In the past, where the law required a signature, statement or document to be notarised, acknowledged, verified or made under oath, that requirement was, until recently, typically only met if the handwritten signature of the person authorised to perform those acts was used.
The goal of this requirement was, of course, to safeguard authenticity and to provide appropriate proof should a legal dispute arise at a later stage.
It is now possible for that person to achieve the same end with a few simple keystrokes on a computer, thanks to innovative software development and legislative recognition of the rapidly changing manner in which business is done. On19 March 2012, a South African certification service provider, LAW Trusted Third Party Services (Pty) Ltd (LAWtrust, www.lawtrust.co.za), was recognised by the South African Accreditation Authority (www.saaa.gov.za) in the Department of Communications (the Accreditation Authority) as an accredited authentication products and services provider in terms of section 37 of the Electronic Communications and Transactions Act 25 of 2002 (ECT Act). The accreditation of authentication products and services allows the electronic signatures of such products and services to qualify as advanced electronic signatures, thus safeguarding the authenticity of the signature.
This article seeks to provide some of the detail behind the who, where, when, what, why and how questions you, the reader, are probably now asking yourself after having read the above introduction.
Writing, original, data, data messages and computer programs
Consider the following: an e-mail can be viewed, in law, as an original written communication; a data message made up of data and compiled using a computer program (e.g. Microsoft Outlook). Confusing? Maybe, but it doesn’t have to be when you unpack and understand the following definitions from the ECT Act and the Copyright Act 98 of 1978 (Copyright Act):
– E-mail means a data message used or intended to be used as a mail message between the originator and addressee in an electronic communication [ECT Act, s1];
– Electronic communication means a communication by means of data messages [ECT Act, s1];
– Data message means data generated, sent, received or stored by electronic means [ECT Act, s1];
– Data means electronic representations of information in any form [ECT Act, s1];
– Computer program means a set of instructions fixed or stored in any manner and which, when used directly or indirectly in a computer, directs its operation to bring about a result (s1 Copyright Act). We also refer to computer programs as software;
– Information is not without legal force and effect merely on the grounds that it is wholly or partly in the form of a data message [ECT Act, s11(1)];
– A requirement in law that a document or information must be in writing is met if the document or information is in the form of a data message; and accessible in a manner usable for subsequent reference (ECT Act, s12];
– Where a law requires information to be presented or retained in its original form, that requirement is met by a data message [ECT Act, s14(1)];
Signatures, electronic signatures and advanced electronic signatures:
The Oxford Dictionary describes a “signature” as a person’s name written in a distinctive way as a form of identification or authorisation. In law, this is not the only way a document can be signed: any mark on a document made by a person for the purpose of attesting the document, or identifying it as his act, is his signature thereto [Putter v Provincial Insurance Co. Ltd and Another, 1963 (3) SA 145 (W) at 148].
An electronic signature is data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature [ECT Act, s1]. An advanced electronic signature is an electronic signature which results from a process which has been accredited by the Accreditation Authority [ECT Act, s1 and 37]. As already mentioned, LAWtrust’s authentication products and services have been so accredited by the Accreditation Authority, which means, in law, the electronic signatures created through use of such products and services qualify as advanced electronic signatures.
The use of electronic signatures must be distinguished from the use of advanced electronic signatures. The important issue is whether the signature is required by law. Whilst the ECT Act recognises other forms of electronic signatures used between parties in an electronic transaction (e.g. a private agreement), these will not be recognised if the signature is required by law (e.g. signatures required in terms of the Companies Act, 2008). In this regard, the ECT Act provides:
– An electronic signature is not without legal force and effect merely on the grounds that it is in electronic form, and may be used by the parties to an electronic transaction [ECT Act, s13(2), (3) read with definition of transaction in s1];
– Where the signature of a person is required by law and such law does not specify the type of signature, that requirement in relation to a data message is met onlyif an advanced electronic signature is used [ECT Act, s13(1)].
