Authentication of Electronic Signatures on Electronically Filed Statements of Account
Federal Register, Volume 78 Issue 123 (Wednesday, June 26, 2013)
Federal Register Volume 78, Number 123 (Wednesday, June 26, 2013)
Proposed Rules
Pages 38240-38247
From the Federal Register Online via the Government Printing Office www.gpo.gov
FR Doc No: 2013-15016
=======================================================================
-----------------------------------------------------------------------
LIBRARY OF CONGRESS
Copyright Office
Docket No. 2013-5
Authentication of Electronic Signatures on Electronically Filed Statements of Account
AGENCY: U.S. Copyright Office, Library of Congress.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The U.S. Copyright Office (``Copyright Office'' or ``Office'') is reengineering certain processes in its Licensing Division to enable cable systems operating under the statutory license governing the secondary transmission of over-the-air television broadcast signals to file Statements of Account electronically. As part of that process, the Office plans to adopt an identity authentication process that will allow for the use of electronic
Page 38241
signatures. The Office proposes revisions to specific rules to account for the changes associated with the implementation of an electronic Statement of Account filing system and seeks public comment on the proposed process and regulatory changes to accommodate the use of electronic signatures.
DATES: Comments due July 26, 2013. Reply comments July 26, 2013.
ADDRESSES: All comments and reply comments shall be submitted electronically. A comment page containing a comment form is posted on the Copyright Office Web site at http://www.copyright.gov/docs/digsig. The Web site interface requires submitters to complete a form specifying name and organization, as applicable, and to upload comments as an attachment via a browser button. To meet accessibility standards, all comments must be uploaded in a single file in either the Portable Document File (PDF) format that contains searchable, accessible text (not an image); Microsoft Word; WordPerfect; Rich Text Format (RTF); or ASCII text file format (not a scanned document). The maximum file size is 6 megabytes (MB). The name of the submitter and organization should appear on both the form and the face of the comments. All comments will be posted publicly on the Copyright Office Web site exactly as they are received, along with names and organizations. If electronic submission of comments is not feasible, please contact the Copyright Office at 202-707-8380 for special instructions.
FOR FURTHER INFORMATION CONTACT: Andrea Zizzi, Office of the General Counsel, Copyright GC/I&R, P.O. Box 70400, Washington, DC 20024. Telephone: (202) 707-8380. Telefax: (202) 707-8366.
SUPPLEMENTARY INFORMATION:
-
Introduction
Section 111 of the Copyright Act (``Act''), title 17 of the United States Code (``Section 111''), provides cable operators with a statutory license to retransmit a performance or display of a work embodied in a primary transmission made by a television station licensed by the Federal Communications Commission (``FCC''). Cable system statutory licensees are required to file Statements of Account (``SOAs'') and pay royalty fees to the Copyright Office. SOAs contain information on a cable operator's channel line-ups and gross receipts for the sale of cable service to the public. Payments made under the cable statutory license are remitted semi-annually to the Office, which invests the royalties in United States Treasury securities pending distribution of the funds to those copyright owners who are entitled to receive a share of the fees.
Since 2007, the Copyright Office has been implementing plans to reengineer the workflow of its Licensing Division (``Division'') for the administration, processing, and recordkeeping of electronically filed SOAs and related documents. The goals of this ongoing effort are manifold: (1) To facilitate the timely processing of SOAs; (2) to enable the Division to better manage its royalty investment accounts; (3) to expedite the availability of SOAs and other records for public inspection; and (4) to better control costs for those who participate in the statutory licensing system.
One of the key reengineering efforts is to digitize the royalty fee collections process. The Office is in the process of configuring and deploying a commercial off the shelf (``COTS'') computer software package as part of an overall business process reengineering effort. The COTS package will support the development of an efficient electronic system for filing, managing, and retrieving Statements of Account, royalty payments, notices, amendments, and other documents related to the work of the Licensing Division. The COTS package will provide the Office with the capability to automate the reengineered processes and provide a platform for managing stakeholders' needs online. The Office has named the new electronic filing system ``eLi'' (``eLi'' or ``Electronic Licensing'').
Central to the success of eLi is the establishment of a robust identity authentication system for the preparation and electronic filing of SOAs. This authentication will be accomplished through an electronic signature process. An authentication system for electronic filings is necessary because: (1) It establishes the identity of the individual(s) preparing the form; (2) it establishes the identity of the individual charged with the responsibility of certifying and signing the SOA during a secure online session; (3) it creates an electronically signed record in a format that accurately reflects the information provided by the cable system as submitted at the time of the electronic signing; and (4) it helps protect digital documents from tampering. In establishing eLi, the Office must revise its regulations to allow for the use of electronic signatures as the means of verifying the identity of the individual signing the SOA \1\ and linking that individual to a specific electronic record.\2\ The Office requests comments on proposed regulations governing the electronic signature process for filing cable Statements of Account.
