Internet Newsletter for Lawyers
The move towards e-conveyancing will require practitioners to use digital signatures and obtain separate insurance to cover the security of the computer system they use.
A digital signature can comprise three elements: a key pair (a private key and a public key) and a certificate, which is usually issued by a third party such as a certification authority. When an electronic document or message (hereinafter only a message will be referred to) is signed with a digital signature, the private key is used to associate a value with the message using an algorithm. The computer undertakes this task. The value, the message and a certificate linking the private key to the named person or entity are then sent to the recipient. The recipient uses the public key to check the value is correct by "unlocking" the value created by the algorithm. A computer undertakes the entire operation of affixing a digital signature by a sender, and the checking of a digital signature by the recipient. The only action required of the human being (in theory) is to cause the computer to associate the digital signature with the message. Depending on the software used, the recipient is not required to do anything other than open the document, and the computer will do the rest.
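The mechanism described above, as an added example that is not part of the original article: a textbook RSA key pair, a signing step that binds a hash value to the message with the private key, and the recipient's check with the public key. The primes, the sample message and the absence of a padding scheme are constructed for illustration only (real keys use secret random primes and PKCS#1-style padding); the last line shows the point the article makes later, that a successful check proves only which private key was used, not who caused it to be used.

```python
import hashlib

# Constructed toy parameters: two Mersenne primes, chosen only so the example
# runs offline with no third-party library. Real keys use secret random primes;
# these are public and trivially factored, so never use them for anything real.
P = 2**127 - 1
Q = 2**521 - 1
E = 65537


def generate_key_pair():
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, E), (n, d)


def message_digest(message: bytes) -> int:
    """The 'value' the article describes: a SHA-256 hash of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """The sender's computer associates a value with the message using the private key."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """The recipient 'unlocks' the value with the public key and compares it to the digest."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    public_key, private_key = generate_key_pair()
    msg = b"Transfer of Whiteacre to the purchaser"  # constructed sample message
    sig = sign(private_key, msg)
    print("genuine message:", verify(public_key, msg, sig))        # True
    print("altered message:", verify(public_key, msg + b"!", sig))  # False
    # Whoever holds the private key, the named signatory or a Trojan horse on
    # their machine, produces an equally valid signature: the check identifies
    # the key, not the hand that caused the computer to use it.
    print("same key, other hand:", verify(public_key, msg, sign(private_key, msg)))  # True
```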
Most computers now have the ability to generate a key pair, although if you generate your own key pair, you will then need to distribute the public key. Alternatively, you can subscribe to a certification authority for the provision of a certificate, and either the certification authority will generate a key pair or, more often, a specialist trusted key generation company undertakes this task. Digital signatures can be obtained in the name of an individual or a body corporate.
A certification authority acts as a trusted third party. Depending on the nature of the certificate, it may verify the identity of the party applying for a certificate. The certificate is then linked to the private key, and the public key is placed in a public depository, thus eliminating the need to distribute the public key. A person wishing to obtain the public key downloads a copy. The certificate associates the private key with the subscribing party. When a certificate is revoked for some reason (where it has been compromised, for instance, or has expired), the certification authority places a notice to this effect in a certificate revocation list.
Where an outsider intends to attack the computer or system, the first line of attack will be to crack a password. This is relatively easy for any attacker to accomplish, given the propensity of most users to choose words that are susceptible to automated attack, such as dictionary attacks. Thereafter, a hacker can exploit weaknesses in the security system itself: the hacker enters the system and leaves a Trojan horse that permits them to activate the computer and gain entry to the files at a time of their choosing, and to use the private key to send messages that are signed with the digital signature.
A range of attacks are theoretically possible, not all of which are associated with taking over the computer of the sending party. For instance, the "root" key of the certification authority can be replicated, which means it is possible to make the recipient believe they are communicating with the legitimate sending party, when they are, in fact, communicating with an impostor. Private keys are also prone to being misused by employees or contractors, which means appropriate security should also include provisions against such risks.
For those using Microsoft software, if you look in Outlook Express: Tools - Options - Security, you will probably find a number of certificates relating to various certification authorities already loaded into the computer. The certificates are relatively easy to navigate, depending on the version of software on your system. If you want to use a digital signature, it is probable that you will have to ask somebody to help you install one, although some users may be familiar with how to undertake this task.
1. The combination of s91(3)(b) and s91(4) could be construed as an irrebuttable presumption that the purported signatory did in fact sign an electronic document.
2. Alternatively, these provisions can be construed that the document has in it or associated with it something that, at common law, is the signature of the relevant party.
3. Further in the alternative, by reference to s91(10) and ss7(1) and 15(2)(a) of the Electronic Communications Act 2000, for an electronic signature to be effective, it may be necessary to demonstrate that it came from each person by whom the document purports to be authenticated, and the use of the electronic signature was intended to have a legal effect.
It is not clear what meaning to attribute to the provisions of s91, but what is obvious is that if a practitioner intends to spend the money with the Land Registry and offer electronic conveyancing, they must sign up to the Land Registry network by way of a network access agreement. The practitioner will be required to have separate, compulsory insurance cover for the security of their computer system, in accordance with the provisions of schedule 5 paragraph 11(3)(c). As it is difficult, if not impossible, to quantify the potential losses, and as both the largest firm and the single practitioner can suffer from the same attacks, the cost of such insurance will fall disproportionately on the smaller firm. Unless there is any evidence to the contrary, the introduction of electronic conveyancing will significantly increase the costs of conveying property.
1. Where a person has a digital signature, they cause the signature to be associated with the message.
2. A recipient, when they open a message that has been signed with a digital signature, can be sure that the sender actually caused the digital signature to be associated with the message.
3. The certificate that accompanies the digital signature confirms the link between the private key of the sender and the certificate, and therefore confirms that the message was sent by the person whose private key was used.
None of these assertions is true. In addition, these assertions are very difficult to prove using the present infrastructure. The only way of ensuring the sender actually caused their computer to associate their digital signature with the message in question is for the sender to confirm they signed the message, preferably in writing, by way of e-mail, facsimile transmission or letter.
When you send an e-mail, you add your name to the e-mail. This is a form of electronic signature, and binds you to the message in the same way as a digital signature. If a recipient doubts that you sent the message, they can always telephone you to confirm it was sent by you.
© Stephen Mason 2003. Stephen Mason practises from St Pauls Chambers, Leeds and specialises in authentication, electronic signatures, e-business, e-mail, e-risks and commercial law. Stephen's book "Electronic Signatures in Law" is to be published by Butterworths in the autumn of 2003, see www.butterworths.co.uk.
Email stephenmason@stephenmason.co.uk.