ARTICLE: RETHINKING THE E-SIGNATURES DIRECTIVEsas-space.sas.ac.uk/5578/1/1951-2765-1-SM.pdf ·...

9© Pario Communications Limited, 2011 Digital Evidence and Electronic Signature Law Review, Vol 8

This paper aims to explore possible avenues forthe future development of the EuropeaneSignatures Directive, and more generally of acommon European legal framework for trustservices. It builds on the observation that theeSignature Directive has largely been unable tosupport an internal market for certification serviceproviders, i.e. entities that issue signaturecertificates or provide other services related toelectronic signatures.1 Part of the problem liesundoubtedly in non-legal factors, including thestill uncertain business case for certificationservice providers: is there sufficient marketinterest for citizens and businesses in spendingmoney on digital signatures, or do simpler, moreflexible and cheaper e-signature solutionssuffice? However, it is also clear that the Directiveitself is too ambiguous on crucial points, and doesnot consider the essential link between e-signatures and ancillary services. The currentreview of the Directive is an opportunity to remedythese problems.2

IntroductionIn recent years, e-signatures have enjoyed increasingattention at the European policy level. As such, this is

not surprising: both in the private and public sector,more and more sensitive transactions are conductedelectronically, increasing the need for mechanisms thatenable trust. E-signatures are a primary example of sucha tool, given their stated purpose of serving as amethod of authentication.3

Unfortunately, this increasing policy interest in e-signatures is largely caused by a relatively gloomyobservation: advanced e-signatures (known as digitalsignatures elsewhere) in the European Union andelsewhere function largely in the context of closedpublic key frameworks. As long as a signatory remainswithin that specific context – e-banking applications,national e-government services, professional documentmanagement systems – the policy frameworkestablished within that context provides clearly for anyproblems. But as soon as he attempts to use a digitalsignature outside of that policy framework, digitalsignatures are virtually unused.4 This is a fairlydisappointing and sobering conclusion for a technologythat was entrusted with the seemingly simple task ofreplacing the hand written signature. Hand writtensignatures are at best a moderately reliableauthentication tool, whose value stems mainly from thefact that people have been used to them for a long time,rather than from any objective security characteristics.And yet, modern technology has failed to come up witha similarly simple, flexible and universally acceptedelectronic equivalent.

To some extent, this observation is a matter of

By Hans Graux

1 As defined in Article 2.12 of Directive 1999/93/ECof the European Parliament and of the Council of13 December 1999 on a Community framework forelectronic signatures, OJ L 13, 19.01.2000, p. 12 (e-Signatures Directive).

2 Supported by the ongoing study SMART 2010/008‘Feasibility study on an electronic identification,

authentication and signature policy (IAS)’. The EUhave awarded the contract to DLA Piper, Brussels,supported by subcontractorsPricewaterhouseCoopers, SEALED, Studio NotarileGenghini and time.lex. The author a co-contributorto this study.

3 As stated in Article 2.12 of the e-Signatures

Directive.4 Dr Aashish Srivastava considered the problems of

electronic signatures for his PhD, and some of hisfindings can be found at ‘Businesses’ perceptionof electronic signatures: An Australian study’,Digital Evidence and Electronic Signature LawReview, 6 (2009) 46 – 56.

RETHINKING THEE-SIGNATURESDIRECTIVE: ON LAWS, TRUST SERVICES,AND THE DIGITALSINGLE MARKET

ARTICLE:

10 Digital Evidence and Electronic Signature Law Review, Vol 8 © Pario Communications Limited, 2011

perception and expectation. It is debatable whether it isa problem if no open interoperable market develops forcomplex e-signature services. The observation aboutthe current limitations of PKI based signaturetechnologies is mainly valid for e-signature technologiesthat rely on strong identification and authentication ofthe signatory. While these can offer substantial benefitsin terms of trustworthiness and security over simplertechnologies, it is not clear whether they are relevant inrespect of the realities of today’s digital market, wheretrust seems to be based as much on subjective factorssuch as reputation as on objective securityconsiderations. One might reasonably wonder if there issuch a significant business opportunity in higher qualityelectronic signatures. If there was a genuine demand forthis type of interoperability, would not the market havespontaneously gravitated towards it?

None the less, certain applications clearly have higherobjective security needs. The financial sector is a goodexample, as are higher value transactions such aselectronic public procurement. In these cases, the lackof interoperability between advanced signaturesolutions is inefficient (how many smart cards can yourwallet realistically contain?) and encourages badsecurity practices (how many of those cards currentlyhave the same PIN?). For these reasons alone,interoperability would be desirable as a device tostimulate confidence in the digital market, to avoidneedless costs, to enable high value trusted electronicservices, and to facilitate the uptake of such services byeveryday citizens.

Background and scope of the eSignatureDirectiveMuch of the issues covered in the introduction aboveare also reflected in the e-signatures Directive, or moreformally, Directive 1999/93/EC of the EuropeanParliament and of the Council of 13 December 1999 on aCommunity framework for electronic signatures. ThisDirective states its purpose in article 2: it aims “tofacilitate the use of electronic signatures and tocontribute to their legal recognition. It establishes alegal framework for electronic signatures and certaincertification-services in order to ensure the properfunctioning of the internal market.”

The Directive aimed to ensure that legal uncertaintiessurrounding the value of e-signatures would notbecome a barrier to the budding e-signatures market inthe European Union, or perhaps more accurately, thatsuch uncertainties could reasonably be kept to a

minimum. The elimination of any kind of legaluncertainty was (and remains) a practical impossibility,due to the large variety of approaches to e-signaturesand their technical characteristics. The European lawmaker had to tread a fine line between flexibility(allowing different technologies with different degreesof reliability) and legal certainty (ensuring thepredictability of the legal value of at least some types ofe-signature).

This resulted in the compromise that is now relativelywell known. Conceptually, the Directive creates threetiers of e-signatures:

1. The basic e-signature concept, i.e. data in electronicform which are attached to or logically associatedwith other electronic data and which serve as amethod of authentication;

2. The advanced e-signature concept, i.e. an electronicsignature which:

(a) is uniquely linked to the signatory;(b) is capable of identifying the signatory;(c) is created using means that the signatory canmaintain under his sole control; and(d) is linked to the data to which it relates in such amanner that any subsequent change of the data isdetectable.

In practical terms, the advanced e-signatureconcept currently implies the use of PKI technology,and is therefore not entirely technologically neutral.

3. The advanced electronic signatures which arebased on a qualified certificate and which arecreated by a secure-signature-creation device,commonly referred to as qualified electronicsignatures. This is also the terminology that will beused in this article.

When considering legal certainty however, the Directivecontains only two tiers:

1. All e-signatures benefit from a non-discriminationrule (article 5.2), meaning broadly that their legaleffectiveness and admissibility as evidence in legalproceedings cannot be denied merely on thegrounds of being electronic or of not complying withone of the requirements for qualified signatures. Ofcourse, this does not eliminate the possibility of e-

RETHINKING THE E-SIGNATURES DIRECTIVE: ON LAWS, TRUST SERVICES, AND THE DIGITAL SINGLE MARKET


signatures being rejected for any number of otherreasons, including for instance the use ofinsufficiently reliable technologies, taking intoaccount all circumstances which are relevant to thecase (e.g. the behaviour of the parties after an e-signature has been created).

