Legal Situation of Electronic Signatures

ONTARIO PERSPECTIVE



John D. Gregory

General Counsel

Policy Branch

Ministry of the Attorney General (Ontario)



OUTLINE



June 3, 1998

(updated November 2001)


Many documents with legal effect can be created under Ontario law with no signature, or even with no writing. For example, an oral contract is generally binding. (There are some exceptions.)

If writing or signature is not required, then obviously no particular form of signature is required.

Moreover, Ontario law has no general definition of "signature", and very few statutes that require a signature define the term either. A rare example is the Evidence Act, one section of which refers to a document "under the hand and seal" of a public official.

In general, signatures may be applied to a text by any means, including mechanical means.

As a result, no general rule of Ontario law prohibits or prevents the use of electronic signatures, and therefore no general rule of law stands in the way of using digital signatures (i.e. the subset of electronic signatures generated through public key cryptography).

So why might one be inclined to legislate about electronic or digital signatures?

- to get around a writing requirement then deal with a signing requirement at the same time

- to clarify how an electronic signature can be associated with the electronic record, i.e. the relationship between a group of electrons that is a message or document and another group of electrons that purports to be the signature of that message or document.

- to clarify how an electronic signature can be associated with the person whose signature it purports to be, since a group of electrons does not "look like" something from a particular person in the way that a handwritten signature does (or that we have come to understand that it does).

- to ensure that a particular technique has a particular legal result.

In essence, the rules for electronic signature are rules about association. They are rules about assurance of association.

Compare Article 7 of the UNCITRAL Model Law on Electronic Commerce: an electronic signature satisfies a signature requirement if the method of indicating origin and "approval" of contents is "as reliable as was appropriate in the circumstances".

The "appropriateness" test means variability of assurance levels. The assurance level that will allow an electronic signature to satisfy an appropriateness test will vary with the use of the signature, the threat to the assurance, the gravity of the threat, i.e. the damage done if the signature is not associated with what it purports to be associated with, and the cost of securing it to avoid the threat.

There is no single way of achieving this assurance. One may rely on any combination of security of the communications system used to contain or transmit the electrons constituting the signature, on the one hand, and security of the electrons (data) themselves.

For example, the Ontario photoradar system filed the speeding tickets it generated by electronic means with the court office, and sent them electronically to a mailing service to transfer to paper to mail to the defendants. The Provincial Offences Act requires both the offence notice (the ticket to the defendant) and the notice of infraction (the document filed in court) to be signed. The signing techniques were simple and procedural. They were appropriate for photoradar because they were used within a system run by the Ontario Provincial Police. To affect or forge a signature in the system, one would have had to take over a roadside van from the police, and infiltrate and use the computer system at police headquarters, among other challenges. And the only purposes of doing so would be to wipe out one's own ticket or issue a false ticket to someone else - acts of low value to the province, and of low value to the person who would have to make those efforts to do it. So system security was more important than data security in the circumstances.

(For more details, see John D. Gregory, "Electronic Documents in Ontario's Photoradar System", (1995) 6 Journal of Motor Vehicle Law 277.)


The basic function of a signature is to provide evidence of the origin of the signed document. Because handwritten signatures appear to give some assurance of origin, some rules of law require a signature. But as we have seen, evidence of origin may come from:

- a system that identifies the origin of the record

- a method of processing (signing) the record to associate it with a person

- information in the record likely to be within the knowledge of or to be generated by the person from whom it purports to come

- information outside the record from a trusted source





Three methods may be used to identify someone for electronic communications:

1. Who you are (biometrics, automatic actions e.g. handwriting)

2. What you have (key, smart card, other token)

3. What you know (password, pass phrase, PIN, mother's maiden name)

These are often combined, e.g. ATM access needs card and PIN.


Ontario's approaches

Ontario has taken two basic approaches to electronic signatures so far:

1. Close the system

2. Abolish the need for signatures

(Ontario statutes and regulations can be found online.)



1. Close the system

Of the electronic communications systems now in use between the Ontario government and Ontario residents, all but one are closed, i.e. their users are bound by contract with the government in some way. Many of the risks of identification are resolved.

SO:

- The means of identification can be prescribed.

- We are not dealing with communications between strangers.

- We know how to get your money (usually, up front...).



Examples of closed systems:

Electronic Registration Act (Ministry of Consumer and Commercial Relations Statutes) 1991, S.O. 1991 c. 44

4(4) Information that is filed in an electronic format may be filed only by a person who is or who is a member of a class of persons that is authorized to do so by a person who has the power to authorize such filings under a designated Act, or, if no person is authorized under the designated Act, by the Minister.



