The Role and Responsibility of the Authentication Body toward both the Contracting Party and Third Person in the Light of UAE Law

Dr. Kamran Al- Salihi

Associate Professor of Commercial Law

Faculty of Law – University of United Arab Emirate

Introduction

In the face of development of civilized societies and radical advances in communications technology, the traditional means of conducting commercial, administrative, financial and economic transactions disappeared from sight gradually and has been replaced by modem electronic technology ([1]). This has brought a revolution in human civilization, particularly networking for the Internet and satellite. Many information centers, companies and institutions have been established who specialize in dealing in hardware and software information and marketing.

It seems that the transformation of the internet business has become the greatest achievement in the business world in the 20th century. So the birth and development of the Internet lead to expand a global market for trade in goods and services which started to flow across international borders, particularly by international business companies which promote the marketing of their products and services through use of their sites on the Internet. Hence, under the development of telecommunications networks, political boundaries are no longer an impediment to the spread of international electronic commercial transactions.

The important role of electronic transactions in the modern world, particularly in international trade, which constitutes 20% of the total world trade in our present-day, pushed the national and international organizations to increase their efforts continually to remove the obstacles encountered in its rapid growth and to establish the legal frame work that is necessary for successfully conducting these transactions. This occurs at both national and international levels, in order to integrate the development and establish with confidence among the users of these transactions at all levels of financial, administrative, commercial and banking sectors.

This progress has been accompanied by the attention of legislators in most States to grant legitimacy to electronic transactions and to spread confidence by developing legal frameworks to resolve the legal problems concerning the admissibility, evidential value of electronic transactions, electronic authentication, and contract formation.

The international community has begun efforts to switch over from the traditional concept of writing and replaced that with e-writing in commercial transactions and adopted the electronic signature and equated it with the hand written signature by giving it authoritative evidence. The United Nations Commission of International Trade Law (UNCITRAL) has enacted, in 2001, several Conventions in order to facilitate electronic commerce and to help the States to remove the obstacles for successful conduct of electronic commerce at national and international level. The UNCITRAL, in order to promote confidence in e-commerce, has issued five documents as a Model Law ([2]).

The Arab legislators were not untouched by these global developments. Tunisia, Jordan, Egypt and the United Arab Emirates have issued legislations for electronic transactions which recognized the equality in evidence between the electronic documents and traditional written documents.

The availability of a robust communication network in the UAE in dealing with the World Wide Web, has enabled the ability to meet the changes and developments that have taken place at the international level regarding E-commerce and to match UNCITRAL Model Law. The UAE has enacted a Federal Law ([3]) regarding transactions and electronic commerce, which aims to protect the rights of online users and determine their obligations, as well as encouraging and facilitating transactions and electronic correspondence, with an aim to remove any impediments to the development of electronic commerce and transactions at the local level and international and other targets.

In fact, the United Arab Emirates was at the forefront of the Arab States in dealing with Ecommerce, and was one of the first countries to issue a law regulating E-commerce transactions. The UAE also has the highest web measure index in the region, which reaffirms the country’s commitment to setting the highest standards of E-Governance. The Emirate of Dubai has also issued its law ([4]), which includes the organization of contracts and E-commerce transactions in such a way as to promote the trade in its growth and prosperity. Since 2002, Dubai has converted to the E- commerce and E-Governance. This project aimed to provide a sound legal environment for electronic transactions and to achieve the credibility of the electronic system in trade disputes.

This research mainly focuses on the role and nature of the legal liability of the Authentication Body service provider under UAE law, for the safety and validity of the data contained in the certificate of authentication. Firstly, it will deal with the evidentiary value of electronic transaction and authentication, and then it will explain the responsibility of service provider authentication.

Chapter One

Evidentiary Value of Electronic Transaction

The Electronic transactions emerged only a few years ago when the most business people over the world started to use the internet to carry on business electronically. The emergence of new technology has helped to increase trade at the global level, which is growing rapidly in our present time through the medium of e-commerce. Today it is estimated that 10 million host computers are connected to the Internet and e-commerce transactions are done electronically and controlled from ordering to fulfillment. The effectiveness of these medium has brought drastic changes in functioning of national and international trade, as they succeed in establishing strong links between them.

Electronic Transaction is defined as any deal, contract or agreement concluded or performed through the use of electronic communications, regardless of the parties, whether they are members of the regular population of users or legal persons. In addition, it includes transactions connected with e-commerce in the first place, but it is not limited to it. It includes all transactions conducted through electronic means, and primarily contracted through the Internet, such as buying, selling, marketing, servicing, delivery, payment of products, service etc…

Electronic transactions today can be carried out more effectively at the level of both internal and external trade and therefore, they have special interest and are distinguished at the level of e-commerce. This required to requires us to shed light on the concept of this trade and the corresponding international efforts to organize and to facilitate it.

Section one

Concept and Growth of E-Commerce

The technology has changed immensely in the past few decades and affected in fundamental ways the methods that business and consumer use to interact in their transactions. When the internet became the medium of choice for electronic commerce the businesses became seriously interested in using computer communications to replace telex, telephone, or postal communications ([5]). Today, the model of the e-commerce system is being practiced by the most businesses around the world.

Thus the establishment and growth of electronic commerce and its expansion is widely regarded as a modem phenomenon, which has powerful influences on human activity. The way of conducting business, information systems, and decision making has changed. With the development of methods of shopping through electronic processing it has become possible to provide the consumer with goods and services as soon as possible and to facilitate the way of payment without having any geographical obstacles to complete transactions and varied business processes.

In our present time EC involves much functional responsibility, including design, building, manufacturing, and control. Thus many businesses today are using internet technologies to Web-enable business processes and create innovative e-business applications ([6]). The progress and development which took place in the means of communications and information has reduced the distances between communities. It has been used to determine the needs and wishes of diverse member of communities and how to deal with them through advertisements of products and new inventions. It attracts and induces them to buy through e-shopping which has resulted in the flow of goods, services and information to most consumers around the world.

E-commerce can be simply defined as conducting business electronically. It is based on the use of electronic means to conclude a contract of sale and purchase of goods and services between individuals and companies.([7]) The essence of this trade, which includes domestic and international trade, is based on the exchange of information and the electronic transfer of funds from banks and digital cash and smart cards. Furthermore, it includes most of the trade transactions, such as the commercial announcement, consumer marketing, accounting, electronic share trading, electronic bills of lading, commercial auctions settlement of payments, and negotiations.

It is clear that the concept of electronic commerce is primarily related to the idea of the business. It is based on electronic processing and transmission of data, including text, sound and visual images. So this kind of trade uses the electronic medium in the practice of its different activities, whether with suppliers, customers or business partners, or with affiliates, and various government departments, or banks and financial institutions.

Comparative jurisprudence has dealt with concept of electronic commerce with a variety of definitions between expansion and limitation of its space. Some Jurists defined it as “that kind of trade, which include the providing of Internet services and electronic delivery of services which means delivery of e-service to the consumer in the form of digital information and the use of the Internet as a channel for the distribution of services ([8]). The French Society defines e- commerce as a group of commercial transactions which performs through the means of Communication ([9]). The Assembly of electronic commerce defined it as “a group of uses of means of communication including the display of the goods, and so the goods are requested by traditional methods.” ([10])

Moreover it is defined by the Egyptian Jurists as “the process of buying and selling goods and service through electronic networks, in addition to the information and computer programs and other activities conducive to business practices.” ([11])

The UAE Law of E-commerce transactions no (1) of 2006, has defined E-commerce as “commercial transactions conducted through electronic communications.”

It is to be noted that this definition does not determine exclusively the electronic means of commercial transaction and this indicates that the UAE legislature’s desire is to keep pace with that EC scientific and technical progress in the use of media information, so this definition is free of citing examples of technical means that are involved in electronic commerce.

In this regard we see that electronic commerce is all commercial transactions concluded and implemented through electronic means or network; essentially, the Internet.

Based on above-mentioned definitions of EC, one can deduce that EC is of interest to business managers, marketers, accountants, financial executives, financial analysts, inventors, creditors, lawyers and consultants. In addition, it should be emphasized that EC may also be used for noncommercial functions such as filing and paying taxes, and personal finance ([12]).

Advantage of E-Commerce:

From previous information, it is clear that e-commerce affects manufacturing, marketing, consumption, finance and investment . Most firms are interested in EC because it can increase their sale and decrease their cost. In addition, the EC will offer the buyers increased selection, convenience and better deals. The following are some of the advantages of e- commerce; ([13])

1. Improves information flow
2. Improves how business transactions are processed over networks
3. Simplifies upgrading technology, transferring content, transactional processing and payment, production processes
4. Enables better promotion, advertising and improved service
5. Provides buyers with a wider range of choices than traditional commerce
6. Provides buyers with information about a prospective purchase
7. Protects against fraud and theft losses

Today, e-commerce has become more important to the business world by reducing the cost and offering better product management, advanced security, sales, and accounting systems which will enable more businesses to continue to enjoy to e- commerce every day. So when the e-commerce matures and becomes more available and acceptable in the business world, a business will continue to enjoy increasing success through their EC.

