Electronic Signatures

08 March 2002

Mark O'Conor




As e-commerce continues to grow at an ever-increasing rate, more and more transactions are being completed online, particularly as companies begin to realise the efficiencies and opportunities offered by doing business in this way. In order to encourage electronic commerce, it is essential to review and possibly amend any legal obstacles which may hinder or prevent its growth. Many countries, including the UK, have recognised this and have started implementing new legislation which aims to facilitate electronic commerce.

This article addresses some of the legal obstacles which may exist under English law and how recent European and English legislation has been implemented to try and build confidence in electronic commerce and the technology underlying it. In particular, this article examines the nature and validity of electronic signatures.

Function of signatures

In order to understand whether an electronic signature can be accepted in English law in place of a manual signature, it is necessary to look at the function a signature plays.

In English law, there is no general requirement for any document to be signed in order to be legally valid. However, it is estimated that there are 40,000 separate references in current UK legislation to require documents to be "in writing" or "signed".

The common understanding of a signature is the writing by hand of one's full name or initials and surname. Nonetheless, other forms of identification have been held to satisfy a signature requirement; for example, it is acceptable to sign with an "X", or for a person to sign with their initials only. Furthermore, typewriting or printing a signature has also been held to be acceptable by the courts.

The principal functions of a signature are that it identifies the signatory, provides certainty as to the personal involvement of that person in the act of signing, and associates that person with the contents of the document.

Electronic signatures

As with manual signatures, there are a number of different types of electronic signature. The Explanatory Notes to the Electronic Communications Act 2000 (ECA) describe the electronic signature as "something associated with an electronic document that performs similar functions to a manual signature. It can be used to confirm that the communication comes from whom it purports to come from ('authenticity') and to establish that the communication has not been tampered with ('integrity')". The types of electronic signature can range from a simple typed-in name or scanned-in signature to more complex biometric techniques, such as fingerprint scanning, or signatures created by cryptographic means (digital signatures).

In its recent report Electronic Commerce: formal requirements in commercial transactions (December 2001), the Law Commission examines whether electronic signatures are capable of meeting the many formal requirements for "writing" and "signatures" set out in English law and whether any further law reform is necessary. It concludes that digital signatures, scanned manuscript signatures, typing one's name or initials and clicking on a website button are all methods of signature which are capable of satisfying a signature requirement as they demonstrate an authenticating intention.

Relevant legislation

Model laws (available from www.uncitral.org)

Most countries which have dealt with or propose to deal with e-commerce have based their legislation on or have at least purported to make it consistent with the United Nations Commission on International Trade Law (UNCITRAL) Model Law on E-commerce which aims to facilitate the use of electronic commerce and to ensure equality of treatment for users of paper documents and of electronic forms of communication. A Model Law on Electronic Signatures was also adopted in July 2001. These laws were developed to offer national legislators a set of internationally acceptable rules to replace their own legislation and are designed to be incorporated directly into the domestic laws of those countries willing to do so. The Model Law on Electronic Signatures aims to provide practical standards against which the technical reliability of electronic signatures may be measured.

Signatures Directive

In December 1999, the EU adopted a Directive on a Framework for Electronic Signatures (99/93/EC) (the Signatures Directive) which Member States were bound to implement into their national laws by July 19, 2001.

The Signatures Directive requires all Member States to ensure that their legal systems allow contracts to be concluded by electronic means and that any legal obstacles to the contractual process are removed. The Signatures Directive distinguishes between "advanced electronic signatures" which are based on a "qualified certificate" and which are created by a "secure signature creation device" and other electronic signatures. Whilst the latter may not be inadmissible merely by virtue of being electronic, this is not to say that an electronic signature will be admissible because it is electronic. The advanced electronic signatures, however, will satisfy the "legal requirements of a signature in relation to data in electronic form in the same manner as a hand written signature satisfies those requirements" and shall be admissible as evidence in legal proceedings. Not surprisingly, everyone is better off using the advanced signatures.

An advanced signature is one which meets the following requirements:

  • it is uniquely linked to the signatory;
  • it is capable of identifying the signatory;
  • it is created using means that the signatory can maintain under his sole control; and
  • it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

The requirements for a "qualified certificate" and a "secure signature creation device" are set out in Annexes I, II and III of the Signatures Directive and essentially describe digital signatures that are backed by certification authority certificates and are created using public key cryptography. In addition the Signatures Directive establishes the general principle that certification services are not to be subject to prior authorisation, although Member States may introduce voluntary accreditation schemes aiming at enhancing levels of service provision.

The Signatures Directive requires Member States to make special provision for the liability of certification authorities. As a minimum, such authorities will be liable for damage caused to any entity who reasonably relies on a certificate for any inaccuracies in the assurances given, unless the certification authority can prove that they did not act negligently. What is not clear, however, is the extent to which a certification authority may limit its liability to customers by contractual provisions. This issue was recognised by the DTI prior to the Signatures Directive and they concluded that the liability of certification authorities, both to their customers and to parties relying on the certificates, is best left to existing law and to providers' and customers' contractual arrangements. The ECA does not address the issue of liability but as the deadline for the implementation of the Directive has passed, these provisions will have direct effect in the UK.

Electronic Communications Act 2000

The ECA (note that ss 1-6 are not yet in force, ss 8-10 and 13-16 came into force on May 25, 2000 and ss 7, 11 and 12 came into force on July 25, 2000) is consistent with, and seeks to implement, certain provisions of the Signatures Directive and its purpose is to facilitate and help build confidence in electronic commerce and the technology underlying it in the UK. The ECA aims to do this by:

  • providing a statutory approvals scheme for organisations providing cryptography services;
  • confirming the legal recognition of electronic signatures; and
  • providing a method to remove legal obstacles to the use of electronic communication and storage and for enabling appropriate conditions to be imposed.

The Government has, however, bowed to industry pressure and has agreed to an industry-led approvals process being put in place instead of the statutory scheme envisaged in Pt I of the ECA, which is not yet in force. Therefore the Alliance for Electronic Business (AEB) has drawn up an industry-led scheme known as the "tScheme" (details can be found at www.tscheme.com). The Government has said that it will not commence Pt I of the ECA if the tScheme continues to meet the Government's objectives. The tScheme aims to provide assurances by developing sets of criteria, known as Approved Profiles, against which cryptography providers and other trust service providers can be independently assessed for each of the services they wish to provide for clients. There are currently 25 members of the tScheme, which include Microsoft, BT Ignite, British Chambers of Commerce and the CBI.

The ECA includes at s 7 a provision broadly similar to Art 5.1 of the Signatures Directive which states that an electronic signature, or its certification, will be admissible as evidence in respect of any question regarding the "authenticity" or "integrity" of an electronic communication or data. The definition of electronic signature is drafted widely and from a technical perspective, in a neutral way, to include anything in "electronic form incorporated into or otherwise logically associated with an electronic communication or electronic data which purports to be so associated or incorporated for the purpose of being used in establishing the authenticity or integrity of that communication or data, or both". However, this section of the ECA is considerably more detailed than the Signatures Directive and does differ in several respects (details of these differences are set out at p 466 of Graham Smith's book Internet Law and Regulation (3rd edn)).

Another important provision of the ECA is s 8 which allows a Minister to make an order for the purposes of authorising or facilitating the use of electronic communications or electronic storage. Such an order may also impose conditions upon their use and can be used to make it clear whether an electronic communication can or cannot be used, or to clarify where the law is unclear.

It is also worth mentioning Art 9 of the E-Commerce Directive (2000/31/EC) which requires Member States to ensure that their legal systems allow contracts to be concluded by electronic means. In particular they "shall ensure that the legal requirements applicable to the contractual process neither create obstacles for the use of electronic contracts nor result in such contracts being deprived of legal effectiveness and validity on account of them having been made by electronic means". This Directive was due to be implemented by January 17, 2002, but to date no Regulations have been implemented in the UK.

Finally, on the legislative front, it is worth mentioning that there are still some aspects of the Signatures Directive which have not been implemented by the ECA 2000. The DTI has, however, issued some draft Regulations (the Electronic Signatures Regulations 2002) which it has released for comments. These are available from wwww.dti.gov.uk/cii/datasecurity/electronic signatures/signatures.shmtl. As currently drafted, these Regulations provide that the Secretary of State shall be under a duty to review the activities of certification-service providers who are established in the UK and who issue qualified certificates to the public and shall maintain a register of such certification-service providers. In addition, the Regulations address the liability of certification-service providers and implement Arts 6.1 and 6.2 of the Signatures Directive as well as Art 8.2, which places specific data protection requirements on certification-service providers that issue certificates to the public.

Digital signatures

As we have seen, the legislation is biased towards "advanced signature" techniques. Therefore, it is worth briefly explaining the cryptography involved. Encryption is a technique for converting information, such as text, into another form with a view to the intended recipient converting the result back to the original information. There are two common forms, known as private (or secret) key encryption and public key encryption. In both cases a cryptographic algorithm is applied to the plain text to produce the cryptogram, and the output of the algorithm is controlled by a number which is called a key. In private key encryption, both parties use the same key, which they must agree in advance and keep completely secret thereafter. This would not be practicable for an e-commerce trader, who would need to share a separate secret key with each customer; moreover, because either holder of a shared key could have produced the result, a shared key cannot on its own identify one signatory. Public key encryption, however, uses a pair of keys: a public key which can be published to the world at large and a private key which is kept by the person issuing the signature. When used in connection with electronic signatures, anyone with access to the public key can check the signature and verify that it could only have come from someone who had access to the private key. Such a signature is therefore only as trustworthy as the secrecy of the private key, which is why the Signatures Directive requires that the means of creating it remain under the signatory's sole control.

Thus the correct handling of keys is vital if such a system is to be effective. In addition, there must also be a way of establishing or verifying the "real world" identity of a particular keyholder as well as a way of distributing, deleting and storing keys. A considerable administrative infrastructure (often known as a "public key infrastructure" or "PKI") is therefore needed. It is this area that the legislation is keen to regulate and monitor. In the UK, there are already several companies providing electronic signatures and digital certificates, verifying the identity of the sender. For example, ViaCode has recently teamed up with the British Chamber of Commerce to provide the Chambersign service that offers affordable digital certificates and other e-commerce security services and British Telecom have set up BT Trustwise in association with Verisign. Identrus have also set up an international banking PKI to provide a global framework for the provision of certification authority services for financial institutions.
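The following is an added worked example, not code from the article or from any of the providers it names. It shows in running code the two properties the article's definition of an electronic signature turns on, "authenticity" and "integrity", together with the role of the certification authority in the PKI described above and the contrast with a shared (private) key. It uses Go's standard-library Ed25519 signatures. The Certificate type, the certTBS encoding, the names "Alice Example" and the impostor, the sample document text and the shared key are all constructed for illustration and stand in for an X.509 certificate and real data; they are not part of any standard.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Certificate is a minimal, hypothetical stand-in for the "qualified certificate"
// the article describes: a CA signs the binding between a subject's verified
// identity and that subject's public key (real deployments use X.509).
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte // CA signature over certTBS(Subject, PublicKey)
}

// certTBS builds the "to be signed" bytes of a certificate; the fixed prefix and
// separator keep the subject name and the key from running together.
func certTBS(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert:"+subject+":"), pub...)
}

// IssueCertificate is the CA's step: having checked the subject's "real world"
// identity out of band, the CA vouches for the (subject, public key) binding.
func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PublicKey: pub, CASig: ed25519.Sign(caPriv, certTBS(subject, pub))}
}

// VerifySignedDocument is the relying party's step. It trusts only the CA's public
// key: the certificate is checked against it first, then the document signature
// against the key the certificate vouches for. On success it returns the bound name.
func VerifySignedDocument(caPub ed25519.PublicKey, cert Certificate, doc, sig []byte) (string, bool) {
	if !ed25519.Verify(caPub, certTBS(cert.Subject, cert.PublicKey), cert.CASig) {
		return "", false // certificate was not issued by the trusted CA
	}
	if !ed25519.Verify(cert.PublicKey, doc, sig) {
		return "", false // document altered after signing, or signed with another key
	}
	return cert.Subject, true
}

// SharedSecretMAC is the shared-secret ("private key") style of authentication.
// The tag proves the message came from a key holder, but the recipient holds the
// same key and could have produced the tag itself, so it cannot identify one signatory.
func SharedSecretMAC(key, doc []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(doc)
	return m.Sum(nil)
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is fatal for this demonstration
	}
	return pub, priv
}

type ScenarioResult struct {
	HonestSubject        string
	HonestOK             bool
	TamperedOK           bool
	ForgedCertOK         bool
	RecipientCanForgeMAC bool
}

// RunScenario walks through one signing flow with a CA, an honest signatory
// ("Alice Example", a constructed name) and an impostor who has her own key pair
// but no certificate from the CA.
func RunScenario() ScenarioResult {
	var r ScenarioResult
	caPub, caPriv := newKey()
	alicePub, alicePriv := newKey()
	impostorPub, impostorPriv := newKey()
	aliceCert := IssueCertificate(caPriv, "Alice Example", alicePub)
	doc := []byte("I agree to pay 100 GBP for order 4711") // constructed sample document
	sig := ed25519.Sign(alicePriv, doc)                    // only Alice's private key can produce this
	r.HonestSubject, r.HonestOK = VerifySignedDocument(caPub, aliceCert, doc, sig)
	// Integrity: one changed digit after signing is detected.
	tampered := []byte("I agree to pay 900 GBP for order 4711")
	_, r.TamperedOK = VerifySignedDocument(caPub, aliceCert, tampered, sig)
	// Authenticity: the impostor issues herself a certificate in Alice's name, but
	// it is signed with her own key rather than the CA's, so it is rejected.
	forgedCert := IssueCertificate(impostorPriv, "Alice Example", impostorPub)
	_, r.ForgedCertOK = VerifySignedDocument(caPub, forgedCert, doc, ed25519.Sign(impostorPriv, doc))
	// Shared secret: the recipient can compute exactly the tag the sender sent.
	shared := []byte("secret agreed in advance") // constructed sample key
	r.RecipientCanForgeMAC = bytes.Equal(SharedSecretMAC(shared, doc), SharedSecretMAC(shared, doc))
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The relying party never needs Alice's private key or the impostor's, only the CA's public key, which is the point of the infrastructure: trust in one published CA key is what turns "someone with the private key signed this" into "Alice Example signed this". The example omits what a real PKI must also handle and the article goes on to mention, namely distribution, storage and deletion (revocation) of keys.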

Conclusion

So it is now clear that a digital signature (both in the UK and in the EC) is capable of having legal weight, and as such one of the many obstacles to e-commerce has been removed. Of course there will be teething issues as the public become increasingly aware and able to trust the new schemes. Similarly there will no doubt be high profile fraud or attempts to defraud which may have an impact. The approach of the UK legislator to date seems to be to implement e-commerce-related directives in a piecemeal way, ie by enacting enabling legislation which allows the relevant Secretary of State to amend existing legislation in order to remove further obstacles. This can be seen as both a flexible way of proceeding or an effective way of kicking the problems into the long grass (depending upon one's viewpoint). What remains to be seen is the way in which the E-commerce Directive will be implemented in the UK.

For now, organisations and individuals involved in e-commerce have a real and viable solution enabling them to take advantage of the Internet as a formal and secure medium for commerce.

Written by Mark O'Conor and Elizabeth Brownsdon. First published in NLJ Information Technology Supplement 8 March 2002.