit Principles.
Although, as a main rule, the interpretation of digital messages follow the same principles as the interpretation as other messages, some of the special characteristics of digital technology may imply a somewhat different approach. Due to the lack of "intent" behind each message, the technical circumstances for the message hardly play any role. On the other hand, the actions taken by the parties -- as individuals -- upon the "conclusion" of the contract (i.e. their behaviour in relation to shipment of goods and payment of prices) should generally be given more careful consideration.
b) Incorporation by reference
When contractual clauses are incorporated by reference and not fully expressed in a written document, doubt may arise as to the legal conditions under which such information may legally be regarded as part of that document. These legal issues are known in the context of paper-based communications, e.g. by use of INCOTERMS-clauses and other legal text that are widely known and accepted world-wide, and therefore presumed to be known by all parties involved. The issue of incorporation by reference presents two problems in relation to electronic commerce. First, as already mentioned, there are no general practice for what should be incorporated into digital messages, how and to what effect. Secondly, the technical possibilities of incorporating provisions into EDI messages are more limited in relation to paper messages, according to prevailing standards presently with a maximum of 64 characters.
The need to incorporate larger messages into shorter EDI-messages is perhaps most predominant in relation to such messages that certify the identity of the holder of a public key, cf. above on the [page 21] application of digital signatures. Certification functions for digital signatures may very well give rise to severe claims for damages since such signatures can be used for high volume transactions. There is therefore a need for a certification authority (often referred to as the CA) to spell out what liabilities the CA accepts, and under what conditions. Such rules are frequently published in so-called "Certification Practice Statements" of many pages, and from the CA's point of view there is a need to give them contractually binding effect towards third parties.
At the 32nd session of the UNCITRAL working group on electronic commerce, a new provision was proposed for the UNCITRAL model law on electronic commerce. The rule, which merely expresses the general principle of non-discrimination enshrined in article 5 of the Model Law, states that "Information shall not be denied legal effect solely on the grounds that it is incorporated by reference in a data message." It is clear that this provision does not provide a solution to the general question of how messages can be incorporated with legal effect. That issue, however, proved to be too complicated to harmonise, and harmonisation solely in regard to "electronic commerce" might not be adequate.
5. DIGITAL INFORMATION AS PERFORMANCE
One of the basic questions in computer contract law has long been whether the laws of sales -- in the U.S., the UCC.; at the international level, the CISG; and within the Nordic contest the uniform Nordic sales laws -- should apply in regard to computer software. Most commentators seem to agree that the media-part of a computer system (diskettes, chips etc.) falls within the sales act, and it seems also to be the predominant view that the sales laws generally apply to [page 22] standardised software packages, whereas general principles of contract law apply to bespoke (tailor-made) software.
The discussions on the applicability of the sales laws have not focused on the communicative aspects of computer software in particular and digital information in general. The fact that information cannot be "worn out" gives the concept of defects a unique character. Furthermore, the philosophy behind the remedies for defects etc. may be difficult to apply, bearing in mind that at least the software aspects of a computer system are seldom -- if ever -- free of defects. The inadequacy of the law of sales appears perhaps most significantly when applied to the "purchase" of data from a database. Such data can be duplicated basically with no costs, and the "transfer" in itself can be based on various media; via diskette, through lines of telecommunication or in other technical fashions. This leads to new problems concerning delivery, the redelivery and, indeed, the financing of such goods and services.
Less consensus appears in respect to the information aspects of the system, e.g. those that resembles the program with e.g. a book. The concept of moveable points to something that are either "here" or "there". Furthermore, physical phenomena can be worn out etc. Quite contrary, information and ideas can be copied endlessly with no loss of quality. This gives the concept of defects a unique character. [page 23]
Under the Unidroit Principles, this question only seems to have relevance in relation to article 22.214.171.124. on restitution in the case of termination of contracts. Since, however, the article takes into account the situation where restitution "is not possible or appropriate" -- in which case it provides that "allowances should be made in money whenever reasonable" -- the Principles do not present any obstacles in that regard.
6. OTHER ISSUES
a) Problems of evidence
Apart from being the manifestation of intent of the signing parties, signatures can serve other legal functions. First, they are used as evidence that there was intent by the signing party. With a written signature you can prove that the document was seen and accepted by the signer. Expert evidence is seldom needed in such cases. Second, the signature may fulfil certain formal requirements provided by case law, statute or contract. Although different, these two functions may serve identical purposes. Formal requirements usually aim at ensuring that the signer intended to do what he manifested by his signature. For most practical reasons, however, the fact the parties live up to the terms of a contract is in itself good evidence that it was also conclude by them. When no third party considerations have to be taken into account, the signature merely works as a well-known symbol that the parties have (finally) agreed to conclude a contract. [page 24]
In relation to the laws of evidence, there is an important distinction between written signatures (by which the originator is physically in touch with the medium of the signed document) and symbolic signatures (by which the originator only provides a set of symbols in order to ascertain his content to the document but without necessarily manipulating the document by hand). Both kinds of signatures can be copied, but with different consequences. When a written signature is copied, the copy loses some characteristics. On the other hand, the evidential value of paper-signatures is limited. The signature does not establish persuasive evidence that the message was not changed after the signature was made. The paper signature is basically a way to establish that the signer had the document before him and intended to accept it. But since his intent to do so may be proven in various ways, the signature is not necessarily the ultimate means to do so.