To belabour the point: whilst an advanced electronic signature is an electronic signature, an electronic signature is not necessarily an advanced electronic signature, the differentiator being whether or not there is accreditation by the Accreditation Authority of the authentication products and services used to create the electronic signature [ECT Act, s13(2), (3) read with definition of advanced electronic signature in s1].
Digital Certificates and Public Key Infrastructure (PKI):
Public key infrastructure (PKI) is a broad term that refers to the public and private key cryptography, the hardware, software, people, processes and policies collectively implemented and used to manage risk when transacting electronically (e.g. online or by email). PKI includes the use of digital certificates, in order to identify the persons behind an electronic transaction [for further details, see ISO 21188:2006, Public Key Infrastructure For Financial Services — Practices And Policy Framework, as published by the International Organisation for Standardisation (www.iso.org), adherence thereto required by the Accreditation Authority in an ECT Act s37 accreditation exercise].
Digital certificates are typically issued by certification service providers [note: whilst the ECT Act refers to certification service providers, in the digital certificate/encryption services industry these entities are generally known as certificate/certification authorities or “CAs”].
Besides being used as a means of online access control (e.g. conveyancers logging on to receive their bond registration instructions from Absa/Standard Bank), a digital certificate can also be used to create an electronic signature. If the digital certificate used to create such electronic signature was issued by a certification service provider, such as LAWtrust, whose authentication products and services have been accredited by the Accreditation Authority in terms of s37 of the ECT Act, the resultant electronic signature of the individual identified in the digital certificate also qualifies as an advanced electronic signature [ECT Act, s37 read with definition of advanced electronic signature in s1].
The reasons for supporting the use of digital certificates originate from a commercial perspective. The issues that arise when transacting online usually have to do with how to create enforceable electronic contracts for the sale of goods and services, or how to ensure that an electronic transaction will be at least as legally enforceable and binding as a traditional paper-based transaction. Username and passwords have been a common means of seeking to achieve this. The problem is that there are instances when requiring the use of a username and a password is simply too risky in that these can be compromised by numerous means of breaching computer security, e.g. covert monitoring of electronic communications (wiretapping), masquerading as a trustworthy entity to obtain sensitive information (phishing), covert tracking of keys pressed on a computer keyboard (keystroke logging), obtaining confidential data by manipulating and/or deceiving people (social engineering), sifting through commercial data records (dumpster diving), exploiting data security weaknesses (side-channel attacks) and other software vulnerabilities.
Digital certificates, in a well implemented PKI, go a long way towards managing risk when communicating or transacting online, such as false identity, fraud, unauthorised access, snooping/observation, message alteration and transaction repudiation. A properly issued digital certificate is strong evidence in support of proving the function of a signature in an electronic transaction, namely the conveyance of an attestation by the person signing of his/her approval and authority for what is contained in the document, and that it emanates from him/her [Jurgens and others v Volkskas Bank Ltd 1993 (1) SA 214 (A) at 220E-F].
A certification service provider plays an important role in a PKI in that it issues digital certificates, sets policy (as stated in its Certification Practice Statement (CPS), a statement issued by a certification service provider to specify the practices that it employs in generating and issuing digital certificates) on what identification a person must produce in order to obtain a digital certificate; and in order to maintain security, indicates in a published certificate revocation list those digital certificates that are no longer valid (e.g. revoked, expired or suspended).
A digital certificate is an electronic form of identification, much like an identity document, passport or driver’s license. Technically it is:
– a strong method of authentication, likened to a cryptographic handshake as opposed to a shared secret like a username and password;
– immune to phishing scams, keystroke loggers and the like;
– the method of choice in web services development, as seen in computer programming languages like SAML, XML and others;
– a roadmap for further use, i.e. signing to preserve integrity of data messages, transactions, e-mail, Adobe PDF, Microsoft Word and Excel documents; based on the widely accepted X.509v3 format [an international telecommunications standard, www.itu.int], which means system and program interoperability is almost guaranteed.
