Electronic signature

An electronic signature, or e-signature, is any electronic means that indicates either that a person adopts the contents of an electronic message, or more broadly that the person who claims to have written a message is the one who wrote it (and that the message received is the one that was sent by this person). By comparison, a signature is a stylized script associated with a person. In commerce and the law, a signature on a document is an indication that the person adopts the intentions recorded in the document. Both are comparable to a seal. In many instances, common with engineering companies for example, digital seals are also required for another layer of validation and security. Digital seals and signatures are equivalent to handwritten signatures and stamped seals.

Increasingly, digital signatures are used in e-commerce and in regulatory filings as digital signatures are more secure than a simple generic electronic signature.[1][2] The concept itself is not new, with common law jurisdictions having recognized telegraph signatures as far back as the mid-19th century and faxed signatures since the 1980s.

In many countries, including the United States, the European Union, India, Brazil and Australia, electronic signatures (when recognised under the law of each jurisdiction) have the same legal consequences as the more traditional forms of executing of documents.[2][3]

In contract law

Since well before the American Civil War began in 1861, morse code was used to send messages electrically by telegraphy. Some of these messages were agreements to terms that were intended as enforceable contracts. An early acceptance of the enforceability of telegraphic messages as electronic signatures came from the New Hampshire Supreme Court in 1869.[4]

In the 1980s, many companies and even some individuals began using fax machines for high-priority or time-sensitive delivery of documents. Although the original signature on the original document was on paper, the image of the signature and its transmission was electronic.[5]

Courts in various jurisdictions have decided that enforceable electronic signatures can include agreements made by email, entering a personal identification number (PIN) into a bank ATM, signing a credit or debit slip with a digital pen pad device (an application of graphics tablet technology) at a point of sale, installing software with a clickwrap software license agreement on the package, and signing electronic documents online.

The first agreement signed electronically by two sovereign nations was a Joint Communiqué recognizing the growing importance of the promotion of electronic commerce, signed by the United States and Ireland in 1998.[6]

Enforceability of electronic signatures

In 1996 the United Nations published the UNCITRAL Model Law on Electronic Commerce.[7] Article 7 of the UNCITRAL Model Law on Electronic Commerce was highly influential in the development of electronic signature laws around the world, including in the US.[8] In 2001, UNCITRAL concluded work on a dedicated text, the UNCITRAL Model Law on Electronic Signatures,[9] which has been adopted in some 30 jurisdictions.[10] The latest UNCITRAL text dealing with electronic signatures is article 9, paragraph 3 of the United Nations Convention on the Use of Electronic Communications in International Contracts, 2005, which establishes a mechanism for functional equivalence between electronic and handwritten signatures at the international level as well as for the cross-border recognition.

The U.S. Code defines an electronic signature for the purpose of US law as "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."[11] It may be an electronic transmission of the document which contains the signature, as in the case of facsimile transmissions, or it may be encoded message, such as telegraphy using Morse code.

In the United States, the definition of what qualifies as an electronic signature is wide and is set out in the Uniform Electronic Transactions Act ("UETA") released by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999.[12] It was influenced by ABA committee white papers and the uniform law promulgated by NCCUSL. Under UETA, the term means "an electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." This definition and many other core concepts of UETA are echoed in the U.S. ESign Act of 2000.[11] 47 US states, the District of Columbia, and the US Virgin Islands have enacted UETA.[13] Only New York, Washington State, and Illinois have not enacted UETA,[13] but each of those states has adopted its own electronic signatures statute.[14][15][16]

Canadian law (PIPEDA) attempts to clarify the situation by first defining a generic electronic signature as "a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document", then defining a secure electronic signature as an electronic signature with specific properties. PIPEDA's secure electronic signature regulations refine the definition as being a digital signature applied and verified in a specific manner.[17]

In the European Union, Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures was published in the EC Official Journal on 13 December 1999 (OJ No L 13 p. 12 19/1/2000).[18]

Legal definitions

Various laws have been passed internationally to facilitate commerce by the use of electronic records and signatures in interstate and foreign commerce. The intent is to ensure the validity and legal effect of contracts entered into electronically. For instance,