---------------------------------------------------------------------------
\1\ E-Authentication Guidance for Federal Agencies, OMB 04-04, Sec. 1.3 (Dec. 16, 2003).
\2\ According to Section 106(5) of the Electronic Signatures in Global and National Commerce Act (known as ``ESIGN''), an electronic signature is defined as ``an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.'' ESIGN, 15 U.S.C. 7006(5) (2000). Under Section 2 of the Uniform Electronic Transactions Act (UTEA), the term ``electronic signature means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.'' Unif. Elec. Transactions Act Sec. 2 (1999).
---------------------------------------------------------------------------
-
Background
-
Levels of Authentication
Today, cable companies may utilize a number of employees in the preparation of an SOA. The Office's regulations, however, require that the document be signed by a person of authority, i.e., an owner, partner, or officer of the company who, by signing, certifies that the information in the SOA is complete and accurate. 37 CFR 201.17(3)(14). For eLi filings, the Office seeks to adopt an identity authentication method that will identify each person involved in the preparation of the SOA, authenticate the identity of the person certifying the statement by his or her electronic signature on the document, and secure the information provided in the certified document.
The Office of Management and Budget (``OMB'') manual, E-
Authentication Guidance for Federal Agencies, OMB 04-04, describes the four levels of identity assurance currently used for electronic transactions filed with the federal government that require authentication. In choosing which assurance level is appropriate to authenticate a particular kind of electronic government transaction, the agency must consider the risk factors involved and the level of security required for that transaction. Under the OMB framework, Level 1 provides the lowest security assurance and Level 4 provides the highest, with Levels 2 and 3 providing a mix of security and ease of access to protected documents.
Level 1 authentication methods do not require identity proofing, but they must provide some assurance that the party who electronically signed a protected document is the same individual who transmitted it. Level 1 methods allow a wide range of available authentication technologies to be employed and permit the use of any token methods of Levels 2, 3, or 4.
Page 38242
Successful authentication requires that the electronic signer prove, through a secure authentication protocol, that he or she controls the token. The method does not permit plain text passwords to be transmitted across a network, nor does it require cryptographic methods that block offline analysis by eavesdroppers. Thus, at Level 1, long-
term shared authentication secrets may be revealed to verifiers.\3\
---------------------------------------------------------------------------
\3\ See Electronic Authentication Guideline, NIST Publication 800-63-1, version 800-63-1 (December 2011) (``NIST Publication 800-
63-1'') at vii, http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf.
---------------------------------------------------------------------------
Level 2 provides single factor remote network authentication. Successful level 2 authentication requires that the individual prove, through a secure authentication protocol that utilizes approved cryptology, that he or she controls an access token, such as a password or a PIN number. This kind of authentication method is designed to prevent security threats such as eavesdropper and online guessing attacks. However, the single authentication token is vulnerable to compromise via replay, on-line guessing, and verifier impersonation.\4\
---------------------------------------------------------------------------
\4\ Id. at vii-viii.
---------------------------------------------------------------------------
Level 3 identity authentication will provide appropriate security for authentication of electronic signatures on Statements of Account. Level 3 provides multi-factor remote network authentication. At this level, identity proofing procedures require verification of identifying materials and information. Level 3 authentication is based on proof of possession of a key or a one-time password through a cryptographic protocol. As the second step, it requires cryptographic strength mechanisms that protect the primary authentication token (secret key, private key or one-time password).\5\
---------------------------------------------------------------------------
\5\ Id. at viii.
---------------------------------------------------------------------------
Level 4 authentication generally applies only to those systems managing access to highly sensitive information. Level 4 is structured to provide the highest practical remote network authentication assurance. Level 4 authentication is based on proof of possession of a key through a cryptographic protocol. Only ``hard'' cryptographic tokens are allowed. Level 4 also requires strong cryptographic authentication of all parties and all sensitive data transfers between the parties.\6\
---------------------------------------------------------------------------
\6\ Id.
---------------------------------------------------------------------------
The Copyright Office has conducted an internal assessment of the protocols necessary to secure and certify electronically filed Statements of Accounts. The Office notes that SOAs are made readily available to the public for inspection, and has concluded that once filed, cable system SOAs and related documents do not contain highly sensitive or confidential information. Based upon these findings, the Office has determined that it need not implement the most exacting security protocol for the authentication of the electronic signatures, meaning that Level 4 would be unnecessarily burdensome, given the low security risk. At the same time, the Office has determined that it is necessary to implement an authentication mechanism that guarantees that a particular individual has performed a certain task. Unfortunately, neither Level 1 nor Level 2 authentication will provide sufficient ``proof'' to link an individual to a specific filing.
