Digital signatures may take the form of a typed name in an electronic document, click wrap agreement, PIN number, scanned manuscript signature, biodynamic version of a signature. Digital signatures combine a private key, public key and a certificate as a means to verify identity. There are weaknesses with digital signatures as there are with forged signatures in real world.
Businesses, governments, civil servants, local authorities, people with credit cards, debit cards, computers and mobile telephones all use at least one form of electronic signature every day.
Way before the digital age, successive judges in England and Wales, as well as other common law countries, were presented with cases where a signature (or the type of a signature) was a central issue to the case – usually where one party might claim that a contract was not formed, because there were no signatures, so they did not have to pay for the cost of the good or services. In dealing with these cases, the judges concluded that the form a manuscript signature takes is not relevant, providing the function the signature performs is clear from the evidence.
This pragmatic view of the imperfections of human behaviour has enabled judges to widen the concept of what is meant by a signature over the centuries. Various methods have been accepted to prove the intent to sign a document: the mark of a cross, the use of a pseudonym, initials, a surname, a trade name, a partial signature, words other than a name, an identifying phrase and an abbreviation of a name. Indeed, any sign intend to operate as a signature by the signer.
Now we are in the digital age, and things have not changed.
Electronic signatures take different forms, and different types electronic signatures are acceptable in different jurisdictions.
Electronic signatures started before any legislation was passed, and by the time e-mails were being used and people began to type their name into electronic documents, judges found themselves applying well established (and very old) legal principles to the new technology – that is, by agreeing that when a person types their name into an e-mail or word document, they are signing. This also happened in the nineteenth century when judges had to decide whether a name that was printed or typewritten was a signature. It is now well established that typing a name into an e-mail is a signature.
Clicking the ‘I accept’ or ‘I agree’ icon to confirm you want to enter a contract when buying goods or services electronically has for a long time been a very popular method of demonstrating intent – especially when you click on the ‘I accept’ icon when buying software. The action of clicking the icon performs the same function of a signature.
The PIN is a very widely used form of authentication, especially to obtain access to a bank account through the use of an ATM, or to confirm a transaction with a credit card or debit card. A PIN is another form of electronic signature – unfortunately, not necessarily the best way of protecting your bank account, though.
The name in an e-mail address is capable of identifying a person, especially where an e-mail address in an organization, whether public or private, is allocated by setting out the name of the person followed by the domain name of the organization. There are other variations that can be used, such as when an e-mail address describes the office or function of the person, rather than their name. However, even this, if allocated to a single person, can also function to identify a particular person. This means the name in an e-mail address is also considered to be a signature in many jurisdictions.
Where you write your signature on a piece of paper and then scan it, the file of your scanned signature can be used to sign. The file containing the scanned signature can then be attached to a document or an e-mail. This version of a signature is used widely in commerce, especially when marketing materials are sent through the postal system to hundreds of thousands, if not millions, of addresses.
There are products that permit a person to produce what is called a biodynamic version of their manuscript signature. For instance, some delivery companies use hand-held devices that require the recipient of an item of post or parcel to sign on a screen to acknowledge receipt of the mail or parcel.
Another method of obtaining a digital version of a manuscript signature is where a person can write their manuscript signature by using a special pen and pad. The signature is reproduced on the computer screen, and a series of measurements record the behaviour of the person as they perform the action. The measurements can include the speed, rhythm, pattern, habit, stroke sequence and dynamics that are unique to the individual at the time they write their signature. The subsequent electronic file can then be attached to any document in electronic format to provide a measurement of a signature represented in graphic form on the screen.
Digital signatures are marketed as a form of electronic signature that enables the recipient to prove a document or communication actually came from the person whose digital signature was used to ‘sign’ the data. This is not necessarily correct.
Put very simply, a digital signature can comprise three elements, a key pair (a private key and a public key) and a certificate, which is usually issued by a third party, such as a certification authority. When an electronic message is signed with a digital signature, the private key is used to associate a value with the message using an algorithm. The computer undertakes this task. The value, the message and a certificate, linking the key to the named person or entity, is then sent to the recipient. The recipient uses the public key to check the value is correct by ‘unlocking’ the value created by the algorithm. A computer undertakes the entire operation. The only action required of the human being (in theory) is to cause the computer to associate the digital signature to the message.
The private key of a digital signature (also known as an ‘advanced electronic signature’ in the EU) is protected by a password. If you use a digital signature (or you are the recipient of a document or e-mail with a digital signature affixed) the most important point to be aware of is this: the private key of a digital signature is only as good as the password that protects it. This means that when the password is inserted into a computer to provide access to the private key of a digital signature (or PIN) it proves any of the following:
Many people actually believe that if a cryptographic hash (and probably, but not necessarily, the public key, or possibly but not necessarily by means of a certificate) of a digital signature is affixed to a document or e-mail, it means that the digital signature was actually affixed by the person whose key it was. It is not necessarily true that the person did affix the digital signature to the e-mail: a hacker that obtained access to their computer might have done it, as the case law from Russia demonstrates.
If you have a dispute and the use of an electronic signature is at issue, the problem is how to prove the nexus between the application of the signature, whatever form it takes, and the person whose signature it purports to be. A case from Germany illustrates the problem. A seller of items on an auction web site tried to enforce a contract against three individuals. The seller claimed they entered into a contract by e-mail to buy goods. The goods were never paid for, and the seller took legal action against the three buyers. The purported buyers claimed they did not send the e-mails, nor signed the e-mails. The seller relied on the signatures in the e-mails, and the rule of law is that the person relying on the signature must prove it is genuine. In this instance, the seller could not prove the buyers sent or typed their names into the e-mails. As a result, the seller lost the case. This case demonstrates that from a practical point of view, the recipient needs to be confident that the signature is from the person it claims to be, and that they actually used the signature in question.
For business legal advice and more information on digital signatures and our IT lawyers, contact us online or call us on 020 7353 1770.
