New Zealand Law Commission
[Database Search] [Name Search] [Previous] [Next] [Download] [Help]
309 ASIGNATURE IS A METHOD OF ESTABLISHING the validity and authenticity of a document. This is done by connecting the content of a document with an individual person (who has signed the document) so that a reader of the document can act on the basis that the document is a valid statement of that person’s intent. In law, signatures are also required by statute in order to give effect to legal documents or transactions:
The Companies Act 1993 alone contains over 20 different requirements that company directors sign certificates in various different circumstances (eg, ss 47, 49, 52, 60–61, 69–70).
310 The use of signatures as a physical manifestation of consent or as a requirement of law presents an immediate difficulty for those who would prefer to transact business electronically. How can technology provide a substitute for a signature which will give a similar degree of security both to the person who signs a document, and to the person who acts in reliance on the signed document? And will the law recognise such a substitute when a statute demands that the document evidencing a transaction be signed?
311 This chapter examines the various uses of manual signatures and the legal definitions of what constitutes a signature. We then discuss electronic signatures, and the various approaches to statutory reform which have been adopted or recommended in order to facilitate their use in overseas jurisdictions. Finally, we make recommendations for reform in New Zealand.
312 The Guide to Enactment of the United Nations Commission on International Trade (UNCITRAL) Model Law on Electronic Commerce (para 53) identifies seven different functions which a signature might perform in a paper-based environment:
313 To these functions we would add an eighth: to meet a statutory requirement that a particular class of document must be signed in order to be legally valid.
314 The underlying purpose of a signature is to provide evidence of:
315 A signature, by making it easier to prove that someone has manifested an intention to say or do something, simply promotes efficient transactions between people by making it difficult for persons who appear to have signed a document to deny that they intended to be bound by what was said in it.
316 There is no general statutory definition of “signature” in New Zealand. Some statutes give indications of what constitutes a signature for the purposes of that particular statute (Bills of Exchange Act 1908 s 92; Warsaw Convention article 6(4) in the Carriage by Air Act 1967 sched 1). For the most part, however, the question of what constitutes a signature is a matter of common law.
317 The courts will not always require a “signature” to have been made personally by the person intending to be bound thereby. In Goodman v J Eban  1 QB 550, a majority of the English Court of Appeal held that a solicitor’s bill of costs had been adequately signed when a facsimile signature was applied through a rubber stamp bearing the name of the firm rather than that of the solicitor (557, 564). However, Romer LJ noted that “neither of the questions which was argued before us admits of a very confident answer” (563). And Denning LJ came to a different conclusion stating:
In modern English usage when a document is required to be “signed by” someone, that means that he must write his name with his own hand upon it. It is said that he can in law “sign” the document by using a rubber stamp with a facsimile signature. I do not think that this is correct, at any rate, not in the case of a solicitor’s bill. Suppose that he were to type his name; or suppose that he were to use a rubber stamp with his name printed on it in block letters? No one would then suggest that he had signed the document. (561)
318 Denning LJ referred to cases going back to 1620 in holding that someone cannot “sign” a document by putting a seal upon it (561–562), citing in particular Grayson v Atkinson (1752) 2 Ves Sen 454, 459.
319 Further, in Electronic Rentals Pty Ltd v Anderson (1971) 124 CLR 27 (HCA) Windeyer J, sitting in the High Court of Australia, referred to a requirement that a summons be issued under the hand and seal of a Justice of the Peace:
To be under his hand, means, I take it, that it must bear his signature. At common law one person may authorise another to sign a document for him: see London County Council v Agricultural Food Products Limited ( 2QB 218). But when a document is required by statute to be under a man’s hand or signed by him what is ordinarily meant is that he must personally sign it, with his name or his mark, by a pen or by a stamp. (42)
320 Although the common law has permitted “signature” by a variety of marks or symbols, whether written, printed or stamped on to paper documents, there appears to be no authority which countenances a signature by purely electronic means. Thus, in the absence of a statutory definition of “sign” or “signature” which includes an electronic equivalent, there is uncertainty whether it is possible to meet a statutory requirement of “signature” unless a physical document is created, and a physical mark is made on that document.
