Why COM(2012) 238/2 is not a good proposal
I and many with me have serious issues with Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market’ COM(2012) 238/2, and no, it is not only the very long name of the proposal, but that the way it tries to solve the problem with the fact Directive 1999/93/EC on a ‘Community framework for electronic signatures’ has not been implemented. In reality, I think the problem that it is not implemented is that the Directive tried to impose on entities who to trust. One can never do that. Whoever is to take and calculate a risk must both benefit from a trust service and be able to choose as many parameters as possible.
Also note that what now is created is a Regulation. Not a Directive. If this regulation that is on its way through the European Parliament passes, it is immediately legislation. It is not, as a directive, to be implemented in national legislation.
But this explanation might not explain clearly enough why the regulation is bad. My friend Fredrik Ljunggren at Kirei has explained very well the flaws of the regulation. Below are his words:
I think the problems are:
- The focus on a government-provided electronic identification scheme using a single technology, which have been tried in several member states and failed miserably every single time. I’m not aware of a single successful roll-out of government issued PKI-based tokens to citizens (successful = where citizens actually use the tokens) during the decade of the old directive (1999/93/EC).
- The lack of a trust framework, which would clearly define assurance levels for interoperability. This is not suitable to have in a legislation, but is rather a set of rules mutually agreed between the stakeholders (the MS in this case). The regulation should provide (just) the foundation for such a mutually agreed trust.
- The complexity and low-level technocratic approach has been discussed in many fora. It focuses on the methodology, not the goals to achieve. Rather than harmonizing the legal status of an electronic signature, it regulates everything from how time should be provided to the requirements of a device for creating such signatures. Hand-written signatures can be created on any paper, using any type of pen. And we have not had the need for a certification scheme of watches and clocks before.
- There is no clear trust model. It is immensely unclear what liability a MS would assume on behalf of a trust service provider for participating in this model. Also, it prohibits any business model where the costs are transferred to where the benefits arise (the relying parties). This is a key to get the ecosystem started, as I believe the development are driven by market forces rather than incubated by the government using tax money (see bullet 1). This is also closely tied to bullet 2.
In my opinion, a regulation must be the lowest common denominator necessary to facilitate interoperable trust between MS. Everything beyond that is just likely to create obstacles for the very purpose of the regulation. As evidence I refer to the old directive.
The trust have to originate from voluntary agreements. No entity can be forced to trust another, they would do it for their own benefit and choose who to trust. A federation (or similar constellation of trust service providers) would be a way for a relying party to establish transitive trust to possibly a large numbers of trust service providers. It is purely something to facilitate integration, and even within a federation, an entity may have separate rules for who to trust and not trust.