The International’s efforts to develop and protect the E- Transactions:

The first important use of computer communications occurred in the late 1970’s, when the transportation industry began the use of E-message instead of paper communications. Soon after, the efforts succeeded in using the e-commerce system in most business around the world. More operations and traditional businesses became integrated into EC, so it became a multi -trillion dollar market.

In the present world of commerce and trade, E-commerce has become the way that the national and international business is conducted. Businesses with no EC strategy may find themselves losing the market to competitors who use new communications media.

The widespread use of network computers in electronic trade transactions, as well as in banking, is now accompanied by fraud and forgery crimes. Therefore the need has arisen to establish a legal framework to regulate all aspects of this trade both in terms of contract and methods of proof to preserve the rights of contractors and provide civil and criminal protection to clients in this trade. There is a need to secure the safety and stability of electronic transactions, particularly in the absence of uniform international legal rules. Various government institutions, and the European Communities, and the International Chambers of Commerce in Paris, issued a set of international recommendations, including the recommendation of the Committee of Ministers of the Council of Europe, in 1981. This addressed the Member States on the coordination of legislation with regard to writing authority, recording information and copies of registrations in evidence. Despite the importance of this recommendation, particularly for international business companies, most Member States do not respond quickly in issuing national legislation to regulate the issue of evidence in electronic transactions.

To keep the pace with the growth and development of electronic commerce, and to protect its clients, the United Nations Commission of International Trade Law, UNCID, has made efforts to resolve the legal problems relating to the evidentiary value of data records in international electronic commerce. This committee, in 1985, issued a recommendation regarding the use of automated transactions of information and asked for changes in the legal rules of those countries which have been conservative and cautious in the use of E-information as a means of proof.

A task team has been formed in order to promote the development of electronic commerce and other transactions at the local and global level. Their goal is to remove obstacles to using the data of electronic information in evidence and to realize the equality between the electronic signatures. The main role of this task team is to implement flexible procedures which contribute to the development of electronic commerce and remove the obstacles that are encountered. This team has endeavored to issue a set of recommendations aimed at unifying the rules of electronic international trade ([14]).

To this end, the International Chamber of Commerce has made some substantial efforts. The most important of its achievements was recognition of rules established by the United Nations Commission on International Trade Law. The commission issued two important projects in the area of electronic commerce. The first project relates to electronic commerce terminology, or e-terms, where the distinction between the terms derived from the Inco -terms, those derived from the Best Practice Rules, and those derived from the treaties and conventions, established the basis for data information and provided access to traders who were able take advantage by entering them into the e-mails messages. The second project includes implementation of uniform rules regarding documentation of electronic certificates.

Further, in this regard, the European Consul of Customs has prepared recommendations and several projects including inviting Member States to accept advertisements for goods that are dealt electronically by the Customs offices in accordance with conditions specified by these authorities. This Council has also prepared a recommendation to Member States regarding the trade agreements in customs and trade data, in addition to preparing a directory on the use of Electronic Data Interchange (EDI).

The basic point of EDI was to permit businesses to exchange transaction information in standardized, computer- readable form. Once both trading partners have agreed to use the EDI format, they can send and receive standard electronic versions of basic forms of business communications, such as purchase order, invoices, and delivery advices. ([15]) Even though this system was used by 100,000 businesses around the world, it become clear by the mid 1990 that EDI was not able to develop business to the degree that many had predicted. It was difficult for many businesses to adopt this system because it often required a complete reengineering of the internal administrative processes of business to be successful ([16]). By contrast, many small and medium-sized businesses that could not justify investment in EDI quickly embraced the internet.

There is no doubt that international efforts are continuing to offer national legislators a set of rules to overcome the factors that obstruct the progress of electronic commerce, and increased use of E-Commerce .So in addition to the recommendations previously presented, the international trade organizations have developed standard contract rules for guidance in the area of electronic commerce transactions. These include, the series of texts and the general rules established by the United Nations Commission on International Trade Law on electronic systems for the dealers’ of international commercial transactions ,with a view to standardizing the rules used in the exchange of trade data in electronic means of communication, as well as the maritime international committee in 1990, which developed a draft standard contract containing unified rules for electronic bills of lading in addition to the rules for shipping.

It is known that the emergence and spread of electronic commerce is due to the scientific and technological advances in communication and information. Joining the market of electronic commerce depends on it, so the area of activity of this trade is expanding every day in most countries. To keep pace with the growth and development of electronic commerce and to protect its clients, legislatures in most Arab countries have been mandated to issue national legislation.

In this regard ([17]) Federal Law No. 1 of 2006, the UAE legislator has clarified that to achieve a set of goals as following: ([18])

1. Protection of the rights of the electronic dealers and the specifications of their obligations
2. Encouragement and facilitation of electronic transactions and correspondence by electronic records to be relied upon
3. Facilitation of and removal of any obstacle before the e- commerce and the other electronic transactions which may result from the obscurity as to the requirements of writing and signature and in order to support the legal and Commercial development for the implementation of the e-commerce in a guaranteed manner
4. Facilitation of the transfer of electronic documents between governmental and non-governmental bodies, and competent support of the availability of the services of such bodies and the institutions through electronic correspondence
5. Minimizing the extent and scope of falsification of the electronic correspondence and the subsequent changes of such correspondence in addition to minimizing the chances of deceit in the e-commerce and the other electronic transactions
6. Establishing unified principles to the rules, regulations and standards with respect to the authentication and safety of the electronic correspondence
7. Confirmation of trust as to the safety and validity of the electronic transactions, correspondence and records
8. Supporting the development of e-commerce and other transactions both in the local and international arenas, by way of using electronic signatures

From the above objectives it is clear that the UAE legislature aims to secure legal environment for the growth of electronic commerce in order to meet the changes and development of international electronic commerce, and to implement the UNCITRAL Model Law in E-Commerce and other related documents.

In this regard it is worth noting that the UNDESA in 2008 has ranked the UAE in fifth position in terms of transactional service. This State has today the highest web measure index in the region which reaffirms its commitment to setting the highest standard of E-Governance excellence, and this reflects how this country is effectively using electronic communication for economic growth and human development.

Despite the fact that the UAE Federal law No (1) of 2006 applies to most transactions as E-Records, Documents and Signatures that relate to E- transaction and commerce, it does not apply to (a) The dealings and issues pertaining to personal matters, such as marriage, divorce and wills, (b) Documents of title to immovable property, (c) Negotiable instruments, (d) Dealings with respect to the sale and purchase of immovable property, disposal of the same and its lease for periods exceeding ten years as well as the registration of any other rights pertaining to the same, (e) Any document which the law requires to be notarized by the notary public, and (f) Any other documents or dealings exempted by a special law provision ([19]).

In fact, the growth and spread of electronic commerce in diverse communities is due to the ease and speed of communication at the international level, with low cost and ease of access to information. It also enables customers to access information and changes in global and local markets. Therefore, most companies, financial institutions and banks in the developed States today are increasing their daily participation and entry into the field of electronic commerce.

The statistics show a steady growth in the volume of electronic international trade in the United States of America, France, Germany and the Scandinavian countries and other advanced industrial countries such as Britain, the Netherlands, Denmark and Italy, where there are indications that more than 60% of economic growth in the present time is attributed to the international trade of dealing in electronic and information technologies.([20]) Furthermore the statistics indicate that the prosperity and the expansion of electronic commerce and the movement of profits has achieved amazing levels, especially since the beginning of 2000, and there are expectations of increased profits in excess of 200 billion dollars for the transactions of individuals and financial institutes. ([21])

Section Two

Evidential weight of electronic transaction and signature

The Electronic Transactions and Commerce Act of UAE defines the transaction as “any dealing or contract or agreement concluded or executed wholly or partially by electronic correspondence” ([22]) It is clear from the definition above that the electronic transaction means each transaction, contract or agreement concluded or executed by using electronic media, regardless of whether customers are general persons or legal persons, as individuals dealing with governmental or non­governmental organizations, or persons dealing with commercial companies, banks and financial institutions, or legal persons dealing among themselves.

It is necessary to emphasize that the transaction or agreement shall not be denied validity or enforceability on the sole ground that it is in the form of an electronic communication. The requirement is to grant any transaction the capacity of electronic transaction that is carried out wholly or partly by electronic correspondence, whatever the method used,([23]) whether fax or telex, Internet or other.

In this regard it is necessary to underline that authentication is one of the central issues facing e-commerce, particularly in case one contracting party seeks to enforce a claimed agreement, and the other party denies any existing obligation. In such a case, it becomes necessary to prove the operative facts about the transaction. Electronic authentication (e-authentication) aims to supply a forgery-resistant identifier for electronic messages that are otherwise altogether forgeable. The function of e-authentication is to enable online contracting by granting legal significance to digital signatures in situations where physical signature would be required  ([24]).

