E-Signatures in the GC/E-Signature Terminology
Home |
Jurisdictions throughout the world have adopted laws and regulations that recognize the validity of electronic documents and electronic signatures. Some jurisdictions are very technology specific, others are much more general and technology neutral. In addition, the terms and definitions surrounding electronic signatures tend to differ from one jurisdiction to another and this can lead to some degree of confusion. A more thorough examination of the terms and definitions used in other jurisdictions is provided in Annex A of the Government of Canada Guidance on using Electronic Signatures.
At the Canadian federal government level, the terms electronic signature, digital signature and secure electronic signature are all present in Government of Canada (GC) legislation. The purpose of this post is to help clarify these terms so that they can be used consistently throughout the GC. This post is primarily based on the Government of Canada Guidance on using Electronic Signatures but provides a more condensed tutorial on the terminology.
Part 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA) defines an electronic signature as follows:
“a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document.”
Essentially, an electronic signature (also denoted as “e signature” for short ) can be virtually any form of electronic representation that can be linked or attached to an electronic document or transaction. Although not intended to represent an exhaustive list, examples of e-signatures include:
- user authentication combined with a mouse click on some form of acknowledgment button to capture intent (i.e., “click to sign”)
- using a stylus on a tablet touchscreen to write a signature by hand and capture it in electronic form
- a typed name or signature block in an email
- a scanned hand-written signature on an electronic document
- a sound such as a recorded voice command (for example, a verbal confirmation in response to a question)
- a digital signature
- a secure electronic signature
Notice that both digital signatures and secure electronic signatures are considered to be a form of an e-signature.
In the context of the GC the earliest definitions for digital signature date back over two decades with the introduction of the Payments and Settlements Requisitioning Regulation and the Electronic Payments Regulation. Both regulations define a digital signature exactly the same as follows: “the result of the transformation of a message by means of a cryptosystem using keys such that a person having the initial message can determine:
- whether the transformation was created using the key that corresponds to the signer’s key, and
- whether the message has been altered since the transformation was made.”
The Canadian Centre for Cyber Security also provides a definition for digital signature in ITSP.40.111: “a cryptographic transformation of data which provides the service of authentication, data integrity, and signer non-repudiation.”
In essence, a digital signature is a type of e-signature based on asymmetric cryptography. The signer of the message, document or transaction uses their private signing key to create a digital signature and anyone with access to the signed data and the signer’s public key verification certificate can verify the digital signature
However, not all digital signatures are created equal and some are more reliable or robust than others. For example, the manner in which a signer’s identity is verified before issuing their public key verification certificate, the type of token used to store the signer’s private signing key, the trustworthiness of the Certification Authority (CA) that issues the public key verification certificate and the digital signature algorithm and key length (among other things) collectively determine the reliability of the digital signature.
This is where the term “secure electronic signature” comes in. A secure electronic signature is also a digital signature but with specific characteristics as defined in Part 2 of PIPEDA as follows:
- the electronic signature resulting from the use by a person of the technology or process is unique to the person;
- the use of the technology or process by a person to incorporate, attach or associate the person’s electronic signature to an electronic document is under the sole control of the person;
- the technology or process can be used to identify the person using the technology or process; and
- the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.