Electronic signature
An electronic signature, or e-signature, refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign.[1][2] This type of signature provides the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation it was created under (e.g., eIDAS in the European Union, NIST-DSS in the USA or ZertES in Switzerland).[3][4]
Increasingly, digital signatures are used in e-commerce and in regulatory filings to implement electronic signature in a cryptographically protected way. Standardization agencies like NIST or ETSI provide standards for their implementation (e.g., NIST-DSS, XAdES or PAdES).[3][5] The concept itself is not new, with common law jurisdictions having recognized telegraph signatures as far back as the mid-19th century and faxed signatures since the 1980s.
Description
An electronic signature is intended to provide a secure and accurate identification method for the signatory to provide a seamless transaction. Definitions of electronic signatures vary depending on the applicable jurisdiction. A common denominator in most countries is the level of an advanced electronic signature requiring that:
- The signatory can be uniquely identified and linked to the signature
- The signatory must have sole control of the private key that was used to create the electronic signature
- The signature must be capable of identifying if its accompanying data has been tampered with after the message was signed
- In the event that the accompanying data has been changed, the signature must be invalidated[6]
Electronic signatures may be created with increasing levels of security, with each having its own set of requirements and means of creation on various levels that prove the validity of the signature. To provide an even stronger probative value than the above described advanced electronic signature, some countries like the European Union or Switzerland introduced the qualified electronic signature. It is difficult to challenge the authorship of a statement signed with a qualified electronic signature - the statement is non-reputable.[7] Technically, a qualified electronic signature is implemented through an advanced electronic signature that utilizes a digital certificate, which has been encrypted through a security signature-creating device [8] and which has been authenticated by a qualified trust service provider.[9]
In contract law
Since well before the American Civil War began in 1861, morse code was used to send messages electrically by telegraphy. Some of these messages were agreements to terms that were intended as enforceable contracts. An early acceptance of the enforceability of telegraphic messages as electronic signatures came from the New Hampshire Supreme Court in 1869.[10]
In the 1980s, many companies and even some individuals began using fax machines for high-priority or time-sensitive delivery of documents. Although the original signature on the original document was on paper, the image of the signature and its transmission was electronic.[11]
Courts in various jurisdictions have decided that enforceable electronic signatures can include agreements made by email, entering a personal identification number (PIN) into a bank ATM, signing a credit or debit slip with a digital pen pad device (an application of graphics tablet technology) at a point of sale, installing software with a clickwrap software license agreement on the package, and signing electronic documents online.
The first agreement signed electronically by two sovereign nations was a Joint Communiqué recognizing the growing importance of the promotion of electronic commerce, signed by the United States and Ireland in 1998.[12]
Enforceability
In 1996 the United Nations published the UNCITRAL Model Law on Electronic Commerce.[13] Article 7 of the UNCITRAL Model Law on Electronic Commerce was highly influential in the development of electronic signature laws around the world, including in the US.[14] In 2001, UNCITRAL concluded work on a dedicated text, the UNCITRAL Model Law on Electronic Signatures,[15] which has been adopted in some 30 jurisdictions.[16] The latest UNCITRAL text dealing with electronic signatures is article 9, paragraph 3 of the United Nations Convention on the Use of Electronic Communications in International Contracts, 2005, which establishes a mechanism for functional equivalence between electronic and handwritten signatures at the international level as well as for the cross-border recognition.
