A Comparison of the Legal Use of Electronic Signatures

A Comparison of the Legal Use of Electronic Signatures
in the U.S.A. and in Turkey

ADMD Law Office
Darius Alam

In response to the rapid growth of electronic commerce, as well as the wide-spread use of email, fax, and online resources in the negotiation of contracts, the United States Congress enacted ESIGN in 2000 (Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001 – 7006, (2012)). The same changes caused the Türkiye Büyük Millet Meclisi (Turkish Parliament) to enact the 'Elektronik İmza Kanunu' (Electronic Signatures Law - EIK) in 2004. See Elektronik İmza Kanunu, Law No: 5070, Published in the Official Gazette on 14 Oct. 2004, No. 253551, adopted 15 Jan. 2004.

Significant differences exist between these two statutes in terms of scope, security, and fields of application. ESIGN in essence provides that electronic signatures and contracts do not fail to meet the requirements of the Statute of Frauds simply by being electronic. EIK on the other hand provides technical specifications, regulations, and guidelines for ensuring the authenticity of electronic signatures. ESIGN follows a barebones approach that relies on existing law to ensure authenticity and security, while EIK follows a technology-specific approach similar to the “Digital Signatures” statutes proposed in the United States in the 1990s.

U.S.A. - ESIGN’s Barebones Approach to Electronic Signatures

The purpose of the U.S. Congress in enacting ESIGN was to ensure that contracts would not be unenforceable simply because they were agreed to electronically, not to create new substantive contract law. ESIGN provides, “a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form.” 15 U.S.C. § 7001(a)(1).

Under ESIGN, electronic signatures can be used for many agreements entered into electronically or involving negotiation over electronic media, however, there are a variety of exceptions. These exceptions include contracts or records regarding wills, codices, testamentary trusts, divorce or other matters of family law, and those that fall under the Uniform Commercial Code, as in effect in any State, other than sections 1-107 and 1-206 and Articles 2 and 2a. 15 U.S.C. § 7003(a). Further exceptions include court orders and notices, recall or transportation of hazardous products, cancelation or termination of utility services, health insurance and life insurance benefits (excluding annuities), and default, acceleration, repossession, foreclosure, eviction, or the right to cure, under a credit agreement secured by, or rental agreement for, the primary residence of an individual. 15 U.S.C. § 7003(b).

However, while ESIGN provides that signatures are not unenforceable solely on the basis of being electronic, it also provides that there is no requirement that anyone, aside from government agencies, use or accept electronic signatures. 15 U.S.C. § 7001(b)(2). In Prudential Ins. Co. of Am. v. Prusky, the court refused to grant a declaratory judgment stating that an insurer violated ESIGN by refusing to accept premium investment transfers by fax or electronically because of the exception in 15 U.S.C. § 7001(b)(2). See 413 F.Supp.2d 489, 494 (E.D. Pa. 2005). ESIGN further provides that a business acquire consumer consent before it substitutes an electronic notice or transaction for one the law requires to be written. 15 U.S.C. § 7001(c).

ESIGN does not establish extensive security guidelines to ensure that the signature is authentic. Indeed, it goes further and prevents states from “require[-ing], or accord[ing] greater legal status or effect to the implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures.” 15 U.S.C. § 7001(a)(2)(A)(ii).

Accordingly, by simply providing that electronic communications are a writing for purposes of the Statute of Frauds, ESIGN in effect places the burden on the party accepting the signature to determine whether or not the signature indicates acceptance of the agreement. See Marianne Menna, Comment, From Jamestown to the Silicon Valley, Pioneering a Lawless Frontier: The Electronic Signatures in Global and National Commerce Act, 6 VA. J.L. & TECH. 12, 19 (2001).

However, relevant statutes and common law still apply to electronic signatures under ESIGN. This existing body of law provides the mechanism for ensuring that the electronic signature is a valid expression of assent to the terms of an agreement. ESIGN provides that an electronic signature can satisfy the Statute of Frauds but it does not say that it automatically makes an agreement enforceable. Therefore ESIGN does not, “limit, alter, or otherwise affect any requirement imposed by a statute, regulation, or rule of law relating to the rights and obligations of persons under such statute, regulation, or rule of law other than a requirement that contracts or other records be written, signed, or in non-electronic form.” 15 USC § 7001(b)(1).

