- How to give documents which exist only in electronic form the same legal status as paper documents.
- How to provide a secure, reliable and legally-sanctioned method for "signing" electronic documents, in order to make it unnecessary to generate and sign paper documents and thereby encourage and facilitate electronic commerce.
- Legislation which accords electronic documents the same legal status as paper-based documents.
- Legislation which sanctions the use of reliable methods of electronic "signatures."
Utah was the first jurisdiction in the United States to enact a statute which puts the force of law behind an electronic signature method, namely, digital signatures based upon an asymmetric cryptosystem utilizing private and public key pairs. The legislation, known as the Utah Digital Signature Act, was signed by the governor of Utah on March 9, 1995 and was amended in 1996.
California passed a digital signature statute in October, 1995.
Washington passed a digital signature statute in March, 1996.
Florida passed an electronic signature statute in May, 1996.
Connecticut, Delaware, Hawaii, Iowa, Louisiana, Minnesota, New Mexico and Wyoming have passed statutes which relate to electronic signatures.
Other states, including Georgia, Massachusetts and Illinois, presently are considering electronic signature legislation.
The Information Security Committee of the Section of Science and Technology of the American Bar Association has drafted Digital Signature Guidelines which it describes as "general statements of principle, intended as a common framework of unifying principles that may serve as a common basis for more precise rules in various legal systems." The ABA Guidelines are similar to and generally consistent with the Utah statute.
Different Legislative Approaches
The states have taken different approaches to digital signature legislation.
The Utah and Washington statutes, which are similar to each other, are detailed and comprehensive, create a state-sanctioned public key infrastructure and will be supplemented with regulations.
The California and Florida statutes are quite short. The California statute sanctions the use of digital signatures in communications with public entities, and directs the California Secretary of State to promulgate regulations. The Florida statute gives electronic documents the same legal status as tangible documents and sanctions all methods of electronic signatures; it also directs the Florida Secretary of State to study the issues relating to digital signatures.
It is likely that most states will follow one of the foregoing approaches, i.e., a comprehensive statute along the lines of Utah's or a short statute which sets forth certain basic principles and then empowers a government agency either to create comprehensive regulations or to study the issues further.
The Utah Statute (Utah Code, Title 46, Chapter 3)
Overview of the Utah Statute
Part One. Definitions.
Part Two. Licensing and Regulation of Certificate Authorities.
Part Three. Duties of Certification Authorities and Subscribers.
Part Four. Effect of a Digital Signature.
Part Five. Repositories.
Definitions of Significant Terms
- "Asymmetric Cryptosystem": An algorithm or series of algorithms which provide a secure key pair.
- "Certificate": A computer-based record which:
  - Identifies the certification authority issuing it.
  - Names or identifies its subscriber.
  - Contains the subscriber's public key.
  - Is digitally signed by the certification authority issuing it.
- "Certification Authority": A person who issues a certificate.
- "Digital Signature": A transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key and whether the message has been altered since the transformation was made.
- "Key Pair": A private key and its corresponding public key in an asymmetric cryptosystem, which have the property that the public key can verify a digital signature that the private key creates.
- "Licensed Certification Authority": A certification authority to whom a license has been issued by the appropriate state agency and whose license is in effect.
- "Private Key": The key of a key pair used to create a digital signature.
- "Public Key": The key of a key pair used to verify a digital signature.
- "Qualified Right to Payment": An award of damages against a licensed certification authority by a court in a civil lawsuit for violation of the statute.
- "Recommended Reliance Limit": The limitation on the monetary amount recommended for reliance on a certificate.
- "Repository": A system for storing and retrieving certificates and other information relevant to digital signatures.
- "Signer": A person who creates a digital signature for a message.
- "Subscriber": A person who is the subject listed in a certificate, accepts the certificate and holds a private key which corresponds to a public key listed in that certificate.
- "Suitable Guaranty": Either a surety bond executed by a state-approved surety or an irrevocable letter of credit issued by a state-approved financial institution, which satisfies certain requirements. A suitable guaranty may provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.
- "Trustworthy System": Computer hardware and software which:
  - Are reasonably secure from intrusion and misuse.
  - Provide a reasonable level of availability, reliability and correct operation.
  - Are reasonably suited to performing their intended functions.
- "Verify a Digital Signature": To determine accurately, in relation to a given digital signature, message and public key, that the digital signature was created by the private key corresponding to the public key and that the message has not been altered since its digital signature was created.
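The three properties that the definitions of "Key Pair", "Digital Signature" and "Verify a Digital Signature" rest on (the private key creates the signature, only the corresponding public key verifies it, and any alteration of the message invalidates it) in a small worked example. This is an added illustration, not code from the paper or from any of the statutes discussed; it uses a toy textbook-RSA key pair over constructed Mersenne primes, not a production cryptosystem.

```python
import hashlib

# Added illustration: a toy asymmetric cryptosystem (textbook RSA applied to a
# SHA-256 digest) showing the statutory definitions of "key pair", "digital
# signature" and "verify a digital signature". The primes are constructed
# Mersenne primes chosen so the example runs instantly; a real certification
# authority would require far larger, randomly generated keys.

PUBLIC_EXPONENT = 65537


def generate_key_pair(p, q, e=PUBLIC_EXPONENT):
    """Return (private_key, public_key) for the asymmetric cryptosystem."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (d, n), (e, n)


def _digest_as_int(message, n):
    """Hash the message and reduce the digest into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """The 'transformation of a message' made with the signer's private key."""
    d, n = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(message, signature, public_key):
    """Decide, from message, signature and public key alone, whether the
    signature was created by the matching private key and the message has
    not been altered since it was signed."""
    e, n = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


# Constructed key pairs: the subscriber's, and an unrelated one standing in
# for a person who does not rightfully hold the subscriber's private key.
SUBSCRIBER_PRIVATE, SUBSCRIBER_PUBLIC = generate_key_pair((1 << 31) - 1, (1 << 61) - 1)
OTHER_PRIVATE, OTHER_PUBLIC = generate_key_pair((1 << 89) - 1, (1 << 107) - 1)

MESSAGE = b"Pay Acme Corp. $1,000 on March 9, 1997."  # constructed sample message


def demonstrate():
    """Run the three checks a relying party cares about; return their outcomes."""
    sig = sign(MESSAGE, SUBSCRIBER_PRIVATE)
    return {
        # Genuine: the subscriber's private key made it and the public key
        # listed in the subscriber's certificate verifies it.
        "genuine": verify(MESSAGE, sig, SUBSCRIBER_PUBLIC),
        # Altered after signing: the same signature no longer verifies.
        "altered": verify(MESSAGE.replace(b"1,000", b"9,000"), sig, SUBSCRIBER_PUBLIC),
        # Wrong key pair: a signature made with some other private key fails
        # against the subscriber's certified public key.
        "wrong_key": verify(MESSAGE, sign(MESSAGE, OTHER_PRIVATE), SUBSCRIBER_PUBLIC),
    }


if __name__ == "__main__":
    print(demonstrate())  # {'genuine': True, 'altered': False, 'wrong_key': False}
```

The relying party never needs the private key: the certificate supplies the public key, and the check succeeds only for an unaltered message signed by the matching private key.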
Licensing and Regulation of Certificate Authorities
Implementing Agency. In Utah, the Department of Commerce, Division of Corporations and Commercial Code (the "Division") is the agency designated to implement the statute. The Division is a certification authority and may issue, suspend and revoke certificates as do licensed certification authorities. In effect, the Division is the certification authority at the top of the chain. The Division is given the power to govern licensed certification authorities, to determine appropriate amounts for "suitable guaranties," to specify various requirements and otherwise to give effect to and implement the statute.
The statute sets forth various criteria which an entity must meet in order to become a licensed certification authority, including the following:
- It must employ as "operative personnel" only persons who have not been convicted of a felony or a crime involving fraud, false statement or deception.
- It must employ as "operative personnel" only persons who have demonstrated knowledge and proficiency in following the requirements of the statute.
- It must file a suitable guaranty with the Division.
- It must have the right to use a "trustworthy system," including a secure means for controlling usage of its own private key.
- It must meet working capital requirements set by the Division, maintain an office in the state or have a registered agent for service of process in the state and comply with all other licensing requirements established by regulations of the Division.
Effect of lack of licensing. Unless the parties agree otherwise, the licensing requirements in the statute do not affect the effectiveness, enforceability or validity of a digital signature, except that:
- Part Four of the statute (discussed below) does not apply to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.
- The liability limits discussed below do not apply to unlicensed certification authorities.
Duties of Certification Authorities and Subscribers
Issuance of a Certificate. A licensed certification authority may issue a certificate to a subscriber only if it has received a request for issuance signed by the prospective subscriber, and if the certification authority has confirmed that:
- The prospective subscriber is the person to be listed in the certificate.
- If the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key.
- The information in the certificate to be issued is accurate "after due diligence."
- The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate.
- The prospective subscriber holds a private key capable of creating a digital signature.
- The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
The authority must publish a "signed" copy of the certificate in a recognized repository unless the subscriber and certification authority agree otherwise.
By issuing a certificate, a licensed certification authority certifies to all who "reasonably rely" on the information contained in the certificate that:
- The information in the certificate and listed by the certification authority is accurate.
- All foreseeable information material to the reliability of the certificate is stated or incorporated by reference within the certificate.
- The subscriber has accepted the certificate.
- The licensed certification authority has complied with all applicable state laws governing issuance of the certificate.
By accepting a certificate issued by a licensed certification authority, the subscriber certifies to all who reasonably rely on the information contained in the certificate that:
- The subscriber rightfully holds the private key corresponding to the public key listed in the certificate.
- All representations made by the subscriber to the certification authority and material to information listed in the certificate are true.
- All material representations made by the subscriber to the certification authority or made in the certificate and not confirmed by the certification authority in issuing the certificate are true.
By accepting a certificate, the subscriber agrees to indemnify the issuing certification authority for any loss or damage caused by issuance or publication of a certificate in reliance on a false and material representation of fact by the subscriber or the subscriber's failure to disclose a material fact, if the representation or failure to disclose was made either negligently or with the intent to deceive the certification authority or a person relying on the certificate.
By accepting a certificate issued by a licensed certification authority, the subscriber assumes a duty to exercise reasonable care to retain control of the private key and to prevent its disclosure to anyone not authorized to create the subscriber's digital signature. The private key is the personal property of the subscriber who rightfully holds it.
The statute provides for the temporary suspension or permanent revocation of certificates.
A certificate must state its expiration date. When a certificate expires, the subscriber and certification authority no longer are making the certifications provided by the statute and the certification authority no longer has any duties based upon issuance of that expired certificate.
By specifying a recommended reliance limit in a certificate, the certification authority and subscriber are recommending that people rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.
Unless a licensed certification authority agrees otherwise, it is not liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the false or forged digital signature, the authority complied with all material requirements of the statute.
A licensed certification authority is not liable for more than the recommended reliance limit specified in the certificate for either
- a loss caused by reliance on a misrepresentation in the certificate of any fact that the authority is required to confirm, or
- failure to comply with the statutory requirements for issuing a certificate.
Unless it agrees otherwise, a licensed certification authority is liable only for direct, compensatory damages, which do not include punitive damages, damages for lost profits, savings or opportunity, or damages for pain or suffering.
The statute sets forth procedures for collecting on a certification authority's surety bond or letter of credit.
Effect of a Digital Signature
Where a law requires a signature or provides for certain consequences in the absence of a signature, that law is satisfied by a digital signature if:
- The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
- The digital signature was affixed by the signer with the intention of signing the message; and
- The recipient has no knowledge or notice that the signer (1) breached a duty as a subscriber (such as by improperly disclosing the private key) or (2) does not rightfully hold the private key (e.g. if the person signing the message stole the private key).
The recipient of a digital signature assumes the risk that the digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances. If the recipient decides not to rely on a digital signature, the recipient shall promptly notify the signer of that decision.
A message is as valid, enforceable and effective as if it had been written on paper if:
- It bears a digital signature; and
- The digital signature is verified by the public key listed in a certificate which was issued by a licensed certification authority and was valid at the time the digital signature was created.
In resolving disputes involving digital signatures, courts are to make the following presumptions:
- A certificate digitally signed by a licensed certification authority is issued by that certification authority and is accepted by the subscriber listed in it.
- The information listed in a valid certificate and confirmed by a licensed certification authority issuing that certificate is accurate.
- If a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority, then that digital signature is the digital signature of the subscriber listed in the certificate, the digital signature was affixed by the signer with the intention of signing the message and the recipient of the digital signature has no knowledge or notice that the signer breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature.
The statute provides that the Division may "recognize" one or more repositories and sets forth criteria for such recognition.
The statute sets forth the circumstances under which a repository will and will not be liable to others.
Status of Implementation
Utah is continuing to draft its regulations and anticipates official adoption of the regulations by May, 1997. It has selected a consortium of vendors to develop a repository and to provide digital signature software and certification authority services. Utah anticipates it will be able to license certification authorities and put its infrastructure into operation by October, 1997.
The California Statute
The California statute permits any party to a written communication with a "public entity" (government agencies and political subdivisions) to affix a signature by use of a digital signature which complies with certain requirements, set forth below. The statute provides that the use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it includes all of the following characteristics:
- It is unique to the person using it.
- It is capable of verification.
- It is under the sole control of the person using it.
- It is linked to data in such a manner that if the data are changed, the digital signature is invalidated.
- It conforms to regulations to be adopted by the Secretary of State.
The statute provides that the use or acceptance of a digital signature is at the option of the parties. The statute does not require a public entity to use or permit the use of a digital signature. It does not apply to communications between private parties.
The statute defines "digital signature" to mean "an electronic identifier, created by computer, intended by the party using it to have the same force and effect as the use of a manual signature." The statute does not explicitly adopt public key cryptography; instead, it defines criteria which the "signature" must meet and leaves it to the Secretary of State to decide on suitable technology which fulfills those criteria. Thus, California may adopt other electronic signature methods.
Status of Implementation
California has drafted regulations for the Secretary of State to review. The draft regulations permit creation of a public key infrastructure and are similar to the Utah statute. They recognize "public-key based digital signature solutions" as meeting the criteria set forth in the statute.
The Secretary of State will draft additional regulations at such time that other technologies are proven to meet the statutory criteria.
The Florida Statute
In May 1996 the Florida Legislature passed the "Electronic Signature Act of 1996."
The Florida statute is a California-type statute in the sense that it is relatively short, sets forth certain fundamental legal principles and grants certain powers and responsibilities to the Secretary of State. Unlike the California statute, however, it would apply to transactions between private parties.
The statute defines the word "writing" to include information which is created or stored in any electronic medium and is retrievable in perceivable form.
The statute provides that an "electronic signature" may be used to sign a writing and shall have the same force and effect as a written signature. "Electronic signature" is defined to mean any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with an intent to authenticate a writing. A "digital signature," i.e. a signature using private key/public key cryptography, is defined as one type of electronic signature. Thus, under the Florida statute, both digital signatures and other types of electronic signatures are legally-sanctioned methods for "signing" electronic documents.
The Secretary of State is given the authority to issue certificates required to verify digital signatures and to take other actions necessary to achieve the purposes of the statute.
The statute directs the Secretary of State to address certain issues to assist the legislature in determining whether it is in the public interest for the Secretary of State to set up a public key infrastructure, i.e., certification authorities and repositories.
Status of Implementation
The Florida Secretary of State organized a Digital Signature Advisory Committee to address the issues identified in the statute. The Committee issued its report on November 30, 1996. The Committee concluded:
- The legal and business climate for private certification authorities is uncertain. No company in the industry had come forward to say it had a pressing need to use digital signature technology in a way that would require immediate state regulation and it would be difficult to justify the cost of implementing a legislatively mandated scheme of comprehensive regulation at this time.
- Licensure of private certification authorities is likely to be necessary in the future, but because the demand for digital signature services is not immediate, comprehensive legislation would be inappropriate. Instead, the Committee recommended that the legislature authorize the Secretary of State to establish licensure standards by rule and to conduct a detailed study of the future role of digital signatures and electronic commerce within Florida.
The Proposed Georgia Legislation
In January 1997, the Digital Signature Task Force of the Georgia Electronic Commerce Consortium, a group consisting of businesspeople, educators, government officials and lawyers, transmitted a proposed electronic signature statute to the Georgia legislature. At the time this paper is being written, it is under consideration by the legislature.
The Georgia bill takes a minimalist approach, similar to the Florida statute. It defines an "electronic signature" as an electronic or digital method executed or adopted by a party with the intent to be bound by or to authenticate a record, which is unique to the person using it, is capable of verification, is under the sole control of the person using it, and is linked to data in such a manner that if the data are changed the electronic signature is invalidated. Thus, it specifies the same four criteria as the California statute.
The Georgia bill gives both private entities and public agencies the option of using electronic records executed or adopted with electronic signatures. In those instances where someone accepts or agrees to be bound by an electronic record with an electronic signature, then any law which requires records of that type to be in writing shall be deemed satisfied and any law which requires a signature shall be deemed satisfied.
The Georgia bill also creates an Electronic Commerce Study Committee to study issues relating to electronic records and signatures. In addition, the bill authorizes state agencies to establish pilot projects to serve as models for the application of technology such as electronic signatures.
The text of the proposed Georgia statute may be found at the World Wide Web site of the Georgia Electronic Commerce Consortium, at http://www.cc.emory.edu.BUSINESS/GDS.html.
David A. Rabin is a partner in the Technology Group of the Atlanta law firm Morris, Manning & Martin, LLP. He chairs the Digital Signature Task Force of the Georgia Electronic Commerce Consortium, which has submitted a draft electronic signature statute to the Georgia Legislature.