…Has it mixed up the meaning of electronic signatures and digital signatures?
I have had to tweak an article I wrote in 2011 on the treatment of “electronic signatures” and “digital signatures” by the Electronic Transactions Act, 2008 (Act 772) since I find it still relevant having noticed that the recent Cybersecurity Act, 2020 (Act 1038) in repealing Sections 118 and 136 of Act 772 did not take the opportunity to deal with the confusion with digital signatures in Act 772 which is relevant in cybersecurity.
Act 772 seems to be referring to “electronic signatures” whilst talking about “digital signatures” or vice versa and this gets me confused. In my opinion there is a distinction between an “electronic signature” and a “digital signature” and I stand to be corrected in my understanding.
My understanding of “electronic signature” is that it is data in electronic form which can be attached to, or logically associated with other electronic data and which serve as a method of authentication. Basically, it is a digitised version of a handwritten signature. This therefore means that the following may fall under electronic signatures:
- A hand signed signature in ink, scanned and electronically delivered
- Electronically typed (Computer) signature and electronically delivered
- An electronic typed name and electronically delivered
- An electronic symbol that is electronically delivered
The above attached to an electronic document may not be a safe way of authenticating a document but acceptable as long as the signatory accepts having signed the document. After all in the offline world, in the use of hand written signatures, I guess a person relying on any signature bears the legal consequences of failure to take reasonable steps to verify its authenticity or making sure that it has been signed by the person who purports to have signed it. There need not be any special provision in the digital world but a more secured form of electronic signature is needed for users to rely on electronic documents since the points of failures with respect to fraud are numerous on the digital platform hence the need for “digital signatures”.
My understanding of “digital signature” is that it can be said to be an advanced and most secured form of electronic signature where the use of cryptography techniques is employed. Do I really have to explain cryptography? No just google it but it involves the use of Private and Public Key Infrastructure where both parties (the signer and the one relying on it) have a registered digital certificate from a certificate service provider. More confusing I guess. Sorry but just google if you wish to understand this technology since this article is not about the technology but the legal issues.
A “digital signature” should therefore be able to uniquely identify and be linked to the signatory by way of authenticity; be created using means that the signatory can maintain under his sole control by way of non-repudiation/security and must be linked to the data to the extent that any subsequent change of the said data can be detected by way of integrity of the data. This is what makes this form of electronic signature the most secured. The digital signature is therefore another form of electronic signature. In effect, where cryptography techniques are employed in electronic signatures we have a digital signature and this is not the same as a digitised handwritten signature.
GHANA’s POSITION UNDER ACT 772
Ghana has given legal recognition to electronic information subject to certain exclusions as satisfying the requirement of where the law requires documents to be in writing. Where information needs to be retained or presented in its original form, it is also satisfied by an electronic record once ‘there is reliable assurance of the integrity of the electronic record and is capable of being displayed to the person to whom it is to be presented’
Integrity according to the Act 772 refers to ‘…whether the information has remained complete and unaltered…’
With respect to authentication and validity of electronic documents by way of signatures, Act 772 states that:
S10(1) Where a law requires the signature of a person, that requirement is deemed to be satisfied in relation to an electronic record if a digital signature is used.
S12 A person may sign an electronic record by affixing a personal digital signature or using any recognized, secure and verifiable mode of signing agreed by the parties or recognized by the industry to be safe, reliable and acceptable.
The Ghanaian law with respect to signatures on electronic documents seems to move towards being technology specific with the use of ‘digital signatures’ but interestingly the meaning of ‘digital signature’ as per the Act in my opinion is a bit of a misnomer as to my general understanding of its as stated earlier.
S144 of Act 772 however gives the meaning of ‘digital signature’ as:
Data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature
The above to me is more of defining an ‘electronic signature (e-signature)’. It even gets complicated under S10(2b) of the Act, when a digital signature is deemed to be authentic if:
The means of creating the digital signature was, at the time of signing, under the control of the signatory and not another person without duress or undue influence.
The challenge here is that the wording ‘means of creating’ and ‘…under the control..’ portray the use of some encrypting technology such as possession of a ‘private key’. If that is the case, then the meaning given to ‘digital signature’ under S144 is ambiguous and not too clear.
The complication with electronic signatures gets exacerbated when S15 of the Act under ‘Notarisation, acknowledgment and certification’ the Act states that:
Where a law requires a signature, statement or document to be notarised, acknowledged, verified or made under oath, that requirement is deemed to be satisfied if the electronic signature of the person authorised to perform those Acts is affixed to an electronic record.