In Sawyer v. Mills, the Supreme Court of Kentucky held that a recording of another party verbally agreeing to the terms of an agreement taken without his notice did not make the agreement enforceable, as surreptitiously recorded audio, even if considered to be an electronic signature under 15 U.S.C. § 7001, is “tantamount to forgery.” See 295 S.W.3d 79, 88 (Ky. 2009). In In Re Cafeteria Operators, the court held that while emails could constitute an electronic signature under ESIGN, it was still necessary for them to fulfill the other requirements of contract law, i.e., to indicate willing acceptance of an agreement. See 299 B.R. 411, 417-18 (Bankr. N.D. Tex. 2003). In Cafeteria Operators, the emails did not indicate a “meeting of the minds” and therefore no contract was formed. See 299 B.R. at 418. In Hugh Symons Group, PLC v. Motorola, Inc., the Fifth Circuit Court of Appeals held that while an email could satisfy the requirements of the Statute of Frauds under ESIGN, the email in question did not because it did not express a final agreement but rather an invitation to continue negotiations. See 292 F.3d 466, 469-70 (5th Cir. 2002).

The courts have so far broadly constructed what constitutes an electronic signature under ESIGN. ESIGN states that, “the term ‘electronic signature’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” 15 U.S.C. § 7006. In Campbell v. General Dynamics, the First Circuit Court of Appeals held that an email, even one unsigned, could function as an electronic signature for the purposes of ESIGN. See 407 F.3d 546, 556 (1st Cir. 2005). In Specht v. Netscape Communications Corp., the Second Circuit Court of Appeals held that clicking on a “Yes” box indicating acceptance of the license terms in an end user license agreement (EULA) constituted an electronic signature under ESIGN. See 306 F.3d 17, 27 (2d Cir. 2002).
ESIGN is further complicated by the existence of a preemption clause that allows for state legislation to control in certain situations. 15 U.S.C. § 7002(a). This clause contemplates three scenarios: 1) the state has adopted the uniform version of the Uniform Electronic Transactions Act (UETA); 2) the state has adopted a modified version of UETA; and 3) the state has adopted some other electronic signatures legislation. 15 U.S.C. § 7002(a); 15B Am. Jur. 2d Computers and the Internet § 146; Mike Watson, Comment, E-Commerce and E-Law; Is Everything E-Okay? Analysis of the Electronic Signatures in Global and National Commerce Act, 53 BAYLOR L. REV. 803, 839 (2001).

If a state has adopted the uniform version of UETA, then UETA will apply. 15 U.S.C. § 7002(a)(1). This is not problematic, as ESIGN contains the same language and provisions regarding electronic signatures as UETA. See Watson, supra at 838-39.

However, if a state has either adopted a modified version of UETA or different legislation, the test under Section 7002(a)(2) of ESIGN will apply to determine whether the state law is preempted. 15 U.S.C. § 7002(a)(2). The test requires that the state law contain provisions consistent with ESIGN for use of electronic signatures, that the state law contain no requirements for a specific type of technology or security device, and lastly that any State law passed after the adoption of ESIGN reference ESIGN. 15 U.S.C. § 7002(a)(2).

Turkey - EIK’s Technology Specific, Security-centered Approach to Electronic Signatures

In contrast to ESIGN, EIK addresses the security of electronic signatures in depth through imposing liability on Digital Certificate Service Providers (hereinafter Providers) and through detailing the technical requirements for an electronic signature to be secure enough to be valid. EIK’s focus on security and authentication creates a new framework for electronic signatures rather than relying heavily on existing contract law as ESIGN does. EIK conforms to European standards through Turkish involvement in CEN (European Community For Standardization).

Art. 5 of EIK provides that “a secured electronic signature has the same effect as a handwritten signature.” Therefore, agreements signed with non-secured electronic signatures are not enforceable under EIK.

EIK defines a secured electronic signature as, “a signature which a) is connected exclusively to the signatory; b) is generated by a tool to create a secure electronic signature only at the discretion of the signatory; c) allows for the detection of the signatory through a digital certificate; and d) allows for the detection of any subsequent changes to the signed electronic data.” EIK Art. 4. EIK also defines a digital certificate as, “an electronic registration linking data of the signatory verifying the signature to the signatory’s identification information.” EIK Art. 1.

