The definition of a signature in the just-passed Electronic Transactions Act may be sufficiently loose to delay uptake by mainstream business, says one of the country’s digital certification specialists.
An appropriate transmission infrastructure could also take time to evolve, say the banks.
Typical businesses and their IT departments wanting to move safely into applying the ETA to practical electronic services may wait until the courts have set a few precedents, says Ron Segal, business development manager at Baycorp ID Services.
Because the act still leaves the definition of an electronic signature loose, he says, there is a danger that businesses driven by their customers’ preference for low cost and ease of use may be tempted to go with a less secure definition, which could subsequently run into danger of a security breach or legal problems.
An electronically signed document should meet the requirements that the “signature” is linked to, and under the control of, the signatory and no other person, and that any alteration to the signature or document can be detected.
If someone simply entered a password to access a secure website and uploaded an electronic document to a database, and that database had an associated audit routine that periodically scanned any changes to the documents on it, it might be argued that all the conditions had been fulfilled and the password qualified as an electronic signature, Segal suggests.
This would fly in the face of the normal concept of an electronically signed document as one whose information is mathematically compounded with the information in the signature, so that it can be recognised as the product of the signatory and no one else.
With such looseness in mind, most businesses would probably wait for major organisations like banks and government departments to move first, and handle any legal battles.
In the IT department, normal backup precautions could possibly invalidate the secure status of a digital certificate used for electronic signing, because it could not be said to be under the control of the signatory exclusively, Segal says. At the very least, stringent processes for safeguarding such backups will have to be clearly defined in any system that uses them.
“I think we’re looking at about a year and a half before we get a significant increase in digital signature use,” he says.
Bankers’ Association chief Errol Lizamore, meanwhile, welcomes the act as establishing a benchmark for electronic transaction systems and authentication, but says appropriate “structures and business models” will still have to be developed to conduct robust authentication and transmission of documents to the satisfaction of companies and their clients, and at a reasonable cost.
A full public key infrastructure, on the scale already used in Australia, for example, is quite costly, he says, and work will have to be done on scaling it back for an economy and companies of the size typical in New Zealand.
He doubts there will be a sudden flow of pent-up applications from the banks, though he points out that they already have their own highly secure and proprietary systems, within which secure electronic documents are already respected.