home page

Law Firms   ::   Tax Consultants   ::   Intellectual Property Law Firms   ::   Immigration Law Firms   ::   Property Law Firms


The 21st Birthday of the Electronic Bill of Lading: With Age Comes Maturity
© 2003 Carsten Schaal & Lex e-Scripta, INTER-LAWYER.com.  All Rights Reserved.


Chapter 2: Technical Basis of the Electronic Bill

In the paper-based system of shipping documents, the shipper normally receives the bill of lading from the carrier after the goods have been loaded aboard.[1] In order to obtain documentary credit in an international sales transaction, the shipper then endorses the bill to a bank in his country.[2] This bank is usually chosen by the issuing bank, which is a bank in the buyer’s country. After verification of the bill the shipper’s bank then endorses it against payment to the issuing bank, which finally transfers the bill of lading to the buyer. As the order bill of lading is a negotiable document of title and represents the goods in transit, it gives the bank rights over the goods themselves as a security for the advance.[3] On arrival of the goods the buyer can then represent it to the carrier who will release the goods from his vessel to the person in possession of the original paper bill of lading. The regular and lawful bill of lading holder is the only person who is entitled to demand the delivery of the goods.[4]

The objective of a replacement of this well-established traditional bill of lading process by electronic means is to hold on to all its important features – apart from the issuing of a physical paper document. Some of the functions are relatively easy to replace, as long as it merely concerns information to be sent via a computerised system.[5] However, in order to replace the function of a document of title, it is ‘necessary to send proof of title’ by electronic means.[6]

The general basis on which all attempts of computerized or electronic communication are based is called ‘electronic data interchange’ (E.D.I.).[7] This system was designed to facilitate trade without any form of documentation and it rather functions as a closed system of electronic communications between commercial parties.[8] The E.D.I. network connects the computers of businesses with each other and data streams or electronic files are sent via telephone lines[9] to the trading partner in question. The contained information is secured by a so-called ‘private key’, which is issued in substitution for the document of title. The current holder of this key is the rightful person to obtain possession of the commodities. If the goods are sold through the E.D.I. network while in transit, the existing private key is cancelled and replaced by a new key issued to the person entitled to control the goods.[10]

2.1. Digital Signatures

Such a private key needs to be secured against fraud and unauthorized alteration when being sent by electronic means. To ensure a sufficiently high level of security in electronic commerce, today’s computer world uses the techniques of digital signatures.

It is absolutely necessary to fully understand the rather complicated procedure of digital signatures. Only when it has become clear how this electro-technical mechanism proceeds, it can be argued that the electronic bill of lading in question is an acceptable substitute for the traditional bill in maritime commerce.

Essentially, a digital signature verifies a person’s identity. These electronic[11] signatures can be classified in two categories: first, in key-based encryption and secondly, in biometrics.[12] The latter ones use ‘physical characteristics such as voice and face recognition’[13], iris scanning and fingerprints[14]. However, for the scope of this dissertation only the former signatures are relevant and will be dealt with.

These key-based digital signatures authenticate an electronic message with the public key infrastructure (PKI), a method that consists of two keys - a public key and a private key – and the mathematical cryptography technique.[15] The public key infrastructure is also known as asymmetric key cryptography.[16]

Encryption of information is the scrambling[17] of data files from a plaintext into a ciphertext[18], so that only a person with the appropriate key can make it readable again. The keys work as a pair, meaning that a given public key will only decrypt messages coded with its associated private key and vice versa.[19] Therefore, if an author sends his message by encrypting it with the public key of the receiver, then only the receiver has the possibility to decrypt the message with his private key. This is the way confidential notes can be sent. On the other hand, a message that is encrypted with the private key of the sender can be decrypted by everyone with his public key. If the decryption works and produces a readable signature, then the message must have come from the sender since his private key was used to encrypt it in the first place.

Most importantly therefore, private keys must be kept as secret as possible and not shared with any other party involved.[20] Only if these essentials are observed, the public key infrastructure will work correctly.