With regard to procedures of authentication of electronic transactions that take place through the use of tools and advanced electronic devices, we will focus on the most important of these ways, which are common in the present time. These procedures aim to verify that a data message is that of a specific person and detect errors or alterations in content or storage of data message or electronic record, including any procedure using algorithms or code, identifying words or numbers, encryption, answerback or acknowledgement procedures, or similar information security devices.

There are many means of images and electronic authentication, including code signing, biometric and digital. The following are a brief explanation of the work of each method of electronic authentication:

1. Signed through the use of PIN code (code-signing):

The evidentiary value of electronic signature became more common and recognized by most legislation in different States, in addition to the judiciary and comparative jurisprudence, and this method has been widely used in banking operations and payment of accounts and bills of purchase in general. It is a means of code-signing using of a combination of numbers or letters or both, chosen by the applicant himself to sign the electronic transaction. The signature codes are often linked to plastic cards and those equipped with electronic memory, such as Master Card, Visa and American Express, which are widely used in most developed societies and some developing countries.

2. – Biometric Signature:

It’s means that natural characteristics and attitude of a user’s signature, such as his personal shape, size of hands, voice and scan of his eyes and other physical and behavioral characteristics are stored in computer by the code and then decoded to verify the personality of signatory,([25]) where the computer matches the characteristics’ stored with the characteristics of a signatory.

3.  – Signature by E-Pen

This method needs a computer supplied with specific virtues, beside existence of the body of authentication,([26]) to verify the signatures. The sender of the message signs on the computer screen using the electronic pen and the verifying of validity of the signature is done by a special program that compares the current signature with a former signature that is stored in the program.

4. Digital Signature:

The digital signature achieves a range of benefits, including verification of the identity of the signatory. The contents of electronic treatment, confidentiality and its attribution to the signer cannot be challenged.

It means signing by using printed numbers, where a dealer has a private key for encryption and, after writing the letter and signing it with his key and entering the message on the computer, the written letter turns to the digital message through a special program of encryption. When the consignee is transferred the message with the public key, and using the encryption software of the computer, he can read the message after converting it to the original image. In the case of manipulation in the signing of the sender or any change in the content of the message, the computer detects it immediately, which ensures the integrity and authenticity of the letter sent to the consignee.

In order to grant an electronic transaction the capacity of evidential weight and legal equivalence of a written and original document, it requires the same conditions as the traditional written document in addition to the conditions required for the validity of electronic signature itself. This enables it to perform its function in determining the characteristics of the signatory and recognize the validity and content of a document attributed to him. The most important conditions to granting electronic transactions evidential value and equivalence with written ones are the following: (1) The electronic document shall be readable ([27]) and reflect precisely its contents like the written document, (2) The electronic transaction has a capability to retain information for a long period of time, and (3) The electronic transaction is not available for any amendment or change in its content.

Regarding electronic signature ability to enjoy the evidentiary value that is enjoyed by the traditional handwritten signature, based on Article (7) of UNCITRAL Model Law of 2001, an electronic signature satisfies the requirement of an actual signature if the electric signature is reliable and appropriate for the purpose for which the data message was generated or communicated in the light of all circumstance. Today the electronic signature has legal evidentiary value like a manual signature, especially since modem technical progresses has enhanced the confidence in it. Additionally, there is the existence of competent authorities to verify the authenticity and integrity of the electronic signature and issue a special certificate about that .So the reorganization of the signature has become actualized in countries that utilized electronic transaction.

In this regard it is worth mentioning that the State of Utah, USA, was the first state to issue the Digital Signature Act of 1995, which recognized the electronic signature and its evidentiary value, if the signer did it through a system of public key and in same time authenticated it by Electronic certificate. Later, the other U.S. states including California, Kansas, Texas, and others, issued similar legislations that gave legal validity to electronic signature in accordance with the conditions and criteria specified in their legislations.

Most of the European States have issued special legislation to recognize electronic signature as long as it meets the specific requirements determined by their legislations. Among them are Germany ([28]), Italy ([29]), and Britain ([30]). In fact, these legislations have adopted most of the conditions contained in the European Directive on a community framework for electronic signatures (1999)([31]) regarding recognition of admissibility and evidential weight of electronic signature. This Directive defined electronic signature as data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.

In fact, this directive aims to facilitate the use of electronic signature and to contribute to their legal recognition.([32]) It therefore established a legal framework for electronic signatures and certain certification services, requiring that the advanced electronic signature should meet the following conditions:

1. The signature belongs only to the signatory.
2. The signature is able to identify the personality of signatory.
3. The means of signature is under the full control of the signatory.
4. The electronic signature is linked to the document itself

Many of the Arab countries followed this development and have issued legislations that acknowledge equality between the electronic and the manual signature regarding its evidentiary value. The United Arab Emirates which was the first Arab country after the States of Tunisia and Jordan, that has enacted legislations regarding E-Transactions and Commerce (Dubai law No. 2 / 2002 and the Federal Law No. 1 / 2006) . The Jordanian legislature has issued the Electronic Transactions Law which has equated the electronic signature with the handwritten signature regarding evidentiary value. Later, Kuwait and Egypt also issued the draft laws regarding E-commerce.

The UAE Law:

In order to meet the changes and developments in the field of electronic commerce at the international level, the UAE has enacted Law No (1) of Electronic Transaction and Commerce of 2006. This law shall apply to electronic records, documents and signatures pertaining to the electronic transaction and commerce. This Act defines an electronic signature as “Signature constituted of letters or digitals or symbols or sounds or processing system having an electronic form, logically attached to or connected with an electronic message impressed with the intention to authenticate or approve such message” ([33])

Secure Signature:

Based on Article 17 of the UAE Federal Law, one can deduce that the E- signature shall be protected in order to enjoy the capacity of proven authenticity, and in accordance with this Article the signature shall be regarded as a protected signature (Secured Signature), if it is available, through Secure Authentication procedures or commercially reasonable procedures agreed upon by the parties to verify that the electronic signature, at the time it was made, has the following virtues: (1) The signatory shall stand alone in using it. (2) The signature should prove the identity of the signatory. (3) The signature should be under the sole control of the signatory in terms of the creation or the means of use at the time of signing. (4) To be linked to the electronic message to which it relates in such manner that emphasizes integrity of the signature and, if the record was changed, that the E-signature be invalidated.

Reasonable authentication procedures:

To determine whether Secure Authentication procedures provided in Article 17 are commercially reasonable, Article 16 /2 of the Federal law stipulated that, “for the purposes of the application of this Article and Article 17 of this law, regarding the decision whether the perfect authentication procedures are reasonable commercially, such procedures shall be considered in the Commercial circumstances upon their use, including: (A) The nature of the transaction (B) The experience and skill of the parties (C) Volume of the concerned dealings made by any of the two parties or both of them (D) Availability of alternative procedures and their cost (E) The procedures generally used in similar transactions.”

By analyzing Articles 16-18 of the UAE Federal Law No. 1 of 2006 with respect to the evidential value of electronic signature, we can say the following:

1. A person is entitled to rely on the electronic signature or E-Approval Certificate to the extent that such reliance is reasonable..
2. Where an E- signature is enhanced by an Electronic authentication certificate, a person who is relied on for this signature shall be liable in case of his failure to take reasonable and necessary measures to verify the correctness and integrity of the certificate, as to whether it is suspended or revoked, otherwise he shall bear the consequences of default in case of injury damage.

Reasonable reliance:

For the purpose of deciding whether it is reasonable for a person to rely upon an electronic signature, legislature of the UAE specified the following criteria:

1. Nature of the transaction that was intended to be enhanced by electronic signature, where transactions have the importance and value considerations requires to be signed electronically.
2. The transaction has a value and is of particular importance and requires the electronic signature and certification and it is well-known to the Party relying on electronic signature.
3. Whether the relying party with respect to the electronic signature has taken appropriate and reasonable measures to determine the reliability of the E- Signature or the E- Authentic Certificate.
4. Whether the relying party with respect to the electronic signature or the E-Authentication Certificate knew or ought to have known that the electronic signature or E-Authentication certificate had been suspended or revoked.
5. Whether there was any previous transaction or agreement between the originator and the party relying on the electronic signature, or any trade usage or practice which may be applicable.
6. Any other relevant factor which determines the reasonableness of reliance on the electronic signature.
7. In accordance with paragraph (2) of Article (18) where an electronic signature is supported by an electronic authentication certificate, the party who relies on the electronic signature shall bear alone the legal consequences of his failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate, as to whether it is suspended or revoked, and of observing any limitations with respect to the certificate ([34]).