321 Electronic signatures have been variously defined. The following definition was adopted by the Australian Electronic Commerce Expert Group (ECEG) in its 1998 report, Electronic Commerce: Building the Legal Framework:
Electronic signatures can be defined as any symbol or method executed or adopted by a party with the present intention to be bound by or to authenticate a record, accomplished by electronic means. Authentication is generally defined to mean establishing the validity of the identity of a particular entity. Electronic signatures could include a sophisticated biometric device, such as a fingerprint computer recognition system or even the simple entry of a typed name at the end of an email message. This definition focuses upon the legal purposes of the signature, not upon the particular technology used to accomplish the signature. (para 3.1.3)
322 One type of technology which has received much attention is that of digital signatures. Digital signatures operate by using asymmetric cryptography in the form of a public key and a private key, known as a key pair. Essentially, messages are encrypted using a private key which is unique to the sender of the message. The message is unintelligible in its encrypted form, and cannot be altered after encryption. The message is then sent to the recipient who decrypts it using the matching public key. Unlike the private key, the public key component of a key pair is publicly available. A public key may also be used to encrypt a message, which would be decrypted by the corresponding private key. But although such a message would be unintelligible to anyone else it would lack any guarantee as to the identity of the sender because the public key is not unique. The private key encryption programme cannot be replicated or broken from the public key. In other words, messages encrypted by private key A can only be decrypted by public key A, and public key A cannot be used to decrypt any other message.
323 Digital signature technology relies on a particular infrastructure to provide the following functions:
The infrastructure is often referred to as a public key infrastructure (PKI) or a public key authentication framework (PKAF) (see generally Standards Australia 1996).
324 Several jurisdictions have passed legislation for the purpose of implementing a digital signature infrastructure. Examples are the Digital Signature Act 1995 (Utah); the Digital Signature Act 1997 (Malaysia); and the Digital Signature Act 1997 (Federal Republic of Germany). We examine the Utah and German statutes below.
325 The Digital Signature Act 1995 (Utah) defines a digital signature as
a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine whether:
(a) the transformation was created using the private key that corresponds to the signer’s public key; and
(b) the message has been altered since the transformation was made.108
The Utah Act is therefore technologically specific in that only digital signature technology using public key cryptography receives legal recognition. Alternative electronic signature technology is not covered by the Utah Act.
326 Under s 46-3-104(1) of the Utah Act, the Utah Department of Commerce Division of Corporations and Commercial Code (the division) is a certification authority responsible for issuing, suspending and revoking private keys. The division may also license other certification authorities providing they meet security criteria under s 46-3-201. The obligations of certification authorities are also set out in the Act, including extensive auditing and reporting requirements.
327 Section 46-3-401 provides that duly authorised digital signatures may be used to meet statutory requirements of signed writing. Section 46-3-403 provides that messages which bear digital signatures are as valid, enforceable and effective as if they were written on paper.
328 A notable aspect of the Act is that it allocates risks for those who issue, use or rely on digital signatures in respect of transactions governed by the law of Utah. For example, s 46-3-402 provides:
Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances. If the recipient determines not to rely on a digital signature pursuant to this section, the recipient shall promptly notify the signer of its determination not to rely on the digital signature.
Similarly, ss 46-3-309–46-3-310 limit the liability of certification authorities who issue private keys. Further, s 46-3-306(6) imposes criminal penalties on anyone who misrepresents his or her identity or authorisation to a certification authority in requesting the suspension of a private key.
329 Section 1(1) of the German statute provides that the purpose of the Act is
to establish general conditions under which digital signatures are deemed secure and forgeries of signatures or manipulation of signed data can be reliably ascertained.
Like the Utah Act, it is technologically specific, defining a digital signature as
a seal affixed to digital data which is generated by a private signature key and establishes the owner of the signature key and the integrity of the data with the help of an associated public key provided with a signature key certificate of a certification authority . . . (s 2(1))109
330 The German Act and its subordinate legislation, the Digital Signature Ordinance, provides a code for the establishment and regulation of certification authorities. Under s 3 of the Act, certification authorities must be licensed by the state. However, s 15 provides for recognition of digital signatures issued in another member state of the European Union or contracting state to the Treaty on the European Economic Area, provided the signature is subject to comparable levels of security.
