Compliance of digital signature systems with Indian law

India has adopted the digital signature law under the Information Technology Act (ITA 2000) and declared it to be the only form of authentication of an electronic document recognized in India.

Initially there was Section 3 which adopted a system that uses hashing of a document and encrypting the hash with the private key of the person as the method of authentication.

The created “digital signature of a document of a person” was therefore …

“The hash value of the document encrypted with the private key of the person”.

This digital signature file has to be embedded with the document to create an integrated digitally signed document. (Please refer to an example of incorrect use of digital signature by ICICI Bank in 2004)

Subsequently ITA 2000 was amended and Section 3A was added to introduce an “Electronic Signature” which was technically not much different from the Section 3 description. In around 2015 and later in 2016, rules were framed for “E-Sign” as an alternative means of authentication of electronic documents. E-Sign was technically similar to a digital signature except that the certificate was a one-time-use certificate issued on a real-time basis with an e-KYC done through Aadhaar. I have earlier discussed certain aspects of e-Sign which I am not going to repeat here.

At this point of time, my attention was drawn to the practice of some Indian companies using “Docusign” and “AdobeSign” and using the term “Electronic Signature” for them. I have earlier expressed my strong views against FIDO system.

I have no issues with the use of document management systems along with the authentication methods which may be proprietary to any commercial entity whether it is FIDO or Microsoft or Adobe. However, when companies are looking at these solutions they should not be confused by the use of the term “Electronic signature” into thinking they are following a system which has the approval of the Indian judicial system.

Both Microsoft and Adobe have made their MS Office and Adobe Reader compatible with the Indian system in a different way. But the system where they use a handwritten signature on a mobile or tablet or a touch-sensitive keyboard may not meet the Indian legal standards. To the extent there would be a provision to import the Indian digital signature certificate like the system used in MS Office or Adobe Reader (new version) or Adobe Acrobat, it would be compatible with the Indian law.

Docusign as well as AdobeSign may require the document to be uploaded into the server and probably a copy would be retained there with the metadata. If so, there would be a confidentiality/privacy issue which is a separate matter to be dealt with. In case the service provider is only capturing a hash value of the document to be signed without it being uploaded to the server and then retaining the metadata along with the hash value of the document, the confidentiality concern may not be there.

However, in the digital signing process, if the private key of the service provider is used, or a PGP key, or a private key generated in a cloud-based HSM system, the requirements of ITA 2000/8 are not satisfied.
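The hash-then-sign scheme described under Section 3, the hash-only capture model, and the question of whose private key produces the signature can be seen together in the following added example, which is not from the original post or from any vendor's code. It uses textbook RSA with constructed toy keys and hypothetical function names so that it runs on Python's standard library alone; production signatures use padded RSA or ECDSA with a key held by the signer.

```python
import hashlib

def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Textbook RSA key from two primes (no padding; illustration only)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# Constructed toy keys built from publicly known Mersenne primes: insecure by
# design, used only so the example runs with the standard library.
SIGNER_KEY = make_key(2**521 - 1, 2**607 - 1)     # hypothetical: the person's own key
PROVIDER_KEY = make_key(2**607 - 1, 2**1279 - 1)  # hypothetical: service provider's key

def document_hash(document: bytes) -> int:
    """SHA-256 of the document, computed locally, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def signing_request(document: bytes) -> dict:
    """What leaves the signer's machine in the hash-only model: no content."""
    return {"sha256": f"{document_hash(document):064x}", "length": len(document)}

def sign_hash(h: int, key: dict) -> int:
    """'Hash value encrypted with the private key': s = h^d mod n."""
    return pow(h, key["d"], key["n"])

def embed(document: bytes, key: dict) -> dict:
    """Integrated signed document: content plus its signature."""
    return {"document": document, "signature": sign_hash(document_hash(document), key)}

def verify(package: dict, public: dict) -> bool:
    """Recover the signed hash with (n, e) and compare with a fresh hash."""
    recovered = pow(package["signature"], public["e"], public["n"])
    return recovered == document_hash(package["document"])

if __name__ == "__main__":
    doc = b"Constructed sample agreement between A and B."
    signed = embed(doc, SIGNER_KEY)
    print(signing_request(doc))
    print("signer's key verifies:", verify(signed, SIGNER_KEY))
    print("tampered copy verifies:", verify({**signed, "document": doc + b"!"}, SIGNER_KEY))
    by_provider = embed(doc, PROVIDER_KEY)
    print("provider-signed, checked against signer:", verify(by_provider, SIGNER_KEY))
```

A signature made with the provider's key verifies only under the provider's public key, so by itself it attributes the act of signing to the provider rather than to the person named in the document.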

It is interesting to note that the website of docusign.in liberally quotes ITA 2000 and says eSignature is recognized in India since 2000. It makes a reference to Section 3, Section 1(4) and Section 3A, as well as Section 65B of Indian Evidence Act in its summary. However, the references mislead the visitor to the website into believing that the Docusign system is compatible with ITA 2000. This needs to be corrected.

These systems take advantage of the fact that even an “Undigitally signed” electronic document is recognized in law. If there is associated information that provides more corroboration to the undigitally signed electronic document, it will be like a “Witnessed” document and will be better than one not so authenticated. So the Docusign or AdobeSign documents fall in between the undigitally signed documents and digitally signed documents.

The Courts have two options to deal with the documents using these “Systems which are not legally recognized in India”. The first is to consider the document as an “Oral Statement duly witnessed”. They can be produced in the Courts with Section 65B certificates.

The second option is to reject the admissibility of the documents since they are neither Section 65B certified nor digitally signed.

Naavi uses a system of CEAC-Dropbox which uses the Section 65B certification along with the metadata captured by the trusted third party.

If the Courts accept the docusign or Adobe sign documents as equivalent to digitally/electronically signed documents under Section 3 or 3A, then the Courts will be acting outside the ITA 2000. It may be recalled that there was a time when Banks used to take Safe Deposit Locker agreements without any stamps affixed and a standard procedure to pay a penalty when the documents were required to be presented to the Court. The Courts (This is a 1970’s judgement probably by the Karnataka High Court against State Bank of India) took the view that this would amount to cheating the Government of the revenue and hence the regularization of the document with penalty should not be allowed as a matter of routine.

This principle should also be applied here and Courts should not permit the companies like docusign or AdobeSign or FIDO to provide services which render the services of licensed Certifying Authorities meaningless.

In the current scenario where Companies are resorting more and more to use of online documents, there is an increased interest in e-Sign and digital signatures. The Companies should put in place an E-Sign API so that any user who is required to submit a digitally signed document can use their Aadhaar number and affix their signatures as they do in case of the filing of IT return or MCA return. The Company itself should issue secured digital signature dongles to their employees, make them download their own digital signatures and use them when they have to issue digitally signed documents on behalf of the company. The designation and representative capacity of the signer can be embedded in the digital certificate as a parameter.

The cost of implementing these systems is low and should not be a constraint.

Besides these, the users can use their own digital signatures either for e-mail or for documents by using desktop e-mail applications such as Outlook/Mozilla (for e-mails) and MS Office and Adobe Acrobat/Adobe DC for PDF documents.

Additionally, there are stray companies like Odessey Technologies Ltd in Chennai which did develop desktop solutions for applying digital signatures either once on a document or sequentially by multiple persons using Indian digital signature systems. Companies should explore this Make in India option and develop their document management system instead of using systems which are legally not completely acceptable. Even this company, which is quite old and in a way was a pioneer in the area, is not marketing its services to individuals and is focusing only on Banks.

There is a need for some innovative companies to start developing solutions which can be used by every individual desktop user and mobile user and which are also compatible with Indian law. Ujvala Consultants Pvt Ltd of Naavi and another software company developed a tool called “Ujvala-Bellur digi sign” which was for the specific purpose of compliance with Section 7A of ITA 2000/8. This was not seriously marketed but proved that such tools are not rocket science to develop and many large companies may be able to develop such tools in-house.

Probably the Corona lock out is the right incentive for such companies and technology enthusiasts to develop such tools which have not been developed since 2000 when the law of digital signature became a reality in India.

Naavi
