Electronic Commerce Law

Module 2: The Role of Information Security; 
Security, Encryption, Confidentiality and Digital Signatures 

Return to Main Page

Legal requirements for online communications - authenticity and integrity  Analyse problems arising from electronic communications and current solution offered by information security  Digital signatures analysed and their applications in the legal context - liabilities.  Identify limitations of digital signatures and alternate cryptographic applications  Case study and practical application of security, digital signature and encryption software 

The aim of this module is that each student should: 
develop an understanding of the law and regulatory processes applicable to the security of the internet; develop basic skills in relation to online communications, authenticity and integrity  develop an appreciation of the analyse of problems arising from electronic communications and current solutions offered by information security  deveop basic skill in relation to Internet use including the use of electronic mail, encryption, decryption and digital signatures. 
1. On completion of this unit, students should be able to: 
1. identify areas of law affecting the security as it related to online transfer of information;
2. demonstrate the use of encryption algorithms in practical use commercially; 
3. consider the implications for users of the internet both commercial and non-commercial of public key cryptology; 
4. demonstrate the ability to apply the areas of law studied to case studies and other seminar presentations. 

Read:  Quirk pp 84 to 108. 

Reference:  Lawrence et al; Chapter 6, pages 120-125, 127-136, and Chapter 10, pages 210-215, of "Internet Commerce: Digital Models for Business" 

Reference: Akindemowo: pages 193-214 - as an introduction to confidentiality and security issues, the notion of "privacy" in the digital domain. 

Read:  The Introduction and and the Australian position on cryptography, see the 1999 International Survey of Encryption Policy at 
http://www.gilc.org/crypto/crypto-survey-99.html#_Toc450793134

Reference
Computer Hackers and Crackers Browse "A History of Hacking," by Robert Trigaux at 
http://www.sptimes.com/Hackers/history.hacking.html

Computer terrorism: What are the risks? Patrick Galley
http://home.worldcom.ch/pgalley/infosec/sts_en/
 

Cookies Explained
Browse: "How Webservers’ Cookies Threaten Your Privacy," at 
http://www.junkbusters.com/ht/en/cookies.htmlProtection of Confidential Information

Read Chapter 6 of the excellent "Safeguarding Your Technology" report, prepared under the auspices of the NCES at 
http://nces.ed.gov/pubs98/safetech/

Browse - recommendations made by the National Center for Education Statistics (NCES) that pertain to software security at 
http://nces.ed.gov/pubs98/safetech/

Browse "How Electronic Encryption Works and How it Will Change Your Business" by Jim Heath at http://www.viacorp.com/crypto.html

Browse Questions 25, 27-28 at 
http://www.w3.org/Security/Faq/wwwsf3.html

McBride Baker and Coles - Electronic Commerce and Digital Signature Update
http://www.mbc.com/ecommerce/ecommerce.asp

Answers are contained in the prescribed readings and links below. 

• Is the definition of confidential information by Lord Greene in Saltman Engineering Co Ltd v Campbell Engineering Co Ltd (1948) 65 RPC 203 circular? 
• What is the GILC?  When was it established and what is it purpose and function? 
• What are the OECD Cryptography Policy Guidelines? http://www.oecd.org/ See also Australian adoption
• What is the Wassenaar Arrangment? 
• What is its impact on security in electronic commerce? 
• Is the WA a treaty? www.wassenaar.org 
• What is the key escrow/recovery concept? 
• What is the G8 position in relation to encryption? 
• What is the Walsh Report? 
• What were Walsh's criticisms and recommendations? 
• Explain the operation of digital signatures. + 

Additional links for Browsing

Security

Digital Signature Law Survey ***

 

UNCITRAL Model Law on Electronic Commerce with Guide to Enactment 1996  with additional article 5 bis as adopted in 1998*** 

 

EPIC Archive - Cryptography Policy ( US) *

 

Keith Holland - Recent International Legal Developments in Encryption (Aust)**

 

Nigel Waters - Telecommunications Interception - Extending the reach or maintaining the status quo? (Aust)*