331 Neither the Act nor the Ordinance determines the general legal validity of digital signatures. No general right has been created in Germany to comply with requirements of signed writing by use of a duly issued digital signature.110 Unlike the Utah statute the German Act does not allocate risk for the use of digital signatures.
332 The German statute imposes an ongoing obligation on the state to monitor developments in digital signature technology. In particular, s 17 of the Ordinance requires an “over view of the algorithms and pertinent perimeters considered suitable for generation of signature keys” to be Gazetted each year
333 Both the Utah and German statutes share certain characteristics:
334 The advantages of the legislation used in Utah and Germany are that the users (both sender and recipient) enjoy certainty as to the integrity of a signature: they know that they can accept and rely upon it without question. But this certainty is achieved by legislating for one form of electronic technology which may quickly prove to be inadequate or outdated. Further, it requires certification authorities for those who licence them to keep abreast of the continuing security of encryption technology and to withdraw certificates if necessary. This may introduce costs which could be avoided if the legislation was technologically neutral (Electronic Commerce: Building the Legal Framework paras 3.3.1–3.3.9).
335 Our own preference in terms of our guiding principle 3 is for technological neutrality. This principle suggests not only neutrality as between paper and electronic-based means of trading and communicating but also neutrality as between different forms of electronic trading and communication. Accordingly, we do not recommend adoption of statutes based on either the Utah or German model but proceed to consider alternative approaches to reform.
336 The UNCITRAL Model Law on Electronic Commerce adopts a different approach to electronic signatures. Rather than attempt to set out a comprehensive code encompassing all aspects of electronic signature infrastructure, use and technology, article 7 provides:
Article 7. Signature
(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if:
(a) a method is used to identify that person and to indicate that person’s approval of the information contained in the data message; and
(b) that method is as reliable as was appropriate for the purpose
for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.
(2) Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the absence of a signature.
337 Article 7 provides that an electronic signature may be legally effective as a manual signature, but does not define an electronic signature.111 The Model Law is silent on the form an electronic signature may take. It does not necessarily require the implementation of an infrastructure for issuing signatures. Rather, it would make the issue of whether a particular electronic signature met a legal requirement of signed writing a question of fact, dependent upon evidence of the method used to indicate the identity and approval of the signer.
338 The January 1998 UNCITRAL Report of the Working Group on Electronic Commerce notes that UNCITRAL is currently in the process of developing more specific rules on electronic signatures, the draft Uniform Rules on Electronic Signatures. When finalised, these are intended to be at least consistent with the Model Law on Electronic Commerce (para 25) and may ultimately be combined with the Model Law to form a draft international convention (para 212).112 The draft uniform rules adopt the same technologically neutral approach to electronic signatures as the Model Law, with article 1 of the draft providing that electronic signatures may be in the form of digital signatures, any other form that is capable of verification and identifying the person concerned, or as agreed by the parties to a transaction (para 27). The Commission will continue to monitor the UNCITRAL work on electronic signatures.
339 The minimalist approach of the Model Law has been adopted by the draft Massachusetts Electronic Records and Signatures Bill 1997. Clause 3 of the Massachusetts Bill as at 4 November 1997 provides:
(a) A signature may not be denied legal effect, validity or enforceability solely because it is in the form of an electronic signature;
(b) If a rule of law requires a signature, or provides consequences in the absence of a signature, an electronic signature satisfies that rule of law.
“Electronic signature” is defined in clause 2 the Bill as:
any identifier or authentication technique attached to or logically associated with an electronic record that is intended by the person using it to have the same force and effect as a manual signature.
Other provisions in the Massachusetts Bill address the legal requirements of writing and the admissibility of electronic records, writings and signatures in a similar way (clause 3 would insert new ss 67 and 69 into the General Laws of Massachusetts).
340 Unlike the Californian statute discussed in paras 342–343, the Bill is not limited to communications involving government bodies. Clause 4 of the Bill provides:
(a) A contract between business entities shall not be unenforceable, nor inadmissible in evidence, on the sole ground that the contract is evidenced by an electronic record or that it has been signed with an electronic signature. For purposes of this section, “contract” shall mean a contract for the sale of goods or services, for the sale or license of digital information, or for the lease of tangible personal property. The provisions of this subsection shall not apply to the extent that their application would involve a construction of a rule of law that is clearly inconsistent with the manifest intent of the lawmaking body or repugnant to the context of the same rule of law, provided that the mere requirement that information be “in writing”, “written”, “printed”, or “signed”, or any other word that purports to specify or require a particular communications medium, shall not by itself be sufficient to establish such intent.
