DIGITAL SIGNATURES – LEGAL RECOGNITION, APPLICABILITY AND CHALLENGES UNDER THE INFORMATION TECHNOLOGY ACT, 2000 BY - HITEN LAKHANI & ADITYA SHARMA
‘DIGITAL SIGNATURES – LEGAL RECOGNITION, APPLICABILITY AND CHALLENGES UNDER THE INFORMATION TECHNOLOGY ACT, 2000’
AUTHORED BY
- HITEN LAKHANI,
Amity Law School,
Noida
CO-AUTHOR -
ADITYA SHARMA
Campus Law Centre,
Faculty of Law, Delhi University
ABSTRACT
The digital age has transformed how we conduct business, communicate, and handle legal matters. Among the innovations, digital signatures have become essential for verifying the authenticity and integrity of electronic
documents. Unlike traditional handwritten signatures, digital signatures use cryptographic techniques to securely sign
documents electronically. This paper delves
into what digital signatures are, how they differ from electronic signatures,
and their legal recognition under the Information Technology Act, 2000.
Also, this paper outlines how digital signatures are created, issued, and
validated, emphasizing their
advantages over simpler electronic signatures.
However, the implementation of
digital signatures comes with its own
set of challenges, including cross-border issues, security concerns, and the need for standardization. The
paper also reviews relevant case laws that highlight the growing importance of digital signatures in India’s legal framework.
While digital signatures offer a secure and reliable method for handling
electronic transactions, ongoing
efforts are needed to address these challenges and ensure that our legal and
technical systems keep up with
advancements. By tackling these issues, India can strengthen its digital economy
and make electronic
transactions more trustworthy.
SCOPE AND OBJECTIVE OF THE STUDY
·
To understand what digital signatures are, how they
differ from electronic signatures in accordance with the Information Technology
Act, 2000.
·
To study how the digital signatures are created, who
can issue digital signature certificate and their validity under the legal framework
of India.
·
To study the procedure for issuance of a digital signature
certificate and legal provisions concerning digital signatures under Information
Technology Act, 2000.
·
To highlight the Judicial Interpretation.
1.
Introduction
The digital revolution has fundamentally transformed the way we conduct business,
communicate, and engage in legal transactions. Among the many
technological advancements, digital
signatures have emerged as a critical tool for ensuring the authenticity,
integrity, and non- repudiation of
electronic documents and communications. A digital signature is a cryptographic technique
that provides a secure and verifiable way to sign
documents electronically, thus replacing traditional handwritten signatures. This technology has been increasingly
adopted across various sectors, including finance, healthcare, legal services, and government operations.
Despite the apparent benefits, the implementation of digital signatures
is not without challenges. These
challenges range from technical issues, such as ensuring interoperability and
security, to legal and regulatory
hurdles, such as cross-border recognition and compliance with varying national standards. As businesses and
governments continue to adopt digital signatures, it is crucial to understand the legal frameworks that govern their use
and the obstacles that may impede
their effective implementation.
1.1
What is
a Digital Signature?[1]
A signature is more than just a mark; it’s a personal expression of one’s
identity. In the legal world and in everyday transactions, a signature carries
a lot of weight. When you sign a document,
it’s your way of saying that you’ve read and understood everything in it,
checked the details, and agreed to it with confidence.
In contract law, a signature is essential because it signals that you’ve
accepted an offer. As technology has
advanced, the way we sign things has also changed. With the rise of online transactions and emails, there’s also a
higher risk of data being compromised. That’s why online signatures have become increasingly important, so they help keep
things secure in our digital world.
1.2
Difference Between Digital Signatures and Electronic Signatures:[2]
An electronic signature[3]
is more about showing agreement to a document without necessarily confirming the accuracy of its content. It could be
as simple as attaching an image to indicate that a party consents to the document.
However, electronic signatures are more vulnerable to tampering and can be misused more easily than digital
signatures. They are harder to verify in terms
of time and location, and there are instances where someone else could affix
the signature without it being traced.
On the other hand, digital signatures offer stronger protection and are
much harder to tamper with. If any
changes are made to a document and it’s returned to the original signer, the
digital signature will show as
invalid. Unlike electronic signatures, digital signatures use a unique passkey that is shared only between the
signer and the original recipient. They also provide a timestamp, which is crucial for legal disputes, as it helps
prove the document’s authenticity in court. Digital signatures clearly identify the individuals involved, offering a level
of certainty that electronic signatures do not.
