Column

The Apostille Convention: Authentication in Action

Last August I reviewed basic principles of authentication, in general and as applied to electronic documents. In that context I mentioned The Hague Convention of 1961 Abolishing the Requirement of Legalisation for Foreign Public Documents, known as the Legalization Convention or the Apostille Convention. Since Canada is considering acceding to this Convention, this column will review some of the issues involved in that process and in particular the technological frontiers of authentication that The Hague Conference on Private International Law is exploring with respect to electronic apostilles.

Legalization

What is at stake in this discussion is the authentication of public documents for use in foreign countries. While the common law is flexible in what it accepts to authenticate such materials, other legal systems often are not. The traditional way to authenticate a foreign public document in non-common-law states was to have it ‘legalized’. This process starts in the country of origin, where a certificate from a national authority attests to the signature and if necessary the seal of the public official on the document. This certificate is then recognized and further certified in the country of origin by the consular officials of the country in which the document was to be used (the destination state). Then the document and its certificates are finally certified (legalized) by officials of the government of the destination state. At that point it can be sent on to the entity that will use the document. (The Hague Conference publishes a diagram showing the process, available here(page 2)).

 The result of this in Canada is that a person who wants to use a public document abroad has to have the signature on the document certified authentic by a government authority – either at the provincial level or at the Department of Foreign Affairs and International Trade , or both. DFAIT keeps a current file on the signatures of all sorts of public officials across the country, such as school principals, registrars, land title directors, and notaries, on which to base its certificates. Many provinces maintain similar services. Ontario’s is the Official Documents Service of the Ministry of Government Services. This certificate will be taken to the consulate or embassy of the country of destination, which – for a fee – certifies the Canadian governmental certificate. The document can then be sent to the foreign potential user, possibly passing through one more round of authentication in the destination country first.

This process was, and is for Canadians, time-consuming and possibly expensive, though DFAIT does not currently charge for its service. (It does take at least seven weeks to do the authentication, though. Its workload has increased dramatically in recent years.) There are commercial intermediaries that will see to the delivery to consulates and DFAIT, for a fee. Some Ottawa law firms also provide this service, again for a fee. Some countries use legalization as a serious source of income. People with a lot of documents, such as to support an international adoption, can see their fees mount up to have them legalized.

The Apostille Convention

The 1961 Convention, as it name implies, abolishes legalization among the states party to it and replaces this process with an authentication certificate known as an apostille. The apostille is applied by a “competent authority” in the country of origin. An apostille in proper form, as specified by the Convention, must be accepted in any state party, of which there are now over one hundred, including the main common law countries: the United Kingdom, the United States, Australia, New Zealand. The system is popular; several million apostilles are issued every year.

Authentication under the Convention relies on two elements: the appointment of trustworthy ‘competent authorities’ by the states of origin, and the creation of a register of apostilles issued. Different states appoint different competent authorities. Some have few and centralized authorities. Others have widely dispersed authorities. The United States has made clerks of federal courts competent authorities for judicial decisions. Sweden has made all its notaries competent authorities. In practice, no one checks up on the signatures of the competent authorities on the apostilles.

Each competent authority is bound to create a register or card index to record the number, date, signer and capacity of signer of each apostille issued. In principle the prospective user of an apostillized document in the destination state can check with the issuing register to confirm that an apostille was indeed issued for a particular document. In practice, just about no one ever checks, because doing so would involve time, expense and delay.

Notarial copies and the Convention

The Convention applies to the authentication of public documents. These are defined as court documents, administrative documents, notarial ‘acts’ (i.e. official documents attested by a notary), and official certificates attached to private documents (like confirmation of registration), but not documents issued by consular officials or administrative documents dealing directly with commercial or customs operations. A substantial number of public documents are those certified by notaries public, who make up their own category, as noted. Most of the work of Ontario’s Official Documents Service in this area is certifying the signatures and seals of Ontario notaries. 

Generally speaking, a notary who makes a notarial copy of a public document sees only the document presented by the client. The notary does not go behind the document to see if it is genuine. Putting an apostille, or for that matter a legalization certificate, on the notarial signature does not authenticate the underlying document. Nevertheless the addition of an official-looking certificate can give the air of authority to what may not be important, meaningful or even genuine.