(b) Nothing in this section shall be construed to prevent a party from establishing reasonable requirements with respect to the method executed or adopted by a party to sign a contract, absent agreement to the contrary.
(c) Nothing in this section shall be construed to mean that electronic records and electronic signatures do not satisfy legal requirements for a writing or a signed writing in transactions not covered by this section.
341 The Massachusetts Bill closely resembles the UNCITRAL Model Law in that it is entirely technologically neutral and adopts a minimalist approach to electronic signature technology. There is no attempt to legislate standards for certification authorities or to allocate risks between parties using electronic signatures in commercial transactions.
342 The California Government Code was amended in 1995 to allow the use of electronic signatures in communications with “public entities”.113 Section 16.5 provides:
16.5 (a) In any written communication with a public entity, as defined in Section 811.2, in which a signature is required or used, any party to the communication may affix a signature by use of a digital signature that complies with the requirements of this section. The use of a digital signature shall have the same force and effect as the use of a manual signature if and only if it embodies all of the following attributes:
(1) It is unique to the person using it.
(2) It is capable of verification.
(3) It is under the sole control of the person using it.
(4) It is linked to data in such a manner that if the data are changed, the digital signature is invalidated.
(5) It conforms to regulations adopted by the Secretary of State. Initial regulations shall be adopted no later than January 1, 1997. In developing these regulations, the secretary shall seek the advice of public and private entities, including, but not limited to, the Department of Information Technology, the California Environmental Protection Agency, and the Department of General Services. Before the secretary adopts the regulations, he or she shall hold at least one public hearing to receive comments.
(b) The use or acceptance of a digital signature shall be at the option of the parties. Nothing in this section shall require a public entity to use or permit the use of a digital signature.
(c) Digital signatures employed pursuant to Section 71066 of the Public Resources Code are exempted from this section.
(d) “Digital signature” means an electronic identifier, created by computer, intended by the party using it to have the same force and effect as the use of a manual signature.
343 The section is limited in that it only provides that electronic signatures are legally effective as signatures in transactions with public entities. Although the section appears to be technologically neutral, the draft of the Digital Signature Regulations, made under s 16.5(a)(5), allows that only “acceptable technologies” be used (dated 18 November 1997). Under s 22003 of the draft regulations, either digital signature or signature dynamics technologies are currently approved.114 However, s 22004 allows for new technologies to be added to the list. The draft regulations also provide for licensing of certification authorities for the use of digital signatures, but does not seek to allocate commercial risks for users.
344 In our view the needs of the market can be met by making a change to the proposed Interpretation Act by including a definition of the term “signature” to ensure that electronic signatures are acceptable. This could follow the intent of article 7 of the UNCITRAL Model Law on Electronic Commerce by permitting a signature to be made provided a method is used to:
The definition could go on, adopting the Californian model, to make it clear that it is inclusive of certain types of currently used electronic technology but can also include different forms of technology which are yet to be invented. This would leave businesses free to make commercial decisions as to the appropriate method for “signing” electronic messages.
345 We regard this change to the law as fundamental in assisting business to make the most of the opportunities provided through electronic technology. It has the dual benefit of solving an immediate problem in relation to the perceived inability to “sign” documents electronically while leaving for mature reflection and consideration the issues relating to encryption and certification authorities for electronic signatures generally. However, we seek submissions on the following questions.
Should New Zealand adopt a statutory provision similar to article 7 of the UNCITRAL Model Law on Electronic Commerce, which allows electronic signatures to have the same effect as manual signatures?
Should any such reform, if adopted, also specify acceptable standards for electronic signatures, or should standards of security or reliability be left for the market to develop?
Does New Zealand need a domestic electronic signature infrastructure?
Should the state play any role in facilitating the use of electronic signature technology, for example, by assuming responsibility for the implementation of such an infrastructure?