Some issues arising from the use of Digital Signatures
35. Here we indicate
some examples of issues that may arise in litigation. Under the heading
“Evidence in litigation” below we deal with the nature of the evidence
that may be relevant to such issues.
Liability
36. A certificate
may amount to a representation, for example, as to the identity of the
owner of the public key. If the representation is inaccurate and is relied
upon by a third party who suffers loss as a result then there may be a
claim against the CA. Such a claim may give rise to issues as to whether
the CA owes the third party any legal duties, whether the certificate
amounts to representations upon which the third party is entitled to rely
and as to the nature of such representations. A decision as to the liability
of the CA may turn in part upon evidence as to whether the CA’s processes
were reasonable in the circumstances.
37. A certificate
may include a statement purporting to limit the liability of the CA in
relation to certain factual matters and/or as to financial limits. There
may be arguments as to whether a CA is entitled to rely on such limitations.
If the private key is lost then the certificate should be revoked. If
no revocation takes place then issues may arise as to whether the signatory
and/or the CA is liable for such a failure. If the CA is in another country
its liability may have to be determined according to the law of that jurisdiction.
38. In civil or criminal
proceedings there may be an issue as to whether a signatory did sign a
particular electronic document that appears to have been signed using
his private key. To decide whether anyone else had access to it the judge
or jury will consider evidence as to the creation, keeping and use of
the private key.
Alteration of the content of the electronic document
39. There may be
a dispute as to the content of an electronic document, such as the figures
in an electronic order for goods, which has been digitally signed by the
buyer. If the digital signature is verified then it will show that there
has been no alteration since the order was digitally signed. If there
is some evidence that something has gone wrong with the digital signature
technology then it may be necessary to consider not only evidence as to
the creation, keeping and use of the key pair but also evidence about
the verification technology. It is possible that an alleged signatory
may be mistaken as to the content of what he signs or he may be tricked
into signing an electronic document that does not contain what he thinks
it contains. These situations could arise because, as we have said, he
does not actually see much of the signing process. The court may have
to investigate what was seen by the signatory and/or whether or not a
malicious person could have hacked into the signatory’s system or in some
way altered the content of the electronic document before it was signed.
Theft
40. An issue may arise
in criminal proceedings as to whether the private key is “property” capable
of being stolen. A smart card holding the key would be such property but
a judge may have to consider whether the key itself falls within the definition
in s 4(1) of the Theft Act 1968.
Civil Procedure Rules
41. Under Part 5,
paragraph 5.3 of the Civil Procedure Rules, a requirement in the Rules
or any practice direction for a signature is capable of being satisfied
if it is “printed by computer or other mechanical means”. The Practice
Direction, paragraph 1, refers to “replica signatures”, however, which
suggests that the digital signatures described in these Guidelines are
not included.
Hearsay
42. It is submitted
that an electronic signature is no more hearsay than a manuscript signature.
A certificate may be hearsay evidence as to the identity of the owner
of the public key and therefore a party relying on one in civil proceedings
would have to meet the notice requirements of section 2 of the Civil Evidence
Act 1995 and of the provisions of Part 33 of the CPR. In criminal proceedings
it would be necessary to consider the admissibility of a certificate under
section 24 of the Criminal Justice Act 1988.
Legislation
Electronic Communications Act 2000
43. The Act has four
main objectives. The first is to build trust among consumers and business
in the providers of cryptography services. Part I creates power for the
Government to establish and maintain a register of approved providers
of cryptography support services. Those include services securing confidentiality,
authenticity and integrity of electronic communications and data. They
would include a CA as described above. The public would have access to
the register and any changes to the information in it would be publicised.
Its purpose would be to ensure that registered providers have been independently
assessed against particular standards of quality. This is intended to
encourage the public to use their services. Regulations would prescribe
technical and other requirements which applicants for registration would
have to satisfy. The register would be voluntary and there is nothing
in the legislation to prevent provision of the services by unregistered
entities. The Government prefer self-regulation and are working with the
Alliance for Electronic Business which is drawing up a self-regulatory
approvals scheme, known as the tScheme. If the Government are satisfied
that the tScheme meets the objectives they have set, the statutory powers
in Part I will not be used but be held in reserve. There is to be a review
in 2004 of the progress of self-regulation and if it is working well then
under section 16(4) the powers in Part I would lapse within five years.
