The Case for an Urgent Review of the Advanced Electronic Signature Verification Requirements in the ECT Act
In a world that has been struck by a pandemic that will forever change the way we work, businesses across the globe have had to adapt to working digitally. Fortunately, there are many apps and platforms that enable people to do just that.
One aspect of working digitally that is often overlooked is the signing of legal documents. Many business processes require documents to be signed off, but in the mad scramble to become digitally enabled, many companies overlooked this.
Thankfully, due to the provisions of the Electronic Communications and Transactions Act (ECTA) passed in 2002, it is perfectly legal to sign most documents digitally.
Some professions however require a higher level of signature, called an advanced electronic signature (AES), as required by ECTA and various other laws. Some of these professionals include attorneys, advocates, doctors, auditors and other commissioners of oath, and credit providers regulated by the National Credit Act.
ECTA and other laws make provision that some documents usually signed by these professionals need to be signed with an AES to be legal, usually due to the risk or legal status associated with the document. As part of the process of being issued with an AES, a person has to undergo a face-to-face verification process with the provider of the AES. This process entails an in-person meeting with the individual as part of the identity verification process.
In a world struck by COVID-19, where people are encouraged to practice social distancing and where these professionals can and do work from home, this requirement has become physically and legally impossible to meet. This means that the economic contribution that these professionals can make (in a time where every South African has to do whatever he/she can to keep our economy going) is now limited by the piece of legislation that states as part of its core purpose “to promote universal access to electronic communications and transactions and the use of electronic transactions by SMMEs”.
ECTA is based on a UN general law for the enablement of digital signing across the globe and was adapted to South African purposes. One major oversight in the legislation was the fact that manual, paper-based processes are required in a piece of legislation that had the intention of giving effect to electronic commerce and transacting.
In a study of global signing laws and best practices one will find that while almost all these laws are based around the UN model law, ECTA is one of very few that has this in-person verification requirement. Many laws have the requirement of strong identity proofing, which is fundamental to the security underlying digital signatures. Fortunately, technology has made it possible to conduct almost foolproof identity verification of individuals without requiring their physical presence.
Technologies such as mobile biometrics and face recognition with liveness detection make it possible to match biometrics to photo IDs and provide positive proof of identity. Add to this algorithms that check the veracity of identity numbers and access to databases confirming identity details, and you have a system that is even more reliable than in-person or face-to-face identity verification.
So, with all this technology, the aim of ECTA to enable digital commerce and the advent of a pandemic like COVID-19 and others to follow, the time has come for the provisions of ECTA to be revisited.
Two specific sections of ECTA in respect of AES need to be reviewed. The first one is section 38, which reads as follows:
Criteria for accreditation. -
(1) The Accreditation Authority may not accredit authentication products or services unless the Accreditation Authority is satisfied that an electronic signature to which such authentication products or services relate-
(a) is uniquely linked to the user;
(b) is capable of identifying that user;
(c) is created using means that can be maintained under the sole control of that user; and
(d) will be linked to the data or data message to which it relates in such a manner that any subsequent change of the data or data message is detectable;
(e) is based on the face-to-face identification of the user
In the model laws and the standards governing digital signing, the provisions of (a) to (d) are generally accepted and required for a strong digital signature. Under eIDAS, the European Regulation for electronic identification and trust services for electronic transactions, the provisions of (a) to (d) above are required for an advanced electronic signature. There is, however, no reference to the provisions of (e).
The recommendation under Section 38 of ECTA would be the simple addition of wording such as: "or is based on other strong identity proofing that provides an equivalent assurance". This will bring it in line with the global standards that currently govern identity proofing for advanced electronic signatures in most countries.
The second section that requires revision is Section 14 under the Regulations. Section 14 reads as follows:
14. Requirements for issuing certificates. -
(1) Upon receipt of an application, a certification service provider must-
(a) establish the identity of the person or entity applying for a certificate, which must include face-to-face identification of the subscriber or authorized key holder;
(b) establish and maintain a demonstrable and auditable process to confirm that face-to-face identification was undertaken; and
(c) ensure that the persons performing the face-to-face identification have undergone appropriate training in comparing a subscriber with a photo in an identity document or passport and in identifying fraudulent identity documents and passports.