The Office does believe that Level 3 authentication methods are well suited for the authentication of electronic signatures on SOAs and related documents. Level 3 methods are utilized by financial institutions \7\ and government agencies \8\ that have found level 3 methods to provide sufficient security for their work products and operating environments. The Office believes that a two-step authentication process will provide the necessary balance between ensuring the security of the information provided by the cable operator in the SOA while allowing remote authentication of the identity of the individual who has legitimate access to sign and certify the SOA. ``Two-factor'' authentication, integral in the Level 3 security framework, provides the required level of confidence necessary to establish in a consistent and secure manner the connection between the signing individual and his/her action as it relates to electronically filed SOAs. Moreover, this level of identity authentication provides safeguards against fraud consistent with the criminal provisions under title 18 of the United States Code.\9\
---------------------------------------------------------------------------
\7\ Level 3 authentication is prevalent among financial institutions. IDManagement.gov, Trust Framework Provider Adoption Process (TFPAP) For Levels of Assurance 1, 2, and non-PKI 3 28-36, http://www.idmanagement.gov/documents/TrustFrameworkProviderAdoptionProcess.pdf. In 2005, the Federal Financial Institutions Examination Council (``FFIEC'') provided guidance, indicating that commercial banking/brokerage businesses have been using out of band authentication for years. Federal Financial Institutions Examination Council, Authentication in an Internet Banking Environment 11, http://ithandbook.ffiec.gov/media/28059/frb-sr_05_19.pdf. The FFIEC gave U.S. banks until the end-
of-year 2006 to implement two factor authentication, which is part of the level 3 authentication system. Slashdot, Banks to use two factor authentication by end of 2006. http://it.slashdot.org/story/05/10/19/2340245/Banks-to-Use-2-factor-Authentication-by-End-of-2006.
\8\ Among other government entities, the General Services Administration (``GSA''), the Internal Revenue Service (``IRS''), the Drug Enforcement Administration, and the United States Patent and Trademark Office have implemented level 3 for authentication purposes. The submission page for the GSA states that all submitted digital authentication certificate(s) must be level 3. General Services Administration eOffer/eMod, http://eoffer.gsa.gov/eoffer_docs/aces_information.htm.
The IRS requires level 3 or level 4 authentication. IRS Remote Access for Data Centers, http://www.irs.gov/privacy/article/0,,id=208067,00.html. Internal Revenue Service, Modernized e-File (MeF) Guide for Software Developers and Transmitters 171, http://www.irs.gov/pub/irs-pdf/p4164.pdf.
The Drug Enforcement Administration asserted that ``the use of . . . Assurance Level 3 identity proofing and two-factor authentication . . . will provide security commensurate with the current paper-based prescription system, and will meet statutory obligations of the CSA.'' Drug Enforcement Administration, E-
Authentication Risk Assessment for Electronic Prescriptions for Controlled Substances 32, http://www.deadiversion.usdoj.gov/ecomm/e_rx/risk_assessment_dea_218.pdf.
In 2008, the United States Patent and Trademark Office clarified that Level 3 authentication was needed for submission of documents other than an initial application. United States Patent and Trademark Office, Legal Framework For EFS-Web 4, http://www.uspto.gov/patents/process/file/efs/guidance/legalframework_2008.pdf.
\9\ Title 18 U.S.C. 1001 states as follows:
(a) Except as otherwise provided in this Section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully--(1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry; shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in Section 2331), imprisoned not more than 8 years, or both. If the matter relates to an offense under chapter 109A, 109B, 110, or 117, or Section 1591, then the term of imprisonment imposed under this Section shall be not more than 8 years.
---------------------------------------------------------------------------
There are different methods for implementing a ``two-factor'' Level 3 authentication process, and each has its strengths and weaknesses. In this category are key fobs,\10\ digital certificates,\11\ USB tokens,\12\ smart
Page 38243
cards,\13\ biometrics,\14\ out of band options, and virtual tokens. After considering cost factors, ease of use, infrastructure constraints, and the level of security provided, the Office expects to pursue either an out of band option or a virtual token option for digital authentication purposes. The Office's proposal is guided by the knowledge that banks, insurance companies, and federal agencies (i.e., the Internal Revenue Service) have implemented these two methods and have found them to be effective.
---------------------------------------------------------------------------
\10\ A key fob is a small hardware device with built-in authentication mechanisms. The key fob controls access to network services and information. The user identifies his or her cell phone and/or email address to be used with the fob and the system to which he or she is accessing stores the information along with the user ID and other details.
