Published: Fri, 02 Feb 2018
Electronic Signatures Dissertation
ELECTRONIC SIGNATURES – The Electronic Signature Regulations in the UK are Expected to Provide a Framework Which Will Increase the Use of Electronic Signatures and Ensure the Installation of Practical Electronic Certification Systems. However, Given the Speed at which Technological Solutions Evolve, the UK Legislation Will Have to Follow Such Developments Closely, with a View to Keeping the Relevant Codes and Ordinances Up To Date. Is the Legal Framework that has been Developed in the UK to Regulate Electronic Signatures a Positive Development?
Section 1 Introduction
1.1 Aim and Objective
The aim of this thesis is to discuss and explore the legal implications of digital signatures. The thesis will look at whether the electronic signature regulations in the UK are expected to provide a framework which will increase the use of electronic signatures and ensure the installation of practical electronic certification systems. It will also consider the speed at which technological improvements and systems are occurring. Finally, it will consider whether the legal framework that has been developed in the UK to regulate electronic signatures is a positive development, or whether it is perceived as negative and as a development that brings with it as many problems as it solves. This will be achieved by looking at the domestic, European and international legislation that is in place and its implications. The thesis also explores the security issues associated with electronic signatures, the issues raised in relation to identity, and both the technological and legal limitations of digital signatures.
1.2 Introduction to Electronic Signatures
Handwritten signatures have always been generally accepted as giving sufficient certainty as to the signatory's identity for a great many transactions. Handwritten signatures serve two main purposes, authentication and integrity, and electronic signatures seek, by various technological means, to achieve the same level of authentication and integrity. This is achieved successfully in most instances, and digital signatures appear to be becoming an alternative to the more traditional handwritten signature, if not a suitable replacement.
Under both the European Directive and the UK ECA, an "electronic signature" is defined generally as data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication. This might include, for example, typing your name at the end of an email sent from an identifiable email address.
This considered, it is also evident that digital signatures bring with them a whole host of new difficulties in relation to data protection, security and the advancement of technology. Reliance on digital signatures alone causes concern because a key pair may be created by an individual who then fraudulently represents the key pair as belonging to another person or entity. This is partly addressed through verification by a certificate authority. A certificate authority is a trusted third party (e.g. the post office or a bank) that will satisfy itself as to the identity of an individual or company, for example by checking an individual's passport or driving licence details, or a company's corporate documents and returns. The certificate authority will then issue a digital certificate signed with its own digital signature, which the user attaches to its own digital signature as proof of identity.
The Law Commission’s report “Electronic Commerce: Formal Requirements in Commercial Transactions” sought to address some of the limitations that exist in relation to digital signatures and considered whether or not various forms of electronic communications satisfy the current definitions of the terms “writing”, “signature” and “document” under the current laws of England and Wales. The Law Commission concluded that the current laws sufficiently dealt with these issues although they did highlight some difficulties in relation to some forms of electronic data.
As technology and globalisation grow, digital signatures have become an essential requirement for business transacted electronically. With the growing use of the internet as an acceptable and indeed standard medium, one does not have to look further than one's own residence to confirm the growing need for electronic signatures; research into this area therefore continues, and it is suggested that it should concentrate on the need to improve security measures.
2.1 What Is An Electronic Signature?
Before defining an electronic signature, it is first important to consider what a signature is. Handwritten signatures have always been generally accepted as giving sufficient certainty as to the signatory's identity for a great many transactions. Handwritten signatures are used for two main purposes: authentication (linking the originator to the information in the signed document) and integrity (showing that the signed document is the one to which the signatory wants to be bound). As Fishley and Hughes point out, "where further certainty is required, signatures can be witnessed or even notarised".
Under both the European Directive and the UK ECA, an "electronic signature" is defined generally as data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication. This might include, for example, typing your name at the end of an email sent from an identifiable email address. The European Directive defines the concept in greater detail than the Electronic Communications Act 2000 and includes the concept of an "advanced electronic signature", which is an electronic signature that is: (i) uniquely linked to the signatory; (ii) capable of identifying the signatory; (iii) created using means that the signatory can maintain under its sole control; and (iv) linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. Conditions (iii) and (iv) are, in practice, what public key digital signatures provide: the signature key is held only by the signatory, and the signature is computed over the data itself, so any later change to the data causes verification to fail.
The International Organization for Standardization (ISO) has defined a digital signature as: "data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery". Quite simply, an electronic signature can be anything attached to or associated with electronic data which serves as a method of authentication. The most straightforward example of an electronic signature is a name at the end of an email sent from an identifiable email address. This was the subject of discussion in England and Wales in Hall v Cognos Ltd, in which the chairman of the tribunal determined that a name typed into an email was a form of signature. As Mason points out, "although no relevant case law was mentioned in this instance, the decision was consistent with decisions made by judges since the seventeenth century, illustrating that the function of a signature overrides the form it takes".
Other methods of creating an electronic signature include clicking an "I accept" or "I agree" icon. When buying goods or services online, or when installing software on a computer for the first time, the buyer is very often required to click on an "I accept" icon, and this action satisfies the function of a signature. Even if clicking on an icon to order goods or services is deemed less secure than a manuscript signature, it does not follow that the lower reliability of the signature affects its validity.
There are also products which enable a person to produce a digital version of their manuscript signature. The signatory writes their manuscript signature using a special pen and pad. The signature is reproduced on the computer screen, and a series of measurements record the speed, rhythm, pattern, habit, stroke sequence and dynamics that are unique to the individual when they write their signature. The resulting file can then be attached to any document in electronic format to provide a signature.
A manuscript signature can also be scanned from the paper carrier and transformed into digital format, and the image then attached to a document. This version of a signature is used widely in commerce, especially when marketing materials are sent through the postal system to hundreds of thousands of addresses.
To create more complex and robust methods of electronic signature, cryptography is used. Cryptography uses algorithms (mathematical transformations), a simple example of which would be a rule saying "move every letter one place along in the alphabet". Applying this encryption algorithm to the word "car" would produce the encrypted word "dbs". Of course, the algorithms used in practice are far more complex than this and are designed so that recovering the message without the key is computationally infeasible. The two main forms of cryptography used are "symmetric" and "asymmetric" cryptography.
"Symmetric cryptography" uses a single secret key: a message is encrypted with that key under a mathematical algorithm and can only be decrypted (i.e. read) using the same key. The key can be held in many forms, including in software or on a smart card, and the encrypting and decrypting parties must both keep it confidential. Although fast and, with a well-chosen key, very strong for keeping a message confidential, symmetric cryptography is a poor basis for signatures: because both parties hold the same key, either of them could have produced the authenticator, so it cannot prove to a third party which of them did. Nor is it always practicable, as Fishley and Hughes point out: "e-commerce traders will either share one private key with all of its customers/suppliers or will need to have multiple private keys for each of its customers/suppliers".
"Asymmetric cryptography" differs from symmetric cryptography in that it uses a pair of keys, a "public key" and a "private key". Suppose A wants to send a message to B. B publishes his public key on the internet and keeps his private key secret. When A wants to send a message securely to B, she obtains B's public key from the internet and encrypts her message with it. Upon receipt, B decrypts the message using his private key, and only B can do so. This does not, however, give B any assurance that it was A who sent the message, since B's public key is public and anyone could have used it. If, however, the scenario is applied in reverse, B is able to sign his messages electronically. For example, if B encrypts a message using his private key and sends it to A, A will be able to decrypt the message using B's public key and will know that the message came from B, since only B knows his private key. Further, the key pairs can be used together: where A and B have both published their public keys, A may encrypt her message with her private key and then encrypt the result again using B's public key. The resulting message can only be read by B who, to do so, must decrypt first with his own private key and then with A's public key. This way B knows both that the message was a confidential communication and that it was signed by the holder of the private key matching A's published public key. Two qualifications apply to this textbook picture. First, real signature schemes do not encrypt the whole message with the private key: the signer computes a fixed-length hash (digest) of the message and signs that, and the short signature travels alongside the plaintext. Second, what B actually learns is that the signature was made with the private key matching a particular public key; whether that public key really belongs to A is a separate question, addressed below.
Reliance on digital signatures can create some concerns, as a key pair may be created by an individual who then fraudulently represents the key pair as belonging to another person or entity. This can be addressed through verification by a certificate authority (discussed in more detail later). A certificate authority is a trusted third party (e.g. the post office or a bank) that will satisfy itself as to the identity of an individual or company.
2.2 Are Digital Signatures Needed?
To consider whether digital signatures are needed it is important to consider electronic contracts over the internet and electronic transactions legislation, to determine in exactly which circumstances an electronic signature may be used. With the growing use of the internet as an acceptable and indeed standard medium, one does not have to look further than one's own residence to confirm the growing need for electronic signatures as a means of verification for transactions.
The internet provides four ways by which businesses and individuals may enter into electronic contracts. The first of these is email. Email allows a person to send an electronic message to another person or group of people. To create an email message, the sender types a message and the sender's computer network breaks it into streams of packets which (on a dial-up connection) are modulated into analogue tones. The tones are carried over communications links (usually telephone lines) to the recipient's computer network, which reassembles them into the message. E-mail often contains personal messages and communications which require authentication and verification, and a digital signature is one method of ensuring that such messages are verified and authenticated.
The second type of communication is that facilitated by the World Wide Web. Businesses can establish websites for the purpose of selling goods and services; these websites may include advertisements for goods and services and details of how customers may order or purchase them. Pitiyasak offers the example of the www.amazon.com site. This website advertises many products, such as books, and invites customers to make a purchase offer by completing a form on the website. This form incorporates the customer's credit card details. Amazon verifies the credit card details and claims payment of the agreed amount from the bank or the credit card company.
The third example of where electronic signatures may be necessary is where businesses use electronic data interchange ("EDI") to form electronic contracts. EDI can be defined as "computer-to-computer transmission of data in a standardised format". EDI allows organisations to exchange documents over either the internet or their own private network. Private-network EDI is often utilised by larger organisations when purchasing goods, whereas smaller businesses and individuals often prefer EDI over the internet because of the reduced cost. There are two methods of document exchange: either through web-based forms for recording EDI, or by email for EDI transmissions to partners.
The final example is where individuals use chat-rooms to form electronic contracts. Chat-rooms are electronic fora where individuals congregate at the same time to have real-time conversations. Once an individual types a short message, the message is sent from that individual's computer through the communications lines to the chat-room network. The network adds the message to an incessant stream of messages that are instantly read and responded to by other individuals in the chat-room. Similar to talking over the telephone or face-to-face, messages sent through a chat-room provide almost instantaneous conversation. However, a message usually appears and is gone within a minute, and so no message is saved.
The usefulness of a digital signature depends on the fact that the unique signature key used to make it is associated with a unique verification key. The verification key is used by a second algorithm, the verification algorithm, whose inputs are the text which purports to have been signed, the signature, and the verification key. The output is either a confirmation that the text or file was signed by the corresponding signature key, or a statement that no such confirmation can be given. The process again requires a computer, but is wholly straightforward.
The signature key and the verification key are related to one another mathematically, but if they are large enough it is computationally infeasible to derive the signature key from the verification key, even under generous assumptions about present or foreseeable computing resources. It follows that a verification key can be provided to those who wish to verify a signatory's digital signatures, or can indeed be published at large, without thereby revealing the signature key. The software that implements the signature and verification algorithms will normally also implement the functions necessary to enable the user to generate a signature key and its associated verification key. Users could obtain key pairs from a third party, but doing so introduces an unnecessary reliance on the security of the third party's procedures (the third party would have handled the signature key) to no discernible advantage.
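The signing and verification process described in the two paragraphs above, as an added example in Go that is not part of the dissertation. It uses ECDSA on the P-256 curve and SHA-256 from Go's standard library; the contract text is constructed sample input. It shows the three inputs to verification (the text, the signature and the published verification key) and the two failures that matter in practice: an altered document, and a signature made with someone else's signature key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// Document is constructed sample input for the example.
var Document = []byte("Contract: A agrees to sell 100 widgets to B for GBP 1,000.")

// GenerateSigningKey creates a fresh ECDSA key pair on the P-256 curve.
// The private half is the "signature key"; the embedded public half is the
// "verification key" that can be published.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PublishVerificationKey encodes only the public key as PEM, which is what a
// signatory hands out or posts. The private key never leaves the signer.
func PublishVerificationKey(priv *ecdsa.PrivateKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// Sign hashes the document with SHA-256 and signs the digest. Real schemes
// sign a fixed-size digest rather than the message itself, so the signature
// is a short value carried alongside the document, not an encrypted copy.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest from the text as received and checks the
// signature against the published verification key. It takes the PEM form so
// that the relying party works from exactly what was published.
func Verify(pubPEM string, doc, sig []byte) bool {
	block, _ := pem.Decode([]byte(pubPEM))
	if block == nil {
		return false
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	signer, _ := GenerateSigningKey()
	impostor, _ := GenerateSigningKey()
	pubPEM, _ := PublishVerificationKey(signer)
	sig, _ := Sign(signer, Document)
	fmt.Println("genuine document, genuine key:", Verify(pubPEM, Document, sig))

	// Integrity: change a single byte of the signed text (GBP 1,000 -> 1,009).
	tampered := append([]byte(nil), Document...)
	tampered[len(tampered)-2] = '9'
	fmt.Println("altered document:", Verify(pubPEM, tampered, sig))

	// Authentication: a signature made with another key does not verify.
	forged, _ := Sign(impostor, Document)
	fmt.Println("signature by a different key:", Verify(pubPEM, Document, forged))
}
```

Note that the verifier needs nothing secret: everything it uses is either public (the key) or sent with the message (the text and signature), which is exactly why the verification key can be published at large.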
2.3 What Are The Technical and Legal Limitations of Digital Signatures?
The Law Commission published a report in December 2001 entitled "Electronic Commerce: Formal Requirements in Commercial Transactions", in which it considered the legal limitations of digital signatures and whether various forms of electronic communication satisfy the current definitions of the terms "writing", "signature" and "document" under the laws of England and Wales.
The main issue considered was the extent to which reform of the statute book is required to enable contracts to be concluded satisfactorily by digital signature, which in turn raises some of the legal limitations of digital signatures. The Law Commission's conclusion was that no reform was required. Its rationale can be sub-divided into four main categories. The first deals with writing. The Law Commission concluded that both e-mail and website trading will generally satisfy the Interpretation Act definition of "writing" and the functions of writing, because they are visible to the relevant parties as the Interpretation Act definition requires. It was of the view, however, that EDI may not, since data exchanged directly between computers is not visible to the relevant party.
Secondly in relation to signatures, the Law Commission came to the conclusion that digital signatures, scanned manuscript signatures, typing one’s name (or initials) and clicking on a website button are all methods of signature which are generally capable of satisfying a statutory signature requirement. The rationale for this conclusion was formed on the basis that it is function, rather than form, which is determinative of the validity of a signature and that these methods are all capable of satisfying the main aim of demonstrating and authenticating intention.
Thirdly the Law Commission considered the concept of a document. The Law Commission concluded that there is a consensus that information stored in an electronic form can be considered to be a “document” and therefore would satisfy a statutory requirement for a document.
Finally, the Law Commission acknowledged that e-mail, website trading and electronic signatures are not universally accepted, and recognised the difficulties which the lack of consensus presents when considering whether reform of the statute book is required and, if so, how it should be approached; its final conclusion was nonetheless that reform was not necessary. As Fishley and Hughes point out, although the Law Commission's views are not binding on the courts, the report adds further weight to the validity and enforceability of online transactions.
The use of electronic signatures also creates a number of technical difficulties. Electronic signatures created using the public key cryptography process described above are often referred to as "digital signatures". One problem with such digital signatures is that they do not guarantee that the person claiming to be A and publishing A's public key is in fact A (the key may have been forged, stolen or created under a fictitious identity). For example, if you go to an online bookstore, you may be encouraged to take and use the public key from the bookstore's website. In doing so there is no certainty that the bookstore claiming to be "XYZ Books" is in fact XYZ Books and has not been set up as a sham operation to attract your custom. This is where certification authorities come into play. If XYZ Books wished to provide certainty of its identity, it could procure a digital certificate from a trusted third party certification authority. The authority would verify the identity of XYZ Books (for example, by checking corporate documents and returns) and then issue a digital certificate, signed with the certification authority's own digital signature, which binds the name "XYZ Books" to that public key. If you had doubts about the identity of the certification authority, its digital signature could in turn be verified against a certificate issued by another certification authority. That chain must, however, end at an authority whose verification key the relying party already holds and trusts (a "root"); otherwise the question of identity is merely deferred one step.
3.1 The Problem With Identity
As discussed above, reliance on digital signatures alone causes concern because a key pair may be created by an individual who then fraudulently represents it as belonging to another person or entity. This is addressed through verification by a certificate authority: a trusted third party (e.g. the post office or a bank) that satisfies itself as to the identity of an individual or company, for example by checking an individual's passport or driving licence details, or a company's corporate documents and returns. The certificate authority then issues a digital certificate signed with its own digital signature, which the user attaches to its own digital signature as proof of identity.
A certificate authority is a trusted entity that provides information about the identity of a key holder in the form of an authenticated key certificate. The position of a certificate authority can be compared to that of the DVLA, which issues driving licences and is generally accepted as a trustworthy means of personal identification. All electronic certificates are digitally signed by the certificate authority with its private key. Provided the certificate authority keeps that private key secure, forging a certificate is computationally infeasible. What the signature cannot prevent is the authority itself being deceived into issuing a genuine certificate to the wrong applicant, which is why the identity checks described above matter as much as the cryptography.
A certificate can be distributed in more than one way. It can be handed to the holder of the signature key, who is then responsible for distributing it to whoever needs it. This approach is preferable to publishing the certificate on a website. Either way, a certificate contains only the public verification key and the authority's signature over it, so distributing it reveals nothing secret; the private key is never distributed at all.
The use of electronic signatures poses significant problems in relation to identity. Paper-based means of making and keeping records involve manual signatures, and means of verification such as stamping remain the predominant way of executing official acts. Typical examples of paper-based rules are formalistic legal requirements favouring paper documents and hand-written signatures, or archiving rules demanding the storage of valuable information on paper. Such rules can be found in diverse national, international and supranational legal frameworks.
Traditionally, a hand-written signature is a sufficient authentication tool. By signing a paper document the maker identifies himself as its author, affirms its integrity and indicates an intention to be bound by its content; the Electronic Communications Act 2000 allows an electronic signature to serve the same purposes. The procedure of signing also entails the possibility of reflection, serves as a caveat, and confirms that the information has been given a final shape. Distinctive marks may be coded into the information itself in order to identify the source and to authenticate the contents. Many forms of digital authentication are now used: something the user knows, such as a password or PIN code; encryption techniques, such as digital signatures, which depend on something the user holds (the private key); and biometric identification, such as fingerprints or voice recognition. These techniques are commonly combined, so that compromise of one factor alone is not enough, giving a higher level of security.
Finally, identification raises concerns in relation to data protection. The European Directive requires general compliance with the Data Protection Directive (95/46/EC). The Electronic Signatures Directive also requires Member States to ensure that service providers issuing certificates to the public collect personal data only directly from the data subject, or with the data subject's explicit consent, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate.
3.2 The Use of Identification
It is important to understand how certification works in order to appreciate the use of identification under the concept of digital signatures.
Digital certificates, which bind a signatory's verification key to a checked identity, are issued by bodies known as certification authorities (CAs).
The application process for digital certificates varies according to which certification authority issues the certificate and the level of certificate applied for. At the lower levels, a certificate cannot really confirm that a person is who they say they are, as the application is made online without stringent identity checks; these low-level certificates are, for all intents and purposes, only good for secure email. Higher-level certificates require an individual to submit documentary evidence of identity in person, where the information is verified. This verification takes place either at the premises of the certification authority or at a Local Registration Authority (LRA): offices spread around the country where individuals or businesses can show the documents that prove their identity. For example, an individual may show a passport or driving licence, whereas a business may be required to show utility bills and proof that the individual is linked to that business.
Section 1 of the Electronic Communications Act 2000 provides for a Government register of approved certification authorities, that is, those CAs that conform to basic operational standards. This section has not been brought into force, and so no register has yet been set up. Article 3(2) of the European Directive allows Member States to introduce or maintain voluntary accreditation schemes; in the UK this has taken the form of the industry-led tScheme, which ensures that CAs approved under the scheme comply with certain operational standards.
Identification is a problematic issue in any medium. It can certainly be suggested that identification causes no more problems for electronic means than it does for traditional handwritten means. It can be argued that it is easier to steal someone's identity by copying their handwritten signature than by stealing an electronic one, since the latter requires obtaining a private key that the signatory keeps under sole control. This is perhaps best demonstrated by the introduction of chip and PIN for debit and credit cards as an alternative to signing for purchases. The problem that arises with identification for electronic signatures is the number of people that become involved (applicants, registration authorities, certification authorities and relying parties); this increases both the margin for error and the number of people who could potentially be involved in fraudulent activity. Identity is of paramount importance in business, commercial and consumer transactions, and its protection should be the most important consideration in any discussion of, or reform relating to, digital signatures.
3.3 Liability of Certificate Authority
There are situations in which the revocation of an electronic certificate may become necessary. Where a certificate authority receives a request to invalidate or suspend a certificate, it is required to act as soon as possible after the request has been made. Invalidation or suspension of a certificate normally occurs in emergency situations, such as when a subscriber has lost control of a private key (for example because it has been stolen or otherwise compromised), since every signature made with that key after the loss would otherwise verify as the subscriber's. The liability of certification-service providers is regulated in part by the Electronic Signatures Regulations 2002, which came into force on 8 March 2002. These regulations relate to the supervision of certification-service providers (CSPs), the regulation of their operation, the imposition of liability and particular data protection requirements on the CSP.
A certificate authority is required to revoke or suspend a certificate without the subscriber's consent if:
- a material fact represented in the certificate is false;
- a material prerequisite to issuance of the certificate was not satisfied; or
- the certificate authority's private key was compromised in a manner materially affecting the certificate's reliability.
A certificate authority must promptly publish notice of the suspension or revocation of a certificate if that certificate was published at the time of issuance; if not, the suspension or revocation must be disclosed to anyone who makes an enquiry.
In the case of revocation, the certificate's serial number is enough to identify it as revoked; the cause of revocation need not be given. A relying party therefore need only compare the serial number in a certificate against the authority's published list. The important role of certificate authorities is reflected in the liabilities imposed on them by the EU Directive on Electronic Signatures of 1999. Article 6 of this Directive requires Member States to ensure that a certification-service provider issuing a qualified certificate to the public is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate, unless the provider proves that it has not acted negligently.
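The certification-authority arrangement described in section 2.3 (a CA checks XYZ Books' identity and signs a certificate for it, which a customer then verifies against the authority it already trusts) and the revocation list just described, as one added example in Go that is not part of the dissertation. It uses only Go's standard library crypto/x509 package; the names "Trusted CA Ltd" and "XYZ Books", the serial number 1001 and the dates are constructed for the example. A self-signed certificate that merely asserts the name "XYZ Books" is rejected because no trusted authority signed it, and once the CA publishes a CRL the serial number alone is enough to identify the certificate as revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Cert pairs a certificate with its holder's private key.
type Cert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Constructed clock values (issue date and the relying party's "now") so that
// the example is deterministic.
var issued, now = time.Date(2018, 2, 1, 0, 0, 0, 0, time.UTC), time.Date(2018, 8, 1, 0, 0, 0, 0, time.UTC)

// Issue has ca sign a certificate for subject, standing in for the CA having
// checked the applicant's identity documents out of band. With ca == nil the
// result is a self-signed CA certificate: a trusted third party vouching for itself.
func Issue(ca *Cert, serial int64, subject string) (*Cert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: issued, NotAfter: issued.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	} else { // a root may sign certificates and CRLs; Go fills in its SubjectKeyId
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Cert{Cert: cert, Key: key}, nil
}

// Rely is the relying party's check: the certificate must chain to a root it
// already trusts and must name the party it expects to be dealing with.
func Rely(root, leaf *x509.Certificate, expected string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if leaf.Subject.CommonName != expected {
		return fmt.Errorf("certificate names %q, not %q", leaf.Subject.CommonName, expected)
	}
	return nil
}

// PublishCRL is the CA's revocation notice: serial numbers only, no reason
// given, signed with the CA's own key so that relying parties can check it.
func PublishCRL(ca *Cert, serials ...*big.Int) ([]byte, error) {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.AddDate(0, 1, 0), RevokedCertificates: revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// IsRevoked verifies the CRL's signature against the issuer before trusting
// its contents, then looks the serial number up.
func IsRevoked(issuer *x509.Certificate, crlDER []byte, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, _ := Issue(nil, 1, "Trusted CA Ltd")
	xyz, _ := Issue(ca, 1001, "XYZ Books")
	sham, _ := Issue(nil, 1, "XYZ Books") // self-asserted: nobody has vouched for it
	fmt.Println(Rely(ca.Cert, xyz.Cert, "XYZ Books"), Rely(ca.Cert, sham.Cert, "XYZ Books"))
	crl, _ := PublishCRL(ca, xyz.Cert.SerialNumber)
	fmt.Println(IsRevoked(ca.Cert, crl, xyz.Cert.SerialNumber))
}
```

The order of checks in IsRevoked is deliberate: a CRL is itself a signed statement by the authority, so a relying party verifies its signature before acting on its contents, otherwise anyone could publish a list "revoking" a competitor's certificate.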
The related information requirements imposed on providers of information society services by Article 5 of the E-Commerce Directive (2000/31/EC) are as follows:
- A person providing an information society service shall make available to the recipient of the service and any relevant enforcement authority, in a form and manner which is easily, directly and permanently accessible, the following information:
  - the name of the service provider;
  - the geographic address at which the service provider is established;
  - the details of the service provider, including his electronic mail address, which make it possible to contact him rapidly and to communicate with him in a direct and effective manner;
  - where the service provider is registered in a trade or similar register available to the public, details of the register in which the service provider is entered and his registration number, or equivalent means of identification in that register;
  - where the provision of the service is subject to an authorisation scheme, the particulars of the relevant supervisory authority;
  - where the service provider exercises a regulated profession:
    - the details of any professional body or similar institution with which the service provider is registered;
    - his professional title and the member State where that title has been granted;
    - a reference to the professional rules applicable to the service provider in the member State of establishment and the means to access them; and
  - where the service provider undertakes an activity that is subject to value added tax, the identification number referred to in Article 22(1) of the sixth Council Directive 77/388/EEC of 17 May 1977 on the harmonisation of the laws of the member States relating to turnover taxes – Common system of value added tax: uniform basis of assessment.
- Where a person providing an information society service refers t