Rules for the Toronto Region E-filing Pilot Project, Ontario Regulation 223/97 to revise R.R.O. 1990 c. 194, Regulations under the Courts of Justice Act. (i.e. part of the Rules of Civil Procedure)

1.02 In these rules, "participant" means a law firm or legal department listed in the Schedule that has been trained in the use of and has purchased the software selected by the Ministry of the Attorney General for the e-filing server at the court office in the Toronto region.

[These rules were made permanent by the Civil Rules Committee on March 31, 1999.]



Land Registration Reform Act, R.S.O. 1990 c. L.4, as amended by S.O.1994 c. 27,

s. 85(3)

20(2) A person shall not submit an electronic document unless the person is authorized to do so by the Director [of Land Registration].

23(2) A person shall not deliver an electronic document to the electronic land registration database by direct electronic transmission unless the person is authorized to do so by the Director.



2. Abolish the need for signatures

Since the contract and the communications system set up under the contract can establish sufficient security of origin of the electronic records, it is often not necessary to rely on a signature to show their origin.

One can find the functional equivalent of a signature without using anything that anyone might call a signature. Whether the software identification methods should be called a signature - the function defines the term - is open to debate.



Land Registration Reform Act, as amended S.O. 1994 c.27, s 85(3)

21. Despite section 2 of the Statute of Frauds, section 9 of the Conveyancing and Law of Property Act or a provision in any other statute or any rule of law, an electronic document that creates, transfers or otherwise disposes of an estate or interest in land is not required to be in writing or to be signed by the parties and has the same effect for all purposes as a document that is in writing and is signed by the parties.



Business Regulation Reform Act, 1994 S.O. 1994 c. 32

10(1) The Lieutenant Governor in Council may make regulations,

(c) authorizing or requiring forms, that businesses are required to file under this Act or a designated Act, to be signed by electronic signature or by signature copied or reproduced in the prescribed matter;

(d) authorizing or requiring forms, that businesses are required to file under this Act or a designated Act, to be filed without signatures.

Ontario Regulation 442/95 under the Business Regulation Reform Act, 1994

3(2) A business that files a unified form in an electronic format under subsection (1) is not required to sign the form by electronic signature or by signature copied or reproduced in any other manner.



Courts of Justice Act, Rules of Civil Procedure, Toronto E-filing regulation

This regulation does not require any of the nearly 100 forms it prescribes to be signed, unlike some of the paper equivalents.

The only signed document is proof of service (the key concept for the civil litigation system), which is not filed by e-filing but which must be kept at the serving lawyer's office for inspection on demand.



Prescribing Appropriateness to Reinforce Assurance

The general flexibility of the law on the form of signatures, and thus of electronic signatures, is very useful to designing programs that rely on information technology. It would be unfortunate to restrict this flexibility by setting global standards that might prevent solutions such as the ones mentioned so far.

Sometimes the legal or policy implications of a program will demand a level of trust in the origin of the records that cannot be met by the security of the system. Sometimes they will demand assurance of the integrity of the records (i.e. that they have not been altered) as well as of their origin.

To satisfy these demands, some programs will have to find other ways to reinforce assurance. They may have to focus on the data more than on the system that carries the data.

When they prescribe higher levels of assurance, they may also prescribe the legal consequences of achieving them.



Risk Factors

How accessible are the data to unauthorized users?

physical access controls

electronic access controls

secure networks

awareness of accessibility

What is the incentive for unauthorized users to block or alter the data?

financial incentive

policy incentive

How hard it is to detect that data have been blocked or altered?

how soon can problems be detected?

how hard is it to fix problems or restore accurate data?

Who bears the loss if data are blocked or altered ?

public interests

private interests

third party interests

How hard is it to protect the data against unauthorized blocking or alteration?

cost of protection

protection vs ease of use of data communications

Who is best able to protect the data against unauthorized blocking or alteration?

originator vs carrier vs recipient vs user

What is the incentive to repudiate data after they have been created or sent?

credibility of allegations of blocking or alteration



Reality Check: paper vs electrons ("atoms vs bits")

What risk do we accept for paper records and written signatures? We do not need to create the electronic equivalent of an armoured truck when we entrust paper for the same program to an envelope with a simple first-class stamp.