Digital certificates and the Companies Act, 2008
Section 6(12) (a) of the Companies Act provides: “If a provision of this Act requires a document to be signed or initialled (a) by or on behalf of a person, that signing or initialling may be effected in any manner provided for in the ECT Act, …”. Consider this in line with s13(1) of the ECT Act. Also note that s14 of the ECT Act provides for originals to be in electronic form if certain integrity requirements are met. The cryptography behind an advanced electronic signature makes it mathematically infeasible to tamper with the document without showing evidence of tampering, i.e. you’ll get a warning.
Section s51(1)(b) read with s51(2) provides a certificate evidencing any certificated securities of a company may be signed by electronic means by two persons authorised by the company’s board (i.e. electronic share certificates). Also consider s12(5): signing reservation of name notice; s13(1): signing a Memorandum of Incorporation , s30(3)(c): signing annual financial statements, s58(2)(a): signing a proxy appointment; s61(3): signed demand for a shareholder meeting (e.g. by using electronically signed email using a LAWtrust issued digital certificate); s73(8): signed minutes of a board meeting; s77(3)(a) and (d) director liability as consequence of signing anything on behalf of a company; s101(5) signed offers.
Digital certificates and the Magistrates’ Court Rules of Court
The updated Magistrates Rules of Court (No.R740 dated 23 August 2010) provide in s1 for “signature” to include an advanced electronic signature as defined in the ECT Act, and that this also applies to “sign”, “signing” and “signed.”
There is other legislation that requires signatures. If you come across provisions therein that provide for signatures you may wish to consider the applicability of the ECT and the use of advanced electronic signatures.
Instances when electronic signatures are not permitted:
There are instances when, in law, the use of an advanced electronic signature is not permitted. The ECT Act envisages this and only allows the use of advanced electronic signatures when the law does not specify the type of signature required [s13(1), ECT Act]. For example, s2 of the Wills Act 7 of 1953 (Wills Act) provides no will executed is valid unless signed at the end thereof by the testator. “Sign” is defined in s1 of the Wills Act to include the making of initials and, only in the case of the testator, the making of a mark, and “signature” has a corresponding meaning.
Digital Certificates and electronic notarisation, acknowledgement and certification under the ECT Act:
Most of the readers of this article are admitted attorneys, meaning they are also ex officio commissioners of oaths. Where a law requires a signature, statement or document to be notarised, acknowledged, verified or made under oath, that requirement is met if the advanced electronic signature of the person authorised to perform those acts is attached to, incorporated in or logically associated with the electronic signature or data message [s18(1), ECT Act].
Where a law requires or permits a person to provide a certified copy of a document and the document exists in paper or other physical form, that requirement is met if an electronic copy of the document is certified to be a true copy thereof and the certification is confirmed by the use of an advanced electronic signature [s18(3), ECT Act].
Digital certificates and transacting online:
As stated above, most computer systems require some form of access control. Most common is username and password, which can be too risky for when the business risks are high. Take for example conveyancing online, namely the electronic communication of bond information (e.g. instruction, re-instruction, not taken up (NTU), acknowledgment, milestone status, payment advice and rating files) between the home loan divisions of the banks and their respective panels of conveyancing attorneys. In a conveyancing transaction one cannot run the very real risk of allowing fraud to be committed as a result of unauthorised data access, data manipulation and leakage, and misuse of access by persons unknown. The companies involved need to know with a degree of certainty who is accessing their computer systems online, and need for those persons to take responsibility for that which they do whilst online with them. It should also provide those companies with a level of confidence that only personnel authorised to communicate electronically on the company’s behalf can in fact do so. Standard components of a sound security solution include authentication that makes use of encryption technologies, i.e. digital certificates. [Examples of other components not dealt with here, but also very important, include firewalls, anti-virus scanners, content security management, intrusion prevention systems, virtual private networks and security incident and event manager tools].
Digital certificates and public and private key cryptography:
Digital certificates, as already stated, make use of public and private key cryptography. For a layman, this means using standard Microsoft computer program functionality: two data keys are generated on the digital certificate holder’s computer. These keys are mathematically related to each other (sometime referred to as asymmetric encryption). One data key is called the private key and the other the public key. It is mathematically infeasible, using the best computing power available today, to break the algorithms used to create these keys. The private key is required to be kept private and not shared with anyone, usually stored in the browser of a computer or on a cryptographic memory stick.