1.3
Definition of Digital Signature and
Electronic Signature as stated under Information Technology Act, 2000:
·
Sec 2 (ta) of
Information Technology Act 2000 defines
electronic signature as:[4] electronic signature means authentication of any
electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital
signature.
In
simple words, an electronic signature covers not just digital signatures, but also
other electronic methods
outlined in the Act. In simple terms, it means that a person is authenticating an electronic record using electronic tools. By adopting
the concept of 'electronic signature,' the Act is flexible with technology, recognizing both the digital
signature method, which relies on cryptography, and other types of
electronic signatures that use
different technologies.
·
According to section 2(1)(p) of the
Information Technology Act, 2000 digital signature means[5] the
authentication of any electronic record by a person who has subscribed for the digital
signature in accordance with the procedure mentioned under section
3 of the said act.
1.4
Comparative table between Digital
Signature and Electronic Signature:[6]
|
Feature
|
Digital Signature
|
Electronic Signature
|
|
Definition
|
It has been defined under Section 2(1)(p)
of the Information Technology Act, 2000.
|
It has been defined under
Section 2(1) (ta) of the Information Technology Act, 2000.
|
|
Authenticity
|
It has more
authenticity as compared to the electronic signature.
|
It is less authentic as compared to
the digital signature.
|
|
Duration
|
It is valid up to a maximum of three years.
|
It has no expiration or validity period.
|
|
Security
|
It is more secure than electronic signatures.
|
It is less secure as compared
to the digital signature.
|
|
Verification
|
It has a certificate-based
digital10 verification.
|
It is verified through the signer’s identity.
|
2.
Validity of Digital Signature
The Information Technology Act, 2000 defines a digital signature as the
authentication of an electronic record by a subscriber through an electronic
method or procedure
in line with section 3[7]. This act includes
provisions to ensure
the security and authenticity of electronically filed documents by using digital
signatures. Section 5[8]
of the Act grants legal validity to
digital signatures based on
asymmetric cryptography. Each digital signature functions through a Digital Signature Certificate, which includes a
unique pair of private and public keys representing an individual's identity. Certification Agencies, designated by the
Controller of Certifying Authority (CCA),
are authorized under Section 35[9]
of the IT Act, 2000 to issue these Digital Signature Certificates (DSC). Also, they are legally admissible in a court
as stated in the provisions of the said Act.
2.1
How Digital Signatures are created?[10]
Digital signatures use a process called asymmetric cryptography, or
public-key cryptography. In this
process, two keys are created: a private key that only the person who is the
signature himself knows, and a public
key that can be shared with others. The digital signature itself is produced by applying a special mathematical formula
to both the content of the document and the signer’s private key.
2.2
Who issues Digital
Signatures?
Digital signatures are usually provided by a trusted third party known as
a Certificate Authority (CA). These
organizations confirm the identity of individuals or companies requesting
digital signatures and issue
digital certificates, which include the public key and identifying details.[11]
According to Section 24(1) of the Information Technology Act, 2000[12],
no one can issue a Digital Signature Certificate unless they have been licensed to do so by the Controller.
Following Certified Authorities have been granted a license to issue DSC:[13]
·
National
Informatics Center (NIC)
·
IDRBT
Certifying Authority
·
SafeScrypt
CA Services, Sify Communications Ltd.
·
(n)
Code Solutions
·
E-MUDHRA
·
CDAC
·
NSDL
·
Capricorn
·
Pantasign
·
IDSIGN
·
Verasys
·
XtraTrust
·
Care4Sign
·
SignX
·
ProDigiSign
2.3
Does any International Agency issue Digital Signature Certificate?[14]
There is no single global agency in charge of issuing digital signatures.
Instead, international standards and
guidelines, like those from the
International Organization for Standardization (ISO), offer frameworks for implementing and ensuring compatibility of digital signature
systems across various countries and regions.
2.4
On which
documents is a digital
signature invalid?[15]
There are certain documents where a physical signature is required through a notarial process and must be registered with the Registrar
to be legally valid. According to Section 1(4) of the Information Technology Act, 2000,
the Act does not
cover:
·
Negotiable
instruments, except cheques
·
Powers
of Attorney
·
Trusts
·
Wills
and other testamentary documents
·
Contracts
for the sale of real estate or immovable property
2.5
What is the time taken to issue a Digital
Signature Certificate and what is the validity
period of a Digital Signature Certificate?[16]
The certifying authorities may take around 2-3 days in issuing a DSC and
the validity period of a DSC is between 1 or 2 years.
