
D3.2: A study on PKI and biometrics


 

Legal aspects of Electronic Signatures

Electronic Signatures According to EU Directives

Germany was one of the first countries with a law regulating digital signatures. The first “Signaturgesetz” – Law Governing Framework Conditions for Electronic Signatures – Signatures Law (SigG) became effective on 01 November 1997 and was revised by a new law of 16 May 2001 (last amended 4 January 2005). The signatures law and the ordinance “Signaturverordnung” (SigV) regulate the legal framework conditions for the creation of signatures and for certification by trust centres.

Since then, other countries of the EU have developed their own regulations regarding digital/electronic signatures. To avoid different regulations within the Member States the EU approved Directive 1999/93/EC of 13.12.1999 on a Community framework for electronic signatures. This also contained a graded system of different kinds of signature regulations regarding legal effectiveness and ability of proof. The EU Directive is neutral concerning technology and implementation and changes nothing on party autonomy or contractual freedom. The term “electronic signature” should be more open to all kinds of signature technologies than the technologically defined term “digital signature”. The purpose of the Directive is to facilitate the use of electronic signatures and to contribute to their legal recognition. It establishes a legal framework for electronic signatures and certain certification-services in order to ensure the proper functioning of the internal market (cf. Article 1 of the Directive).

The following describes, by way of example, how the Directive was implemented in Germany.

Other Electronic Signatures 

In principle, according to Article 1 par. 1 of the Directive (cf. Section 1 par. 2 SigG), different signature methods are allowed and possible. The use of signature methods like PGP or completely free systems is therefore permitted. Their legal validity remains restricted to areas in which the law does not require a particular form.

Advanced Electronic Signatures 

Prerequisites for the advanced electronic signature are (cf. Article 2 no. 2 of the Directive):  

  • It is uniquely linked to the signatory 

  • It is capable of identifying the signatory 

  • It is created using means that the signatory can maintain under his sole control 

  • It is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable

Qualified Electronic Signatures

A qualified electronic signature means a certificate which meets the requirements laid down in Annex I of the European Directive regarding electronic signatures. It must contain: 

 

  1. An indication that the certificate is issued as a qualified certificate 

  2. The identification of the certification service provider and the State in which it is established

  3. The name of the signatory or a pseudonym which shall be identified as such 

  4. Provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended 

  5. Signature-verification data which correspond to signature-creation data under the control of the signatory 

  6. An indication of the beginning and end of the period of validity of the certificate 

  7. The identity code of the certificate 

  8. The advanced electronic signature of the certification service provider issuing it

  9. Limitations on the scope of use of the certificate, if applicable 

  10. Limits on the value of transactions for which the certificate can be used, if applicable 

 

Additionally it must be provided by a certification service provider who fulfils the requirements laid down in Annex II (cf. Article 2 no. 10 of the Directive). 

For qualified electronic signatures in Germany, according to Section 4 SigG, the obligations of Sections 5 to 14 SigG must be fulfilled. For this it is sufficient that the provider reports the commencement of operation to the German “Regulierungsbehörde für Telekommunikation und Post” (RegTP). A voluntary accreditation is not necessary.

 

The following requirements apply in addition to the prerequisites of the advanced signature:

 

  • signatures are based on a qualified certificate valid at the time of their creation (Section 2 no. 3 a) SigG) and

  • signatures have been produced with a secure signature-creation device (Section 2 no. 3 b) SigG)

 

Qualified electronic signatures of providers from within the EU must be treated as equivalent to German signatures if they correspond to at least the minimum requirements provided in the Directive. For example, the EU Directive does not prescribe a preservation period in the way German law does (cf. Annex II lit. i) of the Directive). The German law prescribes a preservation period of five years in Section 4 SigV.

