THE FEDERAL ROLE IN ELECTRONIC AUTHENTICATION
WEDNESDAY, JULY 9, 1997
House of Representatives,
Subcommittee on Domestic and
International Monetary Policy,
Committee on Banking and Financial Services,
The subcommittee met, pursuant to call, at 10:05 a.m., in room 2128, Rayburn House Office Building, Hon. Michael N. Castle, [chairman of the subcommittee], presiding.
Present: Chairman Castle; Representatives Bereuter, Lucas, Kennedy, Flake, and Jackson.
Chairman CASTLE. If we can come to order. We appreciate everybody being here. Members will come and go as they want, I have no control over that, but you may rest assured that staff will duly note everything you say, and it will be processed and gotten out to everybody.
I will make an opening statement. If Mr. Flake arrives, he is certainly welcome to make an opening statement, after which we will turn and go through the entire panel. Each of you will testify, hopefully keeping your comments within some degree of reason, although we won't hold you strictly to the 5-minute rule, and then there will be questions from the Members who are here.
''Soon'' is a word that always seems to be associated with electronic commerce. We keep hearing that soon the best way to shop for clothing, gadgets, even groceries, will be by using a computer. The best bargains in loans, electronic bill paying, mortgages and insurance will soon be available on-line. Soon, when this electronic marketplace is available to virtually everyone, it will be a worldwide market where Italian cookies or Swiss hiking boots are as cheap and easy to buy in the United States as they are in Europe.
Not everyone is delighted by this prospect, but it appears it is about to arrive soon. In this new world, the most important thing will be assurance that you are dealing with L.L. Bean or Chase Manhattan or Met Life and not some crook with a computer out to scam your card numbers or, in a scenario out of the recent movie ''The Net,'' steal your identity and ruin your life. From a merchant's point of view, it is equally important to be certain that the woman ordering five pairs of designer jeans is who she professes to be, and not a computer hacker with a fistful of stolen passwords.
That is why the subject of our hearing today is so important. None of these great, and perhaps not so great, technological breakthroughs can work unless we can easily and reliably prove and protect our identities in the electronic world of the near future. Today we can enter this world from a computer, but soon it will be available via our TV set and the click of a remote control button.
Electronic authentication can be as high-tech and hard to comprehend as an encrypted message that might take 1,000 high-powered computers 1,000 years to decipher, or it might be as apparently simple as signing your name on a special electronic tablet that translates your finger pressures and movements into such an encrypted message. It might employ other personal physical data, such as a TV snapshot of the iris of your eye, a palm print or voice print as its basis. Whatever form the signature, or authentication takes, it must be easy to use, reliable, safe, secure, and widely accepted.
A number of individual States and foreign countries today have laws on the books recognizing one or more forms of electronic authentication. Unfortunately, there is a lot of disagreement among these laws about what can be recognized and how it will be regulated. We are here today to begin an inquiry into this area that we are told is absolutely essential to banking and commerce of the future. The first questions to answer are: Does Congress have a role to play with all these other jurisdictions already in the field; and, if so, what form should such legislation take?
We have a highly expert panel of witnesses to assist us in framing these questions and answers, and while we may not finally decide any of these questions today, we should leave here with a better understanding of the issues and our responsibilities. We will lead off with Mr. Paul Dorey, whose title is Global Head of Operational Risk Management for Barclays Bank in London, United Kingdom. He is appearing here on behalf of the Electronic Commerce Forum, a private sector group drawing its membership from a variety of companies interested in this field.
He will be followed by Daniel J. Greenwood, Esquire, Deputy General Counsel for the Information Technology Division of the Commonwealth of Massachusetts, who gets credit for having the longest title of anybody at the table today. He has an excellent perspective of the State legislative point of view, since he has been involved in producing an up-to-date digital signature law for Massachusetts and has surveyed the other State laws on the books and on the way.
Next, Andrew Konstantaras, Vice President and Counsel of Visa International, will share with us his perspective of the international implications of taking action now or waiting for more consensus to develop.
P. Michael Nugent, Vice President and Associate General Counsel for Citibank will follow. He is an acknowledged legal expert in the field of information technology. We hope he can help make some of this complexity understandable for the Members and the public at large.
Finally, we will hear from Mr. Scott Lowry, who is already engaged in electronic authentication, since he is President of the Digital Signature Trust Company, a subsidiary of Zions National Bank in Salt Lake City, Utah. Utah was the first State to pass legislation concerning digital signatures, and I hope we can learn about some of the practical lessons drawn from operating under this legislation.
Chairman CASTLE. With that we will turn to the panel. Mr. Dorey, you are our lead-off hitter.
STATEMENT OF PAUL DOREY, GLOBAL HEAD OF OPERATIONAL RISK MANAGEMENT, BARCLAYS BANK, LONDON, U.K., ON BEHALF OF THE ELECTRONIC COMMERCE FORUM
Mr. DOREY. Thank you very much, Mr. Chairman. Good morning, Mr. Chairman, and good morning Members of the subcommittee. As the Chairman kindly introduced, I am here before you today representing the Electronic Commerce Forum, of which Barclays is a founding member.
It is the view of this rather diverse base of industry members that we are really at the beginning of a new age of commerce, and the steps that we are going to take now are going to be critical in terms of the way that we form the future. And, Mr. Chairman, we very much appreciate the opportunity to speak at this hearing at this critical time.
Within Barclays, we have a planning approach toward looking at future events, and what we have done, in fact, is looked at three potential scenarios. The first scenario we call ''chaos and uncertainty.'' It is a scenario where we continue with the ad hoc developments of today. They are made somewhat worse by the fact that vastly greater numbers of people will be carrying out these ad hoc activities over electronic commerce channels, and within the scenario, commerce actually fails to develop, and it fails to develop over electronic channels because of lack of certainty and uncertainty over trust and security.
The second scenario is one that we call ''standards sclerosis.'' This is taking the far extreme of the picture where people see that there is a desperate need for plenty of legislation, for plenty of regulation and for many, many standards, and at this point the benefits of efficiency and effectiveness that electronic commerce should be delivering just gets frozen in terms of enormous overhead.
The scenario we prefer, and the one we certainly hope will emerge, is the one of ''evolution.'' Evolution, we believe, is the balance of the need for certainty with the need for flexibility. Indeed, Mr. Chairman, I believe that you did express similar views back in 1995, when you became Chair of this subcommittee, and it is encouraging to know that others are coming to the same conclusions.
In April of this year, the European Commission produced their paper outlining the direction that the Commission believed electronic commerce would progress in within Europe. Last month the OECD, a group of experts on electronic commerce, produced their paper, and, of course, last week the Administration also produced a paper supporting similar views on this need for a balance of certainty and flexibility. I believe that this balance is particularly true for the subject of authentication in electronic commerce.
Perhaps it might be useful to define what I personally understand by ''authentication.'' For me, it is knowing that an electronic message has arrived from an identified party, and that I can actually know who that party is. But then I need to have certainty of really knowing that the name is associated with a particular legal entity or a real legal person. And the final certainty in authentication is that of the message itself: Has it been altered in transmission? Is it actually the message that the individual meant to send? These certainties, we believe, are absolutely critical for commerce to succeed. People will not use untrusted platforms.
However, I would like to stress that the means of gaining this certainty is not just technology. There must be legal acceptance of the use of technology and confidence in terms of how that technology is operated, and those are two key stones that must be in place.
I actually believe that the strong role of the United States, that has led the world in the provision of electronic commerce technology, actually places your country, Mr. Chairman, in a very strong position in terms of influencing the way electronic commerce could be managed and taken forward. By this I mean not a centralized control, but actually giving others the tools that they need in order to help manage electronic commerce into the future.
One inhibitor to this, though, I believe, is the multiplicity of State laws on digital signatures; that clearly undermines certainty with the amount of variety that is present. And in fact, in our discussions with the diverse membership of the Electronic Commerce Forum, we have come to realize that there are other issues; no technological solution will be the fixed way of achieving electronic authentication, and so any legislation, in fact, needs to be technology-neutral. New technologies will arise and will be adopted. As you mentioned in your opening remarks, Mr. Chairman, biometrics, although not in place at the moment, are clearly something that is going to develop in the future. When new technology does develop, we believe this shouldn't require any change in legislation.
But as I stated in my introduction, the challenge of the development of electronic commerce is actually this need for both certainty and also flexibility, and we believe the best approach to this would be what we would call ''cooperative regulation.'' In cooperative regulation, Government plays the role of creating the legal framework, which enables the many players in electronic commerce to create and maintain more generic standards and best practices that would be required for trusted operation.
So, in conclusion, and on behalf of the Electronic Commerce Forum, I very much appreciate the chance to address you here this morning, and, of course, I am happy to answer questions.
Chairman CASTLE. Thank you, Mr. Dorey.
STATEMENT OF DAN GREENWOOD, DEPUTY GENERAL COUNSEL, INFORMATION TECHNOLOGY DIVISION, COMMONWEALTH OF MASSACHUSETTS
Mr. GREENWOOD. Thank you, Mr. Chairman, Members of the subcommittee. I also appreciate very much the opportunity to testify this morning and to participate in this very important hearing on the role of Federal authentication legislation. I have submitted my remarks for the record, so in the interest of time, I would just like to hit quickly what the highlights are.
