Cyberlaw Series:1
Version 1
Digital Signature Law - A Survey of the International Scenario
Gulshan Rai, R.K. Dubash and A.K. Chakravarti
October, 1997
Information Technology Group, Department of Electronics, Government of India
Contents
1. Information Technology and National Information Infrastructure
4. Authentication of instructions
6. Categories of Digital Signature
1. Information Technology and National Information Infrastructure
Information and communication technologies are rapidly reshaping the world. These technologies encompass the range of products and services that supply and manipulate information. New technologies are created and disseminated into public life at an ever increasing speed.
The range of new technologies seems to be growing exponentially as traditional forms of representing, manipulating and communicating information are combined with each other and continually improved.
Over the next decade, whole populations will find almost every aspect of their daily life - education, healthcare, work and leisure - affected by advances in the National Information Infrastructure (NII).
With the exploding popularity of the Internet, a presence on the Internet has become almost a requirement for a business. The Internet, and the technologies it has spawned, has made electronic commerce one of the most effective and reliable methods of conducting business.
Today advertisements and sales brochures proliferate on the Web, in newsgroups and on bulletin boards. Cyber stores offer anything from music CDs to certificates of deposit.
The Internet today has the potential to make every computer an individual printing press, library, museum, tour guide, shopping mall and bank.
According to a recent report from Forrester Research, the overall Internet economy will approach $200 billion in the year 2000, up from $15 billion today. By the year 2000, many enterprises will be collaborating internally on data-rich Intranets and selling effectively through a new breed of multimedia-rich, information-style electronic stores.
The single most important technological change leading us to the National Information Infrastructure is the digitisation of media and networks. This has brought about the interactive age. All information, including audio and video content, can be used in any order and rearranged at will. Digital content can also be transformed for use on another medium, e.g., from text to voice or vice versa. There is a convergence of computing, communications and content technologies across industries.
There is a shift towards client/server computing for the dynamic client/customer service organisation. Software is processed not only on a host but wherever it makes more sense. Software is not limited to one machine; it can be processed co-operatively on various computers on the network. In client/server computing, software runs on a client computer such as a desktop PC, or on a server, which can be located anywhere. The computer becomes the network and the network becomes the computer.
Today the Internet has bandwidth in the range of a few gigabits per second and transports mainly data and text. Eight years ago data and text were transmitted at a speed of two pages per second. The new network will transmit data and text at 12 gigabits per second by the end of 2000 and on the order of a trillion bits per second by 2010. At that speed the new network could transmit the contents of two small public libraries per second. There is a shift from separate data, text, voice and image to multimedia. Two professionals in different parts of the globe can exchange, at the speed of light, computerised or digital documents that contain data, audio and video. Such a compound document can be filed electronically, retrieved, altered and communicated as appropriate without ever being transferred onto paper, and, like a piece of paper, one can take it on the subway. Unlike paper, it communicates with other documents and people as you ride along. In that scenario there are static media, such as data, text and still images, and time-bound media, including voice, sound and video.
There is a technology shift from proprietary to open systems, enabling inter-operability of information systems around the world so that one system can call any other system.
There is a shift from dumb to intelligent networks. Until recently it was not only the information appliances that were dumb: the computers that carried information had no intelligence built into them. Today the situation is different.
Today hypermedia lets us walk through the net. We can have hyperlinks from any piece of information on the net to any other computer that holds information.
Today a whole range of rapidly deployable software is available for a rapidly changing world, and the situation will improve in the near future. The direction is towards object computing.
With the digital revolution continuing and the Internet becoming more popular with each passing day, cyberspace law has emerged as a separate new area of specialisation.
The emerging information and communications network is likely to have an important impact on economic development and world trade.
The users of information technology must have trust in the security of information and communications infrastructures, networks and systems; in the confidentiality, integrity, and availability of data on them; and in the ability to prove the origin and receipt of data.
The data is increasingly vulnerable to sophisticated threats to its security, and ensuring the security of data through legal, procedural and technical means is fundamentally important in order for national and international information infrastructures to reach their full potential.
In general, "Cyber law" typically encompasses all the cases, statutes, and constitutional provisions that impact persons and institutions who control the entry to cyberspace, provide access to cyberspace, create the hardware and software which enable people to access cyberspace, or use their own computers to go "on-line" and enter cyberspace.
