Electronic Signatures in Law and Practice
John D. Gregory, October 5, 2009
TRANSCRIPT
John D. Gregory Electronic Signatures 2
Outline
Signatures in general: legal considerations
Electronic signatures: legal considerations, practical considerations
Examples of threat-risk analysis
Responses to questions
Signatures
A signature is evidence of a link between a person (legal entity) and a document
There are many kinds of possible link Approval, witnessing, acknowledgment ...
The signature is usually not the only evidence of the link
It may also be evidence of the character of that link, through formality or ceremony
Seriousness, legal impact
Signatures and the law
The law does not usually require a signature, so any kind of signature will do
The law very rarely specifies the form of a signature, so any form of signature will do
The legal effect of a signature (the nature of the link to the document) is rarely evident from the form of the signature
Signatures and the law (2)
Intention is the key. So:
Anyone can sign
A machine can sign
A signature can look like anything
Proof of intention is the hard part
Different intentions = different signatures
The relying party takes the risk of forgery
Security of signatures
Signatures on paper vary as to security:
Initials
Full signature
Signature plus witness (possibly notary)
Signature plus two witnesses present at the same time (for wills)
Signature plus personal or corporate seal
Signature plus certified sample (e.g. from bank)
Signature plus certificate of authority
Electronic signatures
An electronic signature is “electronic information that a person creates or adopts in order to sign a document and that is in, attached to or associated with the document” (Electronic Commerce Act)
Does not have to 'look like' a signature
Does not have to be in or on the signed document
Electronic signatures (2)
Typewritten electronic signature: “James Bond” or /s/James Bond
Digitized electronic signature
Personal Identification Number (PIN): 007
Digital signature: AOI)(#)(*%(FD(*DSHJB(*8hfr98hf49*YQW(*EHR(98HR(#*H(hEOID)()(*$*JGN)(J(DS)IJ@)(UJ%)R(#U)(FRJU)*&)(@&(*$&(*#IHOLKJHE)(*#&$
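The forms listed above differ sharply in what a relying party can actually check. The following Go program is an added illustration and is not part of Gregory's slides; the sample contract text, the signer names, and the choice of Ed25519 as the digital signature algorithm are all assumptions made for this example. It contrasts a typewritten "/s/ James Bond" signature, which is a string attached to the document that anyone can type and that does not change when the document does, with a digital signature, which is computed from the signer's private key and every byte of the document, so it fails once the document is altered and fails under another party's key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"log"
)

// Constructed sample document for this example; not from the original talk.
var original = []byte("I, James Bond, agree to pay GBP 1,000 under contract 007.\n")

// TypewrittenSign attaches "/s/ Name" as the last line of the document.
// Nothing in the result depends on who typed it or on the document text.
func TypewrittenSign(doc []byte, name string) []byte {
	signed := append([]byte{}, doc...)
	return append(signed, []byte("/s/ "+name+"\n")...)
}

// TypewrittenVerify can only check that the last line spells the expected name.
func TypewrittenVerify(signed []byte, name string) bool {
	return bytes.HasSuffix(signed, []byte("/s/ "+name+"\n"))
}

// DigitalSign signs the document with an Ed25519 private key (assumed
// algorithm). The signature depends on the key and on every byte signed.
func DigitalSign(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// DigitalVerify checks a signature against a public key and the document.
func DigitalVerify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Outcome records what each form detects; true means verification passed.
type Outcome struct {
	TypewrittenOriginal bool // unaltered document, genuine signer
	TypewrittenAltered  bool // amount changed after signing
	TypewrittenForged   bool // someone else typed the name
	DigitalOriginal     bool // unaltered document, genuine key
	DigitalAltered      bool // amount changed after signing
	DigitalForged       bool // signed with another party's key
}

// alter changes the amount in the text, simulating tampering after signing.
func alter(doc []byte) []byte {
	return bytes.Replace(doc, []byte("1,000"), []byte("10,000"), 1)
}

// Compare runs both signature forms over the constructed document.
func Compare() (Outcome, error) {
	bondPub, bondPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // an impostor's key
	if err != nil {
		return Outcome{}, err
	}

	typed := TypewrittenSign(original, "James Bond")
	sig := DigitalSign(bondPriv, original)

	return Outcome{
		TypewrittenOriginal: TypewrittenVerify(typed, "James Bond"),
		TypewrittenAltered:  TypewrittenVerify(alter(typed), "James Bond"),
		TypewrittenForged:   TypewrittenVerify(TypewrittenSign(alter(original), "James Bond"), "James Bond"),
		DigitalOriginal:     DigitalVerify(bondPub, original, sig),
		DigitalAltered:      DigitalVerify(bondPub, alter(original), sig),
		// The relying party checks against the key it believes is Bond's.
		DigitalForged: DigitalVerify(bondPub, original, DigitalSign(otherPriv, original)),
	}, nil
}

func main() {
	o, err := Compare()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", o)
}
```

All three typewritten checks pass, including the altered and forged cases, because the check never looks at the body of the document or at who produced the line. The digital signature passes only on the unaltered text under the right key. Note what it does not do: it binds the signature to a key and to the document, not to a person; who holds that private key is exactly the enrolment and key-management problem the later slides raise.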
E-signatures and the law
Because the law generally does not require a signature or a type of signature, people can use whatever they want.
For greater certainty: Electronic Commerce Act, 2000 (Ontario): A legal requirement that a document be signed is satisfied by an electronic signature
The law does not specify a standard of reliability (even “as appropriate”)
E-signatures and the law (2)
Some qualifications: “whatever THEY want”...
Who are the parties to a signature?
What does the contract (RFP) say?
Who decides? The party at risk
ECA: Nothing in this Act requires a person to use, provide or accept information in electronic form without consent.
E-signatures and the law (3)
Further qualification: federal law (PIPEDA)
General permission to use e-signatures: only for designated laws or regulations (an opt-in approach, rarely used)
For several kinds of signature: use a “secure electronic signature” = digital signature
Currently only GoC PKI digital signatures
E-signatures and the law (4)
Generally speaking, electronic signatures do not present a legal problem.
Some methods are better for 'ceremony' than others
Specific statutes may change that rule
The need for consent may change that rule
So check your contracts
Practical considerations
What is 'legal' is not necessarily prudent
The law does not tell you what is prudent, in e-commerce as in paper commerce
How to judge what is prudent? Who decides?
Right to say No is the right to say Yes, if:
The technology is acceptable
The level of security is acceptable
Electronic prudence
The TRA: threat-risk analysis
What are the chances of a problem?
What is the gravity of a likely problem?
What is the cost of avoiding the problem?
What are the benefits of risking the problem?
Note: judgments may vary on all answers and on the general conclusion
Parties may have different costs and benefits
TRA Risk factors
How accessible are data to unauthorized users?
What incentives have outsiders to hurt the integrity of the data?
How hard is it to detect alteration?
Who bears the risk of loss if data are altered or document is not genuine?
Who is best able to protect data?
What is the signer’s incentive to repudiate data?
TRA (2)
Cost factors
How much does it cost to secure data?
Who will pay to secure the data – producer or user of data?
How hard is it to protect data?
Benefit factors (to being electronic)
How much does the system save?
How much do users save?
Is a single signing method cheaper?
What is trust in the system worth?
Examples of TRA
Some Ontario examples
Dispense with signature
Business registration forms
Online licence tag renewals
Close the system
Security interest registration
Land registration
Prescribe the technology
Income tax filings, ePass (Canada)
The story so far ...
Signatures are one way of linking a legal entity to a document
The law generally allows signatures in electronic form
Not every electronic form will suit every purpose
A key question is how to prove the link that the signature is supposed to show
Prove the link or prove the technology?
Prove signer's identity or attributes?
And in practice ...
Most uses of e-signatures in high-value transactions are in closed systems:
Parties know each other over time
Parties agree on the technology (or one of them prescribes it)
Appropriate records are kept
Open systems: very hard (= costly) to verify identity of potential user, so indefinite risk to relying party or to certifier of identity
In practice (2)
Consumer e-commerce depends on authentication by credit card more than on e-signature.
Merchant does not care who buys, just that payment is made
Credit card system is huge but closed
Government uses tend to be closed too: the e-signature used to deal with it cannot be used to deal with anyone else.
In practice (3)
Some particular difficulties:
Online enrollment: no way of identifying a stranger to the system
Proxies: financial institutions, educational institutions etc.
Key management: staff (signer) turnover, compromise, sloppy behaviour
Liability: certifier can't pass to relying party
Q & A
Q: Does e-sig = photocopied sig?
A: Yes and no. Depends on what kind of e-sig. Digitized signature has similar risk of fraud. Record retention may be different.
Q: E-sig vs digital sig
A: Digital signature (PKI) (i.e. using cryptography) is very secure but hard to do. No formal legal difference absent legal rule.
Q & A (2)
Q: When it is appropriate to 'introduce' e-sigs? How to persuade collaborators?
A: When both (all) sides agree with results of a TRA (formal or informal). Voluntary.
Q: Case studies showing savings?
A: SAFE pharma, industry studies, credit card industry, auto sales, bank and securities clearances, e-filing in court
Q & A (3)
Q: Why do some agencies accept any medium and some insist on h/w (wet) sig?
A: Each has its own express or implied TRA, its own evidence and archiving needs. Some 'outsourced' signature pages OK.
Q: How to design a system that will work, with appropriate practices?
A: A lot of people would like to know, and a lot of consultants are out there trying
Q & A (4)
Q: What legal arguments to use to persuade collaborator to accept e-signatures?
A: It's not a legal question (subject to institutional rules e.g. granting agencies)
Q: What about a document with one handwritten signature and one by PDF?
A: Contracts signed in counterparts are common on paper. No different issues electronically. Q of proof and trust.
Conclusions
The law is easy; the practice is hard
Proving the technology is often harder than proving the link (between signer and document)
Not only signatures can prove the link.
E-records do not need to be more reliable than paper records – but people forget that.
Novelty of judging trust in e-world is large part of the challenge