Canadian law (PIPEDA) attempts to clarify the situation by first defining a generic electronic signature as "a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document", then defining a secure electronic signature as an electronic signature with specific properties. PIPEDA's secure electronic signature regulations refine the definition as being a digital signature applied and verified in a specific manner.[17]
In the European Union EU REGULATION No 910/2014 on electronic identification and trust services for electronic transactions in the European internal market (eIDAS) sets the legal frame for electronic signatures . It repeals Directive 1999/93/EC.[2] The current and applicable version of eIDAS was published by the European Parliament and the European Council on July 23, 2014. Following Article 25 (1) of the eIDAS regulation, an advanced electronic signature shall “not be denied legal effect and admissibility as evidence in legal proceedings". However it will reach a higher probative value when enhanced to the level of a qualified electronic signature. By requiring the use of a qualified electronic signature creation device[18] and being based on a certificate that has been issued by a qualified trust service provider, the upgraded advanced signature then carries according to Article 25 (2) of the eIDAS Regulation the same legal value as a handwritten signature.[2][6] However, this is only regulated in the European Union and similarly through ZertES in Switzerland. A qualified electronic signature is not defined in the United States.[19][20]
The U.S. Code defines an electronic signature for the purpose of US law as "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."[21] It may be an electronic transmission of the document which contains the signature, as in the case of facsimile transmissions, or it may be encoded message, such as telegraphy using Morse code.
In the United States, the definition of what qualifies as an electronic signature is wide and is set out in the Uniform Electronic Transactions Act ("UETA") released by the National Conference of Commissioners on Uniform State Laws (NCCUSL) in 1999.[22] It was influenced by ABA committee white papers and the uniform law promulgated by NCCUSL. Under UETA, the term means "an electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record." This definition and many other core concepts of UETA are echoed in the U.S. ESign Act of 2000.[21] 47 US states, the District of Columbia, and the US Virgin Islands have enacted UETA.[23] Only New York, Washington State, and Illinois have not enacted UETA,[23] but each of those states has adopted its own electronic signatures statute.[24][25][26]
Legal definitions
Various laws have been passed internationally to facilitate commerce by the use of electronic records and signatures in interstate and foreign commerce. The intent is to ensure the validity and legal effect of contracts entered into electronically. For instance,
- PIPEDA (Canadian federal law)
- (1) An electronic signature is "a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document";
- (2) A secure electronic signature is as an electronic signature that
- (a) is unique to the person making the signature;
- (b) the technology or process used to make the signature is under the sole control of the person making the signature;
- (c) the technology or process can be used to identify the person using the technology or process; and
- (d) the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.
- ESIGN Act Sec 106 (US federal law)[27]
- (2) ELECTRONIC- The term 'electronic' means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
- (4) ELECTRONIC RECORD- The term 'electronic record' means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.
- (5) ELECTRONIC SIGNATURE- The term 'electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
- GPEA Sec 1710 (US federal law)
- (1) ELECTRONIC SIGNATURE.—the term "electronic signature" means a method of signing an electronic message that—
- (A) identifies and authenticates a particular person as the source of the electronic message; and
- (B) indicates such person's approval of the information contained in the electronic message.
- UETA Sec 2 (US state law)
- (5) "Electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
- (6) "Electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part, without review or action by an individual.
- (7) "Electronic record" means a record created, generated, sent, communicated, received, or stored by electronic means.
- (8) "Electronic signature" means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
- Federal Reserve 12 CFR 202 (US federal regulation)
- refers to the ESIGN Act
- Commodity Futures Trading Commission 17 CFR Part 1 Sec. 1.3 (US federal regulations)
- (tt) Electronic signature means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
- Food and Drug Administration 21 CFR Sec. 11.3 (US federal regulations)
- (5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.
- (7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.
- United States Patent and Trademark Office 37 CFR Sec. 1.4 (federal regulation)
- (d)(2) S-signature. An S-signature is a signature inserted between forward slash marks, but not a handwritten signature ... (i)The S-signature must consist only of letters, or Arabic numerals, or both, with appropriate spaces and commas, periods, apostrophes, or hyphens for punctuation... (e.g., /Dr. James T. Jones, Jr./)...
- (iii) The signer's name must be:
- (A) Presented in printed or typed form preferably immediately below or adjacent the S-signature, and
- (B) Reasonably specific enough so that the identity of the signer can be readily recognized.[28]
Laws regarding their use
- Australia - Electronic Transactions Act 1999 (which incorporates amendments from Electronic Transactions Amendment Act 2011), Section 10 - Signatures specifically relates to electronic signatures.