As you mentioned, I am the Deputy General Counsel for the Information Technology Division in the Commonwealth, and as you said, I suppose that is the longest title. One thing State governments know how to do on the benefits scale is to give titles, I suppose, so we like that. But honestly, in that capacity, my law practice basically brings me in contact with information technology issues every day, and a major focus of the information technology strategy in the Commonwealth of Massachusetts has been looking at ways, as a government, we can leverage on-line technologies to reduce costs and also to enhance our service quality to citizens and businesses. And the dual track is to promote the use of electronic commerce technologies, of which electronic authentication is key in the private sector as well.
The question is how does a government best promote electronic commerce? Our view, in summary, is from a legislative perspective, at this stage we would favor very incremental and targeted legal reforms, particularly in legislation, and those enactments are to have a focus which is promarket, and really targeted to known legal obstacles we can say exist to the use of electronic commerce technologies today.
A key way that we found in the Commonwealth to promote these technologies is to use them through procurement, particularly with other States. We believe that with the Federal Government, we can exercise a great deal of market-making influence; and furthermore, with filing requirements, registration requirements and other transactions the citizens and businesses do with State governments, and with all levels of government, to the extent we are making these transactions available over the Internet and setting standards, that also has an influence on the market. Hopefully, if we get it right, a positive influence on the market.
Another principle that we tried to apply is to use the same technologies and business practices in the Commonwealth of Massachusetts that we see as developing in the private sector, so that from the point of view of a citizen or a business, they will have to use the same kinds of techniques, the same sort of installed base of technology to do their transactions with a public or private entity. We think that is going to be a critical way that the public sector can promote electronic commerce, and certainly not impede it through setting conflicting requirements.
Just very quickly, a couple other things we are doing in the Commonwealth that have brought us in direct contact with some of the issues that arise, including legal issues, with electronic authentication, our primary one is with the registry of motor vehicles. The citizens of Massachusetts can now renew their vehicle registration, they can pay a traffic citation, order a vanity license plate. We accept a credit card over the Internet, and it automatically updates a back-end database and takes care of their transaction, and that is all secured through a point-to-point encrypted link. This happens beneath the notice of the user, who is using a web browser, and in that particular case, we found that the technology does not require authentication because it only requires that we keep the data confidential so the credit card is not compromised.
The subcommittee would probably be interested to know we have another pilot with banks, who will be making filings with our Division of Banks over the Internet, and that will be authenticated by use of a digital certificate, a public key certificate issued by a certificate authority that we have a relationship with.
In general, in terms of legal reform, we feel that the most pressing need is to target existing statutory and regulatory requirements that certain transactions be evidenced by a writing or a signing, especially where those requirements indicate written on paper, signed in ink, when there is no longer any policy reason for being specific as to that medium. In the Commonwealth of Massachusetts, we discovered some 4,515 requirements just in our own general laws, and that is common in other State laws and certainly in Federal law and regulation as well. We think coming up with technology-neutral ways to phrase that, such as an electronic signature, would be preferable, and we look forward to working, I see my time has expired, working with the subcommittee in the future to offer whatever assistance we can. And at this time I would be happy to answer any questions. Thank you.
Chairman CASTLE. Thank you, we appreciate that. I am sure there will be questions later on.
STATEMENT OF ANDREW KONSTANTARAS, VICE PRESIDENT AND COUNSEL, VISA INTERNATIONAL
Mr. KONSTANTARAS. Thank you, Mr. Chairman and Members of the subcommittee, for giving me this opportunity to speak to you today about electronic authentication. I have submitted some testimony that I will not be reading today, but I would like to hit the highlights.
I would like to raise a couple of points. I would like to talk about the context in which electronic authentication is used, because I think that is critical for us to keep in mind as we look at different legislative approaches to address the issues raised by electronic commerce and electronic authentication. I would like to tell you a little bit about what Visa is doing right now and around the world with respect to digital signatures, and I would like to conclude with what we would like help on.
You asked the question, does Congress have a role to play? I think the answer is yes, and I would like to briefly describe what we would like you to be able to do for us. As we move into the information age, we are being bombarded with new words, new technologies that are very confusing. There is HTTP, there is FTP, there is the Internet, TCP/IP. I mean, it goes on and on. It is an alphabet soup, and it can be very confusing, and when the technologists have a hard time keeping up, you can imagine what the average consumer is faced with when they are looking at all of these complex issues.
When legislatures look at these issues and try to incorporate these new technologies, it can be very difficult, and what I am afraid has happened in some jurisdictions is that the technology is in front of the policy, and that the technology is being confused, and the policy is getting lost, and I would like to talk about the way that we think it would be helpful to be considering the issues of electronic authentication.
Aside from the fancy cryptography and all the other cryptographic methods that are used, electronic authentication is about authentication, and we do that today. We have, in our wallets, all sorts of authenticating devices. We have our driver's license; we have our credit card, our Visa card; we have possibly a gym club membership, a library card. All of these individual devices authenticate something about us, and we can use them in various environments.
The electronic authentication is analogous to those types of authenticating devices that we use too. There will be many different types of them, and there will be different uses for those electronic authentications. The problem that is happening at the State level and in other countries is that they are trying to solve the entire gamut of electronic authentication at the same time, and it is important to look at the context in which the application is being used.
For example, when you are using your Visa card, your Visa card is not saying that I am Andrew Konstantaras. That is not what that card is used for. That card is used to associate me with an account that I have with the bank. That type of focused authentication is very different than what you use with your driver's license that gives you permission to drive on the roads. If you try to solve the problems of general purpose identification all at once, you are going to place barriers in front of some of the very good uses of electronic authentication.
For Visa, we are using electronic authentication in the context of confirming that the merchant is who they say they are, and the cardholder is, in fact, the authorized user of that account. The use of the Visa card in the Visa context is done by agreements between the cardholders and member banks that issue the cards, and between the merchants and their banks who allow them to accept those cards. In that private system, we have rules and conditions for using those cards.
We would like to be able to use the electronic authentication to increase the security for our cardholders and for our merchants. That is a very different type of use than some of the general public use that is being considered by a lot of the legislation in States and international environments. We would like Congress to help us to bring some clarity and allow the marketplace to use some of these security mechanisms in a manner that will provide security for merchants and cardholders.
You asked the question, soon; electronic commerce is coming soon. It is certainly on everybody's tongue. I am happy to say that I believe electronic commerce is now. SET, the secure electronic transaction protocol has been finalized. Transactions are occurring all over the world as we speak using the electronic commerce protocol that Visa and MasterCard have put together. This protocol uses electronic authentication, and we hope legislatures would not issue laws that would cripple electronic commerce by making electronic authentication impractical to use.
Thank you for your time.
Chairman CASTLE. Thank you very much, Mr. Konstantaras.
STATEMENT OF P. MICHAEL NUGENT, VICE PRESIDENT AND ASSOCIATE GENERAL COUNSEL FOR TECHNOLOGY AND INTELLECTUAL PROPERTY, CITIBANK
Mr. NUGENT. Mr. Chairman, Members of the subcommittee, good morning. My name is Mike Nugent. I head up the Technology and Intellectual Property legal area for Citibank and work a lot in this area of electronic authentication. In fact, it has become one of the hottest areas for Citibank.
I welcome this opportunity to talk about electronic authentication, and we congratulate the subcommittee, for tackling this issue so early on. It is worthy of exploration.
I have a prepared statement. I would like to submit that for the record, and today I want to summarize some key points.
Citibank joined with a number of other banking and non-banking financial institutions and trade associations in organizing a group called the Ad-Hoc Committee for Electronic Authentication. I believe we have the longest name for the groups dealing with this area. Our goal is to establish national uniformity in legal and regulatory regimes governing electronic authentication.
We are here for a very, very specific purpose. We have taken this on because we have a great interest in using electronic authentication in our electronic commerce and Internet products and because we do business in the United States and 98 foreign countries. In our view, national uniformity is essential to the successful development and use of electronic authentication by financial institutions. It is our view that electronic commerce won't happen without electronic banking, and electronic banking, particularly Internet banking, won't happen without electronic authentication, and in turn electronic authentication won't happen unless we have some sort of national uniformity in this area.
Why is this important? The business of banking is becoming the business of technology. Electronic commerce has the potential to change the way everybody does business. According to one study released last month, on-line banking users will total about 2.1 million by the year 2000, and we think that is an extremely conservative number. Some of our own strong marketers are talking that kind of numbers just for Citibank. Worldwide the figure is expected to quadruple, according to some reports, from 10 million to 40 million, and some say electronic commerce will be a $300 billion industry by the year 2000. While no one knows for sure what is going to happen over the years, it is increasingly evident that the global use of electronic commerce will change commerce as we know it.
A key issue for the financial institutions is what role are we going to play. We believe that unless there is Federal legislation that facilitates a uniform legal structure for electronic authentication by financial institutions in this country, there may be no role. In turn, electronic authentication is fundamental to the conduct of Internet banking and electronic authentication. Without uniformity, electronic authentication will not happen, and without electronic authentication, Internet banking and electronic commerce will slow down.