\11\ A digital certificate is an electronic document that uses a digital signature to bind a public key with an individual using such information as the name of a person or an organization. The certificate, obtained from Microsoft, VeriSign, or other firm, can be used to verify that a public key belongs to an individual.
\12\ USB Tokens are designed to securely store an individual's digital identity. These portable tokens plug into a computer's USB port either directly or using a USB extension cable. When users attempt to login to applications via the desktop, VPN/WLAN or Web portal, they will be prompted to enter their unique PIN number. If the entered PIN number matches the PIN within the USB Token, the appropriate digital credentials are passed to the network and access is granted. PIN numbers stored on the token are encrypted for added security.
\13\ A smart card, chip card, or integrated circuit card is any pocket-sized card with embedded integrated circuits. Smart cards support multiple authentication factors (PIN, fingerprint template, digitally signed photo), and provide a way to digitally sign and encrypt security documents, other data, communications and transactions. Smart chip-based credentials allow individuals to use their identities safely, quickly and widely and trust that their personal information remains private.
\14\ Biometrics are technologies used for measuring and analyzing a person's unique characteristics. There are two types of biometrics: behavioral and physical. Behavioral biometrics are generally used for verification while physical biometrics can be used for either identification or verification. Fingerprint biometrics are common for digital authentication purposes and are best for devices such as cell phones, USB flash drives, notebook computers and other applications where price, size, cost and low power are key requirements.
---------------------------------------------------------------------------
Virtual tokens. A virtual token is a hash \15\ of unique system characteristics paired with the standard username and password. Virtual tokens work by sharing the token generation process between a Web site and the individual's computer. They have the advantage of not requiring the distribution of additional hardware or software. In addition, since the user's computer communicates directly with the authenticating Web site, virtual tokens are resistant to ``man-in-the-middle attacks'' \16\ and similar forms of online fraud. In most respects, virtual tokens function like the fob (physical) token noted above, but without the added costs. Some of the benefits of a virtual token authentication method are that the measure is simple to implement, its software is easy to configure, and neither the Office nor the user would require special equipment. However, a key drawback to using virtual tokens for identity authentication related to SOA forms is that with this method, authentication can only be implemented from previously identified computers connected at a specific site.
---------------------------------------------------------------------------
\15\ A ``hash'' is a unique and permanent code or value generated from the contents of an electronic document at the time of submission.
\16\ ``A ``man-in-the-middle attack,'' also known as a bucket brigade attack, fire brigade attack, or sometimes a Janus attack, is a form of active eavesdropping in which the attacker (an impersonator) makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection. In fact, though, the entire conversation is controlled by the attacker, who intercepts all messages between the two victims and injects new messages.
---------------------------------------------------------------------------
Out of Band (Email/SMS). Out of band authentication is a security confirmation system that provides an added layer of protection to validate certain transactions. It uses a separate, discrete pathway (``out of band'') to authenticate an individual's identity while performing online transactions. It can be performed either by text messaging or by email. When a user logs into a particular Web site, a numeric code is sent via Short Messaging Service (``SMS'') to either a cell phone or email address on record. Upon receiving the code, the user must to enter it on a secure Web page to verify his authenticity.
Some of the benefits of out of band authentication techniques are: (1) They are easy to implement; (2) the software is simple to configure; and (3) they do not require specialized equipment. Another key benefit of out of band authentication is that unlike virtual tokens, out of band options do not require a participant to use the same computer at the same location, and therefore are more practical for some operators who have several different individuals working on a particular SOA. Out of band security is tied to a specific user but is not tied to a specific computer at a particular physical site. Because of this flexibility, the Office believes that the out of band option may be a more workable approach to implementing electronic signatures for most operators.
The SOA signature authorization method adopted by the Office must also comply with the Federal Information Processing Standards (``FIPS''). FIPS are standards developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors.\17\ The levels of the digital authentication discussed above, which are known as cryptographic modules, are outlined in FIPS 140.2. Based on the Office's understanding of virtual tokens and out of band methods, the Office tentatively concludes that these Level 3 authentication methods conform to FIPS.
---------------------------------------------------------------------------
\17\ Under the Information Technology Management Reform Act (Pub. L. 104-106), the Secretary of Commerce must approve standards and guidelines for Federal computer systems that are developed by the National Institute of Standards and Technology (``NIST''). See NIST Publication 800-63-1, http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for government-wide use. NIST develops FIPS when there are compelling Federal government requirements, such as for security and interoperability, and there are no acceptable industry standards or solutions.