Although the mathematical cryptography technique behind the described encryption and decryption of digital signatures is very sophisticated, a short look shall be devoted to it as this process gives the system its exceedingly high level of security.

Cryptography of digital signatures is based on mathematical algorithms.[21] The best known algorithm used in this process is the RSA algorithm, named after its inventors Rivest, R.L., Shamir, A., and Adleman, L.[22] This algorithm is a mathematical transformation based on the multiplication of two large prime numbers. A prime number is a number that has no divisors except for 1 and itself, e.g. 5, 7, 13, or 17. The multiplied primes as well as their product are used to form the two keys, i.e. ‘the public key is the product of two randomly selected large prime numbers, and the secret key is the two primes themselves’.[23] The reason why this applied algorithm is extremely secure is because of the great mathematical difficulty to find the two prime factors of a large number, and of finding the private key from its relating public key.[24] As there are infinitely many prime numbers, it is said that a 128 bit public key would – with enough computing power to check one trillion of these numbers a second – take more than 121,617,874,031,562,000 years to crack.[25]

Before cryptography is used to secure the document, the signer’s software applies a ‘hash’ function to the original message.[26] This hash function computes the ‘message digest’ of the plaintext to be signed. It compresses bits of the data, e.g. the total number of characters and their value in a document, to a fixed-size hash value which is a representation of the message unique to that particular message.[27]

The software then encrypts the message digest with the user’s private key into the final digital signature, attaches it to a document and sends it to the receiver. Thereafter, the receiver’s software decrypts the signature with the sender’s public key and ‘hashes’ it back into the message digest. If the message hashes back to the former hash value it is proved that the message has not been altered by an unauthorized person.[28]

From the above procedure we learn that an electronic document which is secured with a digital signature can hardly ever be tampered by a third person. Therefore, once the message is saved on the hard drive of the recipient or some other electronic medium suchlike a diskette or a self-written compact disc, it is just as much evidence of the contractual communication as a paper document is.

Hence, an electronic bill of lading which was secured with the aforesaid cryptography mechanism is equally to a traditional bill of lading concerning its functions as a receipt for the goods shipped and as proof of evidence of the contract between the shipper and the carrier.

However, as mentioned above, the real difficulty concerning electronic bills of lading is their function as a negotiable document of title. It was already said that in order to fulfil this requirement, it is necessary to send proof of title by electronic means.[29]

2.2. Certification Authorities

In the computerized, electronic-based world this requirement of proof of title is provided by a trusted third party called the ‘Certification Authority’ (CA)[30]. These certification authorities are independent but state-controlled bodies that issue and sign qualified digital certificates. They are also responsible for the renewal and revocation of digital certificates.[31] Such an electronic authentication certificate contains information concerning the identity of the CA, the subscriber’s identity, the expiration date of the certificate, a serial number as well as a number representing the holder’s ID, and finally the public key that is associated with that identity.[32] The digital certificates themselves are then digitally signed by the certification authority.

By these means the certification authorities ensure that an encryption key emanates from the person from whom it purports to originate.[33] Therefore, the buyer of goods that are in transit knows that the seller is the person entitled to the goods, if he encrypted his offer with a public key that was issued by a certification authority. Furthermore, the carrier knows that he can release the goods to the consignee, if he received an encrypted and signed certification naming the new consignee.

In other words, the institution of certification authorities is similar to a notary public, who compulsory states that the document in question is an original and unaltered record. As the CA-bodies are state-controlled and need to fulfil certain standards themselves, they are trustworthy and can therefore function as an independent third party to the contract.

For that reason the verification of the parties’ identity by the certification authorities can be regarded as a substitute for the paper-based document of title. A qualified digital certificate by a CA is the guarantee that the two keys of a digital signature encrypt a negotiable document of title.