In the world of electronic commerce, parties transact business over large, open networks like the Internet. They don't know each other prior to these transactions. In order to transact business, parties on both sides, the user and provider, have to identify and verify; they have to authenticate who they are dealing with to ensure that the messages sent were not tampered with during the transmission, to make sure the messages sent have been sent by those purporting to send them, and ensure the identity on the other side is in fact the identity it says it is. All of this is accomplished by electronic authentication. It is a cryptographic technique, and that is important, that allows the user to: one, authenticate the identity of or information associated with a sender of a document; two, determine that a document was not altered, changed or modified during the transmission to a recipient; and/or three, verify that a document received was sent by the identified party claiming to be the sender. These are simple and necessary functions.
Why is Federal legislation necessary or desirable? Well, financial institutions put priority on a governance regime for electronic authentication that is consistent from State to State. This goal is threatened by a burst of State legislation that is producing a quilt of conflicting and inconsistent State laws. While the States should be commended for stepping into the breach and considering and enacting regimes for the licensing and regulation of electronic authentication, the resulting disparate State regulatory regimes we are seeing crop up concerns us as we try to offer nationwide electronic banking and commerce services over the Internet. I think all of us can agree that the Internet and commerce conducted over the Internet transcends State boundaries. As a result, anything short of uniformity will hinder the ability of financial institutions to provide these products and services and will impede interstate and electronic commerce.
What are the States doing? A number of States have enacted or are considering laws dealing with electronic authentication and these laws are affecting financial institutions. By my count, there are about 14 States with laws in place overall. Eight of these State laws affect government transactions, and five, maybe six depending on your interpretation, affect banks. Even more startling, there are another 16 State bills affecting banks that are very serious.
The States all have varying approaches, the 16 plus the 14, regarding such matters as registration of certificate authorities, the need for national banks to register, the definition of ''digital signature'' and the ''minimal content'' and technological scope of digital certificates. Some States provide that electronic authentication must be accomplished through public key cryptography. Still others maintain that mere digitized or ''electronic signatures'' are OK. However, in our view, these latter methods, these technology-neutral methods, will lead to incompatible and non-interoperable authentication systems, as well as less secure, less trustworthy and possibly rogue authentication systems that could undermine the safety and soundness of the Nation's banking and commerce system. This in turn, we think, could lead to inefficiency and problems of interoperability in our Nation's payment systems.
Other issues the States have addressed in different ways include such matters as defining minimum requirements for trustworthy authentication systems. Some of the States actually have State agencies going in and saying what is the standard for software, hardware and personnel. States differ on disclosures to consumers and subscribers. States differ on minimal financial resources for certificate authorities providing electronic authentication services. They differ in obligations and liabilities of certificate authorities and the rules applicable to the suspension and revocation of certificates; procedures for maintaining and keeping revocation lists; recordkeeping; property rights; and keys that have been issued; and State agency rights to revoke, terminate or suspend certificates that are being used in electronic commerce.
The problem is that if there are 50 State regimes governing electronic commerce by financial institutions, the implementation of secure electronic banking and commerce over the Internet will become costly and inefficient. It may well also conflict with Federal agency guidelines on security and technology. Fifty different regimes will diminish the likelihood of uniform electronic banking and commerce, which by their very nature are interstate in nature. Fifty different regimes will reduce the incentive for new market entrants to offer electronic commerce and banking products and services. Fifty regimes will confuse consumers doing business over the Internet and will result in different legal protections, commercial standards, and levels of security, depending on where you live.
Finally, if the States require national banks acting as certificate authorities to establish themselves within a State, to register or establish an office or agent, there are sensitive issues raised as a result regarding interstate banking, unitary taxation, and so forth.
There is also a competitiveness issue here. Foreign countries are allowing electronic authentication without a variety of intra-country rules and regulations. They thus facilitate commerce and the competitiveness of their financial institutions and companies. Europe is looking to harmonize national laws and digital signatures and certificates. For the U.S. financial services industry to compete, it needs uniformity and simplicity at home.
What could or should legislation do? We have seven things, and I will quickly go through these.
First the legislation should permit, give recognition and effect to the use of electronic authentication by financial institutions. It should do the same when parties dealing with financial institutions and financial institutions themselves seek to indicate authorization, authentication or verification of acts or transactions.
Second, the legislation should be optional. It should allow financial institutions, broadly defined to include most players in the Nation's payment system, to elect to be covered.
Third, it should not purport to allocate obligations and liabilities between users and providers of electronic authentication. That should be left up to the parties to establish by contract and to existing commercial and consumer protection law.
Fourth, to protect financial institutions from competing or conflicting requirements under State law, the legislation should provide for Federal uniformity as to registration, licensing and regulation of use of electronic authentication by financial institutions.
Fifth, it should put the banking agencies in charge of oversight of these activities by financial institutions to ensure the protection of safety and soundness.
Sixth, it should not affect existing consumer protections. Leave the Truth In Lending Act, Electronic Funds Transfer Act and other statutes and regulations intact and see how they work.
Seventh, it should require a review by bank regulators of existing bank regulations to see if it makes sense as applied to electronic commerce transactions, and also an international study to see how this is all going to work between and among countries.
These measures reflect a minimalist, market-oriented approach and are consistent with protection of the public. These measures will boost on-line banking and electronic commerce. There is something that the Congress can do to help this industry.
Finally, and quite important, these measures are consistent with the Clinton Administration's policy announced last week on global information infrastructure. The very first principle of the White House policy is, quote, ''The private sector should lead.'' That is precisely what electronic authentication legislation, as we envision it, would help ensure. The second and third principles of the Administration's policy are that, quote, ''Governments should avoid undue restriction on electronic commerce,'' and, quote, ''Where Government involvement is needed, its aim should be to support and enforce a predictable, minimalist and simple legal environment for commerce.'' These are exactly the goals of electronic authentication legislation as we see it. Thank you.
Chairman CASTLE. Thank you, Mr. Nugent.
STATEMENT OF J. SCOTT LOWRY, DIGITAL SIGNATURE TRUST COMPANY, ZIONS BANK, SALT LAKE CITY, UT
Mr. LOWRY. Mr. Chairman, Members of the subcommittee, good morning. My name is Scott Lowry. I am the President of Digital Signature Trust Company, a subsidiary of Zions First National Bank in Salt Lake City, Utah. I would like to thank you for the opportunity to speak to the subcommittee and share with you our views on electronic commerce, electronic authentication and the potential need for legislation.
As you know, Utah was the first State to pass a comprehensive law enabling electronic commerce and digital signatures. The Digital Signature Trust Company was formed to provide certification authority services for the State of Utah and elsewhere throughout the country.
I, too, have submitted written testimony to the subcommittee and for the record, would like that recorded. In the interest of time, I will summarize what I think are the important points of that testimony.
First, let's look at the state of legislation in the individual States around the country. At last review, 36 States have either passed or have some form of electronic commerce/digital signature legislation percolating through their legislative processes. These bills appear to come in two flavors, ''thick'' and ''thin.''
The ''thin'' versions take a minimalist approach to enabling and regulating electronic commerce. They do this by: one, recognizing electronic documents as original legal documents, thus satisfying the ''in writing'' requirements of various State statutes of fraud; and two, by recognizing various forms of electronic signatures as legally binding.
The ''thicker'' versions of the State laws not only recognize electronic documents and electronic signatures, generally digital signatures, but also attempt to design and regulate the infrastructure necessary to support electronic authentication and to apportion liability among the parties in the event of negligence or malfeasance.
On the one hand, it is encouraging to see many States taking an interest in the prospects for electronic commerce in their States. It is at the same time troubling. Disparate laws tend to lead to confusion in the marketplace, and in the absence of some unifying force, will likely slow down rather than speed up the pace of adoption of electronic commerce. For example, what law applies when Digital Signature Trust Company issues a digital certificate to a client outside the State of Utah? Today we don't know.
In addition to such current and very real questions, one could easily envision States passing competing bills in an attempt to attract commerce revenues that are sure to develop if the market is half as big as the experts are predicting. This would lead to a sort of regulatory arbitrage as industry participants play legislatures off against each other in a search for the lowest regulatory common denominator.
Given the uncertainty and ambiguity and the potential for conflict inherent in the States' individual efforts, we would strongly recommend that the subcommittee consider recommending overarching Federal legislation in the areas of electronic commerce and electronic authentication.
We would recommend that any legislation follow the ''thin'' model and seek only to legalize electronic documents and acceptable forms of electronic signatures.
We would recommend that the subcommittee be prepared to iterate the law as the world's understanding of the issues and circumstances around electronic commerce change.
We would recommend that as consenting adults, commercial parties be free to contract and apportion risk and liability as they may mutually agree.
We would recommend that the general thrust of the consumer protection laws be preserved in any Federal legislation on this subject.
We would recommend that financial institutions, because of their unique understanding of authentication issues and the already heavily regulated nature of their business, be given special dispensation and exemption from emerging State laws.