PIPEDA (Canadian federal law)
(1) An electronic signature is "a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document";
(2) A secure electronic signature is as an electronic signature that
(a) is unique to the person making the signature;
(b) the technology or process used to make the signature is under the sole control of the person making the signature;
(c) the technology or process can be used to identify the person using the technology or process; and
(d) the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.
ESIGN Act Sec 106 (US federal law)[19]
(2) ELECTRONIC- The term 'electronic' means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
(4) ELECTRONIC RECORD- The term 'electronic record' means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.
(5) ELECTRONIC SIGNATURE- The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
GPEA Sec 1710 (US federal law)
(1) ELECTRONIC SIGNATURE.—the term "electronic signature" means a method of signing an electronic message that—
(A) identifies and authenticates a particular person as the source of the electronic message; and
(B) indicates such person's approval of the information contained in the electronic message.
UETA Sec 2 (US state law)
(5) "Electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
(6) "Electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part, without review or action by an individual.
(7) "Electronic record" means a record created, generated, sent, communicated, received, or stored by electronic means.
(8) "Electronic signature" means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
Federal Reserve 12 CFR 202 (US federal regulation)
refers to the ESIGN Act
Commodity Futures Trading Commission 17 CFR Part 1 Sec. 1.3 (US federal regulations)
(tt) Electronic signature means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
Food and Drug Administration 21 CFR Sec. 11.3 (US federal regulations)
(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
United States Patent and Trademark Office 37 CFR Sec. 1.4 (federal regulation)
(d)(2) S-signature. An S-signature is a signature inserted between forward slash marks, but not a handwritten signature ... (i)The S-signature must consist only of letters, or Arabic numerals, or both, with appropriate spaces and commas, periods, apostrophes, or hyphens for punctuation... (e.g., /Dr. James T. Jones, Jr./)...
(iii) The signer's name must be:
(A) Presented in printed or typed form preferably immediately below or adjacent the S-signature, and
(B) Reasonably specific enough so that the identity of the signer can be readily recognized.[20]

Legal test of electronic signatures

The purpose of the UETA and the federal ESIGN Act is to authorize the use of electronic records and signatures. In other words, these laws answer the question "is it a signature", but not the question "is it YOUR signature." Most contract disputes are not related to the authenticity of signature or the identity of the contracting parties, and so these laws have great utility for a broad range of electronic contracting transactions, and allow flexibility by permitting the type of electronic signature used to fit the nature of the transaction. But in law, if a signature on a contract or other document is contested, the signature must meet certain tests before a court will uphold it. These requirements vary by jurisdiction, but various sorts of signatures, some entirely electronic Telex addresses (for example, ABC Company sends a Telex to XYZ Company making an offer at a particular price. The offer was held to be binding when the "signature" was challenged.), telegrams (for example, "I ACCEPT, SMITH" even though Smith never actually touched the telegraph key), and faxes of documents, even in some cases where the original was not signed by the sender.

In the case of Mehta v J Pereira Fernandes[21] the English High Court held that

if a party or a party's agent sending an e mail types his or her or his or her principal's name to the extent required or permitted by existing case law in the body of an e mail, then in my view that would be a sufficient signature.

Accordingly, it would appear that in English law any insertion of a name by the purported signer or a natural person authorised by him constitutes a signature but an automatically inserted email address does not.[22] However, there has been academic commentary to the effect the learned judge reached a conclusion that cannot be reconciled with the international cases or long-standing English case law.[23]

A central question in such cases is forgery and spoofing of assent, and in these decisions, courts have held that forgery and spoofing can be in practice ruled out. Nevertheless, it is easily possible, for many electronic methods of signature, or imputed signature, to forge or spoof assent. The rapidly rising problem of identity theft illustrates the ease of such forgeries.

Often, businesses rely on other means to attempt to ensure an electronic signature is correct, including talking with the signing person directly or over the phone before an electronic signing, having an ongoing business relationship, and receiving payment or other indications of intent to do business that do not rely solely on a signed document. This is good business practice even in the paper world, as forgeries have been common there since time immemorial. Fraud is a common issue in all signature situations, and neither type of signature (paper or electronic) provides fully effective anti-fraud protections.

None of the electronic signatures in these examples are "digital signatures", as that term is commonly used, in that there is no cryptographic assertion of the signer's identity, and no integrity check on the text received. However, all are electronic signatures, and all have been found legally binding in many different types of consumer, commercial and business transactions. However, proving the authenticity of a digital signature in a court of law may, in some circumstances, be easier than proving the validity of other types of electronic signatures. The relative ease of proving authenticity of a digital signature is dependent on the integrity of the process for delivering the cryptographic key to the signer, and the extent to which the signer has agreed, or is otherwise bound, to protect the key and accept responsibility for its use.