---------------------------------------------------------------------------
-
Proposed Identity Authentication Procedure
Access to eLi will be predicated on security-based user roles that allow each cable operator to control who has the authority to prepare various elements of the SOA. Cable operators have advised the Office that under the filing system currently in place, often the person who signs/certifies the paper SOA is not the same person or persons charged with doing other preliminary tasks related to the preparation of the SOA and the issuance of the required royalty payment. Under either of the proposed Level 3 electronic identity authentication systems, each person needing access to the document during the preparation phase would be able to gain access to the body of the SOA document, while the system would only give electronic access to the certification page of the SOA to the person of authority who was pre-designated by the cable operator to be the signer. Regardless which authentication method is ultimately chosen, ``approval'' of an SOA will mean the simultaneous certification and signing of the document by the appropriate official.
The Office envisions that the digital authentication and signing process would work with either a virtual token or an out of band system. In closely evaluating the two systems, we concluded that the out of band option would be the more practical one, and propose adopting that option. Under either Level 3 option, the person(s) responsible for preparing an SOA on behalf of a cable system would be able to log onto eLi using a previously established user name and password, and the system would authenticate each one as a ``preparer.'' The same procedure would be followed by any reviewer of the ``draft'' SOA, such as a company officer or attorney.
After the preparers and reviewers have produced a completed version of the body of the SOA in eLi, the person charged with signing and certifying the document on behalf of the cable system would follow a different procedure to electronically approve and sign the document. The signer could be a person who prepared the document or could be someone else with statutory authority to sign it. Like others with access to the SOA, he or she would log onto eLi using a previously established user name and
Page 38244
password, and the system would ``identify'' him or her as the signer authorized to complete the certification process. ELi would then send the signer a code that provides access for a virtual token or out of band authentication of the signer's identity.\18\ Once the signer has successfully completed the authentication process, he or she would then follow a procedure to obtain, electronically approve, and electronically sign the final version of the SOA.
---------------------------------------------------------------------------
\18\ If we adopt an out of band authentication method, the authentication code would be sent via email correspondence to the signer's pre-identified mailbox.
---------------------------------------------------------------------------
The Copyright Office anticipates that the system will display a ``notice of consent to electronic records,'' and the signer would have to ``accept'' the terms of the notice of consent. Once accepted, the system would display the SOA for approval. The signer would have the opportunity to review the SOA, enter an ``S-signature'' \19\ and his title, and then complete the transaction by entering a ``key'' to indicate that the SOA is being electronically signed.
---------------------------------------------------------------------------
\19\ An S-signature is a signature, made by electronic or mechanical means, that is inserted between forward slash marks.
---------------------------------------------------------------------------
ELi is being designed to save the details about the electronic signature process for each SOA filed. It will use the electronic ``key'' to generate hash from the contents of the electronically filed SOA. The hash of the SOA will help ensure that the approved SOA is not changed after approval. The electronically-signed document will identify the signer of the document, the date the document was signed, and the information provided at the time of submission.
-
Proposed Regulations
To effectuate the process for electronic identity authentication as a part of eLi, the Office proposes new regulations governing the electronic signing and certification process. Currently, Section 201.17(e)(14) provides that each Statement of Account filed under Section 111 shall contain the handwritten signature of the owner of the cable system or a duly authorized agent of the owner, if the owner is not a partnership or a corporation; or a partner, if the owner is a partnership; or an officer of the corporation, if the owner is a corporation. The signature must be accompanied by (1) the printed or typewritten name of the person signing the SOA; (2) the date of signature; (3) if the owner of the cable system is a partnership or a corporation, the title or official position held in the partnership or corporation by the person signing the SOA; (4) certification of the capacity of the person signing; and (5) a declaration of the veracity of the statements of fact contained in the SOA and the good faith of the person signing in making such statement of fact.
Under eLi, an electronic signature will be substituted for the handwritten signature, and the other requirements will remain in place for filing a SOA. ELi will include a two step authentication procedure to identify the person completing the certification process. As explained above, the person with authority to certify the accuracy of the information in and sign the SOA will access the certification Section of the SOA using the two step authentication process, approve the form, provide his or her title or official position in the organization, and sign the form using an electronic ``S-signature.'' This process will also apply to the filing of SOA amendments.
1. Purpose and Scope
The proposed Section will be placed at the end of Section 201.17(e) as a new Section (e)(15), because the electronic signatures on an electronically filed SOA will be considered part of the contents of the SOA. Proposed Section 201.17(e)(15) sets forth the purpose and scope of the new authentication and signature protocol. The regulation addresses the criteria under which the Office will consider electronic records and electronic signatures to be trustworthy, reliable, and generally equivalent to handwritten signatures executed on paper. The regulation applies to SOA records and related documents \20\ in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in Section 201.17. Where electronic signatures meet the other requirements of Sections 201.17(d) and (e), the Office will consider the electronic signatures to be equivalent to full handwritten signatures, initials, and other general signings required by Copyright Office regulations. Electronic records that meet the requirements of this regulation may be used in lieu of paper records unless paper records are specifically required.
