
Computer Law & Security Report Vol. 18 no. 3 2002, ISSN 0267 3649/02/$22.00 © 2002 Elsevier Science Ltd. All rights reserved. Page 175

Electronic Signatures — Evidence

Both the Government and the industry are keenly promoting the use of electronic signatures. It is assumed that the widespread use of electronic signatures will encourage greater use of the Internet as a means to buy goods and services. This article looks at the evidential issues relating to electronic signatures, and illustrates the weakness of the infrastructure which, in turn, highlights the risks that both users and recipients encounter when using electronic signatures.

ELECTRONIC SIGNATURES — EVIDENCE: THE EVIDENTIAL ISSUES RELATING TO ELECTRONIC SIGNATURES[1] — PART 1
Stephen Mason, Barrister, Consultant

1. WHY ELECTRONIC SIGNATURES ARE USED

It is argued that consumers do not use the Internet widely to purchase goods and services because of the perceived threat to security of personal data, in particular of the possible misuse of credit card details. In addition, it is also assumed that businesses selling goods and services over the Internet are concerned about the integrity, confidentiality, authenticity and non-repudiability of messages sent electronically. The author is not convinced of these assumptions, and has previously suggested that the reason people do not buy from businesses with a presence on the Internet in the volumes predicted are related to more fundamental issues, rather than a lack (perceived or not) of security on the Internet.[2] This is a view shared by the eminent cryptographer, Ross Anderson, amongst others, who argues that the overwhelming majority of cryptographic support systems will be concerned with protecting intellectual property rights.[3]

Regardless of the volumes of certifying certificates issued and used, the reasons for using an individual certifying certificate are as follows:

• To ensure the authenticity of the information. When sending or receiving information or placing an order, both parties need to know that the sender of the message is the person they claim to be. There is a need to authenticate the identity of the sender.[4]

• To demonstrate the integrity and accuracy of the message, because it is important to know if the content of the message has not been tampered with.

• To prevent the person making the statement from denying that they made the statement. This is called non-repudiation in the security industry.

In the normal course of events, many thousands of transactions take place over the Internet each day without recourse to the use of cryptographic devices. Not only are goods and services bought and sold, but correspondence by way of email is conducted by individuals and businesses in ever increasing volumes. People using the Internet do not tend to use electronic signatures to conduct business. In the same way that a consumer will enter a contract to purchase an item from a business at a distance after viewing an illustration of a product in a catalogue or newspaper, for instance, so people use their intuition to gauge the risk that they may be taking when entering a contract over the Internet. As Jane K Winn has pointed out, even where strangers enter contracts with each other, people tend to rely on the information they glean from conversations over the telephone, face-to-face meetings, advertising, brand images and references from friends.[5]

Whilst individual certifying certificates can help to confirm the identity of a consumer, the use of such a certificate does not necessarily help the consumer determine:

• whether the business they purport to be entering a contract with exists, or
• if the business exists, whether and when it will supply the goods or services ordered as promised; or
• if the website they have viewed is a ghost site, purely intent on capturing their identity or credit card details, or both, with a view to using such information fraudulently.

Conversely, it is perfectly possible for certifying certificates to provide authentication in relation to the points raised above. For instance, where the visitor has logged on to a website with a secure connection, they can click onto the secure icon to follow the trail to look at and check the certificate sitting behind the web site. The practical point about human behaviour, which is not the subject of this article, indicates that certifying certificates may never be used widely. However, even if human behaviour was such that certifying certificates were widely used, the potential user faces serious practical problems before they can use an electronic signature. Individual certifying certificates are difficult to buy, install on a computer and use properly. It is probably for these latter reasons that such certificates will not be used widely by consumers.[6]


2. HOW THIS PAPER IS ARRANGED

The aim of this paper is to introduce the reader to the range of issues that need to be considered when seeking to adduce an electronic signature into evidence. It may be that the relying party wishes to show that the party affixing the electronic signature to a document intended to be legally bound to the terms of the document. Alternatively, the party whose electronic signature was used may challenge the assertion that they affixed or authorised the fixing of their electronic signature to the document in question. As a result, it is felt appropriate to set out the legal framework before considering the infrastructure relating to electronic signatures. The problems relating to the way electronic signatures are created and used will highlight the types of evidential issues that may arise in the future.[7]

First, the terms used in this paper are considered. There follows a short discussion of manuscript signatures and the nature of an electronic signature. Consideration is then given to the admissibility and legal presumptions of electronic signatures. Thereafter, ‘non-repudiation’ is discussed before considering the reliability of the certifying certificate and the issues that must be considered in assessing the evidential weight to be given to the evidence. Finally, a brief outline of the technical structure is given before setting out the weaknesses, which will have a bearing on the evidential weight of an electronic signature.

3. TERMS

The terms ‘electronic signature’ and ‘digital signature’ are used interchangeably.[8] When the author wrote about this issue in 1999, an attempt was made to set out the difference, in lay terms, between an ‘electronic signature’ and a ‘digital signature’ as follows:

A digital signature is a technique that can include many other possibilities, other than an electronic substitute for a hand-written signature. A digital signature can also be used to establish the origin and integrity of electronic data. It is easier to understand the digital signature as being a technique used for various purposes, one of which can be an electronic signature. An electronic signature is the application of an electronic substitute for a hand-written signature.[9]

Whilst it initially seemed that a digital signature comprised a greater number of uses than an electronic signature, it is probably correct to accept that an electronic document can be sent with the following attributes:

• An electronic document can be sent in its plain text.

• Alternatively, an electronic document can be sent in plain text with an electronic signature attached to it in accordance with the provisions of section 7(1) of the Electronic Communications Act 2000 (the Act), sections 7, 11 and 12, which came into force on 25 July 2000 in accordance with the provisions of the Electronic Communications Act 2000 (Commencement No 1) Order 2000 (SI 2000 No 1798), as follows:

7(1) In any legal proceedings –
(a) an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and
(b) the certification by any person of such a signature,
shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data.

• Further, an electronic document can be sent in encrypted text with an electronic signature attached to it.

In this paper, the following definitions have been adopted:

The term ‘electronic signature’ is the incorporation of an electronic or digital method (comprising a numerical value using a known mathematical procedure associated with the private cryptographic key of the sender) to an electronic communication, which is:
• unique to the person using it, and
• which is capable of being verified, and
• is linked to the communication in such a way that if the content of the communication is changed, the electronic signature is invalidated.

For the purposes of this paper, ‘electronic signature’ has the specific meaning attributed to it in section 7(2) of the Act, as follows:[10]

(2) For the purposes of this section an electronic signature is so much of anything in electronic form as –
(a) is incorporated into or otherwise logically associated with any electronic communication or electronic data; and
(b) purports to be so incorporated or associated for the purpose of being used in establishing the authenticity of the communication or data, the integrity of the communication or data, or both.

An ‘individual certifying certificate’ means the individual certificate issued by a trusted third party (such as a certification authority), which identifies a natural or legal person and indicates that a public key and a private key has been issued to the natural or legal person.

The meaning of a digital signature as adopted by ISO/IEC 7498-2: OSI Basic Reference Model - Security Architecture will be used in this paper. This is data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data to prove the source and integrity of the data unit. The digital signature mechanism defines two processes: that of
• the signing of a data unit by the person initiating the signature, which is a private action; and
• verifying a signed data unit by using the procedures and information publicly available, the process of which is discussed later in this paper.[11]

If there is a difference between an electronic signature and a digital signature, it is the fine distinction between:
• the incorporation of data that purports to be incorporated or associated to help establish the authenticity or integrity of the communication; and
• the ability to prove the source and integrity of the data unit.

It can be argued that the digital signature can provide a higher degree of certainty for the relying party, subject to the verification process[12], and the possibility that a digital signature can be removed from a document in electronic format without trace.[13]
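As an added illustration (not code from the article), the following Go program uses the standard library's Ed25519 to exercise the two processes just described, the private signing step and the public verification step, against the three attributes in the definition above (unique, verifiable, invalidated by any change) and the two evidential caveats the paper raises: a detached signature can be stripped without trace, and verification shows which key was used, not who used it. Alice, Bob, the envelope format and the sample document are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Envelope is a format constructed for this example only: the plain document,
// a detached signature over it, and the public key of the purported signer.
type Envelope struct {
	Doc []byte
	Sig []byte
	Pub ed25519.PublicKey
}

// Sign is the private process: the private key turns the document bytes into
// the "numerical value" the definition describes. Whoever holds the key can
// perform it; the function cannot tell who is at the keyboard.
func Sign(priv ed25519.PrivateKey, doc []byte) Envelope {
	return Envelope{
		Doc: doc,
		Sig: ed25519.Sign(priv, doc),
		Pub: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the public process: it needs only the public key, so a relying
// party can run it without any secret from the signer.
func Verify(e Envelope) bool {
	return ed25519.Verify(e.Pub, e.Doc, e.Sig)
}

// Strip returns the bare document. A detached signature lives outside the
// document bytes, so nothing in the result records that it was ever signed.
func Strip(e Envelope) []byte {
	return e.Doc
}

// Findings records what verification does and does not establish.
type Findings struct {
	Intact    bool // unaltered document verifies under the signer's public key
	Tampered  bool // altered document still verifies (expected false)
	WrongKey  bool // another person's signature passes under the signer's key (expected false)
	KeyReused bool // signer's private key used by someone else still verifies (expected true)
	Traceless bool // stripped document is byte-identical to the unsigned original
}

// Run walks through the situations above and returns the outcomes.
func Run() (Findings, error) {
	var f Findings
	// Constructed sample document; the amount and date are illustrative only.
	doc := []byte("I agree to buy 10 units at GBP 5.00 each. Dated 15 November 2001.")

	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return f, err
	}
	_, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return f, err
	}

	// 1. Integrity and key-source: the genuine envelope verifies.
	env := Sign(alicePriv, doc)
	f.Intact = Verify(env)

	// 2. Any change to the content invalidates the signature.
	tampered := env
	tampered.Doc = bytes.Replace(doc, []byte("10 units"), []byte("100 units"), 1)
	f.Tampered = Verify(tampered)

	// 3. Uniqueness: Bob's signature presented as Alice's does not verify.
	forged := Sign(bobPriv, doc)
	forged.Pub = alicePub
	f.WrongKey = Verify(forged)

	// 4. The mechanism proves which key was used, not who used it: a family
	//    member, colleague or malware with access to Alice's key produces a
	//    signature indistinguishable from hers.
	reused := Sign(alicePriv, doc)
	f.KeyReused = Verify(reused)

	// 5. Removing the detached signature leaves no trace in the document.
	f.Traceless = bytes.Equal(Strip(env), doc)
	return f, nil
}

func main() {
	f, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", f)
}
```

The four expected outcomes are the evidential point in miniature: the verification step settles integrity and the key, and everything about the person behind the key has to come from extrinsic evidence.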

4. MANUSCRIPT SIGNATURE

The electronic signature is often compared to the manuscript signature. Whilst there is a similarity in purpose between the two, an electronic signature comprises more attributes than a manuscript signature. A manuscript signature, which can be a full name, initials, a nickname or a seal, can serve a number of functions:[14]

• To provide evidence of the identity of the person creating the document, thereby associating that person with the document they have signed, such as a will.


• It can demonstrate that the signatory approves the content of a document.

• Is a declaration of the signatory’s intention that the document is to have legal effect and acts as proof of the event of signature.

• By signing a document, the signatory is reminded of the significance of the act and the need to act within the provisions of the document.

As a corollary, the party receiving the document containing a manuscript signature recognizes that the other party affirms the content of the document; they are assured of the identity of the signatory and they are in receipt of the proof of the source and contents of the document.

However, it is well known that manuscript signatures are forged. To prevent this problem, and to test both the validity and the effectiveness of a manuscript signature, some documents require the signature to be affixed in the presence of a witness or an authorized official. There is a distinction between the form and function of a manuscript signature, and Professor Chris Reed notes that the modern approach to the validity of a manuscript signature emphasizes function over form in the test for validity.[15]

5. THE NATURE OF THE ELECTRONIC SIGNATURE

An electronic signature, in accordance with the provisions of s7(1) of the Act, can be admissible in evidence in relation to the authenticity of the communication or data and the integrity of the communication or data. In addition, an electronic signature serves other information-security purposes that manuscript signatures cannot:
• the recipient can determine whether the communication was altered after it was digitally signed;
• as a result, a certifying certificate can provide assurance about the source and integrity of the document.

Electronic signatures can be produced in different formats, including a manuscript signature that is scanned into a document, an electronic representation of a hand-written signature or a digital representation of a biometric, such as a retina scan or fingerprint.

6. THE ADMISSIBILITY OF THE ELECTRONIC SIGNATURE

The Act permits an electronic signature to perform a similar role to that of a manuscript signature.[16] The Act provides, in s7(3), for any person to certify that the electronic signature is a valid means of establishing the authenticity and integrity of the communication or data or both:

(3) For the purposes of this section an electronic signature incorporated into or associated with a particular electronic communication or particular electronic data is certified by any person if that person (whether before or after the making of the communication) has made a statement confirming that –
(a) the signature,
(b) a means of producing, communicating or verifying the signature, or
(c) a procedure applied to the signature,
is (either alone or in combination with other factors) a valid means of establishing the authenticity of the communication or data, the integrity of the communication or data, or both.

It appears, therefore, that the person or organization certifying the electronic signature may need to certify before or after or both before and after sending the communication, that the signature is authentic and the integrity of the data or communication is therefore not to be questioned. From a practical point of view, the certification process will probably occur before the sending of the communication, although there may be circumstances where the certification process can occur after the communication is sent. The actual certification will probably be an assertion by the person or organization certifying the signature that there is an association linking the public key with the private key. It is the provision of this extrinsic evidence that is necessary to provide evidence of the user’s identity.[17]

7. THE LEGAL PRESUMPTION OF AN ELECTRONIC SIGNATURE

It should be noted that the electronic signature is admissible in evidence in relation to the authenticity or integrity of the communication, and that the communication is deemed to have a legal effect (section 2(a)(iii) of the Act is authority on this latter point). Section 7(1) of the Act provides for a two-stage process to ensure an electronic signature can be admissible in evidence for the purposes of the Act:
• First, by s7(1)(a) the electronic signature must be incorporated into or logically associated with a particular electronic communication or data; and
• Second, by s7(1)(b) there must be a certification process where a statement is produced which links the key with the person, including, but not limited to, the undertaking of checks on the identity of the individual or corporate entity.

The second stage of the process infers that it is the duty of the trusted third party to certify that a key linked to a person or legal entity is admissible. It seems, therefore, that if a recipient receives an electronic communication which is (a) signed with an electronic signature, and (b) the certifying certificate relating to the electronic signature can be verified by a trusted third party, the communication in question is admissible in evidence, subject to the provisions of s15(2) of the Act.

8. THE MEANING OF NON-REPUDIATION

In legal terms, the meaning of ‘non-repudiation’ is different to that used in the technical cryptographic sense. As McCullagh and Caelli point out,[18] a manuscript signature can be repudiated for a number of reasons, including:
• the signature is a forgery;
• whilst not a forgery, the signature was obtained as a result of:
  - unconscionable conduct by a party to a transaction;
  - fraud instigated by a third party;
• undue influence exerted by a third party.

(a) Legal meaning

In civil proceedings, the Judicial Studies Board indicate that a certifying certificate may be hearsay evidence as to the identity of the public key, and if a party relies on such a certificate, they must meet the requirements relating to notice of this evidence in accordance with section 2 of the Civil Evidence Act 1995 and the provisions of Part 33 of the Civil Procedure Rules. Once the party relying on the public key provides the relevant notice and particulars, it will be for the other party to raise an objection as to the authenticity or otherwise of the certifying certificate. A party to civil litigation is taken to admit, in accordance with Part 31 of the Civil Procedure Rules, the authenticity of a document disclosed to them under Part 32, Rule 19(1) of the Rules unless they serve notice that they wish the document to be proved at trial. As far as criminal proceedings are concerned, a judge will be required to consider whether a certificate is admissible under the terms of section 24 of the Criminal Justice Act 1988 and section 68 of the Police and Criminal Evidence Act 1984.[19]

(b) Technical cryptographic meaning

The term ‘non-repudiation’ in the cryptographic sense for technical purposes is a property, attained through cryptographic methods, which prevents the person sending the message from denying they sent the message, as well as denying the origin, submission, delivery and integrity of the content.[20] This technical meaning of the term has begun to be used in a legal sense by vendors of public key infrastructure which, in turn, has tended to confuse legislators.[21] McCullagh and Caelli suggest that the technical response by the International Organization for Standardization is either to deny the right of the individual to repudiate an electronic signature, or shifts the burden of proof from the recipient to the alleged user.[22]

(c) Repudiating electronic signatures

A key issue with respect to electronic signatures is the connection between the mental state of the person who may wish to be bound by the affixing of the electronic signature to a communication, and the act of affixing the electronic signature to the electronic message. The following issues are pertinent when establishing a nexus between the electronic communication and the electronic signature:
• whether the genuine user intended to be bound by the contents of the electronic document;
• if another person used the electronic signature without authorization, how they obtained access to the certifying certificate;
• who should bear responsibility for the unauthorized use.

9. CHALLENGING AN ELECTRONIC SIGNATURE

An electronic signature can be challenged for a number of reasons:
• where the person whose certifying certificate is used claims they did not authorize the affixing of the key number to the document (this could be because an unauthorized person gained access to and used the certifying certificate, such as a member of the family, fellow employee or a hacker);
• the communication was sent with the electronic signature affixed, but the sender did not intend the communication to have any legal effect;
• the communication was sent with the electronic signature affixed, but the sender was coerced into sending the communication with the electronic signature affixed against their will;
• the communication was sent with the electronic signature affixed, but the sender revoked the certifying certificate;
• a certifying certificate may have been issued to an impostor.

The party challenging the admissibility of the electronic signature may be making either one or all of the following claims:
• the security used by the sender was not sufficient to prevent a third party from gaining access to their computer or system and making improper use of their key number;
• the procedures and technical abilities (such as the means of producing, communicating or verifying the signature) of the trusted third party were at fault;
• another organization in the chain that links the sending of the electronic key and its receipt by the relying party, other than the trusted third party, was at fault.

Where the electronic signature is used to authenticate the document or to establish its authenticity, a number of questions (some of which are set out above) must be considered, in accordance with s15(2) of the Act, which provides as follows:

(2) In this Act –
(a) references to the authenticity of any communication or data are references to any one or more of the following –
(i) whether the communication or data comes from a particular person or other source;
(ii) whether it is accurately timed and dated;
(iii) whether it is intended to have legal effect; and
(b) references to the integrity of any communication or data are references to whether there has been any tampering with or other modification of the communication or data.

Whichever party has the burden of proof will be required to submit evidence in response to the provisions of s15(2), together with any other extrinsic evidence that may be necessary to support the evidential burden.

As pointed out by Mark Sneddon, the technology can, to a high degree of probability, prove that an electronic signature was affixed to a communication, but it cannot prove who used the signature. It is to be inferred that the holder of the certifying certificate affixed the electronic signature to the communication. The inference is weaker where there is little or no security in place on the computer or system upon which the certifying certificate sits.[23]

10. RELIABILITY OF CERTIFYING CERTIFICATES AND BURDEN OF PROOF

Regardless of the technical meaning of the term ‘non-repudiation’, there are a number of problems that affect the reliability of certifying certificates that are used to affix electronic signatures to an electronic communication:
• The confusing design on the screen, which can lead a user to activate the non-repudiation function without knowing the significance others attach to the certifying certificate.
• The software application may be set to send a receipt, but the recipient may not know the original sender sent the receipt. This also raises the question as to whether the receipt is authentic.
• Flaws in the design of the security system that permits one person to activate the non-repudiation bit in the electronic certificate of another user without permission.
• A design flaw in the public key infrastructure.
• The open nature of the Internet, which means hackers could infect computers with a virus or Trojan horse that can be designed to steal private keys. The risks of hackers gaining entry to computers and networks increased with Digital Subscriber Link (DSL) and cable modem technologies. Without a DSL connection, the computer is assigned a dynamic address each time a person connects to the internet. Whilst connected on a DSL line, a computer may have either a permanent Internet Protocol (IP) address, or a dynamic IP address, depending on the Internet service provider (ISP), although a customer can request a static address. Where a computer has a persistent connection to the Internet, the risk to attack and penetration by a third party is greater. As McCullagh and Caelli point out, by having a permanent IP address, a user is more vulnerable to attack by a hacker.[24]

The general rule with respect to signed documents is this: where a party relies on a signed document and wishes to enforce the document against the signing party, the relying party must prove the signature is that of the signing party, or the document was authorized by the signing party. This is so where the signing party claims they did not sign the document, or if they did sign the document, they did so under duress. It is not for the signing party to prove that they did not authorize the document or sign it.

Stephen Mason, Report Correspondent, Barrister, Consultant
© Stephen Mason, 2002

This paper was written to accompany a lecture given to a joint meeting of the Society for Advanced Legal Studies and British Computer Society Internet Specialist Group on 15 November 2001 in Senate Room, Senate House, University of London, chaired by David Spinks, Director Information Assurance, EDS.

Stephen Mason is a barrister and Chairman of Pario Communications Limited. He specializes in e-risks, e-business, data protection and interception of [email protected]

FOOTNOTES

1 The author wishes to thank Professor Tapper, Peter Howes COO ofrchive-it.com, Charles Hollander QC, John Theobald of Ikan plc and Nicholas Bohm, consultant to Fox Williams, and Alec Muffett, Principal Engineer Security at Sun Microsystems Limited, for reading the first draft of this paper and for their valuable comments. All errors and omissions remain with the author.

2 Stephen Mason, "Risk, business and e-commerce", Amicus Curiae, The Journal of the Society for Advanced Legal Studies, Issue 27, May 2000, 9 - 13. This view is also shared by Jane K Winn, "The emperor's new clothes: the shocking truth about digital signatures and internet commerce", <http://www.smu.edu/~jwinn/shocking-truth.htm> viewed on 23 March 2001, 1, 3. Adrian McCullagh and William Caelli, "Non-Repudiation in the Digital Environment", <http://firtsmonday.org/issues/issue5_8/mccullagh/index.html> state "With the advent of new digital signature technology, face-to-face communications as a manner of doing business will, in the not too distant future, become the exception rather than the norm" at 1, viewed on 20 July 2001.

3 Ross Anderson, "The real applications of cryptography", <http://www.cl.cam.ac.uk/users/rja14/dtiresponse/node9.html>, viewed on 3 October 2001; see also Carl Ellison and Bruce Schneier, "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure", Computer Security Journal, Volume XVI, Number 1, 2000, available in electronic format at <http://www.counterpane.com/pki-risks.html>. See a reply to the article by Ellison and Schneier: Simon Corell, "Ten Risks of PKI - In Favour of Smart Card-based PKI", <http://www.id2tech.com/whitepapers/tenrisks.asp> viewed on 26 July 2000.

4 An authentication protocol can be designed to establish responsibility, credit, or both. If a protocol is inadequately designed, it can be attacked by a third party. The design of an authentication protocol can, therefore, be pertinent where a party disputes that an electronic signature was used. Martín Abadi, "Two Facets of Authentication", SRC Technical Note 1998 - 007, March 18, 1998, available from <http://gatekeeper.dec.com/pub/DEC/SRC/technical-notes/abstracts/src-tn-1998-007.html> viewed on 15 March 2002.

5 Winn, 7.

6 See Nicholas Bohm, Ian Brown and Brian Gladman, "Electronic Commerce: Who Carries the Risk of Fraud?", 2000 (3) Journal of Information, Law and Technology (JILT), <http://elj.warwick.ac.uk/jilt/00-3/bohm.html>, who suggest that another reason is because merchants suffer the loss if a card holder claims they did not purchase goods or services over the Internet. For the problems associated with using electronic signatures by a business, see Simon Owen, "Read the small print", Itconsultant, October 2001, 38 and Ben Rothke, "Security strategies for e-companies" at <http://www.infosecuritymag.com/articles/october01/columns_logoff.html> viewed on 19 December 2001.

7 Individuals can create their own private and public keys. For the purposes of this paper, the assumption is that electronic keys are obtained through a Certification Authority, also called a Trusted Third Party, using the public key infrastructure. The reader will be aware that the same issues discussed in this paper will apply to privately created keys, with the added complication that the level of authenticity will clearly be lower because ascertaining proof of identity will be more difficult for any person wishing to rely on the key pair generated by an individual. How the key pair is generated may also be problematic.

8 This is also pointed out in paragraph 2.2 of the Final Report of the EESSI Expert Team, 20 July 1999, European Electronic Signature Standardization Initiative, available from <http://www.ict.etsi.org/essi/Final-Report.doc>; also see GUIDEC II, "General Usage for International Digitally Ensured Commerce" for further discussion of terms, available at <http://www.iccwbo.org/home/guidec/guidec_two/foreword.asp> viewed on 29 November 2001. Unfortunately, GUIDEC II does not use the term 'electronic signature' but 'digital signature', thus adding to the confusion. In addition, the Draft Guide to Enactment of the UNCITRAL Model Law on Electronic Signatures, dated 12 - 23 March 2001 (A/CN.9/WG.IV/WP.88), also appears to refer to digital signatures and electronic signatures interchangeably; see paragraphs 31 to 62 (available from <http://www.uncitral.org/english/sessions/wg_ec/dig-sign-bckdocs/index.htm> viewed on 20 July 2001).

9 Stephen Mason, "Electronic Signatures: The Technical and Legal Ramifications", Computers and Law, December 1999/January 2000, Volume 10, Issue 5, 37 - 44, 39. Also available at <http://www.itsecurity.com/papers/digsig.htm>. [Please note, in retrospect, this paper mainly deals with cryptography, not electronic signatures].

10 See a discussion of the need to define 'signature' internationally in Christopher Kuner and Anja Miedbrodt, "Written Signature Requirements and Electronic Authentication: A Comparative Perspective", 8, available at <http://www.kuner.com/data/sig/signature_perspective.html> viewed on 24 October 1999.

11 Final Report of the EESSI Expert Team, Annex B. The definitions offered in this paper are similar to the definitions set out in Appendix 1 of "PKI Assessment Guidelines", PAG v0.30, June 18, 2001, produced by the Information Security Committee, Electronic Commerce Division, Section of Science and Technology Law, American Bar Association, available from <http://www.abanet.org/scitech/ec/isc/pag.html> viewed on 29 January 2002.

12 Graham J H Smith, "Internet Law and Regulation", (Sweet and Maxwell, Third Edition, 2002) 12 - 135, describes a digital signature as the encryption of a document, rather than the act of adding a signature to a document.

13 Adrian McCullagh, William Caelli, Peter Little, "Signature Stripping: A Digital Dilemma", 2000 (1) Journal of Information, Law and Technology (JILT), <http://elj.warwick.ac.uk/jilt/01-1/mccullagh.html>, 10.

14 Phipson on Evidence, (Sweet and Maxwell, 15th Edition, 2000), 40-04; "Digital Signature Guidelines", Judicial Studies Board, July 2000, 3 (available at <http://www.jsboard.co.uk/indbod.htm>); "The Legal Aspects of Digital Signatures", Interdisciplinary Centre for Law and Information Technology, at <http://www.law.kuleuven.ac.be/icri/projects/report.data/executive.htm> viewed on 20 July 2001; "Legal and Regulatory Issues for the European Trusted Services Infrastructure - ETS" Final Report by ISTEV, available at <http://www.cordis.lu/infosec/src/stud2fr.htm> viewed on 17 March 2000; Adrian McCullagh, Peter Little and William Caelli, "Electronic Signatures: Understand the Past to develop the Future", available at <http://www.law.unsw.ed.au/unswlj/ecommerce/mccullagh.html> viewed on 10 August 2001; Draft Guide to Enactment of the UNCITRAL Model Law on Electronic Signatures with Guide to Enactment 1966, paragraphs 48 and 53 (available at <http://www.uncitral.org/english/texts/electcom/ml-ecomm.htm> viewed on 11 January 2002); "Protections of the Acknowledgment" in "A Position On Digital Signature Laws And Notarization", A Position Statement From The National Notary Association, September 2000, 3 - 5 (<http://www.nationalnotary.org>).

15 Chris Reed, "What is a Signature?" 2000 (3) Journal of Information, Law and Technology (JILT), <http://elj.warwick.ac.uk/jilt/00-3/reed.html>.

16 An electronic signature is not the equivalent of a manuscript signature, as pointed out by Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, (Wiley Computer Publishing, 2000), 225.

17 Reed, 18 and note 143.

18 McCullagh and Caelli, 2.

19 Paragraph 42 "Digital Signature Guidelines" and Phipson, 40 - 01.

20 See paragraph 1.20 of "Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Secure Electronic Commerce" produced by the Information Security Committee, Electronic Commerce and Information Technology Division, Section of Science and Technology, American Bar Association, 1996, available at <http://www.abanet.org/scitech/ec/ise/dsgfree.html>; also McCullagh and Caelli, 3; also the brief discussion in "Legal and Regulatory Issues for the European Trusted Services Infrastructure - ETS" Final Report by ISTEV.

21 Schneier, 235 and McCullagh and Caelli, 5.

22 McCullagh and Caelli, 3 - 4.

23 Mark Sneddon, "Legal liability and e-transactions", Commonwealth of Australia, 2000, 3.2 (b)(i), available at <http://www.noie.gov.au/publications/2000.htm> viewed on 31 January 2002.

24 McCullagh and Caelli, 7.

BOOK REVIEW

Privacy and Human Rights

Privacy & Human Rights – An International Survey of Privacy Laws and Developments, in Association with Privacy International, 2001, Electronic Privacy Information Center and Privacy International, soft-cover 318 pp., ISBN 1 893004 13 0.

The Electronic Privacy Information Center (EPIC) is a public-interest research center in Washington DC. Established in 1994, it focuses public attention on emerging civil liberties issues, privacy, the First Amendment and constitutional values. Privacy International (PI) is a human-rights group formed in 1990 as a watchdog on surveillance by governments and corporations. This study, first produced in 1997, has been updated on an annual basis since that date. The 2001 update reviews the state of privacy in more than 50 countries around the world. It outlines legal protections for privacy, and summarizes important issues and events relating to privacy and surveillance. New sections in the 2001 issue cover genetic privacy, location tracking, increasing authentication and identification requirements, electronic numbering, corporate sharing of information with governments, and the privacy implications of digital-rights management schemes for protecting intellectual property. The first 80 pages of the survey cover the basic issues with country reports following thereafter.

Available from EPIC's Online Bookstore at: <www.epic.org/bookstore>
