
sure to have its share of disputes and losses. These may be due to negligence by one
of the third parties or the parties to the transaction, or technological failures or any other
reason.
If information-communications systems are used for day-to-day business and private interests - to buy consumer goods, submit tax forms or to send confidential messages - there will ultimately be a need for a digital identity. Other existing solutions - identification using credit card numbers, etc. - are simply makeshift solutions that are being used temporarily in certain areas. Normally speaking, identity is something very complex. It does not merely refer to name, date of birth, color of eyes and all the other features contained in personal identification documents, but also means a person's entire personality, background and integrity.
Digital identity means considerably less than all these everyday meanings: first of all, that a person owns and uses a digital ID - in other words, an ID expressed in zeros and ones that can be transmitted via the Internet (or any other data network). This digital ID



Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written
permission of Idea Group Inc. is prohibited.
106 Ruzic


is also termed an electronic certificate. It confirms not just the name and e-mail address of a person, but may also confirm other information - the name of the company where the person is working, etc. - and the validity of the digital signature.
When a machine or a person issues someone with a certificate, this is confirmation of the existence of this person, including the name and one or two other details. This identity is invaluable for the entire digital economy - it forms a foundation for trust. But whether this person is honest, creditworthy or reliable, or whether the machine is operated by a reputable company - i.e., what in fact belongs to identity in the broader sense of the word - remains unknown.
Nevertheless, this manner of ensuring reliability is also indispensable for the digital economy. It is carried out using other means, beyond the scope of electronic signature technologies. In the case of companies with a good Web presence - with a shop system, SSL, credentials, supplier brand, general terms and conditions, quality labels, etc. - this is a good indication of their reliability, and the legislator has provided for legal provisions (remote sales law, EU e-commerce guideline, etc.).




Basic E-Business Legislation and Regulation
Companies doing E-Business activities are not operating in an unregulated world. The old rules still apply in the new digital environment, and new statutes and regulations aimed at digital violations are quickly emerging. When it comes to regulations, however, ignorance is not bliss. Advertising, sweepstakes, unsolicited commercial e-mail (spam), trade regulation compliance, securities laws, tax regulatory compliance, and other regulatory issues can all pose significant challenges for E-Business. Doing E-Business activities in a borderless medium raises special challenges, given that many jurisdictions have inconsistent laws regulating E-Business, e-commerce, e-signatures, etc.
At the core of all E-Business activities is the fundamental question: "Is it legal?" The answer to that question will depend on what law applies and how online activities are structured. Yet determining what law applies is easier said than done when transactions are being conducted in what is essentially a borderless medium. At the same time, the Internet is profoundly changing the law that applies to these business activities. The law that governed our transactions six months ago may not be the law that governs our transactions today or, even if the prior law is still relevant, it may apply in ways we never contemplated because of legal developments in the interim (Zoellick, 2001). Many countries have already enacted numerous statutes and regulations related to some aspect of E-Business activities. In some cases, these laws represent an experiment designed to anticipate and resolve issues that have not yet arisen, and in other cases these laws represent significantly conflicting approaches to a common set of issues.
Some of the foremost areas of regulation and legislation in the digital economy cover several key issues:

• Electronic Transactions and Contracts (e-commerce): The electronic communication of documents, as well as electronic advertising, contracting, and payment, are clearly the future of e-commerce. Companies have embraced e-commerce in order to decrease costs, streamline transactions, and increase sales. To really do high-value deals online, however, companies must feel confident that the transactions they enter into today will be legally enforceable and binding tomorrow. In the paper-based world, putting a contract on company letterhead and using ink signatures helps to provide that reassurance. Concern over what that means in the digital world has produced an explosion of legislation at national and international levels.
• Electronic Finance (services, Tax and Customs): The proper characterization of a transaction for tax purposes is probably the most difficult issue in the taxation of e-commerce. Nevertheless, characterization is critical to determining how an e-commerce transaction will be treated for income tax and consumption tax (VAT) purposes. Local, national, and international tax authorities and organizations are struggling with these concepts and trying to decide whether new legislation will be needed or whether existing rules can be applied to the new concepts.
• Intellectual Property Laws (trademarks, copyrights, and patents): Companies face unprecedented challenges both in protecting their intellectual property worldwide and in minimizing the likelihood that they might be infringing someone else's intellectual property rights (Sang, 2002).
• Privacy and Personal Data Protection: Thanks to information-communications systems, it has never been so easy to collect, reproduce, disseminate, and compile personally identifiable information. Organizations have never faced such daunting privacy issues regarding this increasingly indispensable information, and E-Businesses should address the attendant privacy issues in order to avoid legal liability. Given the current media and legal climate, and the fact that electronic communications and technology tracking abilities will only increase in the future, concerns about the privacy of electronic communications are recognized in many countries, and many privacy-related bills are now pending on both the national and international scene.
• Information Security (Cybersecurity, Cybercrime): New information and communications technologies give rise to new opportunities for their abuse, which in turn give rise to legal restrictions. This creates the need to legislate against a variety of new abuses and frauds - or old frauds committed in new ways. Cyber-crime may cause serious financial damage, and computer-related offences frequently involve more than economic loss. Damage can be a waste of time, or the loss of privacy and security. The most significant harm and danger caused by cyber-crime is the threat of lost reliability and lost trust in cyber-space. There is another aspect of harmful and dangerous activity within the E-Business environment - the broadcasting of digital content. There is no consensus yet, neither on what kind of content should be prohibited, nor on how it can be handled.

• Consumer Protection: Considering the functionality and applicability of these issues, it is worthwhile to find one generic key category that links all of these separate issues in one regulated scene. It is obvious that, as a signature means almost everything in the physical world of paper-based business, some kind of instrument that could ensure the security, trust and functionality of E-Business should be introduced. This issue is considered the core category of any national and international regulation in the digital economy - the answer lies in making the electronic signature equivalent to a hand-written signature, no matter what type of information technology is in use.




Electronic Signature as the Core Category in Digital Economy

Background

For E-Business of any kind (private or public sector) to grow, businesses must implement the use of electronic signatures correctly and legally. With the advent of electronic signatures, E-Business is changing the way we sign and store documents. Thus, any business that wants to succeed in the digital economy must deal with electronic signatures. Signing is an everyday activity wherever a law or other arrangement requires the signature of a person. A signature is needed as a medium for authentication in order to identify the person (the signer), to indicate the person's approval of the information communicated and to be legally applicable.
Whether captured on paper or electronically, a signature has a specific legal definition and purpose. The Commercial Codes (the laws adopted by most countries to govern commercial transactions) define a document that is "signed" as one that includes any name, word, mark, or symbol executed or adopted by a party with the present intention to authenticate the writing. A signature usually serves several purposes, including authentication and attribution of a document to its signer, a reminder of the significance of the document, evidence that the signer intended the signed document to have legal effect, and an indication that the signed document was intended to be the final version.
In today's digital economy environment, establishing a framework for the authentication of computer-based information requires a familiarity with concepts and professional skills from both the legal and computer security fields. Combining these two disciplines is not an easy task. Concepts from the information security field often correspond only loosely to concepts from the legal field, even in situations where the terminology is similar.
The historical legal concept of signature is broader. It recognizes any mark made with the intention of authenticating the marked document. In a digital setting, today's broad legal concept of signature may well include markings as diverse as digitized images of paper signatures, typed notations, or even addressing notations, such as electronic mail
origination headers. A signature is not part of the substance of a transaction, but rather of its representation or form. Signed writings serve the following general purposes:
• Evidence: A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.
• Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act, and thereby helps prevent "inconsiderate engagements."
• Approval: A signature expresses the signer's approval or authorization of the writing, or the signer's intention that it has legal effect.
• Efficiency: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document.


To achieve the basic purposes of signatures outlined above, a signature must have the
following attributes:
• Signer authentication: A signature should indicate who signed a document,
message or record, and should be difficult for another person to produce without
authorization.
• Document authentication: A signature should identify what is signed, making it
impracticable to falsify or alter either the signed matter or the signature without
detection.


Signer authentication and document authentication are tools used to exclude impersonators and forgers and are essential ingredients of what is often called a non-repudiation service. A non-repudiation service provides assurance of the origin or delivery of data in order to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent. Thus, a non-repudiation service provides evidence to prevent a person from unilaterally modifying or terminating legal obligations arising out of a transaction effected by computer-based means.
Traditional methods, however, are undergoing fundamental changes that come with the digital economy. Although digital media are in use, documents continue to be written on paper, but sometimes merely to satisfy the need for a legally recognized form. In many instances, the information exchanged to effect a transaction never takes paper form. Computer-based information can also be utilized differently than its paper counterpart. For example, computers can read digital information and transform the information or take programmable actions based on it. Information stored in digital media rather than on paper can travel near the speed of light, and may be duplicated without limit and at insignificant cost. Although the basic nature of transactions has not changed, the law has only begun to adapt to advances in technology. The legal and business communities must develop rules and practices which use new information
technology to achieve and surpass the effects historically expected from paper forms.
Electronic signature technology generally surpasses paper technology in all these
attributes.


Electronic Signature: Scope and Definition

The term electronic signature could be defined as a sound, symbol or process attached to or logically associated with an electronic record by a person (a signer) with the present intent to authenticate that record. Every software download from the Internet includes reading the licensing agreement and clicking "I accept," at which point a person is using some kind of electronic signature (the click combined with the person's self-identification creates the signature). If a person places a trade over the phone and verbally confirms that they want to buy or sell stock, the recording of the person's voice could be considered an electronic signature. Digital signatures and images of handwritten signatures also constitute electronic signatures. A handwritten signature signals intent to agree with the terms of a document, and it authenticates - at least in theory - the identity of the signer. Handwritten signatures don't have an exact parallel online. In the electronic world, a person may end up doing the same things in a different way. The authentication may be done up front and the signal of intent may be given later. Authentication, the act of making sure that signers are who they say they are, can be handled online in several ways. A signer can use a digital certificate or smart card, take a fingerprint or retina scan, or answer additional questions regarding personal identification. A signal of intent may be created online by clicking an "I accept" button, by signing one's name on an electronic signature pad or by appending a signature image to a document.
Hence, the foregoing definition of electronic signature within most national legislation is a generic, technology-neutral definition, which recognizes that there are many different methods by which a person can sign an electronic record. In all cases, electronic signatures are represented digitally, but they can take many forms, and can be created by many different technologies. Examples of electronic signatures include:
• A name typed at the end of an e-mail message by the sender;
• A digitized image of a handwritten signature that is attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics);
• A secret code, password, or PIN to identify the sender to the recipient (such as that used with phone cards and credit cards);
• A unique biometrics-based identifier, such as a fingerprint, voice print, or a retinal scan;
• A mouse click (such as on an "I accept" button);
• A sound (or voice) intended to express agreement;
• A digital signature (created through the use of public key cryptography).

There are other ways of signing an electronic document, and presumably many more will be developed in the future. However, all forms of electronic signature must satisfy three requirements:
• there must be a digitally mediated symbol or process,
• the digitally mediated symbol or process must be logically associated with an electronic record, and
• the digitally mediated symbol or process must be made with the intent of a person (a signer) to sign the electronic record.


Forms of Electronic Signature Technology

In an E-Business environment and networked economy, authentication and identification of parties are vital elements of functionality, operability and security. We should also underline the distinction between authentication and identification.
Authentication refers to the verification of a claimed identity. In other words, the user wishes to log on to a network or service, or undertake an online transaction, and claims to be a certain person. The authentication process seeks to verify this claim via the provision of a characteristic (PIN/password/token/biometrics or other information), or multiple characteristics, known to be associated with the claimed identity. There is therefore a one-to-one matching process involved, as the characteristic in question is matched against the reference associated with the claimed identity, according to predefined threshold criteria in the case of biometrics.
Identification seeks to identify a user from within a population of possible users, according to a characteristic, or multiple characteristics, that can be reliably associated with a particular individual, without an identity being explicitly claimed by the user. There is therefore a one-to-many matching process involved against a database of relevant data. We should perhaps make a further distinction between identifying an individual from within a known population using relevant characteristics (PIN/password/token/biometrics, etc.) and seeking to identify an individual via connectivity address information. In the latter case, we may correctly identify an address and the name that is registered in association with it, but that does not necessarily guarantee that the same individual undertook a specific transaction (unless robust biometrics have been used across multiple processes).
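The one-to-one and one-to-many matching just described, as an added example that is not part of the chapter: a constructed enrolment database of feature vectors, a plain Euclidean distance standing in for a real biometric matcher, and a constructed threshold. Authenticate compares the sample only against the claimed identity's reference; Identify compares it against everyone and refuses an ambiguous result (two references within the threshold), which is a design choice made here for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Template is a constructed stand-in for a stored biometric reference:
// a small feature vector enrolled for one user.
type Template struct {
	UserID   string
	Features []float64
}

// distance is a plain Euclidean distance; real matchers are far richer,
// the threshold logic is the point of this example.
func distance(a, b []float64) float64 {
	sum := 0.0
	for i := range a {
		d := a[i] - b[i]
		sum += d * d
	}
	return math.Sqrt(sum)
}

// Authenticate is the one-to-one case: an identity is claimed, and the
// sample is compared only against that identity's reference under a threshold.
func Authenticate(db []Template, claimedID string, sample []float64, threshold float64) bool {
	for _, t := range db {
		if t.UserID == claimedID {
			return distance(t.Features, sample) <= threshold
		}
	}
	return false // unknown claimed identity: nothing to match against
}

// Identify is the one-to-many case: no identity is claimed, so the sample is
// compared against every enrolled reference. It returns the single reference
// within the threshold, or "" when none or more than one matches (ambiguous).
func Identify(db []Template, sample []float64, threshold float64) string {
	bestID, bestDist, hits := "", math.Inf(1), 0
	for _, t := range db {
		d := distance(t.Features, sample)
		if d <= threshold {
			hits++
			if d < bestDist {
				bestID, bestDist = t.UserID, d
			}
		}
	}
	if hits != 1 {
		return ""
	}
	return bestID
}

// ConstructedDB returns a constructed enrolment database for the example.
func ConstructedDB() []Template {
	return []Template{
		{"alice", []float64{1.0, 2.0, 3.0}},
		{"bob", []float64{4.0, 4.0, 4.0}},
		{"carol", []float64{4.2, 4.1, 4.0}}, // close to bob: the ambiguity case
	}
}

func main() {
	db := ConstructedDB()
	sample := []float64{1.1, 2.0, 2.9} // constructed probe close to alice
	fmt.Println("authenticate as alice:", Authenticate(db, "alice", sample, 0.5))
	fmt.Println("authenticate as bob:", Authenticate(db, "bob", sample, 0.5))
	fmt.Println("identify:", Identify(db, sample, 0.5))
	fmt.Println("identify near bob/carol:", Identify(db, []float64{4.1, 4.05, 4.0}, 0.5))
}
```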
While the rapid development of new information technologies has improved the ease of access and use of digital information, it has also led to fears that consumer protection, intellectual property rights, privacy and related issues could be eroded by the illegal copying and redistribution of digital media. Mechanisms to protect digital content are seen as a necessary step towards the creation of a global business and commercial information infrastructure. While equipment capable of copying digital content exists in any E-Business environment, some electronic signature technologies are emerging to provide organizations with the desired degree of protection, and to act as a disincentive to information piracy. These technologies relate to:

• Watermarking: A technique for embedding hidden data that attaches copyright protection information to a digital object and provides an indication of ownership of the object signed by the watermark.
• Fingerprinting: A technique that identifies the recipient of a digital object and its owner, and acts as a deterrent to illegal redistribution by enabling the owner of the digital object to identify the original user of the redistributed copy.


E-Business users are not confident enough in the security of online systems to believe that a hacker can't break in and steal credentials there. Password lists and credit card lists are stolen regularly from online servers and can just as easily be lifted from unsuspecting users' machines by malicious software. For instance, the "Love Bug" virus was designed to collect user credentials and mail them out. So shared secret systems, including passwords and biometrics, are inappropriate for use directly as electronic signatures, but we will find that they still have an important indirect role. What we need are credentials that don't have to be given away to prove an identity or to create a verifiable electronic signature. Fortunately, proven technology that solves these problems is available through the Public Key Infrastructure environment.


Public Key Infrastructure

Security is always a concern with any electronic signature technology. An electronic signature based on asymmetric cryptography (digital signature) is considered superior to a handwritten signature in that it attests to the contents of a message as well as to the identity of the signer. As long as a secure hash function is used, there is almost no chance of taking someone's signature from one document and attaching it to another, or of altering a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail. Thus, public key authentication allows people to check the integrity of signed documents. If a signature verification fails, however, it will generally be difficult to determine whether there was an attempted forgery or simply a transmission error.
Within a Public Key Infrastructure technology environment, an electronic signature is accompanied by the term digital signature - a data item that vouches for the origin and integrity of a document or message (Forno & Feinbloom, 2001). A digital signature is a mechanism employed within a Public Key Cryptosystem that enables the originator of a digital object to generate a signature using encipherment in order to provide the recipient with proof of the authenticity of the digital object's originator (author).
Public Key Infrastructure uses a digital signature as one type of electronic signature. It is made by asymmetric encryption in order to authenticate the contents of a document, secure its integrity and confidentiality, and attribute it to a particular signatory. When a digital signature is used by Public Key Infrastructure, the document is finalized, encrypted using a private key, and then sealed by attaching a numerical hash file reflecting the contents of the document. Any changes in the document result in a numerical hash file that does not match that of the original document.

Figure 1. View of the digital certificate




Within Public Key Infrastructure, the encrypted document is usually transferred through a third party known as a Certification Authority. The Certification Authority may assist in encrypting the document and in creating the numerical hash file, as well as authenticate the identities of one or more of the parties through the digital certificate, keep a record of the digitally signed document's unique numerical hash file, and maintain the public key that permits decryption of the document. Taken together, this multistep process constitutes the digital signature.
A digital certificate can be issued by the organization initiating the approval process or by a Certification Authority. A certificate usually contains the holder's name, a serial number, expiration dates, a private key that signs documents and messages through encryption, and a public key that the recipient uses to decrypt the message. Cryptography binds the digital signature to a document. If someone changes the terms and conditions or prices in that electronic document, the signature will become invalid.
Although digital signatures and the assistance of Certification Authorities can be costly, they provide worthwhile safeguards against electronic document tampering, deception, fraud, and unwanted disclosure, particularly when the stakes are high. Most people consider digital signatures to be the most robust technology available. But the strength
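The hash-then-sign digital signature and the certificate that binds a holder's name, serial number and expiry to a public key, as an added example that is not the chapter's own code. It uses ECDSA over P-256 with SHA-256 (one of several algorithm choices, assumed here), signs a constructed order document, shows that changing one price digit breaks verification, and issues a self-signed certificate in place of one from a Certification Authority. The verifier needs only the certificate and its public key; the private key never leaves the signer, which is the "credential that does not have to be given away" the preceding section asks for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignDocument is the hash-then-sign step: the document is reduced to a
// SHA-256 digest (its "numerical hash") and only that digest is signed.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest from the copy the recipient holds and
// checks the signature with the signer's public key. Any change to the document
// yields a different digest and the check fails; a failure cannot by itself
// distinguish forgery from transmission damage.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// IssueSelfSignedCert builds a minimal certificate for the key holder with the
// fields the chapter lists (name, serial number, validity, public key). A real
// Certification Authority would sign it with the CA key; constructed values.
func IssueSelfSignedCert(priv *ecdsa.PrivateKey, holder string, serial int64) ([]byte, error) {
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
}

// VerifyWithCert is the recipient's side: parse the certificate, take the
// holder name and public key from it, and verify the document signature.
// Only public material is needed here; the certificate carries no private key.
func VerifyWithCert(certDER, doc, sig []byte) (string, bool, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", false, err
	}
	pub, isEC := cert.PublicKey.(*ecdsa.PublicKey)
	if !isEC {
		return cert.Subject.CommonName, false, fmt.Errorf("unexpected key type in certificate")
	}
	return cert.Subject.CommonName, VerifyDocument(pub, doc, sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	doc := []byte("Order 4711: 100 units at 9.99 EUR each") // constructed document
	sig, _ := SignDocument(priv, doc)
	certDER, _ := IssueSelfSignedCert(priv, "Example Signer", 1001)

	holder, ok, _ := VerifyWithCert(certDER, doc, sig)
	fmt.Printf("signed by %q, valid: %v\n", holder, ok)

	tampered := []byte("Order 4711: 100 units at 0.99 EUR each") // one digit changed
	_, ok, _ = VerifyWithCert(certDER, tampered, sig)
	fmt.Println("tampered document valid:", ok)
}
```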
