IV ELECTRONIC SIGNATURES
38. The Government intends the Electronic Commerce
Bill to:
- "specifically ensure that any electronic
signature is capable of being given legal effect and can be submitted
in evidence"[99]
- create "a rebuttable presumption that an
electronic signature, meeting certain conditions, correctly identifies
the signatory it purports to identify; and, where it purports
to guarantee that the accompanying data has not been altered since
signature, that it has not"[100].
The second objective will be achieved by ensuring
that an electronic signature backed by a certificate from a licensed
CA and generated using an "approved signature creation device"
will be "legally equivalent to a hand-written signature."[101]
A similar legal status may be accorded to electronic signatures
which are backed by a certificate from an unlicensed CA, if the
CA meets criteria to be laid down in the forthcoming EU directive
on electronic signatures, and if it were generated using an approved
device.[102]
39. The Government does not specifically define what
a "rebuttable presumption" is, but the concept is linked
to the evidential weight of an electronic signature, rather than
to its admissibility in court. Admissibility is a purely legal
test administered by a court before it will consider the content
of evidence.[103]
As far as signatures are concerned, the case of Goodman v. J.
Eban Limited established that mechanical signatures using rubber
stamps, printing or typewriting are valid in English law; a signature
can be made by a mark rather than a name as long as evidence can
be given to identify the placer of the mark and the intention
to sign; and words other than a name can amount to a signature
if the necessary intention to sign can be proven.[104]
A signature which may be admissible may also lack sufficient qualities
to enable a recipient to rely on it, however. A signed document
sent by a facsimile machine would be admissible in court but,
because of the ease with which the image of a signature can be
lifted from one document and inserted into another, it may be
perceived as unreliable for business transactions. By according
certain electronic signatures a "rebuttable presumption"
of validity, the Government intends not only to ensure that such
signatures (along with other electronic signatures) are admissible
in court but to lend evidential weight to such signatures, and
the functions they fulfill, by legislation.
40. DTI's recent consultation document does not reflect
the differences between the English and Scottish legal systems
in its discussion of changes to the ways in which courts deal
with electronic signatures. The evidence we received concerning
the Government's proposals for electronic signatures was mostly
from the perspective of the English legal system and that has
influenced our consideration of the issue, below.[105]
We consider it a potentially serious omission that DTI has
not indicated how its proposals for electronic signatures would
affect Scottish law and we recommend that they quickly do so.
Admissibility of Electronic Signatures
41. Some witnesses questioned the need for legislation
to ensure that electronic signatures could be admitted in court,
given the implications of the Goodman v. J. Eban Limited case.
e centreUK argued that "there is no essential
need for legislation to amend the existing English law on signatures
because the law as it stands is sufficiently flexible to cover
electronic signatures".[106]
In oral evidence, Mr. Marsh of e centreUK cited
the chief cashier's signature on bank notes as one example of
a legally effective electronic signature.[107]
Mr. Reed confirmed the existence of a consensus amongst the academic
community that "any form of electronic signature will work
under English law" but suggested that businesses wishing
to make contracts electronically would wish for that consensus
to be enshrined in statute.[108]
Many witnesses told us of their strong support for legislation
to confirm the legal standing of electronic signatures.[109]
Although electronic signatures are not currently without legal
standing, legislation to clarify their status would command widespread
support.
The Rebuttable Presumption
42. The proposal that some electronic signatures
would be presumed to identify the signatory and confirm the integrity
of the message sent, unless evidence showed otherwise, while others
would not, has proved controversial. Several witnesses questioned
the implications of such a proposal. The Law Society, for instance,
warned that "it is important that care should be taken to
ensure that any legislation on electronic commerce should avoid
creating even an implication that the status of a non-certified
electronic 'signature' is legally (as opposed to evidentially)
inferior to that of a certified one, for the purpose of concluding
a contract".[110]
If the Government were to create two classes of electronic signature,
distinguished according to their form, this would represent a
significant move away from English common law tradition towards
a civil law approach to the treatment of signatures.
43. In a civil law jurisdiction a signature may be
defined by its form - for instance, in relation to how it
is created or verified. It is common in such jurisdictions for
signatures to be notarised and for this to influence their evidential
weight.[111]
In a common law jurisdiction it is not thought necessary to define
a signature in this way; the intentions of the signatory are of
more importance.[112]
Signatures can be used, for example, to identify a person, associate
a person with the content of a document, attest to the involvement
of a person in the signing of a document or attest to the intention
of a party to be bound by the document.[113]
When an issue relating to a signature comes before a court in
a common law jurisdiction, the question examined is not whether
or not the signature was made according to certain conditions,
but whether or not it performs the functions it is alleged to
have performed.
