Covering Your Digital Assets

Covering Your Digital Assets

Is an electronic "signature" on an electronic document, produced with a couple of keystrokes, as valid as a "signature" hand-drawn in the presence of witnesses? In Australia, for now, the answer appears to be "yes and no".

Practically since the signing of the Magna Carta, legal determinations have revolved around the contents of written documents and the written signatures of the parties to those documents. However, with e-commerce rapidly redefining the way in which business is conducted and with uncertainty increasingly the name of the game, pressure has inevitably grown for a significant rethink. For business and government alike, the most urgent legal question to address has been how the law ought to deal with documents and signatures that are represented in bits and bytes, rather than strokes of a pen on paper. The Australian government, like others around the globe, has risen to the task at hand.

Odette Gourley, an intellectual property and e-commerce lawyer and partner with Minter Ellison, says for government and business the news from the legislative front is good. In recent times, Gourley has been reassuring clients worried about whether they could safely maintain all their records electronically. "I'm telling them ‘go for it' - that it's okay to rely on electronic record-keeping," she says.

"You still need to have all of the same disciplines as with any record-keeping system that there is for business to business, but there are now a number of areas in which the law really does recognise electronic records and doing business electronically," Gourley says. "I'm very bullish about it, very confident about it."

Still, there are important provisos for business to bear in mind. For instance, an electronic signature can only be created with special software and authentication procedures. Unless all parties have the same software, or software capable of recognising someone else's electronic signature and authenticating it, and have agreed to use the same authentication procedures, there will be problems.

There's also another concern. While the Commonwealth Electronic Transactions Act will only govern transactions covered by federal law, most of Australia's commercial activity is conducted under the laws of the states. Some state governments are moving faster than others on providing complementary legislation, and there are differences in the proposed laws for each state, leading to some uncertainty for players on Australia's electronic commerce landscape.

That leaves businesses to consider whether the jurisdiction has passed an equivalent Act to the Evidence Act 1995 of the Commonwealth. If you're litigating outside one of these jurisdictions, then you may not be able to prove your case. Kim Heitman, a lawyer and the chairman of Electronic Frontier Australia, is concerned the federal Act may end up oppressing people who rarely check their e-mail. He says typically the use of e-mail as the sole means of communicating to clients of finance companies, insurers and government may be crucial in terms of response time.

Heitman judges the Victorian Bill is better than the federal or NSW Bills, and says he's impressed by the WA Bill, which was before state parliament at the time of writing. It contains a number of useful clauses, such as conditional consent to electronic communications and that all laws are subject to the Bill unless explicitly excluded by regulations. The WA government has indicated in the second reading speech and explanatory memorandum that only critical signings such as wills and powers of attorney will be excluded from the ambit of the Bill by regulation.

Virtual Silence

Until last year Australian law was virtually mute on the legality of contracts and transactions in cyberspace, despite a raft of legislation requiring people to provide information in writing, to sign documents to give them validity or to retain information contained in documents. We all knew certain contracts had to be in writing before being considered valid, but was an electronic document considered to be "in writing"?

To provide some much needed answers, the federal government set up the Electronic Commerce Expert Group, which recommended that the government "enact comprehensive framework electronic commerce legislation, by which all other laws in Australia will be interpreted".

Early in 1999, the federal government also announced its Strategic Framework for the Information Economy. That document identified the government's priorities for action with regard to Australia's IT&T infrastructure and its goals for ensuring Australia was well positioned to exploit the full potential of the information era. "A Strategic Framework for the Information Economy - Identifying Priorities for Action" detailed strategic priorities aimed at ensuring that "the lives, work and well-being of Australians are enriched, jobs are created, and the national wealth is enhanced, through the participation of all Australians in the growing information economy".

The government also established the National Electronic Authentication Council (NEAC) in October 1999 with a mission to enhance business and consumer confidence in e-commerce systems through overseeing the development of a national framework for electronic authentication of online communications. Then late in 1999, the Australian Parliament passed the Electronic Transactions Act - designed to put electronic transactions and paper transactions on an equal footing - as part of a range of measures to make it easy for business to communicate and deal with government electronically. Changes to the Evidence Act to facilitate electronic record-keeping, amendments to the Copyright Act introducing technology-neutral copyright rights, provisions in court rules and decided common law cases in relation to evidence have also gone a considerable way to encouraging business to rely solely on electronic records.

Electronic Transaction Act

The Electronic Transaction Act (ETA) received Royal Assent in January 2000. Before July 1, 2001, the ETA applies only to laws of the Commonwealth prescribed by regulation. From July 1, 2001, the ETA will apply to all laws of the Commonwealth unless they have been specifically excluded from the application of the Act.

The basic purpose of the Act is to give validity to the transferral and storage of information by electronic means including e-mail. The Act specifies that where contractual provisions call for or allow information to be passed from one party to the other, this can validly occur via e-mail or other electronic means. The only exceptions are where the contract provides to the contrary or the recipient makes it clear that they do not consent to the use of electronic communication.