EIK further requires the presence of a time stamp in the electronic signature. EIK Art. 3, Para. f. A time stamp is defined as, “a registration verified by the digital certificate service provider for the purpose of identifying the time that the electronic data was produced, changed, sent, received or recorded.” EIK Art. 3, Para. f.

EIK's system not only provides technical specifications for the enforceability of electronic signatures, but provides a requirement for ensuring the authenticity of the signature through the digital certificate requirement. Digital certificates must themselves reach a minimum level of security and provide for authentication and verification in order to be “qualified digital certificates.” Non-qualified digital certificates cannot be used in the electronic signature process, and there are ten conditions for a digital certificate to be a qualified digital certificate. EIK Art. 9. They include that the certificate must contain, “data to verify the signature corresponding to the data generating the signature” (EIK Art. 9, Para. d), “identification information to be able to determine the Signatory” (EIK Art. 9, Para. c), and “identification information for any separate person acting on behalf of the Certificate holder, if necessary” (EIK Art. 9, Para. 5), and the certificate’s serial number (EIK Art. 9, Para. f).

The Bilgi Teknolojileri ve İletişim Kurumu (Information and Communications Technologies Authority – BTIK), then called the Telekomünikasyon Kurumu (Telecommunications Authority - TK), the administrative agency empowered to regulate this field under EIK Art. 3, Para. j, issued a regulation in 2007 further defining the technical process for issuance of a valid qualified digital certificate. This regulation, entitled “Nitelikli Elektronik Sertifika, SİL ve OCSP İstek/Cevap Mesajları Profilleri” [Qualified Digital Certificate, SIL (Certificate Cancellation List), and OCSP (Online Certificate Status Protocol) Request/Response Message Profiles], ensures that qualified digital certificates comply with European norms and standards. See Bilgi Teknolojileri ve İletişim Kurumu, Decision No.: 2006/DK-77/207, Date: 18 Apr 2007.

The regulation clarifies that qualified digital certificates comply with ETSI (European Telecommunications Standards Institute) profiles, namely the ETSI TS 101 862 Certificate Profile. BTIK 2006/DK-77/207, Annex, Art. 4. The regulation further provides that, “the keys of certificates given must be compatible with the size of the key and algorithm found in communiqué 3” [a public key authentication protocol]. BTIK 2006/DK-77/207, Annex, Art. 4.1.5.

The public key architecture must comply with the international standard RFC 3739 Internet X.509 Public Key Infrastructure: Qualified Certificates Profile. BTIK 2006/DK-77/207, Annex, Art. 9.[4]. The regulation also provides in-depth technical guidelines for the generation and use of additions to the public key so that modifications will be supported but conform to CEN standards. BTIK 2006/DK-77/207, Annex, Art. 4.2. There are also similar guidelines for the cancellation of an electronic signature, including a requirement for compliance of the cancellation algorithm with CEN standards. BTIK 2006/DK-77/207, Annex, Art. 6; 6.1.2. This regulation not only ensures that Turkish electronic signatures comply with European standards, but provides a high level of security for the digital certificate. BTIK 2006/DK-77/207, Annex, Art. 1; See generally TK 2006/DK-77/207 incl. Annex.

BTIK also issued a 2006 decision further clarifying the security requirements for the electronic signature generation and verification process. BTIK set forth formats that meet the requirements for electronic signatures under EIK in its decision on “Procedures and Basis Regarding the Formats of Secured Electronic Signatures and Applications for Secured Electronic Signature Generation and Verification.” Bilgi Teknolojileri ve İletişim Kurumu, Decision No.: 2006/DK-77/353, Date: 01 Jun 2006. BTIK stipulated that Providers should ensure that the electronic signature generation processes and signed electronic data conform to CWA 14170 (Security Requirements for Signature Creation Applications) set forth by CEN within six months. BTIK 2006/DK-77/353, Art. 1. BTIK recommended the ETSI TS 101 733 or ETSI TS 101 901 formats. TK 2006/DK-77/353, Art. 2. This decision keeps electronic signature law in Turkey in compliance with European norms. See BTIK 2006/DK-77/353.

