BIOMETRICS AS ELECTRONIC SIGNATURES
Questions
Can an electronic signature be anything one wants it to be? For example, can biometric data be an
e-signature and have the same force in law? For example, the Ontario Works Act (S.O. 1997 c 25
Sch. A) section 76(1) provides authority to use a PIN, password, biometric information or a
photographic image in place of a signature "to authenticate the individual's identity and to act as
authorization or of consent to a transaction …"
Does section 10 of the Uniform Electronic Commerce Act envisage the same sort of thing for other
program legislation? If one were to use biometrics, one would want it to have the same force in law
that a signature does re: non-repudiation of transactions. Comments?
Proposed Answer:
* There is no magic in law to something being biometric or not. What we are talking about is a
method to communicate electronically what is now communicated by ink on paper.
* What is communicated by ink on paper for a signature is (i) identity of signer, (ii) intent to sign - for
some reason or another, and (iii) link of signature with signed document - e.g. I signed that contract,
not this one....
* The biometric information goes to (i) and not the others. There is no problem having the information
provided separately, as long as the three elements can be combined. Many people's ink signatures are
unreadable but perfectly valid. (It is arguable that a handwritten signature is a kind of biometric, but
that's another issue.) If one wants to rely on an illegible ink signature, one has to use outside evidence
of who signed. That may be a typewritten or printed name on the signed document, or external evidence
that that particular mark has been made on other occasions by the person you are alleging signed the
one in question.
* We should not overstate the reliability of an ink-on-paper signature. It is good enough for many
reasons, but there are many ways to make it more secure by adding witnesses, notaries, bank
certificates, personal property security etc. Likewise electronic signatures will have a range of degrees
of assurance, some more acceptable than others for particular purposes.
* I think an electronic signing system has to have an act of signing, an identifiable action at an
appropriate time that shows that the signer intends to sign. Biometric access control would not be
enough. It may be considerably less than a "ceremony" of signing, but I am doubtful about the
automated addition of "signature" data to a message without an act of the purported signer that shows
an intention to sign, and not just to create and send a text.
* Qualifications of the previous statement:
- Intent to sign may be separate from reason to sign. In other words, the legal effect of the signature
has to be shown from the context, most obviously from the words in the signed text. That is true for
paper documents and electronic documents. You will have to show what the person is signing.
Obvious when you say it, but don't forget that it's not just the evidence of signature you need to make
good use of something, you need to show what was signed and why.
- Many transactions do not need a signature. Participants in such transactions will need assurance of
who participated. That can be provided by biometric information. Further, access control - to goods
or services - can be done by biometric info that does not have to constitute a signature, just an
identification. There may be an implied representation - "I, the holder of this biometrically activated
token, am entitled to the goods or services I am now asking you to provide to me" - but just accepting
the goods or services is likely to constitute the representation, so you don't need a separately
identifiable act of signing. (If someone could understand that the goods or services were being
provided free to anyone who came along, without the need to show entitlement, then this would be
different, but there are few enough public or private services provided on that basis these days.)
- You might have a system that relied on biometrics for access control and then a separate application
or presentation of biometric information as an act of signing. You would have to be able to prove
later that the two presentations occurred and that the person knew why he or she was presenting the
information the second time.
* There is no such thing as non-repudiation. There are many reasons why someone may claim not to
be bound by a transaction. There are many reasons why someone can deny having done something.
People who need to rely on information or on a signature will take steps to make the functions of the
signature operate reliably. (How reliably is a cost-benefit question, among other things.) Some kinds
of evidence are better than others. Biometric information that is first collected in a reliable
identification and authentication process and that is then recollected (checked, validated, verified) at
the time of use or signature is likely to be pretty reliable. As a result, attempts to repudiate identity
may well fail. It's not biometrics that will show integrity of the information being presented or signed,
but there are technical ways of doing this using encryption.
In my view "non-repudiation" is not separate from evidence of source and integrity (and possibly
transmission) of a document. The better your evidence of these facts or qualities, the less likely the
alleged source is going to be to repudiate the document persuasively. Someone will have to decide
whether the evidence is reliable enough to act on - the relying party in the first instance, ultimately a
court or arbitrator, probably. (See my forthcoming article, "The Myth of Non-Repudiation".)
* The Uniform Electronic Commerce Act would ensure that an electronic signature - see the
definition, which includes intent to sign and link to the document - will be valid where the law
requires a signature. Where the law does not require a signature, the signature provision of the UECA
will not apply. However, the UECA also says in general that no information is invalid or ineffective in
law solely because it is in electronic form. You will have to prove why your identification of source is
reliable, but if you can do that, the electronic form will not be a barrier to your proof. I do not think
you need any separate legislation on signatures to use biometrics as you see fit.
* I am aware of nothing in the Evidence Act (federal or provincial) that would prevent the
admissibility of electronic evidence into court. The federal amendments in Part 3 to Bill C-6 and the
provincial amendments passed as part of the (Ontario) Red Tape Reduction Act 1999 do not deal
directly with this. They deal in particular with satisfying the best evidence rule ("use an original where
possible") and authentication in the evidentiary sense ("there is evidence capable of supporting a
finding that this document is what it purports to be.") I know of nothing that addresses biometric
evidence in particular. (I have not read lately the Identification of Criminals Act, a federal statute on
fingerprinting. I do not know why it would apply to our proposed uses in any event.)
* For a thorough examination of biometrics and signatures, see the article by R. Jueneman and R.J.
Robertson in the special issue of Jurimetrics in 1998 on electronic security and the law.
[John D. Gregory - March 31, 2000]