Electronic Signature

The term electronic signature has several meanings. In recent US law, influenced by ABA committee white papers and commercial interest in PKI liability limitation or immunity, electronic signature has acquired the following meaning: an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record. This is the definition used by the U.S. ESign Act of 2000, which has been emulated in several jurisdictions, including several US states who have adopted model legistation (most notably, the UETA). In fact, the concept is older still in US common law, in which references to telegraph signatures, and faxed signatures can be found, some as far back as the mid-19th century.

Most, especially those with an information theory or cryptography background, use "digital signature" to refer to a digital signature protocol using cryptographic techniques, either on a document, or on a lower-level data structure. Many, however, use the terms interchangeably, leading to considerable confusion and problems as cryptographic signature techniques are very different, whatever the term used, than other electronic signatures and have extremely different security properties. Digital signatures are a 'subset' of electronic signatures.

History and Examples of Use

Beginning well before the US Civil War (1860), people used Morse code and the telegraph to electronically send and agree to contracts. An early acceptance of the enforceable validity of electronic signatures of this kind came from the New Hampshire Supreme Court in 1869. But it was the invention of electronic communication method which brought electronic signatures into everyday use.

In the 1980’s, many companies and even some progressive individuals began using fax machines for high priority or time sensitive delivery of paper based documents. Although a signature in such cases was typically on a piece of physical paper, the image capturing process and the transmission of a copy of the signature was done electronically.

Courts in various jurisdictions have decided, by the present time, that enforcable electronic signatures can include agreements made via email, by entering a person identification number "PIN" into an ATM bank machine, 'signing' a credit/debit slip with a digital pen pad device at a sales counter,, acceptance of the terms of an End-User Licennse Agreement via clickwrap when installing software, or by signing electronic documents online.

Legality of electronic signatures

Legal definitions

Various laws have been passed internationally to facilitate commerce by the use of electronic records and signatures in interstate and foreign commerce. The intent is to ensure the validity and legal effect of contracts entered into electronically. For instance,

ESIGN Act Sec 106 definitions

(2) ELECTRONIC- The term `electronic' means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

(4) ELECTRONIC RECORD- The term `electronic record' means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.

(5) ELECTRONIC SIGNATURE- The term `electronic signature' means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

GPEA Sec 1710 definitions

(1) ELECTRONIC SIGNATURE.—the term "electronic signature" means a method of signing an electronic message that—

(A) identifies and authenticates a particular person as the source of the electronic message; and

(B) indicates such person's approval of the information contained in the electronic message.

UETA Sec 2 definitions

(5) "Electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

(6) "Electronic agent" means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part, without review or action by an individual.

(7) "Electronic record" means a record created, generated, sent, communicated, received, or stored by electronic means.

(8) "Electronic signature" means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

Federal Reserve 12 CFR 202 definitions

refers to the ESIGN Act

Commodity Futures Trading Commission 17 CFR Part 1 Sec. 1.3 definitions

(tt) Electronic signature means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

Food and Drug Administration 21 CFR Sec. 11.3 definitions

(5) Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

(7) Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

Legal Test of electronic signatures

In law, if a signature on a contract or other document is contested, the signature must meet certain tests before a court will uphold them if contested. These requirements vary by jurisdiction, but various sorts of signatures, some entirely electronic Telex addresses (for example, ABC Company sends a Telex to XYZ Company making an offer at a particular price. The offer was held to be binding when the 'signature' was challenged.), telegrams (for example, "I ACCEPT, SMITH" even though Smith never actually touched the telegraph key), and faxes of documents, even in some cases where the original was not signed by the sender.

A central question in such cases is forgery and spoofing of assent, and in these decisions, courts have held that forgery and spoofing can be in practice ruled out. Nevertheless, it is easily possible, for many electronic methods of signature, or imputed signature, to forge or spoof assent. The rapidly rising problem of identity theft illustrates the ease of such forgeries.

Often, businesses rely on other means to attempt to ensure an electronic signature is correct, including talking with the signing person directly or over the phone before an electronic signing, having an ongoing business relationship, and receiving payment or other indications of intent to do business that do not rely solely on a signed document. This is good business practice even in the paper world, as forgeries have been common there since time immemorial. Fraud is a common issue in all signature situations, and neither type of signature (paper or electronic) provides fully effective anti-fraud protections.