 

Patrick Gunning - Distributing encryption software by the Internet: loopholes in Australian export controls (Aust)*

 

- The proposal described in this article has become Standards Australia draft standard DR 96078 `Strategies for implementation of a public key authentication framework in Australia'

 

 

Crypto Law Survey *

 

APEC Telecommunications Working Group  ** 
review of information on international trends in public administration with respect to Public Key Authentication 

1. Ensure that the encryption software is obtained from a secure source. 
2. Use keys which ensure security; at least a 2048 bit key. 
3. Restrict access to your private key by protecting it with a unique password. 
4. Maintain backups of all keys.  Preferably store the keys in a folder protected by a unique password. 
5. Keep all passwords secure. 
6. Retain the ability to revoke a key. 
7. Only use another person's keys if you are certain of its source and validity. 

Alan Davidson and Myles McGregor-Lowndes 
*Article which appeared in the Journal of the Law Institute of Victoria Journal. 

Introduction

So you have been using e-mail, or are thinking about it.  You may have made enquiries of some government departments, or written to colleagues.  You may even have a few clients that like to write to you using e-mail and expect a similar speedy reply.  But, is it secure?  Can the message be intercepted?  You wish to send sensitive and confidential information to your client by e-mail.  Should you?  If  you receive instructions from a client, can you be sure it was sent by that client?  You know a hand written signature cannot appear for verification.  Should you require written instructions by means of a hard copy only?  These concerns can be addressed by the use of modern day encryption.  These issues are of concern to any professional to whom confidence is crucial or to those who owe a professional duty of confidence; most notably lawyers. These concerns were recently addressed in the Wallis Report on its extensive enquiry into the Financial Industry .  The Report recognised the need "to adopt appropriate internationally recognised standards for electronic commerce, including for electronic transactions over the Internet and the recognition of electronic signatures."   Specifically the Report recommended:
 

amendments to  legislation and industry codes to permit the appropriate use of digital signatures, electronic notices and documents to improve the efficiency of financial transactions and reduce costs; 

endorsement by industry and government of the Public Key Authentication Framework developed by Standards Australia to enable a reliable system for digital recognition of individuals and entities to be developed; 

amendments to Evidence Acts, to take account of electronic transactions and record keeping, including the enactment of national uniform legislation covering evidentiary issues for the electronic delivery of financial services. 

 

E-mail
Electronic mail (e-mail) is the sending and receiving of messages by transferring files between computers.  Programs such as "Pegasus" and "Eudora" are used to mimic traditional postal systems with post boxes, addresses, post offices and masters and the waste paper bin for junk mail.  The most extensive use of the Internet to date is the use of electronic mailing (e-mail) facilities. Millions of messages are sent daily across the world.  In most cases, such messages are text based, but most systems allow the transfer of other data files including photographs, sound, video and executable programs. When we write a standard letter, we put it in a stamped, addressed envelope and drop it in a letter box. We do not have to understand the subsequent processes by the mail carrier to know that our letter will be delivered. Similarly, electronic mail (e-mail) allows information to be sent and received without ever needing to understand the myriad of processes involved. It is not necessary to understand that the e-mail facility creates text using standard protocol (ASCII files) for transmission. The mailer can be used in a similar way to a word processor. The protocol used on the Internet to standardise the transfer of mail is called SMTP (Simple Mail Transfer Protocol). SMTP is activated when mail is sent. 

We cannot assume that our e-mail is private.  There is a concern that the Internet is not secure and that transmissions may be tampered with.  Generally e-mail is no more or less secure than sending information by facsimile.  Telephone and communication lines can be tapped.  The tampering may take the form of: 

- Eavesdropping - third parties listen to private communications 

- Manipulation - third parties intercepting and altering information 

- Impersonation - a sender or receiver communicates under false identification 

Service provider's are cognisant of the security implications and typically implement a system of passwords  for users to access their mail boxes.  It would be prudent to change the password on a regular basis and for the firm to have a policy on the issue.  The firm should consider a range of passwords and the level of access permitted.  However, while few service providers use encryption, e-mail users may adopt their own regine of encryption. 

