Signing & Authentication
Signatures
In Ireland, as in many other common law jurisdictions, signatures are regarded as authenticating the terms of a document. Certain types of contract must either be signed or must be proved by a document which, in some cases, must itself be signed in order to be valid.
The E-Commerce legislation allows for an electronic signature. This is data attached to or associated with other data, which is intended as a method of authenticating the originator. Generally, a signature at the end of an e-mail, a scanned signature or a typed name would be sufficient to authenticate the document, at least presumptively.
An e-mail address in itself may be a signature in the sense that it serves to authenticate the originator. In the context of a less formal legal action, such as an order or communication, a typed signature at the end of the mail is generally equivalent to a signed letter. An e-mail communication coming from a proper source is presumptively valid until the contrary is shown.
In the case of a more formal legal document, the inclusion of an e-mail address with a name was held not to be sufficient as a signature under legislation which required guarantees to be in writing and signed.
Signature Requirement
If by law or otherwise the signature of a person is required or permitted, an electronic signature may be used where the person to whom the signature is required or permitted to be given consents. This applies whether the requirement takes the form of an obligation or whether legal consequences follow if there is no signature.
Where a signature is required or permitted to be given to a public body, which requires that it be in accordance with particular information technology and procedural requirements (including, for example, a qualified certificate issued by an accredited provider), an electronic signature may be used, provided that the requirements have been met. Those requirements are to be objective, transparent and non-discriminatory.
Witnessing Requirements
Where by law a signature to a document is required to be witnessed, the legislation contemplates that this can be done electronically subject to conditions. It contemplates that both the signatory and the witness would use an advanced electronic signature.
Further requirements, similar to those above, apply in relation to signatures for public bodies. An advanced electronic signature based on a qualified certificate may be used by both signatory and witness where the signature required is on a document to be given to a public body, or to a person acting on behalf of a public body, and the public body consents to its use.
Where the public body requires that the document and signatures comply with particular information technology and procedural requirements (including that the qualified certificate on which the signature is based be issued by an accredited certification service provider), those requirements must be met.
Seal / Deed Requirement
Where a document is required by law to be under seal (now executed / delivered as a deed), the requirement may be taken to have been met by use of an advanced electronic signature based on a qualified certificate by the person or body by whom it is required to be sealed, provided that the public body or private person to whom it is given consents to the same.
In the case of a public body, where the public body consents to its use but requires that it follow particular information technology and procedural requirements, they must be used. The public body’s requirements must have been made public and must be objective, transparent, proportionate and non-discriminatory in all cases.
Where a signature is required or permitted to be given to a person who is neither a public body nor its representative (i.e. a private person or company), an electronic signature may be used if the person to whom the signature is required or permitted to be given consents to the use of an electronic signature.
Similarly, where the document is one in respect of which the signature is to be witnessed, and it is required or permitted to be given to a person who is neither a public body nor its representative, then if the person to whom it is required to be given consents to the use of an advanced electronic signature based on a qualified certificate for that purpose, it may be so given by the signatory and witness.
Similarly, in the case of documents required to be sealed (executed as a deed) for a private person, an advanced electronic signature based on a qualified certificate may be used, provided that the private person, company or body so consents.
Electronic Signature
The Directive on electronic signatures contemplated the development of advanced and encrypted electronic signatures in a way which did not ultimately emerge. The EU had expected that electronic signatures would be widely established by the middle of the first decade of the millennium.
In practice, electronic/digital signatures have had more limited application to date than anticipated, being most commonly encountered in the context of e-government and personal e-banking services. They are commonly used for authentication but are less commonly used to enter binding contracts.
Ordinary Electronic Signature
An electronic signature is data in electronic form, which is attached to or logically associated with other electronic data, and which serves as a method of authentication. It has been held in England that an automatically generated e-mail address containing a name is not sufficient to be a signature where one is required under the Statute of Frauds.
Accordingly, in a case where it was alleged to provide the requisite memorandum of a guarantee as required by statute, the automatic insertion of an e-mail address in the e-mail was not sufficient. It would have been enough if the person had used his full name in the text or a combination of letters indicating his name.
Advanced Electronic Signatures I
The E-Commerce legislation contemplated the development of a higher level of electronic signature. It called these “advanced electronic signatures”. These were intended to be the equivalent to handwritten signatures for use in more formal documents.
The E-Commerce Act contemplated that where there was a legal requirement for an actual signature or execution as a deed, an advanced signature would be used. In practice, these requirements apply only to a small, limited number of transactions. The legislation has not yet been extended to the formal legal documents which require signature, such as land contracts, deeds, wills, etc.
Where a signature must be witnessed by law (such as a deed), an advanced electronic signature would be required. The witness would also use an advanced electronic signature. Likewise, where a document was required to be under seal, such as a deed or power of attorney, an advanced electronic signature would be required.
Advanced Electronic Signatures II
An advanced electronic signature is defined by the E-Commerce Act as an electronic signature which is uniquely linked to the signatory, is capable of identifying him, is created using means that the signatory can maintain under his sole control, and is linked to the data to which it relates in such a manner that any subsequent change to that data is detectable.
Advanced electronic signatures are based principally on public key infrastructure (PKI) signatures. This technology uses cryptography to protect and authenticate the data. The definition of an advanced electronic signature is nonetheless technologically neutral: it may include other methods and systems of authentication, including those based on electronic or biological features.
Certification
The directive and legislation contemplated certification services being an integral part of the system of electronic signatures. The Act contemplated that certification service providers would issue certificates. A certificate is an electronic attestation linking signature verification data to a person or body, which confirms that person's or body's identity.
Persons who provide a certification service may apply for accreditation in order to participate in systems. Regulation may prescribe a scheme of supervision of certification service providers established in the State, who issue qualified certificates to the public. The Minister may designate persons or public bodies for the purpose of determining whether secure signature creation devices conform with the requirements of the directive.
Certification service providers have a duty, in providing or guaranteeing qualified certificates, to take reasonable steps to ensure:
- the accuracy, at the time of issue, of all information contained in the certificate
- the fact that the certificate contains the details prescribed;
- that at the time of issue, the signatory identified in the qualified certificate held the signature creation device corresponding to the signature verification device given or identified in the certificate;
- that the signature creation device and signature verification device can be used in a complementary manner in cases where the certification service provider generates them both.
Certificate Service Providers
Qualified certificates must meet certain criteria. It must appear on its face that the certificate is issued as a qualified certificate. The certification service provider must be identified. The name of the signatory must be identified. The certificate must contain signature verification data corresponding to the signature creation data held under the control of the signatory. The certificate must have a period of validity. It may state limitations on the use to which it may be put and on the number of transactions for which it may be used.
The directive requires that certification service providers be liable for damage caused to any entity or person who reasonably relies on a qualified certificate, including damage arising from a failure to register or give appropriate notice of the revocation of the certificate. Certification service providers who have issued a certificate or a qualified certificate to the public may avoid this liability only where they prove that they have not acted negligently.
States may allow certification service providers to limit the uses to which a certificate may be put, and to limit the value of transactions for which it may be used, provided that those limits are clearly identified in the certificate. Providers are not liable for damage arising from use outside such limits.
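To make the definitions above concrete, the following is an added example written for this page in Go; it is not code from the original article, from the E-Commerce Act or from any certification service provider. It models the properties described under Advanced Electronic Signatures II and Certificate Service Providers: the signatory's key pair plays the role of the signature creation and verification data, a constructed certificate issued by a certification service provider (CSP) attests the link between the verification key and the named signatory and carries a validity period and a transaction-value limit, a revocation list stands in for the CSP's revocation notices, and a relying party's check fails whenever the signed data has been changed. The Certificate structure and its field names, the names "Example CSP" and "Alice Example", the serial number and the dates are all assumptions made for the illustration; the example uses Ed25519 from Go's standard library rather than any particular qualified-signature format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors: each maps to one of the checks a relying party performs.
var (
	ErrBadIssuerSig = errors.New("certificate not signed by the identified certification service provider")
	ErrNotQualified = errors.New("certificate does not present itself as a qualified certificate")
	ErrNotYetValid  = errors.New("certificate validity period has not started")
	ErrExpired      = errors.New("certificate validity period has ended")
	ErrRevoked      = errors.New("certificate has been revoked or suspended")
	ErrOverLimit    = errors.New("transaction value exceeds the limit stated in the certificate")
	ErrTampered     = errors.New("signature does not verify: data changed or wrong signatory")
)

// Certificate is a constructed, simplified stand-in for the qualified-certificate
// contents listed in the text. It is NOT an X.509 or eIDAS-compliant structure.
type Certificate struct {
	Qualified   bool              `json:"qualified"`     // "appears to be issued as a qualified certificate"
	Issuer      string            `json:"issuer"`        // the certification service provider
	Subject     string            `json:"subject"`       // the name of the signatory
	PublicKey   ed25519.PublicKey `json:"public_key"`    // signature verification data
	NotBefore   time.Time         `json:"not_before"`    // period of validity
	NotAfter    time.Time         `json:"not_after"`
	MaxValueEUR int               `json:"max_value_eur"` // limit on transaction value (0 = none)
	Serial      string            `json:"serial"`        // used by the revocation list
}

// SignedCertificate is the certificate plus the CSP's signature over its JSON encoding,
// which is what makes it an attestation by that CSP rather than a bare claim.
type SignedCertificate struct {
	Cert   Certificate
	CSPSig []byte
}

// IssueCertificate has the CSP attest the link between the verification key and the signatory.
func IssueCertificate(cspPriv ed25519.PrivateKey, cert Certificate) (SignedCertificate, error) {
	body, err := json.Marshal(cert)
	if err != nil {
		return SignedCertificate{}, err
	}
	return SignedCertificate{Cert: cert, CSPSig: ed25519.Sign(cspPriv, body)}, nil
}

// SignDocument creates the signatory's signature over the document bytes using the
// signature creation data (private key) that stays under the signatory's control.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// Verify runs the relying party's checks in order: CSP attestation, qualified status,
// validity period, revocation, stated usage limit, and finally the signature over the
// data itself, which fails on any subsequent change to the data. Returns nil on success.
func Verify(sc SignedCertificate, cspPub ed25519.PublicKey, revoked map[string]bool,
	now time.Time, valueEUR int, doc, sig []byte) error {
	body, err := json.Marshal(sc.Cert)
	if err != nil {
		return err
	}
	if !ed25519.Verify(cspPub, body, sc.CSPSig) {
		return ErrBadIssuerSig
	}
	if !sc.Cert.Qualified {
		return ErrNotQualified
	}
	if now.Before(sc.Cert.NotBefore) {
		return ErrNotYetValid
	}
	if now.After(sc.Cert.NotAfter) {
		return ErrExpired
	}
	if revoked[sc.Cert.Serial] {
		return ErrRevoked
	}
	if sc.Cert.MaxValueEUR > 0 && valueEUR > sc.Cert.MaxValueEUR {
		return ErrOverLimit
	}
	if !ed25519.Verify(sc.Cert.PublicKey, doc, sig) {
		return ErrTampered
	}
	return nil
}

func main() {
	cspPub, cspPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2018, 6, 1, 12, 0, 0, 0, time.UTC) // constructed reference time
	cert, err := IssueCertificate(cspPriv, Certificate{
		Qualified: true, Issuer: "Example CSP (constructed)", Subject: "Alice Example",
		PublicKey: alicePub, NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(1, 0, 0),
		MaxValueEUR: 5000, Serial: "0001",
	})
	if err != nil {
		panic(err)
	}
	doc := []byte("Guarantee: Alice guarantees the debts of Example Ltd up to EUR 4000.") // constructed
	sig := SignDocument(alicePriv, doc)
	revoked := map[string]bool{}
	fmt.Println("valid:  ", Verify(cert, cspPub, revoked, now, 4000, doc, sig))
	altered := []byte("Guarantee: Alice guarantees the debts of Example Ltd up to EUR 40000.")
	fmt.Println("altered:", Verify(cert, cspPub, revoked, now, 4000, altered, sig))
	fmt.Println("limit:  ", Verify(cert, cspPub, revoked, now, 9000, doc, sig))
	revoked["0001"] = true
	fmt.Println("revoked:", Verify(cert, cspPub, revoked, now, 4000, doc, sig))
}
```

The order of checks in Verify matters for the liability points in the text: a relying party that only verified the document signature would accept a signature made with a revoked or expired certificate, or for a transaction above the stated limit, which is precisely the reliance the certificate's stated limits and the revocation notice are meant to exclude.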
Authentication in Practice
In practice, the qualified certificates contemplated by the E-Commerce Act have been largely bypassed. In the absence of the commencement of the relevant provisions of the Act, other methods for authentication and validation have developed.
Advanced signatures are sometimes used on websites, in order to ensure the identity and integrity of data. This is in the nature of an added security feature. Revenue and other public service bodies now adopt digital signatures.
The parties to the contract may always specify that certain levels of security and authentication are required. In practice, the vast majority of commercial transactions, purchases, sales, and contracts are concluded over the internet without the use of advanced or other authenticated signatures.
E-commerce, as developed by major websites such as Amazon and eBay, does not require digital authentication. Authentication through unique usernames and passwords is widely used. E-commerce sites typically provide for password and registration procedures. Purchases are effected through submission of credit card information and clicking a purchase icon.
Offences I
The legislation provides for a number of offences based on the misuse of electronic signatures. It is an offence knowingly to access, copy or otherwise obtain possession of, or to re-create, the signature creation device of another person or public body without authorisation, for the purpose of creating, authorising or causing another person to create an unauthorised electronic signature using that signature creation device.
It is likewise an offence knowingly to alter, disclose or use the signature creation device of another person or public body without authorisation, or in excess of lawful authorisation, for the purpose of creating, allowing or causing another person to create an unauthorised electronic signature using that signature creation device.
Offences II
The following offences are also provided:
- knowingly to create, publish, alter, or otherwise use a certificate or an electronic signature for a fraudulent or another unlawful purpose;
- knowingly to misrepresent a person or public body’s identity or authorisation in requesting or accepting a certificate or in requesting suspension or revocation of a certificate;
- knowingly to access, alter, disclose or use a signature creation device of a certification provider used to issue certificates, without the authorisation of the provider or in excess of authorisation, for the purpose of creating, allowing or causing another person or body to create an unauthorised electronic signature using the signature creation device;
- knowingly to publish a certificate, or otherwise knowingly to make it available to anyone likely to rely on the certificate or on an electronic signature that is verifiable with reference to data listed in the certificate (such as codes, passwords, algorithms, public cryptographic keys, or other data used for the purpose of verifying an electronic signature), if that person knows:
  - that the certification service provider listed in the certificate has not issued it,
  - that the subscriber listed in the certificate has not accepted it, or
  - that the certificate has been revoked or suspended, unless its publication is for the purpose of verifying an electronic signature made before such revocation or suspension or notice thereof.
The above offences may be prosecuted whether they take place inside or outside the State. The usual investigatory powers in respect of criminal offences apply. On conviction on indictment the offences are subject to a fine of up to €634,869 and/or imprisonment of up to five years. On summary conviction, a person may be fined up to €1,904 and/or imprisoned for up to 12 months. The maximum financial penalties have since been adjusted by the Fines Act.
The Electronic Identification and Trust Services Regulation
The Electronic Identification and Trust Services (eIDAS) Regulation creates a new system for secure electronic interactions across the EU between businesses, citizens and public authorities.
It aims to improve trust in EU-wide electronic transactions and to increase the effectiveness of public and private online services and e-commerce. It applies to:
- electronic identification (eID) schemes notified to the European Commission by EU countries;
- trust service providers based in the EU.
It removes existing barriers to the use of eID in the EU. For instance, it is now straightforward for a firm in one EU State to tender for a public service contract in another.
National eID schemes notified must be interoperable. The interoperability framework must be technology-neutral, not favouring any specific national technical solutions for eID.
Electronic identification
eID issued in one EU country must be recognised in all others. This applies only if the eID meets the regulation’s requirements and has been notified to the Commission and published in a list. Mutual recognition of eIDs will be mandatory from 28 September 2018 and will facilitate secure electronic transactions across the EU.
An eID scheme must specify one of three levels of assurance (low, substantial and high) for the form of electronic identification issued under that scheme. Mutual recognition is mandatory only when the relevant public-sector body uses the ‘substantial’ or ‘high’ levels for accessing that service online.
When notifying the Commission of eID schemes, EU countries must provide information on aspects such as:
- the level of assurance and the issuer of eID under that scheme;
- the applicable supervisory and liability systems;
- the body managing the registration of unique personal ID data.
In the event of a security breach of the eID scheme or authentication, the notifying EU country must quickly suspend/revoke the EU-wide authentication or the compromised parts of the scheme; and inform other EU countries and the Commission.
In any transaction between EU countries where there is a failure to comply with the regulation’s obligations, the following parties can be held liable for any damage caused intentionally or negligently to any person or body:
- a notifying EU country;
- the party issuing the eID;
- the party managing the authentication procedure.
Trust services
The regulation defines trust services as paid-for services that include:
- the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
- the creation, verification and validation of certificates for website authentication; or
- the preservation of electronic signatures, seals or certificates related to those services.
Trust service providers based in the EU are considered ‘qualified’ if they meet the regulation’s applicable requirements. They are legally entitled to provide qualified trust services (e.g. qualified electronic signatures, seals or certificates) in all EU countries. Trust services offered by service providers from non-EU countries can be considered legally equivalent to qualified ones, but only after an agreement between the EU and the non-EU country or an international organisation.
Supervision
EU countries must select one or more bodies for the supervisory activities under this regulation. These bodies must cooperate with data protection authorities where appropriate.
All trust service providers are subject to supervision and to risk management and security breach notification obligations. Non-qualified trust service providers are subject to ‘light-touch’ supervision, i.e. the supervisory body only reacts if the provider is suspected of misconduct.
Qualified trust service providers based in the EU are subject to strict supervision. This includes prior authorisation by supervisory bodies and auditing at least once every 2 years by an organisation that assesses whether they meet regulation requirements.
A new, voluntary EU trust mark will identify the qualified trust services provided by the relevant providers.
Further EU Acts
A series of acts adopted by the European Commission set out:
- procedural arrangements for cooperation between EU countries on electronic identification
- specifications relating to the form of the EU trust mark for qualified trust services;
- technical and operational requirements of the interoperability framework;
- minimum technical specifications and procedures for assurance levels for eID means;
- technical specifications and formats relating to trusted lists;
- specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies; and
- circumstances, formats and procedures of notification of eID schemes.
References and Sources
Legislation
Electronic Commerce Act 2000
Electronic Commerce Act, 2000 (Commencement) Order 2000, S.I. No. 293 of 2000
European Communities (Distance Marketing of Consumer Financial Services) Regulations 2004
European Communities (Distance Marketing of Consumer Financial Services) (Amendment) Regulations 2005, S.I. No. 63 of 2005
European Communities (Protection of Consumers in Respect of Contracts Made by Means of Distance Communication) (Amendment) Regulations 2005, S.I. No. 71 of 2005
European Communities (Protection of Consumers in Respect of Contracts made by Means of Distance Communication) (Amendment) Regulations 2010, S.I. No. 370 of 2010
Electronic Commerce (Certification Service Providers Supervision Scheme) Regulations 2010, S.I. No. 233 of 2010
European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. No. 336 of 2011
European Union (Consumer Information, Cancellation and Other Rights) Regulations 2013, S.I. No. 484 of 2013
European Union (Consumer Information, Cancellation and Other Rights) (Amendment) Regulations 2014, S.I. No. 250 of 2014
European Union (Consumer Information, Cancellation and Other Rights) (Amendment) Regulations 2016, S.I. No. 336 of 2016
EU Legislation
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’)
Regulation (EU) No 524/2013 of the European Parliament and of the Council of 21 May 2013 on online dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Regulation on consumer ODR)
Directive 2013/11/EU of the European Parliament and of the Council of 21 May 2013 on alternative dispute resolution for consumer disputes and amending Regulation (EC) No 2006/2004 and Directive 2009/22/EC (Directive on consumer ADR)
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European
Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004
Irish Books
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
Contract Law in an Electronic Age Haigh 2001
Contract law McDermott 2nd ed 2017
EU and UK Texts
Getting the Deal Through: e-Commerce 2018 Robert Bond 2017
EU Regulation of e-Commerce: A Commentary Edited by: Arno R. Lodder, Andrew D. Murray 2017
Butterworths E-Commerce and IT Law Handbook 6th ed Jeremy Phillips 2012
Internet & E-commerce Law, Business and Policy 2nd ed Brian Fitzgerald, Anne Fitzgerald, Gaye Middleton, Yee Fen Lim, Timothy B Beale 2011
E-Commerce and Convergence: A Guide to the Law of Digital Media 4th ed Edited by: Mike Butler 2011
Blackstone’s Statutes on IT and e-commerce 4th ed Edited by: Steve Hedley, Tanya Aplin 2008
E-Commerce Law Paul Todd 2005
A Practical Guide to E-Commerce and Internet Law 2nd ed Osborne Clarke 2005