In addition to laying out the technical specifications for a valid electronic signature, EIK imposes liability on Providers. EIK Art. 13. EIK defines 'Providers' broadly as “public institutions and establishments, and natural or private legal persons who provide services related to electronic signatures, time stamps, and digital certificates. EIK Art. 8. Providers are liable to users of digital certificates under existing principles of liability. EIK Art. 13. Providers are also liable to third parties for damages arising from the breach of the provisions of this law. EIK Art. 13.

Foreign Providers can also provide digital certificates for use in Turkey, however, liability then extends to the Providers in Turkey who accept such digital certificates. EIK Art. 14. EIK provides, “Where digital certificates given by a digital certificate service provider situated in a foreign country are accepted by a digital certificate service provider in Turkey, said digital certificates are considered qualified digital certificates. The digital certificate service provider in Turkey is liable for losses arising as a result of using these digital certificates.” EIK Art. 14. Providers must also take out insurance policies against damages arising from the law, or to fulfill their obligations under the law. EIK Art. 13.

Aside from EIK, the Turkish Government has put in place e-Devlet (e-State), a web-based service that allows citizens to access necessary data, documents, and records and report issues and submit documents securely online. This platform functions as a sort of electronic signature for the purposes of dealing with government organizations (similar to the functions contemplated in ESIGN in 15 U.S.C. § 7001(b)(2)). See 15 U.S.C. § 7001(b)(2); Elektronik Haberleşme Kanunu (Electronic Communications Law - EHK), Law No.: 5809, Art. 67, Para. b, Published in the Official Gazette on 10 Nov 2008, Adopted on 5 Nov 2008; Bakanlar Kurulu Kararı (Decision of the Council of Ministers - BKK), e-Devlet Kapısının Kurulması, İşletmesi ve Yönetilmesine İlişkin Karar (Decision Regarding the Establishment, Operation, and Management of the E-State Portal), Decision No.: 2006/10316, Date: 24 March 2006.

The authority to establish e-Devlet was given in EHK, and provides that a level of security be established for accessing these services through provision of an electronic identification number, used in conjunction with the official identification number. See “e-Devlet,” https://giris.turkiye.gov.tr/Giris/, Accessed on 09 Jul 2013.

The system is run by the state-owned company Türksat Uydu Haberleşme Kablo TV ve İşletme, A.Ş. (Turksat), which is responsible for maintaining adequate security. See “e-Devlet,” https://giris.turkiye.gov.tr/Giris/, Accessed on 09 Jul 2013; T.C. Başbakanlık (Office of the Prime Minister of the Republic of Turkey), E-Devlet ve Bilgi Toplumu Kanun Tasarısı Taslağı (Proposed Legislation for the Law for E-Devlet and Information Society) Art. 20 “Identity Verification and Authorization.”

In their decision establishing and providing for e-Devlet, the Council of Ministers stated that the security of the system is a goal of the project. BKK 2006/10316. The system also allows for the use of an electronic signature for use of government services and information in accordance with EIK. See “e-Devlet,” https://giris.turkiye.gov.tr/Giris/, Accessed on 09 Jul 2013.

Conclusion

Perhaps because of its more detailed and technical nature and the imposition of liability on Providers, EIK allows for electronic signatures in far more areas than ESIGN does. EIK allows for secured electronic signatures to have the same effect as written signatures in all areas except for surety agreements and in those relatively few legal transactions subject to an official form or some other essential formality that has to take place on paper (e.g., incorporation of a company). EIK Art. 5. However, the ability to use electronic signatures in more applications under EIK comes with greater costs, both monetary and regulatory, to ensure the security and authenticity of the electronic signature.

ESIGN, on the other hand, makes contract formation through electronic media easier in the areas in which it is allowed. Because of the courts’ broad construction of the definition of an electronic signature, as well as the broad statutory language, it allows contracts to be formed electronically through emails, electronic forms, and even audio recordings. There is no need for a separate technological system to create and verify an electronic signature as in EIK. This is in line with how people use modern technology, where an email or clicking a box is often an assent to the terms of the agreement. However, it is conceivable that relying on the existing body of contract law could result in comparatively more litigation than under EIK, where it is clear whether or not an electronic signature satisfies the detailed technical requirements.

Furthermore, the barebones approach of ESIGN leaves many areas of law where electronic signatures would not be enforceable. Both systems allow for the use of electronic signatures in online government services. See 15 U.S.C. § 7001(b)(2); EHK Art. 67, Para. b.

Publications