
The Evolution of Electronic Signatures in the United States and Canada

Canadian Briefings

Electronic signatures have been around for many years. In fact, one would be surprised to know that the validity of an electronic signature was first dealt with in 1867 by US courts which recognized the validity of a signature transmitted via telegraph.

Digitalization imposes, and almost automatically requires, the use of electronic signatures. An overview of the North American legal framework illustrates certain technicalities and misconceptions related to e-signatures.

E-signature vs. digital signature

The terms "electronic signature" and "digital signature" are often used interchangeably. However, they are different concepts and have distinct sets of features and functions.

Essentially, an electronic signature consists of affixing a tag to a document (in an electronic medium, e.g., a PDF) to express consent. More specifically, attaching a code to a message guarantees the integrity of the document and the authentication of the sender. It is important to note that "electronic signature" is a generic term that includes several electronic processes, including a digital signature, which is based on asymmetric cryptography. In other words, an electronic signature is merely a legal concept. It is a lasting representation and captures someone's intent.

On the other hand, a digital signature is simply an encryption technology within the electronic signature. It works with an electronic signature and not as an electronic signature. A digital signature is "a signature that is specifically based on asymmetric cryptography, coupled with a one-way hash function." Thus, a digital signature supports an electronic signature and provides a higher degree of certainty for the recipient.

Legal framework

Many jurisdictions have adopted legislation related to electronic signatures. To that end, the main purpose has been to provide for the authenticity of the person using the signature, the capture of intent and the integrity of a message or document on which the signature is affixed.

The North American legal framework that covers e-signatures has been guided by the UNCITRAL Model Law on Electronic Commerce (MLEC), and the UNCITRAL Model Law on Electronic Signatures (MLES). A technology-neutral approach is taken, "which avoids favouring the use of any specific technology or process. This means in practice that legislation based on this Model Law may recognize both digital signatures based on cryptography (such as public key infrastructure or PKI) and electronic signatures using other technologies."

In other words, an electronically signed document is perfectly admissible in evidence and has the same effect as if it were on paper. This legislative approach is considered as a "minimalist" approach considering that there is no particular type of technology adopted to replace a manuscript signature in the digital environment.

In Canada and the United States, any form of electronic symbol or message can qualify as a signature. The main emphasis is on how intention is communicated.

United States

In 2000, the US Congress adopted the Electronic Signatures in Global and National Commerce Act (E-SIGN). It is a federal statute which preempts state law in case of conflict between the two. Of interest, E-SIGN does not apply to states which have enacted the Uniform Electronic Transactions Act (UETA).

Uniform Electronic Transactions Act (UETA)

Section 5 of the UETA provides that the act "applies only to transactions between parties each of which has agreed to conduct transactions by electronic means." It does not create a new system of legal rules for the electronic marketplace, but rather ensures that electronic transactions are equivalent to and as enforceable as paper-based transactions.

The UETA defines an electronic signature as "an electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record."

Essentially, the UETA ensures that contracts and transactions are enforceable and valid notwithstanding the fact that an electronic process is applied.

E-SIGN

As mentioned above, E-SIGN bestows an equivalent legal status to electronic signatures and electronic documents. Similar to the UETA, due to its technology-neutral approach, the parties are free to decide which electronic process they want to apply to their electronic transaction.

It is important to note that E-SIGN requires consent from customers. Moreover, prior to consenting, the consumer "must be provided with a clear and conspicuous statement" outlining their rights.

E-SIGN specifies that a state statute, regulation or other rule of law may preempt the federal law, but only by adopting the UETA or by passing a law that is consistent with E-SIGN and essentially technologically neutral.

E-SIGN came into effect after the UETA and the reason behind this federal intervention is based on the inconsistency of the states when it came to defining which method could create an authentic electronic signature. In other words, a federal law was necessary because state electronic signature and electronic commerce statutes lacked uniformity.

Canada

Federal

In 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect. It is a federal statute which, like its American counterpart, provides for functional equivalency between electronic and paper documents.

Essentially, PIPEDA provides for "the use of electronic alternatives ... where federal laws contemplate the use of paper to record or communicate information or transactions."

Of interest, PIPEDA provides for the use of electronic signatures, the ability to provide electronic documents when an original document is required and the use of electronic documents to satisfy a requirement under federal law for a document to be in writing.

Compared to E-SIGN, the Canadian federal legislator went a step further and envisioned a situation where a "secure electronic signature" would be required. That is, an electronic signature resulting from the application of a prescribed technology or process. Following this tangent, in 2005, the Secure Electronic Signature Regulations were adopted. They provided that the term "secure electronic signature" refers to a digital signature that results from asymmetric cryptography.

Provincial

The primary focus of the provincial legislations is to provide a single, media-neutral definition of an electronic signature. However, Quebec's legislation is slightly different. In fact, the Act to establish a legal framework for information technology (the "Act") has a more extensive framework.

An electronic signature affixed to a document will benefit from a presumption of integrity. That is, it will not require any proof of authenticity if the "integrity of the document is ensured and the link between the signature and the document was established at the time of signing and has since been maintained."

Moreover, the Act goes into some detail and sets out very strict rules about certificates and biometrics and establishes a harmonization committee to create technical standards for Quebec.

The Act is somewhat similar to the federal Secure Electronic Signature Regulations because it defines standards and regulates the choice (not to the same extent obviously) of technologies.

Cryptography

Cryptographic techniques ensure the integrity and confidentiality of messages exchanged and they also ensure that none of the parties to the transaction can deny their participation in the exchange of information.

The main type of cryptography is public-key cryptography. Essentially, this technology uses two keys which are intrinsically linked to each other and they are necessary to decrypt a given message.

In simple terms, there are three main steps in digital signature technology. First, a message or document is encrypted using a hash function. A hash function is used to determine whether the document has been altered and it assures integrity. It is a one-way encryption. In other words, there is no way to decrypt the hash. It is only possible to validate it. For example, if a password is "cat" and the resulting hash is "Tr121as" it is impossible to decrypt "Tr121as" to "cat" and recover the password. Second, in order to prove that the message was in fact sent by the legitimate sender, the encrypted message is sealed by the sender's private key. Finally, upon reception of the message, the recipient decrypts the message using the sender's public key and evaluates the hash to verify if the underlying message/document was compromised.

Here's the step-by-step:

1. The sender sends a message/document which is converted by a mathematical function called a "hash function." The latter generates an abstract called a "hash" or "digest."

2. A digest is specifically linked to each message/document, like a fingerprint. The digest is then encrypted using the private key of the sender and attached to the message. The product of this process corresponds to the digital signature.

3. The recipient validates the identity of the sender of the message by decrypting the digital signature with the public key of the sender to obtain the digest. Subsequently, the message/document passes through the hash function a second time and if both codes are identical (digest sent versus digest received) then the sender is authenticated and the message/document is intact. If, along the way, the message was changed (by someone malicious), then the digest would have been different, and the validation process of the digest would have failed.
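The three steps above, as an added example that is not part of the original article: textbook RSA over a SHA-256 digest, written with the Python standard library only. The key pair is constructed from two publicly known primes, the function names are illustrative, and the scheme omits the padding (such as RSA-PSS) that deployed signature schemes add.

```python
import hashlib

# Constructed demo key pair: two publicly known Mersenne primes, so the example
# runs offline with the standard library. The factors are public, so this key
# protects nothing; it only makes the arithmetic concrete.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Step 1: hash the document; the digest acts as its fingerprint."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Step 2: apply the sender's private key to the digest."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Step 3: recover the digest with the public key, re-hash, compare."""
    if not 0 < signature < N:        # reject values outside the key's range
        return False
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    original = b"I agree to pay 100 CAD to the vendor."   # constructed sample
    altered = b"I agree to pay 900 CAD to the vendor."    # one character changed
    signature = sign(original)
    return {
        "original_verifies": verify(original, signature),
        "altered_verifies": verify(altered, signature),
        "reused_on_other_doc": verify(b"Unrelated document", signature),
        "modified_signature": verify(original, signature ^ 1),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the unmodified document paired with its own signature verifies; changing a single character, moving the signature to another document, or flipping one bit of the signature all fail the digest comparison in step 3.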

In short, the North American landscape is ripe (and has been for a while) for disruption. Electronic signature solutions are increasingly evolved and equal to ink in the eyes of the law. In fact, many electronic signature solutions go beyond the legislative and statutory requirements. In a world where digitization is the main focus, electronic signatures provide a great opportunity for speed, efficiency and reliability.

About the Author

Amir Tajkarimi is legal counsel at National Bank of Canada and cofounder of legal tech start-up Lexop.com. The opinions expressed in this article are solely those of the author and do not necessarily represent the viewpoint of the National Bank of Canada.

