Identification marks and signatures are not a modern concept; they date back to the Stone Age, when people drew pictures on cave walls and later used symbols and written names to express their identity. Over time the practice became more formal, and a tradition developed of using a signature, a mark or symbol specific to an individual, to represent that person's identity. That holds whether it is a king using coins and seals to assert his identity or you making the stylish, round and curvy design widely called a signature.
With time, that signature, small or big, simple or curvy, assumed great importance. It is understood that when a person puts his/her signature on a document, it signifies knowledge, acceptance or obligation on his/her part. Now, with the advent of technology and an increase in online transactions, the e-signature has assumed an important place in cyberspace.
So, what is a Digital Signature, or what is more commonly called an Electronic Signature (in short, e-Sign.)? Though the two terms are used interchangeably, Digital Signature and Electronic Signature (hereinafter e-Sign.) are not the same. A digital signature is one kind of e-Sign. Whether it is a digital signature, an e-Sign. or an old-fashioned signature on paper, the intention is the same: agreeing with the terms. But they carry different legal weight and rest on different technology.
An e-Sign. includes all types of electronic approval methods. It may be an audio file, a graphical stamp or even clicking the 'Agree' tab under the Terms and Conditions, etc. It can be as simple as pressing 'place order' in an e-commerce transaction or as complex as a 'biometric signature' when filling in a KYC form while purchasing a SIM card.
Digital signatures were first used in the mid-19th century, when contracts and business transactions were carried out over telegraph machines and a Morse code encryption signature was used to verify the authenticity of the signer. The legality of digital signatures was upheld in a New Hampshire Supreme Court ruling as early as 1869.
In 1996, the UN published the UNCITRAL Model Law on Electronic Commerce, which gave uniform standards for digital signatures in e-business and e-commerce. The Model Law was prepared in response to changes in the means of communication, such as the use of computerized or other modern techniques in doing business. Article 2(a) of the Model Law defines an electronic signature as data in electronic form, affixed to a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory's approval of the information contained in the data message. Article 7 of the UNCITRAL Model Law sets out certain requisites of an electronic signature. It deals with the reliability of the e-signature and the traceability of the person making such a signature.
Taking note of the UNCITRAL Model Law on Electronic Commerce, the Indian government legalized e-authentication by passing the Information Technology Act, 2000 (hereinafter IT Act). Digital signatures began to be treated as having the same legal value as handwritten signatures, and electronic documents that have been digitally signed were placed on par with regular paper documents.
Under Indian law, a subscriber is defined under Section 2(zg) of the IT Act as ‘A person whose name is in Electronic Signature Certificate’. Section 2(p) of the IT Act defines digital signature as ‘Authentication of any electronic record by a subscriber by any means of an electronic method or procedure in accordance with Section 3 of the IT Act’. Section 2(t) of the said Act defines an Electronic Signature as ‘An electronic record to be electronically signed by the subscriber by the means of electronic technique as specified under the Second Schedule’. It also includes a digital signature within the definition of e-Sign. In simpler terms, a digital signature is a digital code which is generated and authenticated by public-key encryption and is used to verify an electronically transmitted document and the sender's identity.
As the above definition suggests, encryption, or cryptography, is the widely used method of securing important messages. Under this method, the message is encrypted, or codified, into a format unreadable to ordinary people, and only an individual with the requisite know-how to decrypt the code can read it. Remember the example of biometric information when filling in the KYC form that we discussed above? This is how the sharing of that information works.
The digital signature is created and verified by using the Public Key Infrastructure (hereinafter PKI Technology). It requires two keys: a public key, which is used to encrypt the information, and a private key for decrypting the information. The public key is shared, whereas the private key is available only to its possessor. The public key is just like an email address and the private key is like that email address's password: the public key is shared with the receiver, while the private key remains available only to the individual. For example, if A wants to send a digitally secure email to B, A must encrypt it with B's public key. Once B receives the encrypted email, he can decrypt the mail by using his private key.
Digital Signature Certificates (hereinafter DSC) are the electronic equivalent of physical or paper certificates. These certificates serve as electronic proof of an individual’s identity. A DSC is used to access information or services on the internet or to sign certain documents digitally. It essentially contains the public key of the person holding it, along with contact details and the digital signature of the Certifying Authority. The main purpose of such a certificate is to show that a trusted authority, appointed and regulated by the government, has attested the information contained in the certificate. Certifying Authorities are subject to the provisions of the Information Technology (Certifying Authority) Rules, 2000. Currently, there are a total of nine licensed Certifying Authorities in India. Information related to all the Certifying Authorities is available on the website of the Controller of Certifying Authorities.
These certificates are generally issued on a USB token which contains the DSC-based digital ID and is used, along with a personal PIN, to sign a document.
There are three types of Digital Signatures: Class-1, Class-2 and Class-3 certificates. These signatures are classified based on security levels. Class-1 certification doesn’t carry any legal recognition, as it is done on the basis of an e-mail address and not direct verification. Class-2 certificates have legal recognition, as the person’s identity is verified against a pre-verified database. In the case of Class-3 certification, the person’s identity is verified through his/her physical presence before the Registration Authority. It is the highest level of certification. Generally, Class-2 certification is required for signing documents.
Section 3 of the IT Act allows a user to authenticate an electronic record by affixing his digital signature to it. Section 3A of the aforesaid Act introduces the concept of electronic signature. It states that an e-Sign. can only be used if:
Further on, Section 3A(2) lays down when an Electronic Signature can be considered to be reliable. It states that an electronic signature or electronic authentication can be considered to be reliable if:
But how would the receiver know that the digital signature used by the sender truly belongs to the sender? Section 17 of the IT Act provides for the appointment of the Controller of Certifying Authorities (CCA) by the Central Government. Any interested party can apply to the Controller to be appointed as a Certifying Authority. The Controller also certifies the digital signatures of the Certifying Authorities.
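The key pair and certificate arrangement described above, as an added example (not code from the article or from any Certifying Authority): for a signature the roles are the reverse of encryption, so the private key produces the signature and the public key checks it, and a certificate is the issuer's signature over the subscriber's name and public key. It uses toy textbook RSA over small known primes with hypothetical names throughout, and is not secure for real use.

```python
import hashlib

E = 65537  # public exponent

def make_keypair(p, q):
    """Toy textbook RSA: returns ((n, e), (n, d)) = (public key, private key)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private                      # only the key holder can do this
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    n, e = public                       # anyone holding the public key can check
    return pow(signature, e, n) == digest(data, n)

def cert_body(cert):
    """The fields the issuer attests: who the subject is and which key is theirs."""
    n, e = cert["public"]
    return f'{cert["subject"]}|{n}|{e}|{cert["issuer"]}'.encode()

def issue_certificate(subject, public, issuer, issuer_private):
    cert = {"subject": subject, "public": public, "issuer": issuer}
    cert["sig"] = sign(cert_body(cert), issuer_private)
    return cert

def verify_document(doc, doc_sig, chain, root_public):
    """chain = [subscriber cert, CA cert]; root_public is the Controller's key."""
    issuer_keys = [c["public"] for c in chain[1:]] + [root_public]
    for cert, issuer_key in zip(chain, issuer_keys):
        if not verify(cert_body(cert), cert["sig"], issuer_key):
            return False                # certificate not attested by its issuer
    return verify(doc, doc_sig, chain[0]["public"])

# Constructed sample data. Mersenne primes keep the demo short; NOT secure.
def M(k): return 2**k - 1
CCA_PUB, CCA_PRIV = make_keypair(M(61), M(89))
CA_PUB, CA_PRIV = make_keypair(M(89), M(107))
SUB_PUB, SUB_PRIV = make_keypair(M(107), M(127))
CA_CERT = issue_certificate("Example CA", CA_PUB, "CCA", CCA_PRIV)
SUB_CERT = issue_certificate("A. Subscriber", SUB_PUB, "Example CA", CA_PRIV)
DOC = b"I agree to the terms."
DOC_SIG = sign(DOC, SUB_PRIV)
```

The receiver only needs the Controller's public key in advance; every other key arrives inside a certificate and is accepted only if the signature above it checks out.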
Offenses related to e-Sign. generally include identity theft, the publication of a forged electronic signature certificate, a certificate with a fraudulent purpose, etc.
Section 66C of the IT Act deals with fraudulent use of the electronic signature of any other person. Punishment includes imprisonment for up to three years and a fine of up to one lakh.
Section 71 of the Act deals with misrepresentation to, or suppression of a material fact from, the Controller or Certifying Authority in order to obtain a license or electronic signature. It is punishable with imprisonment of up to two years and a fine of up to rupees one lakh. Section 73 of the IT Act provides for publication of an electronic signature certificate which:
In any of the three situations mentioned above, if the electronic signature certificate has been published by any person, he shall be punished with imprisonment which may extend up to two years or with a fine of up to one lakh rupees.
Section 74 of the Act provides that the creation, publication or providing of an electronic signature certificate for a fraudulent or unlawful purpose is punishable with imprisonment for a term which may extend up to two years or with a fine of up to one lakh rupees.
Also, Section 463 of the Indian Penal Code provides a definition of forgery, which includes preparing a false document or electronic record with the intent to cause damage, or to support any claim or title, or to enter into any express or implied contract, and punishes the person with imprisonment which may extend up to two years or with a fine.
After ‘Jio’ entered the networking industry and with the recent surge of people using the internet in India, online transactions and contracts have also grown significantly. This has increased not only acceptance but also the demand for stronger protection, which is currently fulfilled by the digital signature. Then there is the Government of India’s initiative and focus on digital infrastructure, and the arrival of Aadhar, where one must give his biometric and demographic data, classified as one of the DSC. One can apply an e-Sign. to any online document by authenticating one's identity through the e-KYC method. This has helped in increasing acceptance of e-Sign.