Evidential weight of E- information:

In assessing the evidentiary weight of E- information in the UAE law, regard shall be given to the following elements:

1. The reliability of the manner by which one or more of the operation of insertion of the information or its generating, processing, storing, presenting or communicating was performed
2. The reliability of the manner used to maintain the safety of information
3. The reliability of the source of information, if identifiable
4. The reliability of the manner in which the originator was identified
5. Any other ingredient pertaining to the subject

Foreign Electronic certificates:

Regarding the recognition of Foreign Electronic certificates and Electronic signatures, that those issued by a foreign certification service provider shall be recognized as legal in the State of UAE in the following cases:

1. The functions and practices of foreign certification service providers shall have a level of reliability equal to that required by UAE law of providers of certification services in the UAE
2. The certificates of foreign electronic authentication shall meet the requirements of UAE law
3. An agreement of reciprocity with regard to the effectiveness of these certificates ([35])

From the previous cases mentioned, one may deduce that, aside from the recognition of different legislations of electronic signature and its evidential weight, these legislations differ regarding the conditions required for the acquisition of electronic signature legal evidential weight. Some of them define these terms and others refer to the executive regulation of the law or to a decision made by the competent authorities as in the Egyptian law of electronic commerce, where the article (3) provides that the enjoyment of the electronic signature relies on authoritative assessments of the signing, upon the terms and conditions of the Law and Regulations.

Chapter Two

The role of Authentication Body and its responsibility

Before we explain the role of the body of authentication and its functions, we think it is necessary to examine the essence of the certificate of electronic authentication (e-authentication) and the purpose of its issuance and its legal action.

The e-authentication certificate issued by bodies licensed by the responsible authorities in the State uses developed electronic information system to confirm that the electronic signature meets all legal requirements for reliance and it is properly attributed to the signatory.

To promote the confidence in the e-authentication certificate as an instrument to confirm the credibility of electronic transaction, e-commerce legislations have obligated the certificate service provider to ensure the accuracy and completeness of his certificate. This certificate should be able to determine the identity of the certification service provider, the method used to identify the signatory, the identity of the source, the duration of its validity, and its extent. The legislature has also resorted to arrange a criminal penalty to ensure the evidential value of certificates of authentication to guarantee the protection of clients. Hence this certificate is a confutation instrument that the electronic signature or electronic transaction in general has been issued by whomever attributed to, and the data contained in the electronic transaction is correct and has not been exposed to any modification or change, and is reliable and provable. ([36]) It is worth mentioning that the electronic authentication certificates will vary according to purpose of their issuance as Certificate of Authentication of digital signature, Certificate of Digital Time stamp for documentation of the date and time of the digital signature , Authorizing Certificate, which includes the provision of Additional information about his owner as his work, qualifications and his licenses , in addition to all above certificates there is Attesting Certificate for documenting the genuineness of an event or a particular fact and the date of its occurrence. It is necessary to secure that the body that issued the certificate shall use developed electronic information systems and act in accordance with the course of modem scientific progress to enhance the reliability of the electronic certificate.

Electronic Approval Certificate:

The UAE Federal Law No. (1) of 2006 ,defines the E- certificate as “the certificate issued by the provider of approval services showing the confirmation of the identity of the person or body having a certain signature device.” ([37]) According to the same law, the certificate of the electronic approval shall contain the following statements: (a) The identity of he provider of the approval services (b) That the person whose identity is set out in the certificate of the electronic approval has the power, at the relevant time, to execute the instrument of signature referred to in such certificate (c) That the instrument of signature has been valid on or before the date of the issuance of the certificate of the electronic approval (d) Whether there are any restrictions as to the purpose or value which the instrument of signature or the certificate of the electronic approval may be used (e) Whether there are various restrictions as to the scope or extent of the responsibility accepted by the provider of the approval services vis-à-vis any person .([38])

It is clear from the above paragraphs that the objective of legislature in the UAE is the same as the objectives of legislators in other countries to secure the genuineness and safety of electronic transaction regarding its content and its source in order to enhance confidence in electronic transaction and to protect the rights of electronic dealers’ safety. In addition, the legislation aims to ensure that the body which is responsible for authentication is carrying on its duties efficiently in such a manner as to be qualified for the subject of trust and credibility by the clients.

Section one

Electronic Authentications Body and its duties

There is no doubt about the concern of the legislator in most states on genuineness of the authenticity of electronic certification of electronic signatures and integrity of the information contained, due to the importance of the role undertaken by the authority of authentication among the dealers with the electronic transactions and to the importance of such certification for them.

The importance of the legal outcome of a certificate of authentication for e-transaction requires strict rules to regulate the duties of the body of the issuing the authentication certificate, which is indeed regarded as independent and impartial Bodies (individuals or companies) .This body has a specialized role as mediator between the dealers with electronic transactions by the issuance of a electronic authentication certificate, and it shall issue such certification after investigation to ensure the accuracy and completeness of all material representations made by parties relevant to the electronic authentication certificate.

Regulation of the conduct of authentication service provider:

Authentication Authority of the various States shall apply similar tasks, among them we mention the following:

1. Determine the identity and eligibility of legal clients.
2. Ensure the genuineness and safety of electronic transaction.
3. Issuance of electronic keys.
4. Issuance of digital signature and certificate documented.
5. Keeping records of private electronic signatures include information on the signatures existing, canceled or suspended.

The European Union has made efforts to organize the duties of electronic authentications body, including approval of the EU Directive No 93 of 1999 ([39]). This defines the ‘certification- service -provider’ as “… an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures” ([40]).

There is no doubt that the spread and prosperity of electronic transactions ([41]) requires promotion of confidence in such transactions, so the EU Directive includes guidance for the duties of the authentication service provider regarding the genuineness, safety of electronic transaction, and evidential weight of the electronic signature. The signature is attributed to the concerned signatory and the correlation of the signature with the concerned transaction, and in addition the data contained therein shall not to be subjected to forgery or alteration or amendment. However, the European Directive does not bind the dealers by its requirement of authentication; it gives them the freedom to resort to it or not.

The UAE Law:

The legislature of the UAE has focused on importance of provider of certification services particularly for its vital role, designated it as provider of certification services, and defined it as “any authorized or recognized person or body issuing electronic approval certificates or any services or jobs pertaining thereto and in respect of the electronic signatures as regulated by virtue of the provisions of this law”([42]).

It is necessary to emphasize that the importance of the role of provider of certification services and its expansions regarding supervision and control of electronic transaction, conservation and investigation of identity of parties, made easy to overcome the difficulties facing the process of establishing of electronic transactions. The seriousness of this role has promoted the legislator in most developed States to organize his duty and develop strict conditions ([43]).

The UAE Federal Law No. (1) of the year 2006 has organized the tasks of certification service provider in detail and, in accordance with Article (22) The Minister of Economy and Planning has issued rules for the regulations and organizing of certification providers in the UAE. These regulations include a set of actions, among them the following: (1) Application for licenses or renewal of licenses of Certification Service Provider (2) Specifying the activities of Certification Service Providers including the manner, place and the method of soliciting his duty (3) Specifying the standards and rules that a certification service provider shall adhere to in this work (4) Specifying the Criteria for the scientific and practical qualifications for provider of certification services (5) Determination of the form and content of an electronic authentication certificate and the digital key (6) Specifying the qualifications which the auditor’s of the provider of certification services should possess, (7) Rules and procedures for inspections and auditing of the activities of provider of certification services, (8) Specifying the Conditions and rules of the organization of any electronic system established by the certification service provider either solely or jointly with other providers of certification services, (9) Specifying the fines and penalties that should be paid in case of violation of the rules governing activities of certification service providers.

Duties of the Authentication Service provider:

In order to establish the necessary guarantees for the flourishing of electronic transactions and their expansion, the UAE legislature has imposed upon certification service providers many and varied duties. In this concern, it states that, “The provider of the approval services shall: (A) Act in accordance with the information submitted by him/her/it in respect of conducting his/her/its activity, (B) Exert a reasonable case to guarantee the accuracy and completion of all the material information submitted by him in connection with the certificate of the electronic approval or embodied therein throughout is validity. (C) Make available means which are reasonably accessible and enable the party relying upon his/her/its services to be sure of the following: (1) The identity of the provider of the approval services, (2) That the person whose identity is set out in the certificate of the electronic approval has the control, at the concerned time, over the instrument of signature referred to in such certificate, (3) The manner used is determining the identity of the signatory, (4) The existence of any restrictions with respect to the purpose or value for which the instrument of signature may be used, (5) Whether the instrument of signature is correct and not subjected to any suspicion, (6) Whether the signatory can give a notice in pursuance of this law, (7) Whether there is a suitable manner for notification of the cancellation of the signature, (D) To provide the signatories with means enabling them to give notice to the effect that the instrument of signature has been subjected to scrutiny and suspicion and to guarantee the availability of the service of cancellation of the signature which can be used in time, (E) To use, in the performance of his/her/its services, trustworthy systems, procedures and human resources, (F) Shall be licensed by the censor of the approval services if he/she/it is valid in the state.” ([44])

Based on the paragraphs of Article 21 it can be deduced that the UAE legislature has imposed on the UAE provider of certification services many and varied duties, some of them concerning its public obligations or concerning the credibility of the content of the Authentication Certificate and others concerning its obligation to provide the means of technical information to assist the parties of the transaction to ensure the accuracy and completeness of data made by the signatory. In this regard we cite here the following observations:

1. From paragraph (a -1) of Article 21, one can deduce that the Certification Service Provider does not have the authority to modify the data provided by the clients, and should issue a certificate of authentication on the basis of this data.
2. In accordance with paragraph (b) of the above Article a certification service provider is committed to exercise reasonable care to ensure the accuracy and validity of the data that is relevant to electronic certificate authentication therein, and this commitment is continuous as long as the authentication certificate is valid. Thus, if the certification service provider breaches this obligation regarding the investigating of the validity of the data which is included in the certificate, he shall be liable for damage suffered by either:

1. A party who has contracted with the Service Provider for the provision of an Electronic Authentication certificate; or
2. Any person who reasonably relies on an E- Authentication Certificate issued by the Certification Service Provider.

