Internet Newsletter for Lawyers
* To ensure the authenticity of the information. When sending or receiving information or placing an order or instructions, both parties need to know the sender of the message is the person they claim to be. There is a need to authenticate the identity of the sender.
* To demonstrate the integrity and accuracy of the message, because it is important to know that the content of the message has not been tampered with.
* To prevent the person making the statement from denying they made the statement. This is called non-repudiation in the security industry.
Here are definitions of "electronic signature", used by the Electronic Communications Act 2000 ("the Act"), and "individual certifying certificate".
An "electronic signature" is the incorporation of an electronic or digital method (comprising a numerical value using a known mathematical procedure associated with the private cryptographic key of the sender) to an electronic communication, which is unique to the person using it, is capable of being verified and linked to the communication in such a way that if the content of the communication is changed, the electronic signature is invalidated.
An "individual certifying certificate" means the individual certificate issued by a trusted third party (such as a certification authority), which purports to identify a natural or legal person and indicates that a public key and a private key has been issued to the natural or legal person.
Whilst there is a similarity in purpose between an electronic signature and a manuscript signature, it is true to say that an electronic signature comprises more attributes than a manuscript signature.
An electronic signature, in accordance with the provisions of s7(1) of the Act, can be admissible in evidence in relation to (a) the authenticity of the communication or data and (b) the integrity of the communication or data. In addition, an electronic signature serves other information security purposes that manuscript signatures cannot:
* the recipient can determine whether the communication was altered after it was digitally signed
* as a result, a certifying certificate can provide assurance about the source and integrity of the document.
Electronic signatures can be produced in different formats, including a manuscript signature that is scanned into a document, a signature created by cryptographic means or a digital representation of a biometric, such as a retina scan or fingerprint.
The Act permits an electronic signature to perform a similar role to that of a manuscript signature, and provides, in s7(3), for any person to certify that the electronic signature is a valid means of establishing the authenticity and integrity of the communication or data or both. As a result, a trusted third party that issues a certifying certificate may need to certify, before sending the communication, after sending it, or both, that the signature is authentic and that the integrity of the data or communication is therefore not to be questioned.
It should be noted that the electronic signature is admissible in evidence in relation to the authenticity or integrity of the communication, and that the communication is deemed to have a legal effect (section 2(a)(iii) of the Act is authority on this latter point). Section 7(1) of the Act provides for a two-stage process to ensure an electronic signature can be admissible in evidence:
* First, by s7(1)(a) the electronic signature must be incorporated into or logically associated with a particular electronic communication or data, and
* Second, by s7(1)(b) there must be a certification process where a statement is produced which links the key with the person, including, but not limited to, the undertaking of checks on the identity of the individual or corporate entity.
The second stage of the process implies that somebody needs to certify that a key linked to a person or legal entity is admissible. It seems, therefore, that if a recipient receives an electronic communication which is (a) signed with an electronic signature, and (b) the certifying certificate relating to the electronic signature can be verified, the communication in question is admissible in evidence, subject to the provisions of s15(2).
A document in electronic format can be sent:
* in plain text as an e-mail or an attachment to an e-mail;
* in plain text with an electronic signature attached to it; or
* encrypted with an electronic signature attached to it.
To send a document with an electronic signature attached or in encrypted form, the sender will need two keys: one to encrypt the document or add the electronic signature and a second key to permit the recipient to decrypt the document or read the electronic signature. The sender can, if they are so inclined, produce the relevant keys on their own system or computer. If the sender wishes to both encrypt the document and attach an electronic signature, two separate keys are needed to fulfil the separate functions.
For instance, the sender of a document may not be worried about sending a document over the internet because the content is innocuous. However, they may wish to assure the recipient that the sender actually sent the document. In this instance, an electronic signature will suffice.
Alternatively, the sender can decide to use the public key infrastructure (known as PKI). Companies offer a service by which they will generate a key pair, comprising a private and a public key. The public key allows recipients to open a communication which has been sent using the private key. Only the sender has the private key, so recipients can be assured that the communication comes from the sender, unless the key has been compromised.
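As an added illustration (this code is not part of the article): the sender generates a key pair on their own system, signs a communication with the private key, and the recipient verifies it with the public key; any change to the content, or a check against a different public key, invalidates the signature. It uses Go's standard-library Ed25519, and the sample communication is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is the sender's key pair. The private key stays on the sender's own
// system; the public key is what a certifying certificate would bind to them.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair on the sender's own system.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces the numerical value that is attached to the communication.
// The message itself is not encrypted: it still travels in plain text.
func (s *Signer) Sign(message []byte) []byte {
	return ed25519.Sign(s.private, message)
}

// Verify is the recipient's check: it succeeds only if the signature was made
// over exactly this message by the holder of the private key matching pub.
func Verify(pub ed25519.PublicKey, message, signature []byte) bool {
	return ed25519.Verify(pub, message, signature)
}

func main() {
	sender, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample communication (not taken from the article).
	msg := []byte("Pay GBP 250,000 to account 12345678 on completion.")
	sig := sender.Sign(msg)
	fmt.Println("untouched message verifies:", Verify(sender.Public, msg, sig))
	altered := []byte("Pay GBP 520,000 to account 12345678 on completion.")
	fmt.Println("altered message verifies:  ", Verify(sender.Public, altered, sig))
	impostor, _ := NewSigner()
	fmt.Println("checked with another key:  ", Verify(impostor.Public, msg, sig))
}
```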
The companies offering this service are known as certification authorities (or CAs) or trusted third parties (TTPs). For more on this topic, see my article "Electronic Signatures: The Technical and Legal Ramifications", Computers and Law, December 1999/January 2000. This article is also available online at www.itsecurity.com/papers/digsig.htm.
There are several problems that affect the reliability of certifying certificates, which are used to affix electronic signatures to an electronic communication. This article is too short to deal with these issues; please see my forthcoming article "The evidential issues relating to electronic signatures", to be published in the April/May 2002 edition of The Computer Law and Security Report.
The general rule with respect to signed documents is this: where a party relies on a signed document and wishes to enforce the document against the signing party, the relying party must prove the signature is that of the signing party, or the document was authorised by the signing party. This is so where the signing party claims they did not sign the document, or if they did sign the document, they did so under duress. It is not for the signing party to prove that they did not authorise the document or sign it.
The onus of proof - England and Wales - common law
It appears, from the decision of Waller J in Standard Bank London Limited v Bank of Tokyo Limited [1995] CLC 496; [1996] 1 C.T.L.R. T-17, that the receiving party can rely on the electronic signature, providing they have carried out due diligence in ensuring the certifying certificate has not been revoked for any reason. The Bank of Tokyo arranged for three tested telexes to be sent to Standard, containing a secret code confirming and authenticating the authorised signatory of three letters of credit with a total face value of US$19.8m, and confirming that the Bank of Tokyo accepted all responsibilities and liabilities under those letters of credit. Evidence was adduced to indicate that banks not only used this system with confidence, but used it to avoid arguments about authority. In this instance, the tested telexes were sent fraudulently. The Bank of Tokyo was found liable for negligent misrepresentation because the tested telexes could not have been sent without negligence on the bank's part.
Shifting the onus of proof - England and Wales - Electronic Communications Act 2000
By section 8(1) of the Act, Parliament has given Ministers the authority to modify legislation to permit the use of electronic signatures as an acceptable alternative to a manuscript signature. The Act allows for the burden of proof to be shifted, in accordance with sections 8(4)(g) and 8(5)(d). In combination, these sections give scope to a Minister to determine where the burden of proof will lie in any particular order issued under the Act.
As a result, anybody deciding to use electronic signatures will need to ensure they guard the use of their certifying certificates very closely. In particular, they will need to ensure that their computer, or the system upon which the electronic signature sits, is properly protected.
In this respect, it is only right that solicitors should be concerned about the proposals for conveyancing, because the risks are serious and certainly outweigh the benefits that some people claim. The Lord Chancellor's Department issued a Consultation Paper "Electronic Conveyancing - A draft order under section 8 of the Electronic Communications Act 2000" in March 2001, which set out the proposals relating to the provision of electronic conveyancing, inviting comments by 25 June 2001 - see www.lcd.gov.uk/consult/general/e-conv.htm. The response by the Law Society can be found on the Law Society web site, appendix 2 of which illustrates some of the vulnerabilities electronic conveyancing will face.
See also two articles by Raymond Perry, "The perils of non-repudiation", Law Society Gazette, 11 October 2001, and "Digital signatures - security issues and real-world conveyancing", New Law Journal, July 20, 2001.
Tim Travers expresses a contrary view in "Digital certificates will pass the test", Law Society Gazette, 20 Sep. 2001.
Over the past few years politicians have rushed into passing laws placing electronic signatures on par with manuscript signatures. In putting legislation on to the statute book, individual states have:
* failed to agree an international meaning of what is meant by an "electronic signature",
* taken different views in relation to the types of electronic signature to be made available (ordinary signatures and qualified signatures),
* ignored the issues relating to compatibility of software and hardware, and
* failed to agree whether trusted third parties should be licensed or unlicensed, public or private.
Whether it is wise to use electronic signatures is debatable, bearing in mind the liability issues and the possible costs of dealing with a section 49 notice under the Regulation of Investigatory Powers Act 2000.
© Stephen Mason, 2001
Stephen Mason was called to the Bar by Middle Temple in 1988 after nine years in bomb disposal. He specialises in e-risks, e-business, data protection and commercial law. He drafted ten e-commerce precedents in 2000 for http://www.ebldirect.com and writes the legal commentary to the Risk Management chapter of the Encyclopedia of Information Technology Law.
email stephenmason@stephenmason.co.uk.
Stephen Mason has provided some additional material below on electronic signatures in Ireland. The Electronic Commerce Act 2000 (No 27 of 2000) was brought into force by a commencement order (SI No 293 of 2000) on 20 September 2000. There is a summary of the Act prepared by the Department of Enterprise, Trade & Employment at www.entemp.ie/ecd/ebus1.htm and there is a link, on that page, to a pdf version of the Act.
The Act covers the same ground as the UK equivalent, but provides some interesting differences that set the two Acts apart:
* The provision for an advanced electronic signature, as set out in EU Directive 1999/93/EC of 13 December 1999.
* The use of an electronic signature where a manuscript signature is required (s13). An electronic signature is defined in s2(1). The function of an electronic signature serves to provide "a method of authenticating the purported originator". This definition, taken together with the definition of "certificate" ("means an electronic attestation which links signature verification data to a person or public body, and confirms the identity of the person or public body" [author's italics]) seems to mean that the provider of an electronic signature is required to (a) verify the true identity of the user and (b) authenticate the originator of the electronic signature. There appears to be a distinct link between ascertaining true identity with the issuing of a certificate and the subsequent authentication of the electronic signature. If this is the case, the duty on the provider of an electronic signature is very high.
* By s14, where a signature is required to be witnessed, both the signature that is required to be witnessed and the witnessing signature must be an advanced electronic signature based on a qualified certificate (as defined in s2(1)). The infrastructure requirements for advanced electronic signatures are set out in Annex II and the provision of a qualified certificate is subject to the requirements of Annex I.
* The Act provides that contracts cannot be denied legal effect if they are in electronic format (s19). In addition, the Act incorporates, in section 20, provisions dealing with the time and place of dispatch and receipt of electronic communications, which have been derived from the United Nations model law on electronic commerce (online here).
* A number of offences are listed in section 25, relating to fraud and misuse of electronic signatures. It is interesting to note that by section 26, these offences extend to activities that take place partly outside the State.
* A certification service provider is liable, by section 30, to a party that relies on a qualified certificate issued by the service provider. This liability also exists where a service provider guarantees such a certificate. This statutory provision relating to liability of the service provider (subject to proof that the service provider had not acted negligently) places a heavy burden on the service provider to ensure they correctly identify the user of the certificate and that they have adequate technical systems in place to ensure a relying party can check whether a certificate has been revoked (for details of what can go wrong technically, see the previously mentioned forthcoming paper by the author).