Some of the key players in cyber law disputes may include phone companies, regulatory agencies, personal computer companies, software companies, Internet service providers, schools, colleges, universities, and all persons and companies that have established a presence on the Internet.
Currently, Cyber law is a wide-open area of law, with much uncharted territory and many unresolved issues.
4. Authentication of instructions
Our law is tuned to establish the authenticity of a transaction through a signature. In the absence of paper, the signature needs to be replaced. Legal rules are required to define under what circumstances a person can be bound in respect of an electronic instruction purported to have been issued by him. Generally, authentication is achieved by what is known as a security procedure. Electronic mechanisms such as identification numbers, call-back procedures and encryption have evolved to establish the authenticity of an instruction. But from a legal perspective, the security procedure needs to be recognised by law as a substitute for a signature.
New challenges arise in solving problems unique to electronic authentication such as issues of data integrity, non-repudiation, evidentiary standards, choice of technology, liability standards, contractual freedom, consumer protection, and cross-border recognition of electronically signed documents.
The basic characteristics and substantive aspects point to the following issues for which the law must provide:
- Authentication of instruments
- Countermanding or reversal of instructions
- Operational Security of the system
- Fraud, technical failure and errors
- Allocation of loss
- Evidence, data protection and record preservation
* A digital signature is a personalised thumbprint on an electronic document.
* It is produced by applying the signer's private key to the document (in practice, to a cryptographic digest of it); the matching public key lets anyone verify it. It is not simply the encryption of the document, and it does not keep the document's contents secret: the document stays readable, and the signature binds it to its signer.
An early example of encryption is the cipher attributed to Julius Caesar, in which every letter of a message was shifted three places along the alphabet. A shift cipher of this kind hides the text from a casual reader but provides neither authentication nor integrity, which is what a digital signature is for.
Just as a paper document is authenticated by an ink signature, and a clean cheque is identified by consistent handwriting and the absence of alterations, with a digital signature every bit of the document is covered by the signature: changing a single bit of the document invalidates it.
Applications include electronic banking, email, and the general security and authentication of documents.
It is the basic security concept for home commerce and for business-to-business commerce. The Internet is an open, insecure network; VANs (Value Added Networks, in use for business-to-business commerce) are closed networks whose security rests on restricted access and contractual arrangements between the parties.
The distinction between an electronic and a digital signature is an important one, although the terms are frequently used interchangeably. For purposes of consistent analysis here, "electronic signature" means any identifiers such as letters, characters, or symbols, manifested by electronic or similar means, executed or adopted by a party to a transaction with an intent to authenticate a writing. A writing, therefore, is deemed to be electronically signed if an electronic signature is logically associated with such writing.
In contrast to an electronic signature, a "digital signature" is an electronic identifier that utilizes an information security measure, most commonly cryptography, to ensure the integrity, authenticity, and non-repudiation of the information to which it corresponds.
Digital signatures and encryption are not a secret technology monopolised by any one country. Any hobbyist can program a PC to perform strong encryption. Many algorithms are well documented, some with source code available in textbooks.
6. Categories of Digital Signature
Most of the electronic and digital signature initiatives fall into three categories:
- prescriptive,
- criteria-based, and
- signature enabling
Prescriptive Approach
The prescriptive approach is a comprehensive effort that seeks to enable and facilitate electronic commerce with the recognition of digital signatures through a specific regulatory and statutory framework. It establishes a detailed PKI (Public Key Infrastructure) licensing scheme (albeit voluntary), allocates duties between contracting parties, prescribes liability standards, and creates evidentiary presumptions and standards for signature or document authentication.
On the whole, 18 states in USA have adopted or considered PKI-based digital signature laws. Of these, 14 states have addressed digital signatures alone while four states have considered giving effect to both electronic and digital signatures.
Thirty-one states have or are considering 58 statutes that address electronic signature or electronic authentication standards. Fifty-five of these initiatives representing 29 states may be divided between the criteria-based and enabling categories.