Encryption
Encryption is the transformation of data into a form that is unreadable by anyone without a decryption key.  Its purpose is to ensure privacy.  Some organisations encrypt files on their hard disk to prevent an intruder from reading and deciphering them.  We will briefly deal with encryption by e-mail generally and commercial encryption methods which we will term Private and Public.  E-mail is already encrypted by the process of sending it.  However its purpose is to convert the data into appropriate code for transmission and then back again, at the other end, for reading.  Whilst an interceptor of such a message may receive gibberish, it may, with the right know how, be converted back into the original message.  Commercial encryption programs are available which state that they guarantee security of transmission.  Security methods are centred upon public-key encryption, zero-knowledge interactive proof systems, and various software protocols for interaction, authentication and verification.  The development of such methods has been closely monitored, in the U.S. by the National Security Agency.  Recent advances have made the newer systems economically feasible and effectively unstoppable.  High-speed networks,  ISDN, tamper-proof boxes, smart cards, satellites, Ku-band transmitters, multi-MIPS personal computers and encryption chips, which enhance encryption technology, are under constant development.  The paper is limited to the more readily available public and private encryption.  The law enforcement agencies world wide and notably the FBI have been seeking to ban some forms of encryption software because they are unable to decode the transmission.  Such authorities claim national security concerns and use of the  technology by drug dealers and tax evaders.  They express concern that illegal information, such as encrypted paedophile material, is being transferred across the Internet.  Nevertheless, such a level of encryption is desirable for legitimate purposes for the protection of clients. 

Security Issues
The public perception of e-mail is that it is inherently not secure.  However, other forms of communication such as mail, facsimiles and couriers have their own secuity risks which are taken as acceptable for business and commerce.  A misaddressed letter or facsimile raises privacy concerns.  The paradox is that e-mail can be made so secure that the U.S. Government has enacted legislation to restrict the level of security permitted for transmissions in that country.  For example RSA Data Security Inc has more than 75 million copies of RSA encryption and authentication technologies and in use worldwide.  This technology is embedded in Microsoft Windows, Netscape Navigator, Intuit's Quicken, Lotus Notes and many other products.  However in promoting its services the company states that it has intentionally reduced the level of encryption to obtain Government approval.  In order to make this ground-breaking product available internationally, we have applied for and received a Commodity Jurisdiction from the US Department of Commerce. This means that the strength of the cryptography has been reduced from the commercial product available in the US and Canada in order to comply with cryptographic export regulations.  Site: http://www.rsa.com/

U.S. Debate
Increasingly private communications are being routed through electronic channels. E-mail messages may be intercepted and scanned for interesting keywords.  International cablegrams are currently scanned in the United States on a large scale by U.S agencies.  A 1991 U.S. anti-crime bill would have forced manufacturers of electronic communications equipment to provide a back door method for the Government to read encrypted messages. The explanatory memoranda to the bill stated in part:  It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall insure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.  This aspect of the bill was removed after substantial lobbying by interested groups.  In 1993 there was push by the American Government to have industry adopt the Clipper chip containing a new classified NSA encryption algorithm.  At the time of manufacture each Clipper chip will contain its own unique key, a copy of which is retained by the Government.  The Government includes the promise that the keys will only be used for legal purposes.  Affordable military grade public-key cryptographic technology is available to those who choose to use it. 

Private Encryption
Standard encryption requires the sender and recipient of a message knowing and using the same secret key.   This method private encryption.  The major difficulty with such an approach is agreeing on the secret key with confidence that no one else finds out.  Trust is often placed in the normal mail, a courier, the telephone system  or some other transmission system.  Anyone who overhears or intercepts the key potentially can read all encrypted messages.  Further, one may have little notice as to whom your correspondent may be.  Accordingly private encryption has its own inherent security risks. 

