1 In subclause 2(6) after the word "approval" insert the words "or otherwise". Note on amendment 1 Clause 2(6) is intended to prohibit the imposition of a "key escrow" requirement. It does so, but only in the case of a requirement imposed by "conditions contained in an approval". This appears to leave open the possibility, presumably unintentional, that the requirement might be imposed in some other way. The amendment, which is purely technical, is designed to preclude this possibility. 2 In subclause 7(3)(b), after the word "signature" delete the word "or". 3 In subclause 7(3)(c), after the word "signature" insert the word "or". 4 After 7(3)(c) insert a new subclause as follows: "(d) data logically associated with the means of producing the signature for use in a procedure to be applied to the signature," Note on amendments 2 to 4 A certifier may certify a public signature verification key as belonging to a particular person. That is arguably the most typical case. Without the proposed amendments, clause 7(3) would fail to treat a signature verified with such a key as having been certified, because neither (a) the signature nor (b) the private key used to make the signature nor (c) any verification procedure has been certified. Subclause (d) would remedy this by including the public key amongst the items capable of legitimate certification. 5 After subclause 8(7) insert a new subclause as follows: "(8) No order under this section shall require an electronic signature to be certified by any person other than its maker unless (apart from this Act or any order made under it) a signature (not being an electronic signature) made for the same purpose is required to be notarised or otherwise authenticated by a person other than its maker. A requirement for a signature to be witnessed shall not be treated for this purpose as a requirement for it to be authenticated." Note on amendment 5 It is important for electronic commerce, and for dealings between citizen and government, and for the avoidance of reinforcing social exclusion, that electronic signatures are not subjected to unnecessary burdens or formalities which do not apply to ordinary signatures. Ordinary signatures are rarely required to be authenticated, even on such important forms as registrations of births or tax returns (passport applications are a rare exception). (Witnesses to a signature are not required to know the signatory and do not authenticate the signature, and this is made clear for the avoidance of misunderstanding.) Electronic signatures do not justify special treatment: just as an ordinary signature by an unknown person does not enable them to be identified, but enables a later signature to be recognised as coming from the same person, so an electronic signature can perform the identical function, and without any need for third party certification. Imposition by Government of unnecessary certification requirements is equivalent to introducing "voluntary" identity cards. The amendment would prevent the use of secondary powers to introduce new obstacles to the use of electronic signatures. 6 After subclause 8(8) insert new subclauses as follows: "(9) No order under this section shall make any provision inconsistent with the following provisions of this section. "(10) Unless otherwise agreed between the purported sender and the recipient of an electronic communication, the purported sender of the electronic communication is bound by that communication only if the communication was sent by the purported sender or with the authority of the purported sender. "(11) Unless otherwise agreed between the purported maker of an electronic signature and any person relying on it (or any person through or under whom the person relying on it claims), the purported maker of the electronic signature is bound by that signature only if the signature was made by the purported maker or with the authority of the purported maker. "(12) Subsections (10) and (11) are not intended to affect the operation of a law (whether written or unwritten) that makes provision for: (a) conduct engaged in by a person within the scope of the person's actual or apparent authority to be attributed to another person; or (b) a person to be bound by conduct engaged in by another person within the scope of the other person's actual or apparent authority." Note on amendment 6 This amendment follows corresponding provisions in the recently passed Australian Electronic Transactions Bill, which were recommended to the Attorney-General of the Commonwealth (of Australia) by the distinguished members of the Australian Electronic Commerce Experts Group. It ensures that unless users of electronic signatures explicitly agree otherwise between themselves, the normal rule applies, namely that whoever relies on a signature must prove it is genuine if it is disputed by the apparent maker. This rule protects someone whose signature key is stolen by hackers by clever technical means. Neither ordinary PCs nor any available smartcards are sufficiently secure to justify reversing this rule. Although new European Union standards are being proposed, the process is secretive and does not justify proper public confidence in the security of the resulting products. Until secure products are available and have gained public confidence through exposure to open and transparent expert scrutiny, there should be no power to subject users of electronic signatures to responsibility for stolen signature keys. Without this amendment, clause 8(4)(g) coupled with clause 8(5)(d) and (e) would enable such a power to be exercised. 7 Delete subsection 13(2) and insert the following in its place: "(2) Subsection (1) shall not prohibit the making of provision by an order under section 8 for- (a) treating an electronic communication as not having been made if the intended recipient is not in possession of a key for electronic data comprised in that communication and so notifies the sender within a reasonable time; or (b) imposing on a person who is under a duty to store and make available any data, and who stores it in any electronic form such that a key is required to gain access to the data or to make it intelligible, a duty to secure that the key is available when the data is required to be made available." Notes on amendment 7 The existing subclause 13(2)(a) enables an unnecessary key deposit requirement to be imposed where all that is necessary is for an unintelligible communication to be treated as if it had not been made (provided the recipient notifies the sender promptly that it is unintelligible). The amendment substitutes this more limited provision. The existing subclause 13(2)(b) is unnecessarily wide, and would enable a general requirement for either key escrow or key recovery facilities to be introduced. The amendment limits the duty to make a key available to the only relevant case (where it is almost certainly already implied by law), namely where the holder of the data is under a duty to hold a record and make it available. 8 In clause 15(2), delete "7,". Note on amendment 8 Clause 7, making electronic signatures admissible, should come into force immediately without being made dependant on the making of an order.
Return to the FIPR front page.
Last updated November 28, 1999.