2. Only qualified signatures benefit from theequivalence rule (article 5.1), meaning that thesesignatures are automatically considered to satisfythe legal requirements of a signature in the samemanner as a hand written signature, and that theyare always admissible as evidence in legalproceedings.

In effect, the system of legal certainty in the Directive isremarkably binary: qualified signatures are endowedwith legal certainty, and other types of e-signatures arenot. This situation can be affected substantially byadditional rules, such as by specific laws declaring otherforms of e-signature to also be equivalent to handwritten signatures, or more typically by contractualarrangements in which the relevant parties makeseparate arrangements on the legal validity andadmissibility of e-signatures in advance.

The conceptual framework in European e-signaturelaws is thus very much centered around e-signatures asa tool for emulating hand written signatures. While themarket access and internal market rules (articles 3 and4 of the Directive) apply to all types of certificationservice providers and certification services, the onlyprovision in the Directive that governs the legal effect ofthese services is focused on achieving equivalence withhand written signatures. This observation may appear tobe trivial, but it is not. From a technical perspective, thecryptographic process of signing specific data can servemany other functions which have little to no logicalconnection to a hand written signature. As examples,one might consider:

1. The identification of a person (entity authentication)may use identical technologies, yet there is nointention of achieving equivalence to a hand writtensignature.

2.The use of electronic stamps or seals, where aentity signs a document to authenticate it on behalfof a legal person (e.g. a company seal oradministrative stamp), or even on behalf of an

computer system or process, in which hand writtensignatures may be entirely inappropriate or evennonsensical as an analogy.

3.Authorization management, where the user wantsto demonstrate a certain legal mandate (e.g. toconfirm the status of doctor, lawyer, notary public,etc) or access/usage right (e.g. the status ofemployee, citizenship, or simply of being an adult).In these cases, equivalence to a hand writtensignature may not necessarily be the desired goal.

4.Time stamping, where the equivalence to a handwritten signature is irrelevant, since the onlyintention is to add a trustworthy time reference to aspecific transaction.

The Directive is only marginally relevant to all of these functions. This is not to say that it has no effect on them:

1. First, the e-signature itself is defined as “data inelectronic form which are attached to or logicallyassociated with other electronic data and whichserve as a method of authentication” (emphasisadded). This definition makes no explicit or impliedreference to the purpose of creating a substitute fora hand written signature; indeed, based on thisterminology alone, all of the examples above couldbe said to be covered by the definition of anelectronic signature, since they are all methods ofauthentication (either entity authentication or dataauthentication).5

2.Second, the notion of a “certification-service-provider” is very broadly defined in the Directive as“an entity or a legal or natural person who issuescertificates or provides other services related toelectronic signatures” (emphasis added). Again, thedefinition is so broad that virtually all types ofauthentication service providers could be said to becovered.

None the less, even under this broad interpretation ofthe Directive’s terminology, the Directive does notprovide a material legal framework for the servicesmentioned above. Admittedly, the market access andinternal market provisions of the Directive (mainlyarticle 4.1) apply, meaning that Member States may

5 Stephen Mason, Electronic Signatures in Law,(2nd edn, Tottel, 2007), 4.5 also illustrates thisissue.



establish the rules which apply to service providersestablished on their territories, and that they may notrestrict the provision of services originating in anotherMember State. However, with respect to the legal valueof trust services, the relevant provisions of the Directive(article 5 of the Directive) are only meaningful when thesignatory aims to create a substitute for a hand writtensignature. In all the other examples mentioned above, itis impossible on the basis of the Directive to link anylegal value to a service, other than perhaps to state thatits electronic nature does not invalidate it outright. Aslegal support to a trust service goes, this would appearto be a relatively weak endorsement.

In conclusion, the implicit focus of the Directive isquite clearly on enabling electronic tools that emulatetraditional hand written signatures to be recognized asa form of e-signature. It aims to achieve this effectthrough a number of simple and logical rules andprinciples. These will be discussed in the followingsection, as they may be relevant when resolving thetrust issues that the Digital Single Market currentlyfaces, as will be commented below, at least from thelegal perspective.

The main principles of the eSignature Directive The rules established by the Directive addresses thelegal, technical and trust landscape required to allow aninteroperable e-signatures market to function, with astrong focus on digital signatures. The conceptualframework (definitions of e-signature tiers and CSPs)has already been briefly explained above, as has theapproach of the legal effect of e-signatures. However,the other building blocks also deserve someconsideration, if only to help explain why the Directivehas not been able to achieve the desired purpose.

As a basic foundation of the Directive, the free marketprinciple (or more accurately: the internal market rules)are a logical consequence of treating certificationservices as a market service. To enable the internalmarket, it is vitally important that Member Statescannot set arbitrary barriers to foreign CSPs. This goalhas been implemented via article 4 of the Directive,declaring that “[e]ach Member State shall apply thenational provisions which it adopts pursuant to thisDirective to certification-service-providers establishedon its territory and to the services which they provide.Member States may not restrict the provision ofcertification-services originating in another MemberState in the fields covered by this Directive.” CSPs arethus largely governed by a country-of-origin rule, which

ensures that they do not need to comply with 27materially different sets of rules if they choose tooperate in all 27 Member States.

As a technical tool, advanced e-signatures alsorequire a minimum common technical framework toensure their operation. This technical framework is notincluded directly in the Directive as such. Indeed, thatwould have been a poor strategic choice, given therelative procedural complexity of renegotiating aDirective, which would make it very difficult to keep thetechnical framework updated. Instead, the Directivecontains only a fairly high level set of requirements inits four annexes, relating to:

Annex I: requirements for qualified certificates

Annex II: requirements for certification-service-providers issuing qualified certificates

Annex III: requirements for secure signature-creation devices

Annex IV: recommendations for secure signatureverification

With respect to technical standardization, the Annexesdo not aim to provide guidance for specificimplementation or assessment activities, as they are fartoo generic for that purpose. Instead, the Directiveforesees the possibility of providing additional guidancethrough Commission Decisions, to be taken upon theadvice of an “Electronic-Signature Committee” createdunder article 9 of the Directive, thus colloquially knownas the “Article 9 Committee”. This Committee may:

1. clarify the requirements laid down in the Annexes;

2.clarify the criteria that Member States should applywhen designating a body to determine theconformity of secure signature-creation-deviceswith the requirements of the Directive;

3.clarify “generally recognized standards forelectronic signature products”, notably byestablishing and publishing reference numbers ofsuch standards in the Official Journal of theEuropean Communities. When this has been done,the internal market provisions of article 3.5 requirethe Member States to presume that meeting thosestandards also implies compliance with the

12



requirements laid down in Annex II, point (f)(relating to the requirement for CSPs issuingqualified certificates to use trustworthy systemsand products which are protected againstmodification and ensure the technical andcryptographic security of the process supported bythem), and in Annex III (requirements for securesignature-creation devices).

