S 25(1) of the Electronic Transactions Act 2010 “(1) Any public agency that, under any written law —
(a) accepts the filing of documents, or obtains information in any form; (b) requires that documents be created or
retained; (c) requires documents, records or information to be provided or retained in their original form; (d) issues any
permit, licence or approval; or (e) requires payment of any fee, charge or other amount by any method and manner of
payment, may, notwithstanding anything to the contrary in such written law, carry out that function by means of
electronic records or in electronic form.”
Similarly, under Indian legislation,
Section 4 of the Information Technology Act 2008 reads as
follows:
“4. Legal Recognition of Electronic Records
Where any law provides that information or any other matter shall be in writing or in the typewritten or printed form,
then, notwithstanding anything contained in such law, such requirement shall be deemed to have been satisfied if such
information or matter is:
(
a) rendered or made available in an electronic form; and
(b) accessible so as to be usable for a subsequent reference.”
2.4 Identification, Authentication and Authorization
The online services accessible to users on the web portal of a Single Window are the proverbial tip
of the iceberg. In addition, the Single Window must adopt a secure and legally sound solution in
order to provide access to diverse applications and business processes of participating CBRAs, and
to give Single Window users a sense of seamless access.
UN/CEFACT Recommendation No. 35 suggests the adoption of an ‘identity management’ solution.
The Single Window solution needs to provide ‘rule-based and role-based’ access to heterogeneous
systems. Identity management solutions that are based on open standards can promote
interoperability by federating and managing identities of users across different organizations. It is
also necessary to isolate and decouple the access control mechanisms from the underlying
application and database resources which may be hosted on disparate platforms.
There is hardly any legislation which explicitly addresses identity management systems (European
Commission (TURBINE Project),2009).
However, privacy and data protection law squarely applies
to data held in identity management systems. Some other regions have also pursued paths towards
international standards in this area, most notably the APEC Cross-Border Data Privacy ‘Pathfinder’
programme. Be that as it may, the Single Window operator must meet national legislation on
privacy, and commercial confidentiality must be observed.
There is a concern regarding the ability of identity management systems to enable digitally available
personal data in disparate systems to be linked up, and to observe the actions of individuals, as well
as a concern that individuals do not have the ability revoke their identity.
Data protection authorities
therefore lay stress on the unlinkability of the information contained in identity management
8
systems, the unobservability of actions, and the
revocability of identity as legal principles that
should govern identity management systems
and federated identities.
These concerns need to be reconciled with the
broader purposes of using identity management
systems in a Single Window environment:
automated systems operated by authorities will
in some applications legitimately seek to link
up information about economic operators for
risk profiling purposes, and therefore
deliberately seek linkability. Further, they like
to maintain observability and auditability of
actions by individuals: the latter are not at
liberty to revoke their engagement with the
identity management systems operated on the
Single Window and, in any case, should not be
able to repudiate their actions.
The contracts that bring users on board a Single
Window system need to reconcile these
opposing concerns of individual privacy and
legitimate business interest. Having ‘accepted’
the terms of participation in a Single Window
environment, economic operators waive their
rights to privacy and commercial
confidentiality to the extent that the
information is for the legitimate use of CBRAs.
Identifiers issued to the individual user should
be somehow linked to his/her civil identity that
is duly issued by the State. This is analogous
to economic operators being identified based
on their legally assigned identifiers (e.g. their
business registration number or EORI number).
CBRAs need to identify regulated entities in
the event of having to proceed against them to
enforce cross-border trade regulations.
Furthermore, it is a legal person that needs to be held to account for his/her observed actions in the
automated systems.
Authentication and authorization are mechanisms performed by the automated system. The former
is the mechanism under which the system is securely able to identify the user and to ascertain
whether the user is the person he or she is claiming to be. The latter is about the level of access of a
user, and whether the user is allowed to perform a particular operation (e.g. a database update
operation).
UN/CEFACT Recommendation No. 14
UN/CEFACT Recommendation No. 14,
‘Authentication of Trade Documents by Means other
than Signature’, has been revised. The
Recommendation seeks to reinforce the message
contained in the earlier text on the need to do away
with paper signatures and to encourage the use of
electronic data transfer in international trade. It
exhorts governments to review national and
international requirements for signatures on trade
documents in order to eliminate the need for paperbased documents, by meeting the requirement for
manual-ink signatures through authentication methods
that can be electronically transmitted. The message is
equally valid for the traders and their solution
providers, who should also examine business
processes to identify signatures (of any kind) and to
eliminate them and, where not possible, to pursue the
electronic transfer of trade data and the adoption of
authentication methods other than the manual-ink
signature.
The main points in the Recommendation are:
removal of the requirement for a signature
(manual or its functional equivalent) except
where essential for the function of the
document
introduction of other methods to authenticate
documents
creation of a legal framework that permits and
gives equal status to authentication methods
other than manual-ink signature
regular review of documentation used for
domestic and cross-border trade, possibly by a
joint public and private sector effort
9
Consistent application of identification, authentication and authorization procedures is vital for
ensuring that the information system is secure and is delivering a consistent, auditable service.
Single Window services grow with the trust of their users over years of reliable operation. The legal
validity of actions performed by users will be challenged in the absence of a legally sound
mechanism of identification, authentication and authorization.
The conditions under which electronic records, electronic documents and contracts will have
probative value are determined according to national legislation. Determinations about digital
evidence will be made in courts, where experts will have to assist judges in deciding on the
evidentiary value of access logs (for instance, whether such records were authentic, reliable and
intact). In the case of electronic records or documents, valid digital signatures will have high
evidentiary value.
Digital evidence is an important legal issue. In some countries, digital signatures may not be given
more probative value than other types of electronic signature. Further, there are costs and reliability
issues associated with digital signatures that come into play in many national environments. Thus,
whilst digital signatures are technologically sound and feature in the WCO SAFE Framework of
Standards as a means for securing data, there are other ways of acquiring data, and the measures
taken to protect it must be commensurate with the risks associated with its breach.