---------------------------------------------------------------------------
\20\ ``Related documents'' would include attachments related to the SOA submission and documents submitted in response to a request from the Licensing Division.
---------------------------------------------------------------------------
2. Definitions
Proposed Section 201.17(e)(15)(i) would codify terms and definitions pertinent to electronic document authentication and electronic signatures on SOAs. The Office has created six new definitions:
(A) ``Authentication'' is a cryptographic or other secure electronic technique that allows the Copyright Office to authenticate the identity of an individual who signs and certifies a Statement of Account or related documents and to determine that the Statement or related documents were not altered, changed, or modified during their transmission to the Copyright Office.
An ``electronic signature'' is a signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
A ``handwritten signature'' is the scripted name or legal mark of an individual handwritten by that individual on a document or other writing and executed or adopted with the present intention to authenticate the signed document or other writing.
A ``password,'' is confidential authentication information composed of a string of characters.
The term ``token'' refers to an item necessary for user identification when used for the authentication of a signature.
3. Signature Parameters
Proposed Section 201.17(e)(15)(iv) sets forth the functional requirements for tying the signer with the electronically filed SOAs. The Office proposes that electronically signed electronic records shall contain information that clearly indicates the following: (1) The printed name of the signer; (2) the date and time the signature was executed; and (3) the title of the signee.
The proposed regulation also specifies that each electronic signature is unique to one individual and shall not be reused by, or reassigned to, anyone else within the cable system.
4. Authentication Protocols
Proposed Section 201.17(e)(15)(v) establishes authentication components and controls for a Level 3 authentication protocol. Level 3 authentication requires at least a two factor authentication process and is based on proof of possession of a cryptographic key. Typically, a key may be used only during a limited time period, i.e., up to 30 minutes. Each SOA must contain the signature of the appropriate certifying official. In some instances, one person will be responsible for signing multiple cable SOAs. The proposed system will allow a signing official to use a single electronic signature that automatically applies multiple signature time stamps
Page 38245
to a batch of SOAs submitted by the multiple system operator (``MSO'') during a single session, as explained below. In this way, a series of SOA submissions and electronic signings are made with one ``signing'' executed and initiated by the individual during one continuous period of controlled system access while the key remains valid. If the key's validity expires before all of the multiple SOAs are electronically signed with time stamps, a new key may be requested to complete the certification and signing process. Section (e)(15)(iii) provides that if the signing individual executes one or more electronic signings that are not performed during a single, continuous period of controlled system access, the signer must reinitiate the authentication process to proceed with the signing.
5. Batch Submissions
Proposed Section 201.17(e)(15)(vi) addresses the submission of multiple SOAs by the same cable operator in one group or ``batch'' filing. The Office proposes that eLi be configured to enable a cable operator to choose to file multiple SOAs with a single ``submit'' key. The single electronic signature by the appropriate individual would be automatically applied to all SOAs in the batch with a separate recognizable electronic signature stamp and time stamp for each individual SOA comprising the batch. The proposed rule specifically states that batch or bulk filings of electronically filed Statements of Account would be permitted so long as the cable operator complies with paragraphs (3) and (4) of the regulation.
-
Other Rule Revisions
The shift from a paper filing system to an electronic filing system necessitates an examination of existing rules to see what needs to be changed to facilitate the transition. The Office has identified the following regulations as being in need of updating. There may be other rules that may be affected by the switch to electronic filing, but it is difficult to predict all conceivable changes at this time.
1. Accounting Periods and Deposits
Section 201.17(c)(2) establishes rules regarding accounting periods and the depositing of royalties under the cable statutory license. This rule needs to be updated to reflect the advent of electronic filing. The rule contains a reference SOAs being ``physically received,'' which implies that a hard copy version of SOAs must be submitted to the Office. An update is necessary to remove the term ``physically'' from the regulation, to reduce any confusion.
2. Forms
Section 201.17(d)(1) explains where the public may obtain a physical copy of the Statement of Account form. This reference has been in the Office's regulations since 1978, but is irrelevant in an e-
filing environment. During the transition to all-electronic filing, the Office proposes to retain this portion of the regulation to accommodate any remitters who may need to use the current SOA forms rather than immediately file on the new online filing system. The SOA forms are currently available either at www.copyright.gov or by contacting the Licensing Division at: Library of Congress, U. S. Copyright Office, Licensing Division, 101 Independence Avenue SE., Washington, DC 20557-
6400. The Office proposes amending the regulation to reflect this different procedure for obtaining hard copy SOA forms, and anticipates that such forms will ultimately be phased out.
