The digital signature

The use of digital signatures (also, confusingly, called electronic signatures in some jurisdictions, especially in Europe as a result of the language used in the EU Directive) has been taken up by a number of judicial systems, mainly in civil jurisdictions, to permit the submission of papers electronically to a court. What is of interest is that the relying party (the court) relies on one small item to persuade it that the sender is the person who they claim to be: the password that protects the private key, and which enables the sender to cause a computer to affix the digital signature to the document.

In reality, the reliance rests on the integrity of the password and the security in place to protect the password and private key.

The private key of a digital signature (also known as an ‘advanced electronic signature’ in the EU) is protected by a password. If you use a digital signature (or you are the recipient of a document or e-mail with a digital signature affixed) the most important point to be aware of is this: the private key of a digital signature is only as good as the password that protects it. This means that when the password is inserted into a computer to provide access to the private key of a digital signature it proves any of the following:

1. the person to whom the private key was issued was the one that inserted this information into the computer, and therefore the recipient can rest assured that the private key of the digital signature proves that the person to whom the private key was issued is physically at the keyboard at the time of the session; or

2. a person (perhaps the owner of the private key or her secretary) instructed the computer to retain the password information in the computer memory, so that any person that obtains access to the private key (as in the Russian banking cases where hackers or insiders used the password of a private key to authorize the transfer of millions of roubles from company bank accounts) can use the password, which in turn does not prove that the person to whom the private key was issued is physically at the keyboard at the time of the session (and how is the recipient of the correspondence to know it was the person whose key it was, or her secretary, or an impostor?); or

3. a person (whoever they may be) that used the password actually knew the password.

Whether a username and password is used, or whether a password and the private key of a digital signature is used, the following can be concluded in relation to any activity that entails using a password (or PIN):

The person that keyed in the password (or username and password) knew the password (or username and password); or

The person with access to the computer (whether they were sitting in front of the computer or whether they obtained control of the computer remotely) did not need to know the password because the computer was instructed to remember the password.
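The cases listed above, seen from the relying party's side, as an added example that is not part of the original text. It uses only Node.js's built-in crypto module; the password, the document text and the function names are constructed for illustration.

```javascript
// Added example: constructed password and document; Node.js built-in crypto only.
const crypto = require("crypto");

// Issue an Ed25519 key pair; the private key is stored encrypted under a password.
function issueKey(password) {
  return crypto.generateKeyPairSync("ed25519", {
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem",
                          cipher: "aes-256-cbc", passphrase: password },
  });
}

// Anyone (or any program) that supplies the password can affix the signature.
function affixSignature(encryptedKeyPem, password, documentText) {
  const key = crypto.createPrivateKey({ key: encryptedKeyPem, passphrase: password });
  return crypto.sign(null, Buffer.from(documentText), key);
}

// Everything the relying party can check: document + signature + public key.
function relyingPartyVerifies(publicKeyPem, documentText, signature) {
  return crypto.verify(null, Buffer.from(documentText), publicKeyPem, signature);
}

function demo() {
  const password = "constructed-password";                // sample value
  const doc = "Transfer 1,000,000 roubles to account X";  // sample document
  const { publicKey, privateKey } = issueKey(password);

  // Case 1: the key holder types the password herself.
  const byOwner = affixSignature(privateKey, password, doc);

  // Case 2: the computer was told to remember the password, so whoever has
  // access to it (locally or remotely) never needs to know or type it.
  const rememberedPassword = password;
  const byWhoeverHasAccess = affixSignature(privateKey, rememberedPassword, doc);

  // Without the password the private key cannot be used at all.
  let wrongPasswordRejected = false;
  try { affixSignature(privateKey, "guess", doc); } catch { wrongPasswordRejected = true; }

  return {
    ownerValid: relyingPartyVerifies(publicKey, doc, byOwner),
    otherValid: relyingPartyVerifies(publicKey, doc, byWhoeverHasAccess),
    // Ed25519 is deterministic: the two signatures are byte-for-byte identical.
    indistinguishable: byOwner.equals(byWhoeverHasAccess),
    wrongPasswordRejected,
    alteredDocValid: relyingPartyVerifies(publicKey, doc + "0", byOwner),
  };
}

console.log(demo());
```

Verification confirms that the document is unaltered and that the private key was used; nothing in the signature records who caused the key to be used.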

Many people (including lawyers) actually believe that if the private key of a digital signature is affixed to a document or e-mail, it means that the digital signature was actually affixed by the person whose key it was. One must beware of anybody that does not understand logic!

Argentina
Employment: Huberman Fernando Pablo c/Industrias Audiovisuales Argentinas SA s/despido; formation of contract: Cooperativa de Vivienda Crédito y Consumo Fiduciaria LTDA c/Becerra Leguizamón Hugo Ramón s/incidente de apelación

Brazil
Legal effect of electronic documents: Apelação Cívil (Civil Appeal) N. 2006.01.99.025080-7/GO of September 19, 2006, the Tribunal Regional Federal - 1a. Região (Federal Appeal Court of the 1st Region)

Colombia
Juan Carlos Samper Posada v Jaime Tapias, Hector Cediel and others - for note of this case, see the Digital Evidence and Electronic Signature Law Review, 2005

Czech Republic
Validity of papers sent to the court electronically: IV. ÚS 319/05, issued on April 24, 2006; Supreme Court of the Czech Republic, case number 5 Tdo 1059/2006, issued on September 20, 2006

Estonia
AS Valga Külmutusvagunite Depoo (in bankruptcy) - for note of this case, see the Digital Evidence and Electronic Signature Law Review, 2004

France
Signing health records: Conseil d’Etat Fédération Nationale des Infirmiers, 26 mars 2004, 255265

Germany
FG Münster 11 K 990/05 F (Electronically signed statement of claim – On the interpretation of the term ‘monetary limitation’); Federal Finance Court (BFH - Bundesfinanzhof), file number VII B 138/05; BFH/NV 2006, 104; Higher Administrative Court Rheinland-Pfalz (OVG Rheinland-Pfalz - Oberverwaltungsgericht), file number 10 A 11741/05, NVwZ-RR 2006; Higher Administrative Court Bavaria (Bayerischer VGH - Verwaltungsgerichtshof), unpublished, file number 12 ZB 05.2821 (see also Higher Administrative Court Hesse (Hessischer VGH - Verwaltungsgerichtshof), file number 1 TG 1668/05, DÖV 2006); Administrative Court Sigmaringen (VG Sigmaringen - Verwaltungsgericht), VBlBW 2005, 154, file number 5 K 1313/05; Higher Administrative Court of Rhineland-Palatinate (OVG Rheinland-Pfalz) 10 A 11741/05, dated April 21, 2006 - these cases are discussed by Dr Martin Eßer in Chapter 7 of my book.

Russian Federation
There have been a number of cases in the Russian Federation involving digital signatures. They all involve the authorization of the transfer of funds from bank accounts (which must be undertaken by digital signature in the Russian Federation). The organization has taken issue with the bank after a large transfer has been effected. The request to transfer the funds was accompanied by the correct digital signature of the person with the authority within the organization. In taking legal action to recover the money, the banks have been able to demonstrate that their actions were based on instructions received from the appropriate person authorized within the organization to authorize the transfer, and in each case the digital signature of the person was correctly affixed to the transfer request. The organization, it is not surprising, has not been able to prove that the private key to the digital signature was used by anybody other than the person whose private key it was. One case report of the Federal Arbitration Court of Moscow Region of 5 November 2003 appears in the 2008 issue of the Digital Evidence and Electronic Signature Law Review.

This is the classic problem with all forms of electronic signature

How does the recipient (arguably there is a significant difference between a recipient, a verifying party and a relying party) know that the person whose signature is affixed to the document (whatever form the document takes) was the person that actually affixed their digital signature or typed their name into the document? With respect to digital signatures, many laws provide a legal presumption that if you have a digital signature, you are assumed to have used it unless you can prove you did not use it (see Chapter 9 for an international comparison). So, beware agreeing to have a digital signature.