44. Part II of the
Act confirms the legal admissibility of electronic signatures. It gives
Ministers the powers to modernise legislation by providing for electronic
equivalents to paper signatures, records and documents. The third main
aim of the Act which is dealt with in Part III is to modernise the current
system for modification of telecommunications licences.
Admissibility of electronic signatures and certificates
45. Section 7 deals
with the admissibility of electronic signatures and certificates. It is
not limited to digital signatures but could apply to any electronic means
of signing communications or records. The statute does not deal with
whether or not the signature is, for example, genuine or intended to have
legal effect. That will be a matter of evidence for the judge to decide.
Nor does section 7 authorise the use of digital signatures where the law
requires use of a traditional means of signing. Unless some statutory
requirement provides otherwise, parties may reach agreement as to procedures
to be adopted to prove that the electronic document comes from the person
from whom it purports to come or that it has not been altered on the way
or as to any other aspect of the process. This legislation is not intended
to interfere with any such contractual arrangement.
46. The wording of section 7(1) is as follows: In any legal proceedings –
(a) an electronic signature incorporated into or logically associated
with a particular electronic communication or particular electronic
data, and
(b) the certification by any person of such a signature,
shall each be admissible in evidence in relation to any question as to
the authenticity of the communication or data or as to the integrity of
the communication or data.
47. The words “incorporated
into or logically associated with a particular electronic communication”
could cover signatures effected digitally and those which are in part
digital and in part verified by use of biometric recognition or a password.
In (a) the use of the phrase “or particular electronic data” is to ensure
that the clause covers digital signature of a document that is not to
be sent anywhere but just to be stored. It would also cover simpler signatures
such as a facsimile of a manuscript signature at the end of a faxed document
or a sender’s name written electronically at the end of an e-mail message.
48. Subsection (2)
defines an electronic signature. It provides: For the purposes of this
section an electronic signature is so much of anything in electronic form
as -
(a) is incorporated
into or otherwise logically associated with any electronic communication
or electronic data; and
(b) purports to be so incorporated or associated for the purpose of
being used in establishing the authenticity of the communication or
data, the integrity of the communication or data, or both.
49. Authenticity and
integrity are defined in section 15(2): In this Act -
(a) references
to the authenticity of any communication or data are references to any
one or more of the following:
(i) whether the communication or data comes from a particular person
or other source;
(ii) whether it is accurately timed and dated;
(iii) whether it is intended to have legal effect; and
(b) references to the integrity of any communication or data are
references to whether there has been any tampering with or other
modification of the communication or data.
50. As for certification,
this is defined in section 7(3): For the purposes of this section an electronic
signature incorporated into or associated with a particular electronic
communication or particular electronic data is certified by any person
if that person (whether before or after the making of the communication)
has made a statement confirming that:
(a) the signature,
(b) a means of producing, communicating or verifying the signature,
or
(c) a procedure applied to the signature,
is (either alone or in combination with other factors) a valid means of
establishing the authenticity of the communication or data, the
integrity of the communication or data, or both.
51. The wording of
section 7, subsection (3) was amended at Third Reading in the House of
Commons on 25 January 2000 so as to insert the word “verifying” in 7(3)(b)
and the words “is (either alone or in combination with other factors)”.
The Minister, Patricia Hewitt, explained that the amendment to (3)(b)
was to make it clear that certification of a public key is one of the
matters deemed to be admissible under sub-section 3(b). The inclusion
of the words in parenthesis is, she explained, to make “it clear that
any one of those processes or procedures is admissible in its own right,
as well as when it is combined with other facts”.
52. In the House of
Lords debate at the Report stage of the Bill on 16 May 2000 Lord McIntosh
for the government said (Hansard column 186) - “The Government’s intention
is that the clause [now section 7] should apply to a wide category of
electronic things so that the courts are able to receive evidence of them
and give that evidence the weight it should properly bear. The clause
states what is meant by an electronic signature and its certification.
Each of these terms is given a pretty wide meaning. . . Clause 7 (3) has
already been amended in another place to widen the concept of certification
in the Bill. In particular a certificate does not have to be seen in isolation.
In considering whether the subject matter of a certificate is a valid
means of establishing authenticity or integrity – for example, when a
witness is required to confirm an electronic signature – other factors
may be considered as well”.