Through this process, two main Commission Decisionswere taken: Decision 2000/709/EC6 establishing theminimum criteria for conformity assessment bodies, andDecision 2003/511/EC7 publishing reference numbers tothree generally recognized standards8 for electronicsignature products which create a presumption ofcompliance with part of the qualified electronicsignature requirements. Perhaps surprisingly, neitherone of these Decisions was ever updated, despitedevelopments in global e-signature standardizationinitiatives.9

Finally, the Directive also incorporated a trustinfrastructure to support certification service providers.Essentially, the trusted (or untrusted) state of anelectronic signature is a function of many factors, one ofwhich is the role of a trusted third party. In the absenceof a trusted third party (e.g. a simple e-signatureconsisting of a text file appended to an e-mail, wherethe text file and e-mail are both solely created by thesignatory), an e-signature has a limited ability toprovide confidence in the text that has been signed,where the authenticity of the e-mail is uncertain. Inthose cases, the signature amounts to little more thanthe word of the signatory, which was already reflected inthe signed text without any signature. Through theinvolvement of a trusted third party (such as the CSPissuing signature certificates in a PKI-based advanced e-signature system), relying parties have a moresubstantial anchor to which they can attach confidence.If they know that the issuer is trustworthy, then thatremoves at least one possible area of doubt.

A significant issue is how a relying party candetermine whether such a trusted third party is in factto be trusted.10 The Directive provides a solution to this

question through the concepts of supervision,conformity determinations and accreditation:

1. Member States must establish appropriatesupervision schemes, in which (at a minimum) CSPsestablished within their borders that issue qualifiedcertificates to the public are supervised (article 3.3of the Directive). Since qualified certificates are aprerequisite to creating qualified signatures, thisimplies that qualified signature solutions bydefinition benefit from some degree of supervision,thus improving their trustworthiness.

2.As noted above, the second component of aqualified signature (apart from the qualifiedcertificate) is the use of a secure signature-creation-device. The Directive specifies that Member Statescan designate bodies with assessing thecompliance of such devices with the requirementsof the Directive (as laid down in Annex III). Suchfindings of conformity are to be recognized in allMember States (article 3.4).

3.Finally, Member States are also allowed tointroduce “voluntary accreditation schemes aimingat enhanced levels of certification-serviceprovision” (article 3.2 of the Directive). MemberStates can use such schemes to institute qualitylabels, or to define ‘trust levels’ of signature typesin an effort to make the market more transparentand intuitive to consumers and service providers. Itis important to recognize that “enhanced levels ofcertification-service provision” does not necessarilyimply a high reliability of e-signature solutions;even basic (non-advanced) e-signatures may besubject to voluntary accreditation, irrespective oftheir objective reliability. The Directive requires thatthe conditions related to such schemes must be“objective, transparent, proportionate and non-discriminatory”, to avoid market distortions.However, since accreditation schemes are bydefinition established at the national level, theytend to enable trust at the expense of

6 2000/709/EC: Commission Decision of 6November 2000 on the minimum criteria to betaken into account by Member States whendesignating bodies in accordance with article 3(4)of Directive 1999/93/EC of the EuropeanParliament and of the Council on a Communityframework for electronic signatures (notifiedunder document number C(2000) 3179) (Text withEEA relevance) OJ L 289, 16.11.2000, p. 42–43.

7 2003/511/EC: Commission Decision of 14 July 2003on the publication of reference numbers ofgenerally recognised standards for electronic

signature products in accordance with Directive1999/93/EC of the European Parliament and of theCouncil (Text with EEA relevance) (notified underdocument number C(2003) 2439) OJ L 175,15.7.2003, p. 45–46.

8 Notably the following standards: CWA 14167-1(March 2003): security requirements fortrustworthy systems managing certificates forelectronic signatures - Part 1: System SecurityRequirements; CWA 14167-2 (March 2002):security requirements for trustworthy systemsmanaging certificates for electronic signatures -

Part 2: cryptographic module for CSP signingoperations - Protection Profile (MCSO-PP); CWA14169 (March 2002): secure signature-creationdevices.

9 For an 11-page exhaustive list of standards acrossthe globe, see Stephen Mason, ElectronicSignatures in Law, Appendix 3.

10 On this topic, note chapters 11, 12 and 13 inStephen Mason, Electronic Signatures in Law.

13



Apart from technical complexity, the European advanced e-

signature market in 1999 was developing rapidly, with relatively

few services being made available as stand-alone products for the

public in most EU Member States

interoperability, since foreign service providers areless likely to have a business case for seekingvoluntary accreditation in another Member State,even if their signature solutions objectively meet orexceed the requirements of the voluntary scheme.

On the basis of these trust enablers, each Member State must have a supervisory body to supervise CSPsissuing qualified certificates to the public. In addition, it may also have an accreditation body to manage anyvoluntary accreditation scheme, and it may have one ormore conformity assessment bodies to determine thecompliance of any supposed secure signature creationdevices. Conceptually, this approach is sound, as itensures that the legal and technical framework arelinked through a workable supervisory framework.

Thus, the Directive provided a basic legal frameworkthat established the main legal, technical and trustbuilding blocks. While clearly slanted towards state ofthe art PKI solutions, this was considered to beappropriate to sustain an interoperable e-signaturesmarket.

Effect on the e-signatures marketA cursory examination of current EU initiatives involvingor requiring the cross border use of e-signatures (e.g. inrelation to e-procurement, e-justice, e-invoicing, theimplementation of the Services Directive, or anyexchange of authentic e-documents) shows that theeSignature Directive has largely failed to achieve thisobjective. Even leading initiatives in this area are stilldeveloping or piloting solutions, twelve years after theadoption of the Directive. Solutions for cross borderinteroperability either require closed contractualframeworks – essentially cutting out the influence of theDirective to a large extent – or abandon the high-security, high-certainty goals of the Directive byadopting simple (non-PKI) e-signature solutions or byreducing the trust assurances to relying parties. In

effect, even if one accepts that the eSignature Directivehas helped create a market for advanced e-signatureservices at the national level, any beneficial effect onthe internal market (i.e. at the cross border level) ismodest at best.

The present positionA number of factors can be identified that may be partlyresponsible for the lack of an internal market foradvanced e-signatures, or more generally for the lack ofcross border interoperability. It is important to recognizethat not all of these factors are related to the EUframework for advanced e-signatures as brieflydescribed above. For one, it is inherently difficult toprovide an appropriate legal framework in atechnological area which evolves very quickly, notably inorder to respond appropriately to security challenges.This is especially true in relation to advanced electronicsignatures, where new standards are continuouslydeveloped and algorithms are deprecated whenweaknesses become apparent.

Apart from technical complexity, the Europeanadvanced e-signature market in 1999 was developingrapidly, with relatively few services being madeavailable as stand-alone products for the public in mostEU Member States. Finally, as was already noted in theintroduction to this article, the business case for theadvanced e-signatures as a separate service (i.e. inisolation from applications in which they are intended tobe used, such as e-banking) remains uncertain. All ofthese elements made it inherently complex to create alegal framework that would enable a flourishing internalmarket for advanced e-signature services.

Nevertheless, the current EU framework is clearly alsonot without its flaws, and a number of issues can beclearly linked to the lack of an internal market. Anexhaustive study of these issues and their effect wasconducted on behalf of the European Commission in2010 under the acronym CROBIES (Study on Cross-



Border Interoperability of e-signatures), which isavailable for online consultation.11 Briefly summarized,the CROBIES study identified, amongst other things, thefollowing weaknesses and criticisms:

1. The legal framework is unclear and ambiguous oncertain important points. For instance, opinion issplit in the Member States on the question ofwhether the concept of a ‘signatory’ can includelegal entities, i.e. whether an e-signature can beascribed directly to a company rather than to theperson signing on behalf of that company. Similarly,it is still debated whether a secure-signature-creation device (SSCD) must undergo an affirmativeconformity assessment by a designated body, orwhether such an assessment is merely advisable toremove or reduce doubts on its status.

