DIGITAL SIGNATURE LEGISLATION

By: David A. Rabin
Morris, Manning & Martin, L.L.P.
1600 Atlanta Financial Center
3343 Peachtree Road, N.E.
Atlanta, Georgia 30326
(404) 233-7000
dar@momama.mhs.compuserve.com

THE PROBLEMS

* How to give documents which exist only in electronic form the same legal status as paper documents.
* How to provide a secure, reliable and legally-sanctioned method for "signing" electronic documents, in order to make it unnecessary to generate and sign paper documents and thereby encourage and facilitate electronic commerce.

THE SOLUTION

* Legislation which accords electronic documents the same legal status as paper-based documents.
* Legislation which sanctions the use of reliable methods of electronic "signatures."

PRESENT LEGISLATION

* Utah was the first jurisdiction in the United States to enact a statute which puts the force of law behind an electronic signature method, namely, digital signatures based upon an asymmetric cryptosystem utilizing private and public key pairs. The legislation, known as the Utah Digital Signature Act, was signed by the governor of Utah on March 9, 1995 and was amended during the 1996 Utah legislative session.
* California passed a digital signature statute in October, 1995.
* Washington passed a digital signature statute in March, 1996.
* Other states, including Georgia and Florida, presently are considering digital signature legislation.
* The Information Security Committee of the Section of Science and Technology of the American Bar Association has drafted Digital Signature Guidelines which it describes as "general, abstract statements of principle, intended to serve as long-term, unifying foundations for digital signature law across varying legal settings." The ABA Guidelines are similar to and generally consistent with the Utah statute.

DIFFERENT LEGISLATIVE APPROACHES

* Utah and California took different approaches to digital signature legislation. The Washington statute is similar to the one enacted by Utah.
* The Utah statute is detailed and comprehensive, and will be supplemented with regulations.
* The California statute is quite short. It sanctions the use of digital signatures in communications with public entities, and then directs the California Secretary of State to promulgate regulations.
* It is likely that most states will follow one of the foregoing approaches, i.e., a comprehensive statute along the lines of Utah's or a short statute which sets forth certain basic principles and then empowers a government agency to create comprehensive regulations.

THE CALIFORNIA STATUTE

* The California statute permits any party to a written communication with a "public entity" (government agencies and political subdivisions) to affix a signature by use of a digital signature which complies with certain requirements, set forth below. The statute provides that the use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it includes all of the following characteristics:
  * It is unique to the person using it.
  * It is capable of verification.
  * It is under the sole control of the person using it.
  * It is linked to data in such a manner that if the data are changed, the digital signature is invalidated.
  * It conforms to regulations to be adopted by the Secretary of State.
* The Secretary of State is to adopt initial regulations no later than January 1, 1997.
* The statute provides that the use or acceptance of a digital signature is at the option of the parties. The statute does not require a public entity to use or permit the use of a digital signature. It does not apply to communications between private parties.
* The statute defines "digital signature" to mean "an electronic identifier, created by computer, intended by the party using it to have the same force and effect as the use of a manual signature."
The statute does not explicitly adopt public key cryptography; instead, it defines criteria which the "signature" must meet and leaves it to the Secretary of State to decide on suitable technology which fulfills those criteria. Thus, California may adopt other electronic signature methods.

THE UTAH STATUTE

Overview of the Utah Statute

* Part One. Definitions.
* Part Two. Licensing and Regulation of Certification Authorities.
* Part Three. Duties of Certification Authorities and Subscribers.
* Part Four. Effect of a Digital Signature.
* Part Five. Repositories.

Definitions of Significant Terms

* "Asymmetric Cryptosystem" An algorithm or series of algorithms which provide a secure key pair.
* "Certificate" A computer-based record which:
  * Identifies the certification authority issuing it.
  * Names or identifies its subscriber.
  * Contains the subscriber's public key.
  * Is digitally signed by the certification authority issuing it.
* "Certification Authority" A person who issues a certificate.
* "Digital Signature" A transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine whether the transformation was created using the private key that corresponds to the signer's public key and whether the message has been altered since the transformation was made.
* "Key Pair" A private key and its corresponding public key in an asymmetric cryptosystem, keys which have the property that the public key can verify a digital signature that the private key creates.
* "Licensed Certification Authority" A certification authority to whom a license has been issued by the appropriate state agency and whose license is in effect.
* "Private Key" The key of a key pair used to create a digital signature.
* "Public Key" The key of a key pair used to verify a digital signature.
* "Qualified Right to Payment" An award of damages against a licensed certification authority by a court in a civil lawsuit for violation of the statute.
* "Recommended Reliance Limit" The limitation on the monetary amount recommended for reliance on a certificate.
* "Repository" A system for storing and retrieving certificates and other information relevant to digital signatures.
* "Signer" A person who creates a digital signature for a message.
* "Subscriber" A person who is the subject listed in a certificate, accepts the certificate and holds a private key which corresponds to a public key listed in that certificate.
* "Suitable Guaranty" Either a surety bond executed by a state-approved surety or an irrevocable letter of credit issued by a state-approved financial institution, which satisfies certain requirements. A suitable guaranty may provide that the total annual liability on the guaranty to all persons making claims based on it may not exceed the face amount of the guaranty.
* "Trustworthy System" Computer hardware and software which:
  * Are reasonably secure from intrusion and misuse.
  * Provide a reasonable level of availability, reliability and correct operation.
  * Are reasonably suited to performing their intended functions.
* "Verify a Digital Signature" To determine accurately, in relation to a given digital signature, message and public key, that the digital signature was created by the private key corresponding to the public key and that the message has not been altered since its digital signature was created.

Licensing and Regulation of Certification Authorities

* Implementing Agency. In Utah, the Department of Commerce, Division of Corporations and Commercial Code (the "Division") is the agency designated to implement the statute. The Division is a certification authority and may issue, suspend and revoke certificates as do licensed certification authorities. In effect, the Division is the certification authority at the top of the chain.
The Division is given the power to govern licensed certification authorities, to determine appropriate amounts for "suitable guaranties," to specify various requirements and otherwise to give effect to and implement the statute.
* The statute sets forth various criteria which an entity must meet in order to become a licensed certification authority, including the following:
  * It must employ as "operative personnel" only persons who have not been convicted within the past fifteen years of a felony or a crime involving fraud, false statement or deception.
  * It must employ as "operative personnel" only persons who have demonstrated knowledge and proficiency in following the requirements of the statute.
  * It must file a suitable guaranty with the Division.
  * It must have the right to a "trustworthy system," including a secure means for controlling usage of its own private key.
  * It must meet working capital requirements set by the Division, maintain an office in the state or have a registered agent for service of process in the state and comply with all other licensing requirements established by regulations of the Division.
* Effect of lack of licensing. Unless the parties agree otherwise, the licensing requirements in the statute do not affect the effectiveness, enforceability or validity of a digital signature, except:
  * Part Four of the statute (discussed below) does not apply to a digital signature which cannot be verified by a certificate issued by a licensed certification authority.
  * The liability limits discussed below do not apply to unlicensed certification authorities.

Duties of Certification Authorities and Subscribers

* Issuance of a Certificate. A licensed certification authority may issue a certificate to a subscriber only if it has received a request for issuance signed by the prospective subscriber, and if the certification authority has confirmed that:
  * The prospective subscriber is the person to be listed in the certificate.
  * If the prospective subscriber is acting through one or more agents, the subscriber duly authorized the agent to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key.
  * The information in the certificate to be issued is accurate.
  * The prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate.
  * The prospective subscriber holds a private key capable of creating a digital signature.
  * The public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
* The authority must publish a "signed" copy of the certificate in a recognized repository unless the subscriber and certification authority agree otherwise.
* By issuing a certificate, a licensed certification authority certifies to all who "reasonably rely" on the information contained in the certificate that:
  * The information in the certificate is accurate.
  * All information foreseeably material to the reliability of the certificate is stated or incorporated by reference within the certificate.
  * The subscriber has accepted the certificate.
  * The licensed certification authority has complied with all applicable state laws governing issuance of the certificate.
* By accepting a certificate issued by a licensed certification authority, the subscriber certifies to all who reasonably rely on the information contained in the certificate that:
  * The subscriber rightfully holds the private key corresponding to the public key listed in the certificate.
  * All representations made by the subscriber to the certification authority and material to information listed in the certificate are true.
  * All material representations made by the subscriber to the certification authority or made in the certificate and not confirmed by the certification authority in issuing the certificate are true.
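The definitions above (key pair, digital signature, verifying a digital signature, certificate) and the issuance checks just listed describe a concrete mechanism, so here is an added worked example in Python. It is not code from the article or from any statute; it builds a deliberately small textbook RSA key pair in the standard library (512-bit modulus, no signature padding) so it runs anywhere without dependencies, and it is not a substitute for a vetted library or a real PKI. The names "Utah Division of Corporations", "Alice" and "Mallory", the JSON layout of the certificate and request records, and the sample message are all assumptions made for illustration. Beyond the single case the text describes, the example also exercises the failure modes the definitions imply: an altered message, a certificate that does not chain to the top-of-chain authority, and a certificate request that does not prove possession of the private key for the public key to be listed.

```python
import hashlib
import json
import secrets

E = 65537  # RSA public exponent; 512-bit toy modulus so the example runs fast
ROOT_NAME = "Utah Division of Corporations"  # assumed name for the top-of-chain CA

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    # Miller-Rabin; callers pass only large odd candidates
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 == 2**r * d with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bits set
        if _is_probable_prime(c):
            return c

def generate_key_pair(bits: int = 512):
    """Return ((n, e), (n, d)): the public key verifies what the private key signs."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:
            return (p * q, E), (p * q, pow(E, -1, phi))

def _digest(message: bytes) -> int:
    # 256-bit digest < 512-bit modulus; real RSA signatures also apply PSS or PKCS#1 padding
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_key, message: bytes) -> int:
    """The statute's 'transformation of a message' using the private key."""
    n, d = private_key
    return pow(_digest(message), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    """True only for this exact message and the matching private key."""
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest(message)

def _canonical(record: dict) -> bytes:
    body = {k: v for k, v in record.items() if k != "signature"}  # everything but the signature
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_request(subscriber: str, key_pair) -> dict:
    """Certificate request signed by the prospective subscriber's private key."""
    public_key, private_key = key_pair
    req = {"subscriber": subscriber, "public_key": list(public_key)}
    req["signature"] = sign(private_key, _canonical(req))
    return req

def issue_certificate(issuer_private_key, request: dict, issuer: str = ROOT_NAME) -> dict:
    """Issue only if the request proves possession of the private key for the listed public key."""
    public_key = tuple(request["public_key"])
    if not verify(public_key, _canonical(request), request["signature"]):
        raise ValueError("request not signed by the private key for this public key")
    cert = {"issuer": issuer, "subscriber": request["subscriber"], "public_key": list(public_key)}
    cert["signature"] = sign(issuer_private_key, _canonical(cert))  # the CA signs the record
    return cert

def verify_by_certificate(message: bytes, signature: int, cert: dict, root_public_key) -> bool:
    """Use the certificate's key only after the certificate itself verifies against the trusted root."""
    if not verify(root_public_key, _canonical(cert), cert["signature"]):
        return False
    return verify(tuple(cert["public_key"]), message, signature)

def demo() -> dict:
    """Constructed scenario: the Division is root CA, Alice a subscriber, Mallory an impostor."""
    root_pub, root_priv = generate_key_pair()
    alice, mallory = generate_key_pair(), generate_key_pair()
    cert = issue_certificate(root_priv, make_request("Alice", alice))
    message = b"I agree to pay $1,000 on delivery."
    sig = sign(alice[1], message)
    # Mallory self-issues a certificate naming Alice and claiming the root as issuer,
    # then asks the root to certify Alice's public key with a request she signed herself.
    fake_cert = issue_certificate(mallory[1], make_request("Alice", mallory))
    try:
        issue_certificate(root_priv, make_request("Alice", (alice[0], mallory[1])))
        refused = False
    except ValueError:  # proof of possession failed
        refused = True
    return {
        "valid": verify_by_certificate(message, sig, cert, root_pub),
        "altered_message": verify_by_certificate(message + b" plus interest", sig, cert, root_pub),
        "self_issued_certificate": verify_by_certificate(message, sign(mallory[1], message), fake_cert, root_pub),
        "possession_check_refused": refused,
    }
```

Calling demo() returns True only for "valid" and "possession_check_refused"; the altered message and the self-issued certificate both fail. Two design points carry over to real systems: the relying party checks the certificate's signature against the trusted root before trusting the public key it lists (a certificate naming the right issuer is worthless unless the issuer actually signed it), and the authority verifies the signed request before issuing, which is the operational form of confirming that the public key "can be used to verify a digital signature affixed by the private key held by the prospective subscriber." Expiry, suspension, revocation and repositories, which the statute also provides for, are deliberately left out of this toy.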
* By accepting a certificate, the subscriber agrees to indemnify the issuing certification authority for any loss or damage caused by issuance or publication of a certificate in reliance on a false and material representation of fact by the subscriber or the subscriber's failure to disclose a material fact, if the representation or failure to disclose was made either with the intent to deceive the certification authority or a person relying on the certificate, or with negligence.
* By accepting a certificate issued by a licensed certification authority, the subscriber assumes a duty to exercise reasonable care to retain control of the private key and to prevent its disclosure to anyone not authorized to create the subscriber's digital signature. The private key is the personal property of the subscriber who rightfully holds it.
* The statute provides for the temporary suspension or permanent revocation of certificates.
* A certificate must state its expiration date. When a certificate expires, the subscriber and certification authority no longer are making the certifications provided by the statute and the certification authority no longer has any duties based upon issuance of that expired certificate.
* By specifying a recommended reliance limit in a certificate, the certification authority and subscriber are recommending that people rely on the certificate only to the extent that the total amount at risk does not exceed the recommended reliance limit.
* Unless a licensed certification authority agrees otherwise, it is not liable for any loss caused by reliance on a false or forged digital signature of a subscriber if, with respect to the false or forged digital signature, the authority complied with all material requirements of the statute.
* A licensed certification authority is not liable for more than the recommended reliance limit specified in the certificate for either:
  * a loss caused by reliance on a misrepresentation in the certificate of any fact that the authority is required to confirm, or
  * failure to comply with the statutory requirements for issuing a certificate.
* Unless it agrees otherwise, a licensed certification authority is liable only for direct, compensatory damages, which do not include punitive damages, damages for lost profits, savings or opportunity, or damages for pain or suffering.
* The statute sets forth procedures for collecting on a certification authority's surety bond or letter of credit.

Effect of a Digital Signature

* Where a law requires a signature or provides for certain consequences in the absence of a signature, that law is satisfied by a digital signature if:
  * The digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification authority;
  * The digital signature was affixed by the signer with the intention of signing the message; and
  * The recipient has no knowledge or notice that the signer (1) breached a duty as a subscriber (such as by improperly disclosing the private key) or (2) does not rightfully hold the private key (e.g. if the person signing the message stole the private key).
* The recipient of a digital signature assumes the risk that the digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances. If the recipient decides not to rely on a digital signature, the recipient shall promptly notify the signer of that decision.
* A message is as valid, enforceable and effective as if it had been written on paper if:
  * It bears a digital signature; and
  * The digital signature is verified by the public key listed in a certificate which was issued by a licensed certification authority and was valid at the time the digital signature was created.
* In resolving disputes involving digital signatures, courts are to make the following presumptions:
  * A certificate digitally signed by a licensed certification authority is issued by that certification authority and is accepted by the subscriber listed in it.
  * The information listed in a valid certificate and confirmed by a licensed certification authority issuing that certificate is accurate.
  * If a digital signature is verified by the public key listed in a valid certificate issued by a licensed certification authority, then that digital signature is the digital signature of the subscriber listed in the certificate, the digital signature was affixed by the signer with the intention of signing the message and the recipient of the digital signature has no knowledge or notice that the signer breached a duty as a subscriber or does not rightfully hold the private key used to affix the digital signature.

Repositories

* The statute provides that the Division may "recognize" one or more repositories and sets forth criteria for such recognition.
* The statute sets forth the circumstances under which a repository will and will not be liable to others.

PROPOSED LEGISLATION

The Proposed Florida Legislation

* A bill known as the "Electronic Signature Act of 1996" is being considered by the Florida Legislature as of this writing (April, 1996) and is expected to be passed by the legislature in May, 1996.
* The Florida bill is a California-type statute in the sense that it is relatively short, sets forth certain fundamental legal principles and grants certain powers and responsibilities to the Secretary of State. Unlike the California statute, however, it would apply to transactions between private parties.
* The statute defines the word "writing" to include information which is created or stored in any electronic medium and is retrievable in perceivable form.
* The statute provides that an "electronic signature" may be used to sign a writing and shall have the same force and effect as a written signature. "Electronic signature" is defined to mean any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with an intent to authenticate a writing. A "digital signature," i.e. a signature using private key/public key cryptography, is defined as one type of electronic signature. Thus, under the Florida statute, both digital signatures and other types of electronic signatures are legally-sanctioned methods for "signing" electronic documents.
* The Secretary of State is given the authority to issue certificates required to verify digital signatures and to take other actions necessary to achieve the purposes of the statute.
* The statute directs the Secretary of State to address certain issues to assist the legislature in determining whether it is in the public interest for the Secretary of State to set up a public key infrastructure, i.e., certification authorities and repositories.
* The Secretary's report is also to address any other issues related to digital signatures which the legislature should consider and shall recommend whether additional legislation on digital signatures is necessary to further electronic commerce in Florida.
* In sum, the Florida statute sanctions the use of digital and other electronic signatures, gives electronic documents the same legal status as tangible documents and directs the Secretary of State to study whether more comprehensive legislation or a more comprehensive infrastructure should be created.

The Proposed Georgia Legislation

* In February, 1996, the Georgia Electronic Commerce Consortium, a group consisting of businesspeople, educators, government officials and lawyers, transmitted a proposed digital signature statute to the Georgia Legislature.
The statute was introduced in the Georgia Senate shortly before the end of the 1996 session. As of this writing, it is being reviewed by legislative study committees and by other governmental officials.
* The proposed Georgia statute is almost identical to the Utah statute. The text of the proposed Georgia statute may be found at the World Wide Web site of the Georgia Electronic Commerce Consortium, at http://www.cc.emory.edu.BUSINESS/GDS.html.

David A. Rabin is a partner in the Technology Group of the Atlanta law firm, Morris, Manning & Martin, L.L.P. He chairs the Digital Signature Task Force of the Georgia Electronic Commerce Consortium, which has submitted a draft digital signature statute to the Georgia Legislature.