2.6
Use of Digital
Signature:[17]
When a digital signature is created, it's linked to the digital document or message. To verify it, the recipient uses the signer’s public key
to decrypt the signature and compare it to a value calculated from the original document. If the two values
matches, the signature is deemed valid, confirming
that the document hasn't been tampered with and was signed by the person
holding the private key.
Examples
·
Personal
Use: Individuals have the freedom to use a digital signature for
personal matters, without the need
to be physically present at a specific
location.
·
Business: Professions
like architecture, construction, and engineering often require signing tenders, market procurements, or bids.
Digital signatures provide a convenient way to give consent in these situations.
·
GST Return
Filing: When filing GST and e-filing, individuals are required to use
digital signatures.
·
Income Tax
Filing: Some businesses need to file taxes across India, and digital
signatures make this process
much more efficient.
·
ROC
E-filing: Filing with the Registrar of Companies and submitting various
documents have made digital signatures a preferred choice for many.
3.
Procedure for issuance
of a Digital Signature Certificate:
According to Section 35 of
information Technology Act, 2000[18],
Certifying authority to issue [electronic
signature] Certificate. Are:
1) Any person may
make an application to the Certifying Authority for the issue of a [electronic signature]
Certificate in such form as may be prescribed by the Central Government.
2) Every such
application shall be accompanied by such fee not exceeding twenty-five thousand
rupees as may be prescribed by the Central Government, to be paid to the
Certifying Authority: Provided that while prescribing fees under sub-section
(2) different fees may be prescribed for different classes of applicants.
3) Every such
application shall be accompanied by a certification practice statement or where
there is no such statement, a statement containing such particulars, as may be
specified by regulations.
4) On receipt of
an application under sub-section (1), the Certifying Authority may, after consideration
of the certification practice statement or the other statement under
sub-section (3) and after making such enquiries as it may deem fit, grant the
[electronic signature] Certificate or for reasons to be recorded in writing, reject
the application:
[Provided] that no application shall be rejected
unless the applicant
has been given a reasonable
opportunity of showing
cause against the proposed rejection.
According to Section 23 of information Technology Act, 2000,[19]:
The Certifying Authority
shall, for issuing
the Digital Signature Certificates, while complying
with the provisions of section 35 of the Act, also comply with the following, namely:-
1) The Digital
Signature Certificate shall be issued only after a Digital Signature
Certificate application in the form
provided by the Certifying Authority has been submitted by the subscriber to the Certifying Authority and
the same has been approved by it: Provided that
the application Form contains, inter alia, the particulars given in the modal
Form given in Schedule-IV of the said Act.
2) No interim Digital Signature Certificates can
be issued, and the Certifying Authority must generate a Digital Signature Certificate
only after receiving a valid request for either a new certificate or its renewal.
The certificate should include information or
references necessary to locate repositories that will list its
suspension or revocation if applicable.
The method of identity verification for the certificate must be detailed in the Certification Practice Statement and
approved by the Controller during the licensing process. If a new Digital Signature Certificate is issued based
on a valid existing one, and the
original is later suspended or
revoked, the Certifying Authority must investigate whether the new certificate also needs to
be suspended or revoked. Subscribers must be
given a chance to review the certificate's contents before accepting it,
and once accepted, the Certifying
Authority must publish a signed copy in a repository. If any information affecting
the certificate's validity
arises, the Certifying Authority must notify the subscriber immediately. Additionally, all Digital Signature
Certificates must have a designated expiration date.
3.1
Classes
of DSC: There are mainly four classes
of Digital Signature
Certificate[20]
Class 0 Certificates are
simply used for demonstration, helping to test and understand how digital
signature certificates work across different types of applications.
Class 1 Certificates are
provided to individuals or private subscribers and verify that the user's name and
email address are uniquely identified within the Certifying Authority's database.
Class 2 Certificates are
available for both business professionals and private users, ensuring that the subscriber's information in the
application does not contradict data from reputable consumer databases.
Class 3 Certificates are
offered to both individuals and organizations, providing a higher level of assurance, particularly for e-commerce
purposes. These certificates require individuals to appear in person before
the Certifying Authorities for issuance.