Finally, as an example of how Federal law can, in fact, be used to accelerate or facilitate national objectives, one could draw a parallel between the construction of the Federal interstate highway system and the challenges raised by the development of the national information infrastructure. If the interstate highway system had to be built one mile at a time, one town at a time, one county at a time, it would have never happened. We believe the same is true with the information superhighway. It needs Federal assistance, and it needs it now.
I would like to make one final distinction that perhaps has not been made by the rest of the panelists. I think we should look at bifurcating the market and potential legislation into commercial and retail markets. We tend to believe that retail markets are some distance away and that commercial applications for this technology are here today and need help. And I would remind people of the adoption of ATM technology, that after 20-some years, we had, I think, a 65 percent adoption rate. And we talked to people in our organization about the fact that we do not have people outside of our banks with placards saying, ''Give me my digital signature.'' On the other hand, we do have companies who want to get in the business today.
Chairman CASTLE. That is funny, I have people picketing my town hall meetings talking about having their electronic authentication and such, so I am surprised to hear you say that.
Chairman CASTLE. Let me start with the basic question a couple of you at the end raised. Is there anyone here, and by the way, I can't have everybody speak to every question I ask, or we will never get them in in 5 minutes, but is there anyone here who does not agree with the premise that at some point, as Mr. Lowry said, there should be overarching Federal legislation versus State-by-State? Normally, I am a State-type person, but I can see in this case a valid argument for perhaps Federal legislation someday. Is there anyone here who would either disagree with that or would like to define it in some different way?
Mr. GREENWOOD. Well, yes, I guess I challenge the basic assumption that there is a need for overarching comprehensive Federal legislation of electronic commerce and authentication, but I don't think the question is whether this should be State or Federal, I think the question is what is the appropriate role of the States and the Federal Government in developing a consistent and coordinated legislative and regulatory policy framework that is going to promote and support electronic commerce?
And it is useful to take a look at the existing jurisprudence and ask whether or not we can do it within the broad contours of the existing system. Contract law today is largely a matter of State law. The question of whether a particular person has, in fact, performed a transaction or signed a contract or has been, you know, authenticated often comes down to an issue of evidence when the things go to court and are tried in the State court, under State rules of evidence. That, too, is a matter of State rules, and the notion there ought to be a Federal law which governs or just preempts State contracts and State rules of evidence I sense is going to have to be looked at very, very closely.
Nonetheless, I guess I would agree, though, that the Federal legislation is going to be desirable at some point in the future, and my suggestion would be that we take a wait-and-see approach as the technology develops and as the market develops.
I would like to briefly make a comment on what I think the balance ought to be between having these solutions developed in the private sector versus attempting to having to regulate a market into existence.
Chairman CASTLE. Let's take a couple of brief comments so we can keep going with the questions.
Mr. DOREY. If I can make an international comment here, global electronic commerce is the final goal and will, in fact, be the full marketplace development of electronic commerce. This means that at some point there will need to be a means of recognizing digital signatures between nations. The idea of having to subrecognize within individual States, without any overarching national view, strikes me as very difficult to achieve. So, speaking from an international perspective, we would see a strong advantage in a Federal law here.
Chairman CASTLE. Let me change subjects for a minute because I do want to get into some other things.
I know that I can call L.L. Bean or somebody and give them a MasterCard number or Visa number, whatever it may be, and, you know, they take it down, and I don't know what verification they have on that. It is a telephone call. They send me my product. That is at the consumer level.
Are we talking about, with electronic authentication, are we talking about something that is a greater safeguard than exists today? What risks are these companies taking in assuming I am who I say I am and where they are sending their product or whatever they may be? I don't understand. As we go to this new level where we start doing things over a computer, I am talking retail, and I realize you deal with commercial, and that is where the growth is right now, but ultimately we represent people who are worried about their own home usage or whatever it may be. I am sort of interested as to how this applies to computers and the next step beyond what we seem to be doing?
Mr. LOWRY. I think there is a tendency, because of the sort of visceral response everyone has to the word ''Internet,'' to try and make computer systems infinitely more secure than the paper systems that already exist today. This notion of putting one's credit card on the Internet tends to scare people to death, but they leave receipts on restaurant tables. Those receipts go in the garbage. They are looked at by anyone who wants to see them. They freely give their credit card over the phone to people they have never met before or even really know who they are talking to. So, I think it is really this newness of the Internet, the uncertainty of the medium has caused us to erect a number of barriers that may be irrational at this point in time.
A good example we all suffered through recently is the Social Security Administration's problem. If you look at the paper system the Social Security Administration has in place today, any notion that that is a secure system is absolutely absurd, and the system they put in place over the Internet was orders of magnitude more secure than the paper system they continue to use. But, again, simply because the word ''Internet'' was interjected into the process, the flags went up.
Chairman CASTLE. We will let Mr. Konstantaras have the final comment on this and then go to the next questioner.
Mr. KONSTANTARAS. I would like to take a different perspective on that. I think the Internet is a different type of environment. Just last month there was someone in California who, through the Internet, stole approximately 200,000 credit card numbers and was caught by the police.
It is a dangerous place to be able to do commerce. The way it works when you are doing mail order, telephone order, and you call up and you say, ''I want to buy something,'' there are some mechanisms that are used. There is an address verification method used where they ask for an address, and they can run it against that and make sure that they match. But in that environment, what we call the ''mode dough environment'', the merchant is taking a risk by taking that order, because if the cardholder says, ''It wasn't me'', you know, that is a valid challenge, because the card itself was not presented.
And that is an important distinction in the Visa system. What we are trying to do with SET, electronic commerce protocol that we have developed, it is using digital signatures and electronic authentication to bring the security up to the level where the merchant can say, ''Yes, I know that the equivalent of the card, basically, was there because of the technology that was used''; and the cardholder can say, ''Yes, I know, in fact, that this is Nordstrom's that I am talking to.''
So, it is a bit different from people leaving receipts on tables. One of the things, you know, if you leave a receipt on a table or garbage can, there are a limited number of people that can get at that. When you post something on the web, you have millions of people sort of ''packet sniffing'', looking at that information and getting that unbeknownst to you. And what is an important distinction is it is not just people, it is programs. It is difficult to go through the garbage and go through the paper, but I can write a program that sits there while I am off drinking coffee, reading and waiting, and when it sees them, it collects them, and that is problematic, and that is why we spent the time and money to develop protocol that is secure.
Chairman CASTLE. Well, thank you. That is complex and interesting.
Let us turn now to Mr. Flake, Ranking Member on the subcommittee.
Mr. FLAKE. Thank you very much, Mr. Chairman. I think this is probably one of our most important hearings as it relates to the futuristic directions that this issue is taking and going, and those persons who are responsible for trying to change how we function.
First of all, I would like unanimous consent that my statement be placed into the record.
Chairman CASTLE. Without objection. By the way, the statements of all of you are part of the record, so that is also done at this point.
Mr. FLAKE. The question I have is: Given that the use of computers and Internet is so relatively new, there has been a very difficult challenge that has been posed to those who are senior citizens, in particular, and other folk, like myself, who are over the age of 50, who really have had a great deal of challenge just getting into the beginning phases of the computer and understanding what it is. The fight we have had in many communities of trying to get many seniors to even use the ATM, and now we go to another level, even before they have gotten acclimated to it, or comfortable with it, or feeling a sense of security in it, to begin talking about the direction we go with computers and the Internet. Do you feel at this point, in terms of development, that you can give enough assurance to those individuals that the system will, in fact, be safe enough for them to be able to use it without any fear that their resources are going to be taken by others? You know that there is a suspicion, and that is the reason they don't do ATMs. People like my mother and father who passed, never having opened up a bank account, a checking account, because they lived through the Depression and did not even trust the banks. So, now we are talking about other people having the potential for access to your money and your privacy. How do we guard against some of this and get some comfort levels for those individuals?
Mr. NUGENT. Mr. Chairman, if I could respond.
This electronic authentication we are talking about won't probably induce people to use their technology more per se. It hopefully will be transparent to them. It will be embedded into their software, their phones, their computers. It is our view that these systems will make electronic commerce over the Internet safer, more secure, and, in fact, will bring more electronic commerce to more people, because vendors, merchants and systems will put this in place to deal with people they don't really know in the electronic environment. This will encourage vendors, merchants and providers to do business over the Internet because of the safety and soundness that is interjected because of the way electronic authentication works.
That is really the reason for this stuff to happen in the first place is to give some kind of certainty and assurances to those who are playing in the system so they become part of the system, so that in turn they can bring the electronic commerce to consumers and users.
Mr. KONSTANTARAS. You know, there is a barrier that technology provides. What we are doing by trying to create secure electronic commerce is we are encouraging merchants to get on-line. My grandmother, she will go to like 5 different stores to buy 10 items, you know, because she is looking for the best price, and that is the mentality she grew up with, and she is pretty wonderful. But the Internet could provide a great tool for people that want that kind of access for shopping for bargains, looking for the best price, getting information. If more merchants can get on, we have a value proposition to offer people to get to use that, and I think that is one of the exciting things the Internet can offer. It offers things for a lot of different people, and especially seniors, where mobility can be an issue.