2.The technical framework is outdated and does notlink cleanly to legal requirements. The CommissionDecision above only references three specificstandards which are partially outdated and do notunambiguously apply to some advanced e-signature creation approaches. For instance, theuse of mobile telephones or HSMs (Hardwaresecurity modules) is increasingly popular in theadvanced e-signature market, yet these are notclearly addressed by the referenced standards.12

Furthermore, the EU standardization landscape ishighly complex: beyond the aforementioned threestandards, there are around 30 otherstandardization projects whose link to specific legalrequirements is not clear. The fact that CommissionDecisions under the Directive can only create apresumption of compliance with the requirementsof Annex II(f ) and Annex III of the Directive, and notwith other requirements, makes it even harder toassess any formal value to these standardizationdocuments.

3.The trust framework is too vague to createjustifiable trust in the internal market. As describedabove, CSPs issuing qualified certificates to the

public are subject to national supervision schemes.However, the Directive merely requires that thesesupervision schemes are ‘appropriate’, withoutproviding guidance to the Member States as towhat this entails. As shown in the CROBIES study,national requirements range from a simplenotification letter to the supervision body to full andperiodically recurring audits, creating an uneventrust landscape, not to mention internal marketdistortions. Apart from this inequality, there was nohomogeneous way for relying parties to determinewhether a CSP was indeed supervised in practice,since supervision bodies did not have a commoncommunication strategy on this issue. This problemwas only addressed in October 2009 – ten yearsafter the adoption of the Directive – when aCommission Decision13 issued against the backdropof the Services Directive required supervisingbodies to use a common trusted list approach topublicly announce the supervision status of theirCSPs. Prior to that time, relying parties would needto check the supervision status of a CSP manuallyeach time they wanted to rely on a signature.Similarly, when SSCDs have undergone conformityassessments (the need of which is already unclear,as noted above), there is no common approach topublish this status, and no way to keep this statusupdated over time as potential weaknessesthreatening the SSCD status are uncovered.

Clearly, the legal, technical and trust frameworksestablished by the eSignature Directive have their flaws.It should be noted however that these flaws primarilyapply to qualified signature solutions, since questionsrelated to supervision and SSCDs are much lessrelevant to other signature types. None the less, sincethe eSignature Directive only created a clear andpredictable legal effect for these types of signatures,this can be considered a real weakness.

While important, these problems could be fixedthrough limited changes and updates of the legal,technical and trust framework. There is, however, abroader weakness in the Directive, which would require

11 Study on Cross-Border Interoperability of e-signatures (CROBIES), A report to the EuropeanCommission from SEALED, time.lex and Siemens(Version 1.0, 2010); the author helped to writethis report, available at http://ec.europa.eu/information_society/policy/esignature/crobies_study/index_en.htm.

12 For instance, see Frederic Stumpf, MarkusSacher, Claudia Eckert and Alexander Roßnagel,‘The creation of Qualified Signatures withTrusted Platform Modules’, Digital Evidenceand Electronic Signature Law Review, 4 (2007)

61 – 6.13 Commission Decision 2009/767/EC of 16

October 2009 setting out measures facilitatingthe use of procedures by electronic meansthrough the ‘points of single contact’ underDirective 2006/123/EC of the EuropeanParliament and of the Council on services in theinternal market, OJ L 274, 20.10.2009 p. 36(Corrigendum to Commission Decision2009/767/EC of 16 October 2009 setting outmeasures facilitating the use of procedures byelectronic means through the points of single

contact under Directive 2006/123/EC of theEuropean Parliament and of the Council onservices in the internal market (OJ L 274,20.10.2009 ) OJ L 299, 14/11/2009 P. 0018 –0054); as amended by the Commission Decisionof 28 July 2010 amending Decision 2009/767/ECas regards the establishment, maintenance andpublication of trusted lists of certificationservice providers supervised/accredited byMember States, OJ L 199, 31.7.2010, p. 30.

15



substantially greater changes. As noted above underthe description of the scope of the Directive, itsprovisions clearly focus principally on electronicsignatures as a substitute for hand written signatures.This emphasis disregards the reality that finding asubstitute for hand written signatures is only onepossible application of certification services. There aremany other varieties of such services, as shown in thegraphic below:

As it stands, the EU legal framework mainly covers e-signatures to the exclusion of any other service using,or ancillary to, electronic signatures, such as time-stamping services, long term archiving services,electronic registered mail, or signature validationservices. More importantly, there are cleardependencies between these services that affect theirviability in the market.

As an example, an e-signature as a substitute for ahand written signature is only meaningful if it can beadequately linked to a signatory, either as anidentifiable individual, or at least by a pseudonym.Indeed, the eSignature Directive recognizes this issue,as it defines certificates as electronic attestations“which link signature-verification data to a person andconfirm the identity of that person” (article 2.9).Similarly, advanced14 signatures under the Directivemust (amongst others) be “uniquely linked to thesignatory” 15 and “ capable of identifying the signatory”(article 2.2). Thus, when e-signatures are intended toemulate hand written signatures, identification is aprerequisite. Yet the Directive does not address how thisshould be done, other than to note that the use of

pseudonyms in certificates “should not prevent MemberStates from requiring identification of persons pursuantto Community or national law” (recital 25). Thisrequirement is echoed in Annex II (d) in relation toqualified signature certificates, noting that CSPs must“verify, by appropriate means in accordance withnational law, the identity and, if applicable, any specificattributes of the person to which a qualified certificateis issued.” Identification (either as an independentprocess preceding the issuing of signature certificatesor as a separate type of authentication service) is notharmonized by the Directive in any meaningful way.

The same observation applies to time stamping,another type of certification service that supports thedetermination of the authenticity of e-signatures. Thevalue to be given to an e-signature is partly predicatedon the mechanism used to reliably determine when itwas created. This is a crucial question, since relyingparties mainly need to be able to assess whether an e-signature was valid at the time it was created, notmerely at the present time (which may be years later).The time factor is an important pillar to thetrustworthiness of e-signatures and a valuablecertification service in its own right. Again, the Directivedoes not cover this aspect in a meaningful way.

Other ancillary services mentioned in the overviewabove build on these tools: electronic archivingdepends on time stamping,16 and electronic registeredmail requires both reliable identification of thesignatories (senders and recipients alike) and timestamping. In the absence of the basic tools, thederivative services cannot be created either.

In short, it is important to recognize that e-signaturesare a component of an ecosystem of certificationservices. When the Directive covers only one element ofthat ecosystem (and imperfectly at that, as arguedabove), new market distortions will inevitably arise.Some Member States have already made the decision ofcreating their own national legal frameworks for someof these certification services, including time stamping,electronic registered mail and archiving. In the absenceof harmonizing provisions at the European level, this iscreating new internal market barriers: a “qualified timestamping service” in Member State A may have no legalvalue in Member State B, either because Member StateB has no legal framework for this type of service, or

14 Interestingly, no such requirement applies to thebase notion of “electronic signatures”, for whichthe Directive requires that they ‘serve as amethod of authentication’ in general. This is inline with the observation made above, namelythat electronic signatures in general could beinterpreted to cover any application of

authentication services, but that the Directiveonly provides a meaningful legal framework fore-signatures as a substitute for hand writtensignatures.

