Sunday 10 May 2020

Decrypting eIDAS

The EU’s eIDAS (Electronic Identification, Authentication and Trust Services) Regulation was launched in October 2014, ushering in – it was hoped – a new era of digital signing, validated documents, secure electronic document delivery, verified time-stamps, authenticated websites and intra-EU cross-border recognition of signatures.

In large part (it also covers Member State public sector electronic identity systems) eIDAS is version 2 of an EU initiative that started 20 years ago, with the 1999 Electronic Signatures Directive.

At the eIDAS launch ceremony the outgoing EU Digital Commissioner Neelie Kroes signed a letter to President-Elect Jean-Claude Juncker using a “qualified signature”, the most secure variety of digital signature defined by eIDAS. She said:

“I am confident that I have laid the foundation for you to build a digitally-strong house. The eIDAS Regulation was the missing stone to make cross-border electronic transactions across Europe a reality.”

Some geo-political tub-thumping was also evident:

“With eIDAS we have accomplished a major milestone – and we are well ahead of the US in this.”

Finally, the signature:

“As I like to practise what I preach, I am signing this letter electronically, with my mobile, and using technology developed thanks to the EU funded STORK project which is currently used by citizens in Austria.”

The eIDAS ecosystem

The launch marked the official start of a project to create an eIDAS “ecosystem”. The project aims at fostering wider adoption of digital signatures: defined at a high level by the Regulation, then given substance by technical standards promulgated under its umbrella. The Regulation, adopted in July 2014, came fully into force in July 2016.

The eIDAS ecosystem is populated by a menagerie of signature generation services, certification authorities, time stamping services, validation services, preservation services, users and others. Nearly 40 pages of the Regulation (plus the associated volumes of technical standards and guidance) aim to tear down the barriers that — so it is said — stand in the way of signing, sealing and delivering documents electronically.

eIDAS – central or peripheral?

One might expect, then, that eIDAS would be front and centre when we analyse the ability to use electronic signatures under English law. All the more so since, unlike its predecessor Directive, as an EU Regulation eIDAS is directly incorporated into English law. But not so. Counter-intuitively, eIDAS sits on the sidelines and performs little more than a supporting role.

Direct incorporation as an EU Regulation does revive some interpretative riddles that, during the period of the Directive, could be left unresolved. Whatever the Directive might have meant, there was no doubt that English law complied with it. Those riddles are harder to ignore now that they form part of English law. Later on, this piece attempts to crack them.

The conclusion, thankfully, is that the eIDAS riddles can and should be solved in a way that leaves the liberal and facilitative English law of signatures untouched.

That conclusion sets the scene for the first major topic of this piece: how can it be that, when we analyse the ability to use electronic signatures from an English law perspective, the elaborately constructed edifice of eIDAS turns out to be more decorative grotto than grand mansion?

The high level answer is that the eIDAS framework, which defines some specific technical categories of signature, is swallowed up in the broader English regime under which an electronic signature of any kind (including something as informal as typing a name or initials at the end of an email) can count as a signature. Consequently the technical categories of signature defined by eIDAS (and the Directive before it) have little legal significance.

If the law does not require the use of an eIDAS-compliant “advanced signature” (very rarely in English statutes) or “qualified signature” (no instances in English statutes), and if the law does not confer any exclusive status on such eIDAS-compliant signatures (as to which more below), then people are free to choose the kind of electronic signature that suits the transaction in which they are about to engage.

That, since the Directive came into force 20 years ago, is what they have done. If users adjudge that they do not require the high levels of assurance as to identity and data integrity aimed at by EU standards, they are unlikely to pay a premium for expensively engineered and supported standards-compliant cryptographic signature products. 

How did the Directive, and subsequently eIDAS, come to adopt the approach that they have?

Reverence for the handwritten signature

One clue lies in reverence for the assumed properties of a handwritten signature. Underlying both eIDAS and its predecessor Directive is the implicit assumption that the handwritten signature offers a high degree of protection against forgery and provides a strong physical connection to the signed document, both of which characteristics should be replicated in the electronic world.

Such reverence is understandable to some extent if one thinks only of a full name, distinctively styled, inscribed indelibly in ink on paper: the raw material on which a forensic handwriting expert can work if necessary. But that would be to misdescribe English law (although perhaps not that of some other countries that have traditionally set great store by the observance of formalities). The English law of signatures has not required perfection or anything approaching it. Otherwise English law would not have permitted, as it has done, an ‘X’ or a facsimile rubber stamp to count as a signature.  That liberal approach to physical signatures sets the tone for the English law approach to electronic signatures.

Reverence for the handwritten signature is a likely source of the assumption underlying the Directive and eIDAS that the electronic functional equivalent of a handwritten signature is a cryptographic digital signature tied to a third party certificate, providing a high level of confidence that the signatory is who they purport to be and that the signed document has not been tampered with. Lack of such confidence is said to undermine trust in the digital environment, creating an impediment to electronic transactions.

Such comparisons, however, rely on deeper (not necessarily well-founded) assumptions about the practical function and significance of a physical signature, the degree of assurance that users expect or require from any kind of signature, and the status of a signature in national law.  

As to problems of interpretation, eIDAS relies on some definitional concepts that, whilst simple on their face, are nevertheless elusive. For the eIDAS community itself this may not always be an issue. If products and services comply with the Commission’s promulgated technical standards they are presumed to comply with the Regulation’s definitions, whatever those may mean. But for anyone trying to analyse and apply eIDAS in a wider context, the Regulation and its predecessor Directive present considerable interpretative challenges.

What does a signature do?

Before grappling with the interpretative riddles of eIDAS, let us consider the function and legal significance of a signature.

A signature may from a legal perspective be considered to have three[1] functions, each of which may be present to a greater or lesser degree:

  • Identification of the signatory
  • Demonstrating the signatory’s intention to be bound by, or at least adopt, the contents of the document
  • Identification of the contents of the signed document

All three functions can be thought of as aspects of non-repudiation: preventing the signatory from denying that they signed the document at all, from denying that they intended to be bound by it, or from denying that they signed a document in those terms.

However, we run into trouble if we turn this round and make effectiveness at achieving non-repudiation the sine qua non of legal recognition as a signature. Doing so risks losing sight of the extent to which traditional signatures fall short of guaranteeing non-repudiation, but nevertheless are recognised in law as functional signatures.

The observation of the Australian Electronic Commerce Expert Group in its March 1998 Report to the Attorney-General is apposite:

“There is always the temptation, in dealing with the law as it relates to unfamiliar and new technologies, to set the standards required of a new technology higher than those which currently apply to paper and to overlook the weaknesses that we know to inhere in the familiar.”

As the Law Commission noted in its 2001 Advice to Government:
“English law has long accepted a ‘signature’ in the form of an ‘X’ though this does not identify the ‘signatory’ in any real sense.”

Ultimately it is the second function – demonstrating an intention to be bound – that for English law purposes is the defining characteristic of a signature. Put more broadly, that function can be stated as an intention to adopt the contents of the document (or perhaps part of it) or to attribute legal significance to it.

This function is often described as demonstrating an authenticating intention on the part of the signatory. The Law Commission, in its September 2019 Report on Electronic Execution of Documents, concluded that:

“An electronic signature is capable in law of being used to execute a document (including a deed) provided that (i) the person signing the document intends to authenticate the document and (ii) any formalities relating to execution of that document are satisfied.”

The term "authentication" is, however, liable to confuse.

It can be understood to mean assuring the identity of the signatory or the contents of the signed document — in other words the first and third possible functions of a signature respectively. eIDAS now defines ‘authentication’ in that way: as an electronic process that “enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed”.

The 2019 Law Commission Report points out that, by contrast, English law uses authentication to mean the second function:

“3.29 … We use this language because this is what is used in case law. What it means, effectively, is that the party intended to be bound by the document.”

The Directive’s definition of an electronic signature required that it “serve as a method of authentication”. However, since authentication was left undefined it was unclear in what sense it was being used. eIDAS, as seen above, has now introduced a definition of authentication in terms of identification of signatory and data. However, it no longer stipulates authentication as a defining characteristic of an electronic signature. That definition has moved towards an English law approach: “data in electronic form which is … used by the signatory to sign.”

Technologists and policy-makers may tend to assume that an electronic signature cannot be valid (or at least useful) unless it performs each of the three non-repudiation functions to a high level of confidence. Even when specified in a technology-neutral fashion, that tends to lead to complex schemes involving third party certification of the signatory’s identity, allied with cryptographic methods of securing the signature and of demonstrating that the document has not been altered.

Such techniques, however, go far beyond achieving equivalence with the capabilities of an ordinary handwritten signature. To the extent that a traditional signature performs the first and third functions (identification of signatory and document), it may do so only weakly.

Even a full handwritten autograph is not proof against forgery. An ‘X’ marked at the end of the document (which in English law is capable of operating as a signature) barely, if at all, identifies the signatory. Neither it nor an autograph signature infallibly identifies the contents of the document (at least, one consisting of several pages), nor renders it tamper-evident. To the extent that digital signatures have sought to render electronically signed documents tamper-evident, that emulates the qualities of paper rather than that of the signature inscribed upon it.

A historic quest for near-perfect non-repudiation mechanisms lies behind some policy and technological developments in the electronic signatures field. A tendency to prescribe technology-specific requirements was especially evident in some 1990s legislation (the 1995 Utah Digital Signature Act being the paradigm example). Whilst legislatures have generally moved on since then towards adopting more technology-neutral approaches, the echoes still reverberate.

Now let us turn from function to legal significance of a signature. On most occasions when we sign documents the law does not require a signature to be used. Sometimes, however, it does so. Compliance with such a mandatory requirement is a different and separate issue from the legal significance of a signature generally, which is discussed below.

Mandatory signatures

If the law (usually a statute) does require a signature to be used in a particular situation, then does the kind of signature proposed to be used comply with that requirement? The answer is likely to affect the validity of the document or of a transaction to which it relates.

eIDAS does not prevent a Member State from enacting legislation that stipulates formalities that have to be complied with for a particular purpose, including use of a particular kind of signature (whether wet-ink or electronic) (see discussion under ‘Legal Effect’ below).

The 2019 Law Commission Report observed that there is an argument that eIDAS would have allowed the common law to develop to the effect that an electronic signature was not a valid way of signing a contract.

However, English common law has not done that. Conclusion of a contract is not generally subject to a statutory requirement for a signature.

Furthermore, English law has taken a liberal view of what constitutes a signature for the purposes of a generally expressed statutory signature requirement, encompassing all kinds of electronic signature including the most informal. In English law any kind of electronic signature is capable of satisfying a generally expressed requirement for a signature, so long as there is an intention thereby to adopt the contents of the document and so long as any other applicable formalities are satisfied (see 2019 Law Commission Report, above).

Non-mandatory signatures

Signing a document without any statutory or other legal requirement for a signature may (or may not) have some legal significance. Thus:

  • signature is one way of concluding a contract and indicating assent to its terms (even though the law does not in general require a contract to be signed).
  • when we sign a letter the signature associates us with the final contents. That may have legal consequences (if, for instance, the letter provides a reference on which the recipient will rely).
  • if we sign a painting we do so in order to adopt it as our work.
  • if we sign a receipt we are acknowledging that the goods, services or money have been received.
  • if we sign a document as a witness, we do so to indicate that we observed the signatory signing the document (but we do not thereby endorse the contents of the document).
  • if a celebrity signs an autograph book, they are providing a specimen of their signature. There is no intent, by signing the book, to adopt any of its contents other than the signature itself.

Thus the legal effect (if any) of a signature may vary considerably depending on the purpose for which the signature is applied and the context in which it is later relied upon.

The riddles of eIDAS

Now let us turn to eIDAS. eIDAS describes several kinds of electronic signature. Most relevantly, it defines advanced electronic signatures and qualified electronic signatures.

What those consist of in technical terms need not detain us for the moment. Suffice to say that both attempt to incorporate all three signature functions (identity of signatory, intention to authenticate and identification of document contents) to a high level of confidence. Advanced signatures can be thought of as the eIDAS silver standard, qualified signatures as the gold standard. The bronze standard is any other signature in electronic form.

eIDAS itself does not compel the use of advanced or qualified signatures. Nor does it require Member States to compel private parties to use either of them in their dealings. They are in the nature of prefabricated tools that Member States (or indeed private parties in contracts) are at liberty to prescribe if they wish to do so.

So where lies the problem of interpretation? The EU legislature wanted to do two further things: (a) prevent Member States from discriminating against use of electronic signatures as such and (b) attribute a specific status to its gold standard “qualified signature”. But at the same time Member States were to be free to lay down whatever formalities for transactions between private parties they saw fit. That could include stipulating that a specific kind of signature had to be used in any given situation.

The attempt to reconcile these objectives resulted first in Article 5 of the Directive, then Article 25 of eIDAS. Article 25 states (in part):
“1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature. …”

Article 5 of the Directive employed broadly comparable terminology: “legal effectiveness” and “satisfy the legal requirements of a signature in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data”.

Legal effect and admissibility in evidence are, on the face of them, separate concepts. Admissibility in evidence is simple: the court is able to look at the signature (although it is still free to give it as much or as little evidential weight as it thinks fit). Legal effect, however, is a puzzle.

Riddle 1: Legal Effect

‘Legal effect’ is mentioned in both Article 25.1 and 25.2 of eIDAS.

Article 25.1 is the non-discrimination provision. Legal effect must not be denied either solely on grounds of electronic form or because it is not a gold-standard qualified signature.

But what constitutes legal effect? At first sight it could mean that any electronic signature must be taken to satisfy a national law statutory requirement for a signature. However, that cannot be the answer, for several reasons.

Purposively, it would be a pointless exercise for the Regulation to define different kinds of electronic signature if Article 25(1) meant that Member State legislatures could not stipulate that a specified kind of electronic signature must be used in particular circumstances.

Indeed Recital (49) of eIDAS makes clear that the only limitation on Member States’ ability to define the legal effect of an electronic signature is the stipulation for handwritten signature equivalence provided by Article 25.2:
“It is for national law to define the legal effect of electronic signatures, except for the requirements provided for in this Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.”

The Law Commission Report on Electronic Execution of Documents observed at para 3.15:
“eIDAS therefore allows member states to make provision for the legal effect of electronic signatures which are not qualified electronic signatures. This would allow member states to lay down, for example, security standards to be complied with by e-signing systems should they want to.”

Furthermore, Article 2(3) of eIDAS reserves to national or other EU law the imposition of formalities. The Regulation:
“does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form”

Recital (21) reinforces the point:
“Neither should this Regulation cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form laid down by national or Union law. In addition, it should not affect national form requirements pertaining to public registers, in particular commercial and land registers.”

Obligations relating to form may include formalities relating to signatures. The Law Commission took the view (at para 3.34) that such formalities could include a requirement for witnessing of a signature, or that the signature be in a specific form (such as handwritten).

eIDAS therefore does not prevent a Member State from enacting legislation that stipulates formalities that have to be complied with for a particular purpose, including use of a particular kind of signature (whether wet-ink or electronic).

Compliance with a statutory requirement for a signature, potentially affecting the validity of the underlying document or transaction, is best understood as a separate matter from ‘legal effect’ of a signature. As such it is a matter of domestic English law, untouched by eIDAS.

If ‘shall not be denied legal effect’ in Article 25(1) does not refer to satisfying a statutory requirement for a signature, what does it mean? The answer probably lies in the uses to which signatures are generally put in the absence of a statutory requirement. As already discussed, if a person adopts the contents of a document by means of their signature, any legal effect will vary depending on the kind of document and the legal issue that has subsequently arisen.

The European Commission, in its eIDAS Questions and Answers, says:

“What do the eIDAS non-discrimination clauses mean?

The eIDAS Regulation sets the principle of non-discrimination of the legal effects and admissibility of electronic signatures … as evidence in legal proceedings. Courts (or other bodies in charge of legal proceedings) cannot discard them as evidence only because they are in an electronic form. Nevertheless, Courts must check whether there are any procedures to be followed according to the EU or national (general or sectorial) law for a given document (including possible requirements on the use of specific levels of electronic tools) and might discard them on these grounds. In other words, the non-discrimination clause does not mean that each and every procedure can be carried out electronically. It means that Courts have to assess these electronic tools in the same way they would do for their paper equivalent.”

This suggests a limited application of the non-discrimination principle, interpreting ‘legal effect’ as requiring only non-discriminatory application of national court procedures. On this basis only a bright line categorical refusal by a court to consider electronic signatures as a class would be impermissible.

Also, Recital (49) of eIDAS (above) suggests that Member States may stipulate the legal effect of electronic signatures (other than qualified signatures), even if that legal effect is specific to a particular kind of electronic signature.

Article 25(1) may thus mean that a court considering an electronic signature used in a non-mandated context cannot categorically preclude it from having any legal effect simply because it is electronic; but that Member States may (a) define the legal effect of an electronic signature other than a qualified signature and (b) mandate that particular kinds of signature (electronic or otherwise) must be used for some kinds of document. A court would still be free to deny an electronic signature legal effect on its merits (or lack of them), for instance on the ground that the particular electronic signature that had been used lacked sufficient probative value.

That sits well alongside the second limb of Article 25(1), which provides that an electronic signature must be admissible in evidence. Admissibility means only that the court can look at the evidence. The court is then able to consider what evidential weight to give to the signature, for the purpose of evaluating whatever legal significance the signature may have in the context of the dispute on which the court is adjudicating. Article 25(1) does not prescribe that any particular evidential weight should be given to any kind of signature.

As to admissibility in evidence, from an English law perspective admissibility is trivial. There was never any doubt that an electronic signature is admissible in evidence in an English court. For good measure, that was made explicit in the Electronic Communications Act 2000, which implemented the Electronic Signatures Directive.

Riddle 2: equivalent legal effect to a handwritten signature

Article 25(2) provides that a qualified electronic signature shall have the equivalent legal effect of a handwritten signature. The implicit premise of Article 25.2 is that a handwritten signature has some particular (presumably greater) legal effect than some other kinds of signature. eIDAS does not say what it means by a handwritten signature.

Whether any distinction between handwritten and other signatures exists is a matter of the underlying law of each Member State. Recital (20) of the Directive recognised that: “national law lays down different requirements for the legal validity of handwritten signatures”. Equally, Member States may lay down different legal effects for handwritten signatures recognised as valid under their laws.

To an English lawyer an assumed distinction between handwritten signatures and others is conceptually puzzling, since (as discussed above) handwritten signatures generally have no special legal status in English law. A signature is a signature, whether it be a flowery autograph inscribed using a fountain pen, a rubber stamp facsimile, or an X marked with a pencil. What matters is whether the putative signatory applied it with intent to sign the document[2].

Given the underlying variety of Member State physical signature laws, Article 25(2) can be understood to mean that if under a Member State’s law a handwritten signature as such has some particular legal effect, then a qualified signature must be accorded equivalent legal effect.

Conversely, however, Article 25(2) does not say that only a qualified signature can be accorded equivalent legal effect to a handwritten signature. It is therefore open to a Member State to treat electronic signatures generally as having equivalent legal effect to handwritten and other kinds of physical signature, thus bypassing the potential difficulty of being required to accord an assumed but non-existent special status to a qualified signature.

That is the position that has been adopted in England: any kind of electronic signature is capable of performing the function of a signature.

When we consider the millions of informal electronic signatures used every day, one shudders to think of the havoc that would have been wrought had the Directive (and now eIDAS) stipulated that a Member State could confer legal effect equivalent to a handwritten signature only on a qualified signature. Fortunately, that is not what it says.

Riddle 3: uniquely linked

“Advanced electronic signature” is the silver standard defined under eIDAS. Unlike for the gold standard “qualified electronic signature”, eIDAS confers no particular legal status on an advanced electronic signature. It is intended as a defined category of signature that can be referred to in other EU or Member State legislation or in private documents such as contracts. But it is also a component of the qualified signature which, as we have seen, must be accorded equivalent legal effect to a handwritten signature.

The definition of an advanced electronic signature sets another puzzle. An advanced signature must satisfy four conditions:

  • The signature is uniquely linked to the signatory
  • It is capable of identifying the signatory
  • It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control. “Electronic signature creation data” means unique data which is used by the signatory to create an electronic signature. An “electronic signature” is data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
  • It is linked to the signed data in such a way that any subsequent change in the data is detectable.

The first condition is that the signature is uniquely linked to the signatory. But what does that mean? Is the required link technical, logical or some other kind of association?

Since a signatory (“a natural person who creates an electronic signature”) has to be a human being, how can data be linked in any technical sense to a human being? It is possible to link data to a device, or to other data. But the device is not the human being. What kind of technical feature would be capable of linking an electronic signature to a human being, whether or not uniquely?[3]

Does ‘uniquely linked’ perhaps imply some kind of assurance that the signatory is who s/he says s/he is? If so, that does not go so far as to require third party verification by certification authority. Nothing in eIDAS suggests that a third party certificate was intended to be required by the definition of advanced signature.

A middle ground interpretation could be that if some kind of remembered or biometric information, such as a password or a fingerprint, is required in order to use the unique signature creation data, or perhaps to log on to the machine on which the signing facility is installed, that creates a sufficient logical link between the signature and the signatory[4].

Another possibility might be that it is sufficient if the signature technology is based on data that is unique to the signatory. In this interpretation, “uniquely linked” implies unique association with the signatory, but not necessarily a technological link such as a password to make use of the unique data. However this interpretation seems unlikely, since uniqueness of the data is already a requirement of the third condition.
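The fourth condition, and the limit of the first, in working form: an added Go example that is not part of the original post. An Ed25519 signature binds the signature data to the exact bytes signed, so any later alteration of the document (or of the signature) is detectable, whereas a name typed at the foot of an e-mail offers no such linkage; note that verification links the data to a key, not to a human being, which is precisely the gap the ‘uniquely linked’ riddle identifies. The key pair, document text and names are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument pairs "data in electronic form" (the document) with signature
// data that is attached to it, mirroring the eIDAS definition quoted above.
type SignedDocument struct {
	Content   []byte
	Signature []byte
}

// newSigningKey generates an Ed25519 key pair. The private key stands in for
// the "electronic signature creation data": unique data used to create the
// signature. Whether a human can use it "under his sole control" is a matter
// of key custody, not of anything visible in the signature itself.
func newSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signDocument creates the signature over the whole content, so the signature
// is bound to these exact bytes and to nothing else.
func signDocument(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{Content: content, Signature: ed25519.Sign(priv, content)}
}

// changeDetected reports whether the content or signature differs from what
// was produced at signing time: the fourth condition (any subsequent change in
// the data is detectable). What it does not do is identify a person: a
// successful verification links the data to a public key, not to a signatory.
func changeDetected(pub ed25519.PublicKey, doc SignedDocument) bool {
	return !ed25519.Verify(pub, doc.Content, doc.Signature)
}

// typedNameChangeDetected models the informal signature that English law also
// accepts: a name typed at the end of an e-mail. The only check available is
// whether the name is still there; an edit to the body above it is invisible.
func typedNameChangeDetected(email []byte, name string) bool {
	return !bytes.HasSuffix(email, []byte("\n"+name))
}

func main() {
	pub, priv, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; not taken from the original page.
	doc := signDocument(priv, []byte("I agree to pay 100 euros."))
	fmt.Println("untouched, change detected:", changeDetected(pub, doc))

	doc.Content = []byte("I agree to pay 1000 euros.")
	fmt.Println("altered, change detected:", changeDetected(pub, doc))

	// The same alteration applied to an e-mail "signed" with a typed name.
	email := []byte("I agree to pay 1000 euros.\nAlice")
	fmt.Println("typed name, change detected:", typedNameChangeDetected(email, "Alice"))
}
```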

Fortunately, this riddle rarely requires a solution in the English law context, since there are few examples of legislation that refer to a bare advanced signature. However, some do exist. For instance Reg 37(7) of the Risk Transformation Regulations 2017 provides that where the Financial Conduct Authority certifies an electronic copy as a “true copy”, it must do so with an advanced electronic signature.

The relevance of eIDAS to English signatures law

We have suggested that eIDAS, for all its complexity and technical sophistication, sits on the sidelines as far as the ability to use electronic signatures under English law is concerned. We can now summarise the reasons why this is so:

  • No English statute requires use of an eIDAS-compliant qualified signature
  • Very few English statutes require use of an eIDAS-compliant advanced signature
  • English law already contained no bar, either substantive or in terms of admissibility in evidence, against a signature as such being in electronic form
  • eIDAS does not preclude a national law stipulation for a particular kind of signature. In any event most English law statutory signature requirements are stated in general terms (e.g. ‘signed by’, or ‘signed by or on behalf of’), which under the English law of signatures is capable of being satisfied by any kind of electronic signature.
  • Since English law confers no special status on a handwritten signature, the eIDAS requirement to give equivalent effect to a qualified signature is redundant. In any event English law gives effect to any kind of electronic signature, whether a qualified signature or not.
  • Most impediments to use of electronic signatures under English law are caused not by signature rules, but other formalities governing medium, process or form (such as witnessing). These are outside the scope of eIDAS.

As a matter of practice, within this liberal framework parties deploy electronic signatures by the million, choosing anything from an informal name typed at the end of an e-mail, to signature buttons, to the varieties of signature offered by signing platforms — all according to the nature, value and significance of the transaction. Whether or not to use an eIDAS-defined advanced or qualified signature is a matter of choice on their merits.

In the UK (and indeed in most EU countries) the use of qualified signatures pre-eIDAS was minimal. A 2012 European Commission Staff Working Document recorded one UK qualified certificate provider, which had issued one certificate. As for advanced signatures, under the Directive an advanced signature was generally thought to require the use of a physical signing device such as a smart card, and such devices were barely used for signature applications in the UK.

Why, if a legal system can cope flexibly with all kinds of electronic signature, did EU digital signatures law go down its standards-based path and end up with the eIDAS ecosystem?

For at least part of the answer, we have to delve back into the history of the predecessor Electronic Signatures Directive.

History of the Directive

The Directive was hatched in the late 1990s. The initial focus of the project was on cryptographic digital signatures rather than on electronic signatures generally. This was at a time when it was widely asserted that addressing the perceived electronic non-repudiation problem required the use of cryptographically assured public key-private key digital signatures. Italy, a country traditionally wedded to formalities, had promulgated a highly prescriptive digital signatures decree. Germany was also heading down a technology-specific PKI path.

This was a classic situation in which the Commission could see that national legislation would erect technical barriers within the Internal Market. Hence the enthusiasm to head that off with EU-wide legislation.

The Directive had its origins in the Commission’s 1997 Communication “Ensuring Security and Trust in Electronic Communication”. This aimed to carve out use of encryption for digital signatures from the broader ‘crypto-wars’ that were raging at the time. As the Communication put it: “discussions about the possible conflict between divergent interests on security” had shown “a considerable amount of confrontation and discontent between institutions and interest groups”.

The Communication focused on how to promote use of cryptographic digital signatures as the solution to lack of security and trust, which were said to be an impediment to electronic commerce.

There was also a characteristic European Commission aim of “stimulating a European industry for cryptographic services and products”. The Commission observed that only a few companies in Europe had so far taken steps to offer digital signature services. It averred: “One of the main reasons is the weakness of demand resulting partly from the absence of legal recognition of digital signatures”.

After asserting that important documents could not be exchanged across open networks because of the absence of contractual and mutual trust arrangements present in closed networks, the Commission suggested that “authentication and integrity services are needed for secure and trustworthy data transmission and communication over open networks”.

The Commission was particularly focused on cryptographic digital signatures supported by certificates issued by trusted third party Certification Authorities: “In particular CAs are crucial for digital signatures to become a fully accepted tool within national legal systems, for instance to ensure legal recognition and enforceability of a signature in electronic commerce.” 

But the underlying premise of all this — that technically sophisticated digital signatures were a river waiting to flood once EU legislation broke the dam — was little more than an assumption.

So, for example, when the Communication observed that “a key used to authorise a large financial transfer between two banks will require a high level of trust whilst one used to validate a low value personal purchase will not need to be trusted to the same extent”, it did not go on to question why, for the low value personal purchase, anyone would go to the trouble of employing a key-based digital signature or a validation mechanism at all.

A less politically driven project might have placed more emphasis on testing whether assumptions about the degree of trust needed from an electronic signature reflected reality.

By the time of its May 1998 proposal for the Directive the Commission had backed off a little from its focus on PKI and decided that it had to take a more technology-neutral approach:
“Since a variety of authentication mechanisms is expected to develop, the scope of this Directive should be broad enough to cover a spectrum of “electronic signatures”, which would include digital signatures based on public-key cryptography as well as another means of authenticating data”.

Against this background the advanced electronic signature (which as regards ‘uniquely linked’ was defined in the same terms in the Directive as in eIDAS) can be understood as an attempt to describe, in abstract terms, the features of a public key-private key digital signature:

  • The certificate contains data identifying the signatory.
  • The private key is unique.
  • The signature data is technically linked to the private key.
  • The hash function renders the signed document tamper-evident.

However, the Commission’s approach still seemed to assume that an electronic signature of any kind would need some kind of authentication mechanism, whether PKI or some future technology:
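The four features listed above, shown concretely as an added example that is not part of the original post: a freshly generated key pair (unique private key), a self-signed X.509 certificate whose Subject names the signatory (identifying data), an ECDSA signature computed over a SHA-256 digest of the document (signature linked to the private key), and a verification that fails once a single byte of the document is altered (tamper-evidence) or a different signatory’s certificate is presented. The signatory names and document text are constructed sample values, and self-signing stands in for a certificate that would in practice be issued by a certification authority. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signatory pairs a private signing key with a certificate naming its holder.
// Constructed for this example; a real deployment would obtain the
// certificate from a certification authority rather than self-signing.
type Signatory struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSignatory generates a fresh P-256 key pair, so the private key is
// unique to this signatory, and wraps the public key in a self-signed
// certificate whose Subject carries the signatory's name.
func NewSignatory(name string) (*Signatory, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signatory{priv: priv, Cert: cert}, nil
}

// Sign hashes the document with SHA-256 and signs the digest with the
// private key, so the signature value depends on both the key and the
// exact document bytes.
func (s *Signatory) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify re-hashes the document and checks the signature against the public
// key in the certificate. It returns the signatory name taken from the
// certificate and whether the signature is valid; any change to the
// document, or a signature made with a different key, fails the check.
func Verify(cert *x509.Certificate, doc, sig []byte) (string, bool) {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", false
	}
	digest := sha256.Sum256(doc)
	return cert.Subject.CommonName, ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, err := NewSignatory("Alice Example") // constructed sample name
	if err != nil {
		panic(err)
	}
	doc := []byte("I agree to the terms set out above.") // constructed sample document
	sig, err := alice.Sign(doc)
	if err != nil {
		panic(err)
	}
	name, ok := Verify(alice.Cert, doc, sig)
	fmt.Printf("signed by %q, valid: %v\n", name, ok)

	// Tamper-evidence: flip one byte of the document and re-verify.
	tampered := append([]byte{}, doc...)
	tampered[0] = 'U'
	_, ok = Verify(alice.Cert, tampered, sig)
	fmt.Printf("after altering the document, valid: %v\n", ok)

	// Linkage to the private key: another signatory's certificate does not verify.
	bob, _ := NewSignatory("Bob Example") // constructed sample name
	_, ok = Verify(bob.Cert, doc, sig)
	fmt.Printf("checked against a different signatory's certificate, valid: %v\n", ok)
}
```

Run with `go run`. ECDSA signing is randomised, so the signature bytes differ between runs while the verification results do not. The example deliberately shows that everything the verifier learns about who signed comes from the certificate, which is why the trustworthiness of the certificate issuer, rather than the mathematics, is what the eIDAS trust-service rules are really about.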
“The proposal for a Directive aims at “enabling” the use of electronic signatures within an area without internal frontiers by focusing on the essential requirements for certification services…” [p.5]

The Proposal still envisaged electronic signatures as the kind of thing that would involve internationally agreed standards to establish “an open environment for interoperable products and services” [p.3 pt 6].

Recital (6) of the Proposal for Directive, in a passage that did not make it into the Directive itself, observed that “digital signatures based on public-key cryptography are currently the most recognised form of electronic signature”.

Thus the focus was — perhaps unsurprisingly in an Internal Market Directive — on the technically advanced kinds of signatures that it was hoped would stimulate a future cryptographic services industry within the EU. 

Of course typing a name, or pasting a scan of a manuscript signature, into a document has no authentication mechanism beyond inclusion in the document intended to be signed. Neither needs any service industry infrastructure to support it. In English law, as we have seen, both are capable of functioning as a signature, even where a signature is required by a statute.

Although not firmly established at that time, that was even then a reasonable deduction from previous English law relating to physical signatures. Only a few years later, in 2001, the English Law Commission opined that:
“Digital signatures, scanned manuscript signatures, typing one’s name (or initials) and clicking on a website button are, in our view, all methods of signature which are generally capable of satisfying a statutory signature requirement. We say that on the basis that it is function, rather than form, which is determinative of the validity of a signature. These methods are all capable of satisfying the principal function: namely, demonstrating an authenticating intention.”

Against the background of the 1997 Communication and the 1998 Proposal, and the emphasis on a hoped-for future digital signatures industry, the subsequent inclusion of broadly defined ordinary electronic signatures in the Directive (defined to include any kind of signature in electronic form) has the impression of being something of an afterthought.

But for English law at any rate, that — and the ability to provide equivalence to a handwritten signature for any kind of electronic signature — were highly significant. It meant that the Directive changed little or nothing, since as we have seen the common law was already flexible in its approach to what constituted a signature.

In the event, take-up of qualified signatures in the years following the Directive was modest, and in the UK almost non-existent. People and businesses tended to use whatever kind of electronic signature suited their purpose best – even down to the most informal, such as typing a name at the end of an e-mail or into a web form.

Cloud-based signing platforms eventually became popular, but for the most part offered ‘good enough’ signature methods that did not seek to conform to the Directive’s advanced and qualified signature standards. For most ordinary purposes that sufficed and, in the absence of a statutory requirement for an advanced or qualified signature, no-one in England had much reason to worry about whether a signature conformed to any of the Directive’s specifications.

Revising the Directive

When it came to the revision of the Directive, the Commission determined that the modest take-up of standards-based signatures was largely due to lack of cross-border recognition within the EU.

The Commission’s 2012 Proposal for a Regulation displayed the same equation of electronic signatures and sophisticated technology that had been apparent in the 1990s. 

The Staff Working Paper that accompanied the Proposal suggested that a reason for modest take-up of electronic signatures was that signing a document or email was “not handy”, that to install a certificate on the computer was “uneasy” and that most applications for private use badly integrated e-signature functionalities.

It went on to say that “free webmail services (such as Hotmail, Yahoo or Gmail) do not allow signing e-mails”. The notion that a user could validly sign an email by typing their name at the foot of it was absent. With this underlying mindset, it is perhaps no surprise that eIDAS turned out to be largely orthogonal to English signatures law.

For signatures, the eIDAS Regulation made two main changes compared with the Directive: it made clear that the ‘gold standard’ signature (now called a ‘qualified signature’) could be implemented remotely in the cloud, not just by a physical device such as a USB signature dongle or a smart card; and it introduced a system of intra-EU cross-border recognition of trust service providers (who provide the third party certificates that underpin qualified signatures).

With these eIDAS changes, providers are now offering standards-based advanced and qualified signatures. Whether there will be an increase in the appetite to use them will no doubt become apparent in time.
