Digital signature to operate in the United States
Digital signature has been with us for many years, both on a personal user-level as well as a user in an organization, either for our banking transactions or with public administration, and although we are all aware of its use, not all signatures called «digital» or «electronic», have the same security levels and are regulated in the same way in all the countries by setting the main differences and similarities between Europe and US. I talk about this on this post.
Although the concept of digital signature as a signature by electronic means with legal validity, non-repudiation, authenticity of the signatory and integrity of the signed is something that is clear in all countries of the world, not all countries legislate the development and implementation of models of digital signature or electronic signature in the same way as it is called in many countries or by some professionals who use both terms, as I commented on two of my previous posts:Electronic signature and digital signature: Synonyms or different concepts? Why do we call the digital signature electronic?
In its early times, digital signature in Europe was governed by Directive 1999/93/CE of the European Parliament and the Council by which it established a community framework for the use of the digital signature. However, with this directive was way far from establishing a common denominator in the old continent, each member country of the EU just developed their own legislation in this area.
In 2014, the new Electronic Signature European Regulation (eIDAS) was approved and its main objective was the interoperability of the digital signature of the State Members of the EU, among other aspects of interest such as trust and electronic identification services: time stamping, websites authentication, etc.
This European model is copied by Latin America countries who see in it a successful case to follow.
Why doesn’t the US unify its digital signature law?
Well, if you look at the US scenario, we can see that it still has a long way to get to the situation in which Europe is in at present, since the US today is not considering an interoperable model of digital signature for the whole country, since the US has currently two types of laws for the digital signature regulation: federal nature (E-Sign Act) and state nature (UETA).
Since the year 2000, the Electronic Signatures in Global and National Commerce Act, known as the E-Sign Act, delimits its sphere of action among the different States of US.
However, this law is based and shares certain points with the broader national law which regulates digital signature and dates back to a year before (1999) called Uniform Electronic Transactions Act, commonly known as UETA and whose jurisdiction in addition to comprise the 47 US States applies to territories of the country.
While much remains to be clarified in these laws, both share that digital signature vs electronic signature have the same validity as the manuscript signature, although we cannot ignore the fact that for this to be such, it is essential that this were a certified electronic signature and sustained by cryptography based on public key (PKI – Public Key Infrastructure) and both the signatory and the person who receives the signed document may provide for the record of its action as evidential value.
Hence, the US acknowledges the validity of the digital signature platforms through the contract granted by Central Services Administration or GSA (General Services Administration) of which its acquisition is available by Federal, State and Local Governments of the US and available to REALSEC as well.
As I commented previously, and seeing the US outlook in terms of digital signature legislation, we see that the framework with regard to Europe is very different and that much still needs to be done. But it also should be noted that in the US these laws do not establish differences between what the safe digital signature is (signature based on digital certificates), electronic signature or advanced signature according to Europe (generic expression, associated with electronic data, but without the legal and juridical validity that provides the digital signature as an instrument of identification and authentication- for example, the creation of a PDF signed by its author could be a case of electronic signature, since it identifies the author but has no legal validity or authentication security) or the the digitized signature (or simple signature) that is simply the signature that once written manually on a piece of paper, it is then scanned and pasted into a document without more science or verification.
Within the concept of electronic signature, the US includes all types of digital, electronic or digitized signatures without differentiating their safety levels and this is a big mistake because the only safe digital signature there will be is the one that is based on cryptographic technology which lies in an HSM (Hardware Security Module), which is the only one that will provide legal validity to the process , authenticity both to the undersigned as signed and therefore prevent being the victims of cybercrime.
Therefore, I hope that the US becomes motivated to follow the European model of digital signature interoperability and sides for other services of e-trust, among other aspects.