[*PG145]THE EUROPEAN COMMISSION’S DIRECTIVE ON ELECTRONIC SIGNATURES: TECHNOLOGICAL “FAVORITISM” TOWARDS DIGITAL SIGNATURES

Andrew Barofsky

Abstract:  The increasing use of e-commerce generally is considered a positive trend that should be fostered. Yet, many lawmakers believe that laws requiring signatures to authenticate certain transactions represent obstacles to e-commerce and threaten to keep it from reaching its full potential. In the European Union, several Member States have drafted or enacted “electronic signature” laws to define the legal validity of electronic signatures. However, many of these laws are taking diverging approaches, thus creating an inconsistent framework for electronic signatures. In response, the European Commission recently adopted a directive to provide a common framework for electronic signatures. In its present form, the Signature Directive appears to favor the use of a particular type of electronic signature called a digital signature to the potential detriment of other current and future technologies. This Note examines the Signature Directive’s approach to defining the legal validity of electronic signatures and concludes that the Commission should revise the Signature Directive to take a more technologically neutral approach.

Introduction

The volume of capital flowing through the veins of electronic commerce continually reaches new heights.1 By the year 2002, the total value of Internet transactions alone is expected to reach 446 billion U.S. dollars.2 This phenomenal growth of the Internet is radically impacting modern commercial and governmental practices.3 Organi[*PG146]zations worldwide are rearranging administrative and marketing strategies in order to exploit this powerful technology.4

Many consider Internet growth to be a positive development that should be fostered.5 Several lawmakers believe that certain legal “barriers” threaten to keep e-commerce from reaching its full commercial potential.6 This concern led to the development of many legal strategies aimed at removing legal obstacles to electronic commerce.7 The requirement that a “signature” authenticate certain transactions is one obstacle that receives a great deal of attention.8 Uncertainty exists about whether contracts made and “signed” through entirely electronic means will be deemed valid.9 Supporters argue that laws requiring signatures are “flexible and supportive of new commercial methods” and, therefore, electronic signatures should be recognized.10 However, due to persistent skepticism, most agree that some degree of legislative intervention is called for.11

In the European Union (EU), several Member States already have drafted or enacted “electronic signature” laws to define the legal validity of electronic signatures.12 Many of these laws take diverging approaches.13 The European Commission (Commission) believes this lack of uniformity endangers “the functioning of the Internal Market in the field of electronic signatures.”14 Moreover, “[d]ivergent rules [*PG147]concerning the legal effect attributed to electronic signatures are particularly detrimental to the further development of electronic commerce and, for this reason, to economic growth and employment in the Community.”15 In response, the Commission proposed a Directive to provide a common framework for electronic signatures (Draft Directive).16 The Draft Directive’s primary aim is to create a “harmonized and appropriate legal framework for the use of electronic signatures within the Community and [to establish] a set of criteria which form the basis for legal recognition of electronic signatures.”17 The European Council adopted the Signature Directive on December 13, 1999 (Signature Directive).18

This Note examines the Signature Directive’s approach to defining the legal validity of electronic signatures. Part I presents a background on E-commerce and electronic signatures. Part I also introduces the Signature Directive, focusing on Article 5 which concentrates on legal validity, as well as other electronic signature laws promulgated throughout Europe. Part II discusses the “technology-neutral” and “digital signature” approaches to electronic signature legislation, while Part III analyzes the issues raised by the Signature Directive’s approach for creating a harmonized standard for legal validity of electronic signatures. This Note concludes by arguing that the Commission should revise the Signature Directive to take a more technologically neutral approach.

I.  History and Background

A.  Signature Requirements

In civil and common law countries alike, the enforceability of many types of contracts is subject to certain formalities.19 The most [*PG148]common formality is the requirement of writing and signature.20 For example, many European countries require that all non-commercial transactions over the equivalent of 5000 Francs21 be in written or notarial form; otherwise, the evidence of witnesses is inadmissible.22 Similarly, most sales of land can “only be made in writing.”23

Several reasons for formal requirements have been advanced, including preserving evidence, putting parties on notice, signaling the transition from negotiation to contract, and providing information.24 Conversely, several disadvantages to contract formalities also have been identified.25 These disadvantages include: (1) inhibiting freedom of contract, (2) slowing the “free flow of commerce,” and (3) allowing a party to defeat justified expectations.26 Of these three, the impediment to the “free flow of commerce” presents the greatest potential obstacle to e-commerce.27 Unless electronic documents are treated as “writings” which can be “signed,” paper records will have to supplement many electronic transactions, resulting in e-commerce that is “more expensive, less competitive, and less efficient.”28

