Importance of Electronic Signature: Security in Electronic Commerce (PART II)

By Alejandra Lopez-Contreras
Baker & McKenzie

Following the 2000's amendments, these new modifications update the provisions contained in the Commercial Code, by adding and revising the regulations that refer to the proof of electronic documents (data message), identity and expression of consent (electronic signatures). In addition, international concepts are added to the National legislation (United Nations Commission on International Trade Law -UNCITRAL- Model Law), the concept of Provision of Certification Services is formalized, and the value of certificates issued abroad is recognized.

It is important to emphasize that the provisions contained in the Second Title of the Commerce Code must be interpreted and applied following the principles of: (i) Technological Neutrality - avoiding any preference between traditional contractual means and the use of developing technology, and avoiding any limitation on the use of a particular type of technology; the purpose is to avoid being restrictive with respect to future technological advances; (ii) International Compatibility - the interpretation and application of the amendments to the Commerce Code should not contravene the rules established in the international agreements to which Mexico is a signatory; (iii) Will Autonomy - this is the basis for contractual obligations, and it establishes that the parties have the freedom to enter into agreements on the terms they accord, as long as the agreements comply with local laws; and finally (iv) Functional Equivalence - this means procuring equal treatment based on the function that each one performs as a signature. In fulfilling this point, digital and autograph signatures receive equal treatment; likewise, data messages as defined by law are considered equal to non-electronic data messages.

Thus, the legislation regulates how an electronic document can be signed before it is sent, so an electronic signature becomes the means by which a document may be signed.

Article 89 of the Commerce Code defines the electronic signature as "the data in electronic form included in a data message, or enclosed or logically associated to it by any technology, that are used to identify the signatory in relation to the data message and indicate that the signatory approves the information contained in the data message and that such signature produces the same legal effects as the autograph signature, being admissible as proof in trials;" in addition, it indicates that the electronic signature will be considered advanced or trustworthy when:

a) The signed document (Date of creation of the signature) corresponds exclusively to the signatory,
b) The signed document (Date of creation of the signature) was under the exclusive control of the signatory,
c) It is possible to detect any alteration of the signature, and
d) It is possible to detect any alteration in the integrity of the contents of the signed document.

The above has become a relevant issue in electronic commerce, as the purpose of electronic signatures, especially of advanced electronic signatures, and certificates is to guarantee:

Authentication: making sure that the message senders really are who they say they are,
Confidentiality: ensuring that the information in the network remains private,
Privacy: controlling the way in which the information thus obtained is used,
Integrity: making sure that the information is not altered or corrupted in transit,
Non-repudiation: the sender cannot deny that he sent the message, and
Availability: accessing the message for reference after it has been sent.

Nowadays there are many different tools available to protect communications over the Internet, with encryption as one of the most basic means. This process consists of transforming a given text or information into an "encrypted" document, which can only be read by the sender and the recipient. The purpose of encryption is to guarantee the integrity of the information and its transmission.

There are two types of keys or systems: (i) symmetric encryption or double key encryption, in which both the sender and the receiver have the same key to encrypt and decrypt the message; and (ii) asymmetric encryption, which consists of two related mathematical keys, one of which is used as a public key and the other as a private key. The private key is kept secret by its owner whereas the public key is disclosed. One of the keys can be used for encryption and the other one for decryption and vice versa.

However, this system is still missing a very important feature, because despite the fact that the message integrity is guaranteed, no authenticity is ensured. In other words, the sender is able to repudiate the message. The solution to this problem is to include a digital signature to identify the sender, and then encrypt the message. However, even by doing this there remains the security problem:

How does one verify the veracity of the identity of the sender? Anyone could obtain public and private keys and pretend to be someone else, which is more easily controlled when a person or institution must physically show an ID issued by an authority. The same situation occurs in the digital world, but instead of an ID, a certificate is used as proof of identification: an electronic document issued by a certifying authority, which contains information related to the parties. This instrument is intended to support the electronic signature system by solving the digital identity problem.
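The mechanics described in the last three paragraphs (a private key under the signatory's exclusive control, a public key that anyone can use to verify, and a certificate through which a certifying authority binds a name to that public key) can be shown end to end in a few dozen lines. The following Go program is an added example written for this page; it is not code from the article or from Baker & McKenzie, and it makes several assumptions: Ed25519 from Go's standard library stands in for the asymmetric key system, the `Certificate` struct is a deliberately minimal constructed stand-in for a real certificate (no validity period, serial number or revocation), and the names "Alice", "Mallory" and the CA, as well as the data message text, are constructed for the demonstration. It shows the four outcomes a recipient cares about: a genuine message verifies, an altered document is detected (requirement d above), an altered signature is detected (requirement c), and a signer who presents someone else's name fails because the certifying authority's binding does not match the claim.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is a constructed, minimal stand-in for the certificate the
// article describes: the certifying authority (CA) signs the binding between
// a subject's name and that subject's public key. Real certificates (X.509)
// carry much more; this struct is an assumption of the example only.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte // CA's signature over certTBS(Subject, PublicKey)
}

// certTBS builds the "to be signed" bytes. The length prefix keeps the name
// and the key from being confused with each other once concatenated.
func certTBS(subject string, pub ed25519.PublicKey) []byte {
	prefix := fmt.Sprintf("%d:%s:", len(subject), subject)
	return append([]byte(prefix), pub...)
}

// IssueCertificate is the CA's act: it vouches that pub belongs to subject.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{
		Subject:   subject,
		PublicKey: pub,
		CASig:     ed25519.Sign(caPriv, certTBS(subject, pub)),
	}
}

// VerifyCertificate checks that the CA the verifier trusts really signed
// this name/key binding.
func VerifyCertificate(caPub ed25519.PublicKey, c Certificate) bool {
	return ed25519.Verify(caPub, certTBS(c.Subject, c.PublicKey), c.CASig)
}

// SignMessage: the signatory signs the data message with the private key that
// is under its exclusive control (requirements a and b in the article).
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

var (
	ErrWrongSubject = errors.New("certificate is not issued to the claimed signer")
	ErrBadCert      = errors.New("certificate is not signed by the trusted CA")
	ErrBadSignature = errors.New("signature does not match the document, or was altered")
)

// VerifySignedMessage is what the recipient runs. It ties together the claimed
// identity, the CA-certified public key and the signature over the message.
func VerifySignedMessage(caPub ed25519.PublicKey, cert Certificate, claimedSigner string, msg, sig []byte) error {
	if cert.Subject != claimedSigner {
		return ErrWrongSubject
	}
	if !VerifyCertificate(caPub, cert) {
		return ErrBadCert
	}
	if !ed25519.Verify(cert.PublicKey, msg, sig) {
		// Requirements c and d: an altered signature or an altered document
		// both land here, because the signature binds the exact bytes signed.
		return ErrBadSignature
	}
	return nil
}

// Tamper flips one bit in a copy of b, simulating an alteration in transit.
func Tamper(b []byte) []byte {
	out := append([]byte(nil), b...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	malloryPub, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	aliceCert := IssueCertificate(caPriv, "Alice", alicePub)
	malloryCert := IssueCertificate(caPriv, "Mallory", malloryPub)

	// Constructed data message for the demonstration.
	msg := []byte("I accept the purchase order for ten units at the quoted price.")
	sig := SignMessage(alicePriv, msg)

	fmt.Println("genuine message:  ", VerifySignedMessage(caPub, aliceCert, "Alice", msg, sig))
	fmt.Println("altered document: ", VerifySignedMessage(caPub, aliceCert, "Alice", Tamper(msg), sig))
	fmt.Println("altered signature:", VerifySignedMessage(caPub, aliceCert, "Alice", msg, Tamper(sig)))
	// Mallory holds a valid certificate, but for her own name, so a message she
	// signs cannot be passed off as Alice's.
	fmt.Println("wrong identity:   ", VerifySignedMessage(caPub, malloryCert, "Alice", msg, SignMessage(malloryPriv, msg)))
}
```

The ordering of checks in `VerifySignedMessage` matters: the recipient first establishes whose key it is about to trust (name and CA binding) and only then tests the signature, so a valid signature from the wrong key is never mistaken for authentication. This is exactly the gap the article points out: key mathematics alone proves that *some* private key signed the bytes, and it takes the certifying authority's binding to say *whose*.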

Thus, under the Amendment, public brokers or notaries, private legal entities and public institutions may obtain authorization from the Ministry of Economy to become certification service providers. This certification may or may not be used as public instruments.

An Integral System for the Certification and Digital Signature record, as proposed by the Amendment, proves the authenticity of an electronic document and allows us to make a connection between an individual and his digital signature; it also helps to guarantee the exclusive existence of keys and the distribution of such certificates in a safer way.

It is important to note that there are many kinds of transactions, and each of them requires a different security level. For this reason, the appropriate electronic signature must be used in order to accomplish the purpose for which the data message was created or communicated.

In conclusion, on-line transactions can represent a risky business. Companies invest more and more money in security every year, but all this security may discourage users, affect profits, and consume too many resources. On the other hand, too little security may jeopardize the very existence of the business.

The question then becomes: what is a good security system? It must aim to protect individuals and companies by focusing on the unexpected behavior of the electronic market, considering the risks involved and the weakest aspects of information:

a) Create security policies.
b) Educate users.
c) Control access.
d) Authenticate procedures through digital signatures, certificates issued by certifying authorities, and the use of key systems.

By Baker & McKenzie
For further information, please contact us at info.mexico@bakernet.com 
All Rights Reserved © Baker & McKenzie Abogados, S.C. Mexico 2003