These digital signatures that are verified by a CA are also known as ‘advanced digital signatures’, as they fulfil the four additional requirements imposed by the EU Electronic Signature Directive (1999/93/EC).[34]

The above description of digital signatures has demonstrated the way electronic documents can be secured today is indeed a matter of great security. However, this arena is subject to day-to-day changes and developments. News emerges on a regular basis that even greater, faster and better algorithms have been invented[35] or - on the other hand – that some key size has been cracked[36].

2.3. Comparison to the Traditional Bill of Lading

Notwithstanding the above, a look at the traditional paper bill of lading discloses even greater shortcomings in respect of security matters.

In order to forge a paper-based bill of lading, it is simply necessary to issue a second faked set of documents and distribute it to potential new buyers or to a different, unauthorized consignee. Obviously, the original and rightful signature on the bill of lading must be copied or falsified. Using this method, an ‘entire bill of lading may be counterfeited, (...) the quantity of the goods may be altered, and the consignor may fraudulently sell the same goods two or three times to different buyers’.[37] It could even be possible to trade with goods that do not exist[38] or to seek for documentary credit with nonexistent securities.[39]

In comparison, such forgery is much more difficult with electronic bills of lading. Unless the defrauder is able to crack the cryptographic code - which was shown above is computationally infeasible to do – there is no way that a third party can issue a faked set of electronic documents. This is impossible because every electronic document which is not encrypted with a digital signature approved by a certification authority will be deemed by other parties to be inconsistent with the requirement of using qualified, digital certificated key encryption.[40]

2.4. Conclusion

The evaluation in this second chapter has proved that the complicated technical and computerized processing of electronic bills of lading does not only fulfil the first and second requirements of the traditional bill of lading, but also provides a solution for the aspect of negotiability. The function of the certification authority as a trusted third party enables merchants in international sales to believe in the rightful possession of goods and to regard the e-bill as a negotiable and transferable document of title.

Beyond that, it has become clear that electronic bills of lading are much more secure than the traditional bills in regard of forgery matters. The mathematical algorithms with which cryptography works are far beyond the human comprehension and it is unlikely that a new mathematical breakthrough will be achieved in the near future in order to break down the innumerable number of primes in question. Additionally, the development of constantly growing bit seizes[41] makes it more and more difficult for unauthorized individuals to decipher the secret codes.

[1] Faber, Shipping Documents and EDI, note 19 above, p. 74; Wilson, Carriage of Goods by Sea, note 9 above, p. 121, 122.

[2] Wilson, Carriage of Goods by Sea, note 9 above, p. 140.

[3] Todd, Banker’s Documentary Credits, note 2 above, p. 13; Wilson, Carriage of Goods by Sea, note 9 above, p. 141.

[4] Margetson, Nigel, „Bill of lading: Who picks up the bill?”, 17 (4) P&I International 2003, p. 17.

[5] Todd, Banker’s Documentary Credits, note 2 above, p. 155.

[6] ibid.

[7] See e.g. Asay, Alan, “Drafting electronic bills of lading”, 3 (9) Int. Journal of Shipping Law 1999 (hereinafter “Asay, Drafting e-bills”), p. 212; Bainbridge, Computer Law, note 32 above, p. 263; Burden, EDI and Bills of Lading, note 5 above, p. 269; Faber, Shipping Documents and EDI, note 19 above, p. 73; Faber, Diana, “Electronic bills of lading”, Lloyd’s Maritime and Commercial Law Quarterly 1996 (hereinafter “Faber, E-Bills”), p. 233; Heard, Sîan, “E-bills: Will they Deliver?”, at www.legamedia.net/legapractice/singlair-roche-temperley/2000/00-10/0010_heard_sian_ebills.php (hereinafter “Heard, E-bills: Will they deliver?”), p. 2; Reed/Angel, Computer Law, note 1 above, p. 299, 321-326; Todd, Banker’s Documentary Credits, note 2 above, p. 154.

[8] Reed/Angel, Computer Law, note 1 above, p. 299.