B.  E-commerce and Electronic Signatures

Commercial data has been transferred between computers for several decades, primarily through Electronic Data Interchange (EDI).29 EDI technology typically involves transferring structured and coded messages, such as purchase orders and invoices, over secure network systems.30 The standards for structuring and coding the messages, as well as their legal consequences, are spelled out in paper-based contracts commonly referred to as “trading partner” agree[*PG149]ments.31 EDI offers several advantages over conventional paper-based commerce.32 It eliminates paper “shuffling and storage,” allows for quicker response time, reduces human error, and decreases misunderstandings.33 Use of EDI, however, generally is limited to companies involved in ongoing commercial relationships.34 Accordingly, EDI lacks broad consumer access.35

In contrast, Internet-based commerce can involve transactions between unfamiliar parties, including both businesses and consumers.36 This feature, coupled with a phenomenal expansion in the number of online participants, has made the Internet a worldwide marketplace.37 This marketplace, however, is a more hazardous environment than most EDI systems.38 Although both technologies involve the transfer of alterable digital messages, EDI transactions typically occur over secure networks and employ specially structured and coded messages.39 Moreover, trading partner contracts define the legal effects of EDI transactions.40 By contrast, messages transmitted over open networks, such as the Internet, can be intercepted and manipulated by third party users without detection.41 Furthermore, it is relatively difficult to identify the source of a message transmitted over the Internet.42 Finally, the holder of electronic records can “easily and undetectably” alter the records.43

Despite the security risks, data routinely is transferred over the Internet throughout the commercial world.44 Paper is rapidly giving way to purely electronic forms of documentation.45 This trend includes the increased use of electronic documents in the formation of [*PG150]contracts.46 Electronic contracts, like their paper counterparts, are subject to contract formalities requiring “signatures.”47 There are many ways to “sign” an electronic contract.48 A simple text signature closing an e-mail message is a common example.49 Another example is a “mouse click” that indicates the intent to be bound by certain legal terms on a web page.50 Although simple methods such as these theoretically may satisfy the formality of signature, they lack many of the “inherent security attributes” of signed paper documents, such as “semipermanence of ink embedded in paper, unique attributes of some printing processes, watermarks, the distinctiveness of individual signatures, and the limited ability to erase, interlineate, or otherwise modify words on paper.”51 Furthermore, in order to overcome the Internet’s inherent security risks, electronic signatures must serve three critical purposes, “[1] to identify the source or sender, [2] to indicate the sender’s intent (for example, to be bound by the terms of a contract), and [3] to ensure the integrity of the document signed.”52 Text e-mail signatures, mouse clicks, and the like apparently fail to serve these purposes.53

Therefore, more sophisticated methods for securely authenticating electronic documents have been developed.54 The most popular is the “digital signature.”55 Digital signatures are a special class of electronic signatures that use public key cryptography to give electronic signatories a unique digital identification.56 Used properly, digital sig[*PG151]natures identify the sender, ensure message integrity, and render the message non-repudiative.57

Cryptography is the process of communicating in secret writings.58 In conventional cryptography, identical keys are used to encrypt (i.e. “sign”) and decrypt messages.59 By contrast, public key cryptography is an asymmetric system in which a “private key” is issued to the key subscriber and a separate but mathematically linked “public key” is widely distributed.60 Only the holder of a linked private key can decipher a document “signed” with a public key.61 Conversely, if a document is signed with a private key, any holder of a corresponding public key can decipher the message.62 However, “it is technically impossible to derive a private key from a published public key.”63 In addition, the message’s integrity is verified by using special mathematical algorithms known as hash functions.64 Each encrypted or signed message has a unique hash result.65 If a message is tampered with, the hash result is altered and the signature invalidated.66 Systems that manage the keys are called Public Key Infrastructures (PKI).67 In a typical PKI, Certification Authorities (CA) issue keys and guarantee the identity of private key holders.68

Digital signatures are not, however, the only available form of secure electronic signature.69 “Signature dynamics” combines biometrics and cryptography to create signatures that securely attach unique characteristics of an actor’s character or behavior to an electronic document.70 Successful examples include the PenOp and SMARTpen.71 These devices capture an individual’s signature while simulta[*PG152]neously verifying the individual’s identity.72 Signature dynamic methods of authentication have the advantage of being bound to the signatory rather than to the document.73 This feature eliminates the need to go through a trusted third party or a CA to link an electronic signature to an individual.74 Not only do digital signature and signature dynamics overcome digital technology’s susceptibility to easy forgery and manipulation, these technologies make possible a degree of security far greater than that established by ink on paper.75

