A Book Review: Stephen Mason, Electronic Signatures in Law (3d Edition, Cambridge University Press, 2012)
One of the fascinations of electronic communications is how they make many traditional questions of law new again. What is the nature of consent? Can one make an agreement with a machine (a computer)? How permanently must information be recorded before it can be considered 'writing'? What is an original document? (Can one version of identical assemblies of bits usefully be called an original?) Where do instantaneous online transactions occur? And what is a signature?
Everybody knows that signatures are important. Children learn at an early age that signing something makes it special. We all sign a variety of documents with consequences: applications for school and work and money; agreements to buy, sell or lease; cheques and notes and promises to pay. Sometimes people are inclined to believe that if a document is not signed, it has no effect (and occasionally they are right.)
As a result, when electronic communications increasingly took over our day-to-day transactions, the question that arose most often was how to do an electronic signature. Statutes designed to remove barriers to all sorts of uses of e-communications, with names like 'Electronic Commerce Act' or 'Electronic Transactions Act', were commonly described as an 'electronic signature bill'.
After all, the process of signing electronically seemed different. It is easy enough to understand that what we produce at a typewriter and what we produces at a computer keyboard may both be forms of writing. The products look the same. The traditional signature, however, is produced by taking the paper out of the typewriter or off the printer and holding a pen to write our name. If all we have is a keyboard, how is that done?
When we began to look closely at electronic signatures, we tended to discover that our understanding of signatures was not as clear or deep as we might have thought. A lot was assumed because 'everybody knew' what a signature was. The law on signatures or the failure to sign was considered to be settled. Very little litigation was fought about signatures. E-signatures showed us, however, that there were more questions that we had thought, and that they were not all easy ones.
Stephen Mason, an English barrister and writer, has looked as closely at electronic signatures as anyone, and in this book he sets out his understanding of them. He starts quite properly by considering the legal status of signatures of any kind that are on paper. He deals with two issues in the lengthy opening chapter: the purposes of a signature and the forms that signatures have taken (which we may think of as the authentication methods that courts have been prepared to consider signatures.)
The author usefully sets out several functions of a signature, each with its own aspects. The primary function, he says, is to give evidence that the signatory (an individual or another legal entity) approves and adopts the content of the signed document, probably agreeing to be bound by it. However, several other functions are served as well, and it is useful to keep them in mind, since serving them may be achieved by different kinds or forms of signature. There is, he says, a secondary evidential function, such as authenticating the identity of the signatory, showing the person's attributes or office, demonstrating the time or completeness of the document, and so on. Such functions seem likely to be served by additional context for the signature, not the actual written name of the signatory on its own. Indeed the form of the signature on its own gives very little if any direction about the legal effect intended by it. That effect and that intention are shown by the context.
Another important function is what Mason calls the cautionary function, known to others as the ceremonial function: the act of signing draws the attention of the signatory to the legal effect being produced by it. It says, as it were, 'be aware that this is serious'. This function is sometimes said to be missing or underemphasized by some methods of electronic signing.
Mason mentions here but does not dwell on the legal grounds on which one can dispute the legal effect of a manuscript signature. The focus of the book is not on such traditional law but on what makes a signature a signature at all for legal purposes. He spends considerable time in the rest of the chapter in analyzing the elements of a signature – notably its existence, the identity of the signatory and the intent with which it was made – over several centuries of law, from 'pre-signatures' (seals, objects) through various forms of mark to printed letterheads and mechanically-signed cheques.
The analysis covers different forms of signature, different alleged defects in signatures, and different contexts in which disputes have arisen: wills, contracts, court records, and so on, under different legal regimes, including but not limited to the Statute of Frauds. It is clear that courts strive to find the intent of the signatory and the other parties to a transaction and frequently overcome apparent defects in signatures to do so – even, in some cases, in the complete absence of a signature!
Mason establishes that courts also have a long history of dealing with the evolution of technologies of communication. They have figured out how legal signatures can be created by telegraph, by telex, and even by telephone. Current commercial practices have been taken into account. Thus the challenge presented by electronic signatures is not unique but only the latest stage in this process. Most of the remainder of the book is spent considering legal responses – sometimes legislative, sometimes judicial – to this challenge, including analyzing several different ways in which e-signatures manifest themselves as e-communications continue to evolve.
It is worth noting that this book aims at a global coverage of e-signatures at law, not only at one jurisdiction or, for example, just the common law. It draws extensively on international sources and discusses cases from many countries and legal systems. Thus it is not surprising that Mason first turns to legislative responses to e-signatures at the international level. In general, that means the United Nations Commission on International Trade Law (UNCITRAL), which has led the development of e-commerce law in the world.
