Electronic and Digital Signatures
There is a lot of confusing and conflicting terminology surrounding the concept of electronic and digital signatures. The following is an attempt to clarify some issues. However, remember that while the use of electronic signatures may initially seem to be a technical issue, it is also a legal issue, involving concerns such as but not limited to: for what purpose is the electronic signature being used; is there an agreement between the parties as to the use and form of the electronic signature; is there guidance or approval needed from relevant oversight authorities such as granting agencies for Federal funds; and ultimately what is acceptable in a court of law as evidence that the parties intended to sign a document.
A written signature that has been read by a computer device, which has converted the signature into digital data. Examples include:
These devices can be quite simple, such as a scan of the signature, or very sophisticated, such as a device that measures pressure throughout the signature and the number of strokes used during the signature.
For several years the Federal Government has tried to support electronic commerce, but the requirement for a signature has been a problem. As a result, the National Conference of Commissioners on Uniform State Laws drafted a recommended law in 1999, the State of Indiana passed a Uniform Electronic Transactions Act, IC 26-2-8, in early 2000, and the Federal Government passed the Federal Electronic Records and Signature in Commerce Act (e-Sign Law) on electronic transactions, effective in late 2000. Normally, a Federal Law would override a state law, but this Federal Law specifically states that if the state law is not in conflict with the Federal Law, the state law takes precedence.
An electronic signature means an electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record. This record or signature may not be denied legal effect or enforceability solely because it is in electronic form. Examples of potential electronic signatures include but are not limited to:
The definition was intentionally broad so it would not favor any existing technology or prevent the use of new technologies that will be available in the future. It was assumed technology would progress more rapidly than specific laws could be enacted.
A governmental unit shall determine whether, and the extent to which, it will send and accept electronic records and electronic signatures to and from other persons and otherwise create, generate, communicate, store, process, use, and rely upon electronic records and electronic signatures.
If a party agrees to conduct a transaction electronically, the party is not prohibited from refusing to conduct other transactions electronically.
The State Board of Accounts does not have a position on whether or not the governmental units should participate in this technology. The governmental unit may choose to participate in electronic signatures to assist in performing their responsibilities or to assist others in increasing their efficiency.
The State Board of Accounts audit scope is based on Indiana Code 26-2-8-202, which states that governmental units are required to “control the processes and procedures as appropriate to ensure adequate preservation, disposition, integrity, security, confidentiality, and auditability of electronic records”. Concerns about the use of Electronic Signatures include but are not necessarily limited to:
Indiana Code 5-24-1 Electronic Digital Signature Act defines a Digital Signature. It’s only applicable to State Agencies. Indiana Administrative Code, Title 20 State Board of Accounts, Article 3 Digital Signature (20 IAC 3) further defines the requirements for Digital Signatures that are used by State agencies. Other governmental entities are not bound by these provisions.
A Digital Signature means an electronic signature that transforms a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can determine whether the transformation was created using the signer’s private key, and whether the initial message has been altered since the transformation. The process is as follows:
As a result, the receiving person knows who sent the message and that no changes have occurred to the message. Any “legal” meaning attached to this process, such as agreement to contract terms, should be defined by the agreement between the parties on how to use the electronic or digital signatures in conducting business.
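The definition above, worked through as an added example (not part of the original guidance or of 20 IAC 3): textbook RSA over a SHA-256 digest, using only Python's standard library. The key pairs, function names and sample message are constructed for illustration; the demo keys are built from publicly known primes and the scheme omits the padding that production signature schemes use.

```python
import hashlib

# Constructed demo keys: products of well-known Mersenne primes, chosen only so
# the example runs offline. They are trivially factorable; never use them.
E = 65537  # public exponent

def make_keypair(p, q):
    """Return (public, private) for textbook RSA as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # d is the inverse of e modulo phi

def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer; this is the value transformed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """Transform the message digest with the signer's private key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Undo the transformation with the public key and compare digests.

    True only if the signature came from the matching private key AND the
    message is byte-for-byte what was signed.
    """
    n, e = public
    return pow(signature, e, n) == digest(message)

def demo():
    signer_pub, signer_priv = make_keypair(2**127 - 1, 2**521 - 1)
    other_pub, _ = make_keypair(2**107 - 1, 2**607 - 1)  # a different party
    msg = b"Purchase order 1001: pay $500.00"            # constructed sample
    sig = sign(msg, signer_priv)
    return {
        "original": verify(msg, sig, signer_pub),
        "altered": verify(b"Purchase order 1001: pay $900.00", sig, signer_pub),
        "wrong_key": verify(msg, sig, other_pub),
    }

if __name__ == "__main__":
    print(demo())
```

The check ties the signature to a key, not to a person; binding the public key to an identity is the job of the certificate discussed next.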
In order for State agencies to use a Digital Signature, the Certificate Authority that issues the certificate must comply with the additional provisions of 20 IAC 3, including:
Currently there are no Certificate Authorities that comply with 20 IAC 3.
In addition to the Electronic Signature concerns discussed above, the use of Digital Signatures presents additional concerns such as:
Electronic signatures are a key element in the implementation of electronic transactions and their use will expand in the future as government units attempt to provide better and more cost-effective services to citizens and business organizations. Currently, definitions of electronic signatures are broad and there is limited guidance on the controls necessary to assure their legal validity.