
HighTech Women & Business

Data Security, PKI, Electronic Signatures in the UK
by Kamini Bharvada, Hobson Audley

 


 

You may be wondering how Public Key Infrastructure (PKI) and Electronic Signatures can be linked to the recent terrorist attacks. The common factor is security and although this was already an important aspect in the growth of PKI, the recent attacks will almost certainly lead to an acceleration of both legislation about data security and the adoption of that security by commerce and government.

 

Lack of security in commerce has always been cited as a major inhibitor for trading across the internet. For example, the results of the recent Information Security Breaches Survey revealed that 60% of organisations had suffered a security breach in the last 2 years; that only 37% of organisations had undertaken a risk assessment and that only 1 in 7 organisations had a formal information management security policy in place.

 

This level of vulnerability of businesses to fraud and security lapses had already been highlighted by the DTI but now will take on a new and even more serious significance.

 

Already the Data Protection Act 1998 requires appropriate technology and organisational measures to be taken by businesses against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage of such data.  Further, the Turnbull Report places a legal requirement on board directors to assess all risks to their company and to mitigate them.  Such risks can easily include the risk attributable to a lack of IT security.

 

But how can electronic signatures assist in providing such security?

 

Under existing English law, certain electronic signatures were already treated in the same way as handwritten signatures for many purposes, including the creation of contracts. The important point was to show that the parties intended to be bound by a contract. That evidence was usually provided by the contract being in writing and being signed by the parties to it. The key requirement is not ink on paper but the presence of a symbol (which can be anything from an "X" to a rubber stamp) coupled with the party's intention. For instance, a string of e-mails which does not include a traditional signature would not prevent a court from holding that there had been an intention to create legal relations.

 

A traditional handwritten signature provides evidence on three matters: authenticity (the signatory's identity), certainty (the signatory intended the signature to be his signature) and link (associating the signatory with the contents of a document). Electronic signatures can also perform these functions and show an intention to create legal relations. In order to regulate this area, the government recently passed the Electronic Communications Act, which now specifically admits electronic signatures and digital certificates as evidence in place of handwritten signatures.

 

The use of such signatures can also support security, as most types of electronic signature are created using cryptography. Cryptography is the art of secret writing and comprises the science of codes and ciphers, which can be used to conceal the contents of a message. Cryptography is at the heart of all modern security mechanisms and nowadays forms the basis of digital signatures.
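To make the three functions described above concrete, here is an added example (not part of the original article, and not code from Hobson Audley or HighTech Women) using the Go standard library's ECDSA implementation. The signatory hashes the document and signs the digest with a private key; a relying party checks the signature with the matching public key. The example shows that verification succeeds for the genuine document (authenticity and link), fails when a single figure in the contract is changed, and fails when the signature was made with someone else's key. The contract text and party names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a signatory's key pair. The private key stays with the
// signatory (on a smart card, for instance); the public key is what a
// relying party uses to check the signature, normally obtained from a
// digital certificate.
type Signer struct {
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair for one signatory.
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the verification key that would be published in a certificate.
func (s *Signer) Public() *ecdsa.PublicKey {
	return &s.priv.PublicKey
}

// Sign hashes the whole document and signs the digest, so the signature is
// bound to exactly these contents (the "link" function of a signature).
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify recomputes the digest and checks the signature against the claimed
// signatory's public key. It is true only if that key produced the signature
// (authenticity) and the document is unchanged since signing (integrity).
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo exercises the three cases a relying party cares about and reports
// whether each verified: the genuine signature over the original document,
// the same signature presented over an altered document, and a signature
// made with a different party's key over the original document.
func Demo() (genuine, altered, otherKey bool, err error) {
	alice, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}
	bob, err := NewSigner()
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample contract text; not from any real transaction.
	contract := []byte("Buyer agrees to purchase 100 units at GBP 5.00 each.")
	tampered := []byte("Buyer agrees to purchase 100 units at GBP 0.50 each.")

	sig, err := alice.Sign(contract)
	if err != nil {
		return false, false, false, err
	}
	bobSig, err := bob.Sign(contract)
	if err != nil {
		return false, false, false, err
	}

	genuine = Verify(alice.Public(), contract, sig)     // true
	altered = Verify(alice.Public(), tampered, sig)     // false: contents changed
	otherKey = Verify(alice.Public(), contract, bobSig) // false: not Alice's key
	return genuine, altered, otherKey, nil
}

func main() {
	genuine, altered, otherKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v otherKey=%v\n", genuine, altered, otherKey)
}
```

Note what the cryptography does and does not establish: the verifier learns that whoever held the private key signed exactly this text, which covers authenticity and link. Certainty, the signatory's intention, is inferred from the deliberate act of using the private key, which is why protecting that key (for example on a smart card) matters so much to the legal value of the signature.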

 

Further, in order to increase certainty and trust, digital signatures can be backed up by digital certificates issued by trusted service providers, for example the Royal Bank of Scotland and Trustis. Digital certificates are designed to give customers greater confidence to trade electronically as they provide electronic identification for use on the internet and act very much like a driving licence or company identity card.
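The certificate role described above can be shown with the Go standard library's X.509 package. This is an added example, not code from the article or from any of the providers it names: a hypothetical trusted service provider issues a customer certificate from its self-signed root, and a relying party accepts only certificates that chain to that root. A look-alike certificate carrying the same customer name but signed with its own key is rejected, which is exactly the "identity card" function: the name alone proves nothing without a trusted issuer behind it. All names and validity periods are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate from template, signed by signer on behalf of
// parent. Passing the template as its own parent yields a self-signed cert.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain produces a self-signed root for a hypothetical trusted service
// provider, a customer certificate issued by that root, and a look-alike
// customer certificate that is merely self-signed. Names are constructed.
func BuildChain() (root, customer, lookalike *x509.Certificate, err error) {
	now := time.Now()
	subject := pkix.Name{CommonName: "Jane Example", Organization: []string{"Example Trading Ltd"}}

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trust Services Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if root, err = newCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}

	// Customer certificate: the provider vouches for the binding between the
	// name and the public key by signing it with the root key.
	customerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	customerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      subject,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if customer, err = newCert(customerTmpl, root, &customerKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}

	// Look-alike: identical subject name, but nobody trusted has signed it.
	lookalikeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	lookalikeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      subject,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	lookalike, err = newCert(lookalikeTmpl, lookalikeTmpl, &lookalikeKey.PublicKey, lookalikeKey)
	return root, customer, lookalike, err
}

// TrustedBy reports whether cert chains to the given root within its validity
// period. Any extended key usage is accepted so the check is about the issuer.
func TrustedBy(root, cert *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	root, customer, lookalike, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued customer trusted: %v\n", TrustedBy(root, customer))
	fmt.Printf("self-signed look-alike trusted: %v\n", TrustedBy(root, lookalike))
}
```

In practice a relying party would also consult the provider's certificate policy and revocation information, which is where the legal questions raised at the end of the article come in.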

 

However, there are other technologies which may be used to protect electronic transactions. One example is steganography which is the technique of hiding information in other data such as visual images, voice communication and music. It has been suggested that the terrorists that hit the World Trade Centre may have used some form of steganography to conceal secret communications via the internet. However, in commerce, steganography has yet to achieve the versatility of cryptography.

 

Another example is biometrics, whose use is set to increase in the coming years. Instead of using a password to identify yourself to a computer, biometrics uses unique physical or behavioural attributes such as your fingerprint, iris, voice or hand geometry to identify you.

 

Although there may be concerns about privacy in connection with the use of biometrics, there appears to be no legal obstacle to the use of anonymous biometrics, as this does not involve the use of personal data (as defined in the Data Protection Act). So, especially after the recent terrorist attacks, we are likely to see an increased use of anonymous biometrics such as fingerprint scans or facial recognition techniques in an effort to combat security breaches at airports, banks and other businesses.

 

In the commercial sphere, most leading banks have already experimented with biometrics for ATM machines as a way of combating credit card fraud. Biometrics can also be used to prevent unauthorised access to cellular phones, smartcards, computer networks and PCs. 

 

But how can biometrics be integrated with PKI? There is an argument that, for a PKI system to be totally reliable, a digital signature should be protected by biometrics. So perhaps, in the future, digital signatures on smart cards will not provide enough security on their own, and a signature will only be authorised if, for example, the owner's finger is also presented.

 

Finally, as there is now no general legal impediment to electronic commerce in the UK and as businesses start to embrace new technologies that provide secure methods of trading, a word of advice. Although different technologies may adequately tackle the issues of certainty, security, integrity and simplicity, companies should be concerned and take legal advice on whether certificate policies, privacy and security policies, practice statements and user contracts are legally enforceable in conjunction with PKI technologies.

 

Kamini Bharvada is a commercial/IT lawyer at Hobson Audley, specifically concentrating on security issues and electronic signatures in connection with the internet. She can be reached at kamini@itlawyers.com


 


© HighTech Women, Ltd. 2000-2004. All rights reserved.