Mason discusses the two UNCITRAL model laws, on electronic commerce (1996) and on electronic signatures (2001) and the interplay between them. He explains UNCITRAL's functional equivalence principle – that an electronic process of creating communications is not the same as what happens on paper, but the legal requirements based on paper can be satisfied electronically. He spends some time on the reliability requirement – that an electronic signature must, to be considered a functional equivalent of a handwritten signature, be as reliable as appropriate in the circumstances. He notes the official UNCITRAL explanation of the factors that can support reliability.
Mason says, however, that 'the reliability of the method does not demonstrate a link between the owner of the electronic signature and the act of affixing the signature to a document in electronic form' (91). While there is little explanation of that point in this part of the text, he is probably drawing on two separate issues. First, there is a distinction between the fact of a signature (is the document signed?) and the origin of the signature (who signed it?). This distinction was generally not a problem in the UNCITRAL discussions for lawyers of common law training, but it was not generally admitted to be valid by civil lawyers. My own view is that some of the reliability factors do support the connection to the person, though if 'demonstrate' means 'prove conclusively', then the factors may fall short of that degree of certainty. UNCITRAL clearly intended that the analysis of reliability should apply to the identification function and to the link with the document.
The second issue raised by Mason's doubts about reliability is how a person intending to sign a document electronically knows that his or her command to the computer to sign, using whatever method, is actually applied to the right electronic document. Either computer malfunction or illicit intervention may divert the signature data elsewhere. Mason makes this point elsewhere in the book as well,though it is not clear that he ever provides a definitive solution for this problem. Again, it seems to me that some of the reliability factors would give comfort here, and some would not.
He makes the valid point that meeting the test (thus satisfying the legal requirement to have a signature) does not necessarily make the signed document enforceable. Other defences may be available, according to the law applicable to the document or transaction in question.
The main criticism of the reliability test, however, as Mason points out, is that it is applied after the fact by a court ruling on a disputed document. The intention of the parties to use the signing method does not guarantee the validity of the signature. This would allow an attack on a transaction based on the 'unreliability' of the signature, even if all parties to the transaction knew who had signed what, and if everyone's intentions were clear. An UNCITRAL commentary notes that this would not be a proper use of the test, but nothing in the model laws prevent it. Mason points out that the problem has been settled by provisions in UNCITRAL's Electronic Communications Convention (2005), which allowed a fact-based validation of the e-signing method.
He notes the effort of the International Chamber of Commerce in the 1990s to formulate a guide to e-signatures (General Usage for International Digitally Ensured Commerce – GUIDEC). He considers overstated the founding statements about the need for highly reliable authentication – perhaps a European failing, repeated in the EU Directive described below. He also attacks the GUIDEC commentary for conditioning reliable digital signatures on parties acting in good faith and without negligence, saying that if one can know independently of the signature method that the parties are so acting, one does not need the security allegedly provided by the high-tech methods required.
After his treatment of global initiatives, Mason narrows his focus to the European Union and the 1999 Directive on Electronic Signatures, along with some later activity. He explains the origins of the Directive, though he finds the statements of the need for detailed technical specifications exaggerated. He reviews the principles of 'advanced' and 'qualified' electronic signatures, which create a digital signature system supported by certificates. (Digital signatures are those that depend on cryptography and often on third-party certification of authenticity) He points out that some of the requirements are hard or impossible to satisfy in practice, notably that the signature creation data must be uniquely linked to the signatory, since a person has to count on keeping the data on a computer which could in principle be used by anyone. The rules also require that the signing device be under the sole control of the signatory. Such sole control may be effective in fact but is hard to prove in practice in the face of a denial. The Directive is undermined, in Mason's view, by the lack of attention to the security of the signatory's system. This should be 'of prime concern to anybody relying on a key pair'(130).
He gives an overview of criticisms of the Directive made in a 2003 review and notes that few businesses have taken up the use of qualified certificates or advanced e-signatures, unless their national laws have required it. He concludes by noting 'the overwhelming evidence that nobody seems to want to use them'(138).
The book then turns to the United Kingdom's laws, mainly the Electronic Communications Act of 2000. Since few provisions of UK law require a signature, if parties choose to sign, they may use any form of signature, including electronic, that serves their purposes. Courts have been willing to accept a variety of methods. The Act essentially confirms that principle. The Act also deals with the admissibility of e-signatures in evidence.
It is noted that the legislation does not amend the 'many thousands' of statutory and regulatory requirements that do or may require paper. It was not possible or, says Mason, desirable to deal with all of them by 'an overall catch-all clause' (though that is essentially what was done in Canada and the United States). Instead, the relevant ministers have been given broad authority to modify any rules as they see fit to authorize or facilitate e-communications. The book reviews how these very broad powers may be exercised and notes the potential for injustice, especially to smaller users of e-communications.