 

Qualified Electronic Signatures based on voluntary Accreditation (Accredited Electronic Signature) 

Voluntary accreditation is, according to Article 2 no. 13 of the Directive, any permission, setting out rights and obligations specific to the provision of certification services, to be granted upon request by the certification service provider concerned, by the public or private body charged with the elaboration of, and supervision of compliance with, such rights and obligations, where the certification service provider is not entitled to exercise the rights stemming from the permission until it has received the decision by the body.

The accredited electronic signature is regulated in Germany in Section 15 SigG and goes beyond the standard regulations of qualified electronic signatures. The obligations of the Sections 5-14 SigG have to be met. The supplier must in particular prove this by an initial examination / voluntary accreditation. A re-examination is carried out every three years at the latest (cf. Section 11 paragraph 2 SigV).  

 

Legal effects

Not only were the types of signatures regulated in Europe, but the Directive also instructed the Member States to regulate the recognition of electronic signatures in their legal systems for different legal transactions in civil and administrative law. This also involves modifying the rules of evidence so that users and acceptors of electronic signatures are in a strong position in a dispute before a court.

This means that the Member States must ensure that advanced electronic signatures satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data (cf. Article 5 of the Directive). 

The regulation is again illustrated using German law.

Other Electronic Signatures 

For other electronic signatures there are no particular regulations on legal effect. They can be employed wherever the law does not require a particular form. As in the case of verbal contracts and simple e-mails with corresponding contents, a valid contract comes into existence under German law.

Advanced Electronic Signatures 

The advanced electronic signature is subject to the same rules as the ‘other electronic signatures’. It is also only applicable where the law does not stipulate a particular form for the legal transaction. With the increased prerequisites, however, it can be easier to prove.

Qualified Electronic Signatures 

The field of application for the qualified electronic signature was expanded in German law by Sections 126 et seq. BGB (German civil law). In most cases in which writing is demanded by law, the “signature” can also be given as a qualified electronic signature (cf. Section 126 par. 3 BGB). Only for particularly serious transactions is the handwritten signature, or an even stronger form, still required, such as for declarations of surety (Section 766 BGB), purchases of property or the making of a will (Section 2247 BGB).

Qualified Electronic Signatures based on voluntary Accreditation 

For the accredited electronic signature, there is limited application in the business area today. This kind of signature was also stipulated by the corresponding EU Directive. Only in the area of administration are the Member States allowed to dictate stricter prerequisites than for the qualified electronic signature for certain actions. One example is the accredited electronic signature in Germany. A reason for the limited application today seems to be that accredited signatures have to remain testable for 30 years (a problem of electronic archives). According to German law, the supplier of qualified signatures is obliged to store certificates for only five years after the year in which their validity expired.

 

Probative value

Anyone who wants to assert his rights before a court with digitally signed documents must prove the substantiating facts. If he does not succeed, his complaint will be rejected. On the other hand, the one who wants to defend himself against a complaint must have counterevidence or show the insufficiency of his opponent's evidence.

Article 5 of the EU Directive states that Member States shall ensure that advanced electronic signatures are admissible as evidence in legal proceedings (Article 5 no. 1). The Member States shall also ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form, or not based upon a qualified certificate, or not based upon a qualified certificate issued by an accredited certification service provider, or not created by a secure signature-creation device (Article 5 no. 2). 

The possibilities for this are regulated very differently within the legal systems in Europe. German law is used once more as an example.

In principle, German law has different regulations for different kinds of evidence. Electronic documents such as e-mails are, according to Section 371 par. 1 ZPO (German code of civil procedure), seen as “objects of appearance” (Augenscheinsobjekte). The judge is free in his evaluation of the evidence. With the “Gesetz zur Reform der Zivilprozessordnung” (law for the reform of the code of civil procedure), which became effective on 01 January 2002, electronic signatures now have special consequences in civil actions. These aim particularly at facilitating the tendering of evidence.

Other Electronic Signatures and Advanced Electronic Signatures 

For the ‘other electronic signature’, as well as the advanced electronic signature, the basic principle in Germany is free evaluation of evidence by the judge with regard to these objects of appearance. There are no special rules of proof in this respect. Proof can in fact be easier when a digital signature is used. The necessary confidence can be obtained through long experience with the reliability of such methods or through measures taken by the suppliers.

