Electronic Signatures Dissertation
ELECTRONIC SIGNATURES - The Electronic Signature Regulations in the UK are Expected to Provide a Framework Which Will Increase the Use of Electronic Signatures and Ensure the Installation of Practical Electronic Certification Systems. However, Given the Speed at which Technological Solutions Evolve, the UK Legislation Will Have to Follow Such Developments Closely, with a View to Keeping the Relevant Codes and Ordinances Up To Date. Is the Legal Framework that has been Developed in the UK to Regulate Electronic Signatures A Positive Development?
Section 1 Introduction
1.1 Aim and Objective
The aim of this thesis is to discuss and explore the legal implications of digital signatures. The thesis will look at whether the electronic signature regulations in the UK are expected to provide a framework which will increase the use of electronic signatures and ensure the installation of practical electronic certification systems. It will also consider the speed at which technological improvements and systems are occurring. Finally, it will consider whether the legal framework that has been developed in the UK to regulate electronic signatures is a positive development, or whether it is perceived as a negative development that brings with it as many problems as it solves. This will be achieved by looking at the various domestic, European and international legislation that is in place and the implications of that legislation. This thesis intends to explore the various security issues associated with electronic signatures and to look at the issues raised in relation to identity. It also aims to explore both the technological and legal limitations of digital signatures.
1.2 Introduction to Electronic Signatures
Handwritten signatures have always been generally accepted as giving sufficient certainty as to the signer's identity for a great many transactions. Handwritten signatures serve two main purposes, authentication and integrity, and by various technological means electronic signatures have sought to achieve the same level of authentication and integrity. This is achieved successfully in most instances, and digital signatures appear to be becoming an alternative to the more traditional handwritten signature, if not a suitable replacement.
Under both the European Directive and the UK ECA, an "electronic signature" is defined generally as data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of identification. This might include, for example, using your name on an email and sending it from an identifiable email address.
That said, it is also evident that digital signatures bring with them a whole host of new difficulties in relation to data protection, security and the advancement of technology. Reliance on digital signatures alone causes concern because a key pair may be created by an individual who then fraudulently represents the key pair as belonging to another person or entity. This is partly addressed through verification by a certificate authority. A certificate authority is a trusted third party (e.g. the post office or a bank) that will satisfy itself as to the identity of an individual or company. This is done by, for example, checking an individual's passport or driver's licence details, or a company's corporate documents and returns. The certificate authority will then issue a digital certificate signed with its own digital signature, which the user will attach to its own digital signature as proof of identity.
The Law Commission's report "Electronic Commerce: Formal Requirements in Commercial Transactions" sought to address some of the limitations that exist in relation to digital signatures and considered whether or not various forms of electronic communications satisfy the current definitions of the terms "writing", "signature" and "document" under the current laws of England and Wales. The Law Commission concluded that the current laws sufficiently dealt with these issues although they did highlight some difficulties in relation to some forms of electronic data.
As technology and globalisation grow, digital signatures have become an essential requirement for business transacted electronically. With the growing use of the internet as an acceptable and indeed standard medium, one does not have to look further than one's own residence to confirm the growing need for electronic signatures; research into this area therefore continues, and it is suggested that it should concentrate on the need to improve security measures.
2.1 What Is An Electronic Signature?
Before defining an electronic signature, it is first important to consider what a signature is. Handwritten signatures have always been generally accepted as giving sufficient certainty as to the signer's identity for a great many transactions. Handwritten signatures are used for two main purposes: authentication (linking the originator to the information in the signed document) and integrity (showing that the signed document is the one to which the signatory wants to be bound). As Fishley and Hughes point out, "where further certainty is required, signatures can be witnessed or even notarised".
Under both the European Directive and the UK ECA, an "electronic signature" is defined generally as data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of identification. This might include, for example, using your name on an email and sending it from an identifiable email address. The European Directive defines a digital signature in greater detail than the Communications Act 2000 and includes the concept of an "advanced electronic signature", which is defined as an electronic signature which is: (i) uniquely linked to the signatory; (ii) capable of identifying the signatory; (iii) created using means that the signatory can maintain under its sole control; and (iv) linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
The International Standards Organisation has attempted to define the concept of a digital signature as: "data appended to, or a cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protecting its forgery." Quite simply, an electronic signature can be anything attached to or associated with electronic data which serves as a method of identification. The most straightforward example of an electronic signature is a name at the end of an email sent from an identifiable email address. This was the subject of discussion in England and Wales in the case of Hall v Cognos Ltd. In this case, the chairman of the tribunal determined that a name typed into an email was a form of signature. As Mason points out, "although no relevant case law was mentioned in this instance, the decision was consistent with decisions made by judges since the seventeenth century, illustrating that the function of a signature overrides the form it takes".
There are also other methods of creating an electronic signature, such as clicking an "I accept" or "I agree" icon. When buying goods or services online, or when installing software on a computer for the first time, the buyer is very often required to click on an "I accept" icon. This action has the effect of satisfying the function of a signature. Even if the act of clicking on an icon to order goods or services is deemed less secure than a manuscript signature, it does not follow that the reliability of the signature will affect its validity.
There are many other products which are available that enable a person to produce a digital version of their manuscript signature. They write their manuscript signature by using a special pen and pad. The signature is reproduced on the computer screen, and a series of measurements record the speed, rhythm, pattern, habit, stroke sequence, and dynamics that are unique to the individual when they write their signature. The subsequent file can then be attached to any document in electronic format to provide a signature.
A manuscript signature can be scanned from the paper carrier and be transformed into digital format. The signature can then be attached to a document. This version of a signature is used widely in commerce, especially when marketing materials are sent through the postal system and addressed to hundreds of thousands of addresses.
To create more complex and robust methods of electronic signature, cryptography is used. Cryptography uses algorithms (mathematical transformations), a simple example of which would be a rule saying "move all characters one along in the alphabet". Applying this encryption algorithm to the word "car" would produce the encrypted word "dbs". Of course, the algorithms used in cryptography are much more complex than this and may contain multi-layered algorithms which are virtually impossible to crack. The most common forms of cryptography used are "symmetric" and "asymmetric" cryptography.
"Symmetric cryptography" is where a message is encrypted using a "private key" based on a mathematical algorithm, and that encrypted message can only be decrypted (i.e. read) using that same "private" key. This private key can take many forms, including software or some form of smart card. If this method is utilised then the encrypting and decrypting parties must keep the key confidential. This, though perhaps the safest form of electronic signature, is not always the most practicable, as Fishley and Hughes point out: "e-commerce traders will either share one private key with all of its customers/suppliers or will need to have multiple private keys for each of its customers/suppliers".
"Asymmetric cryptography" differs from symmetric cryptography in that it utilises both a "public key" and a "private key". So, for example, if A wants to send a message to B: B publishes his public key on the internet and keeps his private key secret. When A wants to send a message securely to B, she obtains B's public key from the internet and encrypts her message with it. Upon receipt of A's message, B can decrypt it using his private key, and only B can decrypt the message. This does not, however, provide B with absolute certainty that it was A that sent the message, as B has published his public key and so others could also have it. If, however, we apply this scenario in reverse, B is able effectively to sign his messages electronically. For example, if B encrypts a message using his private key and sends that message to A, A will be able to decrypt the message using B's public key and will know that the message was from B, since only B would know his private key. Further, the key pairs can be used together so that, for example, where A and B have both published their public keys, A may encrypt her message with her private key and then encrypt it again using B's public key. The resulting encrypted message can only be read by B who, to do so, must go through a two-stage process of decrypting the message with his private key and then with A's public key. This way B knows both that the message is a secure communication and that it has been sent by the person claiming to be A and publishing A's public key.
Reliance on digital signatures can create some concerns, as a key pair may be created by an individual who then fraudulently represents the key pair as belonging to another person or entity. This can be addressed through verification by a certificate authority (which will be discussed in more detail later). A certificate authority is a trusted third party (e.g. the post office or a bank) that will satisfy itself as to the identity of an individual or company.
2.2 Are Digital Signatures Needed?
To consider whether or not digital signatures are needed it is important to consider electronic contracts over the internet and electronic transactions legislation, to determine in exactly which circumstances an electronic signature may be used. With the growing use of the internet as an acceptable and indeed standard medium, one does not have to look further than one's own residence to confirm the growing need for electronic signatures as a means of verification for transactions.
The internet provides four ways by which businesses and individuals may enter into electronic contracts. The first of these is email. Email allows a person to send an electronic message to another person or group of people. To create an email message, the sender types a message and the sender's computer network converts the message into streams of packets and then analogue tones. The tones are carried over communications links (usually telephone lines) to the recipient's computer network, which reassembles them back into messages. E-mail often contains personal messages and communications which require authentication and verification; creating a digital signature is one method of ensuring that such messages are verified and authenticated.
The second type of communication is that which is facilitated by the World Wide Web. Businesses can establish websites for the purpose of selling goods and services, and included in these websites may be advertisements for goods and services and details of how customers may order or purchase goods. Pitiyasak offers the example of the www.amazon.com site. This website advertises many products, such as books, and invites customers to make a purchase offer by completing a form on the website. This form incorporates the credit card details of the customer. Amazon verifies the credit card details and makes a claim for payment of the agreed amount with the bank or the credit card company.
The third example of where electronic signatures may be necessary is where businesses use electronic data interchange ("EDI") to form electronic contracts. EDI can be defined as "computer-to-computer transmission of data in a standardised format". EDI allows organisations to exchange documents over either the internet or their own private network. Private network EDI is often utilised by larger organisations when purchasing goods, whereas smaller businesses and individuals often prefer to use EDI on the internet because of the reduced costs. There are two methods of document exchange: either through web-based forms for recording EDI, or by email for EDI transmissions to partners.
The final example is where individuals use chat-rooms to form electronic contracts. Chat-rooms are electronic fora where individuals congregate at the same time to have real-time conversations. Once an individual types a short message, the message is sent from that individual's computer through the communications lines to the chat-room network. The network adds the message to an incessant stream of messages that are instantly read and responded to by other individuals in the chat-room. Similar to talking over the telephone or face-to-face, messages sent through a chat-room provide almost instantaneous conversation. However, the message usually appears and is gone within a minute, so no message is saved.
The usefulness of a signature of this kind depends on the fact that the unique signature key used to make it is associated with a unique verification key. The verification key can be used by another algorithm. The inputs to the verification algorithm are the text which purports to have been signed, the signature, and the verification key. The output is either a confirmation that the text or file was signed by the corresponding signature key, or a statement that no such confirmation can be given. The process again requires a computer, but is wholly straightforward.
The signature key and the verification key are related to one another mathematically. But if they are chosen so as to be large enough, it is computationally infeasible to derive the signature key from the verification key, even under the most testing assumptions about the availability of present or future computing resources. It follows that a verification key can be provided to those who wish to verify a signatory's digital signatures, or can indeed be published at large, without thereby revealing the signature key. The software that implements the signature and verification algorithms will normally also implement the functions necessary to enable the user to generate a signature key and its associated verification key. Users could obtain key pairs from a third party, but to do so introduces an unnecessary reliance on the security of the third party's procedures, to no discernible advantage.
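The roles of the two keys described in section 2.1 (A and B) and the signature and verification algorithm of the two paragraphs above, shown as an added Go example that is not part of the dissertation. It uses Go's standard library with RSA-2048 keys and SHA-256; the dissertation is technology-neutral, so the choice of RSA and the names Party, Sign, Verify, SealFor and Open are this example's own assumptions. One caveat for practitioners: real libraries do not literally "encrypt with the private key"; they hash the text and produce a signature over the hash, which is what Sign does here, and a recipient's two-stage process is decrypt first, then verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one RSA key pair. In the terms of section 2.2 the private key
// is the "signature key" (kept secret) and the public key is the
// "verification key" (published). RSA-2048 is this example's assumption.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh key pair locally, as section 2.2 recommends,
// rather than obtaining one from a third party.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public returns the verification key, which is safe to publish.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign hashes the text and signs the digest with the signature key. This is
// the modern form of "encrypting with the private key" from section 2.1.
func (p *Party) Sign(text []byte) ([]byte, error) {
	digest := sha256.Sum256(text)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, digest[:])
}

// Verify is the verification algorithm of section 2.2: its inputs are the
// text, the signature and the verification key; it returns true only if the
// signature was made over exactly this text with the matching signature key.
func Verify(text, sig []byte, verificationKey *rsa.PublicKey) bool {
	digest := sha256.Sum256(text)
	return rsa.VerifyPKCS1v15(verificationKey, crypto.SHA256, digest[:], sig) == nil
}

// Envelope is the combined form: the sender's signature over the text plus
// the text encrypted for the recipient, so only the recipient can read it.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// SealFor signs text with the sender's private key and then encrypts it with
// the recipient's public key (RSA-OAEP, so the text must fit in one RSA block).
func (p *Party) SealFor(recipient *rsa.PublicKey, text []byte) (*Envelope, error) {
	sig, err := p.Sign(text)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, text, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open is the recipient's two-stage process: decrypt with its own private key,
// then verify the signature with the claimed sender's public key. The boolean
// reports whether the text is authentic; an error means it could not be read.
func (p *Party) Open(env *Envelope, senderKey *rsa.PublicKey) ([]byte, bool, error) {
	text, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, env.Ciphertext, nil)
	if err != nil {
		return nil, false, err
	}
	return text, Verify(text, env.Signature, senderKey), nil
}

func main() {
	a, _ := NewParty("A")
	b, _ := NewParty("B")
	msg := []byte("I agree to the terms of sale") // constructed sample text
	sig, _ := a.Sign(msg)
	fmt.Println("A's signature verifies with A's public key:", Verify(msg, sig, a.Public()))
	fmt.Println("altered text still verifies:", Verify([]byte("I agree to the terms of sale."), sig, a.Public()))
	env, _ := a.SealFor(b.Public(), msg)
	text, authentic, err := b.Open(env, a.Public())
	fmt.Printf("B opened %q, authentic=%v, err=%v\n", text, authentic, err)
}
```

Adding a single character to the text makes Verify return false, which is the "any subsequent change of the data is detectable" property of an advanced electronic signature; checking the same signature against B's public key also fails, which is the "uniquely linked to the signatory" property. What the block cannot do is tell B that the key it calls "A's public key" really belongs to A; that gap is what certification authorities, discussed in section 2.3 and section 3, are meant to fill.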
2.3 What Are The Technical and Legal Limitations of Digital Signatures?
The Law Commission published a report in December 2001 entitled "Electronic Commerce: Formal Requirements in Commercial Transactions" in which the Law Commission considered the legal limitations of digital signatures, considering whether or not various forms of electronic communications satisfy the current definitions of the terms "writing", "signature" and "document" under the current laws of England and Wales.
The main issue that was considered was the extent to which reform of the statute book is required to enable conclusion by digital signature to become a satisfactory way of concluding contracts, thus considering some of the legal limitations of digital signatures. The Law Commission's conclusion was that no reform was required. Its rationale for concluding this can be subdivided into four main categories. The first of these deals with writing. The Law Commission came to the conclusion that both e-mail and website trading will generally satisfy the Interpretation Act definition of "writing" and the functions of writing; the reasoning for this was that they are visible to the relevant parties, as required by the Interpretation Act definition. However, the Commission was of the view that EDI does not, as it is not visible to the relevant party.
Secondly in relation to signatures, the Law Commission came to the conclusion that digital signatures, scanned manuscript signatures, typing one's name (or initials) and clicking on a website button are all methods of signature which are generally capable of satisfying a statutory signature requirement. The rationale for this conclusion was formed on the basis that it is function, rather than form, which is determinative of the validity of a signature and that these methods are all capable of satisfying the main aim of demonstrating and authenticating intention.
Thirdly the Law Commission considered the concept of a document. The Law Commission concluded that there is a consensus that information stored in an electronic form can be considered to be a "document" and therefore would satisfy a statutory requirement for a document.
Finally, the Law Commission concluded that e-mail, website trading and signatures are not universally accepted, and acknowledged the difficulties which the lack of a consensus on this issue presents when considering whether reform of the statute book is required and, if so, how that reform should be approached. The final conclusion of the Law Commission was nonetheless that reform of the statute book was not necessary. As Fishley and Hughes point out, although the Law Commission's views are not binding on the courts, the Law Commission Report adds further weight to the validity and enforceability of online transactions.
The use of electronic signatures also creates a number of technical difficulties. Electronic signatures created using the public key cryptography process described above are often referred to as "digital signatures". One problem with such digital signatures is that they do not guarantee that the person claiming to be A and publishing A's public key is in fact A (as the key may have been forged, stolen or created by a fictitious identity). For example, if you go to an online bookstore, you may be encouraged to take and use the public key from the bookstore's website. In doing so there is no certainty that the bookstore claiming to be "XYZ books" is in fact XYZ books and has not been set up as a sham operation to attract your custom. This is where certification authorities come into play. If XYZ books wished to provide certainty of its identity, it could procure a digital certificate from a trusted third party certification authority. The authority would verify the identity of XYZ books (for example, by way of corporate identity, through checking corporate documents and returns etc.) and then issue a digital certificate (signed with the certification authority's own digital signature verifying its own identity) which will verify that XYZ books is in fact who it claims to be. If you had doubts about the identity of the certification authority, then its digital signature could also be verified and certified by another certification authority.
3.1 The Problem With Identity
As has been discussed above, reliance on digital signatures alone causes concern because a key pair may be created by an individual who then fraudulently represents the key pair as belonging to another person or entity. This can be addressed through verification by a certificate authority. A certificate authority is a trusted third party (e.g. the post office or a bank) that will satisfy itself as to the identity of an individual or company. This is done by, for example, checking an individual's passport or driver's licence details, or a company's corporate documents and returns. The certificate authority will then issue a digital certificate signed with its own digital signature, which the user will attach to its own digital signature as proof of identity.
A certificate authority is a trusted entity that provides information about the identity of a key holder in the form of an authenticated key certificate. The position of a certificate authority can be compared to that of the DVLA, which issues drivers' licences and is generally accepted as a trustworthy means of personal identification. All electronic certificates are digitally signed by the certificate authority with a private key. If the certificate authority maintains good security protection of the private key, it is almost impossible for anyone to forge an electronic certificate.
A certificate can be distributed in more than one way. The certificate can be "handed" out to the holder of the signature. It is then up to the holder to distribute the certificate to whoever needs it. This approach is preferable to publishing the certificate on a website.
The use of electronic signatures poses significant problems in relation to identity. Paper-based means of making and keeping records often involve manual signatures, and such means of verification, like stamping, remain the predominant means of executing official acts. Typical examples of paper-based rules are formalistic legal requirements favouring paper documents and hand-written signatures, or archiving rules demanding the storage of valuable information on paper. These rules can be found in diverse national, international and supranational legal frameworks.
Traditionally, a hand-written signature is a sufficient authentication tool. By signing a paper document the maker 'identifies' himself as the author of the document and affirms the 'integrity' of the document. The Electronic Communications Act indicates an intention to be bound to the content of the document. The procedure of signing also entails the possibility of reflection and serves as a caveat, as well as confirming the fact that the information has been given a final shape. Distinctive marks may be coded into the information itself in order to identify the source and to authenticate the contents. There are many forms of digital authentication now in use, such as the use of a password (for example a PIN code), the use of encryption techniques (such as digital signatures), and the use of biometric identification (such as fingerprints or voice recognition). Mostly, these authentication techniques are combined, providing a high level of security of the authentication.
Finally, the issue of identification raises concerns in relation to data protection. The European Directive requires general compliance with the Data Protection Directive (95/46/EC). The Electronic Signatures Directive also requires Member States to ensure that service providers issuing certificates to the public do not collect personal data other than directly from the data subject, or without the data subject's explicit consent. There is a further requirement that data may only be collected insofar as it is necessary for the purposes of issuing and maintaining the certificate.
3.2 The Use of Identification
It is important to understand how certification works in order to appreciate the use of identification under the concept of digital signatures.
Electronic signatures are available from bodies known as certification authorities (CAs).
The application process for digital certificates varies depending upon which particular certification authority is used, which authority is issuing the certificate, and finally the level of signature that is being applied for. At the lower levels, an electronic signature cannot really confirm that a person is who they say they are, as the application is made online, without any stringent identity checks. These low-level digital certificates are, for all intents and purposes, only good for secure email. Higher-level digital certificates require an individual to submit documentary evidence of their identity in person, where the information is verified. This verification process takes place either at the premises of the certification authority or at a Local Registration Authority (LRA). These local registration authorities will be offices spread around the country where either individuals or businesses can show the documents that prove their identity. For example, an individual may show their passport or driving licence, whereas a business may be required to show utility bills and some proof that the individual is linked to that business.
Section 1 of the Electronic Communications Act allows for the creation of a Government register listing approved certification authorities, that is, those CAs that conform to basic operational standards. Unfortunately, this section is not in force and therefore no register has as yet been set up. The European Directive states in Article 3(2) that member states may introduce voluntary self-regulation. This self-regulation has arrived in the form of tScheme, which ensures that CAs affiliated to the scheme comply with certain operational standards.
Identification is a problematic issue in any medium. It can certainly be suggested that identification causes no more problems in relation to electronic means than it does in relation to traditional handwritten means. It can be argued that it is much easier to steal someone's identity by copying their signature than it is by stealing an electronic signature. This is perhaps best demonstrated by the introduction of chip and PIN for debit and credit cards as an alternative to the traditional method of signing for purchases made with these cards. The problem that arises with identification in electronic signatures is the number of people that become involved; this increases both the margin for error and the number of people who could potentially be involved in fraudulent activities. Identity is of paramount importance in business, commercial and consumer transactions, and its protection should be the most important consideration in any discussion or reform relating to digital signatures.
3.3 Liability of Certificate Authority
There are situations which may arise where the revocation of an electronic certificate becomes necessary. Where a certificate authority receives a request to invalidate or suspend a certificate, it is required to act as soon as possible after the request has been made. Invalidation or suspension of a certificate normally occurs in emergency situations, such as when a subscriber has lost a key. The liability of certification-service providers is regulated in part by the Electronic Signatures Regulations 2002, which came into force on 8 March 2002. These regulations relate to the supervision of certification-service providers (CSPs), the regulation of their operation, the imposition of liability and particular data protection requirements on CSPs.
A certificate authority is required to revoke or suspend a certificate without the subscriber's consent if:
- a material fact represented in the certificate is false;
- a material prerequisite to issuance of the certificate was not satisfied; or
- the certificate authority's private key was compromised in a manner materially affecting the certificate's reliability.
A certificate authority must promptly publish notice of the suspension or revocation of a certificate if that certificate was published at the time of issuance; if not, the suspension or revocation must be disclosed to anyone who makes an enquiry.
In the case of revocation of a certificate, the unique sequence number of the certificate is enough to identify the certificate as one that has been revoked. The cause of revocation need not be mentioned. The important role of certificate authorities has been reflected in the liabilities imposed on them by the EU Directive on Electronic Signatures of 1999. Article 6 of this Directive requires Member States to ensure that certificate authorities are liable for damages caused to any entity, legal or natural person, who reasonably relies on the certificate unless the certificate authority proves that it has not been negligent.
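The certification authority of sections 2.3 and 3.1 (a trusted third party vouching for "XYZ Books", and a sham operation that cannot obtain such vouching) together with the revocation-by-serial-number rule described above, as an added Go example that is not from the dissertation. It uses Go's standard library X.509 support with Ed25519 keys; the Authority type, its Issue and PublishCRL methods and the relying party's Check function are this example's own names, and the identity checks the CA performs before issuing (passport, company returns) are assumed to have happened out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate has been revoked") // returned by Check

// Authority models a certification authority: its signing key and its self-signed root certificate.
type Authority struct {
	Key        ed25519.PrivateKey
	Cert       *x509.Certificate
	nextSerial int64
}

// baseTemplate fills the fields common to every certificate in this example.
func baseTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// signCert has the issuer named in parent sign tmpl with key and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewAuthority creates a CA with a self-signed root; Go adds the subject key identifier that CRL signing requires.
func NewAuthority(name string) (*Authority, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := baseTemplate(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	cert, err := signCert(tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return &Authority{Key: key, Cert: cert, nextSerial: 2}, nil
}

// Issue binds a subject name, whose identity the CA has checked out of band, to that subject's public key.
func (ca *Authority) Issue(subject string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	tmpl := baseTemplate(ca.nextSerial, subject)
	ca.nextSerial++
	return signCert(tmpl, ca.Cert, pub, ca.Key)
}

// PublishCRL signs a revocation list naming the given certificates by serial number only; the cause is not published.
func (ca *Authority) PublishCRL(revoked ...*x509.Certificate) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(time.Now().UnixNano()), // must increase with every publication
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// Check is the relying party's side: the certificate must chain to the trusted root and must not appear on the root's signed CRL.
func Check(cert, trustedRoot *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // unknown authority, expired, or otherwise not issued under the root
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(trustedRoot); err != nil {
		return err // a list not signed by the CA proves nothing
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

Check rejects a certificate whose subject reads "XYZ Books" but which was signed by an authority the relying party does not trust, and it rejects a revocation list not signed by the trusted root, which is the property the dissertation attributes to certification. A production relying party would additionally refuse a list whose NextUpdate has passed and would fetch it from the distribution point named in the certificate; both are left out here to keep the example short.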
Article 6 of the European Directive sets out the following:
- A person providing an information society service shall make available to the recipient of the service and any relevant enforcement authority, in a form and manner which is easily, directly and permanently accessible, the following information:
  - the name of the service provider;
  - the geographic address at which the service provider is established;
  - the details of the service provider, including his electronic mail address, which make it possible to contact him rapidly and communicate with him in a direct and effective manner;
  - where the service provider is registered in a trade or similar register available to the public, details of the register in which the service provider is entered and his registration number, or equivalent means of identification in that register;
  - where the provision of the service is subject to an authorisation scheme, the particulars of the relevant supervisory authority;
  - where the service provider exercises a regulated profession:
    - the details of any professional body or similar institution with which the service provider is registered;
    - his professional title and the member State where that title has been granted;
    - a reference to the professional rules applicable to the service provider in the member State of establishment and the means to access them; and
  - where the service provider undertakes an activity that is subject to value added tax, the identification number referred to in Article 22(1) of the sixth Council Directive 77/388/EEC of 17 May 1977 on the harmonisation of the laws of the member States relating to turnover taxes - Common system of value added tax: uniform basis of assessment.
- Where a person providing an information society service refers to prices, these shall be indicated clearly and unambiguously and, in particular, shall indicate whether they are inclusive of tax and delivery costs.
Therefore it can be seen that under the EU Directive, as a minimum, EU member states are required to ensure that certification authorities are liable for the damage caused to any entity which reasonably relies on a qualified certificate issued by them, unless the certification authority can prove that it has not acted negligently. The EU Directive further provides that certification authorities may limit their liability by stipulating a financial cap for transactions effected in reliance upon their certificates or by limiting the use of their certificates. In the UK, the issue of liability of certification authorities is not addressed in the Electronic Communications Act and its absence is sorely felt. It is suggested that, whilst the Directive regulates certificate authorities adequately, UK law should provide further protection for those utilising the services of certificate authorities.
4.1 Electronic Signature Directive and The International Aspect
This Directive was due for implementation by Member States by 19 July 2001. Its aim is to make the use of electronic signatures easier and to establish criteria for their legal recognition. On 8 March 2002, its provisions were implemented in the UK by the Electronic Signatures Regulations 2002.
The main provision of the directive is that an electronic contract and the electronic signature cannot be legally discriminated against solely on the grounds that they are in electronic form. The directive therefore stipulates that where the certificate, the certification service provider and the signature product used all meet a set of specific requirements, an automatic assumption arises that the resulting electronic signatures are as legally valid as a hand-written signature. Such signatures can also be used in legal proceedings.
The directive further sets out that all products and services related to electronic signatures can circulate freely and are subject only to the legislation and control of the country of origin. This means that Member States are not able to enact law that makes the provision of services related to electronic signatures subject to any form of mandatory licensing. The directive also sets out the minimum liability rules for service providers, who would in particular be liable for the validity of a certificate's content. In anticipation of today's dynamic society, the directive also ensures legal recognition of electronic signatures irrespective of the technology used to create them.
The legislation covers the supply of certificates to the public aimed at identifying the sender of an electronic message. In accordance with the principles of party autonomy and contractual freedom it does, however, permit the operation of schemes governed by private law agreements, such as corporate intranets or banking systems, where a relationship of trust already exists and there is no obvious need for regulation.
4.2 Electronic Communication Act 2000
The Electronic Communications Bill was first published in draft form in July 1999. The Government has identified lack of trust as a principal barrier to electronic commerce. The Performance and Innovation Unit report of September 1999, entitled "e-commerce@its.best.uk", identified data authentication as a principal means of improving trust in electronic transactions. The lack of equivalence between written and digital documents was also found to create difficulties for the enforceability of contracts. The Act was intended to address this aim.
The United Kingdom's Electronic Communications Act 2000 came into force on 25 May 2000. The UK ECA was enacted partly as a response to the EU Electronic Signatures Directive (1999/93/EC), although it implements only certain provisions of it.
Section 2 deals with the facilitation of electronic commerce and data storage by making them "technology neutral", i.e. the legislation is designed to remove the distinction between traditional and electronic business methods. Section 3 of the Act is concerned primarily with the establishment and maintenance of a register of cryptography support service providers who provide services in the UK.
Section 7 of the Act provides that electronic signatures, and the certificates that support them, can be used as evidence in court in much the same way as hand-written signatures. It contains the definition of an electronic signature and provides for the legal recognition of electronic signatures, including making them legally admissible evidence in court in relation to any question as to the authenticity or integrity of the data or communication. It will be for the court to decide on a case by case basis whether or not the electronic signature has been properly used and the intent behind its use. Some commentators have said that the introduction of this section simply clarifies the law on this point, in that, before the section was brought into force, an electronic signature would already be treated by the court in the same way as a written signature if the intention behind it could be shown to be to create a legally binding contract.
Section 8 of the Electronic Communications Act 2000 empowers the appropriate minister to modify any enactment by statutory instrument to remove restrictions from individual pieces of legislation preventing the use of electronic communication. It does not provide that all electronic signatures will now satisfy any legislative requirements for a written signature.
4.3 International Legislation Applicable to Electronic Signature
Both the European Directive and the Electronic Communications Act 2000 intend to allow individuals to operate on a world-wide scale. The European Directive in particular clarifies that the Internal Market principle of mutual recognition of national laws and the principle of control in the country of origin must be applied to Information Society services.
There are, however, international agreements in place that should be noted at this juncture. The United Nations Model Law on Electronic Commerce is one such agreement.
Article 7 of the Model Law on Electronic Commerce considers the form of an electronic signature and whether it is appropriate in the circumstances:
"(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if:
- (a) a method is used to identify that person and to indicate that person's approval of the information contained in the data message; and
- (b) that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.
(2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature."
The Model Law on Electronic Signatures goes one step further than European and UK legislation by incorporating the provisions of Article 7 of the Model Law on Electronic Commerce and adding a provision relating to the reliability of a signature:
"Article 6. Compliance with a requirement for a signature
(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used that is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.
(2) Paragraph 1 applies whether the requirement referred to therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature.
(3) An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in paragraph 1 if:
- (a) the signature creation data are, within the context in which they are used, linked to the signatory and to no other person;
- (b) the signature creation data were, at the time of signing, under the control of the signatory and of no other person;
- (c) any alteration to the electronic signature, made after the time of signing, is detectable; and
- (d) where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.
(4) Paragraph 3 does not limit the ability of any person:
- (a) to establish in any other way, for the purpose of satisfying the requirement referred to in paragraph 1, the reliability of an electronic signature; or
- (b) to adduce evidence of the non-reliability of an electronic signature."
The legal effect that follows the use of an electronic signature is left for the enacting state.
Thus international law adds a further dimension to the European and domestic law in this area, providing a means of testing the reliability of such electronic signatures. It is considered that this is a necessary addition to the law. The counter-argument is, of course, that if this area of law becomes too complex and specific it will lose the flexibility to keep abreast of the growing technology. This has practical consequences, as it will mean that the law will have to be re-enacted much sooner than perhaps the UK and European law will.
The electronic signature regulations in the UK are expected to provide a framework which will increase the use of electronic signatures and ensure the installation of practical electronic certification systems. However given the speed at which technological solutions evolve, the UK legislation will have to follow such developments closely, with a view to keeping the relevant codes and ordinances up to date.
As technology and globalisation grow, digital signatures have become an essential requirement for business transacted electronically. With the growing use of the internet as an accepted and indeed standard medium, one need look no further than one's own home to confirm the growing need for electronic signatures; research in this area therefore continues, and it is suggested that it should concentrate on the need to improve security measures. In this respect the development of electronic signatures can be seen as a positive step in keeping up with technology.
This thesis began with an attempt to define what an electronic signature is. This is a difficult task, as under both the European Directive and the UK ECA an "electronic signature" is defined generally as data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of identification. This might include, for example, using your name on an email and sending it from an identifiable email address. The European Directive defines a digital signature in greater detail than the Electronic Communications Act 2000 and includes the concept of an "advanced electronic signature", which is defined as an electronic signature which is: (i) uniquely linked to the signatory; (ii) capable of identifying the signatory; (iii) created using means that the signatory can maintain under its sole control; and (iv) linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
However, to define a digital signature in precise terms would undermine one of the main requirements of this type of technology, namely that it be flexible enough to allow for the dynamic nature of this area. A precise definition is perhaps not appropriate, but conversely the absence of a precise definition means that security and identification, the very reasons for digital signatures, are often jeopardised.
Reliance on digital signatures can create some concerns, as a key pair may be created by an individual who then fraudulently represents the key pair as belonging to another person or entity. This can be addressed through verification by a certificate authority (which will be discussed in more detail later). A certificate authority is a trusted third party (e.g. the post office or a bank) that will satisfy itself as to the identity of an individual or company. This can, however, also cause some real security issues, which have been discussed in the body of this paper. Where does this leave us in relation to digital signatures? Is the UK position an adequate one, and one which can be viewed in a positive light both legally and in terms of technological development?
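As an added illustration that is not part of the original dissertation, the following Go program models the four "advanced electronic signature" criteria and the Article 6(3) reliability tests of the Model Law on Electronic Signatures with an Ed25519 key pair, and shows how a certificate from a trusted certification authority defeats the fraudulent key-pair scenario just described. The certificate structure, the names Alice and Mallory, and the sample contract text are constructed for the example; real certification authorities issue X.509 certificates rather than this simplified form.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is a constructed stand-in for a CA-issued certificate: the CA
// binds a subject name to a public key by signing the pair (not real X.509).
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

func certPayload(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// Issue models the trusted third party vouching for the (identity, key) binding.
func Issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{subject, pub, ed25519.Sign(caPriv, certPayload(subject, pub))}
}

// VerifySigned applies the advanced-signature tests: the certificate chains to the
// trusted CA (identifies the signatory), its subject is the claimed signatory (uniquely
// linked), and the signature verifies over the message (later alteration is detectable).
func VerifySigned(caPub ed25519.PublicKey, cert Certificate, claimed string, msg, sig []byte) error {
	if !ed25519.Verify(caPub, certPayload(cert.Subject, cert.PublicKey), cert.CASig) {
		return errors.New("certificate was not issued by the trusted CA")
	}
	if cert.Subject != claimed {
		return errors.New("certificate subject differs from claimed signatory")
	}
	if !ed25519.Verify(cert.PublicKey, msg, sig) {
		return errors.New("signature does not verify: data altered or wrong key")
	}
	return nil
}

// Scenario runs three cases (honest signature, altered message, impostor key pair
// under an untrusted certificate) and reports whether each came out as expected.
func Scenario() (honestOK, alterationDetected, impostorRejected bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	aliceCert := Issue(caPriv, "Alice", alicePub)
	msg := []byte("I accept the offer of 100 units at 5 GBP each") // constructed
	sig := ed25519.Sign(alicePriv, msg)
	honestOK = VerifySigned(caPub, aliceCert, "Alice", msg, sig) == nil
	altered := []byte("I accept the offer of 100 units at 1 GBP each")
	alterationDetected = VerifySigned(caPub, aliceCert, "Alice", altered, sig) != nil
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	fakeCert := Issue(malPriv, "Alice", malPub) // signed by Mallory, not the CA
	impostorRejected = VerifySigned(caPub, fakeCert, "Alice", msg, ed25519.Sign(malPriv, msg)) != nil
	return
}

func main() { fmt.Println(Scenario()) }
```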
It has been demonstrated that there are numerous ways of electronically signing things, with differing levels of certainty attaching to them. Under the current law in the UK there is no particular method of electronically signing a document that is potentially unenforceable or indeed inadmissible as evidence. This demonstrates the flexibility of UK law and the ease with which it will be able to keep up with growing technology in this area. This should not, however, be at the sacrifice of security and identity, both of which should be of paramount importance, and the absence of stringent rules on certificate authorities in the Electronic Communications Act is very telling.
Another fault of the UK legislation is that it has not specifically stated that the use of electronic signatures is akin to the use of handwritten signatures; this is of course a feature of the European legislation. Nevertheless, the existence of such an "advanced electronic signature" would likely be given great weight by a court, so the weight of these signatures in UK law should not be underestimated. The Law Commission's report adds further weight to the validity and enforceability of online transactions by finding that digital signatures, scanned manuscript signatures, typing one's name (or initials) and clicking on a website button are all methods of signature which are generally capable of satisfying current UK statutory signature requirements without the need for specific amendments to legislation.
Along with other sectors of commerce, it is clear that electronic transactions are here to stay, even if they have not quite revolutionised the business world as was first thought. It is clear that these transactions are the way forward and that they will continue to develop. That said, the last few years have shown little in the way of legal development in this area, although consideration should be given to all of the international ramifications and legislation in this area and acted on accordingly. Given the public's predilection for acting without thinking, and the time pressures on everyone today, it will come as no surprise when lawyers are called in to advise on cross-border contracts which are either not evidenced properly in writing or for which contradictory terms and conditions are in place. Nevertheless, it remains the best advice that it is in everyone's interest for the terms of the contract to be clearly set out and agreed by the parties. It is only in this way that the numerous problems encountered in contracting on the internet can begin to be avoided. In conclusion, therefore, it is suggested that the UK law in this area has come a long way and has successfully kept up to date with technology; as with any law on identity and security, a lot will depend on the individual's own risk management procedures. The law can only go so far in protecting the technology and security; it is up to individuals to ensure that it is enforced, adhered to and protected.
- Hall v Cognos Ltd Industrial Tribunal Case No.1803325/97
- Data Protection Act 1988
- Electronic Communications Act 2000
- Electronic Signatures Regulations 2002
- The Data Protection Directive (95/46/EC)
- The EU Directive on Electronic Signatures (Directive 1999/93/EC)
- UNCITRAL Model Law on Electronic Commerce (www.uncitral.org/en-index.htm)
- The Performance and Innovation Unit report of September 1999, entitled "e-commerce@its.best.uk"
- Author Unknown, (2001) "In Focus - Electronic Signatures and The Consumer", Consumer Law Today 24. 5(9)
- Capps D, (2002) "Conveyancing in the 21st Century: An Outline of Electronic Conveyancing and Electronic Signatures", Conveyancer and Property Lawyer SEP/OCT 443-455
- Coleman C, (2001) "Electronic Signatures in Banking", Finance and Credit Law 3.5(1)
- Esen R, (2000) "Cryptography and Electronic Data", New Law Journal vol 150 6953 p1417
- Fishley B & Hughes B, (2002) "Electronic Signatures", International Journal of Electronic Commerce Law and Practice 2.2 (25)
- Gooch C, (1998) "The Internet, Personal Jurisdiction, and the Federal Long-Arm Statute: Rethinking the Concept of Jurisdiction", Arizona Journal of International and Comparative Law 15 635, 640, 641
- Kendrick R, (2003) "Cyber-Risks At Law", New Law Journal 153.7071 (395)
- Lambert P, "Legal Aspects of Digital Signatures", paper published by the Interdisciplinary Centre for Law and Technology, available at http://www.law.kuleuven.ac.be/icri/projects/report.data/executive.htm
- Mason S, (2005) "The International Implications of Using Electronic Signatures", Computer and Telecommunications Law Review 11 (5) 160-166
- Morrison P, (2002) "E-Commerce: Formal Requirements in Digital Signatures" Construction and Engineering Law 7.1 (23)
- Odutun G, (2004) "The Evidentiary Issues Arising From the Proposed Use of the Satellite Based Vehicle Monitoring System and Electronic Logbooks in the Fishcam Project Within the European Union", International Journal of Law and IT 12 (74)
- Pitiyasak S, (2003) "Electronic Contracts: Contract Law of Thailand, England and UNCITRAL Compared", Computer and Telecommunications Law Review 9 (1) 16-30
- Schellekens M, (2004) "Privacy and Electronic Signatures Are They Compatible?" Computer and Telecommunications Law Review 10(7) 182-186
- Thompson D, (2000) "Making Sense out of a Dog's Dinner - The Electronic Communications Bill", International Journal of Electronic Commerce Law and Practice 1.1(5)
- Blackstone's Statutes on IT and Commerce
- Lloyd, (2000) "Information Technology and the Law", Third Edition, Butterworths
- Sparrow A, (2001) "The E-Commerce Handbook: A Legal Guide to Doing Business on the Internet", Fitzwarren Publishing
- Susskind R, (2000) "Transforming the Law: Essays on Technology, Justice and the Legal Market Place", Oxford University Press
- Whinston A, Stahl D, Choi S, (1997) "The Economics of Electronic Commerce", Macmillan Technical Publishing