In addition, one can deduce from general rules of the UAE Federal Law on E-commerce and Transactions that the authentication service provider is obligated to use sophisticated computer programs which are insured against any penetration, or modification or alteration of the data stored. In addition, it should have specialized staff qualified in the field of information systems, program design and the protection of networks with availability of trust, honesty and diligence in the performance of their duties. It is notable that the certification service provider is required to obtain administrative permission of the Controller of certification services for the exercise of its activity within the State of UAE.

Section Two

Liability of the E-Authentications Body

We have mentioned previously that the authentication service provider is entrusted with its role as mediator between the parties of the transaction, and to promote confidence in electronic transaction ([45]) (e-transaction) and electronic signature (e-signature) through the certificates that are issued.

These certificates ensure the validity of e-signatures and integrity of the data contained in contracts and agreements. In addition, they identify the sender , the receiver, the safety of their expression and the certainty of source of e-transaction.

The importance of the role of authentication body to stabilize the confidence in e-transaction and expand its scope was the motive behind the legislation of most countries to pay attention and issue special rules for the regulation licensing and operating of the authentication service providers. In addition, it was also to ascertain the impartiality of these bodies, and the credibility and safety of their works. The importance and magnitude of this role raises the question regarding the nature and extent of its responsibility to compensate the damage caused to third parties who rely on certificates issued.

It should be observed that this issue has been and is still regarded as a controversial case in most countries of the world, therefore the legal systems in these countries have begun to move towards this issue to designate an appropriate legal framework for it, particularly as the inadequacy of the general legal rules is relived and the need arises to develop special rules to resolve the question of liability.

The nature of the liability of the Authentications body has always raised continuous jurisprudential debate, particularly about its classification under contract or tort liability, their legal consequences toward the Contracting Parties, and the third person in particular with regard to the damage and the burden of proof. It is known that this burden is variable depending on the type of liability, whereas a proof of damage in the contractual responsibility is more easily compared with tort liability. Some international organizations have adopted a contractual responsibility to determine the liability of the body of electronic authentication toward the parties of the transaction. The United Nations Commission on International Trade Law UNCID, and the International Maritime committee (CMI) have contributed in development of contractual liability rules. However, these international efforts have not resolved the controversial debate in the doctrine of various legislation of States. It is known that the contractual responsibility requires existence of a contract between parties of the e- transaction, and this is not always available, particularly regarding the third person who has relied on the certification of service provider. A part of contemporary doctrine has tended to regard this liability as liability of tort. Turning from this generality to the rules that govern the liability of authentication providers in the UAE law of Electronic Commerce and Transactions, determining this liability requires first a definition of the content and nature of its obligation regarding the extent of damage and the size of compensation in the case of a breach of its obligations toward the contracting parties and third party who has relied on the authentication certificate.

The nature of obligations of the certification service provider:

According to the UAE Law, the provider of the approval services shall “exert a reasonable case to guarantee the accuracy and completion of all the material information submitted by it in connection with the certificate of the electronic approval or embodied therein throughout its validity.” ([46])

Through the interpretation of this text can be said that the nature of the obligation imposed on the provider of certification is an obligation of taking reasonable care to verify the accuracy and completeness of all material representation made by him that are relevant to electronic authentication certificate or that is included throughout its validity.

If this commitment is regarded as just an obligation to exercise reasonable care to secure the safety of the authentication of certificate that was issued, that means the responsibility of the service provider shall not stand except in the case where it proves that the damage occurred as result of its fault or negligence. Otherwise the certification service provider shall be discharged from its liability.

In accordance with Article 21/4, if the damage was caused as a result of e-certificate being incorrect or defective, the certification service provider shall be liable for damage suffered by either: (a) A party who has contracted with service provider, (b) Any person who reasonably relies on an electronic approval certificate ([47])

Based on the obligation of the service provider to take reasonable care, one may deduce that this commitment, unlike the obligation of realizing a result, requires that the victim (contracting party) shall prove that the damage has been caused as result of the electronic authentication certificate being incorrect or defective. Otherwise, the certification service provider shall be discharged from its liability, and regarding the third person who has relied on the authentications certificate , one can deduce that the liability of the certification service provider toward him is based on a tort liability, because there is not any contract between the service provider and the affected third party, who has relied on the certificate of the authentications and therefore the victim(third person) should proved a damage and error and a causal relationship. Otherwise he shall not be able to get compensation even though the damage has been caused as a result of the electronic authentication certificate being incorrect or defective. In fact, we don’t support such opinion regarding the liability of authentication body, and we call to unify such liability toward both the contracting party and any person who relies on a electronic authentication certification ,and we shall talk about this later.

The Liability of service provider for compensation:

With regard to compensating damage to the contracting party or a third party as a result of incorrect information contained in the certificate of electronic authentication, we see that is necessary to shed light on some crucial issues.

As we saw previously, according to the paragraph 4 of the Article 21, it appears that the responsibility of the certification service provider of payment of a compensation occurs when damage is incurred by a contracting party or the person who relied on the authentication certificate, and it is clear that the UAE legislature distinguish between the responsibility of the service provider toward the contracting party and the third who relies on the electronic approval certificate to the extent to which such reliance is reasonable.

Based on Article 18 /2 the relying party shall bear the legal consequences of its failure to take reasonable and necessary steps to verify the validity and enforceability of the certificate.

In fact the existence of damage itself is sufficient for the contracting harmed person to deserve a compensation , but for the third party he should, in addition to proving the damage that he incurred, he prove that he relied upon the electronic signature or certificate of electronic authentication to the extent to which such reliance was reasonable, and he should prove that he took reasonable and necessary steps to verify the validity of the certificate. If he fails to prove that he should not be entitled to compensation despite the damage.

Distinction between the responsibility of the body of authentication toward the contracting party and the third person, without any doubt, shall raise a question regarding a distinction between reasonable reliance and non- reasonable reliance.

In fact the UAE law has not determined the concept of reasonable reliance, and has not designated a critical criterion for determining that, but for the purpose of deciding whether it is reasonable for a person to rely upon an electronic signature or an authentication certificate. According to the UAE Federal law, the following factors shall be taken into consideration: (1) The nature of the concerned transaction that E- Signature was intended to enhance, (2) Value or importance of the transaction, if it is known to the party, who is relying on the E-Signature, (3) Whether a person who relied on the E- Signature or E- Certificate authentication had taken appropriate steps to determine the reliability of the E- Signature or E-Authentication Certification, (4) Whether the party relying on the electronic signature has taken appropriate steps to verify that the electronic signature is enhanced, or was reasonably expected to have been enhanced by E- Authentication certificate, (5) Whether the party relying on the electronic signature or electronic certificate authentication knew, or ought to have known, that the electronic signature and electronic certificate authentication had been violated or revoked, (6) Knowledge of previous agreement or course of dealing between the originator and the party relied on the electronic signature or E- Authentication Certificate or any trade custom which may be applicable in this regard, and (6) Any other relevant factor ([48]).

It is clear from the above mentioned Article that the UAE legislature did not define the concept of reasonable reliance, but has issued a set of provisions, taking into consideration whether or not it is reasonable for a person to rely upon of the certificate of authentication. Some of these considerations are due to the nature of the E-Transaction itself regarding its value or importance, and others are due to the position of the person who has relied on authentication certificates. In addition, it must be considered whether his behavior is normal conduct regarding the investigation of the electronic signature, whether the Certificate was enhanced by certification or not, and whether the certificate was valid or had been revoked or withdrawn, and whether its negligent acts or omissions demonstrated clearly and effectively in such manner that his reliance on a certificate of authentication was not reasonable. So it is obvious that the person relying on electronic signature or electronic authentication certificate, if he fails to prove that his reliance is in accordance with above- mentioned article, shall assume the risk that the electronic signature or electronic authentication certificate is forged, which means that the service provider shall be exempted from his responsibility for the damage that has been caused as a result of the electronic authentication certificate being incorrect or defective.

It is clear that, according to the above mentioned Articles of the UAE law, the responsibility should fall on the certification service provider if a contracting party has been harmed as a result of the error or negligence of the service provider, and that he did not take reasonable care to ensure the accuracy of information relevant to the authentication certificate provided by him. Regarding a third party, the responsibility of the authentication service provider should not be fall on it unless the victim proves that it was reasonable for him to rely upon the authentication certificate and all the necessary steps to verify the validity of approval certificate have been taken by him, in addition he should prove a damage and causal relationship between error and damage. From the previously discussion, we can say that the tendency of the UAE legislature is not to restrict the responsibility of the certification service provider. He is only obliged to take just care regarding the safety and completeness of Authentication of the certificate.