44. One objection to the Government's proposals
for the recognition of electronic signatures is that they are
better suited to a civil law jurisdiction than to the English
common law tradition. If the proposal were to be enacted, courts
considering a case involving an electronic signature would ask
first, whether a signature met certain requirements of form, rather
than whether it successfully identified the signatory, associated
the signatory with the content of the document, or performed some
other related function. Ms Wardle of the Post Office, who described
the Government's proposals as "not...terribly helpful",
warned of the problems which might arise if legislation was passed
to associate the form of an electronic signature with its legal
status. She commented that "you [could] get back to all the
problems we have had under the Statute of Frauds where people
get away with murder because they say 'well, actually I have not
dotted my i's and crossed my t's and used red ink, and therefore,
I get away with not having signed this contract'".[114]
45. At present, many electronic communications and
contracts are concluded without a signature or with verification
which would not meet the requirements of the Government's proposal.[115]
Many witnesses and respondents to DTI commented on the extent
to which such transactions might be affected by the Government's
proposals for certain electronic signatures to have an enhanced
legal status.[116]
In particular, the European Electronic Signatures Working Group
and European Encryption Working Group told DTI that "the
proposed legislation is inconsistent with existing on-line practices
as well as emerging business models...by limiting full legal recognition
to only a narrow class of electronic signatures, the proposed
legislation would constrict...market development and prevent the
growth of innovative e-commerce services".[117]
A frequent observation was that, by basing legal recognition on
a particular model of public-key cryptography, the Government's
proposals were in no way technology neutral.[118]
Barclays argued that the reference to an "approved signature
device" in the Government's proposal was technology specific;[119]
APACS called for rapid clarification of the definition of such
devices, including who would be responsible for their approval.[120]
46. A second objection to the proposal that some
electronic signatures will carry a rebuttable presumption of validity
is that this would reverse the burden of proof in contractual
disputes, potentially undermining confidence in electronic commerce
if means of forging electronic signatures are developed. When
a signature is disputed, it is up to the relying party to demonstrate
the signature's validity. The Government's proposal would reverse
the burden of proof in such disputes, obliging the signatory to
show that a disputed signature was false. This might have important
implications if electronic signatures satisfying the Government's
criteria for a rebuttable presumption were forged, or the smart
cards on which they were held were stolen, or if a licensed CA's
procedures were deficient, including if electronic signatures
were issued to criminals using false identities. Dr. Anderson
warned that "the proposed Bill's presumption of validity
for electronic signatures which met the licensing criteria could
make it harder for the victims of electronic fraud to seek redress"
and drew a comparison with the difficulties faced in the past
by victims of phantom withdrawals from cash machines in gaining
redress because of the presumption that the encryption systems
used by cash machines were infallible and the lack of evidence
to corroborate allegations of fraud.[121]
Dr. Gladman told DTI that "the technology to effectively
support such a shift in the burden of proof is not available and
this means that those seeking to use digital signatures may carry
risks that have previously been carried by others".[122]
Several other respondents to DTI made similar points.[123]
EURIM, for instance, noted that, "the use of a licensed certification
authority in no way indicates whether the person using an electronic
signature device is actually the certified owner of that device".[124]
The Institute of Directors questioned the ease with which the
assumption of an electronic signature's validity could be rebutted,
without a CA's procedures and algorithms being subject to unrealistically
close scrutiny.[125]
Suggested Alternatives
47. Two recently drafted laws providing for
the recognition of electronic signatures were brought to our attention
by witnesses concerned with the Government's proposals. These
were Article 7 of the UNCITRAL Model Law on Electronic Commerce
and section 10 of the Australian draft Electronic Transactions
Bill 1999.[126]
Both of these laws are intended to ensure that electronic signatures
of any sort have legal effect, unless exemptions are specified.
Both leave it to the recipient of a message or, ultimately, to the
courts, to decide whether or not an electronic signature identifies
a person and indicates that person's approval of the contents
of a message. The legal status of an electronic signature, if
such a law were enacted, would depend upon the evidence presented
to demonstrate the intent of the signatory, which would be influenced,
but not determined, by the form of the signature and the certification
employed to verify it.
The EU Directive
48. The Government's proposals for electronic
signatures will have to comply with the provisions of the EU Electronic
Signatures Directive, currently under discussion.[127]
The directive aims to create a "harmonized and appropriate
legal framework for the use of electronic signatures" in
the EU and to establish "a set of criteria which form the
basis for the legal recognition of electronic signatures"
but "leaves detailed implementation measures to the Member
States".[128]
A key objective is for electronic signatures with legal effect
in one Member State to have legal effect throughout the rest of
the EU.
