Legality of Electronic Signatures in the EU and the US
1. Introduction
Electronic signatures were used for the first time in 1861 when agreements were signed by telegraphy using Morse code. In 1869, the New Hampshire Court confirmed the legality of such agreements by stating that:
"It makes no difference whether [the telegraph] operator writes the offer or the acceptance in the presence of his principal and by his express direction, with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. In either case the thought is communicated to the paper by the use of the finger resting upon the pen; nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office."
In the past, electronic signatures were accepted with mixed feelings. Nowadays, they are considered a secure method of authentication and are often used for signing legal documents, such as contracts and tax declarations.
The European Union (EU) and the United States (US), the two largest financial markets, have adopted legislation recognizing the enforceability of electronic signatures. This article provides an overview of the laws concerning electronic signatures in the EU (Section 2) and the US (Section 3). Afterward, it examines the similarity and difference between the EU and the US laws (Section 4). Next, this article analyses the validity of EU electronic signatures in the US and vice versa (Section 5). Finally, a conclusion is drawn (Section 6).
Before proceeding with Section 2, it is necessary to clarify the difference between the electronic signature and digital signature. Any signature in electronic form can be generally defined as an electronic signature. The digital signature is a type of electronic signature that is created by using cryptographic techniques. Such cryptographic techniques are typically based on Public Key Infrastructure (PKI) systems. The term "PKI" refers to the set of computer systems, individuals, policies, and procedures necessary to provide encryption, integrity, non-repudiation, and authentication services by way of public and private key cryptography.
2. EU electronic signature laws
The EU Electronic Signatures Directive 1999/93/EC (the "Directive") currently regulates electronic signatures in the EU. However, on July 1st, 2016, the Directive will be replaced by a new European Regulation which will ensure the cross-border interoperability of electronic signatures within the EU. The Directive defines three types of electronic signature, namely, the basic electronic signature (Section 2.1), the advanced electronic signature (Section 2.2), and the qualified electronic signature (Section 2.3). These three types are discussed below.
2.1 Basic electronic signature
The term "basic electronic signature" refers to "data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication." This type of electronic signature is considered weak in terms of the reliability and security of authentication. For example, a scanned signature attached to a document is regarded as a basic electronic signature.
Basic electronic signatures can be easily faked. In fact, numerous malware programs use fake electronic signatures, including basic electronic signatures. A 2012 McAfee report stated that, at that time, there were 200,000 malware programs that used valid electronic signatures. A large number of those signatures were faked or based on stolen certificates. Some of the faked signatures claim that the code was signed by Microsoft, whereas it was actually signed by a hacker.
2.2 Advanced electronic signature
An advanced electronic signature allows the unique identification and authentication of the signer of a document. Moreover, the advanced electronic signature makes it possible to check the integrity of the signed data. In most cases, asymmetric cryptographic technologies (e.g., PKI) are used for advanced electronic signatures.
There is no difference between the legal value of a basic electronic signature and that of an advanced electronic signature. Both types of electronic signature can have legal effect if they offer sufficient guarantees with respect to authenticity and integrity.
According to the Directive, an advanced electronic signature should meet four requirements, namely: (1) it is uniquely linked to the signatory; (2) it is capable of identifying the signatory; (3) it is created using means that the signatory can maintain under their sole control; and (4) it is linked to the data to which it relates in such a manner that any subsequent change in the data is detectable.
Pertaining to the first requirement, the uniqueness of an electronic signature depends on how unique a signature key is to an individual. Signature keys should be unique if they are generated properly. For instance, the recommended parameters for RSA (a widely used digital signature algorithm) should provide at least the equivalent security of a 128-bit symmetric key, which means that there should be about 10^40 possible values for a signature key. Because this number vastly exceeds the number of people in the world, it is very unlikely that two individuals will generate the same signature key.
Concerning the second requirement, a signatory can be "identified" by verifying an electronic signature created by the signatory. Such a verification can be done, for example, by a PKI system.
With regard to the third requirement, the confidence that an electronic signature could only be produced by the designated signatory requires confidence in: (1) the processes that surround the generation of signature keys; (2) the ongoing management of signature keys; and (3) the secure operation of the computing device that was used to compute the electronic signature.
In relation to the fourth requirement, the only form of electronic signature capable of meeting it is a digital signature created with the signatory's private key, since only a cryptographic signature computed over the data itself allows any subsequent change to that data to be detected.
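The four requirements above map directly onto the properties of a PKI-based digital signature. The following Go program is an added example, not part of the original article, built on the standard library's ECDSA over the P-256 curve and a constructed sample contract: it shows that a signature verifies only for the unmodified document (requirement 4) and only under the signer's own public key (requirements 1 to 3).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the document with SHA-256 and signs the digest with the
// signatory's private key (requirements 1 and 3: only the key holder can sign).
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest over the document as received and checks it against
// the claimed signatory's public key (requirement 2); any change after signing fails (requirement 4).
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo signs a constructed sample contract and reports whether verification succeeds
// for the untouched text, for a copy altered after signing, and under a different person's key.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	var signer, other *ecdsa.PrivateKey
	if signer, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	if other, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	contract := []byte("Constructed sample: Buyer pays 1000 EUR on 2016-07-01.")
	altered := []byte("Constructed sample: Buyer pays 9000 EUR on 2016-07-01.")
	var sig []byte
	if sig, err = Sign(signer, contract); err != nil {
		return
	}
	genuine = Verify(&signer.PublicKey, contract, sig)
	tampered = Verify(&signer.PublicKey, altered, sig)
	wrongKey = Verify(&other.PublicKey, contract, sig)
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "wrong key:", w, "err:", err) // true false false <nil>
}
```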
2.3 Qualified electronic signature
According to the Directive, the qualified electronic signature is an advanced electronic signature which is based on a qualified certificate and which is created by a secure-signature-creation device. In practice, the qualified electronic signature relates to a PKI-based electronic signature for which the signature certificate and the device used to create the signature meet certain quality requirements.
The qualified electronic signature benefits from automatic legal equivalence to a handwritten signature within the territory of the European Union. If a non-qualified signature is used, it will be necessary to assess the following two factors before accepting it for the specific context in which it is used: (1) the characteristics of this electronic signature; and (2) whether it offers sufficient guarantees regarding authenticity and integrity. For the qualified signature, such an assessment is not necessary.
3. US electronic signature laws
The US Electronic Signatures in Global and National Commerce Act (E-Sign Act) allows the use of electronic signatures to "satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent." According to the E-Sign Act, an electronic signature means "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." Consequently, the electronic signature as defined by the E-Sign Act may include, but is not limited to, encryption-based signatures, signatures created by electronic signing pads, and scanned signatures.
The E-Sign Act does not apply to every type of document; certain types of records and documents are excluded from its scope. These include, without limitation, adoption paperwork, divorce decrees, court documents, documentation accompanying the transportation of hazardous materials, foreclosures, prenuptial agreements, and wills.
It should be noted that 48 US states have adopted the Uniform Electronic Transactions Act (UETA) with the aim of creating more uniformity in relation to electronic signatures. The UETA and the E-Sign Act overlap significantly. However, the UETA is more comprehensive than the E-Sign Act. Like the E-Sign Act, the UETA does not distinguish between different types of electronic signatures.
4. Similarity and difference between the EU and the US laws
The similarity between the E-Sign Act and the Directive is that both laws recognize the enforceability of electronic signatures. The difference between the two laws is that, whereas the Directive distinguishes three types of electronic signatures, the E-Sign Act provides a broad definition of electronic signature that encompasses signatures made through various technologies.
5. The validity of the EU electronic signatures in the US and vice versa
In most cases, electronic signatures meeting the requirements of the Directive would also comply with the E-Sign Act because the E-Sign Act defines the electronic signature broadly. However, electronic signatures complying with the E-Sign Act would need to meet additional requirements in order to satisfy the Directive's requirements for advanced electronic signatures and qualified electronic signatures.
6. Conclusions
This article has shown that electronic signatures are legally enforceable in both the EU and the US. However, the EU and the US have adopted different legislative approaches to electronic signatures. While the US provides a broad definition of electronic signature, the EU distinguishes three types of electronic signatures, namely, (1) the basic electronic signature, (2) the advanced electronic signature, and (3) the qualified electronic signature. Each of these three types allows the authentication of electronic communications. The advanced electronic signature and the qualified electronic signature ensure greater security as to the authenticity of electronic communications than the basic electronic signature. The qualified electronic signature benefits from automatic legal equivalence to handwritten signatures.
Although the EU has a comprehensive legal framework regarding electronic signatures, the framework does not ensure the cross-border interoperability of electronic signatures throughout the entire EU. The new EU Regulation, which will enter into force on 1st July 2016, will address this issue by ensuring that electronic trust services (e.g., electronic signatures, electronic seals, time stamps, electronic delivery services, and website authentication) work across all EU countries. The EU Commissioner Neelie Kroes justified the new Regulation as follows:
"People and businesses should be able to transact within a borderless Digital Single Market, that is the value of Internet. Legal certainty and trust is also essential, so a more comprehensive eSignatures and eIdentification Regulation is needed."
* The author would like to thank Rasa Juzenaite for her invaluable contribution to this article.
References
1. Abelson, H., Ledeen, K., Lewis, H., 'Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion', Addison-Wesley Professional, 2012.
2. 'Community framework for electronic signatures', a webpage published by the European Commission, last updated on 6th of July 2011. Available at http://europa.eu/legislation_summaries/information_society/other_policies/l24118_en.htm.
3. Chander, H., 'Cyber Laws and IT Protection', PHI Learning Pvt. Ltd., 3.04.2012.
4. De Andrade, N., 'Electronic Identity', Springer, 2014.
5. Howley v. Whipple 48 N.H. 487 (1869).
6. Liard, B., Lyannaz, C., 'Adoption of a new European legal framework applicable to cross-border electronic identification and e-signatures', September 2014. Available at http://www.whitecase.com/articles/092014/adoption-of-a-new-european-legal-framework-applicable-to-cross-border-electronic-identification-e-signatures/#.VNtvY8krpho.
7. Mason, S., 'Electronic Signatures in Law', Cambridge University Press, 2012.
8. Menna, M., 'From Jamestown to the Silicon Valley, Pioneering A Lawless Frontier: The Electronic Signatures in Global and National Commerce Act', 6 VA. J.L. & TECH 12, 2001.
9. Miller, R., 'Cengage Advantage Books: Fundamentals of Business Law: Excerpted cases', Cengage Learning, 2012.
10. Oriyano, S., 'Cryptography InfoSec Pro Guide', McGraw-Hill Professional, 16 August 2013.
11. Savin, A., 'EU Internet Law', Edward Elgar Publishing, 2013.
12. Savin, A., Trzaskowski, J., 'Research Handbook on EU Internet Law', Edward Elgar Publishing, 2014.
13. Schmugar, C., 'Signed Malware: You Can Run, But You Can't Hide', 23 March, 2012. Available at https://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide .
14. Srivastava, A., 'Electronic Signatures for B2B Contracts: Evidence from Australia', Springer India, 2014.
15. Wang, F., 'Law of Electronic Commercial Transactions: Contemporary Issues in the EU, US and China', Routledge, 2014.