However, certain requirements must be satisfied for the valid use of electronic transferral or electronic storage of information. The most significant of these specifies that there must be a reasonable expectation that the information would be readily accessible so as to be usable as a subsequent reference. In addition, where parties have experienced difficulties in the transfer of information, or have yet to successfully communicate electronically, any party wishing to rely on electronic transferral of information for the service of notices under a contract should seek confirmation from the other party that any notice has been received.

Jamie Salloum, legal officer with the Attorney General's Information and Security Law division, advises that at the time the information is given it must be reasonable to expect that the information would be readily accessible so as to be usable for subsequent reference. The readily accessible requirement is objective and means only that the information contained in the communication can be accessed and used by others. Therefore, software necessary to allow information to be read should be retained, Salloum says.

The reasonableness element has been inserted to make clear that a person is only required to comply with the provisions at the time the information is given. A person should not be subject to any ongoing obligations in relation to the use of an electronic communication by, for example, ensuring that the communication is regularly updated to take account of the latest developments in technology. Salloum says the provisions should also be read subject to other laws that deal with access to information, such as the Disability Discrimination Act 1992.

The recipient of the information must have given their consent to the transferral of such information via electronic means. Consent for the use of electronic communications may be express or implied by conduct, and may be granted subject to conditions. Minter Ellison says while there's a large body of law dedicated to determining when consent should and should not be implied, it is preferable to expressly state in the contract whether the use of electronic communication is agreed. Express statements will limit potential confusion and disputes.

Timing Is Everything

Some uncertainty still surrounds the issue of when and where an electronic communication is deemed to have been sent and to have arrived. This is particularly important where contracts contain time bars or prescribed locations for the service of notices.

Section 14 of the ETA provides default rules to determine when, and from where, an electronic communication is sent and when and where it was received. The rules depend on whether the recipient has told the sender to transit the electronic communication to a particular information system or not. Where the recipient has given specific directions and the communication is transmitted in accordance with these directions, subsection 14(3) says that the communication is received when it enters the designated information system. In all other cases, subsection 14(4) states that the electronic communication will be received when it comes to the attention of the recipient.

The Attorney General's department says Section 14 applies depending on whether the parties to the communication have agreed otherwise and whether the parties have designated a particular information system for the communication. Parties may agree to vary these rules to determine the time and place of dispatch and receipt in their dealings with each other.

As a result, unless otherwise agreed, the Act deems an electronic communication to have been dispatched at the moment it enters a single information system outside the control of the originator. So in the event of a communications failure, a notice can be deemed to be served without the person on whom it is being served actually receiving that notice.

Further, where the information system (for example, e-mail, mobile phone text) has been designated, the time of receipt of the electronic communication is, unless the parties have otherwise agreed, the time the electronic communication enters that information system. In this case, a notice may be served despite the fact that the recipient may have neither seen the notice nor actually received it.

Unless otherwise agreed by the parties, any electronic communication sent is deemed to have been sent from the originator's place of business and deemed to have been received at the addressee's place of business. Minter Ellison says the place of origin and receipt of an electronic communication may be of significance from a jurisdictional perspective or where a contract specifies that notice is to be served in a particular office or location.

Parties to a contract should seriously consider whether they wish to have these rules apply to them, Gourley advises. If not, the use of electronic transmission should be expressly governed by or excluded within the terms of the contract.

The laws also create another difficulty. They mean that every e-mail message and any document in other forms of electronic communication and storage are legally classified as documents. That means they will be discoverable in the event of litigation. Minter Ellison says business should follow the general rule that e-mail is not a private conversation. "If you would not put something in a letter or (more significantly) if you would not like to hear it repeated in court, do not put it in an e-mail."

Special Responsibilities

Taken together, the provisions impose special responsibilities on IT managers and CIOs, says Phillips Fox e-commerce guru Andrew Chalet. "You have to get in place a system where you know when you've received an e-mail; you've received a notification for example under the Electronic Transactions Act.

"It effectively gives a default notification procedure - for example when notifications are made online if there's no separate provision regarding when you judge that notification to have been received, or if it's been received, then the Act will say it's been received and if it has and when it has," Chalet says. "Part of the test of that is deciding when an e-mail has entered a receiver's information system."

Chalet says IT managers have to clearly be able to identify when notification has reached their system.

Second Set of Books

It's clear that from a legal perspective conducting electronic commerce means keeping verifiable, reliable electronic records every step of the way.

Gourley says while the law facilitates business relying solely on electronic records, the question for systems managers is how to manage the risk of destruction of electronic records. "Now, in fact, it's easier to keep a second set of electronic records than it is to keep a second set of hard copy, so there are a whole host of efficiency reasons why moving to sole reliance on electronic record-keeping is the way to go," Gourley says.

But while the advice may be legally sound, it's not something relied on at Gourley's own law firm. "As a law firm, do we rely solely on Electronic Record Keeping? Well, no way. We've still got our hard copy.