3.2
Legal Provisions Concerning Digital Signatures in India[21]:
i.
Recognition of Digital Signatures:
Section
5 of the IT Act grants legal recognition to digital signatures. It states that
when a law requires information or documents to be authenticated by a signature, this requirement is
considered fulfilled if a digital signature is used, provided it follows the prescribed procedures.
ii. Authentication of Digital Signatures:
Under
Section 15 of the IT Act, the authority responsible for authenticating a
digital signature must ensure certain
conditions are met before proceeding. Specifically, the prospective subscriber must have generated the key pair
necessary for both creating and verifying
the signature. Additionally, the subscriber must have control over the use of their private key, ensuring that only they can use it to create
the digital signature.
iii. Legal Consequences of Digital Signatures:
Section
13 of the IT Act specifies that a digital signature is considered secure if it
meets several criteria. It must be
created during the validity period of a legitimate
Digital Signature Certificate and
verified using the public key listed in the sender’s certificate. The digital signature must be unique to
the subscriber who affixed it and should clearly indicate the subscriber’s approval of the associated
information. Furthermore, it must be linked to the information in such a way that any changes
to the information will invalidate the digital signature, ensuring the integrity
of the document.
iv.
Representations Made by a Certifying Authority
(CA) Upon Issuance
of a Digital Signature
Certificate (DSC)
Section
36 of the Information Technology Act, 2000, ensures the reliability of Digital Signature
Certificates (DSCs). When issuing a DSC, the Certifying
Authority (CA) makes representations
regarding its compliance with the Act, the subscriber's acceptance, key possession, functional key pair,
accuracy of information, and absence of material facts. These representations provide a framework for protecting
the interests of both the subscriber and those who rely on the
DSC.
v. Suspension and Revocation of DSCs:
A
Digital Signature Certificate (DSC) can be suspended by the Certifying
Authority (CA) under Section 37 of the IT Act if the subscriber or someone acting on their
behalf requests the
suspension, or if the CA believes that suspending the certificate is in the public interest.
Under Section
38 of the IT Act, a DSC may be revoked by the CA (Certifying Authority)in several circumstances: if the subscriber or their representative requests revocation,
if the subscriber dies or becomes insolvent, if the subscriber (in the case of
a firm or company) is dissolved or
wound up, if any material fact represented in the DSC is found to be concealed or false, if the requirements for
issuing the DSC were not met, or if the CA's (Certifying Authority) private key or security system
has been compromised.
While
the section 37 and 38 deals with suspension and revocation of DSCs, section 39
of the IT Act states that when a DSC
is suspended or revoked under section 37 and 38 of the said Act as the case may be, the Certifying Authority shall
publish a notice of such revocation or suspension.
4
Issues and Challenges faced by digital
signatures
Despite the existence
of legal provisions that is stated in this paper, the use of digital signatures is not without challenges. One of the key
issues is the jurisdictional complexity that arises in cross-border transactions. Determining the applicable law can be difficult, especially when parties are in different jurisdictions with varying legal
requirements. There are still many issues that are of a concern, as stated below:
·
Security
and Privacy Concerns
The
security and privacy of digital signatures is a critical concern. The
protection of private keys, which are
essential for the creation and verification of digital signatures, is
paramount. Legal frameworks must address issues related to key management and compromise. Furthermore, the collection and processing
of personal information associated with digital signatures raises privacy concerns. Data protection laws must be
adequately implemented to safeguard individuals' privacy rights.
·
Interoperability and Standardization
Ensuring interoperability between different digital
signature systems and platforms is essential for their widespread adoption. Standardization efforts can help promote
compatibility and facilitate
cross-border transactions. Legal frameworks should encourage the development of standards and guidelines for the
creation and use of digital
signatures.
·
Enforcement and Dispute Resolution
The enforceability of digital signatures in legal proceedings is another important
consideration. Legal frameworks must address the admissibility
of digital evidence and establish
procedures for resolving
disputes involving digital
signatures. International cooperation and dispute resolution
mechanisms can be helpful in addressing cross-border disputes.
·
Consumer
Protection
Protecting
consumers from fraud and forgery associated with digital signatures is a
critical objective. Legal frameworks
should include provisions to safeguard consumers' rights and interests. Education and awareness
campaigns can also help consumers
understand the benefits
and risks of using digital
signatures.