C.  European Electronic Signature Laws

In the EU, only Germany and Italy have enacted electronic signature legislation.76 Several other Member States, however, have legislative proposals under review or ready for adoption.77 A brief review of different European legal schemes highlights the different approaches taken to regulate electronic signatures.78

On March 15, 1997, Italy passed the Bassini Law (Italian Law) which validates the use of digital signatures for legal transactions.79 The Italian Law is limited strictly to digital signatures.80 Notably, it treats a digital signature as the equivalent of a hand-written signature only if it is based on asymmetrically paired keys that are certified by an officially authorized CA.81 The Italian Law recognizes digital signatures from other Member States if they are based on “equivalent requirements.”82

Germany passed digital signature legislation in August of 1997 (German Act).83 The German Act focuses on defining the “conditions [*PG153]under which digital signatures are deemed secure.”84 Unlike the Italian Law, it does not grant digital signatures the legal equivalency of hand-written signatures.85 Rather, digital signatures meeting voluntary technical standards merely are presumed to be “secure” in a court of law.86 The principal effect of the German Act is that users of digital signatures may benefit from a legal presumption that is not attainable through the use of other types of electronic authentication technology.87

In contrast to the Italian Law and the German Act, the United Kingdom is proposing an Electronic Communications Bill (English Bill) that will grant electronic signatures legal admissibility in court for the purpose of establishing the “authenticity” or “integrity” of communications.88 “Authenticity” refers to whether the communication or data comes from a particular person or other source or is accurately timed and dated.89 “Integrity” refers to “whether there has been any tampering with or other modification of the communication or data.”90 The English Bill is not tied to one particular technology and “leaves it up to the court[s] to decide in a particular case whether an electronic signature has been correctly used and what weight it should be given.”91

D.  Electronic Signature Directive

On June 18, 1999, the European Council reached a common position on the Signature Directive.92 The primary aim of the Signature Directive is to create a “harmonized and appropriate legal framework for the use of electronic signatures within the Community and [to establish] a set of criteria which form the basis for legal recognition of electronic signatures.”93 The Signature Directive defines an “elec[*PG154]tronic signature” as “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.”94 According to the Signature Directive, an electronic signature is an “advanced electronic signature” if:

a) it is uniquely linked to the signatory;

b) it is capable of identifying the signatory;

c) it is created using means that the signatory can maintain under his sole control; and

d) it is linked to the data to which it relates in such a manner that any subsequent alteration of the data is detectable.95

The Signature Directive takes a two-tiered approach in defining the legal effects of an electronic signature.96 The first tier requires Member States to “ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings” solely because it is a) not in electronic form, b) not based on a qualified certificate or not based on a qualified certificate issued by an accredited certification-service-provider, or c) not created by a secure signature-creation device.97 A “certificate” is an “electronic attestation which links signature-verification data to a person and confirms the identity of that person.”98 A “qualified certificate” is a certificate that meets specific security standards and is issued by a qualified “certification-service-provider,” more commonly known as a CA.99 The Signature Directive lays down requirements for qualified certificates and CAs in Annexes I and II, respectively.100 Similarly, requirements for a “secure-signature-creation device” are laid down in Annex III.101 The first level of legislation accepts most electronic signatures on a technologically-neutral basis.102

The second tier of legal validation entitles qualified technologies to legal equivalency with handwritten signatures.103 The Signature Directive requires Member States to:

[*PG155]ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data, and b) are admissible as evidence in legal proceedings.104

II.  Discussion

The proliferation of electronic signature legislation, both in the United States and abroad, has fueled much scholarly debate.105 A central source of disagreement among scholars and lawmakers is whether the laws governing electronic signatures should remain neutral towards technology or attempt to specifically regulate currently favored technologies.106 At the time when the first electronic signature initiatives began to emerge, digital signatures were the most widely used and universally accepted means for securely authenticating electronic documents.107 Therefore, early electronic signature initiatives were limited to promoting and facilitating digital signature technology.108 The Utah Digital Signature Act, enacted in 1995, typifies this approach and is the foundation for subsequent initiatives, including the German and Italian digital signature laws.109 Supporters of the “technology movement,” particularly the German Government, continue to believe that e-commerce legislation should be “limited to digital signatures, and thus to a technical concept for guaranteeing authenticity and integrity which can satisfy the high technical security standards required in electronic commerce.”110 In jurisdictions that have enacted digital signature-specific laws, it is not clear whether an [*PG156]electronic message signed by any method other than a digital signature is valid.111

