Monday 23 January 2012

Compliance & Value of digital signatures

Under the Electronic Commerce Act 2000 of Ireland, electronic communications are as valid as paper-based communications. Electronic signatures are valid if the receiving party consents to the use of an electronic signature. The definition of an electronic signature in this legislation is very broad: "electronic signature, an advanced electronic signature, an electronic signature based on a qualified certificate, an electronic signature created by a secure signature creation device or other technological requirements relating to an electronic signature".

There is however one caveat - where there is a legal obligation to retain original documentation (e.g. a financial advisor must keep client instructions for 7 years), the electronic record can meet this requirement, provided that:
  • there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form, whether as an electronic communication or otherwise,
  • where it is required or permitted that the information be presented— if the information is capable of being displayed in intelligible form to a person or public body to whom it is to be presented,
  • if, at the time the information was generated in its final form, it was reasonable to expect that it would be readily accessible so as to be useable for subsequent reference,
  • where the information is required or permitted to be presented to or retained for a public body or for a person acting on behalf of a public body, and the public body consents to the information being presented or retained in electronic form, whether as an electronic communication or otherwise, but requires that it be presented or retained in accordance with particular information technology and procedural requirements— if the public body's requirements have been met and those requirements have been made public and are objective, transparent, proportionate and non-discriminatory, and
  • where the information is required or permitted to be presented to or retained for a person who is neither a public body nor acting on behalf of a public body— if the person to whom the information is required or permitted to be presented or for whom it is required or permitted to be retained consents to the information being presented or retained in that form.
However Digiproving does have the following real advantages:
  1. When added to an electronically signed document at the time the document is signed, it meets any statutory obligation in relation to retention of original documents
  2. Offers strong, independently verifiable assurance that the document has not been altered, either accidentally or deliberately, since it was certified
  3. Offers a timestamp certifying the time at which the document was certified (and location information, if it is available on the device)
  4. It meets the requirements for retention of records (in digital format), thus creating less dependence on paper records.
Items 2 & 3 are important because not only do they give the receiving party (who must, after all, consent to the use of e-communications) assurance of the integrity of the document, they remove all reasonable doubt (whether in a court case or otherwise) that a document could have been altered after the fact. Other safeguards, such as archiving and time-stamped logs, can be circumvented by any software engineer or gifted amateur, or indeed defeated by malicious design, because whoever controls the archive or the log controls the evidence.

Finally the legislation describes an "advanced electronic signature based on a qualified certificate". I am pretty certain this means what is usually referred to as a Digital Signature: a PKI signature backed by a certificate from a CA such as Verisign (Adobe's PDF signing is one implementation of this, and there are many others; I think An Post offers something as well). This has one particular legal advantage in that it is recognised as a witnessed signature, and appears to be a requirement when applying signatures to documents that require witnessing. Cryptographically it is a very secure solution. However it comes with a major overhead - everyone who signs has to have a Digital ID (a digital certificate) from a recognised CA. There is (as you would expect) a whole process involved in proving your identity to the CA, and of course an annual cost. Despite massive promotion by companies like RSA and Baltimore in the late 90s, this technology did not achieve wide adoption.
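To make the integrity and timestamp claims of items 2 & 3, and the CA-backed signature described above, concrete, here is an added illustration (not code from this post, and not Digiprove's or any CA's actual format). It assumes Ed25519 keys, a SHA-256 digest of the document, and a deliberately simplified "certificate" that is just the CA's signature over the signer's public key; a real deployment would use X.509 certificates, and the signing time would come from an independent time-stamping authority rather than the signer's own clock, because a time is only as trustworthy as the party that signs it. The example shows what a verifier can and cannot check: any change to the document, to the recorded time, or the use of a signer key the CA never certified is detected.

```go
package main

// Constructed example: hash-then-sign a document together with the time of
// signing, with the signer's key vouched for by a "CA". Simplified for
// illustration; not Digiprove's method and not X.509.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Record is what a certification service would attach to a document.
type Record struct {
	Digest    [32]byte          // SHA-256 of the document as it was when signed
	SignedAt  int64             // Unix seconds, as asserted by the signer
	SignerPub ed25519.PublicKey // the signer's public key
	CASig     []byte            // CA signature over SignerPub (stand-in for a certificate)
	Sig       []byte            // signer's signature over Digest || SignedAt
}

// recordBytes is the exact byte string the signer signs: digest and time
// together, so neither can be changed independently after signing.
func recordBytes(digest [32]byte, signedAt int64) []byte {
	buf := make([]byte, 32+8)
	copy(buf, digest[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(signedAt))
	return buf
}

// Certify is the CA's role: vouch for a signer's public key. A real CA
// would issue an X.509 certificate after the identity checks the post mentions.
func Certify(caPriv ed25519.PrivateKey, signerPub ed25519.PublicKey) []byte {
	return ed25519.Sign(caPriv, signerPub)
}

// Sign produces the record for doc at time now using the signer's key and
// the CA's vouching signature over that key.
func Sign(doc []byte, signerPriv ed25519.PrivateKey, caSig []byte, now time.Time) Record {
	d := sha256.Sum256(doc)
	r := Record{
		Digest:    d,
		SignedAt:  now.Unix(),
		SignerPub: signerPriv.Public().(ed25519.PublicKey),
		CASig:     caSig,
	}
	r.Sig = ed25519.Sign(signerPriv, recordBytes(d, r.SignedAt))
	return r
}

// Verify checks, in order: the signer key is certified by the trusted CA,
// the record (digest and time) is intact under the signer's key, and the
// document presented today still hashes to the digest that was signed.
func Verify(doc []byte, r Record, caPub ed25519.PublicKey) error {
	if !ed25519.Verify(caPub, r.SignerPub, r.CASig) {
		return errors.New("signer key is not certified by the trusted CA")
	}
	if !ed25519.Verify(r.SignerPub, recordBytes(r.Digest, r.SignedAt), r.Sig) {
		return errors.New("record signature invalid: digest or timestamp altered")
	}
	if sha256.Sum256(doc) != r.Digest {
		return errors.New("document differs from the version that was signed")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := Certify(caPriv, signerPub)

	doc := []byte("Client instruction: sell 100 units of fund X") // constructed sample
	rec := Sign(doc, signerPriv, cert, time.Now())
	fmt.Println("original:", Verify(doc, rec, caPub))

	tampered := []byte("Client instruction: sell 1000 units of fund X")
	fmt.Println("tampered:", Verify(tampered, rec, caPub))

	backdated := rec
	backdated.SignedAt -= 24 * 3600
	fmt.Println("backdated:", Verify(doc, backdated, caPub))
}
```

Note what this does and does not prove: a valid record shows the document has not changed since the moment of signing and that the signer (as vouched for by the CA) asserted that time; it cannot show that the signer's clock was honest, which is why an independent time-stamping authority is used where the time itself is in dispute.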

For more information

http://www.digiprove.com/

http://www.brokerprove.com/ for financial advisors

2 comments:

  1. I am just aware of the basic usage and importance of digital signatures. But this article helped me to know the real advantages and value that a digital signature holds. I am grateful to you for providing this detail.