Public Encryption
Public encryption was developed in 1976 to resolve the private encryption dilemmas.  The sender and recipient each possesses a pair of keys called the public key and the private key.  Each person's public key is freely available to anyone.  The private key is kept secret.  There is no need for both parties to share secret information about the private key.  All communications involve only the public keys and no private key is ever transmitted or shared.  There is a relationship between the public key and the private key, but the private key cannot be determined  if one only has the public key.  For example, a given encryption program may prompt the user to type in a phrase and press 'enter' when finished.  The program then performs a lengthy series of calculation based not only on the phrase but also on the timing between each of your keystrokes.  A truly unique private key is created.  One or more public keys may be created in a simlar fashion from the private key.  The program makes complex mathematical calculations to create the public key.  However, the private key cannot be determined from the public key.  To send a secure message, the sender obtains the intended recipient's public key.  Next the sender encrypts the message and e-mails it.  The intended recipient, and only the intended recipient,  uses the private key to decrypt the message.  (See Fig.1 )  Provided the private key has remained confidential, no one else can read the message. 

Figure 1

 

Digital Signature and Authentication

Authentication of electronic messages will become increasing important for lawyers for evidentiary purposes.  Australian Evidence Acts do not address all aspects of e-mail communications.  Australian Evidence Acts make presumptions regarding the sending and receipt for postal articles, telexes, lettergrams and telegrams.   There is no similar presumption regarding e-mail.  However  the Evidence Acts of New South Wales and the Commonwealth do state:  The hearsay rule does not apply to a representation contained in a document recording a message that has been transmitted by electronic mail or by a fax, telegram, lettergram or telex so far as the representation is a representation as to: 

(a)  the identity of the person from whom or on whose behalf the message was sent, or 

(b)  the date on which or the time at which the message was sent, or 

(c)  the message's destination or the identity of the person to whom the message was addressed. 

Nevertheless courts will need to be satisfied regarding the authenticity of transmissions.  A digital signature is authentication of an electronic transmission.  When using the digital signature, a simple computation is completed (automatically) involving the sender's private key and the message itself.  The result is referred to as the digital signature and is attached to the message.  The recipient verifies the digital signature by a simple automatic computation involving the message, the purported digital signature and sender's public key.  The computation determines whether a special mathematical relational exists and if it does it reports that the digital signature is verified.  An unverified digital signature may be an indication of some other hoax sender or an alteration to the message.  The recipient should then take appropriate steps such as determining the bona fides of the message and seek a retransmission.  Such an authentication should be accepted by the courts. 

Practice
Some commentators in the field recommend a combination of both the private encryption and public encryption methods.  The proposal is to use the public encryption method to encrypt a secret key which is then used to encrypt all other transmission which are used by the private encryption method.  This overcomes some concerns that the public system is in fact a slower method.  Lawyers would be best advised to seek client's specific instructions before sending confidential information by e-mail and to advise the level of security used.  On the other hand some commentators contend that proper use of encryption methods is more secure than normal mail, couriers or facsimiles.   Nevertheless the prudent lawyer may prefer to obtain the client consent in advance and discuss encryption options.  In a similar vain, one should seek approval of one's partners (or employers etc) in relation to both the use of e-mail and the procedures  to be complied with and the records to be kept.  An appropriate message regarding the firm's policy may be placed on the firm's Internet site (see the following example) or sent to clients who use or intend to correspond by e-mail with the firm. 

• Notice to be placed on the firm's Internet page next to the e-mail link. 
 

This message is intended to be private.  It is not encrypted.  Persons may intercept and read the e-mail.  E-mail is usually regarded as being as secure as a facsimile or postcard.  This firm recommends that sensitive information should be encrypted using the encryption method this firm provides to you once you are a client of the firm. 

This firm will respond to your non-encrypted email with a non-encrypted reply.  This firm makes no representations as to the security of encrypted or unencrypted e-mail. 

To receive encrypted e-mail messages you must have the software "Pretty Good Privacy" (PGP), a private key and a public key registered with this firm.  The software is available from us upon becoming a client of the firm. 