- Canada - PIPEDA, its regulations, and the Canada Evidence Act.
- China - Law of the People’s Republic of China on Electronic Signature (effective April 1, 2005)
- Costa Rica - Digital Signature Law 8454 (2005)
- Croatia 2002, updated 2008
- Czech Republic – Zákon o elektronickém podpisu 227/2000 Sb.
- European Union - eIDAS regulation on implementation within the EU is set out in the Digital Signatures and the Law.
- India - Information Technology Act
- Ireland - Electronic Commerce Act 2000
- Japan - Law Concerning Electronic Signatures and Certification Services, 2000
- Mexico - E-Commerce Act [2000]
- New Zealand - Electronic Transactions Act 2002
- Paraguay - Ley 4017: De validez jurídica de la Firma Electrónica, la Firma Digital, los Mensajes de Datos y el Expediente Electrónico (12/23/2010) (Spanish), Ley 4610: Que modifica y amplia la Ley 4017/10 (05/07/2012) (Spanish)
- Peru - Ley Nº 27269. Ley de Firmas y Certificados Digitales (28MAY2000) (Spanish)
- Philippines - Electronic Commerce Act of 2000
- Poland - Ustawa o podpisie elektronicznym (Dziennik Ustaw z 2001 r. Nr 130 poz. 1450) [29]
- Romania - Legea nr. 455 din 18 iulie 2001 privind semnătura electronică
- Russian Federation - Federal Law of Russian Federation about Electronic Signature (06.04.2011)
- Singapore - Singapore Electronic Transactions Act (1998, 2010) [30]
- Slovakia - Zákon č.215/2002 o elektronickom podpise
- Slovenia - Slovene Electronic Commerce and Electronic Signature Act
- South Africa - The Electronic Communications and Transactions Act 25, 2002
- Spain - Ley 59/2003, de 19 de diciembre, de firma electrónica
- Switzerland - ZertES
- Republika Srpska (entity of the Bosnia and Herzegovina) 2005
- Turkey - Electronic Signature Law
- Ukraine - Electronic Signature Law, 2003
- UK - s.7 Electronic Communications Act 2000
- U.S. - Electronic Signatures in Global and National Commerce Act
- U.S. - Uniform Electronic Transactions Act - adopted by 48 states
- U.S. - Digital Signature And Electronic Authentication Law
- U.S. - Government Paperwork Elimination Act (GPEA)
- U.S. - The Uniform Commercial Code (UCC)
Technological implementations (underlying technology)
Digital signatures
Digital signatures are cryptographic implementations of electronic signatures used as a proof of authenticity, data integrity and non-repudiation of communications conducted over the Internet. When implemented in compliance to digital signature standards, digital signing should offer end-to-end privacy with the signing process being user-friendly and secure. Digital signatures are generated and verified through standardized frameworks such as the Digital Signature Algorithm (DSA).[5][31] by NIST or in compliance to the XAdES, PAdES or CAdES standards, specified by the ETSI.[32]
There are typically three algorithms involved with the digital signature process:
- Key generation – This algorithm provides a private key along with its corresponding public key.
- Signing – This algorithm produces a signature upon receiving a private key and the message that is being signed.