In fact the nature of the obligation of the authentication body is not consistent with the importance of the certifications that are issued by it, and the role in consolidating the confidence in electronic transactions and promoting the use of them. In addition, this obligation is not agreeable with the service provider’s ability to use trustworthy systems, procedures and human resources in performing its service. So with all of the financial and human resources that are available for the service provider to verify the validity of information before issuing the certificate, it is not fair to obligate it simply to take care of the safety of the authentication certificate. We also believe that the mitigation of responsibility for the certification service provider does not agree with the UAE legislature’s tendency to inspire confidence in electronic transactions in general, and in a certificate of authentication in particular. Its aims behind all strict procedures regarding certificate authentication are to verify the data message is that of a specific person and to detect error or alteration in the communication, content or storage of a data message or electronic record from a specific point in time, including any procedures using algorithms or codes, identifying words or numbers, encryption, answerback or similar information security devices to ensure validity of the data contained therein.

There is no doubt that this raises a question regarding inconsistency of the position of the UAE legislature which, while obligated as the provider of certification services with a multi-duties according to Article 21, at the same time is not required to take additional reasonable care to insure the accuracy and completeness of the authentication certificates it issues. Here we have a right to raise a question if the request to the certification service provider to verify the accuracy, safety and completeness of electronic transaction is addressed as if it is not a tough task. These heavy tasks which were imposed on the certification service provider did not agree with the text of Article 21/b, which simply required him to carry on a reasonable and customary care, and in this regard we believe that the obligations imposed on the authentication service provider are in reality an obligation of realizing a result and not an obligation of just taking care. It is obliged to ensure the accuracy of statement and is relevant to the certificate of authentication, so its commitment is not temporary but is related to the validity of the certificate. Thus, we can say that the importance of the Authentication certificate and the seriousness of the information contained absolutely is not harmonized with a consideration that the certification service provider should simply be obligated to reasonable care in validating the information. Thus he would not be responsible, unless his negligence or failure to take reasonable care was proved.

The UAE law attaches importance to the authentication certificate by the legal duties imposed on the provider of certification services to enable the contracting party or the third party who relies on the services of identification, to identify the identity of the service provider, have control of the signature device, determine the method used to identify the signatory, and to secure that the signature and authentication certificate associated with the data contained therein is not exposed for forgery or alteration . Based on this analysis, it is clear that the responsibility of the certification service provider in the UAE is in fact strict liability, and shall occur by simple verification of the non-safe information in electronic transaction and, therefore his mere failure to implement its commitment to ensure the safety of the data contained in the certificate of authentication is enough to determine its responsibility for damages incurred. Thus we see that the responsibility for the service provider under the UAE law towards a contracting party or the third party should be based on the assumed error and not an error that should be proven by the victim, therefore liability shall occur if it is proven that the information and data contained in the certificate of authentication is not correct. In fact this shall be regarded as a breach of the obligations of the certification service provider against a contracting party or the third party who relies on electronic signature or electronic approval certificate and rise its responsibility to pay compensation, unless it proves that a force majeure prevented it from the implementation of its commitment regarding securing the safety of authentication certificates.

It is well known that the basis of civil liability is the damage which entitles a victim a right of compensation, and that this damage should personally and really hurt the victim ([49]).

Therefore, a probability of damage should not serve as a basis for compensation and, therefore, if the certification of service provider breach of trust between the dealers with electronic transactions, it shall be responsible for compensation for damage which affects a person relying on this electronic certificate. Regarding the damage caused by using the certificate for a purpose other than that for which it was issued, the victim in this case shall not be entitled to compensation because he violated the instructions of use while using the certificate.

Regarding the allegation that the lack of existence of direct contract between the certification service provider and the third party (as a victim) who relies on a certificate of authentication, shall prevent the occurrence of the liability of the certification service provider ,unless he shall prove the damage and the connection between the error of certification service provider and the damage which is not so easily proved. We believe that the certification service provider’s responsibility shall be achieved on the basis of the rules of the stipulation for the interests of the third person, because a person who has interest of these certificate often requires the certification service provider to ensure a validity of the certificate for the benefit of the third person who relies on this certificate in his dealings. No doubt that the interest of the contracting parties requires the existence of this provision, so the interest of the signatory and the certification service provider are realized when the third person has been trusted in the certificate of authentication. In this regard we see that the relationship between the certification service provider in the UAE and third person is contractual and based on rules of stipulation for the interest of third person and, therefore, the certification service provider shall pay the victim a compensation for damage caused as a result of his reliance on the certificate of authentication and without obligating him to prove that his reliance on this certificate was reasonable. So we believe that any breach of the obligations of certification service provider to ensure the safety of a data contained in the certificate of authentication, shall occur his liability to compensate the victim without obligating him to prove that the certification service provider had committed error or to prove the existence of a causal relationship between error and damage.

The scope of damage due for compensation:

Even though Article 21/4 provided that a certification service provider shall be liable for damages suffered by either: a party who has contracted with him, or any person who reasonably relies on this certificate issued by him. However, the UAE legislature did not put a limit on the amount of deserved compensation for a victim. We think that this compensation does not exceed the damages and losses that are unusual in accordance with the normal course of things and the estimation should be referred to the judiciary that can resolve whether the damage was familiar or unfamiliar. In this regard we support the majority of comparative jurisprudence and English doctrine. which calls on the judiciary to adopt a narrow criterion in determining the damages in order to alleviate the burden of Authentications body of the performance and its functions.

Restrict of the responsibility of the service provider:

In accordance with Article 21 of the Federal Law, one can deduce that the criterion of liability of the certification service provider is based on the legal duty imposed on it to carry on reasonable care to ensure the safety and completeness of the data relevant to the e-certificate of authentication, so his responsibility stands in case of breach of his duty to carry reasonable care. However, that means the service provider shall be liable for damage toward a party who has contracted with it ,or any person who reasonably relies on e-authentication certificate on condition that if there is any damage that has affected them and was caused as result of the certificate being incorrect or defective, the mere fault or negligence of certification service provider does not entail its responsibility as in the case that there was no any consequent damage to the contracting party or to third parties who relied on the certificate of authentication to the extent that such reliance was reasonable.

Burden of proof:

According to the Article as mentioned above, it can be said that the UAE legislature is silent regarding the burden of proving violation of the certification service provider of his duty of exercising reasonable care. We believe that the UAE legislature is obligated to both the third party and contracting party with the service provider to prove just that the latter has breached its legal duty, and neglected to take reasonable care. In addition, the contracting party is not required to prove the damage and the causal connection between the damage and the error. This can be justified according the contractual responsibility of the Service provider toward his contracting party. Regarding the person who reasonably relies on the certificate of the service provider, we think that the UAE legislature has regarded the responsibility of the latter based on the rules of non-contract liability, and that means the victim shall prove the damage and the connection between it and the error of the service provider. There is no doubt that the burden of proof is particularly onerous because of the continued development of technical procedures which are often hard to follow up on by the harmed person. So we do not support the allocation of the responsibility of the certification service provider on the basis of non- contractual liability rules, because there is no distinction between the interest of the contracting party and the third person who has relied on the authentication certificate; both of them have used and trusted it. Regarding the law requires that the third person should reasonably rely on the e-authentication certificate which means that the victim should prove that his reliance was reasonable. We believe this condition is not logical, because any person who uses the authentication certificate realized it, therefore there is no need to prove that such reliance was reasonable. In addition, we think that it is difficult to prove it, and that may lead to discharge the service provider from his responsibility whenever the victim fails to prove that his reliance was reasonable.

Exemption of liability:

The UAE Federal Law provides that “The provider of the approval services shall not be responsible of any damage in the following two cases: (A) If he/she /it inserts into the certificate of the electronic approval a statement restricting the scope and extent of his/her/ its responsibility visa-vis any concerned person, in accordance with the regulations to be issued in this respect, (B) If he/ she/ it proves that he/she/it did not commit any fault or negligence or that the damage arose form an extraneous reason out of his/ her/ its control” ([50]).

Thus, based on this Article the authentication body may restrict its responsibility towards any person related to E- Transaction regarding both of reducing the maximum amount of compensation paid to the harmed party or exclusion of his responsibility for certain transactions involving the use of certificate authentication.

With regard to determining the responsibility of the certification service provider, whether for damages caused to others as a result of their reliance on a certificate or regarding their use of the certificate or limitation of a maximum value of transactions, we believe there is not any relation between the using of the certificate of authentication or its value to the responsibility of the certification service provider. Its responsibility is to ensure the safety and reliability of certificate authentication, regardless of the value of the type of transactions involving the use of the certificate. The body of authentication is able to declare in advance that it is not going to issue a certificate of authenticity if the value of the transaction increases beyond a certain amount, or to specify the type of transactions for which it is not willing to issue a certificate of authentication, and so everyone is aware of this and there is no need to list the special conditions in the electronic certificate.

