Statement of Daniel Greenwood,
Deputy General Counsel for the Information Technology Division,
Commonwealth of Massachusetts
Before the
Committee on Commerce, Science, and Transportation, United States Senate
July 15, 1998.
 

Mr. Chairman, members of the Committee, thank you for the opportunity to testify today on Senate Bill 2107, the Government Paperwork Elimination Act.  I am the Deputy General Counsel for the Information Technology Division of the Commonwealth of Massachusetts.  I am here today in that capacity to share some of the experiences we have had at the state government level as we have attempted to implement the same types of efforts that are the centerpiece of S.2107.  Though making forms available for filing over the Internet is only a part of the complex combination of legal, business and technical challenges related to bringing government into the information age, it is a logical and constructive step.  This legislation will help to move the federal government in the right direction.

The Commonwealth of Massachusetts supports the basic principle that government should fully utilize information technologies as a means to control costs and to enhance the quality of government services.  Making the federal government more accessible via the Internet will be advantageous to Massachusetts citizens, businesses and to our state government as well.  All businesses and citizens of the Commonwealth would potentially benefited from the bill you consider today because we all must interact with the federal government.  The use of forms comprises a significant portion of that activity.  The ability to retrieve, complete and submit such forms over the Internet will create a more efficient, less costly and higher service quality experience for citizens and businesses who are obliged to interact with the federal government through the use of forms.  Similarly, the state government of Massachusetts, as an organization, has many interfaces with our federal partners.  The regulation of health care, banking and financial services, public safety, environmental affairs and transportation constitute just a few activities which bring state government into direct contact with incalculably numerous federal forms on a daily basis.  Clearly, the ability to complete, authenticate and transmit these forms over the Internet would be a welcome innovation from the point of view of a state government.

The benefits associated with making government available for business online are potentially great.  See the Online Government Task Force Report for the Commonwealth of Massachusetts [www.state.ma.us/itd/onlinegv/] for our view of the efficiencies, cost reductions and service quality enhancements that result from making government accessible via the Internet.  However, legislation can be an overly blunt tool for use in the delicate and dynamic realm of Internet transactions.  From the perspective of a state government that has experience implementing such initiatives, I would urge the Committee to consider the potential difficulties with provisions of the bill as currently drafted which seem to favor use of a particular business model, such as the trusted third party model, and a use of a particular technical implementation, such as digital certificates.

Given the rapid growth, number of options and dynamic change that characterize the electronic commerce marketplace, federal legislation of this type must stop short of picking technology winners and losers before the market has finished evolving the best solutions.  The Senate version of this legislation adds language that addresses this concern:  Section 7 (c) of S.2107 provides that the technical standards specified by the Department of Commerce be "technology neutral" and not favor any one industry sector.  This would, it is hoped, hold open the gates of choice in government procurement rather than locking into a solution that may become obsolete in a quick changing market, or worse, which may itself stifle innovation by private sector competitors for whom the federal market is significant.  This last point is especially true with respect to this legislation, given the fact that it not only effects the market for direct federal procurement, but also the vast array of private systems in use by every citizen and business that use federal forms.  Technology neutrality in legislation should involve more than avoiding industry bias.  The current draft provisions in the Senate version should be either broadly interpreted to address technologies rather than just industries or it should be amended to reach the intended goals of the bill.

Section 7 of both the Senate and House versions of this bill would also require the Department of Commerce to develop standards for the use of digital signatures which are "compatible with standards and technology for digital signatures used in commerce and industry and by State governments."  It will be critical for government at all levels to maintain technical standards that are consistent with the standards and technology used in commerce and industry generally.  This section indicates that federal standards should be consistent not only with private sector standards, but also with those of the state governments.  This is a refreshing and welcome provision and I predict it will engender significant good will among the states in support of the difficult and large-scale goals of this legislation.

The Commonwealth of Massachusetts and several other states participate in any number of technical and standards setting bodies in which we attempt to maintain a consistent face of government at the state and federal levels.  Section 7 of S.2107 serves as an important signal from Congress that the federal government is serious about working with states to prevent the possible introduction of conflicts between our approaches.  At the same time, the legislation avoids direct preemption or other methods to force state government compliance with federal standards.  I believe this approach by the federal government will be appreciated by state officials who are working on the same problems and who recognize that we really are all in this together, at all levels of government.  S.2107 articulates a way to harness the solution-oriented activity at state and federal levels collaboratively.  This standard should apply to the entire set of technical issues related to making federal forms available for filing over the Internet, not only for the special issues associated with digital signatures.