Relevant Case Laws
a)
In the case of Trimex
International FZE Ltd. vs. Vedanta Aluminum Ltd. and Ors. (2010)[22], the Delhi High Court reinforced the growing importance
of digital signatures in the digital
age, particularly within electronic transactions. The court affirmed that when
digital signatures are used in
compliance with the Information Technology Act, 2000, they carry the same legal weight as traditional
handwritten signatures. This ruling highlighted the critical role digital signatures play in ensuring
the authenticity, integrity, and security of electronic documents, marking a significant step in the acceptance and validation of electronic transactions in India’s legal framework.
b)
A landmark judgment in the realm of digital signatures
is the State of Maharashtra v. Dr. Praful B. Desai[23] (2003) case. In this case, the Supreme
Court of India affirmed the validity of
digital signatures and electronic records under the Information Technology Act,
2000. The court highlighted the crucial role of digital
signatures in enabling
secure electronic transactions and recognized them as
legally valid methods of authentication. This judgment was instrumental in shaping the legal foundation for electronic
commerce in India, setting a precedent for the acceptance of digital signatures in legal proceedings.
5.
Conclusion
The legal recognition of digital signatures in India under the
Information Technology Act, 2000, has
paved the way for their widespread adoption and use in electronic transactions.
Digital signatures offer a reliable and secure means to
ensure the integrity, authenticity, and non- repudiation
of electronic records. As digital transactions continue to grow in importance,
the role of digital signatures will only become more critical.
However, to fully realize the benefits of digital signatures, it is
essential to address the challenges associated
with their secure generation and use. Measures must be taken to prevent the
misuse of digital signatures, such as unauthorized access to private
keys and the creation of forged signatures. Additionally, ongoing efforts
are needed to ensure that legal frameworks and technical standards
keep pace with technological advancements, particularly in areas like blockchain and quantum computing. By
addressing these challenges and promoting the secure and responsible use of digital signatures, India can further
strengthen its digital economy and enhance
the trust and reliability of electronic transactions.
[1] Subodh Asthana, All You Want to Know about Digital
& Electronic Signature - iPleaders, Key Highlights (June 21, 2019), https://blog.ipleaders.in/digital-electronic-signature/.
[2] Archana Balasubramanian, Digital Signature And
Electronic Signature - Legal Framework, IT and Internet (June 24, 2021), https://www.mondaq.com/india/it-and-internet/1083500/digital-signature-and-electronic-signature-legal-
framework.
[3] Webtel Electrosoft Pvt. Ltd., Https://Webtel.In
https://webtel.in/Blog/e-signature-laws-in-india/210.
[4] Information Technology Act, 2000, No. 21 of 2000 (India),
§ 2(1)(ta)
[5] Information Technology Act, 2000, No.
21 of 2000 (India), § 2(1)(p)
[6] India Filings, https://www.indiafilings.com/learn/electronic-signature/.
[7] Information Technology Act, 2000, No. 21 of 2000 (India),
§ 3
[8] Information Technology Act, 2000, No.
21 of 2000 (India), § 5
[9] Information Technology Act, 2000, No.
21 of 2000 (India), § 35
[10] Mitesh Boral, Law of Digital Signatures
in India, (Mar. 18, 2024), https://www.linkedin.com/pulse/law-digital-
signatures-india-vijay-pal-dalmia-2a4fc/.
[11] legal Service India, Digital Signature Certificate, https://www.legalserviceindia.com/articles/article+8.htm.
[12] Information Technology Act, 2000, No.
21 of 2000 (India), § 24(1)
[14] (Apr. 9, 2024), https://ijarsct.co.in/Paper17031.pdf.
[15] Digital Signatory Validity in India, (Mar. 31, 2021),
https://www.khuranaandkhurana.com/2021/03/31/validity-of-
digital-signatures-in-india/.
[16] legal Service India, Digital Signature Certificate, https://www.legalserviceindia.com/articles/article+8.htm.
[17] Subodh Asthana, All You Want to Know
about Digital & Electronic Signature - iPleaders, Key highlights (June 21, 2019),
https://blog.ipleaders.in/digital-electronic-signature/.
[18] Information Technology Act, 2000, No. 21 of 2000 (India),
§ 35
[19] Information Technology Act, 2000, No. 21 of 2000 (India),
§ 23
[22] Trimex International Fze Ltd. v. Vedanta Aluminum
Ltd. (2010)
[23] State of Maharashtra v. Dr. Praful B. Desai (2003)