On the other hand, there is a fundamental incompatibility between the extremely high degrees of mathematical probability on one side, and the flexible -- and all but exact -- rules of evidence on the other. Most lawyers will prefer to have a "back-door" out of even the most clear-cut doctrines of evidence. This feeling, together with the difficulty for most lawyers to grasp the complex technical encryption principles, leads to an understandable tendency for lawyers to maintain the possibility to decide problems of evidence based on considerations of a much looser nature than the sharp mathematical framework of this powerful technology.
b ) Security issues
Contract laws often sometimes make certain presumptions as to the security of the means of communication by which obliging messages are dispatched and received. In its definition of Time of acceptance, article 2.7. of the Unidroit Principles makes reference -- among [page 25] other things -- to "the rapidity of the means of communication employed by the offeror". Article 2.8. provides a specific rule for acceptance times by means of "instantaneous communication".
In regard to such rules, the question can be raised whether Internet communication is a "rapid" way to communicate and whether it provides for "instantaneous communication". Such questions, however, can hardly be answered generally. The Internet itself is not a network but a network of networks the speed and security of which entirely depends on who operates the part of the net involved in the communication. When a particular message is sent from A to B, it may often reach B within seconds, but if the net is overloaded at the time of communication, it may take hours or perhaps days.
As it often the case for questions of that kind, an answer to the question of rapidity or simultaneousness cannot be given generally but must take into account the technical features of the communication in question as well as the involved transaction.
c) Content control
Like any other information vehicle, the Internet is occasionally being used to transmit illegal or harmful information. The efficiency by which such transmission can take place and the fact that it may ultimately reach end users of a minor age have raised the question of "censorship" towards Internet communication. In the United States this has led to the adoption of a Communication Decency Act which has recently been partly overturned by the Supreme Court of the United States. Europe has so far taken a more reluctant attitude. A European commission working party on illegal and harmful content on the Internet has suggested that the issue should be dealt with by self-regulation bodies ("soft law"). The working party is presently [page 26] considering whether this approach has been sufficiently efficient. Work is also being done at the OECD level.
d) Encryption and interception
Another important issue is the question of interception. The need for businesses and individuals to secure communication by encryption and the need for governments to be able to intercept communication has created a confrontation between two valid interests. The balancing of these fundamental interests has already given rise to political discussions in various forums as well as to some legislative initiatives. In its April 1997 Guidelines on Encryption Policy, the OECD has taken a reluctant attitude towards encryption legislation. So far no requirements are being put on member states to restrict the use of products that can be used for encryption in any way. But the international political discussion continues. The question has subsequently been dealt with at numerous ministerial conferences and diplomatic meetings.
7. HOW DO WE MEET THE CHALLENGE?
a) The role of academics
As a law professor facing the question presented in the title of this paper, it is reasonable first to ask what role academics should play towards the challenges that faces private law by the digital technology. From the foregoing comments, it should be clear that this technology in itself necessitates new forms of analysis in the borderland between law and technology. Academics who engage in the legal aspects of contract formation by computers etc. cannot do so without some understanding of the underlying technology and with a clear understanding of the basic concepts behind private law in general and [page 27] contract law in particular. Since, furthermore, such dual knowledge is not always available at legislators and administration, a close co-operation between academia and administrations is needed and, to a large extent, practised.
b) A role of legislators
The question whether legislators take up the challenge of electronic commerce and legislate for it should in my opinion be answered on a need to have basis. At least in the Nordic countries, contract laws are among those most seldom revised, and for good reasons. As indicated at the beginning of this paper, they are based upon general and fundamental principles and intended to apply to various different transactions.
As indicated above, there are, however, some areas where legislation is needed. If a common framework shall grow up for the use of digital signatures in open networks, some general rules on the legal consequences attached to such signatures should be made, not only at the national level but also internationally. Work to that effect is taking place within UNCITRAL, the EU and in various other international bodies. Furthermore, if paper-less documents shall be put to use to replace negotiable instruments, a special framework therefore is needed. Such a framework is already in place in relation to stocks and bonds traded on stock exchanges in various countries, and the laws underlying these systems provide a useful guidance for how similar systems could be made in other areas.
c) A need to revise the Unidroit Principles?
The answer to this, last, question could in my opinion be made brief and clear: No. Firmly established in the common core of private law, the Unidroit Principles do not open up for more uncertainty in [page 28] relation to electronic commerce, than the general principles of private law do. As indicated in this article, a number of articles from the principles -- which were clearly not drafted with Internet communication in mind! -- do leave open some uncertainties in relation to communication in electronic commerce. But these uncertainties can clearly be overcome by using well-known means of interpretation. [page 29]
1. See art. 1.8. of the Unidroit Principles according to which the parties are bound by any usage to which they have agreed and by a usage that is widely known to and regularly observed in international trade by parties in the particular trade concerned - except where the application of such a usage would be unreasonable.