[9] See Gordon, Judith R.; Gordon, Steven R., Information Systems – A Management Approach, 2nd edition, Dryden Press: Forth Worth 1999 (hereinafter “Gordon/Gordon, Information Systems”), p. 281.

[10] Faber, E-Bills, note 41 above, p. 233; Wilson, Carriage of Goods by Sea, note 9 above, p. 172. This procedure is also embodied in the CMI (Comité Maritime International) Rules for Electronic Bills of Lading, article 7 (b). The CMI Rules were adopted in 1990 and can be incorporated into contracts of carriage.

[11] The terminology of ‚digital’ and ‚electronic’ signatures may change within the assignment. See Mason, Stephen, “The evidential issues relating to electronic signatures, Part I”, 45 (Jan/Feb) Amicus Curiae 2003 (hereinafter “Mason, Evidential issues to electronic signatures”), p. 22.

[12] Floisand, Mark, „What are digital signatures?“, 10 (3) IT Law Today 2002 (hereinafter “Floisand, Digital signatures”), p. 30; Chissick, Michael; Kelman, Alistair, Electronic Commerce: Law and Practice, 2nd edition, Sweet & Maxwell: London 2000 (hereinafter “Chissick/Kelman, E-Commerce”), p. 164.

[13] Floisand, Digital signatures, note 46 above, p. 30.

[14] Chissick/Kelman, E-Commerce, note 46 above, p. 164; Mason, Evidential issues to electronic signatures, note 45 above, p. 22.

[15] Corbitt, Terry, “Encryption and Digital Signatures“, 167 (13) Justice of the Peace 2003 (hereinafter “Corbitt, Encryption and Digital Signatures”), p. 234; Floisand, Digital signatures, note 46 above, p. 30; Gordon/Gordon, Information Systems, note 43 above, p. 299; Morrison, Phil, “Formal requirements in digital signatures”, 13 (4) Construction Law 2002 (hereinafter “Morrison, Formal requirements in digital signatures”), p. 31; Reed/Angel, Computer Law, note 1 above, p. 312-313; Todd, Banker’s Documentary Credits, note 2 above, p. 160-162; http://livinginternet.com/?i/is_crypt_sig.htm; www.ssh.com/support/crypography/introduction/algorithms.html.

[16] Edwards, Lilian; Waelde, Charlotte, Law & the Internet – a framework for electronic commerce, 2nd edition, Hart Publishing: Oxford 2000 (hereinafter “Edwards/Waelde, Law & the Internet”), p. 39 mention that the counterpart of asymmetric key cryptography is symmetric key cryptography, which works faster as it uses smaller numbers of bits. However, it is not as secure as the asymmetric or public key cryptography. A famous example of an symmetric key algorithm was the Data Encryption Standard (DES).

[17] Corbitt, Encryption and Digital Signatures, note 49 above, p. 234; Reed/Angel, Computer Law, note 1 above, p. 312.

[18] Chissick/Kelman, E-Commerce, note 46 above, p. 155; www.ssh.com/support/crypography/introduction/terminology.html.

[19] Chissick/Kelman, E-Commerce, note 46 above, p. 157; Corbitt, Encryption and Digital Signatures, note 49 above, p. 234; Edwards/Waelde, Law & the Internet, note 50 above, p. 39; Gordon/Gordon, Information Systems, note 43 above, p. 299.

[20] Corbitt, Encryption and Digital Signatures, note 49 above, p. 234.

[21] An algorithm is an explicit description how a particular computation should be performed, see at www.ssh.com/support/crypography/algorithms/asymmetric.html.

[22] Asay, Drafting e-bills, note 41 above, p. 220 and note 24; Chissick/Kelman, E-Commerce, note 46 above, p. 156; Reed/Angel, Computer Law, note 1 above, p. 312; see www.rsasecurity.com.

[24] ibid.