Encryption programs can be circumvented in a variety of ways which do not involve being able to break the encryption.  Security will be breached if the pass phrase or secret key is inappropriately disclosed or disseminated.  The user may believe that the files have been deleted, but they may still be somewhere on the disk.  Viruses may affect security.  Further there are physical and electronic concerns to be considered.. 

Pass Phrase Security

To access the private key, a pass phrase is required.  Security is breached if this pass phrase is disclosed to another or it is left written down for others to read.  This would give someone else access to your files so that they can read your messages and make signatures in your name.  Do not use an obvious pass phrase that can be easily guessed, such as the names of your children, your spouse or dog.  Avoid single word pass phrases as these can be more easily guessed by having a computer try all the words in the dictionary.  One colleague uses two lines to a poem that is well known to him and will thus not be forgotten.  However a resourceful and resolute intruder may have a computer scan a book of famous quotations, or knowing your like for Banjo Paterson or Shakespeare may have the computer run combinations of phrases. 

Public Key Substitution.

If you are given a public key to encrypt and send a message to the recipient with the corresponding private key, ensure that the key is the correct key.  A substituted public key will allow the perpetrator to read the message.  Accept keys only directly from the its owner or from someone that can be trusted.  Similarly include a warning to clients that they should only use public key distributed directly from the source. 

"Deleted" Files

When files are deleted the computer does not physically erase the data on the file.  Instead its removes the pointers to the file so that it is no longer indexed and now classifies the space the file had allocated as now being free.  Before the space is reused it  is possible to reconstruct some or all of the file.  There are several file recovery programs available to retrieve accidentally deleted files.  While creating text there may be additional copies of the file created according to the operating system and program used.  These temporary copies may be retreived.  Most operating systems include options which erases the entire file and not just the pointers.  MSDOS, Nortons Utilities and PGP perform such a function. 

Viruses

Viruses could be designed to do general damage or to attack specific sorts of files.  Theoretically a virus could be designed to attack your encryption programs and related files.  Always perform a virus check daily with the latest release of virus protection software.  Check all external data before loading onto your system.  Backup all files including your public and private keys.  Correspondingly, the backups must be kept in a secure place. 

Trojan Horses

The concept of a Trojan Horse is related to computer viruses but is typically more insidious.  The computer runs many different pieces of software according to its use.  The software is typically obtained from software companies, retailers, friends or downloaded from the Internet.  A given program could have included additional code to perform unexpected functions, hence the term Trojan Horse.  These functions may be destructive or fulfil a particular purpose.  For example an attempt could be made to insert a Trajan Horse into encryption software so  that it behaves correctly in most respects, but deliberately disable the signature verification allowing a substitutedkey to be accepted.  Accept software only from a source that can be trusted.  As with viruses, perform regular checks. 

Physical Security Breach

A breach of security need not be a computer, software or electronic problem.  A determined intruder might use burglary, trash-picking, unreasonable search and seizure, bribery, blackmail or infiltration of staff.  Electronic security is just one aspect of protection. 

Espionage

Electromagnetic radiation is emitted from computer screens and the cables from the computer to the screens.  The radiation can be decoded to determine the keystrokes being made and display on the screen.  Using the right kind of sophisticated and expensive equipment this radiation can be detected and decoded from a distance.  Electronic shielding can be used to protect your systems to remove inappropriate radiation.  This shielding technology is known as "Tempest" and is used in the United States by some Government agencies and defense contractors.  A less sophisticated, but neverthless an effective method is viewing telescopically keyboards and screens from distances, such as through windows, including the recording of such information onto videos for latter scrutiny.  The confidentiality of all information would be at risk.  The careful positioning of equipment can reduce this concern. 

Multi-user Systems

Some multi-user systems permit users to read the display of other computer screens by simply entering an appropriate command.  Owners of multi-user systems should ensure that they are away of the capabilities of their system and, if concerned about sensitive information,either the use of such systems or take steps to remove such a capability in appropriate circumstances. 

