URPERA security requirements

Property Records Industry Association. URPERA security requirements. John Messing ... Almost all federal trial and bankruptcy courts require e-filing ...

1
URPERA security requirements
  • John Messing
  • Legal Update Breakout Session
  • Charlotte, N.C.
  • July 23, 2007

2
URPERA Status
  • STATE ADOPTIONS: Arizona, Arkansas, Delaware,
    District of Columbia, Florida, Idaho, Kansas,
    Nevada, New Mexico, North Carolina, Texas,
    Virginia, Wisconsin
  • 2007 INTRODUCTIONS: Connecticut, Illinois,
    Massachusetts, Minnesota, Missouri, Rhode Island,
    South Carolina, Utah, Washington
  • Source: NCCUSL website, last visited 06/10/07

3
What URPERA does
  • According to NCCUSL:
  • Equates electronic documents and electronic
    signatures to original paper documents and manual
    signatures.
  • Establishes what standards a recording office
    must follow to make electronic recording
    effective.
  • Establishes a board to set uniform statewide
    standards that must be implemented in every
    recording office.

4
Security Protections
  • Standards must include adequate information
    security protection to ensure that electronic
    documents are:
  • accurate
  • authentic
  • adequately preserved
  • resistant to tampering
  • URPERA Section 5(b)(5)

5
Commentary
  • Explains security purposes
  • Authenticity
  • Forgeries
  • Invalid documents
  • Changes during transmissions
  • Preservation
  • Intrusion
  • Tampering
  • Redundancy

6
History of Section 5(b)(5)
  • Added to final NCCUSL draft during American Bar
    Association approval process.
  • Science and Technology Law Section insisted upon
    security
  • Inspired by ABA Standard 1.65 for electronic
    court filings
  • Cryptographic protections: message digests,
    digital signatures, message authentication codes
    and timestamps
  • Accepted by NCCUSL.
  • Principal concern: extension of wholesale
    identity theft on an international scale to
    domestic residential real estate holdings of
    vulnerable classes of US residents, such as
    minorities, elderly.
  • Coincides with historic role of recorders as
    custodians of official, true land records that can
    be reliably used to resolve disputes over title.
  • Corollary of equivalency between paper and
    electronic records.

7
Processes with duties to secure
  • Incoming documents for recording
  • Archived recordings
  • Transmission of recorded information to others
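
Added example (not part of the original presentation): a minimal sketch of how three of the protections named on slide 6 (message digest, message authentication code, timestamp) can make the archived recordings of slide 7 tamper-evident. The key, the sample documents and the ledger layout are constructed for illustration; HMAC is a symmetric MAC, not a digital signature, and the timestamp here is self-asserted rather than issued by a trusted timestamp authority.

```python
import hashlib, hmac, json

# Constructed demo key; an actual office would keep it in protected key storage.
KEY = b"constructed-demo-key-not-for-production"

def _mac(fields: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the entry fields."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def record(ledger: list, doc: bytes, recorded_at: str) -> None:
    """Append an entry binding the document digest, time and previous entry."""
    fields = {
        "seq": len(ledger),
        "digest": hashlib.sha256(doc).hexdigest(),    # message digest
        "recorded_at": recorded_at,                   # timestamp (self-asserted)
        "prev": ledger[-1]["mac"] if ledger else "",  # link to the prior entry
    }
    ledger.append(dict(fields, mac=_mac(fields)))     # message authentication code

def verify(ledger: list, docs: list) -> list:
    """Return the problems found; an empty list means the archive checks out."""
    problems, prev = [], ""
    if len(ledger) != len(docs):
        problems.append("entry count does not match document count")
    for i, (entry, doc) in enumerate(zip(ledger, docs)):
        fields = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(fields), entry["mac"]):
            problems.append(f"entry {i}: MAC mismatch (entry altered)")
        if entry["seq"] != i or entry["prev"] != prev:
            problems.append(f"entry {i}: chain broken (entry removed or reordered)")
        if hashlib.sha256(doc).hexdigest() != entry["digest"]:
            problems.append(f"entry {i}: digest mismatch (document altered)")
        prev = entry["mac"]
    return problems

def demo() -> dict:
    """Run the checks against constructed sample recordings."""
    docs = [b"Deed: Lot 4, grantor A to grantee B", b"Release of lien, Lot 4"]
    ledger = []
    for n, d in enumerate(docs):
        record(ledger, d, f"2007-07-23T10:0{n}:00Z")
    backdated = [dict(ledger[0], recorded_at="2001-01-01T00:00:00Z"), ledger[1]]
    return {
        "clean": verify(ledger, docs),
        "forged_doc": verify(ledger, [docs[0].replace(b"B", b"C"), docs[1]]),
        "backdated": verify(backdated, docs),
        "dropped": verify(ledger[1:], docs[1:]),
    }
```
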

8
Nature of primary duty
  • Duty to protect (ensure) recorded documents
  • Legal duty
  • Imposed upon government
  • Cannot disclaim, unlike vendors
  • Not necessarily satisfied by due diligence in
    vendor selection
  • Subject to sovereign immunity or waiver of it
  • Whether or not uniform standards have been
    adopted(?)

9
Fulfilling Primary Duty
  • Employ suitable technologies within recorder's
    office and for outgoing communications
  • Require suitable technologies to generate and
    transmit filings coming from outside world into
    office unless recording statutes otherwise
    prohibit such a condition.
  • Remain vigilant to technology changes
  • Aging technology is like fish, not fine wine
  • Example: Digital Certificates and Quantum
    Computing

10
Related duties
  • Source: Legal rules and decisions in business,
    not government, context
  • Smedinghoff, Where We're Headed: New
    Developments and Trends in the Law of Information
    Security [1]
  • Three duties
  • Legal duty to protect own information assets
  • Reasonable measures: audits, plans based upon
    risk-assessment for risk management
  • Duty to warn others of breaches
  • [1] Privacy and Data Security Law Journal, Jan.
    2007, 103-138

11
Digital Certificates
  • A specific technology, possibly an information
    security protection
  • Based upon technology of asymmetric encryption
  • Cryptographic keys are derived from complicated
    mathematical calculations that computers cannot
    undo.
  • As computers become more powerful, the keys
    become longer
  • Computationally infeasible
  • Computers bog down trying to crack the numbers.

12
Quantum Computers
  • Based upon properties of subatomic particles, not
    silicon chips
  • Unique superposition property
  • Ability to solve complex mathematical puzzles,
    like asymmetric cryptographic keys
  • Shor's algorithm skips one step completely that
    bogs down conventional computers
  • Correct modulus sticks out of quantum array of
    moduli like a sore thumb
  • Any length key is vulnerable to cracking in
    seconds with full-blown quantum computer
  • 2001: IBM builds 7 qubit computer and factors
    number 15 into its primes. Proof of concept for
    larger computers
  • 2010 to 2015: production models likely to be
    deployed, US or foreign
  • May operate in secrecy
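
Added example (not part of the original presentation): the number-theoretic reduction behind Shor's algorithm, worked on the number 15 mentioned above. The brute-force `order` function is the step that bogs down conventional computers and that a quantum computer replaces with period finding; the rest is ordinary classical arithmetic. Function names are illustrative.

```python
from math import gcd

def order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r % n == 1, found by brute force.
    This search is the expensive classical step; Shor's algorithm obtains r
    by quantum period finding instead."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_from_order(a: int, n: int):
    """Classical post-processing: turn the period r of base a into factors of n.
    Returns (p, q), or None when this base is unlucky and another must be tried."""
    r = order(a, n)
    if r % 2:                  # odd period: a**(r/2) is not defined
        return None
    half = pow(a, r // 2, n)
    if half == n - 1:          # a**(r/2) = -1 (mod n) gives only trivial factors
        return None
    # half**2 = 1 (mod n) with half != +/-1, so n shares a factor with half - 1
    # and with half + 1.
    return tuple(sorted((gcd(half - 1, n), gcd(half + 1, n))))

def try_all_bases(n: int) -> dict:
    """Map every base coprime to n to the factors it yields (or None)."""
    return {a: factor_from_order(a, n) for a in range(2, n) if gcd(a, n) == 1}
```

For 15, six of the seven usable bases yield the factors 3 and 5; only the base 14 fails, because it is congruent to -1 modulo 15.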

13
Risk assessments
  • Non-archival purposes should be safe, prior to
    the introduction of the production quantum
    computers, such as
  • Authentications made using digital certificates
  • SISAC certificates
  • Possibly NNA entity seal
  • Encrypted SSL/TLS sessions used to protect credit
    card data and passwords transmitted over the
    Internet
  • Time delimited authentications made with WSS
    OASIS standards and SAML assertions using
    asymmetric keys
  • Data stored on hard-drives and protected with
    public key encryption
  • Encrypted email in transit
  • No longer safe to use without technology upgrades
  • Conventional digital signatures for long term
    legal documents
  • Regardless of key lengths

14
Role of Standards
  • Collective wisdom
  • Details resolved
  • Not a proprietary system that may be flawed for
    lack of testing
  • Threshold of due diligence
  • Likely to be responsive to technology cycles

15
Some examples of standards
  • W3C: securing XML documents and exchanges
  • XML DSIG
  • XML ENC
  • OASIS: securing e-commerce transactions
  • SAML
  • WSS
  • DSS
  • LegalXML-OASIS Signature profiles: securing
    legal documents
  • ECF TC - Court filings state courts
  • Enotary TC - eNotarizations
  • ISO/IEC/ITU X.509 v.3 (1996) - digital
    certificates
  • IETF S/MIME: encrypt and sign binary files like
    TIFFs and PDFs
  • ABA: Think tanking
  • Digital Signature Guidelines
  • eNotary WhitePaper

16
Courts experience as a guide
  • Court filings are very similar to land office
    recordings
  • Initiated by private and public parties
  • Create official records
  • URPERA 5(b)(5) and ABA e-filing standard 1.65
  • Over 10 years of practical court e-filing
    experience
  • Almost all federal trial and bankruptcy courts
    require e-filing
  • Select state systems: Arizona, New York,
    California, Georgia
  • Many useful lessons learned
  • Similar requirements for security except:
  • Falsified land records may be more attractive to
    criminals
  • No direct access to judges for oversight of
    e-recordings
  • No direct court analogue to closing agents and
    entities
  • Courts do not share the legal responsibilities of
    URPERA

17
Signature Profiles
  • LegalXML ECF 3.01
  • Share common history with ABA Standard 1.65 for
    e-filing security
  • Digital Signature
  • Proxy
  • Symmetric Signature
  • Application Specific
  • Null
  • Being implemented by LegalXML eNotary TC
  • Source for URPERA signature standards

18
Summary
  • URPERA places legal duties on recorders to
    protect information through security standards
    and technologies
  • Requires knowing and implementing appropriate
    technologies
  • Legal liabilities for governments a question mark
    in the event of a breach
  • Commercial context rules useful re risk
    assessments and management
  • Digital signature technology at risk from quantum
    computing as an example of impending seismic
    technology shift
  • Recorders need to stay aware and informed as to
    risks
  • LegalXML standards for courts and notaries
    appropriate
  • Standards are shared experience and knowledge
  • Helpful to meet minimum threshold for due
    diligence

19
Discussion and Questions
  • John Messing
  • Law-on-Line, Inc.
  • (520) 512-5432
  • johnmessing_at_lawonline.biz
  • www.lawonline.biz/JohnMessing