15 For a critical analysis of this concept, seeStephen Mason, Electronic Signatures in Law,4.9.

16 Stefanie Fischer-Dieskau and Daniel Wilke,‘Electronically signed documents: legalrequirements and measures for their long-termconservation’ Digital Evidence and ElectronicSignature Law Review, 3 (2006) 40 – 44


16


because the legal framework is different. In practicalterms, the time stamping service provider has no way oflearning about possible issues other than to seek legaladvice on a country by country basis, in order todiscover whether its service has any value outside of itsnational borders, and what changes might be necessaryto satisfy national legal requirements. This wouldappear to be a textbook example of the type of barrierthat the European internal market should aim to avoid.

Based on these observations, it would appear that theeSignature Directive is in serious need of review, at aminimum to fix the smaller issues mentioned above.However, this may also be a good opportunity tobroaden the legal framework to ensure that certificationservices are more comprehensively covered and toavoid further barriers in the internal market. Obviously,the lessons learned from the eSignature Directiveshould be considered if this broader approach is taken.

Trust in the digital single market: whatrules, if any, are required?The EU Digital Agenda and its perspective on IAS The Digital Agenda was published as a Communicationof the European Commission in 2010,17 and contains thecommon European strategy for creating “a flourishingdigital economy by 2020”. It outlines a number ofpolicies and actions that support this objective, groupedaround various action areas. For the purposes of thisarticle – examining the challenges and options for theeSignature Directive – the most relevant action arearelates to improving trust and security.

The Digital Agenda positions e-signatures in thebroader context of trust and security challenges in theinformation society, which include such topics asmisappropriation of identity, fraud, cyber crime, dataprotection, privacy-by-design, and critical informationinfrastructure protection. E-signatures (and electronicidentities) can be considered as mechanisms that cancontribute to building viable solutions on each of thesepoints.

The Agenda correctly stresses the necessity ofensuring the trustworthiness of technology as aprerequisite to its use in practice. It has been observedabove that this was one of the main issues of thecurrent EU framework for advanced e-signatures:objectively, there are no sufficient assurances withrespect to advanced e-signatures from other Member

States. Complexity and user friendliness are equallyimportant: end users will never accept foreign advancede-signatures if they first have to learn what an SSCD isor if they have to check the supervisory status of acertificate. End users should not be confronted withthese questions in their normal use of electronicsignatures. However, the eSignature Directive currentlydoes not provide appropriate tools to develop secure,reliable and easy to use signature creation andvalidation solutions that can enable end users to rely onadvanced e-signatures without worrying about thetechnological, legal and operational minutiae. Thedevelopment of such solutions would first requireexisting ambiguities in the Directive and thesurrounding framework to be coherently addressed.

Recognizing that the Directive has been unable tomeet its stated purpose of “facilitat[ing] the use ofelectronic signatures and contribut[ing] to their legalrecognition” (article 1 of the Directive), the DigitalAgenda proposes a revision of the e-signaturesDirective, “with a view to provide a legal framework forcross-border recognition and interoperability of secureeAuthentication systems.”

It is worth noting the interesting phrasing of theproposed action set out in the Agenda: the revisionshould result in a legal framework for ‘secureeAuthentication systems’. The Commission might havealso simply called for a revision focusing on ‘secureelectronic signatures’, and this would appear to havebeen the more intuitive choice if there had been nointention of contemplating the scope of the e-signaturesDirective. The choice of phrasing, focusing on‘eAuthentication systems’ in general, suggests that theCommission might be open to explore further options.

The specific challenges relating to electronicidentification undoubtedly play a role in this particularphrasing. Indeed, the Agenda contains a further relatedaction, namely to propose by 2012 a Council andParliament Decision “to ensure mutual recognition of e-identification and e-authentication across the EU basedon online ‘authentication services’ to be offered in allMember States (which may use the most appropriateofficial citizen documents – issued by the public or theprivate sector)”. This action could be used to addressone of the current challenges in relation to electronicidentification: while innovative EU projects (such as thelarge scale pilot STORK18 ) have developed functioningtechnical solutions to eID challenges, there is currently

17 Communication from the Commission to theEuropean Parliament, the Council, the EuropeanEconomic and Social Committee and theCommittee of the Regions, A Digital Agenda forEurope – 26.8.2010; COM(2010) 245 final/2.

18 https://www.eid-stork.eu/.

17



no broader legal or policy framework to move thesepilots into operational solutions for the general public. A Commission Decision could clarify this point, byensuring at a minimum that Member States have a listof electronic identification methods from other MemberStates that they agree to treat as equivalent.

Thus, the Agenda seems to have a strategy to improvethe trustworthiness of eAuthentication systems, albeitwithout specifying at this stage exactly what thosesystems might entail, beyond the obvious candidates ofe-signatures and electronic identities.

The needs of the Digital Single MarketWhile the summary above focuses on the trust andsecurity aspects of the Digital Agenda, it should berecognized that the Agenda takes a much broaderperspective, and correctly notes that the EU has in manyrespects failed to bring about a true Digital SingleMarket, in which on-line service borders are eliminated(or at least reduced) in the same way as for the offlinesingle market.

Specifically, the Agenda notes that:

“[t]he internet is borderless, but online markets,both globally and in the EU, are still separated bymultiple barriers affecting not only access to pan-European telecom services but also to what shouldbe global internet services and content. This isuntenable. First, the creation of attractive onlinecontent and services and its free circulation insidethe EU and across its borders are fundamental tostimulate the virtuous cycle of demand. However,persistent fragmentation is stifling Europe'scompetitiveness in the digital economy. It istherefore not surprising that the EU is falling behindin markets such as media services, both in terms ofwhat consumers can access, and in terms ofbusiness models that can create jobs in Europe.Most of the recent successful internet businesses(such as Google, eBay, Amazon and Facebook)originate outside of Europe[3]. Second, despite thebody of key single market legislation oneCommerce, eInvoicing and e-signatures,transactions in the digital environment are still toocomplex, with inconsistent implementation of therules across Member States. Third, consumers andbusinesses are still faced with considerableuncertainty about their rights and legal protectionwhen doing business on line. Fourth, Europe is far

from having a single market for telecom services.The single market therefore needs a fundamentalupdate to bring it into the internet era.”

These observations seem entirely correct, and can alsobe applied to eAuthentication services in general. Therecent Public consultation on electronic identification,authentication and signatures19 have provided somesupport of the Digital Agenda’s statements from theperspective of others with an interest or concern in thematter, asking among other points which trust buildingservices and credentials should be considered forregulation at the European level in order to ensure theircross-border use. The 418 respondents to the questionprovided the following replies:

For which of the following trust building services and credentialsshould legal or regulatory measures be considered at EU-level in orderto ensure their cross-border use?