Traffic analysis

Even if the intruder cannot read the contents of your messages, certain conslusions may be made by analysing where the messages were sent and from whom they were received, the size of the messages and the time of day the messages are sent.  Removing this concern would involve introducing a set of procedures which may invlove using differing, but secure equipment, changing the timing of the sending of messages and sending additional red herring messages to various locations designed to complicate the analysis.

Protecting Against Misuse of Timestamps

A user could alter the date and time setting of his or her computer's clock.  The alteration may give the appearance that public key certificates and signatures appear to have been created at a different time.  A legal or financial benefit may accrue if it appears that an event occurred earlier or later than in reality.  This problem is no greater than with hardcopies.  An incorrect date may be inserted in documents and such an error might occur quite innocently.  No greater problem arises with digital documents than with hardcopies.  In both cases a procedure should be established where appropriate to verify or witness documents. 

PGP

Pretty Good Privacy (PGP) is a high security cryptographic software application for MSDOS, UNIX, VAX/VMS, and other computers.  No secure channels are needed to exchange keys between users as PGP uses public key cryptography.  Whilst the authors of this paper make no  representations regarding PGP, the program contains the features described in this paper.  Most notably the software is available for downloading on the Internet and necessary documentation for understanding and running the program is available and is comprehensive.  One department of James Cook University uses PGP to encrypt and send draft examinations paper between campuses as added security to minimise interception by enterprising, but overzealous persons. 

PGP has released version 5 and 6 which are much simply whilst retaining its military strength.  A specific site has been set up for Australian lawyers at: 
http://210.15.255.14

Encryption Sites

The International Home Page of PGP 
http://www.pgpi.org/

Note the use of the international version of PGP has been illegal in the U.S.A.

Client Confidentiality:  A Lawyer's Duties with Regard to Internet E-Mail http://www.gsu.edu/%7Elawppw/lawand.papers/bjones.html

RSA Data Security Inc 
http://www.rsa.com/

Netscape Security Solutions 
http://home.netscape.com/info/security-doc.html

Australian Privacy 
http://210.15.255.14
 

Conclusion

The Internet provides tools which lawyers can utilise to maximise their time, communication and research.  E-mail adds a further dimension to communication.  We predict that e-mail will be required by many government departments and courts for the lodging of materials and to facilitate correspondence.  Newsgroups and Mailing Lists provide access to colleagues with similar interests and needs.  We now have a fast and efficient communication potential to the world.  The answers to our questions and the availability of knowledge is at our fingertips.  Now we need to protect our clients' legitimate rights, information and privacy.  The technology is here. 

"Electronic signature” refers to data in electronic form, which is typically appended to or logically associated with an electronic file.  The data is used to identify the signatory in relation to the file and indicates the signatory’s approval of the information contained in the file.  The purpose of the electronic signature typically parallels the purpose of the usual hand written signature. 

The "digital signature" is a subset of the electronic signature. Digital signatures are attached to specific data, such as an e-mail, computer file or web page. A digital signature permits the verification and authentication of the data. When using a digital signature, a simple computation is completed automatically, involving the sender's private key and the data itself. The result is referred to as the digital signature and is attached to the data. The recipient verifies the digital signature by a simple automatic computation involving the data, the purported digital signature and sender's public key. The computation determines whether a special mathematical relational exists, and if it does, it reports that the digital signature is verified. An unverified digital signature may be an indication of a hoax sender or an alteration to the message. The recipient should then take appropriate steps such as determining the bona fides of the message and seek a retransmission. 

The degree of certainty of a verified result of a digital signature is regarded as certain in the industry so far as the computing aspects are concerned.  The courts should accept such an authentication. 

 Authentication of electronic data messages will become increasingly important for lawyers for evidentiary purposes. The Australian Evidence Acts do not address all aspects of email communications. Some State Acts make presumptions regarding the sending and receipt for postal articles, telexes, lettergrams and telegrams. However, there is no similar presumption regarding email. Nonetheless, the Commonwealth and New South Wales Evidence Acts state: 

"The hearsay rule does not apply to a representation contained in a document recording a message that has been transmitted by electronic mail or by a fax, telegram, lettergram or telex so far as the representation is a representation as to: 

• the identity of the person from whom or on whose behalf the message was sent, or
• the date on which or the time at which the message was sent, or 
• the message's destination or the identity of the person to whom the message was addressed": Cth, Evidence Act 1995, s 71; NSW, Evidence Act 1995, s 71. 