The author next looks at a selection of national laws from around the world, to show the approaches taken to e-signature legislation. Three such approaches appear: a prescriptive approach that requires the use of digital signatures, based on a 'false promise' of equivalence to manuscript signatures and 'incorrect assurances that digital signatures are secure'; a minimalist approach that does not prescribe any technology, though some countries have followed UNCITRAL in requiring that e-signatures be appropriately reliable; and a hybrid or two-tier approach that allows e-signatures at large for some purposes and requires digital signatures for others.
He reviews in some detail the legal presumptions that technology-specific legislation tends to contain: presumptions of integrity, of ownership of the signature creation data, and of signature itself, and the defences available to rebut the presumptions. From there he looks at the liability imposed on different parties by legislation, pointing out that the relying party is in a different position in principle from the signatory or the certification authority, and statutory treatment of this party varies as nations try to express that difference.
Having set out the legislative context in the first half of the book, Mason turns to principle for the second half. He starts with a discussion of the form of the signature. This chapter can be considered a parallel to the opening chapter on manuscript signatures. He reviews the functions of a signature, then turns to different manifestations of electronic methods to perform these functions and considers their fate in the courts. Thus he looks at, among other things, typing one's name in an electronic document, clicking 'I agree' or equivalent, using a PIN and password, relying on the header in an email as signature, attaching a scanned version of a handwritten signature, and using biodynamic e-signatures (by which direction, speed, weight and other characteristics of the signing motion are captured, for example on a signature pad.) He reviews many of these techniques in different contexts: wills, contracts, communications with public authorities, and others. It is fascinating to see the amount of law available for these instances.
Mason spends nearly 20 pages on the J Pereira Fernandes case (Pereira Fernandes (J) SA v Mehta,  EWHC 813 (Ch)), in which the English courts held that a header in an email did not satisfy the Statute of Frauds' requirement that a personal guarantee be supported by a signature. After analysing English and foreign law and foreign cases, he concludes that the case was wrongly decided. The issue he wrestles with is whether a header can show an intent to sign, as distinct from simply being a method of authentication. Is the knowledge that the header will be there, and reliance that the recipient of the communication will know the origin of the method because of it, enough to show intent to sign? Similar issues were noted in the first chapter about printed letterhead and the like. Not everyone will follow the author to the same conclusion, but he demonstrates beyond a doubt the intricacy of the analysis that is possible.
The reader may be left wondering whether it would be simpler just to provide a limited number of specific methods of e-signing, to exclude the need for such meticulous – and sometimes perhaps speculative – explication.. It is perhaps one of the aims of this book to show why the answer to that question should be No. The following chapter on digital signatures helps show why.
After a fairly rapid and somewhat sketchy description of what cryptography is and how it can work to create signatures, he lists the claims made for digital signatures and public key infrastructures (PKI) set up to support their use. According to Mason, a number of risks remain despite the claims for reliability. He describes basic principles of authentication, expanding on what has been said elsewhere in the book. He goes through how PKIs can work and what they should have in order to maximize credibility, including evidentiary issues (on which he is sceptical of a solution). He lists barriers to the use of PKI, including the lack of accepted standards (not for want of attempts at different levels to create them) and the resulting lack of interoperability of systems.
He concludes by analyzing what a digital signature is capable of doing (five lines) and what no e-signature can do (three pages). No e-signature system can show for sure, says Mason, that the person alleged to have sign actually did so. Further, the link between the signature actually created and the person is often very weak. Control of the computer used to sign often depends only on a password, and passwords are notoriously breakable. Even smart cards used for access are very vulnerable. Digital signature laws are inclined to 'solve' this problem by creating presumptions of attribution of signed documents to the owner of the devices that created the signature. This is inappropriate, according to Mason.
His discussion boils down to this. The owner of the signature creation device, or the person whose signature one wants to rely on, has little incentive to accept voluntarily the risks of liability just for having such a signing device. But the relying party in turn may have limited means of verifying the status of the purported signatory's security system. The intermediary body, or 'trusted third party', who acts to certify the identity of the signatory, may have little real assurance either. Getting to the right degree of assurance is very time-consuming and thus expensive, which can either price the certificate out of the market or lead to demands for legislation to relieve the certification authority from liability. We see again the difficulty of making such systems work in an open market (undistorted, or unassisted, by legislation.)