- Verification – This algorithm checks for the authenticity of the message by verifying it along with the signature and public key.[33]
The process of digital signing requires that the signature generated by both the fixed message and private key can then be authenticated by its accompanied public key. Using these cryptographic algorithms, the user’s signature cannot be replicated without having access to their private key.[33] A secure channel is not typically required. By applying asymmetric cryptography methods, the digital signature process prevents several common attacks where the attacker attempts to gain access through the following attack methods.[1]
The most relevant standards on digital signatures with respect to size of domestic markets are the Digital Signature Standard (DSS)[31] by the National Institute of Standards and Technology (NIST) and the eIDAS Regulation[2] enacted by the European Parliament.[3] OpenPGP is a non-proprietary protocol for email encryption through public key cryptography. It is supported by PGP and GnuPG, and some of the S/MIME IETF standards and has evolved into the most popular email encryption standard in the world.[34]
Biometric signatures
Electronic signature may also refer to electronic forms of processing or verifying identity through use of biometric "signatures" or biologically identifying qualities of an individual. Such signatures use the approach of attaching some biometric measurement, or hash of said measurement, to a document as evidence. For instance, fingerprints, hand geometry (finger lengths and palm size), iris patterns, or even retinal patterns. All of these are collected using electronic sensors of some kind. Since each of these physical characteristics has claims to uniqueness among humans, each is to some extent useful as a signature method.
Biometric measurements of this type are useless as passwords, as they can't be changed if compromised. However, they might be serviceable as electronic signatures of a kind - except that, to date they have been so easily spoofable that they can carry little assurance that the person who purportedly signed a document was actually the person who did. Unfortunately, each is easily spoofable by a replay of the electronic signal produced and submitted to the computer system responsible for 'affixing' a signature to a document. Wiretapping techniques often suffice for this. In the particular case of fingerprints, a Japanese professor and some graduate students managed to spoof all of the commercially available fingerprint readers available to them with some ordinary kitchen chemistry (gummy bear candy gel) and a little ingenuity. No actual fingers were needed to successfully spoof every reading device.[35] In addition, some German journalists at a CeBit conference were able to fool several iris pattern scanners with improvised masks.
References
- 1 2 Turner, Dawn. "What is a Digital Signature - What It Does, How It Works". Cryptomathic. Retrieved 7 January 2016.
- 1 2 3 4 "REGULATION (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. Retrieved 7 January 2016.
- 1 2 3 Turner, Dawn. "Major Standards and Compliance of Digital Signatures - A World-Wide Consideration". Cryptomathic. Retrieved 7 January 2016.
- ↑ "Federal Rules of Evidence | Federal Rules of Evidence | LII / Legal Information Institute". Law.cornell.edu. Retrieved 2015-03-06.
- 1 2 JA, Ashiq. "Recommendations for Providing Digital Signature Services". Cryptomathic. Retrieved 7 January 2016.
- 1 2 Turner, Dawn M. "Advanced Electronic Signatures for eIDAS". Cryptomathic. Retrieved 7 June 2016.
- ↑ Turner, Dawn M. "Understanding eIDAS". Cryptomathic. Retrieved 7 June 2016.
- ↑ Turner, Dawn M. "QUALIFIED ELECTRONIC SIGNATURES FOR EIDAS". Cryptomathic. Retrieved 7 June 2016.
- ↑ Turner, Dawn M. "Trust Service Providers according to eIDAS". Cryptomathic. Retrieved 23 June 2016.
- ↑ "Privacy Issues In Federal Systems: A Constitutional Perspective". Crawls-wm.us.archive.org. Retrieved 2015-03-06.
- ↑ "The History of Electronic Signature Laws". Isaac Bowman. Retrieved 2015-03-06.
- ↑ Archived March 16, 2012, at the Wayback Machine.
- ↑ "UNCITRAL : Model Law on Electronic Commerce with Guide to Enactment 1996" (PDF). Uncitral.org. Retrieved 2015-03-06.
- ↑ Gabriel, Henry. "The New United States Uniform Electronic Transactions Act: Substantive Provisions, Drafting History and Comparison to the UNCITRAL Model Law on Electronic Commerce" (PDF). International Institute for the Unification of Private Law (UNIDROIT). Retrieved 30 April 2011.
- ↑ "UNCITRAL : Model Law on Electronic Signatures with Guide to Enactment 2001" (PDF). Uncitral.org. Retrieved 2015-03-06.
