e-Signature may not be Cyber Law Compliant
The Hyderabad-based Adeptek Software, a subsidiary of Adeptek Inc of the US, is reported to have launched a new product called "eSign". It can capture and verify a handwritten signature made on a digital pad using a digital pen.

The software is stated to use biometrics, drawing on 41 factors that measure physical and behavioral characteristics unique to an individual in the process of signing, such as strokes, pressure applied on the pen, etc. It also uses advanced cryptography for storing the record.

The Company has reported that major clients for this product include Ford Motor Co, Dena Bank, National Insurance Corporation, Kirloskar Brothers, Lasersoft Inc and Gujarat Petro Chemicals.

In the context of the recognition for "Digital Signatures" just introduced in the ITA-2000, which has become effective, it is necessary to clarify that an e-signature of the kind described is not exactly the same as the "Digital Signature" required for legal recognition. The e-signature may be good enough for "Authentication", but unless it is augmented suitably, it cannot provide data integrity. Without this, the e-signature is not a complete signature. As an analogy, imagine a signature on a paper document whose contents are written in pencil. Even though the signature is authentic, the signatory will not assume responsibility for the contents, since the signature doesn't protect data integrity. Similarly, the e-signature by digital pen and pad doesn't guarantee data integrity.

The Digital Signature as envisaged in the Cyber Laws uses a one-way hash algorithm that captures the data in a unique hash code. The asymmetric cryptography system then authenticates the hash code. This combination is what makes the "Digital Signature" serve the purpose of authentication as well as "Data Integrity".
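The hash-then-sign combination described above, set beside a signer-only check, as an added example that is not part of the original article or of any product it mentions. The RSA key is a toy built from two publicly known primes and uses no padding, and `pen_signature_matches` with its sample data is a hypothetical stand-in for a pen-and-pad comparison.

```python
import hashlib

# Toy RSA key built from two publicly known Mersenne primes: illustration only,
# never a usable key. Real systems use a vetted library and a padding scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def digest(document: bytes) -> int:
    """One-way hash of the document contents, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer applies the private key to the hash of the document."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Anyone holding the public key recomputes the hash and compares."""
    return pow(signature, E, N) == digest(document)


def pen_signature_matches(sample: tuple, enrolled: tuple) -> bool:
    """Hypothetical pen-and-pad check: compares the captured signing sample
    with the enrolled one and never looks at the document contents."""
    return sample == enrolled


def demo() -> dict:
    original = b"Pay Rs. 1,000 to A"   # constructed sample documents
    altered = b"Pay Rs. 9,000 to A"
    sig = sign(original)
    enrolled = sample = ("strokes", "pressure")  # constructed biometric sample
    return {
        "digital_original": verify(original, sig),
        "digital_altered": verify(altered, sig),   # hash no longer matches
        # The pen check answers the same whichever document it is attached to.
        "pen_original": pen_signature_matches(sample, enrolled),
        "pen_altered": pen_signature_matches(sample, enrolled),
    }


if __name__ == "__main__":
    print(demo())
```

Only the digital signature fails on the altered document, because the signed value is the hash of the contents; the pen check authenticates the signer and nothing else.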

It is not clear for what limited purpose the product is now being used by the Companies. It is clear, however, that the system will not have legal recognition as per present laws. Whether it is for internal use or for external use, it is preferable that Companies adopt "Cyber Law Compliant practices". Otherwise, they may have to regret their ignorance or short-sightedness.

Naavi
November 27, 2000