Another significant provision in Section 7 would require the Department of Commerce to set standards that assure "a digital signature shall be as reliable as is appropriate for the purpose for which an electronic message containing a digital signature is generated, in light of all the circumstances, including any relevant agreement."  This language is consistent with legislative initiatives at the state and international levels.  The United Nations Commission on International Trade Law first popularized this general language in their Model Law on Electronic Commerce.  Since then, the concept has gained wide attention in state law reform efforts, including by the National Conference of Commissioners on Uniform State Law.  This concept is important because it would assure a rule of proportionality between the security and authentication measures that are selected and the genuine level of safety required based upon a cost, benefit and risk assessment for a given transaction.

The reliability associated with security and authentication for a given form will differ depending on the context in which the form exists.  The differences will not only be quantitative (i.e.: "how much security is needed") but also qualitative (i.e.: "what kinds of technology are appropriate for this transaction, given the parties, business and existing systems").  Certainly, questions like "how much money is at risk" and "is there private data involved" are classic issues to address and will vary depending on the particular form.  Beyond such basic issues, implementers will also need to consider such question as whether they are dealing with a relatively closed and sophisticated community, like a set of under 100 large companies that file a particular regulatory form on a regular basis.  In such a case, existing communications channels may suffice to provide the needed security and authentication.  In cases where any member of the citizenry might spontaneously and for the first time file a form, then the technical and practical solutions may well be different.

Some existing requirements for signatures on forms may need to be reassessed as the forms are made available online.  Some signature lines on forms enjoy absolutely no requirement basis in law or common sense but exist only because at some point in the past someone put it there.  The process of putting so many forms on the Internet will reveal many opportunities to reformulate the need to authenticate the filer.  There are several situations in the Commonwealth of Massachusetts where we have found that online forms can be processed with no special identification and authentication of the filer - even where a payment may be required to fulfill the requested form.  In these cases, our more precise requirements analysis demonstrated that there was no need for additional levels of costly authentication technology or regulatory mandates on the filer.  Again, see the Online Government Task Force Report for more details and examples of the Massachusetts experience.

Generally, the provisions of the current legislation that provide goals and outcomes for implementers should be favored over provisions that detail technical requirements within the statute itself.  For example, the requirement in Section 2, which would mandate that online forms be "substantially identical in content and requirements to any corresponding paper versions" may provide too much detail regarding the final implementation requirements.  I can think of any number of examples where forms that have been put online have been significantly improved to take advantage of the additional functionality of the digital media.  Requiring online forms to be "substantially identical" to "corresponding" paper forms may chill improvement and perpetuate flaws.  Unless this type of language is amended, then words like "identical" would have to be interpreted as "identical in purpose" or "similar in form."  Too often, the well intentioned technical specificity found in legislation of this type ends up creating barriers to the most efficient and highest value implementations.  The legislative trick is to create definite mandates and a basis for accountability to perform the online function (getting federal forms online within a time limit in this case) while providing the implementers with sufficient flexibility to avail themselves of the best options in a swiftly changing environment.

The provisions of Section 7 of the Government Paperwork Elimination Act would require federal standards setters to tailor technical requirements for security and authentication to the actual needs of a given transaction.  This will save money on unnecessary levels of security and will align incentives to use the right market-based solution for the particular transactional challenge at hand.  Naturally, every form will not have a special process, but nor should every form be required to meet the same process.  Section 7 recognizes the need for some flexibility to match the technical and business solutions to the forms to be filed.

As the federal government begins the process of setting the technical and business practice standards necessary to carry out this legislation, I hope the appropriate officials and technicians will consider working collaboratively with state governments working on the same issues.  Our systems at the state and federal levels are inter-related and in many cases are inter-dependent.  There are often corresponding state and federal forms covering the same subject matter.  From the point of view of the citizen, we have a duty to coordinate our online presence at least enough to avoid unnecessary burdens related to conflicting or inconsistent approaches at our respective levels of government.

The National Automated Clearinghouse has served as a promising forum in which state, federal and private sector participants have already begun to tackle some of the more subtle issues around digital signature and related standards.  The non-profit organization CommerceNet has been a very important association in which the private sector has come forward to arrive at technical and practical solutions that meet business and public policy requirements for privacy and security.  Both state and federal government members participate along with innovative technology companies at CommerceNet because public and private sector approaches must be coordinated.  In addition, the National Association of State Information Resource Executives, the National Association of State Procurement Officers, and the National Association of State Comptrollers have recently formed the Electronic Commerce Coordinating Council (EC3) to promote information sharing and consistent approaches regarding these issues at a state government level.  The EC3 has recently passed a resolution that encourages, among other things, technology neutrality and market based solutions in electronic commerce legislation at the state, federal and international levels of governance.  I will make available to the Committee a running list of such relevant initiatives at www.tiac.net/biz/danielg on the Internet.

I hope you will not hesitate to ask if I can be of any assistance to you as you continue to consider these important issues.  On behalf of the Commonwealth of Massachusetts, I thank you for the opportunity to participate in this important hearing and to contribute another perspective for your consideration.  Thank you.