The Electronic Signatures Regulations 2002

Reference: UK/2002/SI/318

Electronic signatures have seen significant adoption in the past decade within insurance, lending, government and other industries following the introduction of The Electronic Signatures Regulations 2002 which transposed the EU Electronic Signatures Directive into UK law.

Why are electronic signatures important?

Electronic identity (eID) technologies and authentication services are essential for all kinds of online transactions. Today, log-in usernames and passwords are among the most common online authentication systems. While these systems are adequate for many applications, more secure solutions are increasingly needed to protect personal data online.

Legal validity of electronic signatures

Much like one signs a document with a pen in the offline world, electronic signatures deliver a way to sign documents in the online world. But without seeing a person sign the document, how can you prove it is the right person? In the past only hand-written signatures were legally valid.

The European Union's Electronic Signatures Directive extends that recognition to electronic signatures. A reliable system of electronic signatures that work across EU countries is vital for safe electronic commerce and efficient electronic delivery of public services to businesses and citizens.

UK regulations

The Electronic Signatures Regulations 2002 implement Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures into UK law. The implemented provisions of this Directive relate to the supervision of certification-service-providers, their liability in certain circumstances and data protection requirements for them; provisions relating to the admissibility of electronic signatures as evidence in legal proceedings were implemented by s7 of the Electronic Communications Act 2000.

The Directive does not favour any specific technology.

Replacing manual, paper-based processing with automated, electronic signing processes has enabled organizations large and small to significantly reduce the cycle times, errors and costs associated with getting customers, partners, supplier and employees to review and sign documents needed to close new business, authorize decisions, and move operations forward.

Indeed, the impact electronic signatures have on an organization’s ability to deliver superior customer service, increase operational efficiency and improve bottom line results has often far exceeded initial expectations.

tScheme

Regulation 3 imposes a duty on the Secretary of State to keep reviewing the carrying on of activities of certification-service-providers, to establish, maintain and publish a register of these certification-service-providers & to have regard to any evidence of their conduct which is detrimental to users of qualified certificates with a view to publication of any of this evidence. Liability on certification-service-providers in certain circumstances is imposed even though there is no proof of negligence unless the certification-service-provider proves he was not negligent.

tScheme is the independent, industry-led, self-regulatory scheme set up to create strict assessment criteria, against which it will approve Trust Services.

tScheme approval will therefore be an essential element in providing a level of assurance to individuals and companies using or relying upon e-business transactions.tScheme is taking a strong lead in Europe through this commitment to industry-led self-regulation, rather than government-led legislation. As a key element of this self-regulatory focus, tScheme's objective is to continue to be the preferred option for fulfilling Part I of the UK's Electronic Communications Act 2000.

Regulation 5 imposes a duty on certification-service-providers in certain circumstances to comply with specified data protection requirements. Breach of that duty is actionable by a data subject who suffers loss and compliance with the requirements can also be enforced by civil proceedings by the Crown.

Forms of electronic signature

  • Typing a name in an electronic document

The use of electronic signatures pre-dates any form of legislation, and in the latter decade of the twentieth century, adjudicators found themselves applying well established legal principles to new technologies when presented in the form of electronic signatures, just as judges in the nineteenth century were confronted with the increasing use of printing, typewriting and telegrams: all, is must be said, without the need for special legislation to be enacted.

  • The ‘click wrap’ method of indicating intent

Clicking the ‘I accept’ or ‘I agree’ icon to confirm the intention to enter a contract when buying goods or services electronically has for a long time been a very popular method of demonstrating intent. In itself, the action of clicking the icon has the effect of satisfying the function of a signature.

  • Personal Identification Number (PIN)

The PIN is a very widely used form of authentication, especially to obtain access to a bank account through the use of an ATM, or to confirm a transaction with a credit card or debit card. Invariably, a claim by the user that one or more transactions conducted on the account were not authorized by them will require the relying party to prove the transaction was authorized by the account holder. The fact a withdrawal or other form of transaction took place may not be in issue, and in any event, the bank can adduce the evidence under the relevant business records or the Bankers’ Books exemptions.

  • The name in an e-mail address

The name in an e-mail address is capable of identifying a person, especially where an e-mail address in an organization, whether public or private, is allocated by setting out the name of the person followed by the domain name of the organization. There are other variations that can be used, such as when an e-mail address describes the office or function of the person, rather than their name. However, even this, if allocated to a single person, can also function to identify a particular person.

The link between the prefix of the e-mail address and the person responsible for sending the e-mail can be problematic: for instance, the sender may be able to choose the first part, and may decide to adopt letters or numbers or a combination of letters and numbers with a view to obfuscation of their identity.

Further, the true e-mail address might be hidden by the sender. If it was not obvious who the sender was, and if correspondence ensues and a dispute occurs, it will be a matter of establishing what, if any, evidence there is pertaining to the source of the relevant e-mails as a preliminary point. It has been held in a number of jurisdictions that the name in an e-mail address, or the combination of the name and the domain name in an e-mail address can be a form of electronic signature.

  • A manuscript signature that has been scanned

A variation of the biodynamic version of a manuscript signature is where a manuscript signature is scanned from the paper carrier and transformed into digital format. The files containing the representation of the signature can then be attached to a document. This version of a signature is used widely in commerce, especially when marketing materials are sent through the postal system and addressed to hundreds of thousands, if not millions, of addresses.

  • Biodynamic version of a manuscript signature

There are products available that permit a person to produce a biodynamic version of their manuscript signature. For instance, some delivery companies use hand held devices that require the recipient of an item of post or parcel to sign on a screen acknowledging receipt of the mail.

Another method of obtaining a digital version of a manuscript signature is where a person can write their manuscript signature by using a special pen and pad. The signature is reproduced on the computer screen, and a series of measurements record the behaviour of the person as they perform the action. The measurements include the speed, rhythm, pattern, habit, stroke sequence and dynamics that are unique to the individual at the time they write their signature. The subsequent electronic file can then be attached to any document in electronic format to provide a measurement of a signature represented in graphic form on the screen.

  • The digital signature

Digital signatures are marketed as a form of electronic signature that enables the recipient to prove a document or communication actually came from the person whose digital signature was used to ’sign’ the data. This is not correct.

The private key of a digital signature (also known as an ‘advanced electronic signature’ in the EU) is protected by a password. If you use a digital signature (or you are the recipient of a document or e-mail with a digital signature affixed) the most important point to be aware of is this: the private key of a digital signature is only as good as the password that protects it. This means that when the password is inserted into a computer to provide access to the private key of a digital signature (or PIN) it proves any of the following:

- The person that keyed in the password (or username and password) knew the password (or username and password); or

- The person with access to the computer (whether they were sitting in front of the computer or whether they obtained control of the computer remotely) did not need to know the password because the computer was instructed to remember the password.

Legal Weakness of Digital Signatures

Many people (including lawyers) actually believe that if the private key of a digital signature is affixed to a document or e-mail, it means that the digital signature was actually affixed by the person whose key it was. One must beware of anybody that does not understand logic.

Just as possessing a credit card does not prove you are the rightful owner, electronic signatures do not categorically prove that a signed document came from the claimed sender. It only shows that someone had access to the token or PC on which the digital certificate and signing process was stored.

European digital agenda

Action 8: Revision of the eSignature directive

The European Commission is proposing the revision of the eSignatures Directive. Creating eID systems that work at European level is naturally a very sensitive issue. Close cooperation between EU Member States will be essential. Adopting an acceptable system will require a wide-ranging consultation of both stakeholders and the general public across Europe.

The Commission is proposing an eID Directive in 2012.

Newswire

Further information