Mr. FLAKE. There are assumptions here that all of these people are going to be on-line. The bottom line is, you are assuming that almost every household is going to, in fact, have a computer. I don't think that is necessarily going to be factual. I wonder if there is a major portion of the population that is still not going to have access to that kind of use, and then what do they do? What are their options? Do we create, do we maintain some kind of system outside of these networks that will allow them to take care of their business?
Mr. KONSTANTARAS. There are actually some solutions to that. It is going to take time for computers, just as the TV and the VCR, to get into the homes, but there are places that are setting up kiosks, so that people can go to these kiosks.
Mr. FLAKE. First thing, you better give it a name that everybody understands. I understand it, but not everyone does.
Mr. KONSTANTARAS. I am sorry. There are little places they can go to use the technology. There are Internet cafes where there are computers there, there are a lot of places popping up to meet that need. But you are absolutely right, it will take time for that to come there, but when it becomes that popular, we would like to have a set of infrastructure with plenty of merchants to offer.
Mr. FLAKE. My time is up, but Mr. Lowry keeps shaking his head on some of this, so I ask to yield, 30 seconds, Mr. Chairman, so he can answer.
Mr. LOWRY. I know the notion of public access is very important to a number of people looking at providing this service, and I go back again to some of the experiences I have had with the Social Security Administration. They are very keen on equipping public libraries with network access; that people could, in fact, go to the library and get on-line through the library and other publicly available places.
Mr. FLAKE. Thank you very much. I yield back, Mr. Chairman.
Chairman CASTLE. OK. Mr. Jackson was here first. I don't know if Mr. Kennedy wants to go ahead of him, or how you want to work that out?
Mr. KENNEDY. Well, no, I just want to figure out how you got to Mr. Flake.
Chairman CASTLE. Because he is the Ranking Member, and Mr. Jackson is next. If he wants to yield to you, that is his business.
Mr. JACKSON. Thank you, Mr. Chairman.
Let me first begin by taking this opportunity to thank the witnesses who provided great expert testimony, I think on a very difficult subject for many of us to really comprehend and understand.
However, this morning, Mr. Chairman, I want to disagree with the premise of a couple of the witnesses that have suggested that the goal of legislation should be to promote electronic commerce. E-commerce is important. Please don't get me wrong. But its promotion should be the goal of the free enterprise system and the free market, not the goal of Congress.
One of our many concerns is obviously the protection of consumers from fraud and abuse, as well as protecting the integrity of commerce in this Nation. Federal legislation should not cripple commerce, but it can enhance security and, indeed, it should.
Let me just give you an example, Mr. Chairman, of what I believe to be the present environment without E-commerce. If I lose my wallet and several of my credit cards are lost, on the one environment maybe 10 years ago, a person could purchase anything if they found my credit card. Now, we require and oftentimes many stores require picture ID. When fake IDs became the issue, credit card companies then subsequently began putting pictures on credit cards for that purpose.
How about this scenario? A store has a copy of my check. Therefore, they have a copy of my signature. They also have a copy of my driver's license which also has a copy of my Social Security number on it. Because in Chicago, for example, our driver's license identification number is our Social Security number. So, it is not so private. On another occasion, at the same store, I used my credit card, so they have a copy of my credit card number on file.
I am very interested in having a home page for my Congressional office and I talked with the computer expert about it. For his services, he indicated outside of a very large contract just to create my home page, that for 2 years, he could do what no other computer expert could do. He could take my home page and make sure at the top of the top 10 warehousers on the Internet that my home page would be one of the first five on top of any of the top major warehousers in the country. Why? Because he has figured out a way to get into the logarithms that allow home pages to be categorized in a particular way.
Mr. Chairman, I think it is important just to say at least this: We are looking for a thief. We are looking for a crook who needs only 1/10th of 1 percent of 1 cent of every transaction on the Internet in order to make a substantial profit. This particular thief is extremely well educated. He or she may work in the techno-security division at the encryptolink at the protocol division of thousands of companies across this country, indeed in our world. We are looking for Mr.—I think his name is pronounced Konstantaras'—coffee drinker. And I am interested from our witnesses today, Mr. Chairman, what the worst case scenario, since even at the Pentagon, for security protection, because of hackers that we are always concerned about, they are constantly upgrading and updating programs to avoid this level of security breach, I am interested in the worst case scenarios from any of our witnesses on the dangers of E-commerce and the role that Federal legislation should provide to protect not only the companies, but also the consumers.
Mr. Chairman, if I may ask just unanimous consent for an additional minute-and-a-half added to the time so that they can respond.
Chairman CASTLE. Without objection, we will take that time from Mr. Kennedy, so it is perfectly OK. Please respond.
Mr. KENNEDY. Take it all.
Mr. JACKSON. Please feel free, any one of you.
Mr. DOREY. Fine, if I might pick that up.
To me, the worst case scenario is people in good faith picking up completely fraudulent services from the new electronic commerce media. This would be like purchasing equipment that was dangerous and unsafe.
The idea is similar to one of Underwriters Laboratories, the people that actually put a safety mark on equipment, so that people know that it can be trusted, that things reach a certain standard. And it is knowing that there is that certainty in place that enables people to operate. Without that, there is a danger that people with fraudulent intent will create completely fictitious electronic commerce channels and defraud people.
Mr. KONSTANTARAS. Electronic commerce is a global phenomenon. And I think one of the worst case scenarios is that things become so unstable in the United States because of all the differing rules and regulations that it is just not safe to do things here, and people will not be before me. They are just not going to trust it. They won't trust the Internet. And the rest of the world will move forward.
Europe is very aggressive right now in setting up electronic commerce. They have got lots of pilots that are being sponsored by the Commission. They are very aggressive in looking for legislation that will address some of the concerns about digital signatures.
For me, one of the worst case scenarios is that the U.S. will be left out of a great opportunity and that people just don't trust the Internet and they won't use it as a tool. It will be like not using the highways to get somewhere. They would rather walk because they are not sure of the safety.
Mr. NUGENT. I am not going to be able to talk about the worst case scenario. But one of the ways we think about this is how to deal with it. And what we at Citibank have thought about is internal process and procedures, but also the regulators. The bank regulators have this at the utmost of their agenda. And it is a partnership where the regulators and the institutions together address this issue. Because if one safety or soundness issue comes up in this stuff, if there is one worst case scenario that erupts, if there is a Three Mile Island that erupts, this is going to cripple banking. It is going to cripple electronic commerce.
It is our view that if we put this electronic authentication, which deals with the heart of what you are talking about. How do you know who you are dealing with? How do you know what they are trying to do? How do you know what they are communicating? If you put this in the hands of the banking regulators for financial institutions, in the sense of legislation that we are talking about, you are in a better position than you are right now under State legislation, where you have departments of commerce in various State capitals, who barely can cope with the various burgeoning loads they have already, who have to administer electronic authentication systems for all the corporations that want to do business in their State.
You have clerks that have to deal with—I guess are going to have to deal with—50 or 60 lawyers, 50 or 60 information security officers, and that is probably on a good day, deal with the certificates and revocation of certificates, and these are under various State laws. So, I guess we are trying to respond to a concern, to a process. And this is part of the process.
Mr. LOWRY. I would add to that by reminding the subcommittee that the OCC, Office of the Comptroller of the Currency, has acted to help shut down fake Internet banks that were springing up. So, there is a degree of vigilance and supervision taking place already today.
Mr. JACKSON. Let me just say in conclusion, if I may, Mr. Chairman.
Chairman CASTLE. Sure.
Mr. JACKSON. One of the concerns I want to reiterate, Mr. Konstantaras' example of the coffee drinker. A fake Internet bank can be set up in a foreign market including, for example, the Bahamas or even Switzerland, for that matter. And these programs can constantly keep checking data and constantly wondering why someone is drinking coffee for the purpose of providing some great crimes. And so even as we contemplate legislation, we should be vigilant that we are not just legislating against the possibility that people may engage in it, but the computers themselves can be set on automatic program and constantly be probing.
Thank you, Mr. Chairman.
Chairman CASTLE. Well, thank you, Mr. Jackson. Those are valid points. And for those of us that are not that knowledgeable, it is all a little bit scary out there. Mr. Bereuter.
Mr. BEREUTER. Thank you, Mr. Chairman.
Gentlemen, I appreciated your testimony. This is a very interesting and complicated area and important. I would like to ask the panel of witnesses, I am getting feedback here. If there is anything that the other panelists said with which you disagree or you would like to elaborate on further? I want to see if there is any controversy among the witnesses.
Mr. NUGENT. We have the longer title for our group. That is the only controversy.
Mr. GREENWOOD. I think we have more syllables.
If I may, I think there is a difference of emphasis, for sure, that is starting to emerge. It seems like the people on this side of the table seem to be saying, ''technology-neutral legislation if legislation at all is an appropriate way to go.'' And I am hearing another point of view, which is that ''what is needed now is some legislation that specifies use of cryptography or programs, even particular implementations of cryptography is what is needed.''