2. In the U.S. Presidential Report, A Framework for Global Electronic Commerce, quoted at the chapeau of this paper, a number of issues in Electronic Commerce are highlighted: Financial issues (customs and taxation, electronic payments), Legal issues ("Uniform Commercial Code" for electronic commerce, intellectual property protection, privacy, security) and Market Access Issues (telecommunications infrastructure and information technology, content, technical standards). The document suggests a number of principles for global electronic commerce: 1. The private sector should lead, 2. Governments should avoid undue restrictions on electronic commerce, 3. Government involvement should mainly support and enforce a predictable, minimalist, consistent and simple legal environment for commerce, 4. Governments should recognise the unique qualities of the Internet, and 5. Electronic Commerce over the Internet should be facilitated on a global basis. The 1996 UNCITRAL Model Law on Electronic Commerce consists of one general part dealing with application of legal requirements to data messages and communication of data messages, and a specific part dealing with carriage of goods. It is still subject to discussions within UNCITRAL whether other parts will follow as the work continues. Indeed, even the 1994 UNCITRAL Model Law on International Credit Transfers could be viewed as dealing with electronic commerce.
3. If one insisted that there is always an original version of such a number, its "original" version would have to be the medium on which it was first manifested. This, hardly usable, criterion would most often point to the RAM unit of the computer system of the originator, i.e. a media of a substantially different nature than the paper media we are used to handle. And that media would even have a rather short life-span: When the originator generates the message (for example by encrypting it or extracting a hash value from it), and when he subsequently downloads it to a hard medium (for example a disk), he is - technically speaking - only creating copies of the message, a hundred per cent identical to the "original" document (number).
4. As an illustration of how asymmetric crypto systems works, one may conceptually visualise the secret key as a means to translate the message from English into an artificial language only known by the key holder. The secret key is the dictionary by which the message is translated from English into the artificial language, while the public key is the adverse dictionary that translates the message back into English. Being the only holder of the dictionary of the artificial language (the secret key), the recipient of the encrypted information, who generates plain English text by using the "public" dictionary, is certain that the text was generated by the sender. Thereby, non-repudiation is provided. In principle, it may be possible to reverse engineer from one key (the public key) to the other (the secret key), namely by going through all the words of the "public" dictionary, one by one, but this method will be too time-consuming if sufficiently large keys are used.
5. Public key encryption systems are very slow because they demand substantial computer resources. This impediment can be overcome by generating a fingerprint, a so-called hash value. Hash values are used as input for the generation of the signature, rather than the message itself. A hash value is calculated by use of an agreed, publicly known mathematical algorithm. By use of that function, a bit-string with a certain, fixed length, typically somewhere between 64 and 160 bits (as short as possible to avoid overhead), is created so that it is practically impossible to find two different messages with the same hash value. Furthermore, given a hash value, it is practically impossible to recover any message with that hash value.
6. There are a number of standard EDI trading partner agreements available. One of the most thorough documents is the American Bar Association Model EDI Trading Partner Agreement with Commentary. Another example is the EDI Association standard electronic data interchange agreement (2nd edition august 1990) published by the British EDI-Association. These contracts are all published in Reams, Kutten & Strehler, Electronic Contracting Law (1995-96 edition), appendix A.
7. The UNCITRAL Model Law on Electronic Commerce provides for a different and somewhat harder attitude, see article 13. If the message originates from an information system programmed by the originator to operate automatically, an addressee is entitled to regard it as being that of the originator and to act on that assumption if he properly applied a procedure previously agreed to by the originator (for example by reading his e-mail or decrypting the message under an agreed encryption algorithm) or the message resulted from certain actions that enabled such access. However, the addressee is not entitled to regard the message as that of the originator, if he knew or should had known that the transmission resulted in any error in the data message as received. As indicated below, this problem of "attribution" is presently subject to much debate in relation to the various proposals for digital signature laws.
8. In the Nordic countries, the main impact of the sales act in consumer sales concerns the statutory warranties. Outside such purchases, e.g. in a commercial setting, the main difference is the one year statute of limitation which applies unless an unequivocal exclusion hereof exists. In Anglo-American computer law, the discussion regarding the applicability of the laws of sales appears mainly to be a question whether computer software in general - and standard software in particular - should be considered as goods or services.
9. See for a further discussion my (Danish) books, Edb og ansvar (1988) at p. 331 and subseq., and Lærebog i edb-ret (1991) at p. 455 and subbiq. That particular standpoint, however, is presently subject to much debate. See e.g. Jacob Nørager-Nielsen at the Nordic Legal Meeting in Reykjavík, August 1990 (Proceedings vol. 1, at p. 285), and Ellen-Kathrine Thrap-Meyer, Forbrukerkjøp og edb ("Consumer purchases and computers"), published as Complex 5/1989 from the Norwegian Research Center for Computers and the Law.