[25] ibid., p. 3; see also in great detail and slightly differentiated Reed/Angel, Computer Law, note 1 above, p. 312-313 and notes 46 and 49, who mentions the required figures N, Kp (for the public key, used for encryption) and Ks (the secret key, used for decryption).

[26] Joslin, Debra; Summerville, Rett, “Digital Signatures”, 13 (4) Trolley’s Practical Audit & Accounting 2002 (hereinafter “Joslin/Summerville, Digital Signatures”), p. 45.

[27] Chissick/Kelman, E-Commerce, note 46 above, p. 157 and note 29; Joslin/Summerville, Digital Signatures, note 60 above, p. 45; www.ssh.com/support/crypography/introduction/hash.html.

[28] Chissick/Kelman, E-Commerce, note 46 above, p. 157; Joslin/Summerville, Digital Signatures, note 60 above, p. 45.

[29] See page 9 and note 40.

[30] Corbitt, Encryption and Digital Signatures, note 49 above, p. 234; Morrison, Phil, “E-Commerce: Formal Requirements in Digital Signatures”, 7 (1) Construction & Engineering Law 2002 (hereinafter “Morrison, Digital Signatures”), p. 26; Shum, Clement; Ko, Sai-Hong, “Electronic Transactions Law in Hong Kong”, (2) International Trade Law Quarterly 2000 (hereinafter “Shum/Ko, Electronic Transactions in Hong Kong”), p. 103; Sinisi, Vincenzo, “Digital Signature Legislation in Europe”, 16 (1) Butterworths Journal of International Banking and Financial Law 2001 (hereinafter “Sinisi, Digital Signature Legislation”), p. 20.

[31] Shum/Ko, Electronic Transactions in Hong Kong, note 64 above, p. 103.

[32] Compare Corbitt, Encryption and Digital Signatures, note 49 above, p. 234; Morrison, Digital Signatures, note 64 above, p. 27.

[33] See Edwards/Waelde, Law & the Internet, note 50 above, p. 42.

[34] These are according to Art. 2 (2) of the Directive that the electronic signature a) is uniquely linked to the signatory, b) is capable of identifying the signatory, c) is created using means that the signatory can maintain under his sole control, and d) is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. Compare Sinisi, Digital Signature Legislation, note 63 above, p. 18.

[35] E.g. the invention of an algorithm called ‚Pretty Good Privacy’ (PGP), which combines symmetric and asymmetric algorithms, see Edwards/Waelde, Law & the Internet, note 50 above, p. 41; or the newest invention of ‘Wireless Encryption Technology’ by RSA Security for mobiles etc., see www.corporate-ir.net/ireye/ir_site.zhtml?ticker=RSAS&spript=410&layout=-6&item_id=394480 (March 26th, 2003).

[36] http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci896016,00.html (article by Hurley, Edward, „Experts: Encryption not a security cure-all“, April 28th, 2003).

[37] Yiannopoulos, Ocean Bills of Lading, note 3 above, p. 19.

[38] ibid., p. 18; Todd, Paul, Modern Bills of Lading, 2nd edition, Blackwell Scientific Publications: Oxford 1990 (hereinafter “Todd, Modern Bills of Lading”), p. 262.

[39] Yiannopoulos, Ocean Bills of Lading, note 3 above, p. 18.

[40] The establishment of certification authorities is a legal requirement which is embodied in the UK Electronic Communication Act 2000.

[41] Standard bit seizes today are 64-bit, 128-bit and 256-bit, but there are also cryptosystems with 512-bit or even 2048-bit; compare www.ssh.com/support/crypography/introduction/strength.html.

© 2003 Carsten Schaal & Lex e-Scripta, INTER-LAWYER.com.  All Rights Reserved.

back to Lex e-Scripta

Add to Favourites  Publish an article  |  Free Listing  |  Advertise  |  Add URL  |  Currency Converter  |  Search

About Us  |  Contact Us  Links  |  Become an Editor  |  Terms & Conditions  |  Privacy Policy

Content & Design © 2000-11 INTER-LAWYER.com