[Pakistan took an important step in the Cyber Law area on
September 11, 2002, by promulgating the Electronic Security Ordinance 2002 (ESO
2002) similar to the Information Technology Act 2000 (ITA-2000) of India. We are
analysing some of the important provisions of this ordinance.]
The central purpose of ESO 2002, like its Indian
counterpart ITA-2000, is to provide legal recognition to the system of Cyber
Contracts to promote E-Commerce. To enable development of legally recognizable
Cyber Contracts, the ESO 2002 defines what is an Electronic Document, and what
is an Electronic Signature and then proceeds to accord legal recognition to
both. It also defines the time and place attributable to the execution of an
electronic document.
Let's now analyse in detail how ESO 2002 has approached the
definition of Electronic signature.
Section 7 of the ordinance provides that "Affixation of
Signature" in any law will be deemed satisfied by "Electronic Signature (ES)"
or "Advanced Electronic Signature (AES)".
It is interesting to note that just as ITA-2000 talks of
Digital Signature and Secured Digital Signature as two ways of authenticating
an electronic document, ESO-2002 talks of two different types of Electronic
Signature.
According to Section 2(n) of the ordinance, "Electronic
Signature" means any letters, numbers, symbols, images or any combination
thereof in electronic form, applied to, incorporated in or associated with an
electronic document, with the intention of authenticating or approving the
same in order to establish authenticity or integrity or both.
On the other hand, according to section 2(c), "Advanced
Electronic Signature" has been defined as an Electronic Signature which is
either
i) Unique to the person signing it, capable of identifying
such person, created in a manner or using a means under the sole control of
the person using it, and attached to the electronic document to which it
relates in a manner that any subsequent change in the electronic document is
detectable; or
ii) provided by an accredited certification service
provider and accredited by the Certification Council as being capable of
establishing authenticity and integrity of an electronic document.
It can be observed from the above definitions that an
ordinary Electronic Signature need not be of a type such as the PKI-based
digital signature. It can even be a password used for authentication purposes.
Secondly, the Advanced Electronic Signature can either be
one provided by a licensed Certification Service Provider or any other system
that is capable of unique identification and data integrity protection.
This can be interpreted to mean that any digital signature
system issued by a service provider who is not licensed by the Certification
Council can also be called an "Advanced Electronic Signature" if it
technically performs the desired functions.
Section 17 of the Ordinance specifically states that
"Nothing in this ordinance shall impede or in any way restrict the rights of
any certificate service provider to engage in the business of providing
Certification Services without being accredited". It is only expected that no
person shall hold himself out as an accredited certification Service provider
unless he has been so licensed.
The penal provisions applicable to a Certification Service
Provider such as "Violation of Privacy" and "Negligence in Not Revoking a
Certificate when required" can however be interpreted as applicable to both
licensed and unlicensed Certification Service Providers.
Further, the Advanced Electronic Signature is not specific
to any one technology such as the PKI technology and can adopt any other
system as well. This is further supported by Section 8, where it
has been confirmed that an electronic signature can be proved in
"Any Manner" to verify the originator and his intention. On the other hand, if
an advanced electronic signature is affixed, there will be a presumption as to the
identity of the originator, his intention and data integrity.
The distinction between the Electronic Signature and the Advanced
Electronic Signature is therefore unambiguous.
It is interesting to observe the contents of ITA-2000 in
respect of provisions similar to Electronic Signatures and Advanced Electronic
Signatures and debate if there is any ambiguity in the Indian law in this
respect.
ITA-2000 refers to "Digital Signature" and "Secured Digital
Signature" which can be considered the two types of authentication permitted
for an Electronic Document.
According to Section 2(p) of ITA-2000, Digital Signature
has been defined as
".. authentication of any electronic record by a
subscriber by means of an electronic method or procedure in accordance with
the provisions of section 3".
According to Section 3, a Digital Signature has to use
an Asymmetric Crypto System and a Hash Function.
The PKI system is therefore the only approved form of Digital
Signature in India.
Again, under Section 2(q), Digital Signature Certificate has
been defined as
"..a Digital Signature Certificate issued under sub-section
(4) of section 35".
Section 35 refers to applying for a Digital Certificate to a
Certifying Authority, who has been defined under Section 2(g) as follows.
"Certifying Authority" means a person who has been granted a
license to issue a Digital Signature Certificate under section 24;
From the foregoing it can be presumed that "No Digital
Certificate can be issued unless the Certifying Authority is licensed as per the
provisions of the ITA-2000". The Courts will therefore be obliged to reject
presentation of any evidence in the form of authentication that is not using a
digital certificate issued by a licensed Certifying Authority.
The Digital Signature definition as per ITA-2000 is therefore
bound not only to the PKI technology, but also to the system of licensing. This
is an important difference between ITA-2000 and ESO 2002.
Looking at the definition of "Secured Digital Signature" as
per Section 15 read along with sections 14 and 16, it appears that "Secured
Digital Signature" is also a "Digital Signature" with a Security procedure as
agreed to between the parties. From the different interlinkages provided in
these sections, the two terms Digital Signature and Secured Digital Signature
cannot be distinguished as to the manner of their affixation or their purpose.
When ITA-2000 discusses the presumptions as to the person
authenticating an electronic document or data integrity of a digitally signed
document, it refers to "Secured Digital Signature". This therefore raises
the question of whether the law envisaged defining "Unsecured Digital Signature" to
include digital signatures backed by Certifying Authorities not licensed in
India. However, since the two types of digital signatures are otherwise not
distinguishable as to the technology or purpose, there appears to be no
purpose served by defining two types of digital signature where one is called a
"Secured Digital Signature" and the other is not.
Take off:
ESO-2002 has avoided the confusion that is
inherent in ITA-2000 regarding the definition of the term Secured
Digital Signature and has also provided for the flexibility of different
technologies being used. The recognition of digital signatures issued by
unlicensed certification service providers avoids the serious problems Indians have to contend with
when entering into Cyber Contracts across borders, where the foreign party
to a contract would like to use a digital certificate issued to him by his
country's certifying authority, who might not have been licensed in India. We
have to wait for an amendment to ITA-2000 for removal of this anomaly.