What is controversial in the UAE Law is the text of Article 21/4, which permits the certification service provider to be exempted from his liability despite the damage inflicted to others due to the non-genuineness of the certificate of authentication in cases where if it proves that it has not committed any fault or negligence or in cases where it proves that the damage resulted from foreign cause.

We believe there is no reasonable justification for this exemption, because if the issuance of the certificate of authentication was defective with any defect detrimental to others, this shall be regarded as a violation of the provider’s obligation to ensure the safety and integrity of the data contained therein. It is supposed to avoid all kind of the negligence or failure for importance and seriousness of its duty, so it is responsible for its failure or neglect in taking all available steps to make sure the credibility of the electronic signature and the data contained in the certificate issued by him, particularly since there is a huge resource of technical capabilities and technological instruments placed at its disposal, in addition to the cadres working for the provider, who have a high level experience and efficiency. Therefore, we believe that exemption of the certification service provider should be permitted only in two cases: first, if he proves that the damage had risen from a foreign cause, and second, if he proves that the person who was relying on the certificate used it, even though he knew that the information contained therein was not genuine.

The UAE legislature position coincides with the position of most States with regard to limitation or exemption of the liability of Certification Service Provider, but the controversy still continues in comparative jurisprudence. This doctrine still raises the question of the impact of terms of limitation of liability on the nature of the obligations imposed on this body. For instance, does any violation of the conditions that set a maximum limit of liability for compensation for the value of electronic transaction, or violation of conditions that limit liability to cases where the certificate is used, have any affect toward the liability of the authentication service provider?

Most of the comparative jurisprudence agrees that the violation of the requirement that sets a maximum value of the transaction, which would be used in certificate authentication, results in a limitation of liability only.

In this regard we see that the interconnection of the duties imposed on the certification service provider and those imposed on the electronic signatory shows that the serious concern of the UAE legislature is to ensure the safety of certificate authentication and to establish confidence in dealing with it. At the same time, its concern does not agree with the requirement that the certification service provider should carry on its duty with reasonable care, even if it is not consistent with area of exemption from responsibility that it granted to service provider . In other words the UAE legislature has on one hand obligated the service provider to exercise reasonable care to ensure the accuracy and completeness of his authentication certificate, and on the other hand has obligated it to carry on a very tough task, particularly as it imposes upon the provider to follow certain procedures to make sure that the information is correct, which means that nature of its obligation is not just taking care, but also of realizing the result. In addition, the UAE legislature does not exempt the signatory from liability in the event of default or neglect toward the duties imposed on it to ensure that the use of signature was authorized and to ensure the accuracy and completeness of all submitted data relevant to the certificate throughout the period of validity. So we can say that the obligation of both the service provider and the signatory have the obligation of realizing the result.

Through the commitment of both the service provider and the signatory, and with the duties imposed on each of them, it is clear that the opportunity for the service provider to discharge itself from its responsibility regarding default or negligence is very close, because the service provider is obliged always to ensure the achievement of the result regarding the safety of the data contained in the certificate of authentication. This means the service provider has no possibility to exempt itself, except in the case of a foreign cause of the damage or in case the victim did not use the certificate in the purposes for which it was given.

Influence of other external factors:

The foreign reason should be unexpected events that consist of the force majeure, such as war or devastating natural disasters which lead to damage or disrupt electronic devices, technical capabilities and human resources available to the certification service provider to conduct the necessary inquiries to ensure the accuracy of the data and certificate of authentication. The foreign reasons may be any event outside the control and the will of the body of authentication, such as where a third party or contracting party took precautionary measures to alter or to disrupt the investigations undertaken by the body of authentication to ensure safety of its certificate authentication. Finally, we call the UAE legislature to unify the responsibility of the service provider, towards both the contracting party and a third party who relies on the authentication certificate, to establish his responsibility on the assumed error, which means if damage has been caused as a result of the electronic authentication certificate being incorrect or defective, the service provider shall be liable for damage suffered by either contracting party, or third person who relied on the certificate issued by the provider, unless it proves that the damage occurred was for unknown reasons or reason beyond its control. So both the contracting party and a third person who relied on the certification shall be released from the burden of proof of the damage, error and the causal connection in cases where damage suffered was by them. They would be able to request a compensation if the E-Authentication certificate was incorrect or defective. In addition we call to change the obligation of the certification service provider regarding performance of his duties from simple obligation of care to the obligation of realizing a result which coincides with the essence of his duties particularly, with his task to ensure the accuracy and completeness of all material representations made by him that are relevant to electronic authentication certificate or that are included throughout its life validity.

Conclusion:

Even though the UAE Federal law No (1) of 2006 has followed the Model Law of the UNCITRAL in order to give validity to electronic correspondence, equate an electronic transaction with written one, accept electronic messages, rely on electronic signatures, and recognize foreign electronic certificates and signatures, it appears through the analysis of legal texts of the electronic authentication certificate and the duties of the certification service provider that the application of rules in the UAE law is not enough to provide full protection to the harmed party who had relied on the electronic certificate issued by the service provider.

In order to accomplish the task of authentication it is necessary to promote the individual to deal with electronic transactions and inspire confidence among them. In order to overcome the difficulties in introducing the electronic form of evidence and to facilitate electronic commerce at national and international levels, we make the following suggestions:

1. If the damage has been caused as a result of the authentication certificate being incorrect or defective, it should be deemed a fundamental a breach of the obligations imposed on him according the law, and there is not any reasonable justification to obligate the victim with the burden of proving the fault of service provider, or compelling him to prove the damage and the causal relationship between error and damage as in the case of third party, particularly obligating him to prove that the service provider has violated his duty to take reasonable care in performance of his duty. It is often difficult , and the difficulty of proving fault is usually due to the complexity of technical procedures , which may lead to exempt the service provider from his responsibility in many cases. I believe if the service provider has failed to ensure the accuracy and completeness of the material representation made by him; he should be responsible for any damage which has been caused as result of his omission or negligence.
2. Electronic Approval Service provider according to the UAE law is required to ensure accuracy, precision and safety of the certificate of authentication and, thus the lack of correct information in the certificate leads to his responsibility and, therefore, exempts him from his liability according to Article 21 in the event if he had proved that he did not commit any fault or negligence is not logical. The essence of his duties restricts him from committing any negligence or omission and, consequently, there is no need to prove that he did not violate the rules of his task in order to be granted exemption from his liability. We see if his certificate was incorrect or defective that shall prove his negligence, and thus there is no justification to grant him exemption, unless he proves that the damage occurred by force majeure was beyond his control. In other words even if, he proved that he had not committed any negligent acts or omissions in performance of his task, he should not be exempted from the responsibility of his failure or omissions to ensure the safety of the certificate of authentication issued by him, because he is obligated to avoid the negligence or omission in performance of his duty.
3. We see there is not any legal justification to link the responsibility of the service provider’s negligence in ensuring the integrity of the certificate of authentication and the reasonable reliance on the certificate by the harmed person. A service provider is responsible for the safety and security of information contained in his certificate and in case of breach of his legal duty he becomes responsible regardless of whether the reliance of the victim on this certificate was reasonable or not reasonable. In addition we see that the mere existence of others using the electronic certificate is decisive evidence of their reliance, and thus no justification for the distinction between reasonable and unreasonable reliance to state the liability of the service provider.
4. Regarding article (21 / IV), which provides that the service provider shall not be liable for any damage if the authentication certificate includes a statement limiting the scope or extent of his liability to any relevant person, and according to the regulation issued in this regard , we believe this determination of the responsibility of the service provider should be confined to the amount of compensation paid by him to the harmed person who relied on a certificate of authentication without the other cases. In this case we call to not over load the service provider with overstrain compensation.
5. In light of the responsibility of the certification service provider and importance of his role in consolidating the confidence in electronic transactions and prosperity, we see the inadequacy of current rules to provide the necessary protection to third person as victim, therefore we believe that the responsibility of a service provider should be established on the supposed error toward both the contracting party and third person ,and the service provider should be responsible simply if he did not secure the safety and the validity of the certificate.
6. There is no doubt that the legal protection of electronic transactions and international trade in particular, requires adoption of international conventions regarding the status of international legal regimes to which all the member states are obligated.

Summary

Given the importance of electronic transactions and encouraging the spread and confidence in their use, besides the efforts to provide a legal framework for the completion of these transactions and documentation, the various States have begun to organize these transactions and to develop their legal rules. The UAE was one of the first Arab countries which organized the electronic transactions. E-commerce law No 2 of 2002 was enacted in Dubai to regulate the terms, contracts and E- commerce transactions, and then E -government project implemented in 2002 provided a suitable environment for interaction between the public and private sectors in order to facilitate the conduct of electronic transactions and the legal validity of electronic documents.

Following the afore-mentioned law, the Federal Law No. 1 of 2006 is issued to facilitate E-business transactions and  support the spread and consolidation of confidence in them. The importance of the role of the provider of certification services in the certification of electronic data transactions and certificates relating to electronic signature was the reason behind the legislature. Most legislation focuses on defining the rights and duties of the certification service provider and the nature of his legal responsibility in order to establish confidence and trust in the minds of dealers in the electronic transactions.

