The EU’s eIDAS (Electronic Identification, Authentication
and Trust Services) Regulation was launched in October 2014, ushering in – it
was hoped – a new era of digital signing, validated documents, secure electronic
document delivery, verified time-stamps, authenticated websites and intra-EU
cross-border recognition of signatures.
In large part (it also covers Member State public sector electronic identity systems) eIDAS is version 2 of an EU initiative that started 20 years ago, with the 1999 Electronic Signatures Directive.
At the eIDAS launch ceremony the outgoing EU Digital Commissioner Neelie Kroes signed a letter to President-Elect Jean-Claude Juncker using a “qualified signature”, the most secure variety of digital signature defined by eIDAS. She said:
“I am confident that I have laid
the foundation for you to build a digitally-strong house. The eIDAS Regulation
was the missing stone to make cross-border electronic transactions across
Europe a reality.”
Some geo-political tub-thumping was also evident:
“With eIDAS we have accomplished
a major milestone – and we are well ahead of the US in this.”
Finally, the signature:
“As I like to practise what I
preach, I am signing this letter electronically, with my mobile, and using
technology developed thanks to the EU funded STORK project which is currently
used by citizens in Austria.”
The eIDAS ecosystem
The launch marked the official start of a project to create
an eIDAS “ecosystem”. The project aims at fostering wider adoption of digital
signatures: defined at a high level by the Regulation, then given substance by
technical standards promulgated under its umbrella. The Regulation, adopted in
July 2014, came fully into force in July 2016.
The eIDAS ecosystem is populated by a menagerie of signature
generation services, certification authorities, time stamping services,
validation services, preservation services, users and others. Nearly 40 pages
of the Regulation (plus the associated volumes of technical standards and
guidance) aim to tear down the barriers that — so it is said — stand in the way
of signing, sealing and delivering documents electronically.
eIDAS – central or peripheral?
One might expect, then, that eIDAS would be front and centre
when we analyse the ability to use electronic signatures under English law. All
the more so since, unlike its predecessor Directive, as an EU Regulation eIDAS is
directly incorporated into English law. But not so. Counter-intuitively, eIDAS
sits on the sidelines and performs little more than a supporting role.
Direct incorporation as an EU Regulation does revive some
interpretative riddles that, during the period of the Directive, could be left
unresolved. Whatever the Directive might have meant, there was no doubt that English
law complied with it. Those riddles are harder to ignore now that they form part
of English law. Later on, this piece attempts to crack them.
The conclusion, thankfully, is that the eIDAS riddles can and should be solved in a way that leaves the liberal and facilitative English law of signatures untouched.
That conclusion sets the scene for the first major topic of
this piece: how can it be that, when we analyse the ability to use electronic
signatures from an English law perspective, the elaborately constructed edifice
of eIDAS turns out to be more decorative grotto than grand mansion?
The high level answer is that the
eIDAS framework, which defines some specific technical categories of signature,
is swallowed up in the broader English regime under which an electronic
signature of any kind (including something as informal as typing a name or
initials at the end of an email) can count as a signature. Consequently the
technical categories of signature defined by eIDAS (and the Directive before
it) have little legal significance.
If the law does not require the use of an eIDAS-compliant
“advanced signature” (very rarely in English statutes) or “qualified signature”
(no instances in English statutes), and if the law does not confer any exclusive
status on such eIDAS-compliant signatures (as to which more below), then people
are free to choose the kind of electronic signature that suits the transaction
in which they are about to engage.
That, since the Directive came into force 20 years ago, is
what they have done. If users adjudge that they do not require the high levels
of assurance as to identity and data integrity aimed at by EU standards, they are
unlikely to pay a premium for expensively engineered and supported standards-compliant
cryptographic signature products.
How did the Directive, and subsequently eIDAS, come to adopt
the approach that they have?
Reverence for the handwritten signature
One clue lies in reverence for the assumed properties of a handwritten
signature. Underlying both eIDAS and its predecessor Directive is the implicit
assumption that the handwritten signature offers a high degree of protection
against forgery and provides a strong physical connection to the signed
document, both of which characteristics should be replicated in the electronic
world.
Such reverence is understandable to some extent if one
thinks only of a full name, distinctively styled, inscribed indelibly in ink on
paper: the raw material on which a forensic handwriting expert can work if
necessary. But that would be to misdescribe English law (although perhaps not
that of some other countries that have traditionally set great store by the
observance of formalities). The English law of signatures has not required perfection
or anything approaching it. Otherwise English law would not have permitted, as
it has done, an ‘X’ or a facsimile rubber stamp to count as a signature. That liberal approach to physical signatures
sets the tone for the English law approach to electronic signatures.
Reverence for the handwritten signature is a likely source
of the assumption underlying the Directive and eIDAS that the electronic
functional equivalent of a handwritten signature is a cryptographic digital
signature tied to a third party certificate, providing a high level of
confidence that the signatory is who they purport to be and that the signed
document has not been tampered with. Lack of such confidence is said to
undermine trust in the digital environment, creating an impediment to
electronic transactions.
Such comparisons, however, rely on deeper (not necessarily
well-founded) assumptions about the practical function and significance of a
physical signature, the degree of assurance that users expect or require from
any kind of signature, and the status of a signature in national law.
As to problems of interpretation, eIDAS relies on some definitional
concepts that, whilst simple on their face, are nevertheless elusive. For the
eIDAS community itself this may not always be an issue. If products and
services comply with the Commission’s promulgated technical standards they are presumed
to comply with the Regulation’s definitions, whatever those may mean. But for anyone
trying to analyse and apply eIDAS in a wider context, the Regulation and its
predecessor Directive present considerable interpretative challenges.
What does a signature do?
Before grappling with the interpretative riddles of eIDAS, let
us consider the function and legal significance of a signature.
A signature may from a legal perspective be considered to
have three[1]
functions, each of which may be present to a greater or lesser degree:
- Identification of the signatory
- Demonstrating the signatory’s intention to be bound by, or at least adopt, the contents of the document
- Identification of the contents of the signed document
All three functions can be thought of as aspects of non-repudiation:
preventing the signatory from denying that they signed the document at all, from
denying that they intended to be bound by it, or from denying that they signed
a document in those terms.
However, we run into trouble if we turn this round and make
effectiveness at achieving non-repudiation the sine qua non of legal
recognition as a signature. Doing so risks losing sight of the extent to which
traditional signatures fall short of guaranteeing non-repudiation, but
nevertheless are recognised in law as functional signatures.
The observation of the Australian Electronic Commerce Expert
Group in its March 1998 Report to the Attorney-General is apposite:
‘‘There is always the temptation,
in dealing with the law as it relates to unfamiliar and new technologies, to
set the standards required of a new technology higher than those which
currently apply to paper and to overlook the weaknesses that we know to inhere
in the familiar.’’
As the Law Commission noted in its 2001 Advice to Government:
“English law has long accepted a
‘signature’ in the form of an ‘X’ though this does not identify the ‘signatory’
in any real sense.”
Ultimately it is the second function – demonstrating an intention
to be bound – that for English law purposes is the defining characteristic of a
signature. Put more broadly, that function can be stated as an intention to
adopt the contents of the document (or perhaps part of it) or to attribute
legal significance to it.
This function is often described as demonstrating an
authenticating intention on the part of the signatory. The Law Commission, in
its September 2019 Report on Electronic Execution of Documents, concluded that:
“An electronic signature is
capable in law of being used to execute a document (including a deed) provided
that (i) the person signing the document intends to authenticate the document
and (ii) any formalities relating to execution of that document are satisfied.”
The term "authentication" is, however, liable to confuse.
It can be understood to mean assuring the identity of the
signatory or the contents of the signed document — in other words the first and
third possible functions of a signature — respectively. eIDAS now defines ‘authentication’ in that
way: as an electronic process that “enables the electronic identification of a
natural or legal person, or the origin and integrity of data in electronic form
to be confirmed”.
The 2019 Law Commission Report points out that, by contrast,
English law uses authentication to mean the second function:
“3.29 … We use this language
because this is what is used in case law. What it means, effectively, is that
the party intended to be bound by the document.”
The Directive’s definition of an electronic signature
required that it “serve as a method of authentication”. However, since
authentication was left undefined it was unclear in what sense it was being
used. eIDAS, as seen above, has now introduced a definition of authentication
in terms of identification of signatory and data. However, it no longer stipulates
authentication as a defining characteristic of an electronic signature. That
definition has moved towards an English law approach: “data in
electronic form which is … used by the signatory to sign.”
Technologists and policy-makers may tend to assume that an
electronic signature cannot be valid (or at least useful) unless it performs
each of the three non-repudiation functions to a high level of confidence. Even
when specified in a technology-neutral fashion, that tends to lead to complex
schemes involving third party certification of the signatory’s identity, allied
with cryptographic methods of securing the signature and of demonstrating that
the document has not been altered.
Such techniques, however, go far beyond achieving
equivalence with the capabilities of an ordinary handwritten signature. To the
extent that a traditional signature performs the first and third functions (identification of signatory and document), it may
do so only weakly.
Even a full handwritten autograph is not proof against forgery. An ‘X’ marked at the end of the document (which in English law is capable of operating as a signature) barely, if at all, identifies the signatory. Neither it nor an autograph signature infallibly identifies the contents of the document (at least, one consisting of several pages), nor renders it tamper-evident. To the extent that digital signatures have sought to render electronically signed documents tamper-evident, that emulates the qualities of paper rather than that of the signature inscribed upon it.
A historic quest for near-perfect non-repudiation mechanisms
lies behind some policy and technological developments in the electronic
signatures field. A tendency to prescribe technology-specific requirements was
especially evident in some 1990s legislation (the 1995 Utah Digital Signature
Act being the paradigm example). Whilst legislatures have generally moved on
since then towards adopting more technology-neutral approaches, the echoes
still reverberate.
Now let us turn from function to legal significance
of a signature. On most occasions when we
sign documents the law does not require a signature to be used. Sometimes,
however, it does so. Compliance with such a mandatory requirement is a different
and separate issue from the legal significance of a signature generally, which
is discussed below.
Mandatory signatures
If the law (usually a statute) does require a signature to
be used in a particular situation, then does the kind of signature proposed to
be used comply with that requirement? The answer is likely to affect the
validity of the document or of a transaction to which it relates.
eIDAS does not prevent a Member State from enacting
legislation that stipulates formalities that have to be complied with for a
particular purpose, including use of a particular kind of signature (whether
wet-ink or electronic) (see discussion under ‘Legal Effect’ below).
The 2019 Law Commission Report observed that there is an
argument that eIDAS would have allowed the common law to develop to the effect
that an electronic signature was not a valid way of signing a contract.
However, English common law has not done that. Conclusion of
a contract is not generally subject to a statutory requirement for a signature.
Furthermore, English law has taken a liberal view of what
constitutes a signature for the purposes of a generally expressed statutory
signature requirement, encompassing all kinds of electronic signature including
the most informal. In English law any kind of electronic signature is capable
of satisfying a generally expressed requirement for a signature, so long as
there is an intention thereby to adopt the contents of the document and so long
as any other applicable formalities are satisfied (see 2019 Law Commission
Report, above).
Non-mandatory signatures
Signing a document without any statutory or other legal requirement
for a signature may (or may not) have some legal significance. Thus:
- signature is one way of concluding a contract and indicating assent to its terms (even though the law does not in general require a contract to be signed).
- when we sign a letter the signature associates us with the final contents. That may have legal consequences (if, for instance, the letter provides a reference on which the recipient will rely).
- if we sign a painting we do so in order to adopt it as our work.
- if we sign a receipt we are acknowledging that the goods, services or money have been received.
- if we sign a document as a witness, we do so to indicate that we observed the signatory signing the document (but we do not thereby endorse the contents of the document).
- if a celebrity signs an autograph book, they are providing a specimen of their signature. There is no intent, by signing the book, to adopt any of its contents other than the signature itself.
Thus the legal effect (if any) of a signature may vary considerably
depending on the purpose for which the signature is applied and the context in
which it is later relied upon.
The riddles of eIDAS
Now let us turn to eIDAS. eIDAS describes several kinds of
electronic signature. Most relevantly, it defines advanced electronic
signatures and qualified electronic signatures.
What those consist of in technical terms need not detain us
for the moment. Suffice to say that both attempt to incorporate all three
signature functions (identity of signatory, intention to authenticate and
identification of document contents) to a high level of confidence. Advanced
signatures can be thought of as the eIDAS silver standard, qualified signatures
as the gold standard. The bronze standard is any other signature in electronic
form.
eIDAS itself does not compel the use of advanced or
qualified signatures. Nor does it require Member States to compel private
parties to use either of them in their dealings. They are in the nature of prefabricated tools that Member States (or indeed private parties in contracts)
are at liberty to prescribe if they wish to do so.
So where lies the problem of interpretation? The EU
legislature wanted to do two further things: (a) prevent Member States from
discriminating against use of electronic signatures as such and (b) attribute a
specific status to its gold standard “qualified signature”. But at the same
time Member States were to be free to lay down whatever formalities for
transactions between private parties they saw fit. That could include
stipulating that a specific kind of signature had to be used in any given
situation.
The attempt to reconcile these objectives resulted first in
Article 5 of the Directive, then Article 25 of eIDAS. Article 25 states (in
part):
“1. An electronic signature shall
not be denied legal effect and admissibility as evidence in legal proceedings
solely on the grounds that it is in an electronic form or that it does not meet
the requirements for qualified electronic signatures.
2. A qualified electronic signature shall have
the equivalent legal effect of a handwritten signature. …”
Article 5 of the Directive employed broadly comparable terminology:
“legal effectiveness” and “satisfy the legal requirements of a signature in
electronic form in the same manner as a handwritten signature satisfies those
requirements in relation to paper-based data”.
Legal effect and admissibility in evidence are, on the face
of them, separate concepts. Admissibility in evidence is simple: the
court is able to look at the signature (although it is still free to give it as
much or as little evidential weight as it thinks fit). Legal effect, however, is a puzzle.
Riddle 1: Legal Effect
‘Legal effect’ is mentioned in both Article 25.1 and 25.2 of
eIDAS.
Article 25.1 is the non-discrimination provision. Legal effect must not be denied either solely
on grounds of electronic form or because it is not a gold-standard qualified
signature.
But what constitutes legal effect? At first sight it could mean
that any electronic signature must be taken to satisfy a national law statutory
requirement for a signature. However, that
cannot be the answer, for several reasons.
Purposively, it would be a pointless exercise for the Regulation
to define different kinds of electronic signature if Article 25(1) meant that Member
State legislatures could not stipulate that a specified kind of electronic
signature must be used in particular circumstances.
Indeed Recital (49) of eIDAS makes clear that the only
limitation on Member States’ ability to define the legal effect of an
electronic signature is the stipulation for handwritten signature equivalence
provided by Article 25.2:
“It is for national law to define
the legal effect of electronic signatures, except for the requirements provided
for in this Regulation according to which a qualified electronic signature
should have the equivalent legal effect of a handwritten signature.”
The Law Commission Report on Electronic Execution of
Documents observed at para 3.15:
“eIDAS therefore allows member
states to make provision for the legal effect of electronic signatures which
are not qualified electronic signatures. This would allow member states to lay
down, for example, security standards to be complied with by e-signing systems
should they want to.”
Furthermore, Article 2(3) of eIDAS reserves to national or other EU law
the imposition of formalities. The Regulation:
“does not affect national or
Union law related to the conclusion and validity of contracts or other legal or
procedural obligations relating to form”
Recital (21) reinforces the point:
“Neither should this Regulation
cover aspects related to the conclusion and validity of contracts or other
legal obligations where there are requirements as regards form laid down by
national or Union law. In addition, it should not affect national form
requirements pertaining to public registers, in particular commercial and land
registers.”
Obligations relating to form may include formalities
relating to signatures. The Law Commission took the view (at para 3.34) that
such formalities could include a requirement for witnessing of a signature, or
that the signature be in a specific form (such as handwritten).
eIDAS therefore does not prevent a Member State from
enacting legislation that stipulates formalities that have to be complied with
for a particular purpose, including use of a particular kind of signature
(whether wet-ink or electronic).
Compliance with a statutory requirement for a signature, potentially
affecting the validity of the underlying document or transaction, is best
understood as a separate matter from ‘legal effect’ of a signature. As such it
is a matter of domestic English law, untouched by eIDAS.
If ‘shall not be denied legal effect’ in Article 25(1) does
not refer to satisfying a statutory requirement for a signature, what does it
mean? The answer probably lies in the uses to which signatures are generally
put in the absence of a statutory requirement. As already discussed, if
a person adopts the contents of a document by means of their signature, any
legal effect will vary depending on the kind of document and the legal issue
that has subsequently arisen.
The European Commission, in its eIDAS Questions and Answers,
says:
“What do
the eIDAS non-discrimination clauses mean?
The eIDAS Regulation sets the
principle of non-discrimination of the legal effects and admissibility of
electronic signatures … as evidence in legal proceedings. Courts (or other
bodies in charge of legal proceedings) cannot discard them as evidence only
because they are in an electronic form. Nevertheless, Courts must check whether
there are any procedures to be followed according to the EU or national
(general or sectorial) law for a given document (including possible
requirements on the use of specific levels of electronic tools) and might
discard them on these grounds. In other words, the non-discrimination clause
does not mean that each and every procedure can be carried out electronically.
It means that Courts have to assess these electronic tools in the same way they
would do for their paper equivalent.”
This suggests a limited application of the
non-discrimination principle, interpreting ‘legal effect’ as requiring only non-discriminatory
application of national court procedures. On this basis only a bright line
categorical refusal by a court to consider electronic signatures as a class would be
impermissible.
Also, Recital (49) of eIDAS (above) suggests that Member
States may stipulate the legal effect of electronic signatures (other than
qualified signatures), even if that legal effect is specific to a particular
kind of electronic signature.
Article 25(1) may thus mean that a court considering an
electronic signature used in a non-mandated context cannot categorically preclude
it from having any legal effect simply because it is electronic; but that
Member States may (a) define the legal effect of an electronic signature other
than a qualified signature and (b) mandate that particular kinds of signature
(electronic or otherwise) must be used for some kinds of document. A court
would still be free to deny an electronic signature legal effect on its merits
(or lack of them) – for instance on the ground that the particular electronic
signature that had been used lacked sufficient probative value.
That sits well alongside the second limb of Article 25(1),
which provides that an electronic signature must be admissible in evidence.
Admissibility means only that the court can look at the evidence. The court is
then able to consider what evidential weight to give to the signature, for the
purpose of evaluating whatever legal significance the signature may have in the
context of the dispute on which the court is adjudicating. Article 25(1) does
not prescribe that any particular evidential weight should be given to any kind
of signature.
As to admissibility in evidence, from an English law perspective
admissibility is trivial. There was never any doubt that an electronic
signature is admissible in evidence in an English court. For good measure, that
was made explicit in the Electronic Communications Act 2000, which implemented
the Electronic Signatures Directive.
Riddle 2: equivalent legal effect to a handwritten signature
Article 25(2) provides that a qualified electronic signature
shall have the equivalent legal effect of a handwritten signature. The implicit
premise of Article 25.2 is that a handwritten signature has some particular (presumably
greater) legal effect than some other kinds of signature. eIDAS does not say
what it means by a handwritten signature.
Whether any distinction between handwritten and other
signatures exists is a matter of the underlying law of each Member State.
Recital (20) of the Directive recognised that: “national law lays down
different requirements for the legal validity of handwritten signatures”.
Equally, Member States may lay down different legal effects for handwritten
signatures recognised as valid under their laws.
To an English lawyer an assumed distinction between
handwritten signatures and others is conceptually puzzling, since (as discussed
above) handwritten signatures generally have no special legal status in English
law. A signature is a signature, whether it be a flowery autograph inscribed using
a fountain pen, a rubber stamp facsimile, or an X marked with a pencil. What
matters is whether the putative signatory applied it with intent to sign the
document[2].
Given the underlying variety of Member State physical
signature laws, Article 25(2) can be understood to mean that if under a
Member State’s law a handwritten signature as such has some particular legal
effect, then a qualified signature must be accorded equivalent legal effect.
Conversely, however, Article 25(2) does not say that only
a qualified signature can be accorded equivalent legal effect to a handwritten
signature. It is therefore open to a Member State to treat electronic
signatures generally as having equivalent legal effect to handwritten and other
kinds of physical signature, thus bypassing the potential difficulty of being
required to accord an assumed but non-existent special status to a qualified
signature.
That is the position that has been adopted in England: any
kind of electronic signature is capable of performing the function of a
signature.
When we consider the millions of informal electronic
signatures used every day, one shudders to think of the havoc that would have
been wrought had the Directive (and now eIDAS) stipulated that a Member State
could confer legal effect equivalent to a handwritten signature only on a
qualified signature. Fortunately, that is not what it says.
Riddle 3: uniquely linked
“Advanced electronic signature” is the silver standard
defined under eIDAS. Unlike for the gold standard “qualified electronic
signature”, eIDAS confers no particular legal status on an advanced electronic
signature. It is intended as a defined category of signature that can be
referred to in other EU or Member State legislation or in private documents
such as contracts. But it is also a
component of the qualified signature which, as we have seen, must be accorded
equivalent legal effect to a handwritten signature.
The definition of an advanced electronic signature sets
another puzzle. An advanced signature must satisfy four conditions:
- The signature is uniquely linked to the signatory
- It is capable of identifying the signatory
- It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control. “electronic signature creation data” means unique data which is used by the signatory to create an electronic signature. An “electronic signature” is data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
- It is linked to the signed data in such a way that any subsequent change in the data is detectable.
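The fourth condition, and the earlier description of a cryptographic signature tied to a certificate as providing identity assurance and tamper-evidence, can be made concrete. The following is an added example, not code from the article, from eIDAS or from any ETSI standard; it assumes Ed25519 as the signature scheme (eIDAS does not prescribe one) and uses a constructed sample letter. It shows what a relying party can actually check from the signature alone (that the data has not changed since signing, and which key signed it) and, by omission, what it cannot: the binding of that key to a natural person, which must come from a certificate or other evidence outside the signature mathematics.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// SignedDocument holds the signed bytes, the detached signature and the
// public key "logically associated" with them, to borrow the eIDAS wording.
// Nothing in it names a natural person.
type SignedDocument struct {
	Data      []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Sign produces a detached Ed25519 signature over the document. The private
// key plays the role of "electronic signature creation data": anyone holding
// it can sign, so "sole control" is a matter of key custody, not of the maths.
func Sign(priv ed25519.PrivateKey, data []byte) SignedDocument {
	return SignedDocument{
		Data:      data,
		Signature: ed25519.Sign(priv, data),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify checks the signature against the data and key. This is the fourth
// condition in code: any change to the data after signing fails verification.
func Verify(doc SignedDocument) bool {
	return ed25519.Verify(doc.PublicKey, doc.Data, doc.Signature)
}

// KeyFingerprint is all a relying party can identify from the signature
// itself: a public key. Binding that key to a person is the job of a
// certificate or other out-of-band evidence, which this example omits.
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Outcome records the checks run by Demonstrate.
type Outcome struct {
	Original bool   // unaltered document verifies (expected true)
	Tampered bool   // document altered after signing verifies (expected false)
	WrongKey bool   // same data and signature, different key (expected false)
	Signer   string // fingerprint of the signing key: a key, not a person
}

// Demonstrate signs a constructed sample document and exercises the checks.
func Demonstrate() (Outcome, error) {
	var out Outcome

	// Constructed sample text standing in for the signed letter.
	letter := []byte("Dear President-Elect, the eIDAS Regulation was the missing stone.")

	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	signed := Sign(priv, letter)
	out.Original = Verify(signed)
	out.Signer = KeyFingerprint(signed.PublicKey)

	// Fourth condition: alter one byte of the data; the signature no longer verifies.
	tampered := signed
	tampered.Data = append([]byte(nil), signed.Data...)
	tampered.Data[0] ^= 0x01
	out.Tampered = Verify(tampered)

	// The link is to the key, not to the person: the same data and signature
	// presented with another key fail, whoever holds either key.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	wrongKey := signed
	wrongKey.PublicKey = otherPub
	out.WrongKey = Verify(wrongKey)

	return out, nil
}

func main() {
	out, err := Demonstrate()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("original verifies: %v\ntampered verifies: %v\nother key verifies: %v\n",
		out.Original, out.Tampered, out.WrongKey)
	fmt.Println("signing key fingerprint (identifies a key, not a person):", out.Signer)
}
```

Run as a normal Go program. The two failing checks are the useful ones: the tampered copy shows the fourth condition being met by the signature scheme itself, and the wrong-key check shows that what the signature uniquely links to is a key pair, which is why the first condition ("uniquely linked to the signatory") cannot be satisfied by the cryptography alone.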
The first condition is that the signature is uniquely linked
to the signatory. But what does that mean? Is the required link technical,
logical or some other kind of association?
Since a signatory (“a natural person who creates an
electronic signature”) has to be a human being, how can data be linked in any
technical sense to a human being? It is possible to link data to a device, or
to other data. But the device is not the human being. What kind of technical
feature would be capable of linking an electronic signature to a human being, whether
or not uniquely?[3]
Does ‘uniquely linked’ perhaps imply some kind of assurance
that the signatory is who s/he says s/he is? If so, that does not go so far as
to require third party verification by certification authority. Nothing in
eIDAS suggests that a third party certificate was intended to be required by
the definition of advanced signature.
A middle ground interpretation could be that if some kind of
remembered or biometric information, such as a password or a fingerprint, is
required in order to use the unique signature creation data, or perhaps to log
on to the machine on which the signing facility is installed, that creates a sufficient
logical link between the signature and the signatory[4].
Another possibility might be that it is sufficient if the
signature technology is based on data that is unique to the signatory. In this
interpretation, “uniquely linked” implies unique association with the signatory,
but not necessarily a technological link such as a password to make use of the
unique data. However this interpretation seems unlikely, since uniqueness of
the data is already a requirement of the third condition.
Fortunately, this riddle rarely requires a solution in the
English law context, since there are few examples of legislation that refer to
a bare advanced signature. However, some do exist. For instance Reg 37(7) of
the Risk Transformation Regulations 2017 provides that where the Financial
Conduct Authority certifies an electronic copy as a “true copy”, it must do so
with an advanced electronic signature.
The relevance of eIDAS to English signatures law
We have suggested that eIDAS, for all its complexity and technical
sophistication, sits on the sidelines as far as the ability to use electronic
signatures under English law is concerned. We can now summarise the reasons why
this is so:
- No English statute requires use of an eIDAS-compliant qualified signature
- Very few English statutes require use of an eIDAS-compliant advanced signature
- English law already contained no bar, either substantive or in terms of admissibility in evidence, against a signature as such being in electronic form
- eIDAS does not preclude a national law stipulation for a particular kind of signature. In any event most English law statutory signature requirements are stated in general terms (e.g. ‘signed by’, or ‘signed by or on behalf of’), which under the English law of signatures is capable of being satisfied by any kind of electronic signature.
- Since English law confers no special status on a handwritten signature, the eIDAS requirement to give equivalent effect to a qualified signature is redundant. In any event English law gives effect to any kind of electronic signature, whether a qualified signature or not.
- Most impediments to use of electronic signatures under English law are caused not by signature rules, but other formalities governing medium, process or form (such as witnessing). These are outside the scope of eIDAS.
As a matter of practice, within this liberal framework
parties deploy electronic signatures by the million, choosing anything from an
informal name typed at the end of an e-mail, to signature buttons, to the
varieties of signature offered by signing platforms — all according to the
nature, value and significance of the transaction. Whether or not to use an
eIDAS-defined advanced or qualified signature is a matter of choice on their
merits.
In the UK (and indeed in most EU countries) the use of
qualified signatures pre-eIDAS was minimal. A 2012 European Commission Staff Working
Document recorded one UK qualified certificate provider, which had issued one
certificate. As for advanced signatures, under the Directive an advanced
signature was generally thought to require the use of a physical signing device
such as a smart card, which for signature applications were barely used in the
UK.
Why, if a legal system can cope flexibly with all kinds of
electronic signature, did EU digital signatures law go down its standards-based
path and end up with the eIDAS ecosystem?
For at least part of the answer, we have to delve back into
the history of the predecessor Electronic Signatures Directive.
History of the Directive
The Directive was hatched in the late 1990s. The initial focus
of the project was on cryptographic digital signatures rather than on electronic
signatures generally. This was at a time when it was widely asserted that addressing
the perceived electronic non-repudiation problem required the use of
cryptographically assured public key-private key digital signatures. Italy, a
country traditionally wedded to formalities, had promulgated a highly
prescriptive digital signatures decree. Germany was also heading down a
technology-specific PKI path.
This was a classic situation in which the Commission could
see that national legislation would erect technical barriers within the
Internal Market. Hence the enthusiasm to head that off with EU-wide legislation.
The Directive had its origins in the Commission’s 1997
Communication “Ensuring Security and Trust in Electronic Communication”. This
aimed to carve out use of encryption for digital signatures from the broader
‘crypto-wars’ that were raging at the time. As the Communication put it:
“discussions about the possible conflict between divergent interests on
security” had shown “a considerable amount of confrontation and discontent
between institutions and interest groups”.
The Communication focused on how to promote use of cryptographic
digital signatures as the solution to lack of security and trust, which were said
to be an impediment to electronic commerce.
There was also a characteristic European Commission aim of
“stimulating a European industry for cryptographic services and products”. The
Commission observed that only a few companies in Europe had so far taken steps
to offer digital signature services. It averred: “One of the main reasons is
the weakness of demand resulting partly from the absence of legal recognition
of digital signatures”.
After asserting that important documents could not be
exchanged across open networks because of the absence of contractual and mutual
trust arrangements present in closed networks, the Commission suggested that ‘authentication
and integrity services are needed for secure and trustworthy data transmission
and communication over open networks”.
The Commission was particularly focused on cryptographic
digital signatures supported by certificates issued by trusted third party
Certification Authorities: “In particular CAs are crucial for digital
signatures to become a fully accepted tool within national legal systems, for
instance to ensure legal recognition and enforceability of a signature in
electronic commerce.”
But the underlying premise of all this — that technically
sophisticated digital signatures were a river waiting to flood once EU
legislation broke the dam — was little more than an assumption.
So, for example, when the Communication observed that “a key
used to authorise a large financial transfer between two banks will require a
high level of trust whilst one used to validate a low value personal purchase
will not need to be trusted to the same extent”, it did not go on to question why,
for the low value personal purchase, anyone would go to the trouble of
employing a key-based digital signature or a validation mechanism at all.
A less politically driven project might have placed more
emphasis on testing whether assumptions about the degree of trust needed from
an electronic signature reflected reality.
By the time of its May 1998 proposal for the Directive the
Commission had backed off a little from its focus on PKI and decided that it
had to take a more technology-neutral approach:
“Since a variety of
authentication mechanisms is expected to develop, the scope of this Directive
should be broad enough to cover a spectrum of “electronic signatures”, which
would include digital signatures based on public-key cryptography as well as
another means of authenticating data”.
Against this background the advanced electronic signature
(which as regards ‘uniquely linked’ was defined in the same terms in the
Directive as in eIDAS) can be understood as an attempt to describe, in abstract
terms, the features of a public key-private key digital signature:
- The certificate contains data identifying the signatory.
- The private key is unique.
- The signature data is technically linked to the private key.
- The hash function renders the signed document tamper-evident.
However, the Commission’s approach still seemed to assume that
an electronic signature of any kind would need some kind of authentication
mechanism, whether PKI or some future technology:
“The proposal for a Directive
aims at “enabling” the use of electronic signatures within an area without
internal frontiers by focusing on the essential requirements for
certification services…” [p.5]
The Proposal still envisaged electronic signatures as the
kind of thing that would involve internationally agreed standards to establish
“an open environment for interoperable products and services” [p.3 pt 6]
Recital (6) of the Proposal for Directive, in a passage that
did not make it into the Directive itself, observed that “digital signatures
based on public-key cryptography are currently the most recognised form of
electronic signature”.
Thus the focus was — perhaps unsurprisingly in an Internal Market
Directive — on the technically advanced kinds of signatures that it was hoped
would stimulate a future cryptographic services industry within the EU.
Of course typing a name, or pasting a scan of a manuscript signature, into a document have no authentication mechanism beyond inclusion in the document intended to be signed. They need no service industry infrastructure to support them. In English law, as we have seen, both are capable of functioning as a signature, even where a signature is required by a statute.
Although not firmly established at that time, that was even then a reasonable deduction from previous English law relating to physical signatures. Only a few years later, in 2001, the English Law Commission opined that:
Of course typing a name, or pasting a scan of a manuscript signature, into a document have no authentication mechanism beyond inclusion in the document intended to be signed. They need no service industry infrastructure to support them. In English law, as we have seen, both are capable of functioning as a signature, even where a signature is required by a statute.
Although not firmly established at that time, that was even then a reasonable deduction from previous English law relating to physical signatures. Only a few years later, in 2001, the English Law Commission opined that:
“Digital signatures, scanned
manuscript signatures, typing one’s name (or initials) and clicking on a
website button are, in our view, all methods of signature which are generally
capable of satisfying a statutory signature requirement. We say that on the
basis that it is function, rather than form, which is determinative of the
validity of a signature. These methods are all capable of satisfying the
principal function: namely, demonstrating an authenticating intention.”
Against the background of the 1997 Communication and the
1998 Proposal, and the emphasis on a hoped-for future digital signatures
industry, the subsequent inclusion of broadly defined ordinary electronic
signatures in the Directive (defined to include any kind of signature in
electronic form) has the impression of being something of an afterthought.
But for English law at any rate, that — and the ability to provide equivalence to a handwritten signature for any kind of electronic signature — were highly significant. It meant that the Directive changed little or nothing, since as we have seen the common law was already flexible in its approach to what constituted a signature.
But for English law at any rate, that — and the ability to provide equivalence to a handwritten signature for any kind of electronic signature — were highly significant. It meant that the Directive changed little or nothing, since as we have seen the common law was already flexible in its approach to what constituted a signature.
In the event, takeup of qualified signatures in the years following
the Directive was modest, and in the UK almost non-existent. People and businesses tended to use whatever kind of
electronic signature suited their purpose best – even down to the most
informal, such as typing a name at the end of an e-mail or into a web form.
Cloud-based signing platforms eventually became popular, but
for the most part offered ‘good enough’ signature methods that did not seek to
conform to the Directive’s advanced and qualified signature standards. For most
ordinary purposes that sufficed and, in the absence of a statutory requirement
for an advanced or qualified signature, no-one in England had much reason to worry
about whether a signature conformed to any of the Directive’s specifications.
Revising the Directive
When it came to the revision of the Directive, the
Commission determined that the modest take-up of standards-based signatures was largely
due to lack of cross-border recognition within the EU.
The Commission’s 2012 Proposal for a Regulation displayed
the same equation of electronic signatures and sophisticated technology that
had been apparent in the 1990s.
The Staff Working Paper that accompanied the Proposal suggested that a reason for modest take up of electronic signatures was that signing a document or email was “not handy”, that to install a certificate on the computer was “uneasy” and that most applications for private use badly integrated e-signature functionalities.
It went on to say that “free webmail services (such as Hotmail, Yahoo or Gmail) do not allow signing e-mails”. The notion that a user could validly sign an email by typing their name at the foot of it was absent. With this underlying mindset, it is perhaps no surprise that eIDAS turned out to be largely orthogonal to English signatures law.
The Staff Working Paper that accompanied the Proposal suggested that a reason for modest take up of electronic signatures was that signing a document or email was “not handy”, that to install a certificate on the computer was “uneasy” and that most applications for private use badly integrated e-signature functionalities.
It went on to say that “free webmail services (such as Hotmail, Yahoo or Gmail) do not allow signing e-mails”. The notion that a user could validly sign an email by typing their name at the foot of it was absent. With this underlying mindset, it is perhaps no surprise that eIDAS turned out to be largely orthogonal to English signatures law.
For signatures, the eIDAS Regulation made two main changes
compared with the Directive: it made clear that the ‘gold standard’ signature
(now called a ‘qualified signature’) could be implemented remotely in the
cloud, not just by a physical device such as a USB signature dongle or a smart
card; and it introduced a system of intra-EU cross-border recognition of trust
service providers (who provide the third party certificates that underpin
qualified signatures).
With these eIDAS changes, providers
are now offering standards-based advanced and qualified signatures. Whether there
will be an increase in the appetite to use them will no doubt become apparent
in time.
[1]
Lorna Brazell, in Electronic Signatures and Identities Law and Regulation
(3rd ed Sweet & Maxwell, 2018, para 2-002) identifies as many as seven
potential functions of a signature.
[2]
However, other questions may arise such as whether the signatory can delegate the
act of signing to an agent.
[3]
Stephen Mason has suggested that the ‘uniquely linked’ condition is impossible
to comply with. See Electronic Signatures in Law (4th ed,
2016), para 4.17.
[4]
Cf. Brazell (op cit) at 6-054: “some unique logical link”, such as “independent
evidence as to who it was who applied the signature means”.
No comments:
Post a Comment
Note: only a member of this blog may post a comment.