(2) A certification service provider may issue a certificate to any entity or person that has applied for a certificate only after the certification service provider has complied with all of the practices and procedures set forth in the certification service provider's certification practice statement and certificate policy, including procedures regarding face-to-face identification of the prospective subscriber.
The second part of the legislation that needs to be revisited is the requirement for the signature of a subscriber agreement by hand. Section 4 under the Regulations issued under ECTA states:
(3) During the identification and authentication of a subscriber or applicant as contemplated in subregulation (3), a handwritten signature must be obtained by the certification service provider from the subscriber or applicant and the certification service provider should be able to prove that the subscriber or applicant was actually present and identified and accepted the certificate
There is little point in allowing digital means of identity verification if there is still a requirement for the accompanying agreement to be signed by hand. This regulation should be replaced to allow for digital means of accepting a subscriber agreement, as long as that acceptance can be linked to the individual accepting the agreement. Again, the ECT Act creates a digital contracting regime and allows for digital signing of contracts, so a provision that requires this process to be started off by hand does not accord with the whole intention of the legislation.
Developments in the Law
Several developments in South African law over the last few years make the case for a review of the AES provisions in ECTA. Together with the need to be digitally enabled in our new economy, they strengthen the case for a review of the laws.
First, we had a change in the digitisation of the court system, with the implementation of a digital court filing system called Case Lines, which allows legal practitioners to upload court documents. One of the aspects that has not been given due attention is the requirement for signing pleadings with an AES. In August 2017 the Rules of Court for the Johannesburg Civil courts were updated to allow for the use of AES to sign summonses and pleadings.
Because there was no digital court filing system at the time, these pleadings still had to be certified in person, by a person in the employ of the attorney, essentially negating the entire point of an AES. Now, with a digital court system, the case of signing these pleadings with an AES has become more important than ever.
Next there was the proclamation of the Electronic Deeds Registration Systems Act 19 of 2019, which also allows for the electronic filing of documents in the Deeds Office. In terms of this act, any signature applied to a document has to be an AES.
In recent posts by some divisions of the courts in South Africa, urgent matters are to be heard over digital media such as Zoom and will be live-streamed to the public, as hearings are supposed to be public.
In terms of Section 18 of ECTA, affidavits can be commissioned using an AES, which would make it possible to still submit affidavits to court and for proceedings to be hampered as little as possible.
When one is confronted with the practicalities of enrolling every attorney and advocate in a face-to-face fashion, it quickly becomes apparent that with the best of intentions, the progress in digital laws and the operations of our courts will greatly be hamstrung if we don’t allow for an equivalent process to face-to-face verification.
Add to this the requirements of the COVID-19 lockdown, where special measures need to be taken, and there has never been a greater need for an urgent update to the legislation. Such an update would not need significant research or review, since the model law has been in existence for several years and many countries have successfully implemented the requirements.
Some additional value-adds in updating the verification requirements would include the ability for police officers to take affidavits without requiring physical presence, for pension funds to continue operating normally, for credit providers to sign credit agreements without a face-to-face interaction with the applicant, all while still ensuring that they are dealing with the correct individual. All of this will assist in a more normal functioning of many industries in South Africa in a time where we need our economy to be stimulated as much as possible.
We need to recognise that international business travel will never resume at the levels before COVID-19 and that many countries will be looking at concluding contracts digitally. A law that is aligned with international laws and best practice is not just in the interest of everyone doing business in South Africa, but in the interest of doing business outside of South Africa.
This article is as much a suggestion for the alignment of our laws with international standards and laws as it is a plea to the South African government to build on the exceptional leadership it has shown in helping the South African economy survive the COVID-19 pandemic. A simple modification to a law that is in dire need of an update to align with the times could play a large part in enabling the professional services sector in South Africa to operate more fully and assist the economy in surviving this pandemic.