The European Directive of December 13, 1999[1] on electronic signatures has now been fully implemented in France. To this end, two decrees have been adopted which supplement the law of March 13, 2000 (amending article 1316 of the French Civil Code and adding articles 1316-1 to 1316-4)[2].
The Directive has been implemented as follows: the law of March 13, 2000 treats an electronic signature produced by a reliable process as equivalent to a handwritten signature, and grants electronic documents the same probative value as paper documents. This law is an important step towards the development of e-commerce in France and within the European Union: parties will no longer need to conclude a prior agreement on how evidence is to be administered in order to rely on electronic documents.
The decree of March 30, 2001[3] provides that a signature process is presumed reliable if the signature is created with a secure signature-creation device and rests on a qualified electronic signature certificate. Chapter one of the decree defines what a secure device is. The decree of April 18, 2002[4] details the accreditation scheme for certification service providers and has been supplemented by a ministerial order ("arrêté") of May 31, 2002[5].
This article examines, under French law, the conditions in which a signature is presumed reliable, and details the accreditation scheme for the certification service providers ("CSPs") whose responsibility it is to issue the qualified certificate. It also looks at how the free movement of electronic signatures applies within the E.U. and with respect to non-Member States.
A brief technical
outline of electronic signatures
An electronic signature results from the association of three elements: a document, a cryptographic signing technique and a certificate. The cryptography and the certificate are what allow the author to be identified and the authenticity of the document to be guaranteed. The process rests on a public key infrastructure ("PKI"), which is based on a pair of keys: a "private" key, which is never disclosed, and a public key, which may be published, for instance in directories maintained by service providers.
Creating an electronic signature consists of the signatory computing a digest (a fixed-length fingerprint, or "empreinte") of the document or communication and encrypting that digest with his private key; the private key is applied to the digest, not to the whole document. The recipient then decrypts the signature with the signatory's public key to recover the digest the signatory computed.
On receipt of the document, the recipient can thus check the identity of the signatory, since only the holder of the private key could have produced a value that the public key decrypts. To check the integrity of the signed message or document, the recipient recomputes the digest with the same function and compares it with the one recovered from the signature. If the two are identical, the content of the document has not been altered since it was signed; if even one bit has changed, the digests differ. With ordinary PKI software this operation is fast and straightforward.
Nevertheless, a weak point remains in the security chain of the electronic signature: how can one be certain that the person sending the message is not using a third party's signature key, i.e. that the public key really belongs to the person it is claimed to belong to?
Indeed, only the physical presence of the signatory at the time the signature key is attributed gives optimal security, by establishing a link between the signature and the person it designates.
Within the framework of electronic signatures, an electronic "certificate" can be generated by a CSP and attached to the signature. The CSP's role is precisely to ensure and attest to the link between the signatory and the signature key. The CSP verifies the identity of the signatory, and those reviewing the certificate may rely on it unless it has been publicly revoked (which is why the recipient should also check the certificate's validity period and revocation status, not just the signature itself). If the certificate is incorrect, the CSP may be held liable for damages incurred by the recipient.
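As an added illustration (not part of the original article, and not describing any particular French product or CSP), the following Go program, using only the Go standard library, carries out the steps of the preceding paragraphs: the signatory hashes a document and signs the digest with his private key, the recipient recomputes the digest and verifies it with the public key taken from a certificate, and a certificate chain check rejects an impostor who certifies himself under the same name. The document text, the names "Example CSP Root" and "Jean Dupont", and the validity periods are constructed assumptions; ECDSA over P-256 with SHA-256 is one common choice of signing technique, not one the article or the decree prescribes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample document, not taken from the article.
var document = []byte("Sale contract: 1 000 EUR, delivery on June 15.")

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return key
}

// signDigest: the signatory hashes the document (SHA-256 "empreinte") and signs
// the digest with the private key; the key is never applied to the document itself.
func signDigest(priv *ecdsa.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	check(err)
	return sig
}

// verifyDigest: the recipient recomputes the digest with the same function and
// checks the signature against it; any change to doc changes the digest.
func verifyDigest(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// certTemplate builds a minimal certificate for the named subject (names and
// validity period are assumptions made for this example).
func certTemplate(serial int64, name string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"FR"}, CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
	}
}

// issueCert has the holder of issuerKey sign a certificate binding pub to the
// subject in template; for a self-signed root, parent is the template itself.
func issueCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// chainValid checks that leaf was issued by a CSP root the recipient trusts and is
// inside its validity period. Revocation (CRL/OCSP) is a separate check not done here.
func chainValid(leaf, trustedRoot *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// runScenario performs the recipient's checks and returns, in order: genuine signature
// verifies (true), one-bit change detected (true), signer's certificate chains to the
// trusted CSP (true), impostor's self-issued certificate under the same name chains (false).
func runScenario() (sigValid, tamperDetected, chainOK, rogueChainOK bool) {
	// The CSP's self-signed root certificate, which the recipient trusts.
	cspKey := newKey()
	cspTmpl := certTemplate(1, "Example CSP Root", true, x509.KeyUsageCertSign)
	cspCert := issueCert(cspTmpl, cspTmpl, &cspKey.PublicKey, cspKey)
	// The signatory: after checking his identity, the CSP certifies his public key.
	signerKey := newKey()
	signerTmpl := certTemplate(2, "Jean Dupont", false, x509.KeyUsageDigitalSignature)
	signerCert := issueCert(signerTmpl, cspCert, &signerKey.PublicKey, cspKey)
	sig := signDigest(signerKey, document)
	// The recipient takes the public key from the certificate, not from the sender.
	signerPub := signerCert.PublicKey.(*ecdsa.PublicKey)
	altered := append([]byte(nil), document...)
	altered[0] ^= 0x01 // flip one bit of the document
	// An impostor makes his own key and certifies it himself under the same name.
	rogueKey := newKey()
	rogueTmpl := certTemplate(3, "Jean Dupont", true, x509.KeyUsageCertSign)
	rogueCert := issueCert(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	return verifyDigest(signerPub, document, sig), !verifyDigest(signerPub, altered, sig),
		chainValid(signerCert, cspCert), chainValid(rogueCert, cspCert)
}

func main() {
	fmt.Println(runScenario())
}
```

Running the program prints `true true true false`. The impostor's signature would verify against his own public key, which is exactly the weak point the article describes; what defeats him is that his certificate was not issued by a CSP the recipient trusts, so the chain check fails. Note that `Verify` does not consult revocation lists, so the revocation check the article mentions has to be done separately.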
Conditions under
which an electronic signature is deemed reliable
Pursuant to the decree of March 30, 2001, an electronic signature is presumed reliable if it is created using a secure signature-creation device and rests on a "qualified certificate".
French law does not use the terms "advanced electronic signature" and "electronic signature" as used in the E.C. Directive on electronic signatures, but rather the term "secure". To be "secure", the electronic signature must be:
- uniquely linked to the signatory;
- created using means that the signatory can maintain under their sole control; and
- linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
The delivery
of qualified certificates by CSPs
According to the decree of March 30, 2001, a secure signature is one created with a certified signature-creation device (software or hardware). The validity of the signature rests on the involvement of an accredited CSP, i.e. one entitled to issue a "qualified certificate".
The recently adopted
Decree n°2002-535 of April 18, 2002 sets up the accreditation scheme
of the CSP as follows:
A company manufacturing "signature creation devices" (configured software or hardware used to implement the signature creation data, i.e. unique data such as codes or private cryptographic keys which the signatory uses to create an electronic signature) files an "Evaluation Form" with the Service Central de la Sécurité des Systèmes d'Information (hereinafter "SCSSI"). The evaluation form details the trustworthiness of the system and describes all relevant information regarding its standard of security.
A file should also
be completed with one or more "Centre d'Evaluation" (or "Evaluation
Centres").
At the end of the evaluation procedure, each Evaluation Centre validates and submits its evaluation report to the SCSSI. The SCSSI must then draft a certification report within one month of receiving the evaluation reports; this report determines whether security certification is granted or not. The certification report, which can either remain confidential or be made public according to the instructions of the company seeking certification, is delivered by the Prime Minister.
The Evaluation Centres described above are accredited according to the following procedure:
- the accreditation application is filed with the SCSSI;
- the accreditation is then granted by the French Prime Minister with the approval of the Comité Directeur de la Certification (hereinafter the "Certification Committee"), composed of members of each ministry;
- once granted, the accreditation is valid for a period of two years.
Internal (E.U.)
market principles
Under the free movement of electronic signatures provided for in the Directive, certificates issued by authorities of other Member States under similar procedures have the same legal effect as certificates issued under the present procedure.
Regarding non-Member States, the SCSSI can, with the prior approval of the Certification Committee, sign mutual recognition agreements with comparable public authorities of non-Member States. These agreements may provide that certificates issued under a similar procedure have the same legal effect.
Conclusion
Certain ambiguities nevertheless remain. Specifically, how to resolve the problem of homonyms in the certificates attesting to the identity of the signatory, i.e. two different people whose names have exactly the same spelling: in electronic signature terms, how do you deal with two "John Smiths"?
Work begun by the Ministry of Justice on electronic signatures has faced opposition from the National Data Processing and Liberties Commission (CNIL), the French privacy authority, which is concerned about the possible threat to privacy that the use of electronic signatures could pose. It is particularly opposed to the use of an individual's social security number as a means of identifying signatories, and has questioned the compatibility of such a provision with the proper protection of personal data.
It is interesting to note that the current legal framework says nothing about the conditions under which the information collected by the CSP is to be stored.
The decree retains only one security process, consisting of certification by a third party. This certification involves limits and risks, as it turns a bilateral relationship into a three-sided one by incorporating a third party.
The extent of the CSP's liability is not clearly stated. This question is to be addressed in the new LSI (the draft Law on the Information Society) but has not yet been clarified. The proposed law refers to Article 6 of the Directive regarding liability. It would seem better to regulate the liability of CSPs by statute rather than merely by decree.
It should be remembered that the reliability of an electronic signature rests only on a presumption and can therefore be challenged. This is because the legal framework in this area is tied to technology in the broadest sense, and not to any specific electronic signature technology.
The major concern is of course interoperability: between the security processes themselves and between the software products used to implement them.
In conclusion, certain exceptions still exist where a handwritten document is required, so that each case must be assessed individually (for instance notarial deeds such as marriage contracts). However, under the new LSI, the validity of the electronic signature for all private agreements is affirmed under Article 1369-1.
A.M.
Notes
1. Directive 1999/93/EC of the European Parliament and of the Council of December 13, 1999 on a Community framework for electronic signatures.
2. Loi n° 2000-230 of March 13, 2000 adapting the law of evidence to information technologies and relating to electronic signatures.
3. Décret n° 2001-272 of March 30, 2001 implementing article 1316-4 of the Civil Code relating to electronic signatures.
4. Décret n° 2002-535 of April 18, 2002 on the evaluation and certification of the security offered by information technology products and systems.
5. Arrêté ministériel of May 31, 2002 on the recognition of the qualification of electronic certification service providers and on the accreditation of the bodies responsible for evaluation.