I would suggest that our current thinking in the Commonwealth, based on the draft electronic legislation that we are working on, is the appropriate legislative role at this time is one that is very minimal and, in fact, technology-neutral, specifically to avoid the possible consequence of legislating a particular technological implementation which ends up not being the best way to get at security concerns and is not tested by the market as being the most efficient model.
Mr. BEREUTER. Yes, sir. Go ahead.
Mr. KONSTANTARAS. I would like to just clarify if I had given the impression if we are asking for specific, you know, use this technology that is clearly, I think, not what we are asking for, because the problem is that what the States are starting to do is they are not just saying use this technology, but use it in this way. And that becomes so difficult when you have 50 different States with different approaches.
This is basically an initial security mechanism in the context of what we are talking about. And just like the hologram on the Visa card is a security mechanism, and if 50 different States have 50 different approaches, you would have 50 different holograms all over your one card, where you might have to have 50 different cards, and that just doesn't work. And what we are really asking for is to help us bring some uniformity with respect to what the States are doing, so that the marketplace can solve the problem and use this technology to protect consumers.
Mr. BEREUTER. Mr. Nugent has given us in his testimony, I don't know if he enunciated it here orally, but he has given us seven points about which the legislation should address. Those are helpful, I believe. It would be helpful also if we had some indication that the banking industry in general supports those points that you suggest to us for legislation. And I think the staff should pursue that.
Mr. Dorey, you, of course, are trying to give us an international input here and that is appreciated. Do you think that if Congress legislates, it will hamper an international agreement within the U.N. context? You seem to urge us to proceed here at the national level.
Mr. DOREY. Absolutely. I believe that certainty and consistency is what will assist the international process. And at the moment, the diversity that is beginning to occur across Europe with individual country laws within the European Union has led to the European Commission, in fact, taking the lead here before the State legislation.
So, what we believe is the same thing is required at the Federal level in terms of what one of my fellow panelists called a ''thin'' law, one that does not penetrate in great depth and therefore gets tangled up with technology or the details of operational standards, which we believe would be more appropriate for industry bodies themselves to publish transparently. And so the aim, I believe, of the European Commission is to create some overarching legislation in Europe that would have a similar effect.
Mr. BEREUTER. Will they be issuing a directive on that?
Mr. DOREY. I can't speak, obviously, for the Commission myself, but my belief from my discussions with a number of them is that would be their intent, yes.
Mr. BEREUTER. Thank you.
Mr. Greenwood, I think, as the only State agency representative here for the Commonwealth at least, but perhaps speaking in general for States, two questions in conclusion. If we preempt State law by national legislation, will the States be able to tax electronic commerce that affects a given State? Do you think that is important? I assume the answer is yes. But is it something we need to look at? And I would ask finally, which level of government is responsible, in your judgment, for setting levels of liability in electronic commerce?
Mr. GREENWOOD. The position of Governor Weld has been that the Internet should be basically a tax-free zone. There is a speech that he gave to the Massachusetts Software Council which is linked from our web site. The address is in my written remarks. I have to admit I am not a tax expert. But my understanding is that there is a perception that we are going to have problems if you have got 50 different State taxation requirements and that there is a real need for uniformity there. And that may be fruitful ground for some Federal reform. It seems to me like a helpful approach would be to look at serious tax reform as a way to promote activity in this sector.
As to the second question, liability, my honest assessment at this time is that there are so many context-specific applications in which electronic commerce generally will take place, that there inevitably are going to be different rules that will apply depending on the given transaction, particularly if a dispute develops that could form the basis of an action in State court then look to State rules, Federal court then Federal rules, and conceivably, even local ordinances. It really depends on the circumstances. And I would strongly recommend that we continue a discussion between State organizations and Federal rulemakers and lawmakers so that we are sure that we are coming up with coordinated and consistent liability and other legal requirements.
Mr. BEREUTER. Thank you, Mr. Chairman. It looks like we are set for another commerce-banking
Chairman CASTLE. Just what we need is additional commerce-banking crossover. Mr. Kennedy.
Mr. KENNEDY. Thank you, Mr. Chairman.
I actually think that that is an important issue in terms of -- and it is important that you have established this hearing this morning, because this issue isn't just going to be between commerce and banking. I think if you look at the implications for the kind of information that is made available in terms of medical records, the kind of financial information that is crossing, and very personal information, the Internet happens to be started in the district that I represent. I also represent a number of the companies that have essentially the exclusive rights to put information on the Internet. And even the heads of those companies today will tell you that it is very difficult to guarantee that there can be real protections in terms of privacy, that you have all sorts of capabilities.
And the companies themselves also have information about every person that uses the Internet that will blow your mind. And the idea that we can, as a Government, sort of sit idly back and not take any actions to protect the American consumer, and the American people, not just the American consumer, but every American I think is one that is important for this subcommittee to take a leading role on. And I commend you for having this hearing. And I want to thank the witnesses that come before us this morning.
I guess my concern is that you have got a rapidly changing environment out there. You know, we saw just a month or two ago when the United States tried to, on the international transactions at least, determine whether or not there was possibility of espionage and the like, which fell flat in terms of the international community being willing to even allow that kind of invasive actions by the American Government or other governments. So, this is an area that I think is fraught with difficulty.
I guess my basic concern, Mr. Chairman, really has to do with whether or not we are even prepared at this point to draw conclusions. I thought it was interesting in Mr. Greenwood's presentation that even though Massachusetts has taken an advance look at how to protect its citizens, that he even leaves some room for the fact that the Federal Government might set a floor. I am not sure that we ought to be establishing a ceiling with that floor in any legislation that we would consider. It does seem to me that we have looked to the States for innovative and creative solutions to these kinds of problems in the past. It took many, many years to get things like the truth in lending, truth in savings legislations past. We have let a lot of that information develop at the State level.
Certainly, I think some of the base protections that many of you have talked about are appropriate. But I am interested in determining whether or not you feel that any of the protections that you could put in place now would truly, in fact, give the American consumer the kind of protection against the type of computer games, computer kinds of jamming that can take place that will allow people to get in there and use this very personal and important information, you know, to their individual gain, without your permission.
And given the fact that I think that that is highly unlikely that you could give strict assurance that that could happen, it doesn't seem to me that we are really in a position yet where we can say that any piece of legislation that would be considered by the Congress should be the end-all. My sense is that you are going to have to allow the States to participate in the creation of new legislation in the future. And I guess with that statement, I would just like to see if you have any comment about that.
Yes, Mr. Nugent.
Mr. NUGENT. Yes. Mr. Kennedy, the legislative point that we have been trying to talk about, the seven points I address in my testimony, tries to achieve the balance of what you are talking about. But you have to have some important principles and consumer protections in place and you want the private sector to lead at the same time.
What we are saying in the legislative approach we are talking about is the law should say something along the lines that, ''We will let financial institutions,'' broadly defined because we are addressing the payment system, ''use authentication in their business.'' We are also saying that the existing raft of consumer protection laws should apply. We think most of the consumer protection laws, which you will find in the EFT Act and Truth in Lending Act, will work very well in this area, limitations of liability, disclosure, and so forth, will work very well in these systems. And we are saying that the bank regulators ought to take a look at this and just see how it works for a while. Don't overreact. As many of the States have.
The thin and the thick approach that Mr. Lowry talked about is accurate. But even the thinnest laws have Government decision on what kind of system should be used and also how these systems should be applied. So, we are trying to capture that balance that you are talking about; also trying to keep the raft of consumer protection laws in place so consumers feel that they are going to be protected in this environment.
Mr. KENNEDY. Yes. But I guess my point is not that, you know, you wouldn't have the $50 protection, which is the essential one you are referring to. I think while that is important, it is not the greatest concern, because there are other kinds of -- I mean, you look at some of the information as contained in a credit report. You look at some of the information as contained in any of the other kinds of confidential issues that pertain to people's financial holdings and the like. They can be much more damaging than the simple act of a theft of a credit card.
So, I think that what you are trying to suggest is that the fundamental protection of a $50 liability is one that should allow us to feel like we are doing our diligence as Members of Congress. And what I am trying to suggest to you is that there are liabilities that are much more significant than the $50 that I think require us to allow States to take a more innovative approach, at least for some period of time here.
I don't know what the solutions are going to be like. I can't tell you that there is a particular program or anything else that is going to enable you to encrypt this in a method that is really going to provide protection. I don't think that that is going to occur. But I guess my suggestion is, and my sense is, that you are going to have to establish some sort of minimum Federal floor, but you are going to have to -- and it is going to cost you some money, and it is going to be a pain in the neck to deal with -- but you are going to have to allow some continued innovation at the State level. Because I am not certain that the Feds themselves are going to be able to encompass all the various different schemes that the criminal mind is going to be able to develop given the opportunities that are available.
Yes. Mr. Konstantaras.
Mr. KONSTANTARAS. I think that the issues that you are talking about, like people getting access to information that is very sensitive and to do things which is a critical one as we move into the Internet. But what we are trying to focus on, in terms of this hearing, is the authentication component. The cryptographic stuff that you are talking about, there are lots of great tools out there, but I think there are other bills and other hearings that are addressing those uses of those.
