Legal Security for Transformations of Signed Documents: Fundamental Concepts
Abstract
Transformations of signed documents raise questions of a technical and organisational nature which render the legal security of the transformed document doubtful. In particular, digital signatures of originals break, depriving documents of probative force. This report elucidates legal problems and introduces fundamental concepts of legally secure document transformations in a deliberately generic, application-independent way. A process analysis of transformations of signed documents is carried out to elicit common security requirements. This leads to the solution approach of the transformation seal, a cryptographically secured container used to ensure legal security for transformed documents by securing the content's integrity, attesting a transformation's correctness, and attributing it to a responsible party.

1 Modern Legislation Governing Electronic Transformation and Archiving

The principal regulation of legal issues related to the electronic transformation and archiving of documents was created as early as 1996 in the UNCITRAL Model Law on Electronic Commerce [1] (UMLEC). Since its inception, the UMLEC has served as an inspiration for the most developed countries in the preparation of national legislation, and the European Commission draws on it in the drafting of European legislation addressing certain aspects of electronic communication, e.g., the recently adopted EU Directive 2004/17/EC uses the UMLEC's definition of a data message (Article I (11)).

1.1 UNCITRAL Model Law

The UMLEC presumes a consistently applied technology-neutral approach and distinctions between the notions of 'data message', 'writing', 'original', 'signature', 'legalisation/notarisation', 'legal effect/evidential weight', and 'document archiving'. Basically, the UMLEC defines a writing at the lowest requirement level as anything in any form and on any carrier that may be reproduced and read for the purposes of subsequent reference [1, Article 6].
Therefore, any e-mail messages or any texts in electronic form ought to be viewed as writing as well as data messages, regardless of the level of security that may apply to them, or regardless of whether their source is apparent, let alone trustworthy. Further, the UMLEC defines an 'original' not only with regard to the form of the original document, but also with regard to the integrity of its content [1, Article 8]. Therefore, an n-th electronic copy of a document is deemed to be an original if the integrity of its content from the moment when it was generated in its final form can be proved. In particular, this notion was adopted in the US. In France and the UK, this provision of the UMLEC drew the comment that it is currently difficult to talk about an original document in electronic form, and that this notion ought to be abandoned altogether. Instead, it was necessary to focus on stipulating general conditions pursuant to which documents in any form (on paper or in electronic form) have full legal effect/evidentiary weight comparable to that of original documents on paper. If such conditions were satisfied, it would be possible to present the court, for instance, with an electronic document containing information from a document that was originally on paper, and the court ought to give such a document legal effect identical with the legal effect afforded to the original document. The problem with this notion arises in situations where the law expressly requires that an original be submitted. There are only a few such provisions, however, and they can be amended. The UMLEC also stipulates general conditions that affect the full legal effect/legal force of electronic documents [1, Article 9(2)]. This provision places an emphasis on securing the integrity of information, the authenticity of the originator and the credibility of the process of generation, storing and communication of data messages.
The satisfaction of such conditions is to a significant extent influenced by requirements regarding a credible (authenticated) electronic signature. The UMLEC sets out the requirements applicable to electronic signatures in its Article 7. Owing to the principle of technological neutrality, it was impossible to adopt for general electronic signatures the same concrete presumptions which exist in the EU Directive 1999/93/EC and national laws in EU member states with respect to authenticated electronic signatures based on asymmetric cryptography. Such legal presumptions concern precisely the equivalent of a handwritten signature (proof of authenticity) and the integrity of content. Part of professional practice now views their absence as a drawback, e.g., in the USA, where the principle of technological neutrality was also adopted. The UMLEC distinguishes between these general conditions and electronic legalisation/notarisation. It merely recommends in this regard that any obstacles contained in national laws that prevent legalisation through electronic means be removed (e.g., changing the requirement of affixation of an official seal, etc.) [2, Article 6]. This recommendation was implemented in all the countries referred to below. The UMLEC further expressly regulates electronic transformation and archiving of documents (Article 10), drawing there on the notions of original, data message and full legal effect/evidentiary weight, and in essence merges all the requirements mentioned above.

Footnotes:
3 e.g. Czech Act on Electronic Signatures, Act No. 227/2000 Coll., as amended
4 Directive 1999/93/EC
Section (1) of the said provision sets out the following three (sets of) requirements applicable to a data message that ought to meet the requirements for long-term archiving of documents in any form:
– requirements applicable to the data message (information contained therein needs to be accessible so as to be usable for subsequent reference);
– the data message needs to be retained in the format in which it was generated, sent or received (i.e., the original format), or in a format which can be demonstrated to represent accurately the information generated, sent or received (this provision is expressly directed at transformation of documents on paper into electronic form); and
– such information is retained as enables the identification of the origin and destination of a data message and the date and time when it was sent or received.