49. Article 5 of the directive is concerned with
the legal effect of electronic signatures. It intends that:
- Member States shall ensure that an electronic
signature is not denied legal effect, validity and enforceability
solely on the grounds that the signature is in electronic form,
or is not based upon a qualified certificate,[129]
or is not based upon a certificate issued by an accredited certification
service provider.
- Member States shall ensure that electronic signatures
which are based on a qualified certificate issued by a certification
service provider which fulfills the requirements set out in an
annex are, on the one hand, recognised as satisfying the legal
requirement of a hand written signature, and on the other, admissible
as evidence in legal proceedings in the same manner as hand written
signatures.
50. The Government's proposals would satisfy the
first part of Article 5, although legal opinion might affirm that
even without legislation electronic signatures are not denied
legal effect in the UK at present. The second part might be satisfied
by the proposed licensing scheme for CAs, discussed in more detail
below, and by the provision for electronic signatures backed by
certificates from unlicensed CAs to be given the same status as
electronic signatures backed by certificates from licensed CAs,
if certain conditions specified in the directive were met. Respondents
to DTI have argued, however, that the proposed licensing scheme
is not necessary in order for UK law to conform with the
directive.[130]
Visa suggested that the Government's "two-track system"
for legal recognition of electronic signatures might even contravene
the intention of the directive by hindering full legal recognition
in the UK of signatures and certificates accredited elsewhere
in the EU.[131]
DTI told us that its changes were, at least in part, inspired
by the need "to move in step" with the directive. We
are not convinced by this argument. When DTI first provided an
explanatory memorandum on the draft directive to the parliamentary
European legislation scrutiny committees, in July 1998, it suggested
that UK law would need to change once the directive was adopted.[132]
When pressed to provide information, DTI submitted an analysis
of possible changes required to the definition of "signature"
in English and Scots statute law and the potential need for clarification
of case law.[133]
DTI indicated that the draft directive "encouraged"
the establishment of a voluntary accreditation scheme for CAs,
but did not inform Parliament of the necessity of legislation
to link the form of electronic signatures with their evidential
weight as a result of the directive.[134]
Conclusion
51. The Government has justified the proposed
tie between the form and legal status of an electronic signature
in terms of encouraging confidence in electronic commerce, although
Dr. Anderson has warned that the proposals might lead to a collapse
in confidence if ways of forging electronic signatures are found.[135]
The proposals were first mooted by the previous Administration
and might have provided a means of enticing TSPs to seek a licence
and thus accept key escrow, in return for the electronic signatures
they certified being accorded an enhanced legal status.[136]
Now that the Government has indicated its commitment to a clear
policy distinction between CAs and TTPs and has withdrawn its
wholehearted support for key escrow, we question the need for
some electronic signatures to be presumed valid, unless proved
otherwise. When we asked the Minister to explain why the Government
was proposing to depart from the UK's common law tradition in
this area, he indicated his belief that common law was not able
to cover eventualities resulting from the use of new technologies.[137]
Common law has dealt with the development of new technologies,
such as the telephone, facsimile machine and computer in the past
precisely because it embodies a flexible, interpretative legal
approach. We believe that it is well suited to deal with the challenges
posed by electronic commerce. In conclusion, we recommend that
the Government lay before Parliament the justification for such
a radical change to the way signatures are considered by English
law and explain in greater detail than hitherto whether or not
the EU Electronic Signatures Directive genuinely necessitates
such a change to be made.
99 Consultation 99, paragraph 21
100 Ibid, paragraph 19
101 Ibid, paragraph 20, Annex A page 32; and see footnote 98
102 Ibid, paragraph 20 and footnote 14
103 As far as civil law is concerned, the Civil Evidence Act 1995,
particularly sections 8 and 9, removed many earlier problems associated
with the admissibility of electronic documents. NCIS, in their
response to the DTI consultation document (paragraph 9; and see
EURIM p2), called for similar reform to the admissibility of
computer evidence in criminal proceedings, particularly the repeal
of section 69 of the Police and Criminal Evidence Act 1984, in
accordance with a recent Law Commission Report (Evidence in
Criminal Proceedings: Hearsay and Related Topics, Report no.