Criteria-Based Approach
The predominant model for criteria-based laws is the "California" authentication standard. The California criteria-based approach has proven quite flexible for various state legislators. The broad criteria may apply both to electronic and digital signatures since it is designed to lay the requirements for trustworthiness and security. For example, the California Secretary of State has recently published its Proposed Digital Signature Regulations, in which it adopts two acceptable technologies: PKI digital signatures and signature dynamics. Indiana has adopted the California criteria as a prerequisite for the recognition of digital signatures. Illinois is considering the criteria as a basis for evaluating whether an electronic signature may be deemed "secure." The first four elements of the California standard also have been used in legislation from New Hampshire, Rhode Island, and Virginia as optional criteria that the trier of fact may consider when evaluating the authenticity of an electronic signature.
On the whole, 11 states have 19 initiatives that incorporate the criteria-based approach. Ten states have adopted the California standard into law.
Signature-Enabling Approach
The remaining legislative initiatives fall within the signature-enabling category. The "general" laws permit any electronic mark that is intended to authenticate a writing to satisfy a signature requirement.
Massachusetts is also representative. Massachusetts has put forward the most modest position regarding electronic authentication, owing to concerns similar to those voiced in California regarding the potential for market distortions and the need for technological neutrality. Unlike California, however, Massachusetts does not adopt any particular authentication criteria when removing signature and writing barriers.
Electronic Records and Signatures
Where the law requires information to be in writing, that requirement is met by a record. In any legal proceeding, a record shall not be inadmissible in evidence on the sole ground that it is an electronic record. Any duplicate record that accurately reproduces the original record shall be admissible in evidence as the original itself unless in the circumstances it would be unfair to admit the duplicate in lieu of the original.
Where the law requires a signature of a person, that requirement is met by that person’s electronic signature. Where any rule of law requires a signature to be notarized or acknowledged for filing, that rule is satisfied by an electronic signature that meets standards established by the secretary of the commonwealth. Subscribers have a duty of care (reasonableness) in holding their private keys secure. CAs have a similar duty to use trustworthy methods and may be bound by certain warranties.
Several countries have enacted, or are planning to enact, laws relating to digital signatures. The status is given below.
UNCITRAL
UNCITRAL (United Nations Commission on International Trade Law) is working on a model digital signature law. The UNCITRAL Working Group on Electronic Commerce met in February 1997.
OECD (Organisation for Economic co-operation and Development)
On March 27, 1997 the OECD adopted, by recommendation, guidelines concerning cryptography (the Guidelines for Cryptography Policy). The guidelines aim at promoting the use of cryptography, e.g. for digital signatures, in order to advance the development of electronic commerce.
The guidelines tackle the following subjects: trust in and choice of cryptographic methods, privacy protection, lawful access to keys and encrypted data, liability of persons and organisations that offer cryptographic services, and international co-operation. As regards lawful access to keys and encrypted data, the guidelines distinguish between keys used for confidentiality purposes and those used for digital signatures. The latter may not be made available without the key holder's consent. The distinction matters: lawful access to a confidentiality key exposes only the data it protects, whereas disclosure of a signing key lets a third party forge the holder's signature and destroys the non-repudiation that the signature exists to provide.
United States of America
29 US States have enacted, proposed or drafted digital signature legislation. The Utah Digital Signature Act of 1995 provides a legal framework for the use of cryptography for authentication and integrity purposes. Other states, including Georgia, Florida, Hawaii, Oregon, Washington, and Wyoming, have enacted similar bills. Massachusetts has draft legislation that is more technology-neutral, covering both digital signatures and other forms of electronic authentication. California and Arizona have passed digital signature legislation regarding electronic transactions with state entities. California is also proposing a law to authorize the use of digital signatures and signature dynamics. Minnesota has established licensing criteria for Certification Authorities and defined their legal responsibilities to third parties. Nevada has enacted a law authorising the use of electronic symbols as a substitute or supplement for certain signatures.
Arizona
1996 Arizona Session Laws 213. Arizona amended Section 41-121 of Arizona Revised Statutes on April 18, 1996 to provide limited use of digital signatures. The amendment provides that the Secretary of State shall "approve for use by all other state agencies, and accept digital signatures for documents filed with the office of the secretary of state" and gives the Secretary of State authority to adopt rules to achieve this purpose.
