On 13 December 1999 the European Parliament passed Directive 1999/93/EC on a Community framework for electronic signatures in e-commerce. It is due to be implemented in the UK by 19 July 2001. The declared aim of the Directive ‘is to facilitate the use of electronic signatures and to contribute to their legal recognition’. The Directive establishes a legal framework for electronic signatures and certain certification services in order to ensure the proper functioning of the European on-line internal market.

The Validity Of E-Contracts

At the heart of the Directive is the issue of the legality of e-contracts and, accordingly, there is a need to establish a legal basis to them. A large part of that legal basis is the recognition that needs to be afforded to electronic signatures and the need to have properly constituted certification authorities.

The Need for Digital Signatures [1]

Until recently, most B2B electronic transactions were conducted fairly satisfactorily through closed networks known as ‘electronic data interchange’ or EDI. However, with the unbridled growth of the Internet there has arisen an intricate net of business operations involving a multitude of participants, to the extent that the EDI system has to give way to an open system, which is the Internet itself. In order for it to work effectively, trust and confidence between the participants are essential. One must know who one is dealing with over the net and must be sure that the other party is indeed who he says he is! It is necessary, therefore, to employ secure technologies like digital signatures and to establish consistent legal regimes to underpin their use.

How Digital Signatures Must Work

In order for digital signatures to work effectively (i.e. to give participants in e-commerce confidence in them), they must not only be able to confirm unequivocally the identity of the other party, but also authenticate the e-document and bear out its integrity. In some respects, digital signatures are uniquely verifiable and cannot be repudiated. This is because on a ‘computer-to-computer’ basis, ‘digital handshakes’ can ensure that the parties are who they say they are.

The Problem With Digital Signatures

However, digital signatures are subject to a fatal flaw: they can be subjected to what is known as ‘signature stripping’. A digital document is nothing more than a series of bits that can be read by a computer and then converted into human-readable language. A digital signature is just one more such series of bits, which can easily be stripped off and displaced. Accordingly, it cannot adhere to a digital document in the same way as a traditional signature can to a ‘paper-based’ document. One solution to this would be to encrypt the digitally signed document. However, this cannot be done everywhere, because in some countries it is illegal to do so in view of confidentiality legislation. Thus, the only real solution is to employ independent trusted third parties acting as a conduit, with whom digital documents can first be lodged. They will then time stamp the information and relay it with their verification certificates, by reference to apparatus such as public ‘keys’. In this way the integrity of the entire message, which includes the digital signature, can be borne out, and the trusted third party plays a role equivalent to that of a notary public.

This is the approach that the Directive has taken. It can accommodate certification by reference to a public key and, beyond that, the provision of a complete digital notary service by time stamping and e-archiving.

Electronic Signature Defined

Article 2 defines two types of electronic signatures. First, ‘electronic signature’ is defined as ‘data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication’. Second, and more importantly, ‘advanced electronic signature’ is defined as meaning an electronic signature which meets the following requirements:

  1. it is uniquely linked to the signatory;
  2. it is capable of identifying the signatory;
  3. it is created using means that the signatory can maintain under his sole control; and
  4. it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

This definition does meet the avowed aim of the Directive to be ‘technology neutral’. This is because, even though the predominant technology that exists today revolves around ‘public key’ certification, provision must be made for the employment of other technology in the future. Eventually, a variety of authentication mechanisms will develop, and the Directive ought not, therefore, to be tied to digital-signature-based ‘public key’ certification. Thus, this definition accommodates future technological improvements without restricting itself to ‘public key’ certification.

‘Public Key’ Certification

The public key certification system works with the maker of an e-document digitally signing it by employing a secret private key. The signature can then be verified by reference to a public key by a trusted third party, which will then issue a verification certificate. The object of the exercise is the identification of the signatory by his possession of the secret private key. The trusted third party verification is central to the public key system because it ensures that the public key really belongs to the appropriate person. It can guarantee the relationship between the party and the public key.
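The mechanism described in this section and the four requirements of Article 2 above, as an added example in Go that is not part of the original article: the signatory signs with a private key only he controls, anyone can verify against the public key, any change to the data breaks verification, and a trusted third party seals document, signature and time stamp together so that a stripped or swapped signature is detectable. Ed25519 as the signature scheme and the simple NotaryRecord layout are assumptions made for this example, not anything the Directive prescribes.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
)

// SignedDocument: the document, the signatory's detached signature and the public key that a certificate binds to the signatory.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// NotaryRecord: the lodged document plus the trusted third party's time stamp and its seal over the whole bundle (assumed layout).
type NotaryRecord struct {
	Doc       SignedDocument
	Timestamp uint64
	NotarySig []byte
}

// Sign produces the signatory's signature over the content with a private key only the signatory controls.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{content, ed25519.Sign(priv, content), priv.Public().(ed25519.PublicKey)}
}

// Verify succeeds only if the content is unchanged and was signed by the holder of PublicKey.
func Verify(d SignedDocument) bool {
	return ed25519.Verify(d.PublicKey, d.Content, d.Signature)
}

// sealBytes binds content, signature, key and time stamp into the message the notary signs, so stripping or altering any field invalidates the seal.
func sealBytes(d SignedDocument, ts uint64) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], ts)
	out := append([]byte{}, d.Content...)
	out = append(out, d.Signature...)
	out = append(out, d.PublicKey...)
	return append(out, t[:]...)
}

// Notarize is the third party's step: time stamp the lodged document and sign the bundle.
func Notarize(notaryPriv ed25519.PrivateKey, d SignedDocument, ts uint64) NotaryRecord {
	return NotaryRecord{d, ts, ed25519.Sign(notaryPriv, sealBytes(d, ts))}
}

// VerifyNotarized checks the signatory's signature and the notary's seal together.
func VerifyNotarized(r NotaryRecord, notaryPub ed25519.PublicKey) bool {
	return Verify(r.Doc) && ed25519.Verify(notaryPub, sealBytes(r.Doc, r.Timestamp), r.NotarySig)
}
```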

Certification-Service-Providers

The Directive requires that Member States establish certification service providers which will issue certificates or provide other services (e.g. digital notary services) related to electronic signatures. In regulating this service, Member States are entitled to opt for voluntary accreditation schemes. However, they must ensure that an appropriate system is established to allow for supervision of certification-service-providers which issue certificates of authentication. These are called ‘qualified certificates’ and are really digital attestations which link the signature verification device to a person, thereby confirming his identity.

Secure Signature-Creation Devices

The Directive gives legal effect to electronic signatures provided they are created by the so-called ‘secure signature-creation devices’. Such devices, among other things, must employ appropriate technology to ensure that the signature generation is kept secret, occurs only once, is protected from forgery, and protects the legitimate signatory against use by others.

Legal Effect & Admissibility Of Electronic Signatures

Article 5.1 requires that Member States must ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature-creation device are treated on a par with hand-written signatures on paper-based data and are made admissible as evidence in legal proceedings. It appears that Article 5.1 merely provides a threshold on the restrictions which can be applied in order for electronic signatures to have legal effect, so the pre-conditions envisaged for legal effect can be lower than this. Moreover, Article 5.2 ensures that electronic signatures are not denied legal effect solely on the grounds that they are in electronic form, are not based on a qualified certificate, that the certificate is not issued by an accredited certification-service-provider, or that they were not created by a secure signature-creation device.

Accordingly, it is possible for the UK to opt (to ensure cost-effectiveness) not to make it compulsory for electronic signatures to be made by secure signature-creation devices or to be accompanied by qualified certificates in order to have legal effect.

It is worth noting that under section 7 of the Electronic Communications Act 2000 electronic signatures and their related authentication certificates have already been made admissible as evidence under certain circumstances. However, Article 5.1 of the Directive goes beyond mere admissibility and extends, among other things, to ‘legal effect’. Accordingly this must be accommodated in future legislation or section 7 must be amended.

Liability Of Secure-Certification-Service-Providers

The liability of secure-certification-service-providers is outlined in Article 6 of the Directive. Even though Article 6 appears to re-state the requirements for the common law tort of negligence, the burden of proof is reversed as against such providers in that they must prove they have ‘not acted negligently’. Accordingly, legislation would be required in this area as well.

Government Dealings With Citizens

Article 3.7 specifically allows Member States to make ‘additional requirements’ for the use of electronic signatures in the public sector. This takes into account the fact that government dealings with citizens can be particularly sensitive. However, it does not appear that anything above and beyond the threshold requirements for ‘advanced electronic signatures’ needs to be legislated for, since the requirements of qualified certificates and secure signature-creation devices appear to be more than adequate for these purposes.

Conclusion

This Directive, while not solving all the problems inherent in the whole question of the security of, and confidence in, the use of electronic signatures in Internet transactions, does go some way towards creating a legal basis within Europe on which consumers, especially, can feel relatively secure that their transactions are secure and can be acted upon to obtain relief if things go wrong, whether by reference to the courts or to ADR methods.

Footnotes

[1] Even though there is a difference between ‘digital’ and ‘electronic’ signatures, in that the former is a sub-set of the latter involving public key cryptography, since the Directive avoids it, the terms will be used interchangeably.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.