Electronic signature: what if we talked about the "link"?

The conceptual approach

This approach takes us back to the very concept of signature, for which, it should be remembered, there was no definition in the Civil Code before Law No. 2000‑230 of 13 March 2000. To give the electronic signature the same legal value as the handwritten signature, it was necessary to examine the characteristics of the handwritten signature, which of course identifies its author but is also inextricably linked to its medium: it is literally embedded in it and cannot be removed without damage. This link therefore had to be an intrinsic quality of the electronic signature, and the European and French implementing texts on the electronic signature endorsed the use of cryptographic infrastructures based on asymmetric encryption, making it possible to create for a signed electronic document the equivalent of the link between ink and paper.

The technical approach

This approach involves diving into the steps involved in creating an electronic signature via a so‑called "public key infrastructure" (PKI), which uses asymmetric encryption techniques. 

Assuming the signatory of the deed has been previously identified, the document in electronic form first undergoes a cryptographic operation that creates a "fingerprint", or "hash", of it. This fingerprint is unique for a given document and makes it possible to check that the document has retained its integrity: if the document is modified, the fingerprint changes.

The fingerprint of the document is then encoded with the signer's private key, which is unique. The private key/public key pair is generated by the trust service provider either for a certain period or for a few minutes corresponding to the signing operation, and is then referred to as a "certificate on the fly".

Technically, the "electronic signature" is the file resulting from the encoding of the fingerprint with the signer's private key. This file is unique for a given document and a given signer, and it is inextricably linked to both the document via its fingerprint, and the signer via its private key.

The criterion of "univocity" mentioned in Art. 26 of the eIDAS Regulation and included in the criteria of the advanced signature means that the same electronic signature cannot be generated for two different signatories.

This subtlety is important because it implicitly means that an electronic signature cannot be advanced if it has not been generated with a nominative private/public key pair (and therefore a nominative electronic certificate). This feature differentiates the advanced signature from the simple signature, which is often produced by encoding the fingerprint of the document with the private key of an electronic seal assigned to the trust service provider. In such a case, the uniqueness of the signature is not guaranteed, because if a standard document (e.g. terms and conditions) is signed by signatory A and by signatory B, the electronic signature file will be the same. By contrast, it will be different if each signer uses their own private key (a named certificate): since each key is unique, the resulting signature file will not be the same for A and for B.
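The steps described above (fingerprint, encoding with the private key, and the seal versus named-key case), as an added example that is not part of the original article. It assumes a deterministic scheme, here unpadded textbook RSA with constructed toy keys; all function and variable names are hypothetical and the keys are insecure, for illustration only.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Build a toy RSA key (modulus n, public e, private d) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

def fingerprint(document: bytes, n: int) -> int:
    """SHA-256 of the document, reduced mod n only because the toy key is small."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, key) -> int:
    """Encode the fingerprint with the private exponent: the 'signature file'."""
    return pow(fingerprint(document, key["n"]), key["d"], key["n"])

def verify(document: bytes, signature: int, key) -> bool:
    """Decode the signature with the public key and compare to a fresh fingerprint."""
    return pow(signature, key["e"], key["n"]) == fingerprint(document, key["n"])

# Constructed toy keys built from known Mersenne primes (assumption, demo only).
M89, M107, M127 = 2**89 - 1, 2**107 - 1, 2**127 - 1
SEAL_KEY = make_key(M127, M89)   # electronic seal of the trust service provider
KEY_A = make_key(M127, M107)     # named certificate of signatory A
KEY_B = make_key(M107, M89)      # named certificate of signatory B

TERMS = b"Standard terms and conditions, version 1"  # constructed sample document

def seal_signatures():
    """A and B both sign through the provider's seal key."""
    return sign(TERMS, SEAL_KEY), sign(TERMS, SEAL_KEY)

def named_signatures():
    """A and B each sign with their own private key."""
    return sign(TERMS, KEY_A), sign(TERMS, KEY_B)

if __name__ == "__main__":
    seal_a, seal_b = seal_signatures()
    print("seal key, same file for A and B:", seal_a == seal_b)
    sig_a, sig_b = named_signatures()
    print("named keys, same file for A and B:", sig_a == sig_b)
    print("A's signature verifies with A's public key:", verify(TERMS, sig_a, KEY_A))
    print("A's signature verifies with B's public key:", verify(TERMS, sig_a, KEY_B))
    print("verifies after the document is modified:", verify(TERMS + b"!", sig_a, KEY_A))
```

With the seal key, nothing in the signature value distinguishes A from B; with named keys, the signature verifies only against the signer's own public key and only for the unmodified document.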

The opportunistic approach

The technical approach is currently totally ignored by the French judge, which is not surprising insofar as it is undeniably complex. For the judge, there is a link as soon as there is a common reference between the signed document and the evidence file.

Why not: since the evidence file generated by the trust service provider is necessarily linked to the transaction and mentions the identity of the signatory, the fact that this file includes the reference of the signed document can be seen as the link between the deed and the signature identifying its author of Art. 1367 (2) of the Civil Code.

Unlike the technical approach, this type of link exists regardless of the level of eIDAS signature, whether it is simple, advanced or qualified, if the evidence file fulfills this expectation.

This is an opportunistic approach because it is not based on a technical reality and could even be subject to fraudulent manipulation. But it has the merit of being easy to understand and it is widely adopted by the players in the field, whether they are trust service providers, professionals who implement the signing process, or judges.

And in the end?

In the end, we believe that the correct understanding of the link mentioned in the French and European legal texts defining the electronic signature is the technical approach. This question is currently not at stake insofar as disputes over electronic signatures concern small amounts and are not subject to a rigorous examination of the system by legal experts specialized in this field. For the moment it is too early to know how things will evolve, but perhaps it is worth keeping these few subtleties in mind...