A lot has been written about this topic, and practically every company or entity that provides a signing service or solution has a section on its website alluding to it. And yet there is confusion in the market between the terms digital signature and electronic signature and their legality. Reading the information presented on multiple vendors’ sites will leave you none the wiser: depending on which vendor’s site you are reading, the picture presented could be completely different. One reason for that is that different vendors implement electronic signatures differently. Another is that the laws of different countries differ both in what kind of signature is considered legal and in what kinds of documents or transactions are allowed to use such signatures.
This writeup clarifies the differences and discusses the issues of their legality specifically in the context of Indian law, without going into technical details of signature mechanisms. It concludes by showing that ordinary electronic signatures, at least the way most electronic signature services implement them, are not legally valid in India (and most of the world)!
At a very basic level, the term electronic signature is used widely to designate any kind of “signature” on a document that is not done using pen and paper (also referred to as “wet” signature). These signatures are done electronically on documents in electronic format.
There are many definitions of the term.
The USA passed its ESIGN Act in the year 2000 and gave electronic signatures the same legal standing as paper-based “wet” signatures. It defines an electronic signature as “an electronic sound, symbol or process that is attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” This allowed any kind of signature to be done electronically – typing one’s name or initials at a designated place, drawing the signature using a mouse or a stylus, or even inserting a previously scanned image of a hand-drawn signature, etc. – and all of them would be considered legally valid.
It is to be noted that this kind of signature by itself does not provide any kind of assurance that the signature was indeed done by the intended signatory on the intended document. The document or the signature can easily be forged. What is more, a genuinely signed document can be altered and there would be no way to detect it.
European Union’s eIDAS defines electronic signature similarly as: “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”. This more or less correlates with the US definition of the term. In terms of legality, it says, a bit ambiguously, “electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature”.
India passed the Information Technology Act in 2000 and amended it in 2008; it defines the term Electronic Signature as a way to authenticate an electronic record that meets the following reliability criteria:
EU’s eIDAS also defines a special kind of electronic signature and calls it Advanced Electronic Signature (AES in short). Those electronic signatures which meet certain criteria are called AES. These criteria are:
EU eIDAS defines a further constrained form of signature called Qualified Electronic Signature, but that is beyond the scope of this document. In terms of legality, the loose definition accorded to mere electronic signature is defined more precisely for AES, thus:
The Indian IT Act 2000 (amended later in 2008) defines the term digital signature as a way of authenticating an electronic record such that:
This definition of the term digital signature takes an even narrower view than the EU’s AES, as it talks about signatures that are done using public/private key technology. Other sections and Rules require the signatures to be in a specific format called PKCS#7 (the CMS standard) and constrain it further by implying the use of public/private key technology and requiring the use of a certified signature creation device. The Act further defines the role of an entity called the Controller of Certifying Authorities and a hierarchical structure of authorities that are allowed to certify the identity of subscribers and tie it to their public key.
In general, Electronic Signatures are loosely defined whereas the definition of Digital Signature across the world gets close to the technology (public/private key) involved. Also, the loose language that is used to describe legality of electronic signatures becomes more precise when dealing with digital signatures.
It is safe to say that all digital signatures are electronic signatures but not all electronic signatures are digital signatures – in terms of how they are generated, the technology used, the security offered and their legality.
One of the downsides of electronic signatures is that they are not regulated like digital signatures are. Each signing service does them in different ways. You have to take their word for it when they say their signatures are secure. The service typically captures a string of virtual “fingerprints,” such as hash markers and IP identifiers, to verify a signer’s identity and “intent” to sign a document. These fingerprints are digitally tied to the document being signed by storing the association on the service backend.
This leads to the other problem with signing services based on electronic signatures: they require you to check back with them if you would like to know whether the document has been tampered with. As a result, there is vendor lock-in. You cannot transport your signed documents to another vendor or just store them on-premises yourself. You would have the signed document, but no assurance of the authenticity of the signatories.
Digital signatures, on the other hand, provide primarily two levels of assurance to the party relying on the signature:
Further attributes can be added to the signature, for example a time-stamp from another trusted third party which proves that the signature was done prior to that time.
Many online signing services use electronic signatures. For instance, an online service that is popular for signing property / real-estate related documents involving multiple parties uses electronic signatures of the parties to complete the transactions. The service makes a reasonable attempt to make sure that the party that is supposed to sign is indeed the one who actually ends up signing. This is ensured by making some checks online (like doing a live video with the signatory, making the signatory self-attest to her own identity, etc.) before the signatory affixes her signature. Once the document is signed by all signatories, the document (typically in PDF form) is then “sealed” by the service putting a digital signature on it using its own private key and digital certificate. They refer to this action as “notarization”. The questions that then arise are how authentic such a document is and how legally binding those signatures are.
The answer to the first one depends on how much you trust the signing service to ensure that the signatories are indeed who they are claiming to be and how much you trust them to not modify the document after the parties electronically sign the document but before the “sealing” digital signature is affixed by the service. An incorrectly implemented flow, a bug in the signing service, a hacked email etc. might allow a completely different person than the intended signatory to sign. A compromised employee might be in a position to modify the document after the electronic signature but before the digital signature.
The answer to the question about legality depends on the country. In a country like India, though the digital signature done by the service at the end is legal, the electronic signatures by the parties (which are the most important part of the transaction) are not legal! To understand this, one needs to look at the Indian IT Act (read with its amendments), which clearly states that the signature needs to be done with the signatory’s private key and that key needs to be under the direct and explicit control of the signer. This is violated on multiple counts in the above signature scheme. First, the signatory (the party to the transaction) has no private key in this scenario. Second, the private key that is eventually used to sign the document is not under the control of the signatory. Thus, merely having a digital signature does not make the transaction legal. What is required, and is missing here, is that the signatures done by the transacting parties be digital signatures, done using their respective private keys which are under their direct control.
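The following Go program is an added example, not part of the original writeup and not the code of any real signing service. It models the two flows discussed above. In the first, the parties “electronically sign” and the only evidence is a hash-plus-fingerprint record in the service backend; the service then seals the document with its own key, so a relying party can verify the seal but learns nothing about what the parties actually signed, and an alteration made before sealing passes unnoticed. In the second, each party signs with a private key under its own control, and anyone holding the document, the signature and the public key can verify offline and detect tampering. Ed25519 from the Go standard library stands in for the PKCS#7/CMS form the IT Act requires (a simplification, not the mandated format); the signer names, the sale-deed text and the IP addresses are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample agreement used throughout (not a real document).
var agreement = []byte("Sale deed: Plot 12 transferred from A to B for INR 50,00,000")

// esigRecord is what a typical e-signature service keeps in its backend:
// a hash of the document plus "fingerprints" of the signing session.
type esigRecord struct {
	docHash string
	signer  string
	ip      string
}

// esignService models the vendor backend. The signer holds no key; the only
// link between signer and document is this list, which the service controls.
type esignService struct {
	records []esigRecord
}

// ElectronicSign records that `signer` accepted `doc` from address `ip`.
func (s *esignService) ElectronicSign(doc []byte, signer, ip string) {
	h := sha256.Sum256(doc)
	s.records = append(s.records, esigRecord{hex.EncodeToString(h[:]), signer, ip})
}

// VerifyElectronic can only be answered by the service itself: a relying
// party holding just the document has nothing to check it against.
func (s *esignService) VerifyElectronic(doc []byte, signer string) bool {
	h := sha256.Sum256(doc)
	want := hex.EncodeToString(h[:])
	for _, r := range s.records {
		if r.signer == signer && r.docHash == want {
			return true
		}
	}
	return false
}

// keyHolder is any party with a private key under its own control
// (a transacting party, or the service itself for the "seal").
type keyHolder struct {
	name string
	priv ed25519.PrivateKey // never leaves the holder
	Pub  ed25519.PublicKey  // what a CA would certify in the IT Act model
}

func newKeyHolder(name string) keyHolder {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return keyHolder{name: name, priv: priv, Pub: pub}
}

// DigitalSign signs the document with the holder's own private key.
func (k keyHolder) DigitalSign(doc []byte) []byte {
	return ed25519.Sign(k.priv, doc)
}

// VerifyDigital needs only the document, the signature and the public key;
// no call back to any service is involved.
func VerifyDigital(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// alterAmount models a modification made between e-signing and sealing.
func alterAmount(doc []byte) []byte {
	return bytes.Replace(doc, []byte("50,00,000"), []byte("5,00,000"), 1)
}

// demoTamperBeforeSeal: parties e-sign, the text is altered while only the
// service's record exists, then the service seals with its own key.
// Returns whether the seal verifies and whether the sealed text is what A e-signed.
func demoTamperBeforeSeal() (sealValid bool, matchesESignRecord bool) {
	svc := &esignService{}
	serviceKey := newKeyHolder("SigningService (constructed)")
	svc.ElectronicSign(agreement, "A", "203.0.113.7") // constructed TEST-NET-3 addresses
	svc.ElectronicSign(agreement, "B", "203.0.113.8")
	sealed := alterAmount(agreement)
	seal := serviceKey.DigitalSign(sealed)
	sealValid = VerifyDigital(serviceKey.Pub, sealed, seal)     // true: the seal is fine
	matchesESignRecord = svc.VerifyElectronic(sealed, "A")      // false: but only the service can tell
	return
}

// demoPartyDigitalSignatures: A and B sign with their own keys; a relying
// party verifies offline and detects any later alteration.
func demoPartyDigitalSignatures() (bothValid bool, tamperDetected bool) {
	a, b := newKeyHolder("A"), newKeyHolder("B")
	sigA, sigB := a.DigitalSign(agreement), b.DigitalSign(agreement)
	bothValid = VerifyDigital(a.Pub, agreement, sigA) && VerifyDigital(b.Pub, agreement, sigB)
	tamperDetected = !VerifyDigital(a.Pub, alterAmount(agreement), sigA)
	return
}

func main() {
	sv, m := demoTamperBeforeSeal()
	fmt.Printf("service seal verifies: %v; sealed text matches what A e-signed: %v\n", sv, m)
	bv, td := demoPartyDigitalSignatures()
	fmt.Printf("party signatures verify offline: %v; alteration detected: %v\n", bv, td)
}
```

The contrast is the whole point of the sections above: in the first flow the seal is cryptographically sound yet binds only the service, and the parties’ consent survives only as a backend record that must be queried (lock-in) and that the service could rewrite; in the second, the evidence travels with the document and the private key never leaves the party, which is what the IT Act’s control requirement demands.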