Laws regarding use of electronic signatures

Controversial assumptions of electronic signature

Further information: Shrink wrap contract, Clickwrap and Browse wrap

Some web sites and software EULAs contain terms that assert that various electronic and other actions give rise to legally effective signatures. For example, a web page might announce that, by accessing the site at all, you have agreed to a certain set of terms and conditions. A software product might assert, in its packaging or on an early installation screen, that by using it you have agreed to licensing terms. These may or may not have been discernible prior to sale, and may or may not be completely displayed even at installation.

In regard to a prominent limitation typically imposed in EULAs: Such licenses often include such restrictions as a prohibition of reviewing the product for publication (electronic or otherwise) without prior permission of the publisher/distributor, or prohibition on studying the product (i.e., reverse engineering) for an otherwise lawful purpose such as producing data files in a compatible format. Some such claims would appear to be contrary to patent law (which requires public disclosure as a condition of granting a patent) or to copyright law which does the same for works available to the public, or to contract law which requires informed knowing assent to reasonable contract terms as a condition of enforceability in court. Only if all such covered matters are trade secrets would many such clauses appear sustainable, but even so a condition of trade secrecy is maintenance of the secret by the holder. This may not be met in the case of a widely distributed product offered for sale to anyone.

By legal system

The legal status of such claims is uncertain. In the US, only two states have adopted a new revision of the Uniform Commercial Code which authorize such licensing restrictions, with disclosure after purchase. The validity of such terms remains uncertain, despite the views of many EULA authors. Analogies to the physical world in which contracts and signatures are written, signed, and stored in tangible form suggest that analogous terms would not be acceptable.

Returning to the subject of the validity of a contract's existence (as determined by its means of creation): Courts in the UK have taken the view that online contracts are no different from (a) offline ones or (b) ones made electronically at a distance by telex, fax, or morse-code telegraphy, and accordingly can be valid subject to all the usual contract principles: there must be offer, acceptance, contractual intention and certainty as to terms. Contract terms must be available before acceptance, as established in the 1971 case of Thornton v Shoe Lane Parking Ltd where a contract was entered into with a machine before terms were known (and therefore those terms were not binding).

In any event any contract is subject to tests of reasonableness (and in the case of contracts with consumers, "fairness") under the Unfair Contract Terms Act and the Unfair Terms in Consumer Contracts Regulations. In addition under the Electronic Commerce Regulations 2002 (SI 2002/2013) and Distance Selling Regulations there are requirements to make the steps required to conclude the contract clear, and rights to revoke contracts within certain periods and subject to certain limits. Many of these laws and regulations arise from EU Directives and Regulations so are broadly replicated throughout the European Economic Area. Generally the courts have treated this more as a matter of acceptance by conduct than signature.

Technological implementations (underlying technology)

Digital signatures

Further information: Digital Signature
A diagram showing how a digital signature is applied and then verified.

Digital signatures are cryptographic implementations of Electronic signatures used as a proof of authenticity, data integrity and non-repudiation of communications conducted over the internet. When implemented in compliance to digital signature standards, digital signing should offer end-to-end privacy with the signing process being user-friendly and secure. Digital signatures are generated and verified through a Digital Signature Algorithm (DSA).[2]

The most relevant standards on digital signatures with respect to size of domestic markets are the Digital Signature Standard (DSS)[26] by the National Institute of Standards and Technology (NIST) and the eIDAS Regulation[27] enacted by the European Parliament.[1] OpenPGP is a non-proprietary protocol for email encryption through public key cryptography. It is supported by PGP and GnuPG, and some of the S/MIME IETF standards and has evolved into the most popular email encryption standard in the world.[28]

There are typically three algorithms involved with the digital signature process: The key generation algorithm provides a private key along with its corresponding public key. The signing algorithm produces a signature upon receiving a private key and the message that is being signed. And last, the verification checks for the authenticity of the message by verifying it along with the signature and public key. The process of digital signing requires that the signature generated by both the fixed message and private key can then be authenticated by its accompanied public key. Using these cryptographic algorithms, the user’s signature cannot be replicated without having access to their private key. A secure channel is not typically required. By applying asymmetric cryptography methods, the digital signature process prevents several common attacks where the attacker attempts to gain access through the following attack methods.[29]

Biometric signatures

As already discussed, the term "electronic signature" may be used to refer to "cryptographic signatures" (cryptographic data affixed to a document) and more broader forms of establishing authenticity and origin of messages which often include cryptographic data. However, electronic signature may also refer to electronic forms of processing or verifying identity through use of biometric "signatures" or biologically identifying qualities of an individual. Such signatures use the approach of attaching some biometric measurement, or hash of said measurement, to a document as evidence. For instance, fingerprints, hand geometry (finger lengths and palm size), iris patterns, or even retinal patterns. All of these are collected using electronic sensors of some kind. Since each of these physical characteristics has claims to uniqueness among humans, each is to some extent useful as a signature method.