The following chapter is called Liability, a short chapter that summarizes the risks faced by the various parties who use electronic and for digital signatures. There is some overlap with previous discussions. The chapter says how liability can be incurred and the types of loss that can ensue. It does not deal with the work of UNCITRAL in its Model Law on Electronic Signatures, which sets out criteria for trustworthiness of a system and indicates, at a very high level, how parties might find themselves liable under national law. Nor does Mason's discussion deal with methods to shift the risks, by contract or legislation. (The chapter has been abbreviated in the latest edition, apparently.) Mason notes that governments have tended to pass over these topics in silence. The chapter concludes with a list of additional risks of digital signatures in particular.
The book then deals with questions of evidence, which makes sense, since as noted at the outset, the principal function of a signature is to provide evidence of a link between a person and a document. Much of this chapter deals with evidence in the context of digital signatures, such as the evidentiary value of a certificate. Mason deals with the claim of 'non-repudiation' – that a digital signature can prevent someone from later denying that he or she signed the document. Non-repudiation 'is a dangerous term', he says. If one could prove that the systems were really as good as they claim to be, then one could directly prove attribution of the signature and not do it indirectly by proving the reliability of the system. But proving this in practice is hard and thus repudiation will sometimes be possible.
This leads to questions of whether or how a digital signature system should be supported, and to renewed discussion of presumptions, this time from the point of view of allocation of the burden of proof. The work of UNCITRAL is considered in detail. Mason compares some of the rules to those about the use of signatures on rubber stamps, with a lengthy digression about the use of seals in Japanese law and practice. He does not mention the common – in some parts of the world – practice of banks to refuse acceptance of machine-generated signatures without an undertaking of the client not to dispute such signatures on the grounds of forgery. In other words, a contract allocates the risk to the client, which gains the convenience of the mechanical signatures. Evidence questions disappear.
Any presumption depends on proof of facts to support it, and proving facts about computers raises a number of issues beyond the scope of this book. Mason refers the reader at this point to his companion work on electronic evidence. (Electronic Evidence, 2nd ed., London: LexisNexis:Butterworths, 2010).
The book ends with a short chapter on data protection and privacy, setting out some of the organizations that have influenced the law on the topic and then describing the threats to privacy that exist with digital and other electronic signatures. It is more of a reminder that the issue exists than an examination of it in depth. The chapter closes with a couple of pages about a decision of the Privacy Commissioner of Canada on the privacy implications of requiring people to provide a biodynamic signature on a signing pad to take delivery of goods, rather than giving a signature on paper. The requirement was held to be unreasonable under Canadian law.
Neither the privacy chapter nor the book as a whole offers a general conclusion. Here is mine.
Mason gives a thorough overview of the law applicable to electronic signatures, but it is not a neutral one. He has strong opinions on how the law has been developing, with a clear preference for technology neutrality and for the reasoned extension of existing principles to the electronic world. The key differences between signatures on paper and the electronic kind are evidentiary rather than substantive: a signature has to perform similar functions whatever its medium, but demonstrating how an electronic signature was created and how it was linked to the text alleged to be signed presents new issues. He is particularly critical of the claims made for digital signatures and much of the legislation that provides for their use.
My own view is that he is very largely right in his views. Electronic signatures are not a conceptual problem in Canadian law – and my common law background may make me more sympathetic to him. Practical problems can be resolved over time, or by legislation that targets particular problems. As Mason notes in his preface, civil law countries tend to prefer to specify the technology and legislate the use of digital signatures – though the EU Directive allows any form of e-signature that the parties accept. So one finds much ado in legislation about arguably less than meets the eye.
While the analysis is thorough, expert and (in my opinion) correct, it must be said that the book is sometimes uncomfortable to read. It cries out for a strong editor to take unruly sentences in hand, to fill in faulty ellipses, to choose the right word. Repetition is doubtless inevitable when covering so many aspects of a complex topic. Nevertheless essential elements of the nature of a signature are discussed in several chapters in ways that make one wish that the whole topic had been covered at once. Perhaps the discussion of principles should have preceded the description of legislative regimes, to avoid the need to anticipate parts of the principled analysis to understand the legislation, then starting over in the general parts.
Several times the text says that an issue is discussed, or also discussed, elsewhere, but does not say where. Inserting cross-references after the text is completed would be helpful. The juxtaposition of topics within chapters is sometimes hard to understand as well, or less well flagged in the headings than it could be. Some digressions could use more explanation of their relevance.
That said, Mason's book remains a valuable source of learning about the nature of signatures and what the migration to electronic signatures means in law. He is a good guide to the legislation and the cases, and while his opinions provide a theme for the tour, he does not mislead or omit important landmarks. The international perspective gives an unusual depth to the analysis. One can understand why there has been a market for three editions of this comprehensive work.