None of the electronic signatures in these examples are digital signatures in that there is no cryptographic assurance of the sender's identity, and no integrity check on the text received. however, all are electronic signatures, and all have been found legally binding in some circumstances.

Laws regarding use of electronic signatures

• U.S. - Electronic Signatures in Global and National Commerce Act
• U.S. - Uniform Electronic Transactions Act - adopted by 48 states
• U.S. - Digital Signature And Electronic Authentication Law
• U.S. - Government Paperwork Elimination Act (GPEA)
• U.S. - The Uniform Commercial Code (UCC)
• UK - s.7 Electronic Communications Act 2000
• European Union - Electronic Signature Directive (1999/93/EC)
• Mexico - E-Commerce Act [2000]
• Costa Rica - Digital Signature Law 8454 (2005)
• Slovenia Slovene Electronic Commerce and Electronic Signature Act

Pseudo-legal use of imputed electronic signatures

Some web sites (notably pornographic ones) and software EULAs claim that various electronic actions are legally binding signatures, and so are an instance of electronic signature. For example, a web page might announce that, by accessing the site at all, you have agreed to a certain set of terms and conditions. A software product might assert, in its packaging or on an early installation screen, that by using it you have agreed to licensing terms. These may or may not have been discernable prior to sale, and may or may not be completely displayed even at installation. Such licenses often include such restrictions as a prohibition of reviewing the product for publication (electronic or otherwise) without prior permission of the publisher/distributor, or prohibition on studying the product (ie, reverse engineering) for an otherwise lawful purpose such as producing data files in a compatible format. Some such claims would appear to be contrary to patent law (which requires public disclosure as a condition of granting a patent) or to copyright law which does the same for works available to the public, or to contract law which requires informed knowing assent to reasonable contract terms as a condition of enforceablity in court. Only if all such covered matters are trade secrets would many such clauses appear sustainable, but even so a condition of trade secrecy is maintenance of the secret by the holder. This may not be met in the case of a widely distributed product offered for sale to anyone.

The legal status of such claims is uncertain. In the US, only two states have adopted a new revision of the Uniform Commercial Code which authorize such licensing restrictions, with disclosure after purchase. The validity of such terms remains uncertain, despite the views of many EULA authors. Analogies to the physical world in which contracts and signatures are written, signed, and stored in tangible form suggest that analogous terms would not be acceptable. In the UK, Regulation 9 of the Electronic-Commerce (EC Directive) Regulations 2002 (SI 2002/2013) requires that a purchaser is able to determine in advance “the different technical steps to follow to conclude the contract.”

Cryptographic signatures

An electronic signature may incorporate a digital signature if it uses cryptographic methods to assure, at the least, both message integrity and authenticity. For example, a proposed contract accepted by a vendor and returned via email to the purchaser after being digitally signed. In fact, in modern practice, a digital signature of some text is always electronically processed in some sense, for the cryptographic mechanisms are impracticable without computers. In theory however, this is not required. Because of the use of message integrity mechanisms, any changes to a digitally signed document will be readily detectable if tested for, and the attached signature cannot then be taken as valid.

It is important to understand the cryptographic signatures are much more than an error checking technique akin to checksum algorithms, or even high reliability error detection and correction algorithms such as Reed-Solomon. These can offer no assurance that the text has not been tampered with, as all can be regenerated as needed by a tamperer. In addition, no message integrity protocols include error correction, for to do so would destroy the tampering detection feature.

Popular electronic signature standards include the OpenPGP standard supported by PGP and GnuPG, and some of the S/MIME IETF standards. All current cryptographic digital signature schemes require that the recipient have a way to obtain the sender's public key with assurances of some kind that the public key and sender identity properly belong together, and that message integrity measures (also digital signatures) which assure that neither the attestation nor the value of the public key can be surreptitiously changed be present and used. A secure channel is not typically required.

A digitally signed text may also be encrypted for protection during transmission, but this is not required when most digital signature protoocls have been properly carried out. Confidentiality requirements will be the guiding consideration.