Thursday, December 8, 2011

1.0 Introduction

The Uganda Law Reform Commission through its Commercial Justice Reform Project undertook a review and formulation of laws to regulate ICT related matters in the country. Three ICT laws were enacted in 2011 to supplement the National Information Technology Authority, Uganda Act (NITA-U Act), namely the Electronic Transactions Act, the Electronic Signatures Act and the Computer Misuse Act, collectively referred to as ICT laws.

Recognising that these ICT laws are the backbone of the regulatory framework for the ICT sector, it is important to provide the enabling regulations that will make it possible for the government to implement the principles they are meant to achieve. It is also imperative that the laws comply with the United Nations Convention on the Use of Electronic Communications in International Contracts (2005), as well as other international or regional policies or frameworks governing electronic transactions and other attendant matters.

Following the enactment of these ICT laws, the Ministry of ICT, being the promoter of the laws, constituted a Think Tank Team on a multi-institutional basis to strategize on the process of their operationalisation. Due to the complexity of the regulatory issues surrounding the operationalisation of these ICT laws, the Think Tank Team sought the expert support of legal (ICT law) and IT experts to facilitate the development of the regulations.

The Consultancy Team in collaboration with the Think Tank is in the process of drafting regulations in relation to digital signatures, and in particular as required by The Electronic Signatures Act (ESA) read with The National Information Technology Authority, Uganda Act (NITA-U Act). In doing so, the team is researching the requirements of the empowering legislation and other related legislation and government policy, as well as looking at relevant international instruments and comparative approaches in other domestic jurisdictions.

A key component of the Team’s assignment is to conduct face-to-face interviews with key informants from stakeholder institutions and individuals in Uganda to seek their views.

In this light, we would like to discuss some issues with you and get your feedback and advice on the policy and legislative framework, the identification of the regulations required, and a comparative analysis of international instruments and other similar national and regional jurisdictions.

2.0 Policy and Legislative Framework

2.1 NITA-U Act

NITA-U was established by the National Information Technology Act 2009. The purpose of the Act is to provide for the establishment of the National Information Technology Authority, Uganda, and to provide for its objects, functions, composition, management, finances and other related matters. NITA-U’s objects, spelt out in the NITA-U Act, are -

(a) to provide high quality information technology services to Government;

(b) to promote standardization in the planning, acquisition, implementation, delivery, support and maintenance of information technology equipment and services, to ensure uniformity in quality, adequacy and reliability of information technology usage throughout Uganda;

(c) to provide guidance and other assistance as may be required to other users and providers of information technology;

(d) to promote co-operation, co-ordination and rationalisation among users and providers of information technology at national and local level so as to avoid duplication of effort and ensure optimal utilization of scarce resources;

(e) to promote and be the focal point of co-operation for information technology users and providers at regional and international levels; and

(f) to promote access to and utilisation of information technology by the special interest groups.

NITA-U’s functions are, amongst others to -

1. Co-ordinate, supervise and monitor the utilisation of information technology in the public and private sectors;

2. Set, monitor and regulate standards for information technology planning, acquisition, implementation, delivery, support, organization, sustenance, disposal, risk management, data protection, security and contingency planning;

3. Regulate the electronic signature infrastructure and other related matters as used in electronic transactions in Uganda;

4. Promote and provide technical guidance for the establishment of e-Government, e-Commerce and other e-transactions in Uganda; and

5. Protect and promote the interest of consumers or users of information technology services or solutions.

After the promulgation of the NITA-U Act, the Uganda Law Reform Commission, through its Commercial Justice Reform Project, undertook a review and formulation of laws to regulate ICT related matters in Uganda. As a result, three ICT laws were enacted in 2011 to supplement the NITA-U Act, namely the ESA, the Electronic Transactions Act and the Computer Misuse Act.

The Consultancy Team has been engaged to draft regulations in relation to digital signatures, and in particular as required by the ESA, read with the NITA-U Act.

2.2 Terminology of Electronic Signatures

Definitions

As you may have noticed, we have already used the terms digital signature and electronic signature. Before proceeding, it is important to understand the terminology used generally, and specifically as set out in the ESA.

“Electronic signature” is a general term referring to the various methods by which a person can sign an electronic data record. Electronic signatures can be created using many different technologies and can manifest in various ways. Examples of electronic signatures include a name typed at the end of an e-mail message, a digitised image of a hand-signed signature attached to an electronic document, a secret code (for example, those used with ATM cards and credit cards), a biometric identifier, such as a fingerprint or a retinal scan, and finally, also a digital signature (created through the use of public key infrastructure / cryptography).

"Digital signature", on the other hand, is a more specific term referring to a signature using public key infrastructure / cryptography.

In the ESA, there are various terms referred to and defined, including the most generic, “signature” to the more specific, “advanced electronic signature” and “secure signature”.

“Signature” is defined to include any symbol executed or adapted or any methodology or procedure employed or adapted, by a person with the intention of authenticating a record, including an electronic or digital method.

“Electronic signature” is defined as data in electronic form affixed to or logically associated with a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory’s approval of the information contained in the data message, including an advanced electronic signature and the secure signature.

“Digital signature” is defined as a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine (a) whether the transformation was created using the private key that corresponds to the signer’s public key; and (b) whether the message has been altered since the transformation was made.

“Advanced electronic signature” is defined as an electronic signature which is (a) uniquely linked to the signatory; (b) reliably capable of identifying the signatory; (c) created using a secure signature creation device that the signatory can maintain; and (d) linked to the data to which it relates in such a manner that any subsequent change of the data or the connections between the data and the signature is detectable.

“Secure signature”, although not defined, is referred to in section 11, which provides that it is one that is completed through a prescribed security procedure or a commercially reasonable security procedure agreed by the parties (with other criteria also having been met).

The importance of digital signatures, as set out in the ESA, is that they are accepted as signatures, where a rule of law requires a signature. The ESA also makes clear that they satisfy the requirement of signatures, written documents and original documents.

The ESA creates a legal presumption in favour of secure and advanced electronic signatures, the effect of which is to place the burden of coming forward with evidence and of persuading a court, on the person challenging the genuineness of the signature.

Public Key Infrastructure (PKI)

A big part of the ESA concerns Public Key Infrastructure (PKI). A large portion of the regulations that will have to be created also concern PKI. Therefore, it is important to understand some key aspects of PKI.

PKI is the basis for digital signatures. In each signed transaction there is a pair of keys, a private key and a public key. The private key is used only by the signer. The public key is available to anyone and is used by anyone who needs to validate the signer’s electronic signature. PKI involves various components, which include electronic signature products (hardware and/or software), certification service providers, and rules for granting and revoking keys and certificates.
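As an added illustration (not part of this consultation paper), the two questions in the ESA’s definition of a digital signature, (a) was it made with the private key matching the signer’s public key and (b) has the message been altered since, checked with a key pair from Go’s standard library; the payment message is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Sign is the ESA's "transformation of a message": it uses the private key,
// which never leaves the signer.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify is the relying party's check and answers both ESA questions at once:
// (a) was the signature made with the private key matching pub, and (b) has
// the message been altered since. It needs only message, signature and public
// key (in a PKI the key arrives in a certificate from a certification service
// provider). Wrong-length input is rejected up front because ed25519.Verify
// panics on a malformed public key instead of returning false.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo returns the verification outcome for a genuine message, an altered
// message, and the same signature checked against another party's public key.
func Demo() (genuine, altered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the signer's key pair
	if err != nil {
		return
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // an unrelated party's pair
	if err != nil {
		return
	}
	msg := []byte("Pay UGX 1,000,000 to account 12345") // constructed sample data message
	sig := Sign(priv, msg)

	genuine = Verify(pub, msg, sig)                                           // true
	altered = Verify(pub, []byte("Pay UGX 9,000,000 to account 12345"), sig) // false: (b) fails
	wrongKey = Verify(otherPub, msg, sig)                                     // false: (a) fails
	return
}
```

The relying party never needs the private key; binding a public key to a named signatory is the job of the certificate and the certification service provider, which this snippet leaves out.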

PKI Enabled Applications

  • Electronic Fund Transfer (EFT), Telegraphic Transfer (TT), RTGS
  • e-Government (e-Tax, e-Filing, Internet and Mobile Banking, etc)
  • Secure e-Mail Communication
  • Electronic Fund Transfer Point of Sales (EFTPOS) in business establishments
  • e-Commerce (Amazon, eBay, Auto shops, etc)

Roles of Trusted Third Parties in PKI environment

  • Authentication of e-Signatures
  • Issuance of Digital Certificates
  • Others

Policy and Legislative Framework Questions

Part A: General Awareness and views about the e-Signature Act (ESA)

  1. Have you ever heard of e-Signature transactions before?

     If yes, were you aware of the Ugandan e-Signature Act that was passed recently by the Government?

  2. What are the key issues that would affect you in the use of e-Signature transactions?

  3. Have you used any e-Signature services before (anywhere, not necessarily in Uganda)?

  4. What are your views regarding the use of e-Signatures?

  5. What challenges do you see in implementing the e-Signature Act in Uganda?

  6. Suggest possible rules and regulations that need to be developed to address the challenges to e-Signature implementation you have identified.

Part B: General Awareness and views about the NITA-U Act

  1. Had you ever heard of the NITA-U Act before?

  2. In your view, what should be the key roles of NITA-U as a controller of the e-Signature business transaction environment in Uganda?

  3. What do you see as challenges to implementing the NITA-U Act?

  4. Suggest possible rules and regulations that need to be developed to address the challenges that might compromise NITA-U’s role.

Part C: Deficiency/Gaps in the Current e-Signature and NITA-U Acts

  1. At this point, we welcome any comments that you might have about the sufficiency of the provisions of the ESA itself.

  2. If there are any deficiencies, we also request any advice that you might have as to whether the deficiencies can be cured by way of regulations.

  3. Specifically, are the definitions adequate and are the distinctions meaningful?

  4. If not, can regulations do anything to clarify any inadequacies?

  5. Have you identified any Ugandan laws not mentioned that might be instructive in formulating these regulations?

3. Identification of Regulations Required

The ESA sets out specific provisions mentioning regulations that may be made by the Minister on the recommendation of the NITA-U. We have identified various sets of regulations below (set out in bold type) that may have to be drafted in line with the provisions of the ESA. The section numbers set out in parentheses are references to the specific provisions of the ESA.

i. Procedures relating to qualifications and recognition of certification service providers, auditors, repositories and date stamp services

  • Procedures for recognising certification service providers (13(b)(i))
  • Procedures for recognising certification service providers outside of Uganda (13(b)(ii)) (37(1))
  • Procedures for recognising government entities for operating as certification service providers (13(b)(iii))
  • Qualifications required for certification service providers (23)
  • Forms and procedures of applications (exemptions, renewals, replacements) for a licence as a certification service provider (22(3)) (25) (35) (36)
  • Licence fees (and renewal fees, replacement fees) payable by certification service providers (26) (35) (36)
  • Regulation of activities of certification service providers (regulations and/or licence conditions) (33) (39)
  • Qualifications for auditors and procedures for auditing certification service providers (38(3))
  • Requirements for recognition of repositories and procedures for recognition (77)
  • Requirements for recognition of date stamp services and procedures for recognition (79)

ii. Procedures relating to the issuance, revocation and suspension of certificates issued by certification service providers

  • Fees payable by subscribers (for certificates and revocation of certificates) to certification service providers (24(1)) (72(b))
  • Procedures for suspension of certificates by the Controller (63)

iii. Regulations relating to information requirements in respect of certification service providers

  • Regulations for the maintenance of a database of certification service provider disclosure records (21(3)), and requirements for the content, form and sources of information in certification service provider disclosure records, the updating and timeliness of such information and other practices and policies relating to certification service provider disclosure records (97(1)(d))
  • The form of certification practice statements (97(1)(e))
  • Requirements for the submission of information by certification service providers to the Controller (41(1))
  • Fees payable for requests for disclosure of certification practice statements and other facts in an investigation (44(2))

iv. Procedures relating to standards for secure electronic signatures

  • Security procedures (necessary for secure electronic signatures) (11(1))
  • The procedure for the review of software for use in creating digital signatures and of the applicable standards in relation to digital signatures and certification practice, and for the publication of reports on such software and standards (97(1)(i))

In addition to the provisions specifically mentioning regulations set out above, there are a few other provisions in the ESA that lend themselves to the promulgation of regulations. We have identified the further regulations that might be necessary below (in bold type). Note that section 97 is a catchall provision dealing with the making of regulations, and it states, in addition to listing certain regulations, that the Minister may make regulations as are necessary for giving full effect to the provisions of the ESA and their implementation.

v. Procedures for revocation of licences of certification service providers (to supplement section 27)

vi. Procedures for appeals (to supplement section 28)

vii. Procedures for orders by the controller to revoke certificates (to supplement section 49)

viii. Procedures for publication of unreasonable risk advisories with repositories (to supplement section 80)


Identification of Regulations Required Questions

  1. We would first like to solicit your comment on the sufficiency of the list of regulations identified.

  2. In addition to your comment on the sufficiency of the list of regulations that we have identified (i.e. is it over-inclusive), we would like your suggestions for any other regulations that are necessary to give effect to the provisions of the ESA. In particular, we would like to request you to consider whether there are any other necessary or appropriate regulatory interventions that will need to be made.

  3. We also welcome any experience you can share with us regarding specific issues. For example, in respect of procedures relating to standards for secure electronic signatures, do you suggest incorporation by reference of internationally recognised standards, and if so, which ones?