California
California has adopted digital signature legislation significantly narrower than that of Utah. It governs only digital signatures affixed to communications with public entities. The Act provides that a digital signature shall have the same force and effect as a manual signature if :
(1) it is unique to the person using it;
(2) it is capable of verification;
(3) it is under the sole control of the person using it;
(4) it is linked to data in such a manner that if the data are changed, the digital signature is invalidated; and
(5) it conforms to regulations adopted by the Secretary of State.
Regulations. The Secretary of State has created a task force to draft regulations and to study further expansion of the statute to the private sector. The software industry is monitoring the task force with great interest. Under the legislation the Secretary of State will license certification authorities (CAs) only for state agencies and state employees and for individuals who will be submitting digitally signed documents to the State. CAs licensed by the State must publish all certificates rather than using repositories. This could be an overhead cost problem that impedes scaling up a digital signature public key infrastructure (PKI). Language in the proposed regulations provides that California will accept certifications from other agencies and other States, leaving the door open for further expansion. California has also enacted legislation permitting the use of an electronic signature, or other indicator of authenticity approved by the state registrar, in lieu of a manual signature on certificates of death by embalmers and by persons attesting to the accuracy of the certificate. The act also authorizes the use of such signature substitutes by local registrars in registering certificates of death.
Connecticut
General Statutes of Connecticut. Connecticut has promulgated legislation directing the Commissioner of Public Health and Addiction Services to adopt regulations for the use of electronic signatures for certain medical records. The statute, however, does not make specific reference to digital signatures.
Delaware
On July 12, 1996 Delaware enacted legislation to amend Title 29 of the Delaware Code, which relates to state budget, accounting and payroll policies and procedures, to allow for the use of electronic signatures with respect to documents created pursuant to Title 29. The bill broadens the scope of the term "signature" as it applies to the signing of checks or drafts by the state treasurer by dispensing with the requirement that a check-signing machine be used if the check or draft is not signed by hand. Furthermore, the bill authorizes the use of an "electronic approval" by state officers in approving payment for services.
Florida
1996 Florida Senate Bill 942. This Bill creates the "Electronic Signature Act of 1996". It authorizes the Secretary of State to be a certification authority to verify electronic signatures and requires it to conduct a study of the use of electronic signatures for commercial purposes. It has become law.
Hawaii
1995 Hawaii Senate Bill 2401. On June 17, 1996, Hawaii enacted this Bill into law. This Bill provides that the state Judiciary shall convene a task force in consultation with the Department of Commerce and Consumer Affairs to explore a program for computer based digital and electronic filing of court documents. The Judiciary and the Department of Commerce and Consumer Affairs shall submit a joint report to the legislature on an annual basis regarding the status and results of the program. A special fund is created for implementation of the program. The Bill is to be repealed on June 30, 2000.
Iowa
Iowa permits electronic signatures for voter registration forms once "the state voter registration commission shall prescribe by rule the technological requirements for guaranteeing the security and integrity of electronic signatures".
Louisiana
Louisiana has adopted legislation similar to that of Connecticut for electronic signatures. It provides for the use of "alphanumeric or similar codes, fingerprints, or other identifying methods" for medical records, subject to guidelines promulgated by the Department of Health and Hospitals.
New Mexico
On March 4, 1996 New Mexico enacted the Electronic Authentication of Documents Act. The act describes as its purpose to "provide a centralized, public, electronic registry for authenticating electronic documents by means of a public and private key system; promote commerce; and facilitate electronic information and document transactions". An "office of electronic documentation" is established under the secretary of the state to maintain a register of public keys. The Secretary of State is required to adopt regulations to accomplish the purposes of the act, and may contract with a private, public or quasi-public organisation to provide services under the act. The act took effect July 1, 1996.
New Mexico has three of four important elements in place:
(1) legislation regarding authentication for electronic signatures;
(2) authority for standards to be approved by a Commission on Public Records; and
(3) the Secretary of State, as Officer of Electronic Documentation, is authorised to establish procedures for registering public keys.
Still to come is the necessary appropriation legislation.
Utah
The Utah Digital Signature Act. A copy of this Act and related commentary can be found at www.state.ut.us. This legislation was the first to authorize commercial use of digital signatures. It governs the use of public-private key pair cryptography and certification authorities, and was designed to conform with various international and national standards that are already in place. Certification authorities are to be licensed by the Utah Department of Commerce. The legislation also protects the subscriber's private key as property, and therefore its theft or unauthorized use is subject to criminal and civil liability.