Qualified Electronic Signatures 

For the qualified electronic signature the new Section 292a ZPO was introduced in Germany. It states: “The appearance of genuineness of an explanation available in electronic form (Section 126a of the German civil law) resulting from an examination according to the signature law, can only be unsettled by facts that substantiate serious doubts that the explanation has been given willingly by the key owner.”

This means that when a qualified electronic signature has been verified successfully, the court in principle assumes that the explanation was made by the signature key owner. If the opposing party already denies that a qualified electronic signature exists, the party which relies on its validity has to prove the prerequisites. He has to prove the fulfilment of the prerequisites of a qualified signature according to Section 2 no. 2 a) – d) and no. 3 a) and b) SigG. He is not obliged to do so if the opposing party cannot raise doubt.

Initially, the exclusive assignment of the signature to the signature key owner must be proven according to Section 2 no. 2 a) SigG. Suppliers of qualified signatures have to rely upon their documentation in accordance with Section 10 SigG.

The proof of identifiability of the signature key owner as in Section 2 no. 2 b) SigG can fail because of the restricted obligation to store certificates for qualified signatures (Section 4 par. 1 SigV). The supplier is obliged to keep them for only five years after expiry of the validity. Nor is there a trustworthy root authority as such, since qualified certification suppliers confirm their trustworthiness themselves and to one another.

Furthermore the party giving evidence has to prove that the signature was created with resources that one of the signature key owners can hold under his exclusive control. This can be difficult owing to the short period of storage mentioned above. 

The proof of reliability (as in Section 2 no. 3 b) SigG) can be problematic if the signature method employed has in the meantime been proven to be insecure. To prevent this, a regular re-evaluation of the signatures every six years can be recommended.

Evidence to prove the use of a secure signature-creation unit as in Section 2 no. 3 b) SigG might arise from the documentation of the supplier. This also applies to the proof that the signature is based on a qualified certificate valid at the time of its production (Section 2 no. 3 a) SigG). The party giving evidence must explain the technical and administrative security of the supplier for this purpose.

If the party giving evidence succeeds in proving these six points, the ‘proof of appearance’ that the explanation was given with the will of the key owner is valid in his favour. This is however only a ‘proof of appearance’. The opposing party can still destroy this appearance by presenting facts which raise a serious doubt that the signature key owner has given the intended statement.

For example, the signatory could argue that not he but someone else (e.g., a thief) performed the signing process without authorisation. Signatories have to observe the obligations to take precautions according to Section 6 no. 1 and 2 SigV.

Furthermore he could claim that it is not the actual data he signed being shown to him. He also has to prove this. 

Qualified Electronic Signatures based on voluntary Accreditation 

Further alleviation of the burden of proof exists in the context of the use of accredited signatures if it is necessary to prove the appearance of the genuineness of a prepared explanation. 

It is expected, according to Section 15 par. 1 sentence 4 SigG, that suppliers of accredited signatures use only signature keys which cannot be duplicated and which cannot be calculated from the signature or the signature examining key (“security that has been comprehensively tested technically and administratively”).

The identification of the signature key owner is possible for a longer time for users of accredited signatures because they are testable for 30 years after expiry (Section 4 par. 2 SigV). This also applies to the proof that the signature was created with both software and hardware, which the signature key owners can hold under their exclusive control. Furthermore a trustworthy root authority exists in Germany with the RegTP (“Regulierungsbehörde für Telekommunikation und Post”) and the publication of the public key of the supplier in the German “Bundesanzeiger”. 

Proof of the technical and administrative security of the supplier and of the production of valid qualified certificates can be dispensed with, since this was already established with certainty in the accreditation process.

 

 

 

 

fidis-wp3-del3.2.study_on_PKI_and_biometrics_03.sxw
Denis Royer