1 Introduction
Identity is a much bigger notion than signing things. In our daily lives and social interactions, we rarely encounter situations that require our signatures, so most of the time people are not bothered with them. Signatures are primarily used for communication with government and for concluding special types of dealings or contracts where trust issues or know-your-customer (KYC) obligations set higher standards for providing evidence of authenticity. But the fact that we rarely use signatures in our daily lives does not mean that signatures are not important. This essay aims to explain why identity is much more important than signatures in cyberspace by describing the difference between how signatures and identity function in the online world. To that end, the following sections discuss the notions of signatures and identity.
2 Signatures
The most commonly known form of a signature is the manuscript signature, which is basically the name of the signatory written by his own hand on a piece of paper. Signatures provide three basic functions: evidencing the identity of the signatory, evidencing the intention to sign and evidencing the signatory’s intention to adopt the contents of the document.[1] However, it is not common practice in either civil or common law countries to define by law what a signature is.[2] A signature can nevertheless be defined in two ways: the first defines the signature according to the forms it takes, and the second defines it according to the functions it fulfills in daily life.
Civil law countries have usually adopted the first approach (the form-based approach) and common law countries the second (the functional approach).[3] So the civil law approach requires a formal act of will that creates a connection between the signatory and the document (usually a hand-written name), while the common law approach embraces not only formal acts but all kinds of acts which can evidence the identity and the intention of the signatory. That also means that the common law approach is more convenient for adopting new ways of signing, because the only criterion is whether the functions of the signature are fulfilled or not. This is particularly true for electronic signatures, which can be defined as “data in an electronic form in, affixed to or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory’s approval of the information contained in the data message”.[4] So, if an e-signature can be shown to perform the functions of signatures stated above, it would be regarded as valid according to the functional approach.
E-signatures may range from a simple typing of a name on an electronic document to scanned manuscript signatures, biometric records and digital signatures, which differ in terms of the level of security they provide.[5] Particular attention should be given to digital signatures, which employ a pair of asymmetric keys and utilize a Public Key Infrastructure (PKI): a private key kept by the sender to encrypt the message and a public key available to the public to decode the message. Digital signatures are often deemed to provide a higher degree of security than other e-signatures in the online world.[6]
This higher degree of security comes not only from the mathematical functions or algorithms that make it nearly impossible to discover a private key from the disclosed public key, but also from the extrinsic evidence provided by third parties, which increases the level of authenticity. Just as a traditional signature on a document is compared with other signatures of the signatory to provide extrinsic evidence that the document has actually been signed by the signatory, the identity of a digital signature’s signatory is further evidenced by institutions called Certification Authorities (CAs), which perform the necessary identity checks and, when satisfied, issue an electronic certificate that includes, inter alia, a certification of the signatory’s identity and of his public key.[7]
Digital signatures evidence not only the identity of the signatory but also the adoption of the document signed. Signing digitally means encrypting the one-way hash value of the digital content of the document (the message digest) with the signatory’s private key. This proves that the content of the signed document has not been changed and that the integrity of the signed text is preserved, and in doing so it logically binds the digital signature to the document signed.[8]
These algorithms and the underlying technology of the signing process make digital signatures many orders of magnitude harder to forge than manuscript signatures,[9] and a qualified electronic signature[10] “greatly exceeds the legal standards of proof on the balance of probabilities (for civil cases) and beyond reasonable doubt (for criminal cases)”.[11] However, digital signatures see little use online in daily transactions. Of course, PKI technology, certificate-based encryption technology like SSL in “https” sites and other forms of e-signatures are widely used online. But qualified signatures within the meaning of Regulation (EU) No 910/2014 have not been widely adopted, the main barrier being the cost of running the system and of acquiring a qualified electronic signature as an individual. Furthermore, the most important thing in making transactions online is identification and authentication, for which there are many cheaper methods online than qualified e-signatures. Hence, the next section discusses the concept of identity and the reasons why it is a much broader and more important concept in cyberspace.
3 The concept of identity
One of the most difficult issues in the online world is to tell whether someone is actually the person he claims to be. Even in the real world, it is difficult to say that somebody is actually the person he says he is without relying on extrinsic evidence like an official identity card, an attestation of a trusted third party or previous signature samples of the signatory. As mentioned above, one of the functions of signatures is evidencing the identity of the signatory. In the online world, there is no manuscript signature sample to compare with, so manuscript signatures are replaced by qualified signatures, which provide extrinsic evidence about the identity of the signatory with the help of the testimony of third parties called certificate authorities or trust service providers.[12]
However, people rarely need even manuscript signatures for their daily transactions in real life. Qualified e-signatures are rarely used for the same reason: people do not need them to perform most transactions online. Sometimes the identity of the individual does not matter at all in the physical or online world, because the only thing that matters is whether the individual has made the payment or not. Even where an online sales business does not care about the true identity of the customer, an implicit identification process takes place through the payment service provider or card scheme while funds are deducted from the cardholder’s balance. Moreover, most online sales businesses require their customers to authenticate their identity based on credentials like an account or username provided to the customers by the online sales business itself. That is to say, even online businesses that do not care about the true identity of their customers usually need to identify them in different ways. That kind of identification is needed in order to differentiate a particular customer from others, or for various other reasons like keeping track of their sales history or giving particular sets of services to identified customers.
People tend to think of identity as the name of a person. But many things other than names identify a person. Indeed, individuals have multiple identities and identifiers both online and in the physical world. Identities associated with people can be divided into three: personal or psychological identity, social identity, and legal identity.[13] Legal identities are fixed identities. Personal and social identities, on the other hand, are variable identities which change and evolve constantly in one’s life, and they should not be commingled with legal identity. Individuals have multiple social identities that may be linked directly or indirectly to their legal identities online.[14]
All kinds of identities also feature two aspects: a personality aspect and attributes. The personality aspect is about knowing who a person is and being able to singularise that person from others. The attributes aspect covers various types of attributes, like age, location, qualifications, authority to do something, etc. Depending on the particular type of transaction we deal with in our daily lives, sometimes the personality aspect of the identity does not matter, and sometimes the attributes of the identity do not matter. For example, as mentioned above, an online sales business does not care about who a particular customer actually is, as long as he makes the payment. Likewise, an online adult content provider or an alcohol seller does not care about the true legal identity of the customer but cares about the age attribute of his identity in order to comply with laws and regulations.
As the social identities of an individual evolve during his lifetime, the concept of identity itself is also evolving with the emergence of new technologies. Online identity has passed through four broad stages during its evolution since the advent of the Internet: centralized identity (administrative control by a single authority or hierarchy), federated identity (administrative control by multiple, federated authorities), user-centric identity (individual or administrative control across multiple authorities without requiring a federation), and self-sovereign identity.[15]
Today, legal identities of individuals are issued by governments and if the government revokes the credentials of an individual, he will lose his identity. Online identity has been suffering from the same centralized control. People were required to create different accounts and identities for each and every personalized web service provider on the internet. That means that users are locked in to a single authority who can deny or revoke their identity anytime it wants and since online identities are centralized, “the removal or deletion of an account effectively erases a person’s online identity which they may have spent years cultivating and may be of significant value to them, and impossible to replace.”[16]
That is to say, centralization of identity gives power to the centralized entities, not to the users.[17] Besides, forcing users to create numerous identities over numerous websites without even giving them control of those identities also caused the balkanization of identities. Federated and user-centric identity concepts like single-sign-on authentication methods, Facebook Connect or Google Plus login mechanisms showed up as an answer to this problem. However, even if the user has been given the ability to control some aspects of his identity, each individual identity provider (like Facebook or Google) still remained an authority that can control and revoke the identity of the individual whenever it wants. So the balkanization problem turned into an oligarchy problem, where the power of centralized authority was now divided among several powerful entities.[18]
Additionally, people care more about their privacy as technology intrudes on all aspects of their lives, so they tend to prefer pseudonymous social identities online rather than disclosing their true legal identity. People still want to be served without disclosing their true persona. This expectation can be exemplified as follows: one’s identity card should be able to prove to a pub that the individual concerned is over 18 years old without telling the pub who that individual actually is, which is none of their business.[19] In some countries, elements of this new vision are already in use.[20] In Germany, a system was created to link identity cards to service-specific virtual identities for enhancing the privacy of citizens,[21] which enables, inter alia, age verification for the activation of age-restricted adult content such as video-on-demand.[22] The same functionality will likely be an inseparable part of identification schemes in the future, by which people can still be identified and served without revealing their full identity, revealing instead only some aspects or attributes of their true identity.
With the emergence of distributed ledger and blockchain technology, a new method of identification called self-sovereign identity has also emerged. It came with the idea that, by using distributed ledger technology that places the identification data under the control of the individuals themselves, no centralized entity would have control of the identity; rather, individuals would own and be in control of their online identity.[23] With self-sovereign identity, the individuals’ digital existence would be independent of any single organization and nobody could take it away from them.[24] They can control their self-sovereign identity as a digital record or container of identity transactions, they can add more data to it or ask others to do so, they can reveal some or all aspects of their self-sovereign identity some of the time or all of the time, and claims made about their identity can be self-asserted or asserted by a 3rd party whose authenticity can be independently verified by a relying party.[25]
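The mechanics described in Sections 2 and 3, as an added example that is not part of the original essay: an issuer signs the digest of a credential with its private key, and the holder later proves a single attribute (being over 18) to a relying party without revealing name or birth date. The toy RSA key, the salted-hash disclosure scheme and all names and sample values are assumptions made for illustration; the scheme is not the mechanism of the German system or of any product cited here.

```python
import hashlib, json, secrets

# Toy RSA key built from two Mersenne primes (constructed for this example).
# Unpadded and far too small for real use; it only shows the mechanics.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer

def digest(data: bytes) -> int:
    """One-way hash of the content (the message digest), as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    return pow(digest(data), D, N)  # private-key operation on the digest

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(data)  # anyone can check with (N, E)

def commit(name, value, salt) -> str:
    """Salted hash that hides an attribute until the holder reveals it."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(attrs: dict):
    """Issuer: sign only the salted digests; the salts go to the holder."""
    salts = {k: secrets.token_hex(16) for k in attrs}
    digests = sorted(commit(k, v, salts[k]) for k, v in attrs.items())
    return {"digests": digests, "sig": sign(json.dumps(digests).encode())}, salts

def present(cred: dict, attrs: dict, salts: dict, reveal: list) -> dict:
    """Holder: disclose only the chosen attributes with their salts."""
    return {**cred, "disclosed": [[k, attrs[k], salts[k]] for k in reveal]}

def check(pres: dict):
    """Relying party: return the proven attributes, or None if anything fails."""
    if not verify(json.dumps(pres["digests"]).encode(), pres["sig"]):
        return None  # digest list altered or not signed by the issuer
    proven = {}
    for name, value, salt in pres["disclosed"]:
        if commit(name, value, salt) not in pres["digests"]:
            return None  # claim was never certified by the issuer
        proven[name] = value
    return proven

# Constructed sample identity; the pub is shown only the age attribute.
ATTRS = {"name": "Alice Example", "birth_date": "1990-01-01", "over_18": True}
CRED, SALTS = issue(ATTRS)
PUB_VISIT = present(CRED, ATTRS, SALTS, ["over_18"])
```

The signature and digest list are identical in every presentation, so relying parties that compare records can still link visits by the same holder; avoiding that requires an unlinkable credential scheme, which this example does not attempt.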
4 Conclusion
Identity online represents a much broader concept than signatures, and it is a dynamic concept that changes and evolves constantly. Signatures, offline or online, provide only evidence of authenticity and identity. In the digital world, there are many more ways than signatures to identify and authenticate. However, individuals have multiple social identities that may be linked directly or indirectly to their legal identities online, and as opposed to legal identities, personal and social identities are variable identities which change and evolve constantly in one’s life. People care more about their privacy as technology intrudes on all aspects of their lives, so they tend to prefer pseudonymous social identities online rather than disclosing their true legal identity. This need will likely shape the identification schemes of the future in such a way that people can still be identified and served without revealing their full identity, revealing instead only some aspects or attributes of their true identity.
[1] Chris Reed, ‘What is a Signature’ (2000) 3 The Journal of Information, Law and Technology (JILT), https://warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/reed/, Accessed 6 Jan 2019.
[2] ibid.
[3] ibid.
[4] UNCITRAL, The Model Law on Electronic Signature with Guide to Enactment 2001, (United Nations Publication: New York, 2002), p.1, available at: http://www.uncitral.org/pdf/english/texts/electcom/ml-elecsig-e.pdf, Accessed 6 Jan 2019.
[5] Minyan Wang, The Impact of Information Technology Development on the Legal Concept – A Particular Examination on the Legal concept of Signatures, International Journal of Law and Information Technology Vol. 15 No. 3 Oxford University Press 2006 pages 253-274, page 256.
[6] ibid, page 254.
[7] Reed, above, n 1.
[8] Digital Signature Standard(DSS) FIPS PUB 186-4, National Institute of Standards and Technology(NIST), July 2013, https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf, Accessed 07.01.2019, pages 9-14.
[9] Reed, above, n 1.
[10] Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation), OJ L 257/73, 28 Aug 2014, Article 3(12).
[11] Chris Reed, Beyond BitCoin – legal impurities and off-chain assets, Queen Mary University of London, School of Law Legal Studies Research Paper No. 260/2017, page 9.
[12] eIDAS Regulation, above, n 10, Article 3.
[13] David Birch, Identity is the New Money, London Publishing Partnership 2014, page 2.
[14] ibid, page 2.
[15] Christopher Allen, ‘The Path to Self-Sovereign Identity’ (Life with Alacrity, April 25 2016).
[16] Andrew Tobin & Drummond Reed, ‘The Inevitable Rise of Self-Sovereign Identity’, Sovrin Foundation White Paper September 2016, updated March 2017, https://sovrin.org/wp-content/uploads/2017/06/The-Inevitable-Rise-of-Self-Sovereign-Identity.pdf, Page 7.
[17] Allen, above, n 15.
[18] ibid.
[19] Birch, above, n 13, page 25.
[20] ibid, page 24.
[21] ibid, page 24.
[22] POSTIDENT, https://www.deutschepost.de/en/p/postident/postid.html, Accessed 7 Jan 2019.
[23] Reed, above, n 11, page 14.
[24] Tobin, above, n 16, page 8.
[25] ibid, page 8-9.