Electronic Signature – Legal and Technical aspect
Traditional signatures are handwritten and uniquely represent one's identity. The use of a signature is mandatory in law in certain cases and holds an important legal position in a document, as it signifies two things: the identity of the person and that person's intent. A signature is one's identity on a document and is used in day-to-day transactions; in the case of an illiterate person, the fingerprint is treated as the signature. A handwritten signature is prone to forgery and tampering and is therefore insufficient for online transactions and contracts. Online transactions require unique and strong protection, which is provided by electronic signatures.
The concept of the digital signature was introduced in India through the Information Technology Act 2000, later enhanced with the hybrid concept of the electronic signature, which is based on the UNCITRAL Model Law on Electronic Signatures 2001. The electronic signature is a technologically neutral concept and includes the digital signature. The object and purpose of an electronic signature are similar to those of a traditional signature. In the cyber world, an electronic signature ensures that electronic records are authentic and legitimate, as electronic signatures are safer and cannot be forged, and it is convenient because the sender does not have to be personally present at the place of contract to sign the document. For example, a person can sign a contract in India and send it to any part of the world to complete the transaction.
UNCITRAL Model Law on Electronic Signatures 2001
The statement of purpose of the UNCITRAL Model Law on Electronic Signatures 2001 explains the importance of electronic signatures as follows:
“The increased use of electronic authentication techniques as substitutes for handwritten signatures and other traditional authentication procedures has suggested the need for a specific legal framework to reduce uncertainty as to the legal effect that may result from the use of such modern techniques (which may be referred to generally as “electronic signatures”). The risk that diverging legislative approaches be taken in various countries with respect to electronic signatures calls for uniform legislative provisions to establish the basic rules of what is inherently an international phenomenon, where legal harmony as well as technical interoperability is a desirable objective.”
Section 2(ta) of the Information Technology Act 2000 defines an electronic signature as
“Authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature.”
The definition of electronic signature includes the digital signature and any other electronic technique that may be specified in the Second Schedule of the Act; thus an electronic signature means authentication of an electronic record by a subscriber by means of electronic techniques. The adoption of the term 'electronic signature' has made the Act technologically neutral, as it recognizes both the digital signature method, based on cryptographic techniques, and electronic signatures using other technologies.
Technical aspect of Digital Signature
A digital signature is created and verified using Public Key Infrastructure (PKI) technology, which requires two keys, a public key and a private key, for encrypting and decrypting information. A message encrypted with a public key can only be decrypted using the corresponding private key, and vice versa. The unique feature of public key infrastructure is that the public and private keys are related to each other, and only the public key can be used for encrypting messages that can be decrypted using the corresponding private key. The public key is shared, whereas the private key is known only to its possessor. The digital signature is based on cryptography. Cryptography is the science of securing communications by converting (encrypting) a message into an unreadable format so that only a person with the secret key can decrypt (read) it. Cryptography systems can be broadly classified into two types, symmetric-key and asymmetric.
In a symmetric system, the sender and recipient share the same key; in an asymmetric system, each user has two keys, a public key that is known to everyone and a private key that is known only to the recipient of messages. In India the digital signature uses an asymmetric system with a public key and a private key.
Digital Signature Certificates
Digital Signature Certificates are certificates in digital form used to prove identity in the digital world. They are issued by Certifying Authorities under the authority of the Controller of Certifying Authorities. A Digital Signature Certificate is an electronic document that can be used to verify that a public key belongs to a particular individual. A Digital Signature Certificate contains the public key of the certificate owner, the name of the owner, the validity "from" and "to" dates, the name of the issuing authority, the serial number of the certificate, the digital signature of the issuing authority, the name of the person, etc. There are three classes of digital certificate: Class I, Class II and Class III. Depending on the class, each digital certificate serves specific functions.
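As an added illustration (not code from the article), the Go program below issues a subscriber certificate under a self-signed certifying authority using the standard crypto/x509 package and then verifies it. It puts the fields listed above into a concrete certificate and performs the two checks a relying party makes before trusting the public key: that the issuer's digital signature over the certificate verifies under the issuer's public key, and that the time of use falls within the "from" and "to" validity dates. The authority name, subscriber name, serial numbers and validity periods are constructed for the example; nothing here stands for a licensed Certifying Authority.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names; neither is a real Certifying Authority or subscriber.
const (
	issuerName     = "Example Certifying Authority (hypothetical)"
	subscriberName = "A. Subscriber (hypothetical)"
)

// IssueCertificates builds a self-signed certificate for a (hypothetical)
// Certifying Authority and a subscriber certificate issued under it. The
// subscriber certificate carries the fields the article lists: the owner's
// public key and name, the validity "from"/"to" dates, the issuer's name, a
// serial number, and the issuer's digital signature over the whole certificate.
func IssueCertificates(now time.Time) (caCert, subCert *x509.Certificate, subKey *rsa.PrivateKey, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: issuerName},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Self-signed: the template is its own parent and the CA key signs it.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if caCert, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, err
	}

	// The subscriber's key pair: the private key stays with the subscriber;
	// only the public key goes into the certificate.
	if subKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, nil, err
	}
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: subscriberName},
		NotBefore:    now,
		NotAfter:     now.AddDate(2, 0, 0), // two-year validity, a constructed choice
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Issued by the authority: the CA certificate is the parent and the CA key signs.
	subDER, err := x509.CreateCertificate(rand.Reader, subTmpl, caCert, &subKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	subCert, err = x509.ParseCertificate(subDER)
	return caCert, subCert, subKey, err
}

// VerifySubscriberCert checks, as of time `at`, that the subscriber certificate
// chains to the trusted authority (the issuer's signature verifies under the
// CA's public key) and lies within its validity period. A nil error means the
// public key in the certificate can be relied on as belonging to its subject.
func VerifySubscriberCert(caCert, subCert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := subCert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	now := time.Now()
	ca, sub, _, err := IssueCertificates(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("owner:     ", sub.Subject.CommonName)
	fmt.Println("issuer:    ", sub.Issuer.CommonName)
	fmt.Println("serial:    ", sub.SerialNumber)
	fmt.Println("valid from:", sub.NotBefore.Format(time.RFC3339), "to", sub.NotAfter.Format(time.RFC3339))
	fmt.Println("within validity:", VerifySubscriberCert(ca, sub, now.AddDate(1, 0, 0)) == nil) // true
	fmt.Println("after expiry:   ", VerifySubscriberCert(ca, sub, now.AddDate(3, 0, 0)) == nil) // false
}
```

A certificate presented after its "to" date, or one whose issuer signature was made by an authority the verifier does not trust, fails VerifySubscriberCert even though its fields look correct; the same chain-building and date check is what a relying party's software does when it validates a Digital Signature Certificate against the Certifying Authority that issued it.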
Legal aspect of Digital Signature
Section 3 of the Information Technology Act 2000 provides for the authentication of electronic records. It provides that electronic records can be authenticated by using digital signatures, and it lays down the technology requirements for digital signatures: it prescribes the use of an asymmetric crypto system and a hash function for the authentication of electronic records. Authentication of an electronic document is important because it ensures that the message has not been tampered with and confirms the creator's identity, making it non-repudiable, i.e., the sender cannot deny its creation. The object of authentication is achieved by the use of the asymmetric system and the hash function, which convert the electronic message into an unreadable format to prevent tampering with the electronic record.
A hash function is the method or scheme used for encrypting and decrypting digital signatures. A hash function produces a hash value, also known as a message digest. It plays an important role in ensuring that the message has not been tampered with and that the information is safe and secure.
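As an added example (not from the article), the Go program below carries out the authentication that Section 3 prescribes, using only the standard library: the record is reduced to a message digest by the SHA-256 hash function, the digest is signed with the subscriber's private key, and the verifier recomputes the digest from the record it received and checks the signature with the subscriber's public key. It also demonstrates the tamper detection described in the two paragraphs above, and with it the reliability conditions in section 3A(2) that an alteration of the data after signing must be detectable: changing one digit of the signed record, or checking the signature under another person's public key, makes verification fail. The key size, the sample record and the function names are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewSignerKey generates a subscriber's key pair. The private key never
// leaves the subscriber; the public key is what a verifier (or a Digital
// Signature Certificate) carries.
func NewSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignRecord authenticates an electronic record in the two steps Section 3
// names: the record is first reduced to a fixed-length message digest by a
// hash function (SHA-256 here), and that digest is then signed with the
// subscriber's private key. Only the holder of the private key can produce
// a signature that the matching public key accepts.
func SignRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyRecord recomputes the digest of the record as received and checks the
// signature against the signer's public key. It reports false when the record
// was altered after signing (the digest no longer matches the signed one) and
// when the signature was made with some other private key (wrong signer).
func VerifyRecord(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// AuthenticationChecks signs a constructed sample record and returns three
// verification outcomes: the unaltered record under the signer's public key,
// the same signature over an altered record, and the unaltered record under
// a different person's public key. Expected: true, false, false.
func AuthenticationChecks() (original, altered, wrongSigner bool, err error) {
	signer, err := NewSignerKey()
	if err != nil {
		return false, false, false, err
	}
	other, err := NewSignerKey()
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample record (not a real contract).
	record := []byte("Seller agrees to deliver 100 units at Rs 500 each.")
	sig, err := SignRecord(signer, record)
	if err != nil {
		return false, false, false, err
	}
	// A single changed digit in the price changes the whole digest.
	tampered := []byte("Seller agrees to deliver 100 units at Rs 5000 each.")
	original = VerifyRecord(&signer.PublicKey, record, sig)
	altered = VerifyRecord(&signer.PublicKey, tampered, sig)
	wrongSigner = VerifyRecord(&other.PublicKey, record, sig)
	return original, altered, wrongSigner, nil
}

func main() {
	orig, alt, wrong, err := AuthenticationChecks()
	if err != nil {
		panic(err)
	}
	fmt.Println("unaltered record, signer's key:", orig)  // true
	fmt.Println("altered record, signer's key:  ", alt)   // false
	fmt.Println("unaltered record, other key:   ", wrong) // false
}
```

The digest on its own only detects alteration; it is the signature over the digest, made with a private key that only the subscriber controls, that ties the record to a particular person and gives the non-repudiation the paragraph above describes. The same package offers rsa.SignPSS and rsa.VerifyPSS as a more modern padding scheme; the digest-then-sign structure is identical.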
Functions of Electronic Signature
The concept of the electronic signature was introduced under section 3A by the Information Technology (Amendment) Act 2008. An electronic signature means authentication of an electronic record by a subscriber by any electronic authentication technique. An electronic signature technique can be used as an authorized electronic signature only if the technique is notified by the Central Government in the Official Gazette or specified in the Second Schedule of the Act. There are different types of electronic signature, but not all of them are secure; hence only the techniques notified in the Official Gazette or specified in the Second Schedule can be used as a legitimate electronic signature. For example, a typed name or a digitized image of a signature is also a form of electronic signature, but it is prone to tampering and insecure. An electronic signature technique has to be reliable to be recognized as an electronic signature. Section 3A of the Information Technology Act 2000 is based on Article 6, "Compliance with a requirement for a signature", of the UNCITRAL Model Law on Electronic Signatures 2001. The requirements of an electronic signature are the following:
a) It has to be reliable.
b) The central government may notify in the official gazette the technique and procedure for electronic signature or specify in the second schedule of the Information Technology Act 2000.
An electronic signature shall be considered reliable if it fulfils the following requirements:
a) The technique should be such that it can be linked to the creator of the message.
b) The technique of electronic signature must be under the control of the maker of the signature.
c) Any change or alteration to the electronic signature after affixation must be detectable.
d) Any change or alteration of data after affixing electronic signature must be detectable.
The Central Government is the authority to declare a technique a reliable electronic signature, and it can add any technique to, or remove any technique from, the list of electronic authentication techniques. As on date the Central Government has not issued any notification on electronic signatures, and thus the electronic signature has not gained much attention. In this regard the Delhi High Court has directed the Central Government to frame a policy on electronic signatures for the authentication of electronic records. The only method of authentication of electronic records in India at present is therefore the digital signature, as there are no guidelines on the use of electronic signatures.
Legal recognition of electronic signatures is provided under section 5 of the Information Technology Act 2000. This section equates the electronic signature with the traditional handwritten signature: it provides that if any information or document is authenticated by an electronic signature affixed in the prescribed manner, it shall have the same effect as the affixing of a handwritten signature. The Central Government shall prescribe the manner in which an electronic signature has to be affixed.
Offenses related to Electronic Signature
The offenses related to electronic signatures are generally identity theft, publication of a false electronic signature certificate, and publication of an electronic signature certificate for a fraudulent purpose. Section 66C of the Act punishes identity theft: it punishes the fraudulent use of the electronic signature of any other person, and such a person shall be punished with imprisonment of up to three years and shall also be liable to a fine which may extend to one lakh rupees.
Misrepresentation or suppression of a material fact in order to obtain any license or electronic signature certificate is an offense under section 71 of the Act. This section applies in the following cases:
a) If a person makes a misrepresentation to the Controller or a Certifying Authority.
b) If a person suppresses any material fact from the Controller or a Certifying Authority.
Such misrepresentation or suppression of a material fact with the intent to obtain any license or electronic signature certificate from the Controller or a Certifying Authority is punishable with imprisonment of up to two years and a fine of up to one lakh rupees. The information provided to the Controller or a Certifying Authority must be proper and correct; the presentation of wrong, incorrect or false information is an offense under section 71 of the Act.
Publication of an electronic signature certificate which is false in certain particulars is an offense under section 73 of the Act. The following amount to the publication of false particulars in an electronic signature certificate:
a) Publication of an electronic signature certificate which the Certifying Authority has not issued.
b) Publication of an electronic signature certificate which the subscriber of the certificate has not accepted.
c) Publication of an electronic signature certificate which has been revoked or suspended.
Section 74 of the Act punishes the creation, publication or provision of an electronic signature certificate for a fraudulent or unlawful purpose with imprisonment for a term which may extend to two years or a fine which may extend to one lakh rupees.
The growing volume of online transactions and contracts requires stronger protection, which is currently provided by the digital signature. However, it would be in the interest of the cyber community if the Government allowed and initiated multiple methods of authentication, such as the use of a fingerprint or an Aadhaar card linked with password-based online transactions. Multiple methods would permit easy identification of persons, which would assist in curbing online fraud, ease online transactions and further enhance the online security of users, as even today the factual identity of persons online is a mirage.
# Sujata Pawar and Yogesh Kolekar, 'Essentials of Information Technology law', Notionpress, 2015
# "A mark or sign made by an individual on an instrument or document to signify knowledge, approval, acceptance, or obligation. The term signature is generally understood to mean the signing of a written document with one's own hand. However, it is not critical that a signature actually be written by hand for it to be legally valid. It may, for example, be typewritten, engraved, or stamped. The purpose of a signature is to authenticate a writing, or provide notice of its source, and to bind the individual signing the writing by the provisions contained in the document. Because a signature can obligate a party to terms of a contract or verify that the person intended to make a last will and testament, the law has developed rules that govern what constitutes a legally valid signature. The Internet and other forms of telecommunication have created the need to transact legally binding agreements electronically…" http://legal-dictionary.thefreedictionary.com/signature
# Section 463 of the Indian Penal Code: Whoever makes any false document or electronic record, or part of a document or electronic record, with intent to cause damage or injury to the public or to any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud or that fraud may be committed, commits forgery.
# Sec. 2(p) of the Information Technology Act 2000: digital signature means authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3
# Sec. 2(ta) of the Information Technology Act 2000: electronic signature means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature
# Article 2(a) of the UNCITRAL Model Law defines an electronic signature as data in electronic form in, affixed to or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory's approval of the information contained in the data message.
# Section 2(zg) of the Information Technology Act 2000: subscriber means a person in whose name the Electronic Signature Certificate is issued
# “PKI is a security architecture used for secure communication over Internet. PKI enables users to exchange information or perform monetary transactions securely through Internet. PKI ensures the authenticity of the sender, security and accuracy of the information sent to the receiver. It provides assurance that the information sent is accurate and authentic and it can be produced as evidence in court.” http://www.e-zest.net/blog/public-key-infrastructure/
# Section 2(zc) of the Information Technology Act 2000: public key means the key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate
# Section 2(zd) of the Information Technology Act 2000: private key means the key of a key pair used to create a digital signature
# “The art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text. Only those who possess a secret key can decipher (or decrypt) the message into plain text. Encrypted messages can sometimes be broken by cryptanalysis, also called code breaking, although modern cryptography techniques are virtually unbreakable. As the Internet and other forms of electronic communication become more prevalent, electronic security is becoming increasingly important. Cryptography is used to protect e-mail messages, credit card information, and corporate data. One of the most popular cryptography systems used on the Internet is Pretty Good Privacy because it's effective and free. Cryptography systems can be broadly classified into symmetric-key systems that use a single key that both the sender and recipient have, and public-key systems that use two keys, a public key known to everyone and a private key that only the recipient of messages uses.” http://www.webopedia.com/TERM/C/cryptography.html
# Section 2(q) of the Information Technology Act 2000 defines it as a Digital Signature Certificate issued under sub-section (4) of section 35.
# Section 2(g) of the Information Technology Act 2000 defines it as a person who has been granted a licence to issue an electronic signature Certificate under section 24.
# Sec. 18(a) exercising supervision over the activities of the Certifying Authorities
# http://www.certificatetiger.com/News/difference-between-digital-certificate-and-digital-signature.htm
# There is another class of digital certificate, called a Class 0 Certificate. It is issued only for demonstration/test purposes.
# "A unique numerical identifier that can be assigned to a file, a group of files, or a portion of a file, based on a standard mathematical algorithm applied to the characteristics of the data set. The most commonly used algorithms, known as MD5 and SHA, will generate numerical values so distinctive that the chance that any two data sets will have the same hash value, no matter how similar they appear, is less than one in one billion. 'Hashing' is used to guarantee the authenticity of an original data set and can be used as a digital equivalent of the Bates stamp used in paper document production." "Managing Discovery of Electronic Information: A Pocket Guide for Judges," Federal Judicial Center, at 24 (2007)
# Article 6. Compliance with a requirement for a signature 1. Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used that is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement. 2. Paragraph 1 applies whether the requirement referred to therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature. 3. An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in paragraph 1 if: (a) The signature creation data are, within the context in which they are used, linked to the signatory and to no other person; (b) The signature creation data were, at the time of signing, under the control of the signatory and of no other person; (c) Any alteration to the electronic signature, made after the time of signing, is detectable; and (d) Where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable. http://www.uncitral.org/pdf/english/texts/electcom/ml-elecsig-e.pdf
# Sec. 3A(a) of Information Technology Act 2000
# Sec. 4 of Information Technology Act 2000
# Sec. 3A(b) of Information Technology Act 2000
# Sec.3A(2)(a) of Information Technology Act 2000
# Sec.3A(2)(b) of Information Technology Act 2000
# Sec.3A(2)(c) of Information Technology Act 2000
# Sec.3A(2)(d) of Information Technology Act 2000
Written By: Yogesh Prasad Kolekar, BAL,LLM,NET, Assistant Professor, Ismailsaheb Mulla Law College, Satara