245, Cm 3670), the recommendations of which have been accepted
by the Government (see HC Deb, 17 Dec 98, c725w)
104 [1954] 1QB 550, [1954] 1 All ER 763, [1954] 2 WLR 581, Court of
Appeal; also Ev, p7 annex 2 paragraph 3
105 But see Q31
106 Ev, p3 section 5, p7 annex 2, paragraph 4; the argument was extended
to Scots law, Q30
107 Q30
108 Q269
109 Qq142, 146, 277, 289; Ev, p81 paragraph 1.1, p108, p156 annex
1 paragraph 1.7, p216, pp226, 239 paragraph 3.5, p267 paragraph
18, p271 priority 1, p274 paragraph 2.2, p295; response to Government
from Visa pp3-4
110 Ev, p3 section 5, p7 annex 2 paragraph 7, p226; response to Government
from European Electronic Signatures Working Group and European
Encryption Working Group (EESWG) section I
111 See Ev, pp319-25
112 L. J. Davies, A Model for Internet Regulation?, section
3.9, including footnote 205; also Ev, p153 section 2, p155 annex
1 paragraph 1.1
113 Planning of Future Work on Electronic Commerce: Digital Signatures,
Certification Authorities and Related Legal Issues, note by
secretariat, UNCITRAL, Dec 96, on the internet at www.un.or.at/uncitral/english/sessions/wg_ec-wp-71.htm
paragraph 12
114 Q433
115 For instance, a purchase made using a credit or debit card over
the telephone or internet does not require a signature; communications
are frequently sent electronically verified only by a printed
"signature" or the scanned image of a handwritten signature;
see Q433; responses to Government from IBM p2, Post Office paragraph
1.1, Alliance for Electronic Business paragraph 2.3.2, Demon Internet/Scottish
Power paragraph 2, Law Society section II.1, Hewlett Packard (main
submission) pp5-6
116 The Post Office paragraph 1.14 and the Law Society section II.1
both argued in their responses to Government that the proposals
regarding electronic signatures would adversely impact on businesses;
also Ev, pp240-1 paragraph 2.1.2, section 3.2
117 Section 1, p3; and see response to Government from EURIM p4
118 For instance responses to Government from IUA p1, Neil Barrett
p3; also see footnote 18
119 Response to Government from Barclays, p2
120 Response to Government from APACS p4; also from BBA p2, Charles
Lindsey section 1.2, Steptoe and Johnson LLP (second submission)
p4, Reuters p1
121 Qq458, 460; Ev, p164; "Why Cryptosystems Fail", R. Anderson,
Communications of the Association of Computer Machines,
vol. 37 no. 11 Nov 94, pp32-40
122 Response to Government from Dr. B. Gladman p1; also from Hewlett
Packard (main submission) pp3-5, EESWG section I.A.2; and Dr.
Ross Anderson warned of smartcard forgeries - Q461
123 For instance responses to Government from Lloyds p2, Post Office
paragraph 1.4, Computer Weekly p2, SAP(UK)Ltd paragraph 3.1.3,
the Law Society section II.1, American Express p2 about whether
it is possible for an electronic signature to be uniquely linked
to an individual; also response from Neil Long
124 Response to Government from EURIM, paragraph 2.5; also from Baltimore
section 3.2, Motorola p12, Association for Biometrics p2
125 Response to Government from Institute of Directors, p1
126 Qq433-4, 459, 462; Ev, p164; responses to Government from the
Law Society section II.1, Hewlett Packard (main submission) p7,
Dr. B. Gladman p1; MacRoberts (p12) advocated the approach taken
by the Florida Digital Signatures Act 1996
127 See footnote 45
128 Proposal for a Directive on a Common Framework for Electronic
Signatures, European Commission, May 98, Com (98) 297 (hereafter
Com(98)297), section II p5 and section III.1 p6
129 The requirements of a qualified certificate are set out in Annex
1 of Com(98)297
130 Responses to Government from Microsoft section 2biv, EESWG section
1.A.4, Motorola p12, APCIMS p1, Energis paragraph 2.2, Hewlett
Packard (main submission) p7, Intel p1
131 Ev, p156 annex 1 paragraph 1.5; responses to Government from Visa
p4, Post Office paragraph 1.8, British Telecommunications paragraph
2, Demon Internet/Scottish Power section 4
132 DTI Exploratory Memorandum, 9708/98
133 Annex A to letter from Barbara Roche MP, Under-Secretary of State
DTI to Lord Tordoff, Chairman of the House of Lords European Communities
Committee, 24 November 1998
134 DTI Exploratory Memorandum 9708/98, paragraph 5
135 Consultation 99, paragraph 20; Qq460-1; Ev, pp231-2, 246
136 Consultation 97, paragraph 53; Ev, pp8-9 annex 3 section
1; and see responses to Government from Energis paragraph 2.3,
LIBA p4, British Telecommunications paragraph 2, Alliance for
Electronic Business paragraph 2.3.1, IBN Ltd p2, MacRoberts pp
15, 27, Dibb Lupton Alsop pp4-5, QMWC section 2, Law Society section
III.1, Steptoe and Johnson LLP p3 about the distortion to the
CAs' market which the "rebuttable presumption" might
cause
137 Q576