By He Fang and Wang Bo, King & Wood Mallesons
When sending red packets on WeChat or making purchases on Taobao for the first few times, one might wonder, or be asked by friends: is it reliable to send or receive money with just a tap on a smartphone or a click of the mouse? There is no magic here, just increasingly popular applications of the electronic signature, or e-signature, in daily life in the era of the Internet and digital technology. In addition to the e-commerce scenarios above, it is already common practice to transmit and retain files in electronic formats for business activities. However, for legal instruments, which are customarily regarded as more rigorous than e-commerce transactions, the use of electronic signatures is still generally forbidden or overlooked. In practice, when legal instruments must be executed officially, people still print them out and affix their seals or signatures physically, as they traditionally have. This inevitably adds significant time to the execution process. Moreover, given the persistent issue of “fake stamps”, this time-consuming traditional approach does not necessarily provide higher reliability.
There are two reasons behind this: firstly, due to the lack of applicable laws and regulations on e-signatures, judicial practitioners have long been without authoritative rules to rely on and thus tend not to recognize the authenticity of electronic legal instruments; secondly, it is still widely believed by the general public that electronic documents are vulnerable to tampering and that their authenticity therefore cannot be ensured.
The Electronic Signature Law of the People’s Republic of China, released in 2005 and amended in 2015 (“E-signature Law”) provides legal grounds to determine the validity of electronic legal instruments. As computer science and cryptography advance and technologies become more robust to safeguard e-documents from tampering, public perception has gradually changed, hopefully leading to the popularity of electronic legal documents one day.
Based on the E-signature Law, this article provides an overview of e-signatures, including their definition, how an e-signature is created, its applications and its recognition in judicial practice. We hope our readers find it useful in practice related to electronic legal instruments.
What is Electronic Signature?
1. Functions of physical signatures
To understand the concept of e-signatures, it may be helpful to briefly examine the concept, functions and features of physical signatures (including handwritten signatures, thumb prints and affixed seals). A physical signature means a kind of mark or the process of leaving such a mark. It serves the purposes of: (1) identifying the signatory; and (2) indicating the signatory’s acceptance of the content of the signed documents. These two functions are based on certain consensuses (or assumptions):
- One handwritten signature or affixed seal corresponds to one unique signatory: this assumes that each individual has his own handwriting and seals and it is impossible to counterfeit seals or forge signatures;
- It is presumed from the signature or seal on hard copies of documents that the signatory has recognized what is in the documents. This is based on the assumption that a rational person would not sign or affix his seal on a document without reading it first; and
- A document, once signed or sealed, would not be subject to alteration. This is further based on the assumption that it would be technically impossible to alter the content of a document once it has been printed out on a hard copy, or the signature or seal affixed on the hard copy.
2. Concept of e-signatures
Like a physical signature, an electronic signature can be understood in two ways. Firstly, it refers to a type of data. In Article 2, the E-signature Law, borrowing the functions of physical signatures, defines e-signature from the perspective of its functions and effects as follows: “for the purposes of this Law, electronic signature means the data in electronic form contained in and attached to a data message to be used for identifying the identity of the signatory and for showing that the signatory recognizes what is in the message. The data message as mentioned in this Law means the information generated, dispatched, received or stored by electronic, optical, magnetic or similar means.” In Article 13, it further sets forth the conditions for a reliable electronic signature, namely “(1) when the creation data of the electronic signature are used for electronic signature, it exclusively belongs to an electronic signatory; (2) when the signature is entered, its creation data are controlled only by the electronic signatory; (3) after the signature is entered, any alteration made to the electronic signature can be detected; and (4) after the signature is entered, any alteration made to the contents and form of a data message can be detected”. It is also expressly provided in Article 14 that “a reliable electronic signature shall have equal legal force with handwritten signature or the seal”.
Secondly, e-signature refers to the process (or method) of producing such data. For example, Item (4) of Article 34 explains that “the creation data of an electronic signature means such data as the characters and codes that are used in the course of the electronic signature and that reliably connects the electronic signature with the electronic signatory”.
It is evident from the above that the E-signature Law, in defining e-signature, stipulates its form (i.e. data in electronic form contained in a data message), functions and effects without specifically limiting the approaches or technologies used to implement e-signatures.
Technical Implementation Approaches of E-signatures
As noted above, the existing legislation only sets forth the forms, and the requirements of the functions and effects for e-signatures without specifying the approaches or technologies used to implement e-signatures. Thus in theory, more than one form of data message and e-signatures may be accepted by the law. As long as an e-signature is created in the way as required under the law, it will have equal legal force with a handwritten signature or seal.
Technical implementation for e-signatures may take various approaches, including:
- Digital signature which uses Public Key Infrastructure, or PKI–based public key technology;
- Signature based on data extracted from biological characteristics (including palm print, voice and iris); and
- A key code, password or personally identifiable number (PIN) that enables the receiver to identify the sender.
So far, the first technical implementation has been validated in judicial practice. Employing three core elements (digital signature, certification authority and trusted time stamp), it uses public key cryptography to ensure the reliability of an e-signature and is one of the most widely accepted technical implementations of e-signatures globally. This section provides a concise introduction to how it works.
1. Digital signature
Digital signature is a specific technical implementation of e-signatures. As a technical term rather than a legal one, digital signature is not defined in legislation. The term carries double meanings as well. Firstly, it represents a type of data attached to electronic documents, enabling the receiver of an e-document to detect any alterations made to the e-document by anyone. Secondly, it may refer to the set of methods and processes used to create such data.
The following illustrative diagram shows the process in which digital signature works. When sending a data message, the sender firstly runs the data message through a hash function (HASH) to generate a message digest which is then encrypted with a private key. The resulting encrypted message digest is the digital signature of the data message. Next, the digital signature will be sent to the receiver along with the data message. Using the same hash function, the receiver firstly computes another message digest from the data message received and then uses the sender’s public key to decrypt the digital signature. If the computed message digest is the same as the one decrypted, then the receiver can establish that the digital signature is validly from the sender.
About hash function (HASH): A hash function is a specific data processing method which comes in more than one form. The most widely used hash functions include MD5 and SHA. Hash functions share certain common features and can be thought of as a black box which transforms the data message at the input to the digest at the output. The black box has the following characteristics:
- It takes a variable-size input bit stream and returns a fixed-length output bit stream;
- It is easy to compute the output from the input but it is computationally infeasible to invert, i.e. to find an input that produces a given output value; and
- The output length is far less than the input and as such the possibility of collision exists in theory, i.e. two different inputs may hash to the same output. However, it is computationally infeasible to find two colliding inputs.
About private key and public key: Private and public keys are used in asymmetric cryptography with which:
- Public and private keys work in pairs and one public key corresponds to one unique private key;
- Data encrypted with a public key can only be deciphered with the corresponding private key and vice versa; and
- A private key is privately kept by the encryptor and a public key is openly available.
From the above, it should be noted that the digital signature has the following features: (1) the creation data of a digital signature, namely the private key, is kept by the signatory. Thus when the signature is entered, its creation data are controlled by the signatory; (2) after the signature is entered, if the signatory makes any alteration to the electronic signature, namely to the hash value of the message digest, it will be easily detected, as such alteration will lead to decryption failure or to the digest deciphered with the public key differing from the digest hashed from the data message received; and (3) after the signature is entered, if the signatory makes any alteration to the data message, it can also be easily detected because, owing to the characteristics of hash functions, the altered data message will hash to a different digest from the one generated with the original data message.
Comparing the features of digital signature and the requirements for e-signature as set forth in the E-signature Law, it can be seen that digital signature does not guarantee the private key exclusively belongs to an electronic signatory. This issue is addressed by certification authorities.
2. Certification authorities
Certification authorities are composed of a Certificate Authority (“CA”) and a Registration Authority (“RA”). The RA verifies the identity of a user and, if verification succeeds, tells the CA to issue a digital certificate as requested by the user. The digital certificate contains, among other things, a public key and the information of the certificate holder.
Given that one public key corresponds to one unique private key and certification authorities are trusted third parties, digital certificates issued by CAs, by incorporating the public key and the information of the certificate holder, solve the issue that the private key should exclusively belong to an electronic signatory.
In addition, certification authorities also manage the interchanges between the directory server (for storing digital certificates), the Web server (for secure communication) and the operating system interfaces as well as other components. These components are part of a larger network called Public Key Infrastructure (“PKI”).
3. Trusted time stamp
Time is of the essence for legal instruments (contracts, for example). For a traditional hard copy instrument, the time of formation is generally indicated by specifying the execution date in the document. As it is a common perception that signed documents are difficult to alter, the execution date or even an antedate specified in a hard copy instrument will be preferably presumed to be the de facto date of execution unless proven otherwise by, among other things, the postmark of a post office (as a trustworthy third party).
Time stamp is a term in computer science and refers to a sequence of characters or encoded information identifying when an e-document is created. For an e-document created on a personal device, such time depends on the system clock of that device, which can be freely changed. As such, the time stamp of e-documents created on personal devices does not qualify as valid evidence, as it would be almost impossible to establish its tamper-resistance.
In contrast, a country’s standard time, managed by its time service center, is authoritative. “Trusted time stamp” is the electronic certificate issued by a trusted time stamping authority (“TSA”) to evidence the creation time of an e-document.
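The three elements described above (hash-then-sign digital signature, CA-issued certificate and trusted time stamp) can be combined in one verification routine. The following is an added example, not code from the original article: it uses textbook RSA without padding over SHA-256 with demo keys built from publicly known Mersenne primes, and the certificate and time-stamp structures, party names and dates are simplified, constructed assumptions rather than a real certificate or TSA format.

```python
import hashlib
import json

E = 65537  # public exponent shared by all demo keys

def make_keypair(a, b):
    """Demo-only RSA key from the Mersenne primes 2**a-1 and 2**b-1.
    These primes are public knowledge, so the key gives no real security."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}

def digest_int(data):
    # SHA-256 rather than MD5: MD5 collisions can be produced in practice.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, priv):
    """Hash the message, then transform the digest with the private key."""
    return pow(digest_int(data), priv["d"], priv["n"])

def verify(data, sig, pub):
    """Recover the digest with the public key and compare with a fresh hash."""
    return pow(sig, pub["e"], pub["n"]) == digest_int(data)

def canonical(obj):
    """Stable byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(holder, holder_pub, ca_priv):
    """CA binds a holder name to a public key by signing both together."""
    body = {"holder": holder, "public_key": holder_pub}
    return {"body": body, "ca_signature": sign(canonical(body), ca_priv)}

def issue_timestamp(doc, time_utc, tsa_priv):
    """TSA signs the document digest together with its own clock reading."""
    body = {"digest": hashlib.sha256(doc).hexdigest(), "time": time_utc}
    return {"body": body, "tsa_signature": sign(canonical(body), tsa_priv)}

def check(doc, sig, cert, token, ca_pub, tsa_pub):
    """Return the names of the checks that fail; an empty list means valid."""
    failed = []
    if not verify(canonical(cert["body"]), cert["ca_signature"], ca_pub):
        failed.append("certificate")
    if not verify(doc, sig, cert["body"]["public_key"]):
        failed.append("signature")
    if not verify(canonical(token["body"]), token["tsa_signature"], tsa_pub):
        failed.append("timestamp-token")
    elif token["body"]["digest"] != hashlib.sha256(doc).hexdigest():
        failed.append("timestamp-digest")
    return failed

def demo():
    signer_pub, signer_priv = make_keypair(127, 521)
    ca_pub, ca_priv = make_keypair(107, 607)
    tsa_pub, tsa_priv = make_keypair(89, 1279)
    other_pub, _ = make_keypair(89, 607)  # unrelated key, not certified by the CA

    # Constructed sample contract, holder name and times.
    contract = b"Party A lends Party B CNY 10,000, repayable in 12 months."
    sig = sign(contract, signer_priv)
    cert = issue_certificate("Party A", signer_pub, ca_priv)
    token = issue_timestamp(contract, "2016-07-01T08:00:00Z", tsa_priv)

    altered_doc = contract.replace(b"10,000", b"90,000")
    swapped_cert = {"body": {"holder": "Party A", "public_key": other_pub},
                    "ca_signature": cert["ca_signature"]}
    backdated = {"body": dict(token["body"], time="2015-01-01T00:00:00Z"),
                 "tsa_signature": token["tsa_signature"]}
    args = (ca_pub, tsa_pub)
    return {
        "intact": check(contract, sig, cert, token, *args),
        "altered_document": check(altered_doc, sig, cert, token, *args),
        "altered_signature": check(contract, sig ^ 1, cert, token, *args),
        "swapped_key": check(contract, sig, swapped_cert, token, *args),
        "backdated_timestamp": check(contract, sig, cert, backdated, *args),
    }

if __name__ == "__main__":
    for case, failed in demo().items():
        print(f"{case:20} -> {failed or 'all checks pass'}")
```

Each altered case maps to one of the detection requirements discussed above: a changed document or signature fails the signature check, a certificate carrying a different key fails the CA check, and a changed time fails the TSA check.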
Applications of E-signatures
Article 3 of the E-signature Law specifies that e-signature may be used in a contract or other documents or certificates in civil activities except in the following instruments: (1) those involving marriage, adoption, inheritance and other personal relations; (2) those involving transfer of any rights or interests in land, premises or other immovable property; (3) those involving suspension of water supply, heat supply, gas supply, electricity supply or any other public utility services; and (4) other circumstances where electronic documentation is inapplicable as provided by any laws or administrative regulations.
In the current practice, digital signatures have been used in commercial contracts between the parties of equal status, employment contracts between employers and employees and some administrative documents. We will briefly discuss the use of digital signatures in electronic contracts and administrative documents.
1. Use of e-signatures in e-contracts
(1) Concept of e-contracts
In this article, an electronic contract, or e-contract means a contract executed in the form of a data message in accordance with Article 11 of the Contract Law of the People’s Republic of China (“Contract Law”). With respect to the data message, in addition to the definition given in Article 2 of the E-signature Law as stated above, Article 11 of the Contract Law also sets forth as examples five forms of a data message, i.e. telegram, telex, fax, electronic data exchange and e-mail.
In accordance with Article 11 of the Contract Law, a contract executed in the form of a data message is a written contract as if it were executed in a hardcopy form. This means the Contract Law recognizes the formal validity of an e-contract. Articles 4 through 8 of the E-signature Law clarify the authenticity criteria of a data message. Articles 13 and 14 of the E-signature Law specify the requirements and validity of a reliable e-signature, providing legal ground for using an e-signature to sign an e-contract.
The authenticity criteria of a data message are mostly set forth in Articles 4 through 8 of the E-signature Law, which may be generally summarized as “readable, storable, identifiable and authentic”.
The E-signature Law prescribes the authenticity criteria of a data message in terms of its functions and effects without setting forth specific implementation approaches and steps. In other words, various technical means and approaches are theoretically available to make a data message “readable, storable, identifiable and authentic” and thus satisfy the prescribed authenticity criteria. The resulting data message will be deemed as having satisfied the formal requirements of an original specified by the laws and regulations. Any e-contract executed in the form of such data message will amount to a traditional hardcopy contract.
(2) Use of digital signatures in signing e-contracts
In practice, four parties are generally involved when an e-contract is executed using digital signatures:
- Certification authorities which shall (i) be established in compliance with the E-signature Law, the Administrative Regulation for Commercial Encryption Codes, the Regulation for Protection of Computer Information System Security and all other applicable PRC laws and regulations, and (ii) at least have obtained and maintained a valid Certificate for a Designated Producer of Commercial Encryption Products, a License for Sale of Commercial Encryption Products and a Certificate for Models of Commercial Encryption Products;
- Signatories to the e-contract;
- An e-contract service platform (intermediary); and
- A trusted third party time stamp authority, which is the UniTrust Time Stamp Authority (www.tsa.cn) at present in China.
The relationships among the four parties are as shown in the figure below:
For the functions of the certification authorities, please see above for details. The main role of the e-contract service platform is to interact with the certification authorities and the trusted time stamp authority on behalf of the signatories to the e-contract and to perform identity authentication, digital certificate application, time stamping, e-contract storage etc., so as to simplify e-contract execution for signatories.
There are a number of e-contract service platforms in China, including the relatively popular yunsign.com, fadada.com, tsign.cn, BestSign and DocuSign. These platforms generally work in the same way with similar functions and user processes.
2. Use of e-signatures in signing administrative documents
Figure 2 above shows an e-contract signing system model where an e-contract service platform and certification authorities facilitate the e-signing process and which is based on the use of digital signatures to ensure the authenticity of data messages.
Similarly, the system model shown in Figure 3, which also uses digital signatures to ensure the authenticity of data messages, is derived from Figure 2 by replacing the “E-contract Service Platform” with an e-government platform of different functions. This model may also be used for reliable data communications between the public and governmental authorities.
In data communications between the public and government authorities, typical use scenarios of the model shown in Figure 3 currently include electronic patent and trademark applications, electronic tax declaration and cross-border e-commerce import clearance (to the public data center China E-port).
Take electronic patent application for example. The National Intellectual Property Administration (CNIPA) has developed (or has had developed) an electronic platform for online submission of patent applications (which is equivalent to the e-contract service platform as shown in Figure 2). Upon establishment with the approval of the CNIPA, patent agencies may apply to the CNIPA for launching electronic submission services. The CNIPA will then apply to certification authorities for digital certificates and key information on behalf of the patent agencies and distribute the private keys to them. The patent agencies are thus able to digitally sign their submissions and submit them to the CNIPA in the form of data messages. The CNIPA may determine the authenticity of the data messages submitted by patent agencies and their identities by verifying their digital signatures. The electronic submission of trademark agencies is similar to that of patent agencies.
In addition, Chapter 4 of the Administrative Regulations of Guangdong Province for Industrial and Commercial Registration (Draft) deliberated by the Standing Committee of the People’s Congress of the province specifically provides for the “whole-process electronic registration” and clarifies the legal force and effect of electronic files, documents and signatures. It provides that “in the whole-process electronic registration, an electronic file or document with an electronic signature shall have the same legal force and effect as its hardcopy” and that “an electronic signature used in the whole-process electronic registration shall have the same legal force and effect as a manual signature or a physically affixed seal.” Therefore, the industrial and commercial registration of enterprises is expected to adopt an electronic form based on digital signatures.
Recognition of E-signatures and E-contracts in Judicial Practice
To date, no cases arising from the validity of any administrative documents signed by using e-signatures are available. The following are some precedents concerning the validity of e-contracts.
1. Cases concerning the validity of e-contracts signed with digital signatures
Case 1 (judicial): (2015) Shen Fu Fa Min Er Chu Zi No. 1164 ((2015) 深福法民二初字第1164号). The plaintiff and the defendant executed the Loan and Guarantee Contract and the Guarantee Agreement in question on the website of Hepai Online, an e-contract service platform providing digital certificate and other intermediary services for users. The People’s Court of Futian District, Shenzhen City, Guangdong Province straightforwardly found such contract and agreement legal and valid in accordance with Article 14 of the E-signature Law.
Case 2 (employment arbitration). The claimant surnamed Zhang registered an account on the e-contract service platform fadada.com with his eID-embedded ICBC finance IC card and concluded an online employment contract with a Shanghai-based employer. Later he challenged the validity of his online signed employment contract and claimed a double payment of his salary from the employer in accordance with relevant provisions. In July 2016, the Arbitration Commission for Labor and Personnel Disputes, Jiading District, Shanghai rendered an arbitration award. It was decided that the parties concerned, on the basis of equality and voluntariness, executed the disputed employment contract in an electronic form via an e-signature platform recognized by the state and that such employment contract was in compliance with relevant provisions of the E-signature Law and thus authentic and valid. The court therefore rejected the claims made by the claimant.
On 26 September 2016, this case was reported in the Light of Science program on CCTV-10. In the program, Mr. Guo Hongjie, a special advisor to the Ministry of Industry and Information Technology, was invited to explain the hot issues such as electronic identity (eID) for citizens issued by the Ministry of Public Security, e-signature and electronic notes.
2. Other selected cases concerning the authenticity of data messages or e-contracts
As stated above, the prevailing laws only prescribe the requirements for the functions and effects in respect of the authenticity of data messages. Thus the technical implementation approaches to meet such requirements are theoretically not unique and digital signature is just one of them.
The table below lists some recent cases in which the courts recognized the authenticity of e-contracts/data messages. As shown by the selected cases, if any other evidence or technical implementation proves the authenticity of data messages, the judiciary will neither exclude such data messages from evidence nor deny the validity of the e-contracts signed by using these data messages.
| Case No. | Court | Cause of Action | Brief Introduction |
| --- | --- | --- | --- |
| (2016) Yun 0111 Min Chu No. 3711 ((2016) 云0111民初3711号) | The People’s Court of Guandu District, Kunming City, Yunnan Province | Loan contract dispute | The plaintiff Li Yuyun and the defendant Hong Zhengkun signed the Loan Contract in question in an electronic form on the online transaction platform operated by Kunming Small and Micro-sized Financial Transaction Services Co., Ltd. Later a dispute arose from such contract and the plaintiff sued to the court. The court finally determined that where the plaintiff and the defendant had entered into a contract respectively with the operator and manager of the electronic transaction platform, any e-contract executed between the parties to the transaction using e-signatures and data messages was valid if it had been agreed that a contract might be so executed. |
| (2011) Jin Yi Shang Chu Zi No. 3006 ((2011) 金义商初字第3006号) | The People’s Court of Yiwu City, Zhejiang Province | Loan contract dispute | The defendant Zhejiang Risheng Import and Export Co., Ltd. and the plaintiff China Construction Bank Corporation Yiwu Branch executed the Online Banking Services Agreement for Enterprise Customers in question. Pursuant to such agreement, the defendant applied to the plaintiff to become an enterprise customer of its online banking services and at the same time also applied for a certificate of such enterprise consumer and set its password. It was also agreed that the certificate and password of the borrower would be the only valid credentials to verify its identity when it entered and transacted in the online banking system. Thus the plaintiff and the defendant signed the Security Pledge Contract concerned in an electronic form. Later a dispute arose from such contract and the plaintiff sued to the court. The court straightforwardly ordered the defendant to repay the loan on the ground of such e-contract. That means such e-contract was found valid. |
| (2011) Hang Bin Shang Chu Zi No. 178 ((2011) 杭滨商初字第178号) | The People’s Court of Binjiang District, Hangzhou City, Zhejiang Province | Loan contract dispute | The defendant, through a person surnamed Ke/E/A, concluded with the plaintiff the Loan Contract in question in an electronic form at a loan service website. The plaintiff then granted the loan to the defendant’s verified real-name Alipay account under such e-contract. Later a dispute arose from such e-contract between the plaintiff and the defendant. The court determined that the disputed loan contract was valid in accordance with the E-signature Law. |
3. Issues on e-signatures in the current judicial practice
The validity of e-signed data messages and contracts is an emerging issue that entails relatively complex technical knowledge. For the moment, the judiciary has not accumulated extensive relevant trial experience. In the adjudication, the judiciary may have cognitive biases on “e-signature creation data”, “e-signature”, “digital signature”, “user password” and other concepts. This may result in deviations of the criteria applied in the judicial practice for the validity of data messages and e-contracts from the provisions of the E-signature Law. The following are two cases for example:
In the case (2008) Zhe Min Er Zhong Zi No. 154 ((2008) 浙民二中字第154号), the plaintiff surnamed Yang opened an account with the defendant, a futures trading company, and could thus log in to the defendant’s information system with his username and password (which was set by the plaintiff himself and unknown to the defendant) to authorize the defendant to trade futures on his behalf. Afterwards, the plaintiff denied that a particular order had been authorized by him, giving rise to a dispute with the defendant. Accordingly, he sued to the court. In the second-instance trial, on the ground of the privacy, uniqueness and confidentiality of a user password, the Zhejiang Provincial Higher People’s Court determined that the user password was a reliable digital signature and of the same force and effect as his manual signature. It further decided that the authorization granted by the plaintiff to the defendant was valid as it was actually an electronic letter of authorization.
Similarly in the case (2014) Shen Zhong Fa Shang Zhong Zi No. 249 ((2014) 深中法商终字第249号), the plaintiff Cai Jianguo obtained a debit card from the Bank of China Limited Shenzhen Branch Jinxiu Sub-branch and set by himself his password, which was unknown to the defendant. The plaintiff could withdraw cash from an ATM installed by the defendant with his debit card. In order to do so, he was required to provide his debit card and enter his password. Later an unauthorized withdrawal was made from the plaintiff’s debit card. Shenzhen Intermediate People’s Court believed that the defendant was at fault for failure to identify the forged debit card. It also believed that the user password of the plaintiff was private, unique and confidential and amounted to an e-signature. On the basis of such belief, the court presumed that the plaintiff was at fault for the leakage of his password. Finally, the court decided that the parties should bear their respective liabilities.
Instead of presenting a comprehensive analysis of the application of law and the results of the judgments in the two cases above, we will simply discuss the ascertainment of facts and the findings regarding e-signature in the adjudication. Zhejiang Provincial Higher People’s Court found that the user password used to log in to the platform was a private key used in asymmetric encryption and that it was a digital signature, which may leave some room for further discussion. Likewise, Shenzhen Intermediate People’s Court also held that the user password was a digital signature. As a matter of fact, considering the definition of e-signature creation data set forth in Item (4), Article 34 of the E-signature Law and the roles of a user password and a private key throughout the e-signing process, both the user password and private key are e-signature creation data and the user password itself does not constitute an e-signature. It should be noted that, in the two cases above, the court certainly should examine whether the user password was private, unique and confidential, as this was crucial to determining the reliability of the generation of the data messages and e-signatures. However, we consider that the court should also have examined at the same time: (1) what are the specific means for the information system of the defendant to create and transmit, and for the recipient to receive and verify, the data messages and e-signature; and (2) whether these means satisfy the authenticity criteria of data messages prescribed by the E-signature Law. Pursuant to the legal requirements for the validity of an e-signature and an e-contract, the court may render unbiased results of adjudication only if it has completely examined and confirmed whether the data messages and e-signature were reliably created, transmitted and received as proven by the party with burden of proof.
In light of the above judicial practice, e-contracts are relatively easily found valid at present if they were signed using the system model as shown in Figure 2. For administrative documents, whether they may be practically executed in an electronic form depends on the building of the e-government platforms of the competent administrative authorities. If any data message is submitted or exchanged by using an e-government platform designed, and in accordance with the operational procedures specified, by the competent administrative authority, such data message is generally found valid.