Electronic Signatures in Law and Practice



  1. ELECTRONIC SIGNATURES in Law and Practice, John D. Gregory, October 5, 2009
  2. Outline
      • Signatures in general
      • Legal considerations
      • Electronic signatures
      • Legal considerations
      • Practical considerations
      • Examples of threat-risk analysis
      • Responses to questions
  3. Signatures
      • A signature is evidence of a link between a person (legal entity) and a document
        • There are many kinds of possible link
          • Approval, witnessing, acknowledgment ...
        • The signature is usually not the only evidence of the link
      • It may also be evidence of the character of that link, through formality or ceremony
        • Seriousness, legal impact
  4. Signatures and the law
      • The law does not usually require a signature
        • So any kind of signature will do
      • The law very rarely specifies the form of a signature
        • So any form of signature will do
      • The legal effect of a signature – the nature of the link to the document – is rarely evident from the form of the signature
  5. Signatures and the law (2)
      • Intention is the key
      • So:
        • Anyone can sign
        • A machine can sign
        • A signature can look like anything
      • Proof of intention is the hard part
      • Different intentions = different signatures
      • The relying party takes the risk of forgery
  6. Security of signatures
      • Signatures on paper vary as to security:
        • Initials
        • Full signature
        • Signature plus witness (possibly notary)
        • Signature plus two witnesses present at the same time (for wills)
        • Signature plus personal or corporate seal
        • Signature plus certified sample (e.g. from bank)
        • Signature plus certificate of authority
  7. Electronic signatures
      • An electronic signature is “electronic information that a person creates or adopts in order to sign a document and that is in, attached to or associated with the document” (Electronic Commerce Act)
      • Does not have to 'look like' a signature
      • Does not have to be in or on the signed document
  8. Electronic signatures (2)
      • Typewritten Electronic Signature: “James Bond” or /s/James Bond
      • Digitized Electronic Signature
      • Personal Identification Number (PIN): 007
      • Digital Signature: AOI)(#)(*%(FD(*DSHJB(*8hfr98hf49*YQW(*EHR(98HR(#*H(hEOID)()(*$*JGN)(J(DS)IJ@)(UJ%)R(#U)(FRJU)*&)(@&(*$&(*#IHOLKJHE)(*#&$
  9. E-signatures and the law
      • Because the law generally does not require a signature or a type of signature, people can use whatever they want.
      • For greater certainty: Electronic Commerce Act, 2000 (Ontario): A legal requirement that a document be signed is satisfied by an electronic signature
      • The law does not specify a standard of reliability (even “as appropriate”)
  10. E-signatures and the law (2)
      • Some qualifications:
      • “whatever THEY want”...
        • Who are the parties to a signature?
        • What does the contract (RFP) say?
        • Who decides? The party at risk
      • ECA: Nothing in this Act requires a person to use, provide or accept information in electronic form without consent.
  11. E-signatures and the law (3)
      • Further qualification: federal law (PIPEDA)
      • General permission to use e-signatures: only for designated laws or regulations
        • an opt-in approach rarely used
      • For several kinds of signature: use a “secure electronic signature” = digital signature
        • Currently only GoC PKI digital signatures
  12. E-signatures and the law (4)
      • Generally speaking, electronic signatures do not present a legal problem.
        • Some methods are better for 'ceremony' than others
      • Specific statutes may change that rule
      • The need for consent may change that rule
        • So check your contracts
  13. Practical considerations
      • What is 'legal' is not necessarily prudent
      • The law does not tell you what is prudent
        • In e-commerce as in paper commerce
        • How to judge what is prudent?
          • Who decides?
      • Right to say No is the right to say Yes, if:
        • The technology is acceptable
        • The level of security is acceptable
  14. Electronic prudence
      • The TRA: threat-risk analysis
        • What are the chances of a problem?
        • What is the gravity of a likely problem?
        • What is the cost of avoiding the problem?
        • What are the benefits of risking the problem?
      • Note: judgments may vary on all answers and on the general conclusion
        • Parties may have different costs and benefits
  15. TRA
      • Risk factors
        • How accessible are data to unauthorized users?
        • What incentives have outsiders to hurt the integrity of the data?
        • How hard is it to detect alteration?
