BIOMETRICS AS ELECTRONIC SIGNATURES

Questions

Can an electronic signature be anything one wants it to be? For example, can biometric data be an e-signature and have the same force in law? For example, the Ontario Works Act (S.O. 1997 c 25 Sch. A) section 76(1) provides authority to use a PIN, password, biometric information or a photographic image in place of a signature "to authenticate the individual's identity and to act as authorization or of consent to a transaction".

Does section 10 of the Uniform Electronic Commerce Act envisage the same sort of thing for other program legislation? If one were to use biometrics, one would want it to have the same force in law that a signature does re: non-repudiation of transactions. Comments?

Proposed Answer:



* There is no magic in law to something being biometric or not. What we are talking about is a method to communicate electronically what is now communicated by ink on paper.

* What is communicated by ink on paper for a signature is (i) identity of signer, (ii) intent to sign - for some reason or another, and (iii) link of signature with signed document - e.g. I signed that contract, not this one....

* The biometric information goes to (i) and not the others. There is no problem having the information provided separately, as long as the three elements can be combined. Many people's ink signatures are unreadable but perfectly valid. (It is arguable that a handwritten signature is a kind of biometric, but that's another issue.) If one wants to rely on an illegible ink signature, one has to use outside evidence of who signed. That may be a typewritten or printed name on the signed document, or external evidence that that particular mark has been made on other occasions by the person you are alleging signed the one in question.

* We should not overstate the reliability of an ink-on-paper signature. It is good enough for many reasons, but there are many ways to make it more secure by adding witnesses, notaries, bank certificates, personal property security etc. Likewise electronic signatures will have a range of degrees of assurance, some more acceptable than others for particular purposes.

* I think an electronic signing system has to have an act of signing, an identifiable action at an appropriate time that shows that the signer intends to sign. Biometric access control would not be enough. It may be considerably less than a "ceremony" of signing, but I am doubtful about the automated addition of "signature" data to a message without an act of the purported signer that shows an intention to sign, and not just to create and send a text.

* Qualifications of the previous statement:

- intent to sign may be separate from reason to sign. In other words, the legal effect of the signature has to be shown from the context, most obviously from the words in the signed text. That is true for paper documents and electronic documents. You will have to show what the person is signing. Obvious when you say it, but don't forget that it's not just the evidence of signature you need to make good use of something, you need to show what was signed and why.

- many transactions do not need a signature. Participants in such transactions will need assurance of who participated. That can be provided by biometric information. Further, access control - to goods or services - can be done by biometric info that does not have to constitute a signature, just an identification. There may be an implied representation - "I, the holder of this biometrically activated token, am entitled to the goods or services I am now asking you to provide to me" - but just accepting the goods or services is likely to constitute the representation, so you don't need a separately identifiable act of signing. (If someone could understand that the goods or services were being provided free to anyone who came along, without the need to show entitlement, then this would be different, but there are few enough public or private services provided on that basis these days.)

- you might have a system that relied on biometrics for access control and then a separate application or presentation of biometric information as an act of signing. You would have to be able to prove later that the two presentations occurred and that the person knew why he or she was presenting the information the second time.

* There is no such thing as non-repudiation. There are many reasons why someone may claim not to be bound by a transaction. There are many reasons why someone can deny having done something. People who need to rely on information or on a signature will take steps to make the functions of the signature operate reliably. (How reliably is a cost-benefit question, among other things.) Some kinds of evidence are better than others. Biometric information that is first collected in a reliable identification and authentication process and that is then recollected (checked, validated, verified) at the time of use or signature is likely to be pretty reliable. As a result, attempts to repudiate identity may well fail. It's not biometrics that will show integrity of the information being presented or signed, but there are technical ways of doing this using encryption.

In my view "non-repudiation" is not separate from evidence of source and integrity (and possibly transmission) of a document. The better your evidence of these facts or qualities, the less likely the alleged source is going to be to repudiate the document persuasively. Someone will have to decide whether the evidence is reliable enough to act on - the relying party in the first instance, ultimately a court or arbitrator, probably. (See my forthcoming article, "The Myth of Non-Repudiation".)

* The Uniform Electronic Commerce Act would ensure that an electronic signature - see the definition, which includes intent to sign and link to the document - will be valid where the law requires a signature. Where the law does not require a signature, the signature provision of the UECA will not apply. However, the UECA also says in general that no information is invalid or ineffective in law solely because it is in electronic form. You will have to prove why your identification of source is reliable, but if you can do that, the electronic form will not be a barrier to your proof. I do not think you need any separate legislation on signatures to use biometrics as you see fit.

* I am aware of nothing in the Evidence Act (federal or provincial) that would prevent the admissibility of electronic evidence into court. The federal amendments in Part 3 to Bill C-6 and the provincial amendments passed as part of the (Ontario) Red Tape Reduction Act 1999 do not deal directly with this. They deal in particular with satisfying the best evidence rule ("use an original where possible") and authentication in the evidentiary sense ("there is evidence capable of supporting a finding that this document is what it purports to be.") I know of nothing that addresses biometric evidence in particular. (I have not read lately the Identification of Criminals Act, a federal statute on fingerprinting. I do not know why it would apply to our proposed uses in any event.)

* For a thorough examination of biometrics and signatures, see the article by R. Jueneman and R.J. Robertson in the special issue of Jurimetrics in 1998 on electronic security and the law.


[John D. Gregory - March 31, 2000]
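
Added example (not part of the original memo): a sketch of an evidence record that combines the three elements discussed above, identity from a biometric match, a separate act of signing, and a link to the document, and seals them so later alteration is detectable. The key, field names, sample data and the HMAC-SHA256 seal are assumptions chosen for illustration; the biometric matcher is hypothetical and represented only by its result.

```python
import hashlib
import hmac
import json

SYSTEM_KEY = b"constructed-demo-key"  # assumption: secret held by the relying system

def _seal(body):
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SYSTEM_KEY, canon, hashlib.sha256).hexdigest()

def make_record(document, signer_id, events):
    """Combine (i) identity, (ii) intent events and (iii) the document link."""
    body = {"signer_id": signer_id,
            "doc_sha256": hashlib.sha256(document).hexdigest(),
            "events": events}
    return {"body": body, "seal": _seal(body)}

def check_record(record, document):
    """Return the reasons the record fails as evidence of signing ([] if none)."""
    body, problems = record["body"], []
    if not hmac.compare_digest(record["seal"], _seal(body)):
        problems.append("record altered after sealing")
    if body["doc_sha256"] != hashlib.sha256(document).hexdigest():
        problems.append("not linked to this document")
    matched = [e for e in body["events"] if e["biometric_match"]]
    if not matched:
        problems.append("identity not verified")
    # Access control alone is not an act of signing: require a separate,
    # matched presentation made in response to a prompt that says why.
    if not any(e["purpose"] == "sign" and e.get("prompt") for e in matched):
        problems.append("no act of signing")
    return problems

# Constructed sample data; biometric_match stands in for a hypothetical matcher's result.
CONTRACT = b"Agreement A: applicant consents to the transaction."
ACCESS = {"purpose": "access", "time": 1000, "biometric_match": True}
SIGN = {"purpose": "sign", "time": 1060, "biometric_match": True,
        "prompt": "Present your finger to sign Agreement A"}

if __name__ == "__main__":
    signed = make_record(CONTRACT, "applicant-0001", [ACCESS, SIGN])
    login_only = make_record(CONTRACT, "applicant-0001", [ACCESS])
    print(check_record(signed, CONTRACT))          # signed correctly
    print(check_record(signed, b"Agreement B"))    # wrong document
    print(check_record(login_only, CONTRACT))      # access control only
```

The seal shows only that the relying system's record has not changed since it was made; how much weight the record carries still depends on how reliably the biometric was enrolled and matched.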