This authentication is one security mechanism that will allow the consumer to know, you know, if you are talking to your doctor and you want to give them some information you want to be sure that is your doctor. You want to be sure that you are talking to a merchant that is going to use your card information correctly. And this technology provides a solution for that. But if all of the different State approaches are different, then it is going to be almost impossible for us to use this technology. So, an additional security mechanism that will be able to give consumers assurances will not be available. Because it is going to be different in Massachusetts, from Illinois, to, you know, Wisconsin. All of those differences just create tremendous problems when you are operating on a national
Mr. KENNEDY. Well, Andrew, you have to talk a little bit more specifically about what those differences are, and how they specifically will end up affecting you. That argument that you are using has been utilized by people in industry sitting where you are sitting on almost every consumer protection piece of legislation that I have ever heard in this place, right. It is the same old harp every time. So, I am just trying to suggest to you that when you get down, if you can explain to us some very specific concerns that you have where one State's actions have severely limited your ability to provide a verification, and that that would be something that would damage the ability of commerce to take place on an interstate basis, that would be one thing. But just screaming that States are going to screw up every different transaction as a general theory, I don't think is really the standard that we ought to be setting in terms of the kind of action that we take in the Congress.
Mr. KONSTANTARAS. I did not address that in my testimony, but I would be happy to submit something to the subcommittee to address that.
Mr. KENNEDY. I think that would be helpful.
Mr. Chairman, thank you very much for the time.
Chairman CASTLE. Thank you, Mr. Kennedy.
Mr. JACKSON. Mr. Chairman.
Chairman CASTLE. Mr. Jackson.
Mr. JACKSON. If afforded the opportunity to ask an additional question, I
Chairman CASTLE. I thought we would have a little mini round here because I have a couple of questions, too. And I want to wrap it up fairly rapidly because everybody has other business today as well.
Again, maybe this is something that you want to submit writings on, but if you want to say something now, that is fine, but I want to ask another question ahead of this.
But, the ultimate question I want to ask is, you all heard Mr. Nugent speak to his seven points that he thought should be encapsulated in Federal legislation, I guess is a fair way of putting it, if we were to pass it. I don't know if you have his testimony there or not, but if any of you have any comments on that I would be interested in it. If you don't have it in front of you or if it would take too long, you can put it in writing, but I will be interested in your comments to that.
But my first preliminary question is could one or more of you give me a time-line with respect to Federal legislation? Are we behind the ball here? We should have done it 3 years ago or expanded what already exists on the books 3 years from now? Should we be doing it now? Should we be doing it 3 years from now? And I realize there are some differentials amongst what we should be doing with the States versus the Federal Government, but in general what should our subcommittee be looking at it in our own judgments from a time point of view, if any of you would like to comment on it. Mr. Nugent.
Mr. NUGENT. I will start it off.
Now is the time. There are 16 State laws on our watch that are now -- I am sorry, 16 State -- there is legislation pending in 16 States that will have an effect on banks in this area. And it will be differing effects. It is important now to get this minimalist national uniformity mandate in place. It would be important to get this done before next year. Next year, you are going to see a lot more of these electronic authentication systems really happening. Citibank conducted the first pilot of the SET standard for electronic authentication this year. We are looking very actively at enrolling our system and services. And, frankly, the differing State approaches inject an element of uncertainty in how we deal with it and an element of risk in how we go forward. Yet, our chairman is saying get this CA, our chairman, Citibank's chairman, get this certificate of authority issue resolved, try to figure out what you are doing, try to scope out the risk and the issues. So, we are having a lot of pressure to get this rolled out now and the systems are being manufactured now. So, it is important. And the 16 States are just a beginning.
Chairman CASTLE. Other comments either on the time-line or on Mr. Nugent's seven points?
Mr. GREENWOOD. Thanks.
I guess, first of all, on the time-line, my suspicion is that there is going to be a continuum of need over the foreseeable future and beyond for legislation and government action at all levels. There are some things I think that can be very fruitfully done starting now at the Federal level and certainly at State levels; namely, targeting existing antiquated requirements for writings and signings. I think that is one. The old quill pen laws really do stick out. That is something that is timely to begin analyzing now.
In terms of a more aggressive Federal law authentication act, my best guess, taking a look at the market, would be that in perhaps a year, as late as 18 months, it would be an appropriate time to revisit in earnest the issue based on the real technical and business practice regimes that have emerged at that time. And obviously in Internet years I don't know how many decades that would be. But, you know, keep a careful eye on it and act in a more accelerated fashion if that is necessary, but this is premature at this time.
And then, finally, on your first question as to the seven points, I regret that I don't have the seven points in front of me, but I was fortunate to get a fax of a draft of the technical amendments bill that was out and I reviewed it on the plane. The first thing that strikes me is some of the language I construed as very comprehensively preempting State contract law. And possibly rules of evidence. I am not sure if that is part of the points or not, but I think it would be very useful to begin a dialogue between proponents of this draft statute and a broader community to take a look at drafting much more narrowly and thinking about what the proper timing is.
Finally, I think it is important for the subcommittee to notice regarding the specific technology of public cryptography and the certification issue that the States absolutely share the feeling that there is an immediate need to begin coming up with business practices and standards for that, and we are seeking to work with the market to look for an accreditation scheme for certification authorities as opposed to a Government license scheme. There are seven States and three organizations and some Federal involvement in that now and a lot of industry involvement. And we would be happy to send a summary of that process to you in the future.
Chairman CASTLE. Before we go to Mr. Konstantaras and then we should perhaps go on to other Members up here, if any of you wish to submit anything on this in writing to our subcommittee or anyone, for all that matter, who is attending here today who may be very interested in the subject, we would be glad to receive that and review it as part of our process. It can be very helpful to us. Mr. Konstantaras.
Mr. KONSTANTARAS. I agree with Mr. Nugent. I think the time is now. I think we are a little bit late, in fact, in getting there with digital signature or electronic authentication legislation. Internationally, we are running the risk of losing our opportunity to be in the lead, because like I said, I am currently based in London right now and I am working with the German government and the Commission and other European governments. They are going at this very aggressively. If they come out with an international solution for interoperating, we will have to comply with that. I mean it would just be a fact. So, I think it would be very good for us to take the lead.
Chairman CASTLE. Thank you.
Let me turn to Mr. Flake now.
Mr. Lowry, do you want to comment?
Mr. LOWRY. Yes, I just wanted to reiterate, we are visited routinely by representatives from Japan, Malaysia, Germany, England. The train is very clearly leaving the station internationally. And we have a chance to either shape the direction of that trip or we will follow. And it is almost late, if not late.
Chairman CASTLE. Well, I would just say, to me, maybe I am wrong on this, but this is one subject in which you will not have a lot of Congressional protection as you might in some other areas. And we should be able almost in a vacuum to develop really good progressive legislation, hopefully. So that with your input we can do that, and hopefully competing interests won't conflict so much that we can't do the right thing. This is an area, in my judgment, we should be able to intellectualize ours to the right bottom line if we work together on it.
Mr. FLAKE. Thank you, Mr. Chairman. I will submit my statement and any further questions in writing and yield to Mr. Jackson.
Mr. JACKSON. I thank the gentleman for yielding.
Mr. Chairman, it is becoming increasingly clear to me that we need some kind of a treaty, or some kind of international summit on this issue, because the technology is moving very, very fast. And I think that we should consider sending a letter to the President on that issue.
Let me ask a question of all of the panelists, and it is very quick. You can just respond by a show of hands. How many of you think that the Internet should remain a tax-free zone?
Mr. DOREY. Might I ask for a qualification? What do you mean by ''tax free''?
Mr. JACKSON. Let me finish my question, and I appreciate that. I saw at least one hand.
If the Internet remains or becomes a tax-free zone, and because it is a tax-free zone it becomes the desirable method of transactions in commerce -- or the equivalent of promoting the Net's use through a Government subsidy of commerce -- does that mean that municipal, State, and Federal services from schools to firemen to drinking water to environmental enforcement to roads to national security should suffer at the expense of the efficiency of transactions in commerce? That is what we are talking about here, the efficiency of transactions in commerce. And is this a way around our present method for raising revenue for the Federal Government to handle vital services for the American people? I am interested in anyone's comments.
Thank you very much for the time, Mr. Chairman.
Chairman CASTLE. Would you yield for a minute?
Mr. JACKSON. I would be glad to.
Chairman CASTLE. I am not sure I understand. When we say ''tax free,'' are we talking about transaction tax free or sales tax or other transactions taxes? You are not talking about when somebody buys an automobile the company would still be responsible for taxes wherever it may be. It is the transaction itself would be tax free. Is that
Mr. JACKSON. My understanding, Mr. Chairman, of Governor Weld's impression and take on the Internet is that it should remain a tax-free zone for all transactions that has very little regard for transactions, including those taxes that we levy against automobile purchases, big ticket items. But the question becomes should we, since this is the equivalent of non-taxing Internet transactions, the equivalent of a Government subsidy, or at least our giving the Net transactions the ability to go ahead free from any form of taxation. Does that simply mean that we are promoting, therefore, the use of the Internet as a means for transactions in commerce, which could have the equivalent effect of being a Government subsidy, and to what expense, is really the nature of my question.