        • Who bears the risk of loss if data are altered or document is not genuine?
        • Who is best able to protect data?
        • What is the signer’s incentive to repudiate data?
  16. TRA (2)
      • Cost factors
        • How much does it cost to secure data?
        • Who will pay to secure the data – producer or user of data?
        • How hard is it to protect data?
      • Benefit factors (to being electronic)
        • How much does the system save?
        • How much do users save?
        • Is a single signing method cheaper?
        • What is trust in the system worth?
  17. Examples of TRA
      • Some Ontario examples
      • Dispense with signature
        • Business registration forms
        • Online licence tag renewals
      • Close the system
        • Security interest registration
        • Land registration
      • Prescribe the technology
        • Income tax filings, ePass (Canada)
  18. The story so far ...
      • Signatures are one way of linking a legal entity to a document
      • The law generally allows signatures in electronic form
      • Not every electronic form will suit every purpose
      • A key question is how to prove the link that the signature is supposed to show
        • Prove the link or prove the technology?
        • Prove signer's identity or attributes?
  19. And in practice ...
      • Most uses of e-signatures in high-value transactions are in closed systems:
        • Parties know each other over time
        • Parties agree on the technology (or one of them prescribes it)
        • Appropriate records are kept
      • Open systems: very hard (= costly) to verify identity of potential user, so indefinite risk to relying party or to certifier of identity
  20. In practice (2)
      • Consumer e-commerce depends on authentication by credit card more than on e-signature.
        • Merchant does not care who buys, just that payment is made
        • Credit card system is huge but closed
      • Government uses tend to be closed too – the e-signature used to deal with it cannot be used to deal with anyone else.
  21. In practice (3)
      • Some particular difficulties:
      • Online enrollment: no way of identifying a stranger to the system
        • Proxies: financial institutions, educational institutions etc
      • Key management: staff (signer) turnover, compromise, sloppy behaviour
      • Liability: certifier can't pass to relying party
  22. Q & A
      • Q: Does e-sig = photocopied sig?
      • A: Yes and no. Depends on what kind of e-sig. Digitized signature has similar risk of fraud. Record retention may be different.
      • Q: E-sig vs digital sig
      • A: Digital signature (PKI) (i.e. using cryptography) is very secure but hard to do. No formal legal difference absent legal rule.
  23. Q & A (2)
      • Q: When is it appropriate to 'introduce' e-sigs? How to persuade collaborators?
      • A: When both (all) sides agree with results of a TRA (formal or informal). Voluntary.
      • Q: Case studies showing savings?
      • A: SAFE pharma, industry studies, credit card industry, auto sales, bank and securities clearances, e-filing in court
  24. Q & A (3)
      • Q: Why do some agencies accept any medium and some insist on h/w (wet) sig?
      • A: Each has its own express or implied TRA, its own evidence and archiving needs. Some 'outsourced' signature pages OK.
      • Q: How to design a system that will work, with appropriate practices?
      • A: A lot of people would like to know, and a lot of consultants are out there trying
  25. Q & A (4)
      • Q: What legal arguments to use to persuade collaborator to accept e-signatures?
      • A: It's not a legal question (subject to institutional rules e.g. granting agencies)
      • Q: What about a document with one handwritten signature and one by PDF?
      • A: Contracts signed in counterparts are common on paper. No different issues electronically. Q of proof and trust.
  26. Conclusions
      • The law is easy; the practice is hard
      • Proving the technology is often harder than proving the link (between signer and doct)
      • Not only signatures can prove the link.
      • E-records do not need to be more reliable than paper records – but people forget that.
      • Novelty of judging trust in e-world is large part of the challenge
  27. Sources (partial)
      • Electronic Legal Records: Pretty Good Authentication? (1998)
        • http://www.euclid.ca/call.html
      • Legal Situation of Electronic Signatures: an Ontario perspective (1999)
        • http://www.euclid.ca/ontsig.html
      • Authentication Rules and Legal Records (2002)
        • http://www.euclid.ca/cbr2002.pdf
      • E-records and the Law (2007)
        • http://www.verney.com/opsim2007/presentations/301.ppt
      • Paperless Government and the Law (2009)
        • http://www.euclid.ca/paperless.ppt