III. THE ELECTRONIC TRANSACTIONS ORDINANCE
The Electronic Transactions Ordinance (“ETO”) was enacted on January 5, 2000, and was fully implemented by April of that year. It was influenced by the American Bar Association Digital Signature Guidelines, the Utah Digital Signature Act, the UNCITRAL Model Law on Electronic Commerce, the U.S. Uniform Electronic Transactions Ordinance, and the European Union's Digital Signature Directive.
A. Legal Recognition of Digital Signatures
In 1995, Utah became the first jurisdiction in the United States to enact a digital signature law.
In that statute, Utah recognized only digital signatures; it did not recognize other types of electronic signatures.
Although such a law provides for relatively more security in e-commerce transactions, it carries the disadvantage of being too restrictive. Nevertheless, Hong Kong followed the Utah example in its original ETO recognizing only the digital signature, and did not grant recognition to other forms of electronic signatures.
In granting recognition to the digital signature, Hong Kong was effectively telling the world that it would treat a digital signature the same as it treated a handwritten, “hard copy” signature.
Under the ETO, “digital signature” was defined similarly to the Utah Act, as follows:
An electronic signature of the signer generated by the transformation of the electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can determine: (a) whether the transformation was generated using the private key that corresponds to the signer's public key; and (b) whether the initial electronic record has been altered since the transformation was generated.
The original ETO was not “technologically neutral.” Instead, it favored one technology, the digital signature, to the exclusion of other forms of electronic signatures.
The need for heightened security seemed to be paramount in the mind's eye of the ETO's creators. However, there are tradeoffs. The attainment of greater security, achieved by only granting recognition to the digital signature, meant that e-commerce participants' choices would be limited. They would be forced to use a technology that offered high security, but one that perhaps also would be more expensive, less convenient, too complicated, and less adaptable to technologies employed by other nations.
B. Concomitant Effects of Sole Recognition of the Digital Signature
Sole recognition of the digital signature, to the exclusion of other types of electronic signatures, has these concomitant effects: (1) employment of an asymmetric cryptology; (2) utilization of public key infrastructure (“PKI”); and (3) regulation of Certification Authorities.
1. Asymmetric Cryptology
Under the Utah Model, adopted in the original ETO, “digital signatures receive legal protection only if asymmetric key cryptology produced the digital signature.”
Such a system employs two keys: one key is used by the sender to encrypt the message, and a different, albeit mathematically related, key is used by the recipient to decrypt the message. The sender has a private key, known only to him/her, used to generate the digital signature, and the recipient uses the public key, often available online, to verify that the proper party created the message and that it has not been altered during transmission.
This is a very good system for e-commerce, since two stranger-parties, perhaps living far apart, can confirm each other's identity and thereby reduce the likelihood of fraud in the transaction.
2. PKI
Before a party can digitally “sign” anything, he/she must first be in possession of a pair of keys: the private key and a related public key.
The party will apply to a Certification Authority (“CA”) to confirm his/her identity and to issue the pair of keys. After the applicant's identity has been confirmed, the CA will issue a certificate as verification of the subscriber's identity. The certificate will be placed in a public repository, most often the CA's website. Whenever the subscriber digitally signs a message, the CA confirms the signature of the sender; whereupon, the CA informs the recipient of the encrypted message which “public key” is necessary to decode the message. At that point, the recipient is able to access the public key which is used to decrypt the sender's message.
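The following is an added example, not code from the article or from any Hong Kong CA, showing in working Go what the ETO definition of a “digital signature” in section A and the key-pair/certificate flow just described amount to in practice. It assumes ECDSA over P-256 with SHA-256 as the asymmetric cryptosystem and hash function (the ETO names neither), and the `Certificate` struct is a constructed, deliberately minimal stand-in for a CA-issued certificate, not a real X.509 format. The relying party checks exactly the two things the definition lists: (a) that the signature was generated with the private key matching the certified public key, and (b) that the record has not been altered since signing; it also checks that the certificate itself carries the CA's signature before trusting the public key inside it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Certificate is a constructed stand-in for a CA-issued certificate: it binds a
// subject name to a public key and carries the CA's signature over that binding.
// Real certificates (X.509) carry far more; this only shows the mechanics.
type Certificate struct {
	Subject   string
	PublicKey []byte // subject's public key, DER-encoded (PKIX)
	CASig     []byte // CA's ECDSA signature over hash(Subject || PublicKey)
}

// GenerateKeyPair creates the pair of keys the text describes: the private half
// stays with the subscriber, the public half goes into the certificate.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign follows the ETO definition: hash the electronic record, then transform
// the digest with the signer's private key.
func Sign(priv *ecdsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify answers both questions in the definition at once: it returns true only
// if (a) the signature was made with the private key matching pub and (b) the
// record is byte-for-byte the one that was signed.
func Verify(pub *ecdsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// certificateTBS is the byte string the CA signs ("to be signed").
func certificateTBS(subject string, pubDER []byte) []byte {
	return append([]byte(subject+"\x00"), pubDER...)
}

// IssueCertificate is the CA's step: after identity checking (out of scope
// here), it signs the subject-to-key binding with its own private key.
func IssueCertificate(caPriv *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey) (*Certificate, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	sig, err := Sign(caPriv, certificateTBS(subject, pubDER))
	if err != nil {
		return nil, err
	}
	return &Certificate{Subject: subject, PublicKey: pubDER, CASig: sig}, nil
}

// VerifyCertificate is the relying party's step: using the CA's public key
// (obtained out of band), it checks that the certificate was really issued by
// that CA and has not been altered, then returns the subscriber's public key.
func VerifyCertificate(caPub *ecdsa.PublicKey, cert *Certificate) (*ecdsa.PublicKey, error) {
	if !Verify(caPub, certificateTBS(cert.Subject, cert.PublicKey), cert.CASig) {
		return nil, errors.New("certificate signature does not verify under the CA key")
	}
	parsed, err := x509.ParsePKIXPublicKey(cert.PublicKey)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an ECDSA public key")
	}
	return pub, nil
}

// VerifySignedRecord chains the two checks: certificate under the CA key, then
// the record's signature under the certified subscriber key.
func VerifySignedRecord(caPub *ecdsa.PublicKey, cert *Certificate, record, sig []byte) (bool, error) {
	subPub, err := VerifyCertificate(caPub, cert)
	if err != nil {
		return false, err
	}
	return Verify(subPub, record, sig), nil
}

func main() {
	ca, _ := GenerateKeyPair()
	subscriber, _ := GenerateKeyPair()
	cert, _ := IssueCertificate(ca, "constructed subscriber", &subscriber.PublicKey)

	record := []byte("constructed electronic record: pay HK$100 to X") // constructed sample
	sig, _ := Sign(subscriber, record)

	ok, _ := VerifySignedRecord(&ca.PublicKey, cert, record, sig)
	fmt.Println("genuine record, genuine signer:", ok)

	altered := []byte("constructed electronic record: pay HK$900 to X")
	ok, _ = VerifySignedRecord(&ca.PublicKey, cert, altered, sig)
	fmt.Println("altered record (check b):", ok)

	impostor, _ := GenerateKeyPair()
	forged, _ := Sign(impostor, record)
	ok, _ = VerifySignedRecord(&ca.PublicKey, cert, record, forged)
	fmt.Println("wrong private key (check a):", ok)
}
```

Note that the relying party never contacts the CA at verification time in this flow; everything it needs is the CA's public key and the certificate, which is why the article's later concerns about certificate repositories, revocation and CA insolvency matter: once the CA key is trusted, a certificate it signed keeps verifying until something external says otherwise.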
The Utah model prescribes an open PKI system.
In an open system, unlike a closed one, the same certificate is used for all parties with which the subscriber wants to transact. Accordingly, it is relatively easier to enter into a transaction because it is easier to digitally sign a document.
However, if the subscriber's private key is lost or compromised, the consequences are potentially much more egregious because there is a greater likelihood that the subscriber may be defrauded.
Notwithstanding the adoption of an open system, the ETO does contain some features which are typical of a closed system, such as: (1) all Recognized CAs must issue annual Certification Practice Statements; and (2) Recognized CAs also have the option of specifying monetary liability limits in the certificates they issue.
Both of these considerations have the effect of reducing the potential legal exposure of the Recognized CA, and this is akin to a closed system. Therefore, it may be said that the Hong Kong System is a “hybrid” one rather than being purely open or purely closed.
3. Regulation of Certification Authorities
The ETO does not require a CA to apply for “recognition.” An “unrecognized” CA may legally operate in Hong Kong. However, the ETO does not apply to an unrecognized CA. As a result, a digital signature issued by an unrecognized CA has no legal recognition, and accordingly, no legal rights and obligations will attach to it that are enforceable in a court of law. Thus, although it is a “voluntary” system, an unrecognized CA faces tremendous pressure to become “recognized.” In a de facto sense, the system is not really voluntary; it is compulsory.
Furthermore, an unrecognized CA has unlimited liability, whereas a Recognized CA (“RCA”) is generally able to limit its liability under the ETO.
For example, an RCA will not be liable for loss incurred due to reliance on a false or forged digital signature supported by its certificate, provided the RCA has complied with all material requirements of the ETO and the Code of Practice.
Additionally, the RCA may reduce its exposure by placement of a “cap” on its legal liability, i.e., by stating a “reliance limit.”
The RCA is afforded limitation of liability because of two reasons: (1) it will speed up the issuance of certificates, since the CA will not have to engage in so much research of the applicant; and (2) it will make the purchase of the digital signature cheaper to the applicant, since the RCA will have less expenses due to diminished need for liability insurance coverage. On the other hand, the ETO has been criticized for shifting “an immense liability burden onto consumers who conduct electronic transactions through the RCA.”
But note: the above does not give the RCA carte blanche to be negligent, reckless, or to intentionally deceive. The RCA will be liable for damages incurred due to reliance on erroneous information stated in a certificate or in a repository, if the RCA had a duty to confirm the information according to the Code of Practice or the Certification Practice Statement, but negligently, recklessly or intentionally failed to do so.
The RCA is afforded relatively greater respect and status than its unrecognized counterpart. Subscribers, other interested parties, and the general public place relatively greater trust and reliance in an RCA. This is because RCA status is only granted to those CAs with: (1) a good financial position; (2) good liability insurance coverage; (3) trustworthy systems; (4) good security arrangements; (5) high standards required for issuance of certificates; (6) officers who are “fit and proper persons;” and (7) notice of acceptance reliance limits which are stated in the certificates.
The RCA must be able to show that it uses a trustworthy system of issuing and withdrawing certificates and displaying them in a public repository. The Director of Information Technology issued a Code of Practice for RCAs, which delineates the standards and procedures to be used by RCAs for implementation of the ETO.
Furthermore, every RCA is required to submit a report to the Director of Information Technology Services, a Certification Practice Statement (“CPS”), stating the standards and procedures employed in issuing certificates and in carrying out its other tasks.
The CPS, in turn, is used to determine the legal liability limits of the RCA.
Interestingly, the ETO established the Hong Kong Post Office as an RCA.
Several reasons may account for this. One is that it is simply convenient to go to a local post office in one's neighborhood to find an RCA. Another reason may be that the lawmakers were unsure as to whether private firms would be interested in becoming a CA and they wanted to ensure that at least one well-known CA was available to get the implementation of the ETO underway.
The Director has a number of enforcement powers which may be exercised against RCAs. Their recognition may be suspended or revoked if they do not: (1) maintain a trustworthy system; or (2) abide by the provisions of the ETO, the Code of Practice, or its own CPS.
C. Obligation of Secrecy
In reaction to the public concern over security of private information, the ETO included a provision mandating secrecy. Persons attaining access to confidential data while performing functions covered by the ETO (e.g., the RCA's attainment of the subscriber's personal information in an application for a certificate) are prohibited from disclosure to other persons.
The ETO also forbids the knowing or reckless dissemination of false information whilst engaged in a function under the statute (e.g., giving false information to an RCA in an application for a certificate), and forbids persons from pretending to be an RCA. Violators may be subject to fine or imprisonment.
D. ETO Not Applicable in Certain Specified Situations
The old-fashioned “hard copy” is still mandatory in the creation of the following legal documents: wills, codicils and other testamentary documents; anything to do with the creation, change or revocation of an express trust; a power of attorney; documents required to be stamped pursuant to the Stamp Duty Ordinance (Cap. 117); government grants and leases; deeds, conveyances, judgments, written instruments, lis pendens and documents effecting a floating charge (referred to in sect. 2A) pursuant to the Land Registration Ordinance (Cap. 128); assignments, mortgages and legal charges under the Conveyancing and Property Ordinance (Cap. 219); oaths and affidavits; statutory declarations; judgments or orders of a court; warrants issued by a court or a magistrate; and negotiable instruments.
Furthermore, in Hong Kong (as in most jurisdictions of the world), forget about using email to file court documents. The ETO is not applicable to matters coming before the following courts, government agencies or government officials: the Court of Final Appeal; the Court of Appeal; the Court of First Instance; the District Court; the Mental Health Review Tribunal established pursuant to the Mental Health Ordinance (Cap. 136); the Lands Tribunal; a coroner appointed under § 3 of the Coroners Ordinance (Cap. 504); the Labour Tribunal; the Obscene Articles Tribunal established under the Control of Obscene and Indecent Articles Ordinance (Cap. 390); the Small Claims Tribunal; and magistrates.
E. Deficiencies of the Original ETO
1. No Mention of Foreign CAs
E-commerce is an international phenomenon. If a party in Hong Kong engages in a commercial transaction with a party in a foreign country, and the foreign party uses a certificate issued by a foreign CA, does the ETO recognize that certificate? That issue was not dealt with in the original ETO.
2. No Mention of Insolvency of CAs
What if the CA, after issuing the certificate, becomes insolvent and declares bankruptcy? What is the impact of that situation on the legal viability of the certificate generally, and upon the legal liability of the CA specifically? This important issue is not addressed in the ETO.
3. No Mention of Legal Obligations of Subscribers
The ETO devotes a considerable amount of attention to the duties and responsibilities of CAs. In particular, the statute goes to great pains to ensure that the CA uses a “trustworthy” system. However, the original ETO gave scant attention to the duties and responsibilities of subscribers, and to their actions which could undermine the trustworthiness of the system. Subscribers should be held accountable and legally responsible for their actions which reduce the security of the system, e.g.: (1) not maintaining adequate security controls over the private key; (2) committing errors in the creation of the message and the digital signature; and (3) using unreliable hardware or software which could lead to mechanical errors. If the CA has responsibilities, so does the subscriber.
4. Deficient Consumer Protections
Sometimes, the e-commerce buyer finds herself at the mercy of the predator-seller. In particular, the buyer needs protections requiring the seller to prominently display electronic notices pertaining to the sale, and ensuring that the buyer will be able to gain access to those notices.
5. The “Hamstrung” Effect
As mentioned, the original ETO followed the Utah Model and adopted the digital signature as the only recognized technology. This degree of devotion to one technology “locked in” the ETO to the digital signature exclusively and made it less open-minded and considerate of other, potentially better technologies. Technology changes and evolves at a rapid pace indeed. Accordingly, the original ETO had the drawback of becoming passé and out-of-date overnight, just as soon as some new, better form of technology made its appearance.
The original ETO was criticized for being too inflexible, and this criticism (and others) led to a number of amendments in the statute.