Some program examples



BUSINESS NAMES REGISTRATION

- puts on public record names under which corporations or partnerships carry on business, e.g. 123456 Ontario Inc does business as "Certs-R-Us"

- purpose: public notice, accessibility of legal person (the corporation)

- legal impact of wrong data: low

- benefit of submitting wrong data: low to none

- incentive for unauthorized blocking or alteration: none

- network: relatively open

- paper equivalent: signatures on forms never checked

- electronic rule: no signatures required

- authority: Business Regulation Reform Act

NOTE: The business registration system (Ontario Business Connects) is the one current example of an Ontario program that uses something close to an open system, since many applicants have no previous contact with the government. At present electronic queries and filings are done mainly from a network of workstations across the province, but they have recently begun to be transmitted on the Internet as well.

For most purposes the network is a one-stop application form for business licences.


PERSONAL PROPERTY SECURITY ACT FILING



- puts on public register a notice that security has been taken on personal property

- purpose: to protect purchasers of the property and to create priority among secured creditors

- legal impact of wrong data: serious to filer, none to public, might benefit third parties

- benefit of submitting wrong data: none

- incentive for unauthorized blocking or alteration: low?

- network: closed (subscribers only)

- paper equivalent: signatures never checked

- electronic rule: no signature

- authority: Electronic Registration Act (MCCR Statutes) 1991




PROVINCIAL OFFENCES ACT - ELECTRONIC TICKETING

- creates, signs, files provincial offences tickets electronically and can generate mailed offence notice to defendant

- purpose: to create court file for prosecution, in some cases to give notice of charge to defendant

- legal impact of wrong data: serious to prosecution, may benefit defendant or mislead, low to public generally (tickets used for minor offences only)

- benefit of submitting wrong data: none

- incentive for unauthorized blocking or alteration: medium for defendant, low to none for others

- network: closed (provincial offence officers and court only)

- paper equivalent: signatures important

- electronic rule: regulated electronic signature

- authority: Provincial Offences Act

NOTE: The electronic ticketing provisions of the Provincial Offences Act were used for photoradar, as noted earlier. They are not now in operation for any provincial offences administered by the province. Some municipalities are processing parking tickets electronically, but these are not filed individually with the court in electronic format.

The statute and regulation follow.



Provincial Offences Act as amended S.O. 1993 c. 31 s 1(27)

76.1(1) A document may be completed and signed by electronic means in an electronic format and may be filed by direct electronic transmission if the completion, signature and filing are in accordance with the regulations.



Ontario Regulation 497/94, "Electronic Documents".

2(1) A document is properly signed in an electronic format if the document contains a code, name or number of a person that is capable of identifying the person as the originator of the document and the code, name or number,

(a) is generated by electronic means at the same time as the document being signed or on completion of the document; and

(b) is reasonably secure against unauthorized use.

2(2) A code, name or number is presumed reasonably secure against unauthorized use,

(a) if the physical means of generating it are themselves protected; or

(b) if the electronic means of generating it are themselves a secure code or if those means are protected by a password issued in confidence to the originator of the document.


LAND REGISTRATION

- transfers of interests in land are recorded in provincial land titles offices (the electronic transfer will apply only to the Land Titles Act, which over the course of the program will replace the Registry Act for all land in Ontario)

- purpose: to constitute the official record of ownership of land in Ontario

- legal impact of wrong data: high

- benefit of submitting wrong data: high

- incentive for unauthorized blocking or alteration: high

- network: closed (subscribers only)

- paper equivalent: signatures important

- electronic rule:

- signatures not needed on transfer documents

- digital signatures needed on filed documents

- private keys issued by land registration authority

- some keys identify lawyers, who have special rights to sign

- electronic register prevails over private paper records

- legal authority: Land Registration Reform Act



NOTE: This system is not yet in general operation, but several counties are now using it.


COMPULSORY AUTO INSURANCE CERTIFICATE

- certifies that the applicant for issue or renewal of auto licence plate tags has valid auto insurance, when applying at a Service Ontario electronic kiosk.

- purpose: to get evidence that applicant for plate or renewal of plate has auto insurance as required by law.

- legal impact of wrong data: medium to low; a yes-or-no question. Real offence is not having insurance, not filing a false certificate.

- benefit of submitting wrong data: medium - get plate when not entitled to it

- incentive for unauthorized blocking or alteration: none

- network: closed (dedicated kiosks, for the moment)

- paper equivalent: signature (usually?) not checked

- electronic rule: click on "I agree" icon after "do you certify?" text

- authority: Compulsory Auto Insurance Act giving Minister discretion on forms

NOTE: The real offence is not having insurance, and not the filing of a misleading return. So the government would not need the signature to prosecute, if it were found to be inappropriate. An applicant can submit false information on this on paper too - the electronic signature makes it no less certain to be accurate. The person who makes the electronic certificate is traceable through credit card, vehicle information, and maybe even the insurance policy number, if accurate.


