BY LLOYD GALLAGHER, DIRECTOR/ARBITRATOR/MEDIATOR, GALLAGHER & CO CONSULTANTS LTD AND MEMBER OF ADLS’ TECHNOLOGY & LAW COMMITTEE
The increase of electronic transactions has driven the need for clear confirmation of engagement. From signing for courier deliveries to general form contracts, electronic signatures have become the normal practice for business. But are these legal? Can they properly bind parties? And who will be liable when things go wrong?
Under the common law, signatures have been recognised as a wide variety of marks or symbols, whether written, printed or stamped onto paper documents. While there are some documents (such as wills, affidavits, statutory declarations, negotiable instruments, bills of lading and certain medical certificates) that are excluded from using any form of electronic or digital signature (see the Schedule to the Electronic Transactions Act 2002 for full details), for many other general form contract and simple transactions, electronic and digital signatures are well-placed to be used. And, while many New Zealand statutes require signatures, there is currently no general statutory definition of a “signature” under New Zealand law.
This article will address some of the issues with electronic signatures, how they compare to digital signatures, issues around security and encryption, and with which party/parties liability may fall if things go wrong. Whether or not relief might be available under contract law, tort, breach of confidence or consumer law is also considered.
What is an “electronic signature”?
“Electronic signatures” and “digital signatures” are two terms that are commonly used to mean the same thing. Even within the security industry, marketing people often tend to use the two terms interchangeably. However, this is incorrect as they have very different meanings, so at the outset, let us clarify the distinctions between electronic signatures and digital signatures.
An “electronic signature” is any signature that is in electronic form, as opposed to paper-based ink signatures – for example, a scanned image of your ink signature, a mouse squiggle on a screen or a hand-signature created on a tablet using your finger or stylus, a signature at the bottom of your email, a typed name, a biometric hand-signature signed on a specialist signing hardware device, a video signature, a voice signature, a click in an “I Agree” checkbox, or any other form of electronic medium to indicate acceptance of an agreement.
The Electronic Transactions Act 2002 (ETA) is the key piece of legislation in New Zealand in this area. It is overarching legislation that applies to all aspects of private and public sector activity, not just to commercial activities. It enacts a general rule that dealings which legislation currently requires to take place on paper may also take place electronically if all the parties consent, unless the dealing is expressly excluded from the scope of the ETA (sections 14 and 16). It is drafted in a “technology neutral” manner, making it well placed to keep pace with rapidly changing technology.
Electronic signatures are defined within the ETA as meaning “in relation to information in electronic form … a method used to identify a person and to indicate that person’s approval of that information” (section 5). The list is potentially endless and the main point to remember is that an electronic signature is any “mark” made by the person to confirm their approval of the document or transaction. Section 22 stipulates that the legal requirement for a signature will be satisfied by an electronic signature if it:
(a) adequately identifies the signatory and the signatory’s approval of the relevant information;
(b) is as reliable as is appropriate given the purpose for which and the circumstances in which the signature is required; and
(c) in the case of a signature on information that is required to be given to a person, that person consents to receiving the electronic signature.
The benefits of this approach are that market-driven developments are not restricted, particular electronic signature technologies are not prescribed by regulation, and the legislation continues to apply whatever those developments turn out to be. The disadvantages are continuing uncertainty about how signatures are to be authenticated and the varying degrees of reliability required for different classes of transaction.
Section 24 sets out when an electronic signature is presumed to be as reliable as is appropriate for the purposes of sections 22 and 23: the means of creating the signature must be linked to the signatory and to no other person; it must have been under the control of the signatory and of no other person; any alteration to the signature made after the time of signing must be detectable; and, where the purpose of the signature requirement is to provide assurance as to the integrity of the information, any alteration made to that information after signing must also be detectable. Where there is a requirement that a signature or seal be witnessed, this is addressed in section 23, which provides that this can be met (apart from the exceptions set out in the Schedule) by a witness’s electronic signature if it complies with criteria mirroring those in section 22 and the person receiving the electronic signature has consented to receiving it in electronic form.
What is a “digital signature”?
A “digital signature” is a subset of electronic signatures, as it too is in electronic form. However, digital signatures go much further by providing security and trust services as part of the signing process. When a document is digitally signed, the signer’s software computes a cryptographic hash (a fixed-length fingerprint) of the document and signs that hash with a private key that only the signer holds; the signer’s identity is tied to that key, typically through a certificate issued by a trusted certification authority. Anyone holding the matching public key can then check that the signature was made with the signer’s key and that the document has not changed since it was signed, because any alteration to the document changes its hash and causes verification to fail. Digital signatures therefore authenticate the signer, detect modification in transit and give a basis for resisting repudiation. Accordingly, a digital signature can be considered an electronic signature, but an electronic signature cannot be considered a digital signature. This is an important distinction when issues of validity and repudiation come into play.
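To make those mechanics concrete, the following is a worked example added to this article; it is not the author’s code and is not taken from any signing product. It uses the Go standard library’s Ed25519 signature scheme, chosen for brevity (commercial signing services more commonly use RSA or ECDSA keys certified by a certification authority), and the contract text is constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is what a relying party receives: the document, the signer's
// public key (in practice carried in a certificate) and the signature.
type SignedDocument struct {
	Document  []byte
	PublicKey ed25519.PublicKey
	Signature []byte
}

// NewSigner generates an Ed25519 key pair. The private key is the "means of
// creating the signature" and must stay under the signatory's sole control.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign binds the signature to the document by signing its SHA-256 digest.
func Sign(priv ed25519.PrivateKey, doc []byte) SignedDocument {
	digest := sha256.Sum256(doc)
	return SignedDocument{
		Document:  doc,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify recomputes the digest of the document as received and checks the
// signature with the public key. It returns false if the document or the
// signature was altered, or if the signature was made with another key.
func Verify(sd SignedDocument) bool {
	digest := sha256.Sum256(sd.Document)
	return ed25519.Verify(sd.PublicKey, digest[:], sd.Signature)
}

// Demo reports whether a genuine signature verifies, whether an altered
// document still verifies, and whether a signature made with someone else's
// key passes as the original signer's.
func Demo() (genuine, alteredAccepted, wrongKeyAccepted bool, err error) {
	pub, priv, err := NewSigner()
	if err != nil {
		return
	}
	// Constructed sample contract text.
	contract := []byte("constructed sample: Buyer agrees to pay $1,000 on 1 March.")
	sd := Sign(priv, contract)
	genuine = Verify(sd)

	// The document is changed after signing; the old signature no longer matches.
	altered := sd
	altered.Document = []byte("constructed sample: Buyer agrees to pay $9,000 on 1 March.")
	alteredAccepted = Verify(altered)

	// An impostor signs with their own key but presents the real signer's public key.
	_, otherPriv, err := NewSigner()
	if err != nil {
		return
	}
	forged := Sign(otherPriv, contract)
	forged.PublicKey = pub
	wrongKeyAccepted = Verify(forged)
	return
}

func main() {
	g, a, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v, altered accepted: %v, wrong key accepted: %v\n", g, a, w)
}
```

Run with `go run`: the genuine signature verifies, while the document with the altered price and the signature made with another party’s key are both rejected. In ETA terms the private key is the means of creating the signature that is linked to, and under the control of, the signatory alone, and the failed verification of the altered document is what makes alteration detectable.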
Electronic vs digital – pros and cons
A number of useful guidelines on electronic signatures have begun to appear overseas (including in the UK) to assist counsel. One example can be found in the United Nations Model Law on Electronic Commerce, which has been used by our Law Commission in its examination of electronic signatures (see the “Further reading” section at the end of this article). The tables opposite provide a quick summary of the pros and cons for each signature type.
Security … and what happens when encryption fails?
In general, there are two layers in today’s encrypted digital transmission: the transmission itself (bits and bytes sent in packets and reassembled on receipt) and the encryption applied to those bits, by an algorithm, before they are sent. I say “today’s”, because the technology is moving so fast that new technologies may be present tomorrow.
To encrypt a communication, a party can use software or hardware that implements an algorithm. Algorithms are mathematical functions for converting plain text into cypher-text and back again. The communication, in binary form, and a key (which may be derived from a passphrase, but is itself a string of bits) are fed into the encryption algorithm, the software or hardware executes it and the result is an encrypted communication. The cypher-text depends on both inputs: encrypting the same communication with a different key, or a different communication with the same key, produces different cypher-text, and only a party holding the correct key can recover the plain text.
While strong cryptography is very powerful when it is done right, it is not a panacea. Focussing on cryptographic algorithms while ignoring other aspects of security is like defending your house, not by building a fence around it, but by putting an immense stake into the ground and hoping that the adversary runs right into it. Smart attackers will just go around the algorithms. There are many attack strategies that can be successful and attackers exploit errors in design, errors in implementation and errors in installation without mercy, potentially opening the way for liability.
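The following worked example, added here and not taken from the article or its sources, illustrates both halves of that warning in Go using the standard library’s AES-256-GCM, an authenticated cipher; the messages, keys and nonces are constructed for the demonstration. Used correctly, different keys yield unrelated cypher-text, the wrong key cannot decrypt, and a single altered byte is rejected. Used with an implementation error the algorithm does not save you: sealing two messages under the same key and nonce reuses the keystream, so an attacker XORs the two cypher-texts and, knowing one message, reads the other without ever touching the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps a 32-byte key in AES-256-GCM. The output carries a 16-byte
// authentication tag, so any alteration of the cypher-text is detected on
// decryption instead of silently yielding garbage plain text.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns cypher-text||tag for plaintext under key and a 12-byte nonce.
func Encrypt(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// Decrypt checks the tag and returns the plain text, or an error if the key
// is wrong or the cypher-text was modified.
func Decrypt(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CorrectUse shows the properties described above: the same message under
// two keys gives different cypher-text, the wrong key cannot decrypt, and a
// single flipped byte is rejected.
func CorrectUse() (differs, wrongKeyRejected, tamperRejected bool) {
	msg := []byte("constructed sample: the agreed price is 1000 dollars")
	k1, k2 := randomBytes(32), randomBytes(32)
	nonce := randomBytes(12)
	c1, _ := Encrypt(k1, nonce, msg)
	c2, _ := Encrypt(k2, nonce, msg)
	differs = !bytes.Equal(c1, c2)
	_, err := Decrypt(k2, nonce, c1)
	wrongKeyRejected = err != nil
	c1[0] ^= 0x01 // alteration in transit
	_, err = Decrypt(k1, nonce, c1)
	tamperRejected = err != nil
	return
}

// NonceReuse shows an implementation error defeating a sound algorithm:
// two messages sealed under the same key AND nonce share a keystream, so the
// XOR of the cypher-texts equals the XOR of the plain texts. An attacker who
// knows the first message recovers the second without the key.
func NonceReuse() (recovered []byte, leaked bool) {
	p1 := []byte("constructed sample: the agreed price is 1000 dollars")
	p2 := []byte("constructed sample: the agreed price is 9000 dollars")
	key, nonce := randomBytes(32), randomBytes(12)
	c1, _ := Encrypt(key, nonce, p1)
	c2, _ := Encrypt(key, nonce, p2)
	// Drop the 16-byte tags; what remains is plain text XOR keystream.
	body1, body2 := c1[:len(p1)], c2[:len(p2)]
	recovered = xorBytes(xorBytes(body1, body2), p1) // equals p2
	leaked = bytes.Equal(recovered, p2)
	return
}

func main() {
	d, w, t := CorrectUse()
	fmt.Printf("different keys differ: %v, wrong key rejected: %v, tamper rejected: %v\n", d, w, t)
	rec, leaked := NonceReuse()
	fmt.Printf("nonce reuse leaked second message: %v (%q)\n", leaked, rec)
}
```

The point for counsel is that the second function breaks nothing in AES or GCM; the failure is entirely in how the service was built, which is precisely the kind of design or implementation error that attracts liability rather than a weakness in the algorithm named in the contract.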
Dealing with multiple parties
Before dealing with possible liabilities, it is worth looking at the various parties usually associated with encryption processes. These may include:
- an encryption expert (who creates the encryption software);
- a security firm (employed to implement that software as part of a business security system);
- internet users (who may be expected to demonstrate certain levels of care in preserving confidentiality in internal and external transactions);
- the online service providers (who provide the facilities for transporting the encrypted information between parties); and
- the clients whose information or copyrightable material is the subject of the encryption process.
Issues in contract
Contracts affirm the right of parties to decide freely who bears the brunt of liability if the technology fails, subject to qualifications such as inequality of bargaining power and monopoly contracting. Ideally, counsel should address these issues during drafting, as problems are likely to arise where liability is left open, leading to time and money costs in resolving disputes. It is also important to carefully consider terms used, as providers in this area often have greater technical knowledge than counsel and clients. The provision of encryption services may be an express term of the online service provider’s contracts, and sometimes the service provider is simply a reseller and excludes liability to the third party or encryption expert. Encryption terms may also be open-ended and not address the standard of the encryption services. Accordingly, obtaining information from a technical professional or consultant is always good practice.
Determining whether a particular custom or usage is a term of a contract can also be difficult. It is suggested that counsel adopt the following good practice principles when reviewing a contract term:
- it must be so well known that the parties must have known of it and have intended it to form part of the contract (Woods v N J Ellingham & Co Ltd  1 NZLR 218; see also Black v Falconer  GLR 627);
- it must be certain (Woods v N J Ellingham & Co Ltd  1 NZLR 218);
- it must be reasonable (H F Moss Ltd v Andersen (1914) 33 NZLR 606);
- it must be proved by clear and convincing evidence (Woods v N J Ellingham & Co Ltd  1 NZLR 218); and
- it must not be contrary to an express term of the contract (Fairbanks, Lavender & Son v Low Bros (1893) 12 NZLR 302).
Despite good drafting, the courts may still imply terms for encryption standards as encryption technology develops and becomes more common. Courts may also begin to imply terms as to the standard of the technology where needed to give efficacy to the contract. However, service providers holding a passive role are unlikely to be held to such standards based on current approaches – to date, the courts have been reluctant to imply such terms simply to protect parties from a bad bargain. Furthermore, advances in encryption mean that any standard of acceptable technology will always be changing, making it difficult for a court to determine if a provider has fallen below such a standard.
If counsel is dealing with an existing contract which does not set out an encryption standard, all is not lost – courts may imply such a term if the party can show that the custom for the type of service provided includes the encryption service to a particular standard, or if the party alleging failure can show that such a standard is required to give efficacy to the contract. The latter route requires it to be shown that the failing party should have known that such a standard was necessary for the efficacy of the contract and that the contract would be ineffective without it, and that the standard is reasonable, equitable, obvious, not contradictory of any express term of the contract and capable of clear expression. This, however, is fraught with difficulties and counsel would be best to deal with such requirements within an express term.
Issues in tort
Where a service provider delivers encryption services of a poor or inferior nature that fail to encrypt adequately (“adequate” being subject to the defined terms of the contract or generally accepted standards), the tort of negligence may provide a remedy. It is well understood that the categories of negligence are never closed, but to bring an action home the alleging party will need to prove that the provider owes a duty of care to the plaintiff. This can be particularly difficult in the case of third party resellers and care should be taken to bring the action against the correct defendant. Consider: does an online service provider owe a duty of care to its customer to engage a reasonably skilled encryption expert? Does the encryption expert owe a duty of care to the online service provider to create an adequately secure system?
Situations falling outside a recognised duty of care may still come within the prescribed tests in Anns v Merton London Borough Council  AC 728. Based on the first limb of that test, it is possible for an online service provider of encrypted transmissions with a sufficiently proximate relationship to its customer to foresee that any failure in those services could cause its customer damage. If this can be shown, a court may conclude the provider does owe a prima facie duty of care (provided that encryption was an expectation of the arrangement). This would be in line with cases where persons in professions and trades have been held to owe a duty of care in providing services. Examples can be seen where workers operating machinery in the vicinity of electric cables that supply power to a factory have been held to owe a duty to exercise reasonable care to avoid damaging the electric cables and interrupting the power supply to the factory (SCM (United Kingdom) Ltd v W J Whittal and Son Ltd  1 QB 337). Similarly, the provider of the encryption technology and the security firm may also owe a duty of care to the online service provider.
However, while the law of negligence in New Zealand is wide enough to impose a duty of care on an encryption expert, a security firm or an online service provider, policy reasons may limit the boundaries of tortious liability and the class of persons to whom the duty is owed, including seriousness of harm (as encryption failure is likely to be purely financial, any duty of care may be reduced), opening of the floodgates, and the existence of other alternatives for self-protection. In addition, there are questions of what constitutes adequate encryption. As mentioned earlier, standards are constantly changing, making it hard for the law to keep pace. Counsel formulating a negligence claim will similarly need to consider engaging experts to assist in explaining existing standards.
Confidentiality poses a greater level of complexity when considering a claim for loss or harm. The Law Commission has acknowledged that the law for breach of confidence involving electronic transmission is uncertain in New Zealand. However, the Commission considers that a person who, without authority, intercepts a message containing confidential information may be subject to a duty of confidence.
The UK position illustrates that confidence cannot be maintained where the arena is public – see BBC Enterprises v Hi-Tech Xtravision  18 IPR 63. Here, the court held that the defendant’s conduct in decoding an encrypted BBC broadcast did not constitute a breach of confidence. The judge considered that if an author chooses to place a coded message in a public medium, he cannot complain if members of the public decode his message. The judge continued, “If the content, once decoded, does not qualify for protection on confidentiality grounds, the law of confidentiality is not, in my judgment, of any relevance.” If New Zealand courts follow BBC v Hi-Tech (which is not a binding authority here), a user of encryption is unlikely to succeed in a claim under breach of confidence.
To the author’s mind, difficulties arise with the UK approach as the internet, despite being a public place, has become the standard transmission mechanism for many day-to-day operations of government and businesses, and lower costs of internet connections mean that organisations place their trust in encryption methods. Perhaps that is the fallacy of the modern world, illustrating that where information requires enough security so as to be protected from interception, clients should be advised to use a dedicated form of connection rather than the internet.
Fair Trading Act 1986
An encryption expert, security firm or online service provider may be liable under several provisions of the Fair Trading Act 1986 (FTA) for misleading and deceptive conduct and false representations.
For example, if a person in trade markets his or her encryption services as being of a certain level of security, and the statement is not true, then that person may be liable under the FTA for misleading and deceptive conduct (section 9) and false representations (section 13).
Consumer Guarantees Act 1993
An online service provider may be liable for the guarantees found in the Consumer Guarantees Act 1993 (CGA). The courts have already accepted that computers fall within goods or services of a kind ordinarily acquired for personal, domestic or household use or consumption (CGA, section 2 – see Rask v Kelly (District Court, Dunedin, 941/96, 22 July 1997, Judge Everitt)).
As more and more consumers acquire computers and use encryption for their communications, encryption may also fall within the meaning of “services”. An online service provider, under the definition of “supplier”, may be liable for the guarantees in respect of services. Failure to provide adequate encryption services may constitute breaches of the guarantee as to reasonable care and skill and the guarantee as to fitness for particular purpose. These areas have yet to be considered by the court, but counsel should be aware of them nonetheless.
Digital signatures trump the rest, but take care …
As discussed above, the requirements for authentication and verification outlined in the ETA leave the general form of electronic signature somewhat lacking. A scanned image, typed name or mouse squiggle provides no path to authenticate the signer or the document, or to guarantee that the information is unaltered in transit: the mark can be copied and attached to any document, and nothing about it reveals that the document was changed after signing. Because such signatures are so easily compromised, they open clients to a range of potential liabilities that are better avoided.
Accordingly, digital signatures provide the only appropriate form for signing electronically that both conforms to the requirements of the ETA and is likely to be accepted by the courts.
Further reading
- Guidelines for counsel on the use of electronic signatures: 2016 Practice Note from the Law Society of England and Wales; see also Law Commission “Electronic Commerce Part One: A Guide for the Legal and Business Community” NZLC Report 50, 1998, page 7.
- Electronic Transactions Act 2002: Discussion Paper, Ministry of Economic Development, May 2000, at page 8.
- Encryption and algorithms: Smedinghoff, Online Law: The SPA’s Legal Guide to Doing Business on the Internet, Software Publisher’s Assoc, 1996, page 497; see also Schneier, Applied Cryptography: Protocols, Algorithms and Source Code in C, 2nd Edition, Wiley, New York, 1996, pages 223-225 and Bruce Schneier “Security Pitfalls in Cryptography” (1998) Counterpane Systems at 1.
- Encryption adequacy and standards: Lim “Liability Issues in Encryption Technology” (1998) 37 Computers & Law (Aus and NZ) 42, page 46.
- Confidentiality and breach of confidence: Law Commission “Electronic Commerce Part One: A Guide for the Legal and Business Community” NZLC Report 50, 1998, pages 3 and 61.