E-Signatures: Not Making Their Mark Just Yet

Have you ever authorised a payment from your bank account with a PIN, checked off an “I agree” box on a website or acknowledged delivery of a package by signing with a stylus on the delivery man’s electronic pad? The chances are that most of us have done all of those things within the past few weeks. Every time we did so, we were “e-signing” a contract or other document. In fact, as I’ll make clear shortly, we were not only e-signing but also “digitally signing” — and yes, there is a difference between the two. But whichever way you do it, signing documents without a traditional pen has become an integral part of modern life.

“E-signing” is a shortened version of “electronic signing”, and it isn’t new: electronic and even electrical signatures have been with us for well over a hundred years. Back in the days of the telegraph, it was possible to agree to a contract by exchange of telegrams. Since those days we have had the telex and the fax, and again it has long been recognised in English law that either of these can be “signed” by typing the name of the sender rather than writing it by hand.

For this reason, digital technology experts prefer to use the term “digital signature” for the way we sign emails and other internet transactions. A “digital signature” is a kind of e-signature. At its most basic level, a digital signature can be your email address; at its most advanced, it can be a piece of code which is individual to you or even to the particular transaction, and which only you and the person you are emailing are able to read.

It’s worth pausing for a moment to think about why signatures are important. In the days when only quill and ink were available to make a mark on documents, a person signed a document in order to demonstrate that he or she had seen the document and intended to be bound by it. It has always been extremely difficult in English law for a person to escape the consequences of a document he or she has signed, based on the general presumption that if you put your name to a piece of paper, you must be intending that to have some consequences for you. In other words, it is your look-out if you sign something without reading or understanding it.

Signing “Mary Jones” also makes it clear that you are claiming to be Mary Jones, and it will be possible to compare your signature against other signatures in order to establish whether you really are Mary Jones or not. In other words, signatures have been important in establishing both intention and identity.

Of course there have always been problems with this. In the seventeenth century and well into the eighteenth, a significant number of Mary Joneses would not have known how to write their names and would have had to make a cross or other mark, which is easy to forge. There are many stories also of trusting souls who put their signatures to blank pieces of paper only to have them produced later, with terms now written on them which were very much to their disadvantage. Overall, however, what is now called the “wet-ink” system of signing documents has worked pretty well for the past five hundred years at least.

The question now is, can the rules of the wet-ink system be transferred to the digital age, or do we need to develop further technology to make signatures more verifiable? The European Union thinks so, because in 1999 it published a directive which set out general rules for the implementation across the Union of what are still being called “e-signatures”, despite anguished protests from computer scientists. The rules were implemented in England and Wales by s.10 of the Electronic Communications Act 2000 and the Electronic Signature Regulations of 2002.

In basic terms, the logic behind the rules is that the more important and valuable the transaction, the more we need to ensure the identity and intentions of the person sending the emails. Unsurprisingly, the EU is particularly concerned about both electronic transfers of very large sums of money and agreements for major supply contracts. Verification of identity and intention in contracts of this significance needs to be much more stringent, says the EU, than the security required for Mary Jones to place an order with Amazon.

At the foundation of the UK’s Electronic Signature Regulations is a system of code and certification called “public key cryptography”, by which a message can be encrypted with one key code, called a “private key”, and then decrypted only by another code, called a “public key”. When Mary Jones sends a message, the receiver uses the public key to decode it. By doing so, the receiver verifies that the message was indeed sent by Mary Jones.

But like regular signatures, electronic signatures can be forged. What if someone manages to steal either the private or the public key, for instance? In the UK (and elsewhere), the answer to that question has been to provide an extra level of security in the form of “digital certification”. Through this process, an independent, government-appointed body confirms that the electronic signature really is that of Mary Jones and has not been stolen or copied. The only such authority, or “certification service provider” (CSP), currently in the UK is British Telecom. 
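
The signing and verification step and the CSP's certification described above can be traced in a few lines of Python. This is an added illustration, not code from the article or from any CSP: it uses textbook RSA over a SHA-256 hash with small constructed keys (far too short for real use), and the function names and the sample order are assumptions made for the example.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    # Textbook RSA from two primes: returns public (n, e) and private (n, d).
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message, n):
    # Hash the message and reduce it into the key's range (toy padding-free scheme).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def binding(name, public):
    # The statement a certificate makes: "this name owns this public key".
    return f"{name}|{public[0]}|{public[1]}".encode()

def accept(message, signature, name, public, cert, csp_public):
    # Accept only if the CSP vouches for the key AND the key verifies the message.
    vouched = verify(binding(name, public), cert, csp_public)
    return vouched and verify(message, signature, public)

# Constructed keys built from small Mersenne primes (illustration only).
mary_pub, mary_priv = make_keypair(2**61 - 1, 2**89 - 1)
csp_pub, csp_priv = make_keypair(2**107 - 1, 2**127 - 1)
imp_pub, imp_priv = make_keypair(2**61 - 1, 2**107 - 1)  # someone posing as Mary

order = b"I, Mary Jones, agree to pay 100 pounds"        # constructed sample text
sig = sign(order, mary_priv)
mary_cert = sign(binding("Mary Jones", mary_pub), csp_priv)  # issued by the CSP

def demo():
    altered = b"I, Mary Jones, agree to pay 900 pounds"
    imp_sig = sign(altered, imp_priv)
    return {
        "genuine": accept(order, sig, "Mary Jones", mary_pub, mary_cert, csp_pub),
        "altered_text": accept(altered, sig, "Mary Jones", mary_pub, mary_cert, csp_pub),
        "impostor_key": accept(altered, imp_sig, "Mary Jones", imp_pub, mary_cert, csp_pub),
        "impostor_raw": verify(altered, imp_sig, imp_pub),
    }
```

Only the genuine order is accepted. The impostor's signature is mathematically valid under the impostor's own key, which is why the receiver also needs the CSP's signed statement tying a particular key to the name Mary Jones.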

It is unclear at the moment how far these complex (and expensive to apply) regulations are being used in the UK. Those of us who work with BACS or the Land Registry will know that those organisations have adopted a middle course of certifying users themselves and then allowing for electronic signature in limited situations. The European Union is currently proposing that all lawyers be issued with an identity card which will include a key for making digital signatures. These proposals are still in the planning stage, but they may affect us all in years to come, so it makes sense to watch this space.