Recent examples

Ontario Works Act, 1997 (S.O. 1997 c. 25 Sch A) s. 76(1)

Ontario Disability Support Program Act (S.O. 1997 c. 25 Sch B) s. 57(1)



Electronic Signature

Where this Act or the regulations require an individual's signature, one or more of the individual's personal identification numer (PIN), password, biometric information or photographic image may be used in the place of his or her signature to authenticate the individual's identity and to act as authorization of or consent to a transaction relating to an application for or the receipt of assistance.

[This provision is not currently in use.]



Ontario Business Corporation Act (as amended by the Red Tape Reduction Act 1999, Bill 12, First Reading April 27, 1999, Schedule of MCCR provisions)

s. 1(1) "Electronic signature" means an identifying mark or process that is,

(a) created or communicated using telephonic or electronic means,

(b) attached to or associated with a document or other information, and

(c ) made or adopted by a person to associate the person with the document or other information, as the case may be.

"Telephonic or electronic means" means telephone calls or messages, facsimile messages, electronic mail, transmission of data or information through automated touch-tone telephone systems, transmission of data or information through computer networks, any other similar means or any other prescribed means.


Summary : the present

Where the risks are low, the province does not put more demands on electronic signatures than on paper signatures.

Where the risks are high, the province increases the demands on electronic signatures just as it does on paper signatures.

The higher the level of assurance needed, the more detailed and formal the legal regime becomes to support it.

Compare the line or two of statute and regulation for electronic signatures, or no signatures, under the Business Regulation Reform Act or the Electronic Registration Act (supported by technical standards for records at the option of the Director) with the fuller requirements of the Provincial Offences Act and the detailed prescriptions of the Land Registration Reform Act.

Ontario does not need a single high-security system to show the origin of electronic records for provincial programs and services. Program needs vary, and programs vary to suit the needs appropriately.

See John D. Gregory, "Electronic Legal Records: Pretty Good Authentication?" in the Proceedings of The Official Version: A National Summit to Solve the Problems of Authenticating, Preserving and Citing Electronic Legal Information (Canadian Association of Law Liberians, Kingston, 1998). See also "The Authentication of Digital Legal Records", (1999), 6 The EDI Law Review 47.



Forecast for Ontario

PUBLIC SECTOR DIGITAL SIGNATURES

Some provincial uses of information technology will:

- demand high levels of assurance of the source of the information

- rely on confidentiality of the data as well as on trust in their origin

- require assurance of the integrity of the data

- use vulnerable communications networks such as the Internet.

- look to digital signatures to serve these demands.

Ontario has contracted with Entrust Technologies Inc to provide Public Key Infrastructure services to the government.

A number of potential users of digital signatures have been identified, notably in health, social services and justice. Children's Aid Societies have started using them for transferring information on vulnerable children.

The technical work in building a GO-PKI is launched.

The policy work in building uses for a GO-PKI is at a very early stage

The legal support work for the GO-PKI and government use of it is embryonic.

(The federal government has introduced broad supporting legislation in Bill C-54, which awaits a final round of debate in the late spring of 1999.)


PRIVATE SECTOR DIGITAL SIGNATURES

Some parts of the private sector are using closed-system, subscriber-only digital signatures, notably the Bank of Nova Scotia

Some parts of the private sector, particularly industry consortia, are working on public key infrastructures for their members, at least.

No one in the private sector has approached the government of Ontario for legal support for electronic commerce or electronic delivery of services in general, much less digital signatures. (The province has been approached about electronic evidence.)

Ontario lawyers from both public and private sectors are engaged in a project led by the Uniform Law Conference of Canada to remove legal barriers to electronic commerce. The Conference is expected to adopt a Uniform Electronic Commerce Act in August 1999. It is likely to restrict itself to provisions from the UN Model Law on Electronic Commerce. The signature rule from the Model Law was mentioned earlier.

The Uniform Law Conference adopted in 1998 a Uniform Electronic Evidence Act, to promote greater certainty in the admission of computer-generated records in legal proceedings. That Act does not deal expressly or specially with signatures. Bill C-54 includes amendments to the Canada Evidence Act based on the Uniform Act. Ontario's Red Tape Reduction Act 1999 (Bill 12) implemented the Uniform Act as part of the Ontario Evidence Act, now section 34.1.

Ontario has no current plans to regulate the use of electronic or digital signatures by the private sector generally or to licence certification authorities.

Ontario is represented on the Canadian delegation to the United Nations Commission on International Trade Law's working group on electronic commerce, which is considering electronic commerce. UNCITRAL adopted a Model Law on Electronic Signatures in 2001.