Laws favoring digital signatures have sparked much criticism.112 Critics argue that such legislative intervention is premature, overregulating, and interferes with the natural evolution of the market.113 “Favoritism” toward digital signatures risks excluding other possibly superior technologies from entering and competing in the marketplace.114

More recent electronic signature laws have parted with the “technology movement” in favor of more technology-neutral or “minimalist” legal frameworks.115 The goals of the “law revision movement” are to “remove the barriers to electronic commerce, treat electronic communications on a par with paper communications, and not to favor one technology over another (technology neutrality) nor one business model over another (implementation neutrality).”116 According to this theory, the law merely should enable the use of electronic signatures, so that parties are free to choose whatever “technology” and “implementation scheme” they deem most suitable for their particular transactions.117 Initiatives cast under this approach intentionally avoid regulating authentication techniques, such as digital signatures.118

“Minimalist” laws are criticized for failing to establish a reliable security infrastructure.119 Potential participants may forego engaging in e-commerce because of the absence of legally recognized security procedures.120 Moreover, the pervasive use of insecure electronic signatures may give rise to fraud, message tampering, and mistake, fur[*PG157]ther decreasing confidence in e-commerce.121 Accordingly, in order for e-commerce to enjoy widespread use, critics argue, a reliable security infrastructure is needed.122

III.  Analysis

The Signature Directive’s two-tiered structure strives to reach a middle ground between technology-specific and enabling approaches.123 On the one hand, the Signature Directive enables the use of all electronic signatures by mandating their “legal effectiveness and admissibility as evidence in legal proceedings.”124 On the other hand, it promotes digital signature technology by creating a presumption that “advanced electronic signatures which are based on a qualified certificate . . . satisfy the legal requirements of a signature . . . in the same manner as a handwritten signature.”125 This presumption is limited functionally to digital signatures because qualified certificates are unique to PKI technology.126

Under the Signature Directive, authentication methods that qualify as “advanced electronic signatures,” created by a “secure-signature-creation device” but not based on a qualified certificate, appear to fall short of presumptive equality with handwritten signatures.127 It follows that signatures created through signature dynamics would not enjoy the same presumptive validity as digital signatures because they provide direct proof of signer identity rather than relying on “a complex system of trusted third parties.”128 Thus, under the current Signature Directive, a business using an otherwise “secure” signature method that is not a digital signature subject to a qualified certificate risks creating an unenforceable or voidable contract.129 This is not “technological neutrality” but rather technological “favoritism.”

As Theodore Roosevelt said, “[I]t is difficult to make our material condition better by the best law, but it is easy enough to ruin it by bad laws.”130 As between the technology-specific and technology-neutral [*PG158]approaches, it is the latter that comports with the principles suggested by this maxim.131 Businesses that engage in sound commercial business practices will, as they currently do, choose methods for signing their computer documents that meet their commercial needs.132 Businesses should use digital signatures because they solve practical problems created by open network transactions, not because the law dictates their use.133 “[T]he technology implementation itself provides the necessary security and certainty necessary for electronic commerce without the need for legislative intervention.”134 Thus, laws favoring digital signatures are not needed to create a “security infrastructure.”135 Moreover, enacting technology-specific and technology-favoring laws risks precluding more favorable market-oriented solutions.136

In its present form, the Signature Directive appears to favor digital signatures to the potential detriment of other current and future technologies.137 Encouraging the use of digital signatures is superfluous to achieving the Signature Directive’s goals of Market harmonization.138 Simply validating currently held broad interpretations of what is a “writing” is sufficient to remove fears that electronic contracts will be held invalid.139 For example, Ireland is considering this better reasoned approach and recently unveiled an outline for electronic signature legislation.140 This outline borrows the Signature Directive’s first tier of validation, but notably leaves out the second tier.141

Conclusion

Statutes that merely extend legal recognition to electronic signatures can best foster electronic commerce on the Internet. Statutes [*PG159]that, in the name of security, favor one emerging technology over another will hinder the natural growth of a burgeoning market. Under the Signature Directive, the fittest technology may not be given a chance to survive. The Commission should revise the Signature Directive to “enable” electronic signatures and to eliminate the special treatment granted to digital signatures.