"I think all business is still to some extent using hard copy for current matters and I think there's a difference between what you do for current matters and what you do for long-term record-keeping," Gourley says.

As another Phillips Fox partner, Robin Shute, points out, electronic information is not as easy to find as paper and can be inadvertently disposed of either as upgrades occur or space is cleared for new information. Businesses beware!

Sign on the Digital Line

The phrase "electronic signature technology" can generate some confusion, as the terms digital signature and electronic signature are often used interchangeably. In fact, they are two quite different things.

Electronic signatures refer to the broader, overall category of e-signature technologies, which don't necessarily have to be based on cryptography (encoding). Instead, they may be based on biometrics (reading fingerprints or voices) or the digitisation of a regular, hand-written signature.

A subset of electronic signatures - digital signatures - uses cryptography to convert data into a secret code for transmission over a public network. These technologies are often considered the most secure and reliable form of electronic signature because they use public-key infrastructure technologies to ensure that the electronic message has not been altered during transmission.

Say you wanted to draft and complete a contract with a customer using a digital signature. To do so, you'd first have to acquire a digital certificate - the electronic equivalent of an ID card. Several companies, including VeriSign and Entrust Technologies, are licensed to issue such certificates. Once you sign up, the provider transmits the certificate to your computer. You also receive two digital keys - one private and one public.

To sign a document, you enter a password or PIN and affix your electronic signature - the private key - to the document. The person or company receiving your document would then use the public key to unlock your certificate and verify that the signature is valid. Once confirmed, they could sign the document using their own digital tools and return it to you. Throughout the process, the software documents the date and time of each signing, while built-in security measures ensure that the documents haven't been altered anywhere along the process.

Three categories currently serve the electronic signature market. The first category - includes Entrust Technologies, Litronic and VeriSign - provides digital certificates. The second group - including eOriginal, iLumin and signOnline - sells software and other infrastructure required for electronic signature transactions to take place. The third category - which includes DataKey and OS Crypto - sells hardware such as smart cards, fingerprint scanners and retina-scanning devices designed to add a biometric element of safety to electronic signature transactions.

There are several ways a business can implement electronic signature technology. One of the most basic is within the company's e-mail program. In this manner the massive amounts of information associated with personnel matters, such as benefits, could be posted to an intranet. Employees could then use digital certificates to direct changes to their superannuation plans, healthcare benefits, personnel records and so on.

Companies can also extend digital signatures outside corporate walls. Using an extranet, a company could set up electronic signatures with its business partners, suppliers or buyers, allowing those parties to order materials, goods and services securely online without the hassle of sending paper documents back and forth via fax or FedEx.

Ultimately, the concept will likely extend to business-to-consumer transactions as well, though this area looks likely to proceed more slowly. "On the business-to-consumer side, the issue of case law and precedent will be more important," says James Van Dyke, senior analyst with New York City-based Jupiter Communications, an Internet research and advisory company. "Because businesses no longer have to send paperwork to their customers under this law, it is perceived as taking a lot of power out of consumers' hands. Privacy groups and consumer rights groups are going to be very active when it comes to this topic, and businesses will proceed with caution."

By J Brown

There Oughta Be a Law

According to Minter Ellison technology and communications lawyer Anne Trimmer, Australia is still dragging its feet and failing to take a leadership role in providing certainty in e-business. Trimmer says at best the Electronic Transactions Act is a minimalist first step into the world of e-commerce, particularly when compared with the Electronic Signatures in Global and National Commerce Act that President Clinton signed into law on June 30.

"The American legislation sets the framework for international e-commerce transactions by embracing provisions which promote the worldwide acceptance of electronic signatures," Trimmer says. "Furthermore, the US law requires the American government to reduce or eliminate any impediments which may discourage the commercial world from using such signatures," she says.

The principles underpinning the US law to which Trimmer referred include:the removal of paper-based obstacles to electronic transactions based on the UNCITRAL Model Law; the right of parties to a transaction to determine appropriate authentication technologies and implementation models for their transactions with the assurance that the technologies and implementation models will be recognised and enforced; the right of parties to prove in court or other proceedings that their authentication approaches and transactions are valid; and a non-discriminatory approach to electronic signatures and authentication methods used in other countries.

"By encompassing only the first of these four principles, the Australian Act falls well short of providing a strong basis for a fully functioning global e-commerce environment," Trimmer says. "This means that there is now a significant gap between the Australian and American legislation in an area where it is obvious that complementary approaches are called for," she says.

Trimmer has called on the Commonwealth to consider additional action to address the outstanding areas of international e-commerce identified in the US Act so that we do not end up poles apart from the rest of the world's leading trading nations.

"If that doesn't happen, our ability to participate in global e-trade will be severely restricted," Trimmer says.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Attorney General's DepartmentCartaDatakeyEntrustEntrust TechnologiesFedExILuminJupiterJupiter CommunicationsLitronicMinter EllisonMinter EllisonNEACPhillips FoxPhillips FoxProvisionVeriSign Australia

Show Comments