 The enactment of legislation dealing with digital and electronic signatures needs to be considered with caution. Only recently have international models been available for national legislatures.  In July 2001 UNCITRAL released the Model Law of Electronic Signatures. (The text of the UNCITRAL Model Law on Electronic Signatures was adopted on 5 July 2001.  Available at http://www.uncitral.org/english/texts/electcom/ml-elecsig-e.pdf) 

This Model Law is intended to bring greater legal certainty regarding the use of electronic signatures.  It establishes the presumption that electronic signatures are to be treated as equivalent to hand-written signatures where certain criteria of technical reliability are met. The Model Law uses technology-neutral language and establishes rules of conduct for assessing responsibilities and liabilities of the signatory, the relying party and trusted third parties that might intervene in the signature process.  In a similar vein, the European Union passed a Directive on a Community framework for electronic signatures.( Directive 1999/93/Ec of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.  Available at http://europa.eu.int/comm/internal_market/en/media/sign/Dir99-93-ecEN.pdf) It establishes a legal framework for electronic signatures and certain certification services. 

Given the pace of technological development, it is more appropriate for the market to determine practice issues, such as the levels of security and reliability required for electronic signatures. Legislation should deal simply with the legal effect of electronic signatures. 

http://www.lawnet.com.sg/ freeaccess/ETA.htm 

Read sections 2, 17, 19 and 20. 

The expansion of electronic communications raises a number of unique legal questions.  Among these questions is the status of an electronic signature.

Signatures

What is a signature?  What is a signature's purpose?  These should be relatively simple questions for the lawyer.  However, the status of signatures has been taken for granted or assumed. The law has developed for centuries with notions of deeds and documents being signed, sealed and delivered, witnessed, notarised and so forth.  In certain situations a signatory is not bound by a document until it is delivered. The underlying intention is to be bound by a subsequent act of delivery.  There may be two signatures on a contract.  One may sign intending to be bound, whilst the other is a witness.  Their intention is paramount.  A signature may appear on a document, but the signor is not bound because he or she lacked the requisite intention, raising duress, undue influence, non est factum, unconscionability etc.  The "signature" may be an "X".  A quadriplegic may use another to place the "signature" on the document.

The case of R v Moore; Ex Parte Myers (1884) 10 VLR 322 dealt with a pawnbroker's pledge ticket that was not signed in accordance with the relevant legislation but was signed by an authorised agent.  The name of the pawnbroker was printed on the ticket. Higginbotham J stated that a "signature is only a mark" and may "be impressed upon the document by a stamp engraved with a facsimile of the ordinary signature of the person signing."
 

Electronic Signature

The term electronic signature should not be confused with "digital signature".  The later refers to a specific attachment which uses an asymmetric cryptosystem and a hash function and public and private "keys" for authentication and verification.  An "electronic signature" is any means of electronic authentication of the identity of a person and of the intent of that person associated with an electronic record.  The term has no universally accepted meaning and internationally is variously defined in different statutes.

In R v Frolchenko (1998) QCA 43 Williams J in the Queensland Court of Appeal recognised that modern communication, such as e-mail, may not bear a personal signature.  His Honour stated that such a electronic document could be authenticated by looking at other factors such as whether the name appears in typescript at the end of the document.

In the US case Doherty v Registry of Motor Vehicles (1998) <http://www.state.ma.us/itd/legal/case.htm> Agnes J held that a police report made "by means of e-mail or some other electronic method" is regarded as signed subjecting the reporting officer to possible perjury charges.
 

Arguments are raised that an e-mail can appear to be from someone else and that false addresses and pseudonyms can be employed.  However this is not new.  Letters, facsimiles, telexes and so forth can easily be faked.  Typically a range of proofs are used to verify the origin and genuineness of messages.

