Security

Electronic signatures in practice

March 2006

Stephen Mason explains the various forms an electronic signature can take, and indicates the weaknesses, illustrating that no form of esignature is totally secure.


Electronic signatures take a variety of forms, all of which can demonstrate the intent of the signing party to authenticate the document. Advanced electronic signatures are not special, nor any more secure or advanced than any other form of electronic signature. The important factor is proving that an esignature affixed to a message has been sent by its owner; the type of signature used is irrelevant.

Br J Healthcare Comput Info Manage 2006; 23(2): 22–4.

Before the digital age, successive judges in England and Wales, as well as in other countries where part of the law derives from custom and from judges’ rulings, considered that the form a manuscript signature takes is not relevant, providing the function the signature performs is clear from the evidence. This pragmatic view of the imperfections of human behaviour has enabled judges to widen the concept of what is meant by a signature. Various methods have been accepted to prove the intent to sign a document: the mark of a cross, the use of a pseudonym, initials, a surname, a trade name, a partial signature, words other than a name, an identifying phrase and an abbreviation of a name.

Forms of electronic signature

Electronic signatures did not require the passing of an Act of Parliament. The Chairman of an Industrial Tribunal decided the first case of this nature in 1997, before the Electronic Communications Act 2000, which in turn was passed as a result of the EU Directive on electronic signatures. Electronic signatures take a variety of forms, all of which can demonstrate the intent of the signing party to authenticate the document.

The different types are:

  • when a person types his/her name onto a file in electronic format, such as a letter, email or other form of document, the text added is a form of electronic signature. This was the subject of discussion in the case of Hall v Cognos Limited (Industrial Tribunal Case No 1803325/97). In this case, the Chairman determined that a name typed into an email was a form of signature. The decision was consistent with judgments made by judges in England and Wales since the 17th century, illustrating that the function of a signature overrides the form it takes. A number of similar cases brought before the courts in the United States of America and Singapore between 2001 and 2005 have reached identical conclusions in relation to the name typed at the end of an email;
  • the ‘click wrap’ method of indicating intent, namely clicking the “I accept” icon to confirm the intention to enter a contract when buying goods or services electronically;
  • a personal identification number (PIN), used to obtain money from cash machines or to authenticate a credit card purchase with a PIN;
  • a biodynamic version of a manuscript signature. A special pen and pad measure that records the actions of the person as he/she signs. This creates a digital version of the manuscript signature. The file can then be attached to electronic documents;
  • a scanned manuscript signature. A manuscript signature is scanned and transformed into digital format, which can then be attached to an electronic document; and
  • a digital signature (or cryptographic signature). Put simply, a digital signature can comprise three elements: a key pair (a private key and a public key) and a certificate, which is usually issued by a third party, such as a certification authority. When an electronic message is signed with a digital signature, the private key is used to associate a value with the message using an algorithm. The computer undertakes this task. The value, the message and a certificate, linking the key to the named person or entity, is then sent to the recipient. The recipient uses the public key to check the value is correct by ‘unlocking’ the value created by the algorithm. A computer undertakes the entire operation. The only action required of the human being (in theory) is to cause the computer to associate the digital signature to the message.

One other form of electronic signature is the so-called ‘advanced electronic signature’, which is an invention of the EU Directive. The elements that make up an advanced electronic signature are as follows:

  • it is uniquely linked to the signatory. No electronic signature can be uniquely linked to the signatory as a user relinquishes control over his/her scanned signature once it has been sent. A digital signature is not linked to the person creating it: the unique link is made with the private key, not the user. Moreover, nobody remembers their private key, because it is far too complicated. As a result, private keys tend to be retained on a computer, disk or smartcard;
  • it is capable of identifying the signatory. Any form of electronic signature is capable of identifying the person that is purported to have signed it;
  • it is created using means that the signatory can maintain under his sole control. Any form of electronic signature can be created under the sole control of the user, but when a private key is used, a recipient will not know whether it was the owner that actually used the private key; and
  • it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. The only form of electronic signature that is capable of complying with the fourth element is the digital signature, but even a digital signature is not immune from attack from determined criminals.

Advanced electronic signatures are not special, nor any more secure or advanced than any other form of electronic signature. The important issue to bear in mind is proving the sender was the person that affixed the signature to the message, not the type of signature that was used.

Correcting an assumption

The technical community thinks it has a solution to the problem of linking the use of an electronic signature to the person whose signature it is. The term non-repudiation is used, which has, in turn, become part of the vocabulary of digital signatures.

When this term is used in an engineering sense, it can mean that there is a high (and specifiable) degree of probability that it can be proved that an email, with a digital signature attached, was sent from a specific computer.

The technical community, therefore, argue that if it can be shown that an email was sent from a specific computer with a digital signature attached, then it was the owner of that computer who sent it.

This logic is flawed anybody with access to the computer in question could send a message. Perhaps the computer has a number of Trojan horses on it that the owner is not aware of, and one or more of these malicious items of software could enable a hacker to enter the computer without authority and to send emails at will, as well as affixing a digital signature to them.

The case of R v Caffrey (Southwark Crown Court, October 2003) illustrates this point. The defendant was charged with causing unauthorised modification of computer material under s3(1) of the Computer Misuse Act 1990.

The prosecution alleged that the defendant sent a deluge of electronic data from his computer to a computer server operated in the Port of Houston, Texas, the effect of which was to cause the computer at the Port to shut down. His defence was that unknown hackers obtained control of his computer and then launched a number of programs to attack the computer at Houston.

The forensic examiner for the prosecution could not find any evidence of a Trojan horse on his computer. The defence claimed that it was impossible for every file to have been tested, and that the Trojan horse file might have destroyed itself, leaving no trace.

The forensic examiner for the prosecution stated that a Trojan horse would leave a trace on the computer. The jury nevertheless acquitted Mr Caffrey. Just because an individual has a private key on his computer for use as a digital signature, it does not follow that he is responsible for sending all the messages from that machine.

Concluding remarks

For lawyers, where the use of an electronic signature is at issue, the problem is how to prove the connection between the application of the signature, whatever form it takes, and the person whose signature it purports to be.

To the author's knowledge, there has only been one case, in Germany, where this was at issue. A seller of items on an auction website tried to enforce a contract against three individuals. The seller claimed they entered into a contract by email to buy goods. The goods were never paid for, and the seller took legal action against the three buyers. The purported buyers claimed they did not send the emails, nor sign the emails. The seller relied on the signatures in the emails, and the rule of law is that the person relying on the signature must prove it is genuine.

In this instance, the seller could not prove the buyers sent or typed their names into the emails. As a result, the seller lost the case. This case demonstrates that from a practical point of view, the recipient needs to be confident that the signature is from the person it claims to be, and that he/she actually used the signature in question.

Stephen Mason, Barrister.

Stephen Mason is the author of Electronic signatures in law (LexisNexis Butterworths, 2003); Networked communications and compliance with the law (xpl publishing, 5th edition, 2005); and the electronic and digital signatures editor and author of Chapter VI Electronic and digital signatures for the practitioner loose-leaf textbook by Michéle T Rennie, International Computer and Internet Contracts and Law (Sweet & Maxwell).

He is also Director of the Digital Evidence Research Programme, British Institute of International and Comparative Law; General Editor, e-Signature Law Journal; and Associate Senior Research Fellow, Institute of Advanced Legal Studies.
[email protected]

Copyright Stephen Mason, 2006. 

  

To top^