The ambiguity in my opinion with the above are:
- It suggests that documents can be electronically notarised or made under oath with an ‘electronic signature’, however under S(4h) it is stated that the Act does not apply to ‘swearing of affidavits or statutory declarations before Commissioner for Oaths or Notary Public’.
- This is also the first time the term ‘electronic signature’ is being used in the Act and no meaning has been given to it unless it is referring to “digital signature”
S(11) of the Act is headed ‘Equal treatment of digital signatures’. Under this it states that:
Except as provided in this Act, the provisions of this Act do not exclude, restrict, or deprive of legal effect, any method of creating a digital signature which
- Satisfies the requirement of the Act
- Meets the requirement of other statutory provisions, or
- Is provided for under a contract
The above section also is confusing with the use of ‘digital signature’. What is meant by the wording ‘.. method of creating a digital signature..’. There are quite a number of methods in creating ‘electronic signatures’ which includes ‘digital signatures’ as the most secured. Was this section intended to read ‘Equal treatment of electronic signatures’?. In my opinion there is a misapplication of the use of the terms ‘electronic signatures’ and ‘digital signatures’ with respect to what is intended in Act 772.
Sections 25 to 27 of Act 772, deals specifically with e-government services and basically provides that public bodies are to amongst others:
- Arrange to carry out their functions electronically or online
- Accept electronic filing of documents
- Accept payment electronically
This is a positive development for the provision of e-services, the challenge however seems to be with respect to electronic signature where it allows a public agency to determine by notice in the Gazette:
‘the type of electronic signature required where the electronic record has to be signed’
‘the manner and format in which an electronic signature shall be attached to, incorporated in or otherwise associated with electronic record’
‘…the public agency may designate an authentication service provider as the preferred service provider’.
The above gives too much leeway to different public agencies to come up with various electronic signature formats without any uniformity. This will not make the e-services an enjoyable experience and very much ‘producer centred’. Would the e-citizen need to remember all the e-signature requirements for all the multiple public agencies she deals with? As mentioned earlier, the Act does not define what an ‘e-signature’ is.
In as much the Ghanaian law is giving legal recognition to the use of ‘digital signature’ it somehow does not give the needed confidence required to encourage its usage. Under the law:
S13 A person who relies on a digital signature shall bear the legal consequences of failure to
- take reasonable steps to verify the authenticity of a digital signature or
- take reasonable steps where a digital signature is supported by a certificate, to either verify the validity of the signature or observe any limitation with respect to the certificate’
The above is a statement of fact with respect to “electronic signatures” where the duty of care like the offline world is placed on the person relying on the signature. With respect to “digital signatures” the duty of care should rather be placed on providers of digital signature services to the extent that they are liable in damages for being negligent should any person rely on their certification as the UK provides. Should S13 be refering to “electronic signatures’?
The emphasis being made in this provision concerning “digital signatures” is a bit scary and could have been left out. What an encouragement for us to go online? We are already scared of doing business on the digital platform and the Act is telling us we are sort of on our own. Well again I guess it depends on the intended meaning of “digital signature” in the Ghanaian context which to me is confusing since there is the need for cryptography support services for this form of electronic signature certification to be deployed. The providers of cryptography support services are supposed to be licensed so how can the Act say you are on your own if you use their services without verifying the authenticity of their product. What tool is the ordinary Ghanaian supposed to use to do this? It is analogous to saying, every trotro passenger must authenticate the driving license of the driver before boarding else you are on your own.
CONCLUSION
I have no doubt in my mind that the framers of the law intended to make sure Ghana adopted a more secure form of authenticating electronic documents which is good for cybersecurity but it seems we have in the process mixed up or interchanged the meanings of “electronic signatures” and “digital signatures”.
Who are framing the e-laws? Are they the traditional lawyers or the IT experts. In my opinion they should be what I will call “IT compatible lawyers” and “law compatible IT experts” who can appreciate both the legal and technological ramifications of what we adopt and how we adapt it to our present circumstances to ease the confusion. For me I remain confused with the treatment of digital signatures and electronic signatures under Act 772. It will be interesting to know how the lawyers and courts will be dealing with cases that may come up in this area of law. I guess we will have to cross the bridge when we get there.
The author holds an EMBA (IT Management) an LLB and an LLM (IT & Telecommunication)