The Convention does not expressly give the competent authority the right to look behind the signature on the public document. Some competent authorities take the view that if the signature on the document is verified, then the document itself is not their concern. Others will refuse to put an apostille on a document they think is a forgery, though no one would accept a duty to screen all documents against forgery. One European authority told me that if he ever had a document that he refused to put an apostille on because he did not think it was genuine, he would refer the case to a prosecutor.

A special meeting convened by The Hague Conference in 2009 expressly recommended that competent authorities add a disclaimer, ‘outside the box’ of the prescribed form of apostille, pointing out that the apostille certifies only the signature and capacity of the signer of the public document, and says nothing about the content of the underlying document. (Conclusions and Recommendations of the Special Commission of 2009, paragraph 85.) While this is understandable, even inevitable, it seems to be a serious limit to the usefulness of the Convention. On the other hand, the legalization process is no better guarantee of the underlying document, so one might as well prefer the simplicity of the Convention.

One area of concern under the Convention has been the treatment of educational diplomas. Not all institutions of higher learning are public; only diplomas of public institutions are subject to the Convention. However, some private – and some not terribly reputable – institutions encourage their students to have a notary make a certified true copy of their diplomas, which can then bear an apostille for the notarial signature. Such diploma mills hope to attract the credibility of the Convention for their non-public diplomas. 

The Hague Conference published a study of this issue in 2008. Some states refuse to issue apostilles for certified copies of diplomas. Others insist on a disclaimer of the kind mentioned above. “Such a warning is particularly apropos when the Apostille does not relate directly to the diploma” (as for example attaching to a notarial certificate, not to the original diploma). (2008 Study, Preliminary draft recommendations, paragraph 4.) The many legitimate uses of an authenticated diploma make the rooting-out of the valueless ones all the harder but all the more important.

Electronic apostilles

Although the Apostille Convention dates from 1961 and prescribes a form for the apostille, which must be signed, nothing expressly requires it to be in tangible form. The Hague Conference has been collaborating for several years with the National Notary Association (NNA) in the United States on the creation and use of an electronic apostille. The main advantage of such a creation would be to permit the international use of electronic public documents, since they could be authenticated for use abroad and readily communicated to the destination state. This could be done for a public document that was never printed, or for a scanned version of the electronic document (though the competent authority might well insist on seeing the original paper version, if there was one, before putting his or her apostille on an electronic version of it.) 

Another advantage of an electronic apostille (or e-app, as its principals call it) is the possibility of increased security. As mentioned above, no one really verifies the signature on apostilles on paper, or checks the register. The Hague Conference recommends issuing an e-app with a certified digital signature. To make this accessible to the member states of the Convention, many of which do not have sophisticated information technology at their disposal, the Conference recommends the digital signature capacity of Adobe’s Portable Document Format (PDF). Adobe’s PDF writer has offered for several years the capacity to sign a document digitally and hash the signed text so that the signature and the text cannot be separated without detection. Compare that to the printed apostilles attached to the authenticated document merely by staples. (Some countries use an embossed seal through the apostille and the underlying document; some use rivets. In short, the security of an apostille on paper varies.)

Though some concerns may be expressed about favouring a proprietary technology, given the lack of resources in many countries, using Adobe Acrobat to create an e-app does not cost more than buying the basic program simply to create documents in PDF. Further, there are other methods of producing a PDF, and those methods could be combined with a digital certificate regime to get to the same result. The Hague Conference recommended – in the Conclusions and Recommendations of the Sixth International Forum on the E-App in Spain in 2010 - that competent authorities should get their digital certificates from an independent source who verifies the identity of the certificate signers in person. (See paragraph 9) However, the Adobe program allows the person affixing the digital certificate essentially to authenticate him- or herself.

One of the challenges of producing an e-app is to know where it might be usable. Few countries to date have the capacity to create or to accept e-apps, particularly if acceptance is to mean verification of the digital signature. However, as we see from the Permanent Bureau of The Hague Conference, verification is not essential to operations. This becomes clear in the introductory presentation at the Second regional meeting of the e-APP for Europe project in May 2011, where the focus is on our next topic, the electronic register.