Number % of total of replies number of

replies to this question

Certified electronic documents in general 270 64,59%

Electronic seals 216 51,67%

Time stamping 219 52,39%

Certified delivery of mail 195 46,65%

Authorisations/mandates 194 46,41%

Long term archiving 191 45,69%

Electronic transferable records 136 32,54%

Official delivery address 119 28,47%

Others (please list) 68 16,27%

Pseudonyms 67 16,03%

Anonymous agents 47 11,24%

None 26 6,22%

Thus, only 6,22% felt that no further trust servicesrequired any regulation. Respondents who chose thisanswer and provided additional comments frequentlystated that regulations were unnecessary or too rigid,and that standardization, accreditation schemes andprivate sector initiatives would be adequate to addresscross border challenges.

Among those who felt that new regulations could bevaluable, certified electronic documents in general –without further definition in the consultation – were themain service type chosen for further regulation (64,59%of respondents), with electronic seals and timestamping each also being mentioned by more than half

19 For an overview of the consultation’s questions,approach, and the contributions received, seehttp://ec.europa.eu/information_society/policy/e

signature/eu_legislation/revision/pub_cons/index_en.htm.


18


of respondents. As to whether electronic identificationshould be regulated at the European level, this wasasked as a separate question. A majority of respondents(65,07%) indicated that they would favour a Europeanlegal framework of some sort for electronicidentification.

The issues related to advanced e-signatures havealready been discussed at length above, but similarconsiderations apply to other digital services. Considera simple and realistic scenario: an internationalundertaking wants to digitize its paper documentarchives throughout the EU, including invoices and avariety of contracts. New contracts will be created andsigned electronically wherever possible, but – as amatter of commercial realism – the company knows thatmany contracts will still initially be signed on paper,before being converted. The issue is whether thispossible in the EU.

Technically, the answer is yes. All the requiredtechnologies have existed for decades. Legally, theanswer is no. The company would need to assess whichdocuments can be digitized, and under what conditions.The answer to that question depends from MemberState to Member State, and will include questions onthe types of contracts, paper formalities withoutelectronic equivalents (e.g. seals), specific nationallegislation, archiving requirements, use and type ofsignatures, time stamping, notarization, etc. Anycompany brave enough to conduct an assessment onthis point will probably get only two clear results: a verylarge legal report from at least 27 lawyers across 27Member States filled to the brim with gray areas andcaveats, and no reliable way to move forward with asingle harmonized approach.

This is just the customer perspective. Consider thesituation from the service provider’s point of view.Assume that a CSP wants to provide archiving services,including assurances of long term legibility, integrity,and time stamping. The first question any customer willask, is whether the service can be relied on, and whatassurances the service provider offers. In the absence ofa harmonized legal framework, the provider can onlyreply that its service is technically and operationallystate of the art, and that it is (presumably) legal underits own national laws. Whether the archived contentactually has any value in other Member States if legalaction arises in 15 years will depend on the national lawthat will be applied to the legal action.

In the year 2011, this state of affairs is nothing short

of a tragedy to the economic development of Europeanbusinesses. Barriers that stifle the legal usability ofservices across the European Union – both from theperspective of service providers and from theperspective of service users, as noted above – harmEuropean economic growth and stunt the adoption ofmore efficient technologies. The potential for costsavings in the EU for innovative e-authenticationsystems – which includes the scenario above – must besubstantial. At a time where everyone is looking forboth cost cutting and innovation – typically in that order– this is an opportunity that the EU should not miss. Amere framework for e-signatures – even if thechallenges mentioned above are resolved – with asmaller scale solution for eID recognition will notprovide an answer for the scenarios above.

Options for the futureA future legal framework for IAS services inEurope: a not-so-modest proposalThe Digital Agenda has unambiguously announced arevision of the eSignature Directive, which will probablystrive to fix at a minimum the shortcomings summarizedelsewhere in this article, together with a possibleDecision to ensure mutual recognition of certain eIDsbetween Member States. This would undoubtedly be agood step forward for the EU. None the less, a moreambitious vision is discussed below, a vision that would– hopefully – be capable of addressing the scenariosmentioned above.

This vision builds on a simple but powerfulobservation: e-authentication systems (to use theterminology of the Digital Agenda) are similar in mostrespects, but differ in small important details. This canalready be witnessed in the terminology as discussedabove: the definition of an electronic signature aspresented by the Directive (“data in electronic formwhich are attached to or logically associated with otherelectronic data and which serve as a method ofauthentication”) is broad enough to potentially cover e-signatures (in the equivalent-to-hand-written sense),eID and time stamping, among many others. It is worthconsidering whether a similar policy framework is alsopossible, and even desirable, for these related services.

As a starting point, it is possible to consider priorexperiences across the Member States. The need for alegal framework for ancillary services (time stamping,company seals, electronic registered e-mail, long termarchiving) has been known for some time, and some



Member States have been active in this field. To namebut a few examples:

1. Austria, as one of the leading EU Member Statesin this area, has implemented legislationregulating not only e-signatures, but alsoelectronic identification, through the 2004eGovernment Act.20

2. Belgium adopted a generic legal framework forcertain trusted services in 2007,21 includingelectronic registered mail, time stamping andelectronic archiving. Despite a recent update forthe rules on electronic registered mail in 2010(integrated into the general e-signatures Act),executive rules were never fixed, and the lawremains largely inoperative at present. However,new legislation in this area is planned for the nearfuture.

3. The Czech Republic has implemented rules fortime stamping in its e-signatures Act of 2000.22

Interestingly, the law uses the same logic andterminology (‘qualified time stamp’) that is also invogue for e-signatures.

4. Estonia, as another technology leader in the EU,has a legal framework23 that supports (and indeedrequires) time stamping, digital stamps(advanced e-signatures created by legal entities),and official e-mails.

5. Similarly, Finland has adopted an Act on strongelectronic identification and electronicsignatures.24

6. Germany likewise introduced the notion ofqualified time stamping in its e-signatures Act.25

7. Italian law contains rules on electronic registeredmail.26

8. The Slovakian e-signatures Act contains specificrules for time stamping.27

9. The Slovenian e-signatures Act recognizes theconcept of a time stamp as being comparable toadvanced e-signatures, with the same rulesapplying by changing those things which need tobe changed;28

10. Finally, the Spanish Act on Electronic CitizenAccess to Public Services29 recognizes e-signatures, e-seals (company signatures), andtime stamping.

This listing is neither fully up to date nor exhaustive. Itspurpose is merely to illustrate that a significant andincreasing number of Member States have recognizedthe important role of e-authentication systems otherthan mere e-signatures, and that they have provided alegal framework for such services. When doing so, theselaws are often integrated or at least closely aligned withgeneral e-signature rules.

This is important for two reasons. First, it suggeststhat the principles and challenges for various e-authentication systems are similar, and that it might bepossible to address them in unison. Second, it alsoshows a potential internal market barrier. If timestamping service provider A can guarantee the legalvalue of its services in one country (for instance,because it is considered a qualified time stampingservice in that country) but not in another country (forinstance, because that country has no rules, or worseyet, different ones), then that creates a market barrier.This is a challenge for the EU to address, as it was analmost identical observation that led to the adoption ofthe e-signatures Directive.30

The sections below will examine what such a policyframework for e-authentication services might look like,and how it could be structured. As with e-signatures,this policy framework should consist of a legalframework, a technical framework, and a trust

20 E-Government-Gesetz.21 Wet van 15 mei 2007 tot vaststelling van een

juridisch kader voor sommige verleners vanvertrouwensdiensten/ Loi du 15 mai 2007 fixantun cadre juridique pour certains prestataires deservices de confiance.

