
ELECTRONIC SIGNATURES in Law and Practice

John D. Gregory

October 5, 2009

John D. Gregory Electronic Signatures 2

Outline

- Signatures in general
  - Legal considerations
- Electronic signatures
  - Legal considerations
  - Practical considerations
- Examples of threat-risk analysis
- Responses to questions


Signatures

- A signature is evidence of a link between a person (legal entity) and a document
  - There are many kinds of possible link: approval, witnessing, acknowledgment ...
  - The signature is usually not the only evidence of the link
- It may also be evidence of the character of that link, through formality or ceremony
  - Seriousness, legal impact


Signatures and the law

- The law does not usually require a signature
  - So any kind of signature will do
- The law very rarely specifies the form of a signature
  - So any form of signature will do
- The legal effect of a signature – the nature of the link to the document – is rarely evident from the form of the signature


Signatures and the law (2)

- Intention is the key
- So:
  - Anyone can sign
  - A machine can sign
  - A signature can look like anything
- Proof of intention is the hard part
- Different intentions = different signatures
- The relying party takes the risk of forgery


Security of signatures

- Signatures on paper vary as to security:
  - Initials
  - Full signature
  - Signature plus witness (possibly notary)
  - Signature plus two witnesses present at the same time (for wills)
  - Signature plus personal or corporate seal
  - Signature plus certified sample (e.g. from bank)
  - Signature plus certificate of authority


Electronic signatures

- An electronic signature is “electronic information that a person creates or adopts in order to sign a document and that is in, attached to or associated with the document” (Electronic Commerce Act)
- Does not have to 'look like' a signature
- Does not have to be in or on the signed document


Electronic signatures (2)

- Typewritten Electronic Signature: “James Bond” or /s/James Bond
- Digitized Electronic Signature (image of a handwritten signature)
- Personal Identification Number (PIN): 007
- Digital Signature: AOI)(#)(*%(FD(*DSHJB(*8hfr98hf49*YQW(*EHR(98HR(#*H(hEOID)()(*$*JGN)(J(DS)IJ@)(UJ%)R(#U)(FRJU)*&)(@&(*$&(*#IHOLKJHE)(*#&$


E-signatures and the law

- Because the law generally does not require a signature or a type of signature, people can use whatever they want.
- For greater certainty: Electronic Commerce Act, 2000 (Ontario): A legal requirement that a document be signed is satisfied by an electronic signature
- The law does not specify a standard of reliability (even “as appropriate”)


E-signatures and the law (2)

- Some qualifications: “whatever THEY want”...
  - Who are the parties to a signature?
  - What does the contract (RFP) say?
  - Who decides? The party at risk
- ECA: Nothing in this Act requires a person to use, provide or accept information in electronic form without consent.


E-signatures and the law (3)

- Further qualification: federal law (PIPEDA)
- General permission to use e-signatures:
  - only for designated laws or regulations
  - an opt-in approach, rarely used
- For several kinds of signature: use a “secure electronic signature” = digital signature
  - Currently only GoC PKI digital signatures


E-signatures and the law (4)

- Generally speaking, electronic signatures do not present a legal problem.
- Some methods are better for 'ceremony' than others
- Specific statutes may change that rule
- The need for consent may change that rule
- So check your contracts


Practical considerations

- What is 'legal' is not necessarily prudent
- The law does not tell you what is prudent
  - In e-commerce as in paper commerce
- How to judge what is prudent?
- Who decides?
- Right to say No is the right to say Yes, if:
  - The technology is acceptable
  - The level of security is acceptable


Electronic prudence

- The TRA: threat-risk analysis
  - What are the chances of a problem?
  - What is the gravity of a likely problem?
  - What is the cost of avoiding the problem?
  - What are the benefits of risking the problem?
- Note: judgments may vary on all answers and on the general conclusion
- Parties may have different costs and benefits


TRA

- Risk factors
  - How accessible are data to unauthorized users?
  - What incentives have outsiders to hurt the integrity of the data?
  - How hard is it to detect alteration?
  - Who bears the risk of loss if data are altered or document is not genuine?
  - Who is best able to protect data?
  - What is the signer’s incentive to repudiate data?


TRA (2)

- Cost factors
  - How much does it cost to secure data?
  - Who will pay to secure the data – producer or user of data?
  - How hard is it to protect data?
- Benefit factors (to being electronic)
  - How much does the system save?
  - How much do users save?
  - Is a single signing method cheaper?
  - What is trust in the system worth?


Examples of TRA

- Some Ontario examples
- Dispense with signature
  - Business registration forms
  - Online licence tag renewals
- Close the system
  - Security interest registration
  - Land registration
- Prescribe the technology
  - Income tax filings, ePass (Canada)


The story so far ...

- Signatures are one way of linking a legal entity to a document
- The law generally allows signatures in electronic form
- Not every electronic form will suit every purpose
- A key question is how to prove the link that the signature is supposed to show
  - Prove the link or prove the technology?
  - Prove signer's identity or attributes?


And in practice ...

- Most uses of e-signatures in high-value transactions are in closed systems:
  - Parties know each other over time
  - Parties agree on the technology (or one of them prescribes it)
  - Appropriate records are kept
- Open systems: very hard (= costly) to verify identity of potential user, so indefinite risk to relying party or to certifier of identity


In practice (2)

- Consumer e-commerce depends on authentication by credit card more than on e-signature.
  - Merchant does not care who buys, just that payment is made
- Credit card system is huge but closed
- Government uses tend to be closed too – the e-signature used to deal with it cannot be used to deal with anyone else.


In practice (3)

- Some particular difficulties:
  - Online enrollment: no way of identifying a stranger to the system
  - Proxies: financial institutions, educational institutions etc.
  - Key management: staff (signer) turnover, compromise, sloppy behaviour
  - Liability: certifier can't pass to relying party


Q & A

Q: Does e-sig = photocopied sig?

A: Yes and no. Depends on what kind of e-sig. Digitized signature has similar risk of fraud. Record retention may be different.

Q: E-sig vs digital sig

A: Digital signature (PKI) (i.e. using cryptography) is very secure but hard to do. No formal legal difference absent legal rule.
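The list of e-signature kinds on the "Electronic signatures (2)" slide and this answer both distinguish a digital signature from the other forms. The added example below is not part of the presentation; it uses Go's standard crypto/ed25519 package to show what a digital signature technically proves and what it does not: the signature is detached (associated with the document rather than in it), any alteration of the document is detected at verification time, and a signature made under one key does not verify under another. The contract text and the names Alice and Mallory are constructed sample values. Note that a successful verification only shows that the holder of the private key signed exactly these bytes; who that holder was, and what they intended, is the key-management and proof-of-intention problem the slides describe, and no amount of cryptography answers it on its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Signer holds an Ed25519 key pair. The private key is what must be
// protected (the "key management" difficulty on the slides); the public
// key is what a relying party uses to check a signature.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair from the OS random source.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces a detached signature over the exact document bytes.
// The signature is "associated with" the document, not written into it.
func (s *Signer) Sign(document []byte) []byte {
	return ed25519.Sign(s.private, document)
}

// Verify reports whether sig was made over exactly these document bytes
// by the holder of the private key matching pub. It says nothing about
// who that holder was or what they intended. Malformed inputs are
// rejected rather than passed to the library, which would panic on a
// wrong-size public key.
func Verify(pub ed25519.PublicKey, document, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, document, sig)
}

func main() {
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}

	// Constructed sample document; in practice this would be the file bytes.
	doc := []byte("Contract: Alice sells Bob one bicycle for $200.")
	sig := alice.Sign(doc)
	fmt.Println("signature:", hex.EncodeToString(sig))

	// 1. The relying party checks the document against Alice's public key.
	fmt.Println("genuine document verifies:", Verify(alice.Public, doc, sig))

	// 2. Changing even one character in the document breaks the signature.
	altered := []byte("Contract: Alice sells Bob one bicycle for $20.")
	fmt.Println("altered document verifies:", Verify(alice.Public, altered, sig))

	// 3. A signature from Alice's key does not verify under anyone else's key.
	mallory, _ := NewSigner()
	fmt.Println("verifies under another key:", Verify(mallory.Public, doc, sig))
}
```

The three checks in main map onto the TRA questions on the earlier slides: alteration is detected mechanically rather than by inspection, and the relying party's risk shifts from forgery of the mark to control of the private key, which is why a closed system with agreed technology and kept records is where such signatures are actually used.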


Q & A (2)

Q: When is it appropriate to 'introduce' e-sigs? How to persuade collaborators?

A: When both (all) sides agree with results of a TRA (formal or informal). Voluntary.

Q: Case studies showing savings?

A: SAFE pharma, industry studies, credit card industry, auto sales, bank and securities clearances, e-filing in court


Q & A (3)

Q: Why do some agencies accept any medium and some insist on h/w (wet) sig?

A: Each has its own express or implied TRA, its own evidence and archiving needs. Some 'outsourced' signature pages OK.

Q: How to design a system that will work, with appropriate practices?

A: A lot of people would like to know, and a lot of consultants are out there trying


Q & A (4)

Q: What legal arguments to use to persuade collaborator to accept e-signatures?

A: It's not a legal question (subject to institutional rules e.g. granting agencies)

Q: What about a document with one handwritten signature and one by PDF?

A: Contracts signed in counterparts are common on paper. No different issues electronically. Question of proof and trust.


Conclusions

- The law is easy; the practice is hard
- Proving the technology is often harder than proving the link (between signer and document)
- Not only signatures can prove the link.
- E-records do not need to be more reliable than paper records – but people forget that.
- Novelty of judging trust in e-world is large part of the challenge


Sources (partial)

- Electronic Legal Records: Pretty Good Authentication? (1998)
  http://www.euclid.ca/call.html
- Legal Situation of Electronic Signatures: an Ontario perspective (1999)
  http://www.euclid.ca/ontsig.html
- Authentication Rules and Legal Records (2002)
  http://www.euclid.ca/cbr2002.pdf
- E-records and the Law (2007)
  http://www.verney.com/opsim2007/presentations/301.ppt
- Paperless Government and the Law (2009)
  http://www.euclid.ca/paperless.ppt