The electronic register

Though the Convention refers to card indexes as well as registers, the latter – media-neutral – term is now preferred for the official record of apostilles issued. The benefits of a register in electronic form are easy to understand: speed of creation, potential for automation, and perhaps most important, ease of access by anyone with an Internet connection. For the first time, verification of apostilles may become practicable.

The apostille number becomes a kind of unique identifier of the document, referring back to a secure database by which the issuance can be confirmed. A similar technique is used in Ontario for electronic certificates of corporate status from the Companies Branch, and for electronic writs of search and seizure in the Ontario Courts. Fraudulent use of an electronic document is discouraged when authentication becomes so easy.

The Hague Conference contemplates six different levels of verification in a register. (Second regional meeting of the e-APP for Europe project, May 27, 2011, slide 18, followed by examples from the registers’ websites) They range from a simple confirmation that the apostille referred to was issued, to a description of the underlying document, to a copy of the underlying document, to the validation of the digital signature on the document.

The Hague e-app web site lists the electronic registers. One can see the degree to which the different registers verify an apostille referred to them. The state of Colorado goes beyond these limits to a very comprehensive disclaimer that appears likely to remove much of the comfort from the verification process: 

Any result posted or generated by the Authentication verification search tool is made available for informational purposes only. The Colorado Secretary of State makes no warranty, expressed nor implied, regarding the accuracy, adequacy, completeness, legality, reliability or usefulness of any information so provided by the Authentication verification tool.

To prevent fishing expeditions and breaches of the privacy of people who have received apostilles, registrars insist that they be given the exact number and date of apostilles before confirming them. Further, states party to the Convention were encouraged (at the Sixth International Forum on the E-App in 2010, Conclusions and Recommendations, paragraph 5(a)) to issue apostilles with non-consecutive numbers. This way, someone asking about one apostille cannot readily guess the numbers of others to ask for.

The Hague Conference provides open-source software to support states party in creating an e-register, and instruction on how to use it. Several states have been able to use this resource, and in any event have preferred to ‘start’ with the e-register rather than the e-app itself. Links to the current e-registers are online.

The Canadian picture

Where is Canada in all this? Naturally enough there is a question of federal and provincial jurisdiction involved, though a spirit of cooperation prevails. The electronic age will permit a single competent authority to have a number of public outlets using a single data base. Even The Hague Conference suggests that several competent authorities in a country might share an e-register. (See the Sixth International Forum on the E-App in 2010, Conclusions and Recommendations, paragraph 5(d).) Adopting the Convention would also eliminate today’s frequent duplication of provincial and federal authentication; any single apostille will suffice under the Convention. 

Discussions continue about who will do the work and how. It seems likely that Canada would move to an e-register from the outset, but the challenges of the e-app may lead it to start with apostilles on paper. Most destination states still cannot deal with an electronic apostille, not just at the national level but in the institutions – educational, medical, or commercial – that rely on them. Just about everyone in the world can understand and make an inquiry of an electronic register, and an e-register can accept inquiries on paper too.

Many of the countries for which Canadians ask that documents be authenticated are not parties to the Convention, so legalization will continue for them. Having a single authentication system designed to support apostilles and legalization certificates is a tempting goal. The United Kingdom does it. Most do not. Such a duplicate system would present more challenges if it had to be electronic as well.

In practice, Canadian courts and institutions (including those in Quebec) tend to be flexible in authenticating foreign documents. No one appears to require legalization at present. The Convention prohibits any state party from requiring even the apostille if they have not previously demanded legalization. (Whether a private entity could require an apostille is a different question.) Apostilles in Canada are likely in practice to be restricted to outbound documents only.

Summing up

Over the years The Hague Conference has presented a number of international forums along with the NNA and others to discuss e-apps. A list of them appears on The Hague Conference web site. Currently as well, The Hague Conference is collaborating with the European Union to hold symposiums in different European countries about the e-app and e-register programs. Sessions have been held this year in Finland and the Czech Republic, and another is scheduled for Paris later in 2011. The materials for those held so far are online and are instructive in setting out the concerns and the solutions proposed for them from time to time.