It is rare that standard hardcopy messages are they proven purely from the signature.  More often the origin and genuineness are determined from the facts and surrounding circumstances of the case.  Parties to contracts generally have no technical proof of genuineness of a handwritten signature, and there is typically no practice requiring additional verification, until a dispute arises.  There is no technical proof of origin of a telegram or telex.  Commercial parties have accepted the risk factor in the past.  The law needs to address the same level of trust and not impose unreasonable standards for the electronic medium.

The same can be said regarding the future of electronic signatures.  It will be rare where the facts solely rely on the electronic signature alone.  A combination of conduct, spoken words, part performance and other communications will contribute to proving a party's intention.

Legislation

The Electronic Transactions Acts (ETA) include a weak attempt to give electronic signatures functional equivalence to traditional signatures.  The weakness arises in two respects.

Based on the UNCITRAL Model Law of Electronic Commerce, section 10 of the Commonwealth ETA and section 14 of the Queensland ETA  give legal effect to the electronic signature only after regard is given "to all the relevant circumstances when the (electronic signature) was used" and that "the method was as reliable as was appropriate for the purposes for which the information was communicated."  This formulation, whilst reasonable on one level, leaves open a number of possible arguments.  Courts are yet to consider both the circumstances and the meaning of "as reliable appropriate".

The second weakness is that both the Commonwealth and States' ETAs inserted a consent provision absent from the UNCITRAL original.  This provision requires the person to whom the signature is required to be given to consent to the requirement being met by using the electronic signature.  The parties must reach an agreement in advance as the use of the particular electronic signature method.

The Explanatory Memorandum to the Commonwealth's ETA states that the intention of the provision is to allow a person to satisfy a legal requirement for a manual signature by using an electronic communication that contains a method that identifies the person and indicates their approval of the information communicated.

The consent provision was based on the Government's "general policy that a person should not be compelled to use an electronic communication to conduct a transaction in order to satisfy requirements or permissions to give information in writing under Commonwealth law".  The recipient's consent is required in relation to the medium by which the information is communicated.

The definition of "consent" in the Acts includes consent that can reasonably be inferred from the conduct of the person concerned, but does not include consent given subject to conditions unless the conditions are complied with.  This is intended to ensure that express consent is not required prior to every electronic communication. The federal Explanatory Memorandum gives the example, the fact that a person has used electronic mail to communicate with a Commonwealth entity should generally be sufficient to allow the Commonwealth entity to assume the person's consent to receiving further information at that email address.
 

The UNCITRAL Model Law on Electronic Signatures

In July 2001 The United Nations Commission on Trade and Law (UNCITRAL) released its Model Law on Electronic Signatures.  The Model provide a template for national legislatures for a specific legal framework to reduce uncertainty as to the legal effect regarding Electronic Signatures.  Its intention is to build on the fundamental principles underlying signature provisions of the Model Law on Electronic Commerce.  The new Model Law offers practical standards against which the technical reliability of electronic signatures may be measured to add certainty and truly foster functional equivalence.

Australian Approach to Electronic Signatures

The Australian approach to date has been to provide a light touch regulatory structure.  The matters set out in the ETAs were considered sufficiently significant to legislate federal and state standards.  However, the same lawyers and drafters have resolved to leave additional matters such as both electronic and digital signatures to industry.

Clearly the Australian legislatures have not provided any real equivalence in relation to electronic signatures.  However, each department is maintaining a watching brief to consider the future, as commercial parties and industry set standards and come to grips with the alternatives in the digital world.

Model Law of Electronic Signatures
http://www.uncitral.org/english/texts/electcom/ml-elecsig-e.pdf
 

What are the potential security risks associated with the use of email?  Outline the ways in which encryption can be used to protect e-mail against security breaches. Why are law enforcement agencies concerned about the use of cryptography?  Is this concern justified? 

What is the Wassenaar arrangement? What are its objectives?  How does it relate to cryptography regulation? Outline Australia’s approach to the regulation of cryptography. What are the principal objections to cryptography regulation? 

Return to Top