22 Zákon č. 227/2000 Sb., o elektronickém podpisua o změně některých dalších zákonů (zákon oelektronickém podpisu).

23 Digitaalallkirja seadus, RT I 2000, 26, 150.24 Laki vahvasta sähköisestä tunnistamisesta ja

sähköisistä allekirjoituksista, 7.8.2009/617.25 Gesetz über Rahmenbedingungen für

elektronische Signaturen (Signaturgesetz -

SigG) vom 16.5.2001 (BGBl. I S. 876).26 Through the Codice dell’Amministrazione

Digitale (the current version is DecretoLegislativo 30 dicembre 2010, n. 235); RobertaFalciai and Laura Liberati, ‘The Italian certifiede-mail system’, Digital Evidence and ElectronicSignature Law Review, 3 (2006) 50 – 54.

27 Zákon č.215/2002 Z.z. o elektronickom podpisea o zmene a doplnení niektorých zákonov –TheSlovakian Act (‘as amended’ or ‘v zneníneskorších predpisov’) was consolidated in2009 (§9 of this Act still explicitly refers to timestamping (Časová pečiatka – time stamping)),see http://www.zbierka.sk/zz/predpisy/

default.aspx?PredpisID=208862&FileName=zz2009-00076-0208862&Rocnik=2009.

28 Zakon o elektronskem poslovanju inelektronskem podpisu.

29 Ley 11/2007, de 22 de junio, de accesoelectrónico de los ciudadanos a los ServiciosPúblicos.

30 For example, see the table of diverging nationallegislations on p. 4-5 of the 1998 Proposal for aEuropean Parliament and Council Directive on acommon framework for electronic signatures, athttp://ec.europa.eu/information_society/policy/esignature/docs/com1998_0297en.pdf. The tableis strikingly similar to the list above.



framework, all of which must be clearly aligned andattuned to business reality. The emphasis in thesections below will be on the possible regulatoryframework – provisionally designated as an e-authentication Directive – but observations on thetechnical and trust aspects will be added to clarify howthis could work in practice.

Basic principles of e-authentication services The fundamental concept behind a more comprehensiveframework for e-authentication services is theobservation that all service providers in this area sharecertain similarities, and the policy framework shouldreflect this. Broadly, an e-authentication Directive couldbe structured as follows:

Logically, the common section would specify thecommon characteristics of all e-authentication services.Subsequent sections would thereafter focus on specificservices and their unique characteristics. As with thecurrent eSignature Directive, it is possible to envisagetechnical elements that require greater flexibility andmore frequent updates to be adopted separately viaCommission Decisions.

Consistency and comprehensivenessAn important question is how e-authentication serviceswill be defined, and which types of service providersshould be covered by such a Directive. The commonelement of e-authentication services can be derivedfrom the current definition of e-signatures (which, asnoted above, is not inherently linked to the emulation ofhand written signatures): an e-authentication service isany type of information society service31 which serves asa method of authentication of electronic data. Thisdefinition is technologically neutral, and is sufficientlybroad to cover most of the services mentioned above.

Based on this generic definition, the Directive candefine subtypes of e-authentication services, usingsimilar technologically neutral language. As a basicrequirement, electronic signatures (both for naturalpersons and legal entities), electronic identification andtime stamping would be obvious candidates forinclusion. These are the fundamental building blocks tomake other e-authentication services work, and are thuscrucial to an e-authentication framework.

To provide for the full potential of e-authenticationservices, it would be appealing to include other servicesin a common Directive, including electronic archiving,digitization, validation services, and electronicregistered mail. It should be acknowledged, however,that the addition of new services may also createunforeseen complexities. To mention two examples: thedigitization of paper documents cannot unequivocallybe considered to be an information society service,since it is not necessarily provided at a distance; andthe introduction of rules for electronic registered mail asan internal market service may well have interestingoverlaps with existing EU regulations for postalservices.

Apart from the different definitions, most of theCommon Section of the Directive would borrow heavilyfrom the existing eSignature Directive, as the principles


31 Building on the definition provided by theeCommerce Directive 2000/31/EC, which in turnwas based on the definitions of Directive98/34/EC, as amended.

As with the current eSignature Directive, it is possible to

envisage technical elements that require greater

flexibility and more frequent updates to be adopted

separately via Commission Decisions


of this Directive – if not necessarily the details behindtheir implementation – are fundamentally sound. Basicprinciples of the common section would include:

1. Internal market rules, based on articles 3 and 4 ofthe eSignature Directive. The basic rule for all e-authentication services would be free marketaccess, without prior authorization schemes, andapplicability of the rules of the service provider’scountry of establishment.

2.The introduction of two basic tiers of services:general e-authentication services (as determined bythe definitions) and qualified e-authenticationservices. As is currently the case for e-signatures,general services need not meet any additionalrequirements (other than respecting applicablelaws, such as the national transpositions of theData Protection Directive), and benefit from a non-discrimination principle (i.e. they may not be deniedlegal value on the grounds that they are electronicservices or on the grounds that they are notqualified, comparable to the phrasing of article 5.2of the eSignature Directive). In contrast, qualifiedservices would:

a. Be granted a clear legal effect, to beestablished in the relevant specific section.

b. Need to satisfy basic quality requirements.Common quality requirements for all qualifiede-authentication services would includeindependence, liability (comparable to article 6of the e-signatures Directive), availability ofsuitably qualified staff, insurance coverage tosatisfy its potential liabilities, etc. The commonsection should only specify requirements thatapply to all qualified e-authentication services;requirements that apply only to specific e-authentication service types can be specified inthe relevant specific section.

3.The introduction of a mechanism for recognizingequivalent non-European e-authentication serviceproviders, similar to the principles in article 7 of theeSignatures Directive.

4.Rules in relation to supervision, voluntaryaccreditation, and conformity assessments. Thesewill require some changes compared to the presenteSignature Directive:

a. Supervision should remain mandatory forqualified e-authentication service providers,and should still be undertaken by nationalsupervisory bodies. However, minimumrequirements for appropriate supervisionshould be set through a Commission Decision,and national supervisory bodies should publishthe supervised status of service providersthrough trusted lists. This would address theweaknesses of the eSignature Directive asdescribed in the introductory section.

b. Voluntary accreditation may still be undertakenat the national level by any body designated tooperate such a national voluntary accreditationscheme in the Member State. However, as animportant terminological point, it may be usefulto no longer describe such accreditation as‘permissions’ (the way the current Directivedoes in article 2.13), since this often makes itvirtually impossible to distinguish legitimatevoluntary accreditation from forbidden priorauthorization. Rather, it may be advisable tosimply refer to them as what they should be:quality assurance schemes.

c. As a new element, the e-authenticationDirective should also permit the establishmentof European voluntary accreditation schemesthrough Commission Decisions. This is a simplebut very potent addition to address a crucialproblem with accreditation schemes: currently,they may be beneficial at the national level, butthey cause disruptions in the internal market.The introduction of common EU levelaccreditation schemes could address this: anEU accreditation scheme could determinequality requirements that Member States agreeon to enable interoperability in cases where aservice does not meet the qualified level, but isstill ‘good enough’ for a specific horizontal orvertical application domain. By way ofexamples, one might consider:

i. An EU accreditation scheme formalizing theSTORK Quality Authentication Assuranceframework, thus allowing any e-ID means tobe assessed and accredited against thisframework.

ii. An EU accreditation scheme for e-



procurement, identifying the types of e-signatures accepted for public procurementportals.

iii. An EU accreditation scheme for legalservices, identifying the basic requirementsfor e-ID providers in the legal servicessectors (e.g. bar associations, Ministries ofJustice, professional bodies of publicnotaries).

iv. An EU accreditation scheme linkinginternational schemes to their Europeanequivalents, which could facilitate theestablishment of internationalinteroperability of e-authentication services,with the benefit of a clear legal basis.