Our reading has shown a lack of rules governing the responsibility of the authentication service provider. The UAE legislature’s direction is to consider this responsibility toward the third person based on the rules of tort which are not appropriate to the importance and role of the certification service provider or with his duties. Therefore, I believe that his obligation toward both the contracting party and third person should be unified , and the service provider shall be bound to achieve a result rather than to simply take care in performance of his duty, and he should not be exempt from his responsibility except in the event of foreign cause .We have suggested the development of special rules to organize the providers responsibility toward both the contracting party and third person on the basis of presumed error, and exempt the victim to prove the causal relationship between fault and damage .

References

• Abdel-Fattah Hegazy, The Legal System for Electronic Commerce, Dar Al-Feker, Alexandria, 2002.
• Ahiz Rashid Al Marri, The Evidential Modem Technological Means to Prove Commercial Contracts, Ph.D. Thesis, Cairo University.
• Diane Rowland & Elizabeth Macdonald, Information Technology Law, Garnish Publishing Limited, London, 2000.
• Hassan Abdel Basset Gumahi, Proof of Legal Actions that Concluded Through the Internet, Dar Al Nahtha Alarabya, Cairo, 2000.
• Holmes, E-Government, E-Business Strategies for Government, Nicholas Brealey Publishing, London, 2001.
• Huda Hamid Kashkoush, Criminal Protection of Trade Across the Internet, Dar Alnahtha Al Arabya, Cairo, 2000.
• Hussein al-Mahi, View of Electronic Commerce, research presented to the First Scientific Conference on aspects of legal and operational security, electronic Conference, Dubai, 2004.
• Ibrahim Ahmed, A Report on the Legal Aspects of Electronic Commerce in Egypt, Center for Information and Decision Support Center, Cairo, 2000.
• Ibrahim Dasooqi Abo Laill, The Unilateral Contracts, Kuwait, 1994.
• Jae K. Shim, Electronic Commerce, Global Professional Publishing, United States of America, 2010.
• Khalid Mustafa Fahmy, The Legal System of the Electronic Signature Legislation in the light of the Arab and International Conventions, Alexandria, 2007.
• Mann Winn, Electronic Commerce, Aspen publisher, New York, 2002.
• Margaret Jane Radin, Internet Commerce, Foundation Press, New York, 2002.
• Medhat Ramadan, The Criminal Protection of Electronic Commerce, a comparative study, Dar Alnahtha Alarabya, Cairo, 2001.
• Mohammed Hassan Rifai Attar, Sales Via the Internet – Dar Aljamiha, Alexandria, 2007.
• Mustafa Mari, Civil Liability in the Egyptian Law, Maktabat Abdullah Wahba, Cairo, 1994.
• Mustafa Said Ahmed, E-commerce in the Next Century, research presented to the Seventh Conference of Agricultural Economists, Cairo, 1999, p2.
• Osama Hassan Abu Mujahid, The Characteristics of the Contract Via the Internet, Conference of law and computer and Internet, Faculty of Law – University of United Arab Emirates, 2000.
• Ronald J. Mann, Electronic Commerce, Aspen Law Business, New York, 2003.
• S. K. Black, Telecommunication Law in the Internet Age, Morgan Kaufman, United States of America, 2002

[1]Diane Rowland & Elizabeth Macdonald, Information Technology Law, Garnish Publishing Limited, London, 2000, p252.

[2] These documents include: (1) -Recommendation on the Legal value of Computer Records (1985), (2) UNCITRAL Model Law on E-Commerce (1996), (3) UNCITRAL Model Law on E-Signatures (2001), (4) United Nations Convention on the Use of E- Communications in International Contracts(2005), (5) UNCITRAL document: Legal issues on international use of E- Authentication and signature methods (2007).

[3]Federal Law No. (1) of 2006 Concerning Electronic Transactions and E-commerce (Gazete Issue No. 442 – 31 January 2006).

[4]Law No. 2 of 2002 of the Emirate of Dubai – Electronic Transactions and Commerce Law (issued on 16 February 2002).

[5]Mann Winn, Electronic Commerce, Aspen publisher, New York, 2002, p244.

[6]Jae K. Shim, Electronic Commerce, Global Professional Publishing, United States of America, 2010, p 2.

[7]S. K. Black, Telecommunication Law in the Internet Age, Morgan Kaufman, United States of America, 2002, p 390.

[8]Ibrahim Ahmed, A Report on the Legal Aspects of Electronic Commerce in Egypt, Center for Information and Decision Support Center, Cairo, 2000, p28.

[9]Medhat Ramadan, The Criminal Protection of Electronic Commerce, a comparative study, Dar Alnahtha Alarabya, Cairo, 2001, pl8.

[10]Holmes, E-Government, E-Business Strategies for Government, Nicholas Brealey Publishing, London, 2001, p914.

[11]Mustafa Said Ahmed, E-commerce in the Next Century, research presented to the Seventh Conference of Agricultural Economists, Cairo, 1999, p2.

[12]Jae. K. Shim, op, cit, p 4.

[13]Id, p 42

[14]These recommendations include (1) Authentication of trade documents by means other than signature, March 1979, (2) Recommendation No. 26: Commercial Use of Interchange Agreements for Electronic Data Interchange, March 1995, (3) Measures to facilitate maritime transport documents procedures, March 1979, it is necessary here to find out that the later one was an obstacle in the path of international electronic commerce, so the amendment of 1994 promoted using of letters of maritime transport and documentation format in Short -Form.

[15]Mann Winn, op, cit, p 245.

[16]Ibid.

[17]Reference here can be made to Jordanian Electronic Transactions Act of 2001, Law of Electronic Commerce of Tunisian, Egyptian, Kuwaiti and UAE laws regarding transactions and electronic commerce.

[18]Article 3 of the mentioned Law.

[19]Article 2 of the Law.

[20]Osama Hassan Abu Mujahid, The Characteristics of the Contract Via the Internet, Conference of law and computer and Internet, Faculty of Law – University of United Arab Emirates, 2000, p 11.

[21]Huda Hamid Kashkoush, Criminal Protection of Trade Across the Internet, Dar Alnahtha A1 Arabya, Cairo, 2000, p9.

[22]Article 1 of the law.

[23]Abdel-Fattah Hegazy, The Legal System for Electronic Commerce, Dar Al-Feker, Alexandria, 2002, p97.

[24]Margaret Jane Radin, Internet Commerce, Foundation Press, New York, 2002, p 372.

[25]Mohammed Hassan Rifai Attar, Sales Via the Internet – Dar Aljamiha, Alexandria, 2007, p 176.

[26]Ahiz Rashid A1 Marri, The Evidential Modem Technological Means to Prove Commercial Contracts, Ph.D. Thesis, Cairo University, p 112.

[27]Hassan Abdel Basset Gumahi, Proof of Legal Actions that Concluded Through the Internet, Dar Al Nahtha Alarabya, Cairo,  p 21.

[28]See German Digital Signature Law (1997).

[29]See Italian Digital Signature Law (1997).

[30]See Electronic Communications Act (2000).

[31]Directive 1999/93/EC of the European Parliament and the council of December 13, 1999, on a community framework for electronic signatures.

[32]Ronald J. Mann, Electronic Commerce, Aspen Law Business, New York, 2003, p 237.

[33] Article 1 of the low

[34]Abed Al-Fattah, op, cit, p 222.

[35]See Article 23 of UAE Law.

[36]Ibrahim Dasooqi Abo Laill, The Unilateral Contracts, Kuwait, 1994, p 86.

[37]Article 1 of the Law.

[38]Paragraph 3 of the Article 21 of the Law.

[39]Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, Official Journal L 013 , 19/01/2000 P. 0012 – 0020.

[40]Paragraph 11 of the Article 2 of the Directive.

[41]Diane Roland, op, cit, p 176.

[42]

Article 1 of the Law.

[43]Hussein al-Mahi, View of Electronic Commerce, research presented to the First Scientific Conference on aspects of legal and operational security, electronic Conference, Dubai, 2004, p 207.

[44]Paragraph 1 of the Article 21 of the Law.

[45]Khalid Mustafa Fahmy, The Legal System of the Electronic Signature Legislation in the light of the Arab and International Conventions, Alexandria, 2007, p 109.

[46]Paragraph 1(B) of the Article 21 of the Law.

[47]The mentioned Article provides for that “If any damage occurs as a result of the incorrectness of the certificate of electronic approval or due to any defect therein, the provider of the approval services shall be responsible of he losses sustained by: A. Each party contracting with the provider of the approval services in respect of the submission of the certificate of electronic approval.

B. Any person relied on a reasonable way upon the certificate of the electronic approval issued by the provider of the approval services.”.

[48]See paragraph 3 of the Article 18 of the Law.

[49]Mustafa Mari, Civil Liability in the Egyptian Law, Maktabat Abdullah Wahba, Cairo, 1994, p 106.

[50]Paragraph 1 of the Article 21 of the Law.