The digital certificate is simply a piece of data that lists the public key and identifies the individual holding the corresponding private key, and also identifies the certification services provider who issued the digital certificate in the first place; effectively vouching for the identity of the individual identified in the digital certificate based on the identity verification criteria set out in its CPS, compliance against which it is audited from time to time, such audit in the case of LAWtrust being conducted by the Accreditation Authority.
When an electronic signature is created, it is only the public key and the digital certificate that become ‘embedded’ in the electronic document being signed, but these can only be ‘embedded’ if the corresponding private key was used. Therefore, the recipient of an electronic document (e.g. e-mail message, PDF document) that contains the author’s public key and digital certificate should be assured that the author of the document, i.e. the only person who exercises control over the corresponding private key, is the same person identified in the digital certificate. The document is said to then contain the author’s electronic signature or advanced electronic signature, as the case may be
If the private key becomes compromised, that is when problems arise, because a stranger exercising control over the private key of another can then impersonate the person identified in the corresponding digital certificate. It is therefore important to be diligent in retaining control of the private key associated to the public key listed in the digital certificate, including retaining control of any pass-phrase, pin or token used to activate the private key, and prevent disclosure to any person not authorised to create one’s electronic signature.
Applying to be issued with a digital certificate:
For a person to be issued with a digital certificate that can be used to sign electronic documents with an advanced electronic signature (and which can also be used to access computer systems over the Internet), that person needs to register his/her details with a certification services provider that has been accredited by the Accreditation Authority, an enrolment process which can be frustrating at times, but ultimately worth it when the risks sought to be addressed by doing so are able to be properly mitigated.
An applicant (also referred to as a Subscriber) typically needs to:
– complete a Personal Digital Certificate Application Form;
– sign a Subscriber Agreement; and
– present the original and one copy of his/her identity document (there might be other criteria that need to be adhered to, depending on which certification services provider you choose to deal with).
After verifying the applicant’s identity and completing certain internal checks and controls, the certification services provider will issue a digital certificate. The applicant will then be notified and directed on how to download the digital certificate and commence using it to access computer systems online.
Using a digital certificate:
At present the Adobe Acrobat Professional computer program appears to have the most user-friendly functionality to sign an electronic document [It is also possible to sign a Microsoft Word document]. Once a document is ready for signature, convert/save it to the Adobe PDF format. The step by step functionality to actually signing the document is fairly easy to follow. This electronically signed document can then be attached to an e-mail and forwarded to the intended recipient, encrypted as well if need be.
There are also online signing services, such as Signing Hub (www.signinghub.com) that do away with the need to incur the cost of obtaining an Adobe Acrobat Professional license, and which enable the uploading, sharing and signature (using digital certificates) of documents, and which also assist in managing costs of printing, faxing, couriers, postage, scanning, storage and searching].
A word of caution:
Digital certificates and the functionality to use digital certificates to create electronic signatures have been around for years now. It is therefore important for the recipient of a signed electronic document to carefully scrutinise the digital certificate to confirm whether the signature created with that digital certificate qualifies as an advanced electronic signature or is merely an electronic signature.
To do this one needs to verify two important things:
(i) that the certification services provider who issued the digital certificate is in fact accredited by the Accreditation Authority in terms of s37 of the ECT (you can view this accreditation confirmation on the Accreditation Authority’s website at www.saaa.gov.za/accreditation_ProductsServices.htm or telephone them on 012 427 8241); and
(ii) that the digital certificate itself makes reference to a advanced electronic signatures (e.g. LAWtrust refers to “AESign” in the digital certificates issued by it for the purposes of advanced electronic signatures).
As practitioners, it is imperative that to keep pace with technological developments, more especially those that facilitate business transactions in an increasingly global economy, without sacrificing the integrity of the process and the documents involved. The advent of advanced electronic signatures and digital certificates, together with other electronic security enhancements, enable both to the advantage of the client.
This article first appeared in the November 2012 issue of De Rebus, the SA Attorneys’ Journal published by the Law Society of South Africa.