1996 Utah Senate Bill 73. This Bill was signed by the Governor March 8, 1996. It makes some minor technical amendments to Sections 46-3-103 and 46-3-301 of the Utah Digital Signature Act, above.
1996 Utah Senate Bill 188. This Bill was signed by the Governor on March 12, 1996. It is the first set of substantial amendments to the Utah Digital Signature Act. The Act is concerned with notarization and authentication. It, among other things: defines certain terms; outlines the role of the Division of Corporations and Commercial Code; provides certification requirements, procedures, and duties; provides for performance audits and investigations; outlines enforcement responsibilities; provides for warranties and obligations of certification authorities; specifies control of the private key; provides for suspension, revocation, and expiration of certificates; gives recommended reliance limits and liability; provides for collection on a suitable guarantee; specifies signature requirements and presumptions in adjudications; recognizes repositories and their liabilities; and provides exemptions to auditing requirements.
The Utah Digital Signature Agency has issued a request for proposal (RFP) for an initial repository, from which Utah would issue certificates to state agencies and individuals. Based on the bids submitted it selected a consortium of Novell, Zions Bank, Certco (Bankers Trust) and Exoterica, Inc. The Agency has negotiated the contract. The repository is expected to be up and running 6 months after signing the contract, but it might take a year. Mike Wims, Assistant Attorney General, is currently drafting the Agency regulations required by the existing statutes. One of the difficult issues is the recognition of certification authorities (CAs) and repositories outside the jurisdiction. What should be the standards for foreign accreditation? Fees need to be set by the State. Draft regulations should be available for public comment under the Utah administrative procedure act, and will be posted on the Utah website http://www.state.ut.us. The State needs to increase the intensity of its regulation drafting effort to meet the goal of being done before the repository is up and running.
Virginia
1996 Virginia House Joint Resolution 195. This Bill relates to digital signatures and issues related to electronic commerce. It establishes a joint committee to study digital signature issues and to determine whether Virginia should adopt legislation that would facilitate the development of electronic commerce in Virginia. It passed the Senate on February 29, 1996, and the House concurred in the Senate amendments on March 4, 1996. A copy of this Bill can be found at www.state.va.us. More comprehensive legislation, House Bill 822, dealing with "Trade and commerce; digital signatures," has been introduced; it establishes a regulatory framework for the use of digitized signatures, thereby enabling what is referred to as electronic commerce. Such a framework provides the basis by which individuals and businesses can electronically authenticate business contracts and other agreements exchanged over computer networks without the necessity of obtaining pen-and-ink signatures.
Washington
1996 Washington Senate Bill 6423. This Bill was signed by the Governor on March 29, 1996. It creates the Washington Digital Signature Act. It declares an intent to facilitate commerce by means of reliable electronic messages, to minimize the incidence of forged digital signatures and fraud in electronic commerce, to implement legally the general import of relevant standards, and to establish in coordination with multiple states uniform rules regarding the authentication and reliability of electronic messages. The Washington bill is modeled after the Utah statute.
One difference between Washington and Utah is that although Washington will licence Certification Authorities, Washington will not have a public repository as in Utah. There is a high level of awareness and enthusiasm for digital signatures in the State of Washington. The vote was unanimous in the house, there was only one negative vote in Senate, and the Governor signed the bill digitally.
European Union
The European Commission has launched a call for tender for a Study on the Legal Aspects of Digital Signatures, which is presently being carried out. The study will give an overview of national and EU policies, existing and envisaged rules and regulations, as well as (de facto) practices concerning digital signatures in the Member States and the EU's main trading partners.
On July 3, 1997 a call for tenders in the Area of European Trusted Services (ETS-II) was issued, which provides, amongst others, for a study on promoting trust and user confidence concerning security services through legal measures. The objective of this study will be the proposal of guidelines for "harmonisation of national legislation concerning the rules of electronic documentary evidence and TTP liability".
A Survey of Legal Issues relating to the Security of Electronic Information is presented by the Electronic Commerce Secretariat of the Department of Justice of Canada. Chapter 9 of the Survey deals with Electronic Records, Digital Signatures and Evidence.
RSA public-key encryption and digital signatures: patented.