3. Handwritten Signatures
Section 201.17(e)(14) sets forth the handwritten signature requirements for cable systems filing hard copy Statements of Account. The Office understands, as explained above, that even after the transition to an e-filing system, there will for some time remain certain instances in which cable operators will need to file physical versions of the SOA forms. For example, paper filings may still be necessary where cable operators must back-file SOAs for accounting periods that ended before eLi becomes operational (i.e., covering an accounting period such as January 1-June 30, 2011). The Office anticipates that there will be very few instances in which this mode of filing will still be warranted. Nevertheless, the Office proposes to maintain the current handwritten signature requirements, but modify Section 201.17(e)(14) to include a reference to the new electronic signature requirements.
4. Copies of Statements of Account
Current Section 201.17(l) requires cable operators to file an original and one copy of a Statement of Account with the Licensing Division. The Office proposes to retain this requirement to address those limited instances where paper filings are still necessary. However, the Office plans to amend this rule to clarify that when a licensee files a SOA via eLi, only one electronic form need be filed with the Licensing Division because digital copies can easily be made if the situation so warrants. This will reduce unnecessary filings and work burdens.
5. Signatures and Certifications Related to Corrections, Supplemental Payments, and Requests for Refunds
Current Section 217.17(m) outlines the procedures to be followed by a cable operator who seeks to correct a SOA, submit a supplemental royalty fee payment for deposit, or request a refund of royalty fees already paid. Section 217.17(m)(3)(iii)(B) outlines the procedure to be followed where the operator's calculation of the royalty fee payable for a particular accounting period was incorrect, and the amount deposited in the Copyright Office for that period was either too high or too low. The regulation requires the cable operator to submit an affidavit or statement that indicates that the corrected information is signed and certified as made in good faith under penalty of perjury. The affidavit or statement must describe the reasons why the royalty fee was improperly calculated and include a detailed analysis of the proper royalty calculations. The Licensing Division has accepted under this provision amended SOAs that have been signed and certified by the appropriate party in Space O of the statement, because the certification language in Space O is the equivalent of a sworn affidavit or statement in accordance with Section 1746 of title 28 of the United States Code.
The Office posits that it would be appropriate to retain this provision for requests to correct the royalty calculations made in SOAs that were not filed and signed electronically, so long as such statements are still accepted by the Office. However, the Office proposes to amend the regulation to codify the Division's current practice of accepting the filing of a signed and certified amended SOA in lieu of the sworn affidavit or statement required by the regulation, so long as the amended statement (with any pertinent attachments), describes the reasons why the royalty fee was improperly calculated and includes a detailed analysis of the proper royalty calculations.
The Office has also determined that for SOAs that were originally filed and signed under the eLi system, the electronic signature verification process will satisfy the signature and certification requirements set out in the current Section 201.17(m)(3)(iii). As with paper submissions, the Office would require that electronic amended Statements of Account include, either on the amended statement itself or in an
Page 38246
attached document, an explanation of why the royalty fee was improperly calculated and a detailed analysis of the proper royalty calculations.
-
-
Conclusion
The Office hereby seeks comment from the public on issues raised in this Notice related to the authentication of electronically filed Statements of Accounts, the establishment of proposed rules for electronic signatures, and the concomitant rule changes necessary to implement the new proposed regulations. If an interested party identifies any additional pertinent issues related to the authentication of electronic signatures on SOA forms that have been filed on eLi, the Office encourages the party to bring those matters to its attention.
List of Subjects in 37 CFR Part 201
Copyright.
Proposed Regulation
For the reasons set forth in the preamble, the Copyright Office proposes to amend part 201 of title 37 of the Code of Federal Regulations as follows:
PART 201--GENERAL PROVISIONS
0
1. The authority citation for part 201 continues to read as follows:
Authority: 17 U.S.C. 702.
0
2. Amend Sec. 201.17 by:
0
-
Revising the first sentence of paragraph (c)(2), the last sentence of (d)(1), paragraphs (e)(14) introductory text and (e)(14)(iii)(A) and (B);
0
-
Adding paragraph (e)(15); and
0
-
Revising paragraphs (l) and (m)(3)(iii)(B).
The revisions and addition read as follows:
Sec. 201.17 Statements of Account covering compulsory licenses for secondary transmissions by cable systems.