Mr. FLAKE. Will the gentleman continue to yield?
Mr. JACKSON. I will be glad to yield to my Ranking Member.
Mr. FLAKE. I think you get into a pretty gray area that is already operative in the mail order business, that the person can order an item, have it sent to almost any State today, and in general, to my knowledge and understanding, does not have to pay tax on that. And so your question is very relevant just in terms of trying to determine what does it mean when one says a tax-free zone.
Are we talking about the same kind of exemption of whatever we have granted or haven't dealt with, really, as it relates to mail order? Are we talking about some kind of tax exemption that has to do with all Federal and State taxes that would ordinarily apply on that kind of purchase? So, I yield back and they can answer.
Mr. JACKSON. I thank the gentleman for his clarification. That is precisely along the lines that I am getting at. If any of the panelists would feel free to comment, we would be more than welcome to hear.
Chairman CASTLE. Mr. Nugent.
Mr. NUGENT. Yes, sir. The point that we have been raising is the Internet should not be an excuse to add a new tax just because it is an Internet transaction, but that a transaction conducted over the Internet, if it results in a sale should yield a sales tax. If it results in income to a recipient, there should be income. In other words, an income tax. In other words, the tax law shouldn't be changed or be removed from the Internet. But the Internet shouldn't be a reason to add a new tax like, say, a tax on bits of information that go back and forth. Or a tax on some perceptible value that is derived because you are using the Internet versus some other thing. That is what we mean by Internet should be a tax-free zone. In other words, it should not be an excuse for new taxes.
Mr. JACKSON. I am wondering, consistent with that, are there occasions, Mr. Chairman, where we engage in transactions where the Net could be used to avoid our present -- is it more efficient -- I understand it to be more efficient. But is it a way around paying transactions and taxes that require our in-person involvement?
Chairman CASTLE. Yes, my judgment isI come from a State, first of all, that doesn't have a sales tax, so I am a little biased on this. But, my judgment is, I think the answer is fair that we just received. My view is, if there is normally a sales tax, if there is normally income aspects that would be taxed, that those things probably should still be in place. But we all know that many people go through mail order systems and avoid paying taxes altogether, as Mr. Flake has pointed out.
I can tell you we have developed corporations in Delaware and have all kinds of yachts and other things registered there to avoid either personal property taxes or sales taxes. I mean this goes on regularly. And I think the Internet is going to invite all manner of attempts to avoid taxation.
While we don't have a sales tax, we have a 3 percent document fees on cars. Once you try to register, they would get you on that anyhow. That is going to happen.
So, you do raise in my judgment a very significant question. And that is, are we avoiding taxes and therefore impacting State revenues or whatever it may be? I don't think there should be any additional taxes, either.
Mr. Greenwood may want to comment on that because he sort of brought it up originally. I would be interested in how Massachusetts is looking at that.
Mr. GREENWOOD. I work for the Information Technology Division, I should hasten to add, not the Department of Revenue, and this is fairly significantly out of the scope of my competence.
And just one other sort of covering comment would be anywhere in my testimony that is in conflict with Governor Weld's on the Internet, you know, by all means yield to the Governor. But I think our general position is not to tax. There was a telecommunications tax which was actually passed, I believe in the waning years of the Dukakis Administration which was finally repealed. And that was something that the Weld Administration had supported. That was an example of a particular tax on telecommunications which was not welcome.
I know generally that there are knotty issues of nexus when you are dealing with Internet transactions that are multijurisdictional by nature.
Another issue that has come up has been the tremendous administrative burden that Internet commerce companies are subject to for doing sales in a number of States where it is not always possible to know exactly, technically speaking, where that TCP/IP address is, geographically, when a Net-based transaction comes in. So, it raises a specter of a relatively burdensome overlay of administrative costs in order to accommodate 50 -- potentially 50 -- different State tax regimes for this area of transaction.
I would assume that the general principle that we have for Internet law and policy is that we need consistent treatment of transactions among States and between the States and the Federal Government and, frankly, internationally, would apply also to tax measures.
Chairman CASTLE. The Internet knows no State boundaries, but it knows no international boundaries, either.
Mr. Dorey hadn't even commented on that. But you know the truth of the matter is, you can start dealing all over the world with this. So, we get into a hugely complicated area in terms of the tax aspects of these transactions. I am not sure if that is something that we should be legislating on here. But it is, boy, it is something we should all be paying attention to in this country as we go more and more into this.
Mr. BEREUTER. Thank you, Mr. Chairman. I am not about to get into ''naughty'' issues of nexus, and I am not sure it is about naughty, but I am interested in the very strong expression of sentiment that it is time, or perhaps a little past time, for us to move.
I think that, Mr. Chairman, your optimistic comments about an opportunity for us to work together with industry consumer groups and with the committees is, I hope, realistic.
It seems to me that there are reasons why a consumer group should like to have the United States at the Federal level set the policy. The truth-in-savings, truth-in-lending provisions are not going to be implemented by a directive that comes from the European Commission. And, as we know, in the first 200-plus directives that they issued at the European Commission level, there was a lack of transparency. We had to fight to understand what would happen. There were elements of protectionism. And certainly in many of those directives, and certainly some were not based on good science, especially when the European Parliament had an impact upon the Commission. And we still suffer from some of those non-tariff barriers and that is what they really are.
It is clear to me that it is very much a ''talk-down system'' that doesn't pay as much attention as I think we want to pay to consumer issues. But from a business point of view, I do think there are reasons why we want to set the standard, and you have enunciated a few of those, so that we can maintain a high level of competitiveness from the beginning.
In my judgment, if we do pass appropriate legislation here we will set the standard for the world. And we don't have to go through a complicated kind of arrangement where we move through an international treaty process.
I would ask any of the witnesses if they believe that legislation which is generally being sketched here would in any fashion necessarily be inconsistent with the Clinton Administration's recently announced policy on global information infrastructure -- I don't see any necessary difficulties; it seems to me to be consistent -- but I would like to have any warnings that you might have.
Mr. DOREY. If I might pick up.
Mr. BEREUTER. Mr. Dorey.
Mr. DOREY. I think an encouraging point on the European view is that there seems to be a level of openness, a recognition that electronic commerce is truly a global issue, and, in fact, by putting up any sort of barrier will actually disadvantage Europe rather than advantage it in any way. So, I believe the openness is there. I do have a concern, however, that in a vacuum something will rush in and fill it. And if there isn't, say, a matching or equal U.S. force present, then there will be a danger that certain European factions might bias the legislation in a non-international light. So, I think, Mr. Bereuter, it is important to move ahead at the same time in the U.S. to at least match the progress in Europe.
This corresponds to the thoughts in the recent statement by the Administration. I believe what we are saying is fully in accord with that.
Mr. BEREUTER. Mr. Nugent, do you believe that banks are among the more interested commercial parties in this country? And a standard encryption policy and a key structure, which is a separate question?
Mr. NUGENT. That is different than this issue. Banks are the biggest users of encryption, and I think will, in the immediate future, be the biggest users of electronic authentication in part because of the pace of electronic banking and in part electronic banking. Internet banking is going to have to be there before electronic commerce occurs. Otherwise, it is not going to be electronic commerce; it is going to be electronic billboards. So, I think financial institutions are, in fact, leading the way, which is why we focused on financial institutions; we are also a financial institution. We also think that this is where legislation should start. It does not mean that other players can't pick their own legislative approach; we just think we need legislation now for inspection institutions to clear the uncertainties posed by State legislation and come up with a simple minimalist regime along the lines of what the Clinton Administration had called for.
Mr. BEREUTER. What are the points of nexus between electronic authentication and encryption as far as commercial banks are concerned?
Mr. NUGENT. The way I see encryption, it is used to take a message and scramble it up, to hide it from those who may intercept it.
Mr. BEREUTER. Right.
Mr. NUGENT. That is not what this is about. This uses the same underlying mathematical algorithm principle. It uses cryptography, that is, electronic authentication. It uses cryptography for a totally different purpose. It uses it to authenticate a user, authenticate the content of a message, and to tie a message to a sender. So it is cryptography to use it for authentication versus cryptography used to scramble the message.
Mr. BEREUTER. So, do you believe they were two entirely separate tracks?
Mr. NUGENT. Absolutely separate. We have studiously tried to keep these things separate.
Mr. BEREUTER. Thank you, Mr. Chairman.
Chairman CASTLE. Thank you, Mr. Bereuter.
We will now conclude our hearing. Let me thank all of you very much. Because of the nature of ongoing, with the consideration of legislation, we may be in touch with you. Also, the Members may have a particular question they may want to submit to you in writing and hopefully you will be able to answer those as well. But we do very much appreciate all of you being here, the attendance of the subcommittee Members and staff members and everybody who has been here today, and hopefully this will be a springboard to better legislation in the future with respect to authentication. Thank you.
The hearing is adjourned.
[Whereupon, at 11:46 a.m., the hearing was adjourned.]