It would go beyond the purposes of thiscontribution to assess for each of theseexamples whether they make business andpolicy sense or whether they are conceptuallysound; but based on discussions in relation toe-ID and e-signatures – including thecontemplated Commission Decision relating tothe mutual recognition of e-IDs – it wouldappear that there is a clear need for suchinstruments. Rather than a one-off Decision fore-IDs, it might be beneficial to establish a re-usable approach to establish such EU wideschemes when there is a need and benefit forEuropean administrations, businesses andcitizens.

d. Conformity assessments in relation to e-authentication devices (such as SSCDs in thecase of qualified e-signatures) will require aclarification whether such assessments aremandatory or optional, and who should providethem. At any rate, when a conformityassessment is granted, there will be a need topublish the assessment status in ahomogeneous way, to ensure that they areactually useful at the European level. Again, theuse of trusted lists (as is currently already donefor CSPs issuing qualified signature certificatesto the public) would be a good instrument forthis.

5.Finally, a mechanism will need to be defined for theestablishment (or more accurately, the referencing)

of standards at the European level. This can bebased on the current approach, with a Committeeevaluating the need for such standards andformalizations through Commission Decisions.However, the requirement of occasional updateswill require some further attention, either bymaking the Committee permanent, or by clarifyingthe legal value of updates of referenced standards.

Addressing specific e-authentication services Separately from the Common Section, the details inrelation to individual e-authentication services – mainlytheir specific requirements and legal effect at thequalified level – should be regulated in separatesections. As an alternative, consideration might be givento implementing the e-authentication Directive as a pureframework directive, consisting only of the commonsection as presented above, and to which specific e-authentication services can be added through separateregulations whenever they are justified. This wouldcertainly offer the benefit of flexibility. However, theneed for urgent progress for e-authentication services –in keeping with the timing of the Digital Agenda – wouldseem to amply justify the creation of a morecomprehensive instrument.

The main challenge in this respect is obviously thedefinition of clear legal effects for qualified services.While the legal effect of qualified e-signatures(equivalent to hand written signatures) now seemsobvious, it would also be necessary to define the legalvalue of qualified identities or qualified time stamps.

However, this is not an insurmountable obstacle. Themost difficult type of qualified authentication service isprobably the qualified electronic identity, which lacks aclear physical analogy. Since an electronic identity isfundamentally a collection of electronic attributespertaining to a specific entity, the legal effect of aqualified electronic identity could however beaddressed by regulating the reliability of theseattributes and the liability model behind theircorrectness, in much the same way as the eSignaturesDirective already does. With respect to qualifiedcertificates – a prerequisite for the creation of qualifiedelectronic signatures – article 6.1 states thatcertification service providers issuing qualifiedcertificates to the public are as a minimum liable

“for damage caused to any entity or legal or naturalperson who reasonably relies on that certificate:

(a) as regards the accuracy at the time of issuance



of all information contained in the qualifiedcertificate and as regards the fact that thecertificate contains all the details prescribed for aqualified certificate;

(b) for assurance that at the time of the issuance ofthe certificate, the signatory identified in thequalified certificate held the signature-creationdata corresponding to the signature-verificationdata given or identified in the certificate;

(c) for assurance that the signature-creation dataand the signature-verification data can be used ina complementary manner in cases where thecertification-service-provider generates themboth;

unless the certification-service-provider proves thathe has not acted negligently.”

Similarly, such a certification service provider is alsoliable for damages resulting from a failure to registerrevocation of the certificate (article 6.2). Limitations onthis liability may be indicated in the certificate itself(articles 6.3 and 6.4).

This liability model certainly has its flaws, notably thelack of any explicit obligation to act on indications thatthe information in the certificate is no longer correct,and the rather broad flexibility of the liability mitigationoptions. None the less, this approach of providingassurances of identity through liability may be as viablefor qualified identities as they are for qualifiedsignatures. While qualified identities would not benefitfrom an intuitive equivalence rule, they would at leastprovide the assurance of monetary compensation.

Of course, stronger approaches could also beconsidered, but are likely to be much less palatablefrom a political or practical perspective. A significantlymore far reaching approach to regulating the legal valueof qualified identities would be to require MemberStates to ensure that the constituent attributes areadmissible as evidence in legal proceedings and benefitfrom a refutable legal presumption of correctness.However, this approach is unlikely to hold much appealfor certain Member States with a strong tradition ofofficial identity documents, who might perceive thismodel as encroaching upon their monopoly of issuingstrong credentials. It may also not appeal due to thereversal of the burden of proof, as it would then be forrelying parties to show that the end user’s identityclaims would not be correct, which might be a costlyand complicated process. For these reasons, a lighter

liability based approach might be preferable.

Concluding notesThe observations above on the weaknesses of the e-signatures rules are not new, and it is clear that theseambitious suggestions for an e-authenticationframework are incomplete and imperfect. The goal ofthis contribution was however, not to draft a near-finalDirective, or to convince the reader that all the answersare readily available.

Rather, this paper aims to make and justify a fewobservations:

1. The current European framework for e-signatures isbuilt on healthy principles, but flawed in manyimportant respects. These issues need to be fixed.

2. E-signatures are not the only type of authenticationservice. Authenticity is a basic building block fortrust and security in the information society. Byfocusing exclusively on e-signatures, the Europeanpolicy framework will remain incomplete.

3. There is a business opportunity in establishing acoherent and comprehensive framework forauthenticity services. So far, the European Unionhas failed to do this. Is it possible for a person tocreate, sign and store any type of contractelectronically, anywhere in the EU, and be sure thatit will still be enforceable in 15 years? This is asimple question, and there is no clear affirmativeanswer. That is not acceptable in the year 2011.

Ultimately, the aim of this paper is to add to thediscussion on policy, and provide at least one avenuefor progress. It is certainly not the only availablesolution, and may not be the best one. But one thing isclear: the EU needs to be more ambitious. And it cannotafford to wait.

© Hans Graux, 2011


Hans Graux is a bar lawyer and founding partner at theBrussels based law firm time.lex, which specializes in ICT lawand ICT policy challenges. In addition, he is an affiliatedresearcher at the Interdisciplinary Centre for Law and ICT atK.U. Leuven.

http://www.timelex.eu/

http://www.icri.be

ARTICLE: RETHINKING THE E-SIGNATURES DIRECTIVEsas-space.sas.ac.uk/5578/1/1951-2765-1-SM.pdf ·...

Documents

Transcript of ARTICLE: RETHINKING THE E-SIGNATURES DIRECTIVEsas-space.sas.ac.uk/5578/1/1951-2765-1-SM.pdf ·...