Whilst the market may be having a crisis of confidence regarding the prospects for e-commerce, the EU and the Government continue apace to develop the legal framework. Most recently, this has resulted in the Electronic Signatures Regulations 2002. These Regulations were made on 13 February 2002 and came into force on 8 March 2002.
The Regulations implement the European Electronic Signatures Directive (1999/93/EC). Critics may say that the Regulations were implemented too late (they were due to have been implemented by 19 July 2001), with too short a consultation period (25 January 2002 to 12 February 2002) and with an unconvincing case as to what they add to English law (as to which, read on).
What is an electronic signature?
The Regulations define an electronic signature as “data in electronic form which are attached to or logically associated with other electronic data which serve as a matter of authentication”. In other words, it’s the on-line equivalent of making your mark or signing your name.
The area of law relating to signatures was rarely visited until e-commerce came along. It was thought to need attention in order to promote confidence in e-commerce, to create trust in those involved in providing signature technology and services and, so far as practicable, to harmonise the law internationally.
The expressions “electronic signature” and “digital signature” are often used interchangeably. However, technologists make a distinction between the two. A digital signature is a type of electronic signature, but an electronic signature is not necessarily a digital signature. An electronic signature could be anything; an e-mail, clicking an “I accept” button on a Web page, a fax. A digital signature involves the use of some form of encryption and password (or “key”) to produce a signature, the authenticity of which is guaranteed. This guarantee is provided by a third party, who will have validated the identity of the signatory and issued him or her with a “certificate”, which can be thought of as an electronic identity card. This third party is referred to in the Regulations as a Certification Service Provider (“CSP”). The nearest equivalent in the world of paper, ink and ribbon is the notary public. The Regulations do not use the expression digital signatures, but instead link electronic signatures with “certificates”.
Electronic signatures and certificates will become increasingly important. They will have particular application within the legal profession in relation, for example, to e-conveyancing, the giving of undertakings and the exchange of contracts.
The legal validity of electronic signatures
The objective of the EU Electronic Signatures Directive was to harmonise the legal acceptance of electronic signatures throughout the EU. The Directive was already partly implemented by the Electronic Communications Act 2000.
Under English common law, any distinctive or personal mark which has been placed by or with the authority of the signatory can be valid (In Re a Debtor [1996] 2 All ER 345). There is no reason under English law to suppose that an electronic signature would be any more or less valid than its pen and ink counterpart. After all, it is just a new method of signing one’s name. However, the manner of the signature is only one aspect; the more crucial issue is the authenticity of the signature. This is for a court to determine based on the available evidence.
Section 7 of the Electronic Communications Act provides for the admissibility in legal proceedings of electronic signatures and related digital certificates. Although this perhaps does little more than state what was already the position under common law, the matter is put beyond doubt. It remains the position that, whilst admissible, the authenticity of an electronic signature will be for the court to determine based on the evidence. It may be that strong (although perhaps not conclusive) evidence will be available when an electronic signature is used with a certificate supplied by a CSP.
Certification Service Provider (CSP)
When you digitally sign an electronic communication, you create an encrypted summary of the communication using a “private key” which is available only to you by use of a password. This summary can be read by the recipient only by decrypting it with your “public key”. The recipient can verify your public key with the CSP that issued your certificate. This will confirm to the recipient that the communication was indeed signed by you (“authenticity”) and that it hasn’t been tampered with (“integrity”).
The CSP is, therefore, in a trusted position as it must verify the identity of the person, issue a certificate to him/her and make available the person’s public key. The CSP must also be in a position speedily to “revoke” a certificate. This may happen, for example, if the private key falls into the wrong hands.
The two key issues regarding CSPs are:
- the extent to which they may be subject to regulatory supervision, and
- their liability to third parties who rely on certificates issued by them.
Supervision of CSPs
The Directive allowed Member States to decide the extent of the supervision to be applied to CSPs. The Government decided on a minimal, or “light touch”, approach.
Under the Regulations, the Secretary of State has a duty to keep under review the activities of CSPs established in the UK and who issue “qualified certificates” to the public. A qualified certificate is defined as one which contains certain specific information and is provided by a CSP who fulfils certain requirements specified in schedules to the Regulations.
The Secretary of State must establish and maintain a register of CSPs which must be open to public inspection. If the Secretary of State receives evidence of any conduct of a CSP which seems to be detrimental to the interests of those who use or rely on certificates, he must make this evidence available to the public in such manner as he considers appropriate.
The Regulations must be viewed alongside the provisions of Part 1 of the Electronic Communications Act 2000. This established powers for a statutory voluntary approvals regime for CSPs. In fact, this has not yet been implemented and may not be if the Government continues to be happy with the non-statutory voluntary scheme being put in place by the Alliance for Electronic Business (a consortium of industry bodies involved in the promotion of electronic business) under a scheme known as the tScheme.
Liability of CSPs
The typical e-commerce transaction involving a qualified certificate is a tripartite relationship between the signatory, the CSP who issues the certificate and the party that relies on the certificate to verify the electronic signature (the relying party).
A contractual relationship exists between the signatory and the CSP, but no contractual relationship may exist between the CSP and the relying party. However, the liability of the CSP to the relying party is central to the legal security of the certificate. This liability is founded in tort, assuming that the CSP owes a duty of care to the relying party. Under common law it would seem hard to deny that such a duty exists and the Regulations support this explicitly. Indeed, they go much further. In certain circumstances, the CSP may be deemed to be negligent and liable in damages to the relying party (notwithstanding that there is no proof that he was negligent) unless he can prove that he was not negligent. This is an extraordinary reversal of the usual burden of proof in tort. CSPs will no doubt look to manage their risk by clearly defining the narrow scope of their responsibility and limiting their liability (subject to the Unfair Contract Terms Act 1977).
Links:
The Regulations are at: http://www.hmso.gov.uk/si/si2002/20020318.htm
The Electronic Communications Act 2000 is at: http://www.hmso.gov.uk/acts/acts2000/20000007.htm
Nigel Miller is a partner in City law firm Fox Williams and is Joint Chairman of the Society for Computers and Law.