Smart IDs and e-signatures
Uncertainty among companies
Advantages of certified e-signatures
Ten years after the enactment of the Electronic Signature Law 2001, electronic signatures are still poorly adopted in Israeli e-commerce. The law has clearly failed to meet expectations, with only two prominent projects introduced by the government:
- Reports made by public companies to the Israeli Securities Authority and the Tel Aviv Stock Exchange must be signed digitally. However, this required the issuance of only a few thousand e-signatures.
- Value added tax reports submitted to the Tax Authority must be signed electronically. Introduced in stages, this provision should apply to all businesses in Israel as of 2012. The requirement has the potential to encompass tens of thousands of signatures, and as such it recently boosted the approval of a new certificate authority.
For years, the government has been planning to issue smart identification document (ID) cards to Israeli citizens. The ID cards may now include e-signatures, following a 2010 amendment to the law. The project finally seems to be forming, but has already courted controversy (for further details see "New biometric ID database raises significant privacy concerns"). Whether Israeli citizens will ask for e-signatures on their ID cards remains to be seen.
There are a number of reasons for the slow adoption of e-signatures in Israel. Although some of these reasons may have nothing to do with the law - including a lack of government enthusiasm in support of e-signatures and the fact that the law was introduced during the economic hurdles of 2001 to 2003, which deterred organisations (eg, banks and insurance companies) from acquiring new technologies - the law in itself, as well as rigid and slow regulation, has contributed to the current situation.
The law was enacted in the footsteps of European and international legislation and focuses on:
- the admissibility and evidentiary effect of e-signatures;
- the duties of owners of signing devices; and
- the operation and regulation of certificate authorities.
The law is confusingly named - while its title implies that it deals with e-signatures in general (ie, "a signature that [contains] electronic data or an electronic sign that is attached to or associated with an electronic message"), it actually centres on "secure electronic signatures", and more specifically favours "certified electronic signatures".
A 'secure e-signature' is defined as an e-signature that:
- is unique to the owner of the signing device;
- enables apparent identification of the owner of the device;
- is created using a signing device that can be maintained under the sole control of its owner; and
- enables identification of any change to the electronic message subsequent to signing.
A 'certified e-signature' is further defined as a secure e-signature for which a certification authority (ie, "an authority that issues electronic certificates, and is registered in the Registry under the provisions of this Law") has issued an electronic certificate regarding the signature verification device (usually a public key) that is required for verifying it.
For any law that requires a signature, under Article 2 of the Electronic Signature Law such requirement may be fulfilled in respect of an electronic message only by use of a certified e-signature. When the law was approved by the Israeli Parliament (the Knesset) in 2001, over 600 laws required signatures for legal actions to be effective. This in itself should have boosted the adoption of certified e-signatures, yet for the majority of the decade that has passed since the enactment, only one approved certificate authority was operative (currently there are two). Still, only a few projects use e-signatures.
The law and its regulations provide several ways to recognise a secure e-signature, the most prominent of which is an approval by the certification authority registrar from the Ministry of Justice. However, over the past decade no signature devices have been recognised as producing the coveted secure e-signature, thereby creating uncertainty among companies that have contemplated adopting e-signature technologies.
Implementing e-signatures involves both technological and psychological barriers. Legal certainty is therefore of the essence, yet it is unclear whether an organisation can satisfy its needs with a secured e-signature that it produces through its in-house IT systems, or whether it should acquire the more expensive certified e-signature from an approved certificate authority. The Israeli Law, Information and Technology Authority, which governs the law, recently recommended that the above-mentioned Article 2 be dropped. Nevertheless, to date, no such bill has been introduced.
Advantages of certified e-signatures
Even if Article 2 of the law is eventually omitted, certified e-signatures will still have major advantages over secure e-signatures, as follows:
- Under Article 4 of the law, a certified e-signature is automatically presumed to be a secure e-signature, as before an electronic certificate can be issued, the registered certificate authority must check the applicant's signature verification device (typically, a public key) and ensure its compliance with the standards detailed in the law's regulations.
- Immediately upon discovery that its signing device has been compromised, the owner of a certified signature need notify only the certificate authority that issued his electronic certificate (in turn, the certificate authority must include the certificate in its revocation list). In contrast, upon discovering that its signing device has been compromised, the owner of a secured signature must notify anyone that might reasonably rely on its e-signature based on routine relations between them and anyone that it knows will probably rely on its e-signature. This is a much heavier burden to carry.
The slow adoption of e-signatures in Israel may be attributed to various factors, including the law and the regulation that followed. Clearing the way to a wider introduction of e-signatures and the benefits that they carry must therefore include amendments to the law and more flexible regulation.
For further information on this topic please contact Haim Ravia at Pearl Cohen Zedek Latzer by telephone (+972 9 972 8000), fax (+972 9 972 8001) or email ([email protected]).