Biometric measurements of this type are useless as passwords, as they can't be changed if compromised. However, they might be serviceable as electronic signatures of a kind - except that, to date they have been so easily spoofable that they can carry little assurance that the person who purportedly signed a document was actually the person who did. Unfortunately, each is easily spoofable by a replay of the electronic signal produced and submitted to the computer system responsible for 'affixing' a signature to a document. Wiretapping techniques often suffice for this. In the particular case of fingerprints, a Japanese professor and some graduate students managed to spoof all of the commercially available fingerprint readers available to them with some ordinary kitchen chemistry (gummy bear candy gel) and a little ingenuity. No actual fingers were needed to successfully spoof every reading device.[30] In addition, some German journalists at a CeBit conference were able to fool several iris pattern scanners with improvised masks.

Digitally captured signatures

An emerging form of electronic signatures for the purposes of contracts is defined as "Dynamic Signature", or confusingly sometimes themselves labeled "Biometric Signatures" (despite their existence as only one item in the category of biometric signatures). The term stands for handwritten signatures that are digitized throughout the writing process – including static characteristics and biometric (dynamic) signals. Instead of replacing the handwritten signature e-signing solutions of this kind seek to transfer the signing ceremony into the digital world. Like any biometric signature system, these "Dynamic signatures" require a hardware device for signature capturing and a software which is able to combine the signature data, encrypt it and allows to detect later manipulation by creating a hash value.

At the time when the first versions of electronic signature laws were created in the mid 90s this sort of technology was almost unknown. In 1999 the European Directive about a framework for electronic signatures opened a broader technological approach to electronic signatures. Law makers are gradually reflecting "biometric signatures" now as well.

Many digitized handwritten signatures today are taken at a low resolution. One example is the capture devices that courier services are using. They capture a rather pixellated image of a signature that is usually not applicable for a later verification. Signatures taken on these devices may easily be claimed to be a forgery. Non-repudiation can only be achieved when the biometric characteristics of a signature are captured too, and when this information is securely bound to the signed document. The additional verification of dynamic signals offers a higher level in security. A signature with a similar image like the reference signature may be detected as falsification because differences in their creation characteristics are discovered.

In order to understand what is necessary to trust a signature it is important to keep in mind that forensic experts rely on the holistic analysis of signatures, i.e. they look at and take into account the paper features, type of stylus, the ink flow and "visible" pressure. Most forensic experts exposed to the analysis of dynamic signatures tend to forget to apply the same principles. The equivalent holistic approach for dynamic signatures must take into account which device was used for signature capture, the device features and maybe even the signing environment and the co-relations to the signing process.

Handwritten signatures may be digitized during the signing process instead of scanning them from paper using a wide range of instruments: pen pads (with and without LC display), special pens and Tablet PCs. They allow a gradual move from paper-based documentation to electronic forms and straight-through-processing as well as upgrading the quality of signature verification in general. A proper comparison of static signature characteristics and dynamic signature signals requires a digitizing instrument that is taking a sufficient amount of time signals.

Technological implementations (signature systems)

In practice, many different electronic signature systems find wide use today, for many different purposes. In the broad sense of establishing identity and successful transmission of data, cryptographic signatures (also known as "digital signatures"). Examined here, however, are systems used specifically for verifying the authenticity of a single transmitted message.

E-Sign

0 One of the best examples of widespread use of electronic signature for common contractual purposes is in the Baltics. Estonia, and most recently Latvia, have seen widespread adoption of E-Sign systems by which all citizens are provided with the means to electronically sign agreements.[31]

Mobile phones

Many companies have been aiming to launch applications for mobile phones so that people can sign documents electronically when viewing contracts or other documents on mobiles that support document viewing. On the 13th of December 2013, Icelandic Financial Ministerial signed a contract using a mobile phone.[32] This was also done as a part of Iceland's aim to enforce maximum security when signing documents electronically as mobile phone certification is thought to be one of the most secure methods to sign documents.

