Electronic Signatures in Law

March 1, 2004

I approached the task of reviewing Stephen Mason’s book on electronic signatures with a certain apprehension. Would I understand the complex technicalities behind electronic signatures? Would I find it practical enough to say that it is useful? Would it make any difference to my daily job as a technology lawyer? What if the answer to these three questions was ‘no’? Let us find out what happened.

The preface helped to calm my anxiety. It sets the background to the book and starts by saying that the most widely used form of electronic signature is the ‘I accept’ button on a web site, even if the millions of people using it every day are unaware of that. A dose of reality is always good and it was an early sign that the book was likely to do its job just fine. Also at the outset, Stephen states that the majority of the text in the book concentrates on digital signatures, which is an obvious clue to the author’s intention to remain focused.

This is a book of two halves: the legal bit (chapters 1 to 8) and the technical bit (chapters 9 to 16). This is not something that is particularly stated anywhere and the relationship between the two halves is often blurred, but from a potential reader’s perspective it is comforting to know which part of the book is likely to answer your questions. What I will reveal is that if you think that a lawyer will struggle with the second half, then you are likely to be pleasantly surprised.

Readers will also realise quite early on that Stephen is not shy of picking a fight. He questions the public policy arguments behind placing the risk of forgery of a digital signature on the signing party, as it is the recipient who wants the advantage of digital coding to verify the user. I found this approach quite thought provoking. However, one of the most amusing sections of the book is the analysis of the legal role of a signature, particularly the discussion concerning common law. The author devotes 42 pages to illustrating how judges have been testing the validity and effectiveness of a signature since the early 19th century.

Quite quickly we are back to the 21st century, as the book describes as plainly as it possibly could the six different forms of electronic signatures. The next chapter deals quite thoroughly with some of the rules and laws that have been passed in recent years to regulate electronic signatures. My only criticism here is that I would have liked to see more of Stephen’s own interpretation of the extent to which electronic signatures have been given legal validity by statutory provisions.

The practical risks and potential liabilities attached to electronic signatures are neatly and methodically described in a way that even the most technologically-challenged lawyers would understand, which is not an easy task considering the interaction between uncertain law and untested technology. From a legal perspective, one of the most engaging chapters of the whole book is chapter 8, which addresses the evidential issues linked to electronic signatures. Whilst the admissibility of electronic signatures in evidence was confirmed by the Electronic Communications Act 2000, the statutory shift in the burden of proof is a crucial aspect of the book – as brilliantly highlighted by Stephen’s analysis of the Jitsuin, an eighth century Japanese system of authentication.

The technical half starts – as you would expect – with acronyms such as PGP and PKI. Public key infrastructure (PKI) is one of those concepts that takes a while to settle in. However, whilst I have read plenty of articles that gloss over the principle of PKI, the beauty about writing a book on electronic signatures is that one can spend a whole chapter getting into the nitty-gritty of PKI’s functionality and limitations, as Stephen has done. This is followed by a succinct review of one of the components of a PKI system: the certification authorities. Again, I had read about these before, but I certainly didn’t know that to become one, you have to undergo a rigorous process overseen by an organisation called tScheme.

As I was thinking that things were about to get utterly complicated, the book makes a bit of a U-turn and looks at the most commonly used types of electronic signatures. All of us use some of these on a daily basis, particularly when we shop online, so it is actually very interesting to read how we are protected against fraud when we buy our groceries from Tesco.com and our books from Amazon. In this chapter, the book even looks at the technology behind electronic voting proposals.

The final five chapters are more like side orders – nice to have, but not entirely necessary. Having said that, I can think of situations where a lawyer may be asked out of the blue about export controls on cryptographic algorithms or the status of electronic signatures in, say, Bermuda (this has actually happened to me!). In fact, one of the most impressive things about the book is the comparative analysis between different jurisdictions. You may not become an expert in Argentinean e-commerce law by buying this book, but you may be able to impress a client by confirming that a digital signature is valid in Argentina provided that a digital certificate has been issued by a licensed certification authority.

In summary, Electronic Signatures in Law is superbly researched, clearly written and incredibly useful. Let me put it this way, if you have a question concerning electronic signatures, the chances are that you will find the answer in this book.

Eduardo Ustaran is Chairman of the SCL Internet Interest Group