* * * * *
(c) * * *
(2) Upon receiving a Statement of Account and royalty fee, the Copyright Office will make an official record of the actual date when such statement and fee were received in the Copyright Office. * * *
* * * * *
(d) * * *
(1) * * * Copies of Statement of Account forms are available online at www.copyright.gov/forms or upon request to the Library of Congress, Copyright Office, Attn: 111 Licenses, 101 Independence Avenue SE., Washington, DC 20559.
* * * * *
(e) * * *
(14) The handwritten or electronic signature of:
(iii) * * *
(A) The printed name of the person signing the Statement of Account;
(B) The date of signature, for handwritten signatures on statements that are not filed electronically, or, the electronically created date and time stamp for electronically filed and signed statements.
* * * * *
(15) For signatures on and certification of Statements of Account, each statement must include either a handwritten signature or an electronic signature of a person designated in paragraph (e)(14) of this section. Signing the Statement of Account signifies that the signer has examined the statement and certifies that all statements of fact contained therein are true, complete, and correct to the best of the signer's knowledge, information, and belief, and are made in good faith.
(i) For purposes of this section:
(A) Authentication is a cryptographic or other secure electronic technique that allows the Copyright Office to authenticate the identity of an individual who signs and certifies a Statement of Account or related documents and to determine that the statement or related documents were not altered, changed, or modified during their transmission to the Copyright Office.
(B) An electronic signature means a signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified. Each electronic signature shall be unique to one individual and shall not be reused by, or reassigned to, anyone else.
(C) A handwritten signature is the scripted name or legal mark of an individual handwritten by that individual on a document or other writing that is executed or adopted with the present intention to authenticate the signed document or other writing. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark.
(D) A password is confidential authentication information composed of a string of characters.
(E) A token is an item necessary for user identification when used for the authentication of a signature.
(ii) Each electronic signature shall require electronic authentication. Electronic authentication shall require use of both an identification code and a password to obtain a random generated key for access to the Statement of Account for the purpose of signing the statement.
(iii) When an individual executes one or more electronic signings not performed during a single, continuous period of controlled system access, each new electronic signing or signings shall require the signer to reinitiate the authentication process.
(iv) Electronically signed records shall include information that clearly indicates:
(A) The printed name of the signer;
(B) The date and time the signature was executed; and
(C) The title of the signer.
(v) Each Statement of Account must contain the signature of the appropriate certifying official. The verification of the electronic signature of that official must be accomplished by use of an authentication system determined by the Register of Copyrights. The electronic signature authentication process shall be based upon the signer/certifier's proof of possession of a cryptographic key that would provide that person with access to the certification page of the document being electronically signed.
(vi) A cable official of a multiple system operator may, during a single period of controlled system access, use a single electronic signature to sign/certify multiple Statements of Account so long as the official complies with paragraphs (3) and (4) of this Section. Once such official electronically signs the certification page of the first in a series of related statements, the electronic licensing system will in the same signing session automatically apply multiple electronic signatures and time stamps to some or all of the statements in the batch. If the cryptographic key expires before all of the multiple statements are electronically signed and time stamped, to complete the batch certification and signing process the official must request a new key and begin a new period of controlled system access.
* * * * *
(l) Copies of Statements of Account. If a licensee files a Statement of Account electronically, the licensee shall file one electronic copy of the Statement of Account with the Licensing Division of the Copyright Office.
* * * * *
(m) * * *
(3) * * *
(iii) * * *
(B) In the case of a request filed under paragraph (m)(1)(ii) of this Section, where the royalty fee was miscalculated
Page 38247
and the amount deposited in the Copyright Office was either too high or too low,
(1) If the original Statement of Account was not filed and signed electronically, the request must be accompanied by an affidavit under the official seal of any officer authorized to administer oaths within the United States, a statement in accordance with Section 1746 of title 28 of the United States, made and signed in accordance with paragraph (e)(14) of this Section. In the alternative, the cable operator may choose to file an amended Statement of Account signed and certified in Space O of the amended statement. The affidavit, statement, or amended Statement of Account shall describe the reasons why the royalty fee was improperly calculated and include a detailed analysis of the proper royalty calculations. If the filing official chooses to file an amended Statement of Account, this additional information may be included on the Statement of Account itself or may be set out in a written document attached to the Statement of Account.
(2) If the original Statement of Account was filed and signed electronically, the filing official of the cable system shall electronically sign and file in accordance with paragraph (e)(15) of this Section an amended Statement of Account. The amended statement shall include on the amended statement itself, or in an attached written document, an explanation of why the royalty fee was improperly calculated and a detailed analysis of the proper royalty calculations.
* * * * *
Dated: June 18, 2013.
Maria A. Pallante,
Register of Copyrights.
FR Doc. 2013-15016 Filed 6-25-13; 8:45 am
BILLING CODE 1410-30-P
-
