Volume 18, Number 6
INTERNATIONAL LAW AND PRACTICE
Legally Binding Electronic Documents
Digital Signatures and Authentication
By Chris Reed
Authentication of the record of an electronic communication requires that a court can be satisfied that the contents of the record have remained unchanged since it was sent; the purported sender of the communication is identifiable; the identified sender agreed to its contents; and in some cases, extraneous information, such as the apparent date of the transmission, is accurate.
Additionally, because a legal dispute will not come to court until some years after the relevant messages were sent, it is necessary to demonstrate an audit trail connecting the copy of the message before the court to the copy as originally sent or received.
Authenticity is likely to be proven if the user can produce a human witness to testify that the system (including the operational system used for archiving) was operating properly at the relevant time, and if the other party to the litigation is unable to adduce evidence to counter this presumption.
In order to ensure that an appropriate audit trail exists, and to produce evidence that will tend to authenticate records of electronic messages, it has been common in business-to-business transactions to agree in advance what records the parties will keep, and whether particular categories of messages are to be acknowledged by the receiving party, including provisions on what form that acknowledgment should take. As online trading moves to open electronic commerce via the Internet, however, such pre-trading contracts become harder to establish.
What is required for truly open communications is a method of authenticating a message that permits both the sender and recipient to store it on their own systems and to use the stored copy for authentication purposes. The leading technology that achieves this aim is digital signatures.
Digital signatures. Clearly, a traditional manuscript signature is not feasible where the parties communicate via the Internet. Digital communication technology requires methods of electronic signature, which are necessarily very different from the manuscript signature. The primary function of a physical signature is to provide evidence of three matters:
- The identity of the signatory.
- The signatory intended the signature to be his signature.
- The signatory approves of and adopts the contents of the document.
Manuscript signatures meet these functional requirements. An electronic signature, however, by itself cannot provide sufficient evidence of the signatory's identity. Evidence is required that links the signature key or other signature device to the signatory himself. But the recipient wishes to be able to rely on the signature without needing to collect evidence for use in the unlikely event that the signature is disputed. For this reason, most electronic signatures used for e-commerce communications are likely to be accompanied by an ID Certificate issued by a Certification Authority. The Certification Authority takes traditional evidence of identity, for example, by examining passports and, in the case of public key encryption digital signatures, checks that signatures effected with the signatory's secret key are verifiable using the public key. Once the Certification Authority is satisfied as to the signatory's identity, it issues an ID Certificate, which includes a certification of the signatory's identity and of his public key.
Once identity has been proven, the very fact that an electronic signature has been affixed to a document should raise the same presumptions as manuscript signatures; that is, the signatory intended to sign the document and thereby adopt its contents. There is one difference, however. In the case of a manuscript signature, the signatory must be present and must have the document to be signed in front of him. Electronic signature technology is a little different. There are essentially two options:
- The signature is effected by selecting from an on-screen menu or button, with the signature key stored on the signatory's computer; or
- The signature key is stored on a physical token, such as a smart card, which needs to be present before the signature software can affix the signature.
In either case, a third party with access to the computer or to the storage device would be able to make the signature. The party seeking to rely on the validity of the signature may need to adduce extrinsic evidence that the signature was applied with the authority of the signatory, until the use of electronic signatures becomes so common that the courts are prepared to presume that a third party who is given access to the signature technology has been authorized by the signatory to sign on his behalf, or unless a statute introduces a presumption as to the identity of the signatory. In cases where an electronic signature that has previously been acknowledged by the signatory is effected by an unauthorized third party, however, the apparent signatory should be estopped from denying that it was his signature.
The objection that an electronic signature fails to meet the evidentiary requirements because a successful forgery cannot be detected is easily dismissed by pointing out that no such requirement is imposed for manuscript signatures. In fact, electronic signatures are normally much harder to forge than manuscript signatures. Thus, the only function that electronic signatures cannot provide is that of making a mark on a document, a function that is unnecessary in the digital environment.
Where the parties have had no previous dealings, the recipient will have no knowledge of whether the public key does in fact correspond to the purported identity of the signatory. This is where the ID Certificate comes in. It contains a copy of the signatory's public key. It also contains a statement that the issuer of the certificate has checked the signatory's identity, the signatory does in fact possess the signature data that corresponds to the public key, and the issuer has checked that the public key validates the identified person's electronic signature.
Thus, where an electronic signature is made on a document, the accompanying ID Certificate provides evidence from an independent third party that the person named in the certificate did in fact have access to the unique signature data as long as the public key included in the certificate validates the signature.
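The certificate mechanism described above, as an added example that is not part of the original article: a Certification Authority confirms that the applicant can sign with the secret key matching the offered public key, signs the binding of name to key, and a recipient then checks the CA's signature before checking the document. It assumes textbook RSA over SHA-256 with small fixed primes purely to stay self-contained (real certificates use X.509 and padded signatures); all names, keys and the sample order are constructed.

```python
import hashlib
E = 65537  # public exponent used by every constructed key below

def make_key(p, q):
    """Textbook RSA from two primes: returns (public modulus n, secret exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def cert_body(subject, public_key):
    return f"subject={subject};public_key={public_key}".encode()

def issue_certificate(subject, public_key, proof, ca_n, ca_d):
    """CA step: confirm the applicant's signature verifies under the offered key,
    then sign the identity-to-key binding (passport checks happen off-line)."""
    if not verify(b"possession:" + subject.encode(), proof, public_key):
        raise ValueError("applicant cannot sign with the matching secret key")
    return {"subject": subject, "public_key": public_key,
            "ca_signature": sign(cert_body(subject, public_key), ca_n, ca_d)}

def check_signed_document(doc, sig, cert, ca_n):
    """Recipient step: trust the key only via the CA, then check the document."""
    body = cert_body(cert["subject"], cert["public_key"])
    if not verify(body, cert["ca_signature"], ca_n):
        return "rejected: certificate not vouched for by the CA"
    if not verify(doc, sig, cert["public_key"]):
        return "rejected: signature does not match the certified key"
    return "valid: signed with the key certified for " + cert["subject"]

# Constructed demo data: toy keys built from known Mersenne primes.
CA_N, CA_D = make_key(2**127 - 1, 2**107 - 1)
SIGNER_N, SIGNER_D = make_key(2**89 - 1, 2**61 - 1)
CERT = issue_certificate("Alice Example", SIGNER_N,
                         sign(b"possession:Alice Example", SIGNER_N, SIGNER_D),
                         CA_N, CA_D)
ORDER = b"Purchase order 1: 100 units"
ORDER_SIG = sign(ORDER, SIGNER_N, SIGNER_D)

if __name__ == "__main__":
    print(check_signed_document(ORDER, ORDER_SIG, CERT, CA_N))
    print(check_signed_document(ORDER + b"0", ORDER_SIG, CERT, CA_N))
    print(check_signed_document(ORDER, ORDER_SIG, dict(CERT, subject="Mallory"), CA_N))
```

The check establishes only that the certified key produced the signature; whether the named person or a third party with access to the key applied it remains a matter of evidence, as discussed earlier in the article.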
Legislative initiatives. At the time of writing, there are more than 100 laws or proposals for laws regarding the use of electronic signatures. At present, three clear divisions can be seen in these instruments:
- Laws that validate the use of electronic signatures in a closed group of users, such as systems for transferring medical data among doctors, hospitals, and insurers. These laws are of no relevance to open Internet communications.
- Laws that define validity solely in terms of the functions achieved by an electronic signature method.
- Laws that define validity by reference to the use of ID Certificates within the electronic signature method. These laws do not normally prescribe a particular technical standard that must be adopted but merely describe the requirements that a certificate and its issuing Certification Authority must meet.
Most laws introduce a number of presumptions about an electronic signature that meets the law's requirements, the most important of which are:
- The apparent signatory did in fact make the electronic signature.
- The apparent signatory intended to sign and adopt the contents of the document.
- The signed document has not been altered since the time of signature.
- The information in the ID Certificate is accurate, and the holder's public key in fact belongs to that holder.
- The ID Certificate was issued by the Certification Authority whose electronic signature is contained in the certificate.
The current trend in laws and legislative proposals is to link the question of signature validity with certification of identity. It seems likely that, as commercial activity on the Internet increases, businesses will increasingly require their customers to identify themselves through ID Certificates and will demand electronic signatures that are validated by those certificates. There is also a clear trend toward introducing accreditation schemes for certification authorities, for two main reasons: (1) persons relying on ID Certificates need to trust and have confidence in the issuing Certification Authority, and this trust and confidence is engendered by adherence to the accreditation scheme's requirements and auditing (where required by the scheme rules); and (2) ID Certificates need to work for cross-border transactions, which is achieved by mutual recognition of accreditation schemes.
Chris Reed is Professor of Electronic Commerce Law, Centre for Commercial Law Studies, Queen Mary University of London. He is also of counsel to Tite & Lewis, London.
This article is an abridged and edited version of one that originally appeared on page 89 of The International Lawyer, Spring 2001 (35:1).