As noted in the authentication article last summer, authentication involves the creation of trust. The challenge is to have the widespread apostille system go electronic while maintaining its half-century of trust. The e-register seems likely to become the guarantor of that result, while the users, the technologists and the lawyers wrestle with making the apostille itself electronic.

Retweet information »

Comments

  1. Hello John, I wanted to thank you for your very detailed and informative analysis of this issue. I understand that this all raises a number of nuanced policy issues, but I must say I’m struck by the fact that Canada, almost alone of OECD countries (other holdouts include Chile, Denmark and S. Korea), has not yet done away wit legalization. At a time when great efforts are being made to tear down _digital_ authentication-based boundaries to transborder data flows, Canada has yet to sign the Apostille Convention? This seems a basic step that should be taken as a starting point, before even turning to the question of e-authentication. I understand there may not be strong political will to remedy this, but I believe it is impacting on Canadians in negative ways and unnecessarily and I believe that impact is only increasing, not decreasing.

    Regarding e-authentication, I think this, too, would be a positive step, although I would advise caution with respect to what I see as a potential privacy concern arising from the e-registry (disclaimer: I work for an NGO with a focus on both e-commerce and privacy protection, so I sometimes tend to see privacy concerns even where the risks are minimal). My concern is that the operation of the e-registry brings with it the chance track the use of the ‘e-app’ (I suggest new nomenclature if this authentication aspires to greater respect than ‘angry birds’ on my iphone gets), and, more concerning, that this will be used for secondary purposes.

    Now, my understanding is that governments operating ‘brick&mortar’ registries are notified whenever a foreign entity checks in to verify the authenticity of an apostille that appears at their doorstep. Govs are able to track this, currently, so what’s the risk of going digital, you might ask.

    I would argue that going digital could pose a risk in four different ways. 1.) as you note in your comment, foreign entities currently rarely check the registries, but this is likely to change once verification can be done easily and electronically; 2.) Easy in also means easy out – since the registry will be electronic, it will be easily ping-able with search queries, etc., meaning that mining it for useful data will become far easier; 3.) principles protecting preventing law enforcement/intelligence from accessing information collected for other purposes seem out of fashion these days and are in rapid decline; and 4.) there’s a tendency (provincially, out west, and now there are federal rumblings) towards consolidating all Gov data in one, easy to use/store central location. I add that a centralized international registry does not appear inconceivable.

    In any case, concerns over increasing secondary uses of personal information by our gov (let alone other govs) is by no means a concern unique to e-apps and, perhaps, it is one that is more salient with respect to other forms of online interactions that may yield perhaps richer forms of data (although I can see the tracking of apostille use easily becoming a component of international terrorism investigations, particularly if their use becomes more commonplace). Still, including such explicit restrictions on secondary uses might be worth considering.

    In any case, just my thoughts. And I apologize for the lengthy ramblings.

  2. I should add — these concerns should not be a barrier to adoption per se. I think eventually most of this will be digital, so we may as well start figuring out how best to do this with appropriate safeguards in place, rather than putting it off.

  3. Someone who sends a query to a register about an apostille will have that apostille in hand. As noted in the article above, the Hague Conference urges that registers be set up to avoid random searches. The holder of the apostille will have it from someone who wants the holder to use the document to which the apostille is affixed in the interests of that person and thus who does not mind that the holder has his or her personal information in the document.

    In any event, checking the register will usually give only a yes or no answer: did you issue this apostille? Check the operation of the existing registers listed on the e-app web site mentioned above. No additional personal information will be disclosed.

    Could someone – a governmental authority, a sophisticated hacker – get access (‘lawful access’ or otherwise) to the entire register and see what apostilles had been issued to whom? Perhaps – but such access could occur with the paper-based registers that the Convention has always required of apostille issuers. The paper registers would be harder for the remote hacker to access, but no harder for a government agency with authority over the issuer/register owner to exercise.

    And even then, the register may be bare bones only, with no detail about the underlying document to which the apostille was attached. It would be minimally – if that – invasive of anyone’s privacy.

    I conclude that the threats to privacy from an electronic register are not worth worrying about.