TIIME 2015 Session 34: Legal Crash Course
Convener: Patrick van Eecke
Tag: eIDAS, e-Signatures
Notes
I want to discuss a new kind of framework that has been set up for public services.
In Europe you can't do anything when it wasn't put into law, whereas in the US it's usually the other way around. The standard of the European commission is written in English, and lawyers are writing for lawyers, E.g. the EU directive on e-signatures - why was it changed in 1993? Reasons: legal ambiguities.
There was a kind of introduction between that directive and the legal effect of electronic signatures.
- Handwritten vs. electronic signatures,
- Scanned handwritings,
- Authorisation
You can use all of that but you have to convince a judge that it's as good as the handwritten version.
Qualified electronic signature: you have to follow certain requirements
- If the electronic signature meets those requirements, then every court in Europe has to give it the same recognition
- DigiNotar example (for generating electronic signatures, and it got hacked, all certificates had to be revoked)
- In a world of trust services we have electronic signatures, but also many others
Regulation: 910/2014 (eIDAS regulation)
- The European Commission first wanted not to focus on electronic signatures alone, but to also do time stamps, electronic messages
- Now we have to add another art in that piece of legislation: eIDs (plastic cards) - some governments resist to issue them, but Germany, Spain etc. have them already
- Use to identify yourself physically in the public, also to access public services online
- EU: great initiatives, but they don't work together. We as single market want to make sure that someone going to Spain for holiday, that that person has to get in touch with Spanish authorities, Belgium identity card cannot be used for Spanish services (yet) -- problem: EU wants an open market
- eID principle of mutual recognition of electronic identification
- EU member states are not obliged to accept ID cards from other member states. Austria: has decided that's good for us, any other member state should accept our ID cards. Problem: different levels of trust/security in eID between different countries.
- 2 opportunities for NGO's / 1 - they can also make use of the system voluntarily / 2 - governments issue eID themselves, public authority issue
- UK: not going to do that, not in culture/tradition. Governments can point to private companies who are issuing documents, those documents can be used for identification for government services as well
- timeline: 17.09.2014 Entry into force of the regulation / 18.09.2015 voluntary recognition of eIDs / 1.7.16 - date of application
eID out of scope
- Member states are not obliged to have an ID scheme or to notify their eID schemes
- Notified eIDs are not necessarily ID cards
- No "EU database" of any kind
- No "EU eID"
- No coverage "soft IDs (e.g. Facebook); only "official eID"
Discussion: is it possible to use it in Denmark/Sweden?
We have the regulation, although when you read the regulation it's quite detailed - these are just the basic principles, currently implemented (secondary legislation)
eID: 4 implementing acts already published (more detailed level of how to implement the rules of the regulation) - implementation acts (e.g. governments should use English language to cooperate)
Advice: Do not stick to the regulation, read also the implementations!
TRUST SERVICES
- Any electronic service normally provided for remuneration
- consisting in the creation, verification, validation, handling and preservation of electronic signatures, seals, time stamps, electronic delivery services, website authentication, certificates (incl. certificates for electronic signature and for electronic seals)
Why the electronic identity provider is not at the same time trust (service?) / Identification chapter of regulation, and trust service chapter are totally separated - why?
- Because there are two units in the European commission. They put together both chapters, and I preferred 2 different acts because they both don't have anything to do with each other.
I also regret that trusted third party is not covered: the trusted archival services: We now create electronic documents etc. and none of us knows how to keep them - we are in need of market operators that archive these documents, and that can be trusted - even after 10 or 20 years. Apparently the European commission decided that the market is not ready yet.
Q: Is it a closed list?
A: Trusted service providers: closed list, European commission can review every year if another/ a new one can be added to the list.
The certificate service provider needs to keep the certificate for 30 years.
Difference between directive and regulation:
- Directive: when it came to obligations for actors in the field limited to those who claimed they were qualified service providers
- Regulation: also introducing to (normal) service providers, lower level of requirements
Trust services: strong liability
- Trust service provider: you'll be held reliable if something is wrong, but the other party needs to prove that you did something wrong
- Liability increases when (...)
Security requirements
- Breach notification duty within 24 hours notification of the supervisor (in every country installed)
Qualified trust services - philosophy
- normal or qualified seal
- normal or qualified time stamp
Legal affects:
- eSeal/eSignature - companies can now use eSeals on documents - you can use eSeal and then have to decide if you're using normal or qualified
- time stamp
- link to standards: establish reference numbers of standards - European commission will look at them, publish them in official journal of EU
- eDocuments
- eDelivery
Implementing acts:
- Commission Implementing Regulation (EU) 2015/806, 22 May 2015
- Commission Implementing Decision (EU) 2015/1505
- Commission Implementing Decision (EU) 2015/1506
Q: Would it be better for people to take action before implementing?
A: stake holders: we can't wait, if we wait we won't have sufficient time to take all the necessary measures. Now organizations say: let's prepare now, then well have competing advantage when the implementing comes out.
Website authentication:
- only talks about qualified certificates: for website authentication shall meet the requirements laid down in Annex IV
- no legal effects
Using qualified website certificate doesn't bring any additional legal effects! Commission just wanted to add it, increasing the level of security, hoping the market would pick up.
On the 27th of November a new version came out - this one is probably the final version.