See also

Books and journals dealing with the law

Global in scope with an emphasis on case law

Global in scope with an emphasis on regulations

By country

Netherlands

United States of America

Journals on electronic signatures

References

  1. 1 2 Turner, Dawn. "Major Standards and Compliance of Digital Signatures - A World-Wide Consideration". Cryptomathic. Retrieved 7 January 2016.
  2. 1 2 3 JA, Ashiq. "Recommendations for Providing Digital Signature Services". Cryptomathic. Retrieved 7 January 2016.
  3. "Federal Rules of Evidence | Federal Rules of Evidence | LII / Legal Information Institute". Law.cornell.edu. Retrieved 2015-03-06.
  4. "Privacy Issues In Federal Systems: A Constitutional Perspective". Crawls-wm.us.archive.org. Retrieved 2015-03-06.
  5. "The History of Electronic Signature Laws". Isaac Bowman. Retrieved 2015-03-06.
  6. Archived March 16, 2012, at the Wayback Machine.
  7. "UNCITRAL : Model Law on Electronic Commerce with Guide to Enactment 1996" (PDF). Uncitral.org. Retrieved 2015-03-06.
  8. Gabriel, Henry. "The New United States Uniform Electronic Transactions Act: Substantive Provisions, Drafting History and Comparison to the UNCITRAL Model Law on Electronic Commerce" (PDF). International Institute for the Unification of Private Law (UNIDROIT). Retrieved 30 April 2011.
  9. "UNCITRAL : Model Law on Electronic Signatures with Guide to Enactment 2001" (PDF). Uncitral.org. Retrieved 2015-03-06.
  10. "Status". Uncitral.org. Retrieved 2015-03-06.
  11. 1 2 "Public Law 106-229 : June 30, 2000 : Electronic Signatures in Global and National Commerce act" (PDF). Frwebgate.access.gpo.gov. Retrieved 2015-03-06.
  12. "Biddle Law Library: Library: • Penn Law". Law.upenn.edu. Retrieved 2015-03-06.
  13. 1 2 Archived January 15, 2011, at the Wayback Machine.
  14. Archived May 6, 2011, at the Wayback Machine.
  15. "Chapter 19.34 RCW: WASHINGTON ELECTRONIC AUTHENTICATION ACT". Apps.leg.wa.gov. Retrieved 2015-03-06.
  16. "5 ILCS 175/ Electronic Commerce Security Act". Ilga.gov. 2003-10-17. Retrieved 2015-03-06.
  17. Archived June 5, 2011, at the Wayback Machine.
  18. "Directive 1999/93/EC of the European Parliament and of the Council : Electronic signatures" (PDF). Eur-lex.europa.eu. Retrieved 2015-03-06.
  19. "Electronic Signatures in Global and National Commerce Act ("ESIGN")". Isaac Bowman. Retrieved 2015-03-06.
  20. "MPEP §501". USPTO Manual of Patent Examining Procedures (MPEP).
  21. Mehta v J Pereira Fernandes, EWHC 813 (Ch) (English High Court 2006).
  22. Abbiati, Paul (19 October 2006). "When can an email be accepted as an official signature?". Supply Management.com. Retrieved 7 May 2011.
  23. Mason, Stephen (2012). Electronic Signatures in Law (3 ed.). Cambridge University Press. 229-245. ISBN 9781107012295.
  24. Archived September 27, 2011, at the Wayback Machine.
  25. Archived June 26, 2012, at the Wayback Machine.
  26. "FIPS PUB 186-4: Digital Signature Standard (DSS)" (PDF). http://nvlpubs.nist.gov/. National Institute of Standards and Technology. Retrieved 7 January 2016. External link in |website= (help)
  27. "REGULATION (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". http://eur-lex.europa.eu/. THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. Retrieved 7 January 2016. External link in |website= (help)
  28. "Welcome to The OpenPGP Alliance". OpenPGP Alliance. Retrieved 7 January 2016.
  29. Turner, Dawn. "What is a Digital Signature - What It Does, How It Works". Cryptomathic. Retrieved 7 January 2016.
  30. Matsumoto (2002). "Impact of artificial gummy fingers on fingerprint systems". Proceedings of SPIE. pp. 275–289. CiteSeerX: 10.1.1.100.8172.
  31. "Everyone to use e-signature in two years | Baltic News Network - News from Latvia, Lithuania, Estonia". Bnn-news.com. 2011-08-09. Retrieved 2015-03-06.
  32. "Bjarni undirritaði með símanum". mbl.is. 2013-12-13. Retrieved 2015-03-06.

External links

Wikibooks has a book on the topic of: Legal and Regulatory Issues in the Information Economy
This article is issued from Wikipedia - version of the Wednesday, May 04, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.