DG-BCTF Business Case - Digital Signatures to form contracts over the Internet among parties with no prior relationships

(document status: work in progress)

There was a lot of hype in the 1990s about digital signatures as a replacement for paper contracts and, specifically, for wet signatures. Many countries enacted e-signature legislation to regulate the related liability issues, hoping to push e-commerce and e-government adoption.

After 15 years it is fair to state that the expectations associated with the hype were consistently disappointed and the future of this application looks grim. National eID programs failed to exceed a threshold of 1% active users (e.g. Austria, Japan, Finland). See below for a more detailed look at Estonia.

Jane Witt wrote in 2001 "There is mounting evidence that trying to use asymmetric cryptography as a signature on a contract is like trying to fit a square peg into a round hole, and the effort to get that square peg into that round hole has created a phenomenal sink hole into which countless individuals and organizations have poured vast resources with few tangible payoffs in sight."[1] Her far-sighted analysis is still valid ten years later.

Trying to reverse engineer the (perceived) business model, the following points can be observed:

  • Relying parties (those trusting a document carrying a digital signature) are provided with an electronic signature that is in general the legal equivalent of a wet signature, excluding a few transactions, e.g. those that need a notary anyway.
  • There are no, or only very limited, approaches to multilevel security. Some eID projects assume a single level (like the Austrian citizen card), or the signature law provides a limited selection, like advanced and qualified electronic signatures.
  • To establish trust in the certificate authority there is a requirement for "sufficient financial provisions", e.g. in Austria a minimum nominal stock capital of 700,000 € and 300,000 € in liability coverage according to [Signaturverordnung 2008].
  • The duties of the CA are basically to keep the root key secret, vet the identity of the subject and provide a revocation service.
  • The duty of the signatory is to keep its private key secret and to sign only with certified equipment as listed by the CA.
  • The details of the burden of proof will only be clarified by court decisions 10-15 years after the system is established. As far as one can predict now, this will not be any time soon.
  • The system can be applied in different sectors, like B2B, B2C, C2G etc.

                  Estonia: The Vanity Project of national eID

Estonia had money and political will as promising starting conditions: it is a small country with 1.4 million citizens. Preparing for EU accession in 2004, there was an urgent need to put EU infrastructure subsidies to good use, and the option to create a lot of administrative structures from scratch after the departure from the USSR. The mandatory national ID card was issued as a smart card to facilitate both physical and electronic authentication. Internet, mobile and telebanking adoption was among the highest in Europe. Even e-voting was established, whereas in countries like Germany and the Netherlands activists plagued lawmakers and lobbyists with security deficiencies and fundamental legal concerns.

It is no surprise that the ID card is used a lot for physical authentication. In the area of electronic authentication it competes with bank-provided authentication services and is hampered by the fact that the card needs a physical card reader. That may change once banks terminate their third-party authentication services.

Yet Estonia's citizens and businesses did not pick up digital signatures to any significant level. Although more than 80% of the population holds a PKI-enabled ID card, its adoption rate for signing is much slower than expected.

                  Lessons (that could be) learned

  • Free does not equal successful. Users do not want too much friction in their processes, and security is hard to sell. Promoting a uniform approach to authentication using digital signatures failed.
  • Projects promoted by the government are inclined to prioritize Business-to-Government and Citizen-to-Government over B2B. However, the number of transactions with the government per year is insignificant for most businesses and citizens.
  • General attempts to solve duty, risk and liability management are very difficult.
    • Mapping an established "token" such as the wet signature to an electronic signature without considering the differences violates the requirements of users and specific business processes.
    • Putting a large technical and legal burden on a user might not withstand challenge in court.
    • Relying parties might carry a substantial risk, too. Verifier implementations might fail to detect invalid signatures or invalid (expired, revoked or untrusted) certificates. Even if a broken signature is detected, it is hard to predict how liability can be enforced in court.
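The three roles of the business model above (CA, signatory, relying party) and the relying-party checks the last point alludes to, as an added example in Go that is not code from this page or from any eID project: the CA issues certificates from a self-signed root and keeps a revocation list, the signatory signs the contract hash with its private key, and the relying party chains the certificate to the trusted root, checks the validity period and revocation status, and only then checks the signature over the document. The CA names, the person "Alice", the contract text and the 2011 timeline are constructed for the example; the revoked-serial map stands in for a real CRL or OCSP service, and the key-usage and certificate-policy checks a production verifier would also perform are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue is the CA's side: bind a subject name (vetted out of band) to a public key for one year.
// A nil parent yields a self-signed root limited to signing certificates and revocation lists.
func issue(subject string, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	if parent == nil {
		parent, tmpl.IsCA, tmpl.BasicConstraintsValid = tmpl, true, true
		tmpl.KeyUsage, tmpl.NotAfter = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, now.Add(10*365*24*time.Hour)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // setup errors just panic
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// sign is the signatory's side: sign the document hash with a key only the signatory holds.
func sign(doc []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verify is the relying party's side: chain, validity period, revocation and the signature
// itself. Every check fails closed; skipping any one of them is how a verifier ends up
// accepting an invalid signature or an invalid certificate.
func verify(doc, sig []byte, cert, root *x509.Certificate, revoked map[string]bool, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { // chains to the trusted root and is within its validity period
		return fmt.Errorf("certificate not acceptable: %w", err)
	}
	if revoked[cert.SerialNumber.String()] { // a CRL or OCSP lookup in a real deployment
		return fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	h := sha256.Sum256(doc)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature by %s does not match document", cert.Subject.CommonName) // non-ECDSA keys are rejected too
	}
	return nil
}

// runScenarios verifies one constructed contract under several conditions; nil means accepted.
func runScenarios() map[string]error {
	now := time.Date(2011, 6, 1, 12, 0, 0, 0, time.UTC) // constructed timeline
	rootKey, otherKey, aliceKey, malKey := newKey(), newKey(), newKey(), newKey()
	root := issue("Example Root CA", 1, &rootKey.PublicKey, nil, rootKey, now)
	other := issue("Unrelated CA", 1, &otherKey.PublicKey, nil, otherKey, now) // not trusted by the relying party
	aliceCert := issue("Alice", 1001, &aliceKey.PublicKey, root, rootKey, now)
	malCert := issue("Alice", 7, &malKey.PublicKey, other, otherKey, now) // same name, wrong issuer
	revoked := map[string]bool{}                                          // revoked serials, stand-in for the CA's revocation service
	contract := []byte("Alice buys 100 units at 10 EUR each, delivery by 2011-07-01.") // constructed sample
	altered := []byte("Alice buys 100 units at 1 EUR each, delivery by 2011-07-01.")   // changed after signing
	sig := sign(contract, aliceKey)
	res := map[string]error{
		"valid":    verify(contract, sig, aliceCert, root, revoked, now),
		"tampered": verify(altered, sig, aliceCert, root, revoked, now),
		"wrong-ca": verify(contract, sign(contract, malKey), malCert, root, revoked, now),
		"expired":  verify(contract, sig, aliceCert, root, revoked, now.Add(2*365*24*time.Hour)),
	}
	revoked[aliceCert.SerialNumber.String()] = true // Alice reports her key compromised
	res["revoked"] = verify(contract, sig, aliceCert, root, revoked, now)
	return res
}

func main() { fmt.Println(runScenarios()) }
```

Running it prints one accepted case and four rejections. The chain check is what catches the certificate issued by a CA the relying party never trusted, even though it carries the same name as Alice's; the revocation check is what turns the CA's revocation service into an actual protection for the relying party, and it only works if the verifier consults it for every signature, not just at first use.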