- ↑ "Status". Uncitral.org. Retrieved 2015-03-06.
- ↑ Archived June 5, 2011, at the Wayback Machine.
- ↑ eIDAS regulation Article 3 (12)
- ↑ Tuner, Dawn M. "Is the NIST Digital Signature Standard DSS legally binding?". Cryptomathic. Retrieved 12 May 2016.
- ↑ Information Technology Laboratory National Institute of Standards and Technology. "FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION (FIPS PUB 186 -4): Digital Signature Standard (DSS)" (PDF). Retrieved 12 May 2016.
- 1 2 "Public Law 106-229 : June 30, 2000 : Electronic Signatures in Global and National Commerce act" (PDF). Frwebgate.access.gpo.gov. Retrieved 2015-03-06.
- ↑ "Biddle Law Library: Library: • Penn Law". Law.upenn.edu. Retrieved 2015-03-06.
- 1 2 Archived January 15, 2011, at the Wayback Machine.
- ↑ Archived May 6, 2011, at the Wayback Machine.
- ↑ "Chapter 19.34 RCW: WASHINGTON ELECTRONIC AUTHENTICATION ACT". Apps.leg.wa.gov. Retrieved 2015-03-06.
- ↑ "5 ILCS 175/ Electronic Commerce Security Act". Ilga.gov. 2003-10-17. Retrieved 2015-03-06.
- ↑ "Electronic Signatures in Global and National Commerce Act ("ESIGN")". Isaac Bowman. Retrieved 2015-03-06.
- ↑ "MPEP §501". USPTO Manual of Patent Examining Procedures (MPEP).
- ↑ Archived September 27, 2011, at the Wayback Machine.
- ↑ Archived June 26, 2012, at the Wayback Machine.
- 1 2 "FIPS PUB 186-4: Digital Signature Standard (DSS)" (PDF). National Institute of Standards and Technology. Retrieved 7 January 2016.
- ↑ Turner, Dawn M. "THE DIFFERENCE BETWEEN AN ELECTRONIC SIGNATURE AND A DIGITAL SIGNATURE". Cryptomathic. Retrieved 21 April 2016.
- 1 2 Turner, Dawn. "What is a digital signature - what it does, how it work". Cryptomathic. Retrieved 7 June 2016.
- ↑ "Welcome to The OpenPGP Alliance". OpenPGP Alliance. Retrieved 7 January 2016.
- ↑ Matsumoto (2002). "Impact of artificial gummy fingers on fingerprint systems". Proceedings of SPIE. pp. 275–289. CiteSeerX 10.1.1.100.8172.
Further reading
- Stephen Mason (2016). Electronic Signatures in Law (4th ed.). Institute of Advanced Legal Studies for the SAS Humanities Digital Library, School of Advanced Study, University of London. ISBN 978-1-911507-00-0.
- Jeremiah S. Buckley, John P. Kromer, Margo H. K. Tank, and R. David Whitaker (2014). The Law of Electronic Signatures. 2014-2015 Edition, Thomson Reuters.
- Stephen Mason (Ed.). Digital Evidence and Electronic Signature Law Review.
External links
Wikibooks has a book on the topic of: Legal and Regulatory Issues in the Information Economy |
- Introduction to cryptography from the PGP international website
- OpenOffice Electronic Signatures and Security specification (ODT format), also in pdf format. Incorporates standards for document format and XML Digital Signatures. Includes a comparison of document signature software and features from Adobe (Acrobat), Microsoft (Word) and Mozilla.
- E-Sign Final Report (2005, European Union)
- 21 CFR Part 11 Electronic Records; Electronic Signatures; Final Rule Electronic Submissions; Establishment of Public Docket; Notice - as published in the Federal Register / Vol. 62, No. 54 / Thursday, March 20, 1997
- Judicial Studies Board Digital Signature Guidelines
- Publication PHARMA IT: E-Signatures Set the Standard
- Dynamic signatures