20/06/2010
Comments on the Legal Admissibility of Biometric Signatures

David V. Bowen, Audata Ltd. 

The CIC biometric signature software, based on software originally written in the UK for the Atomic Energy Authority, has been in active commercial use for almost 20 years.  During that time one of the most frequently asked questions has been “Are biometric signatures admissible in court [in the UK and Europe]?”  The question has been sharpened by a major government campaign in support of Public Key Infrastructure (PKI) signatures, and by work (resulting in a published standard) on the legal admissibility of electronic documents. 

This brief note draws these strands together to offer comments on the current situation as to the legal weight of biometric signatures on electronic documents, stored and managed electronically. 

This note is not formal legal advice, and is offered by a company which has worked with Communications Intelligence Corporation (CIC) (and its predecessor, PenOp) since 1998. 

In 1998, Dr. Ian Walden, a consultant to Bird & Bird solicitors (in London), wrote on “Legal Aspects of the PenOp Signature under English Law”.  Since the PenOp technology is the direct precursor to the CIC technology, and since England and Wales share one body of law on evidence and signatures, the article is still relevant.  Dr. Walden concludes that a biometric signature would be legally valid and that the PenOp technology includes features which allow forensic analysis and supporting expert testimony.  
Since then, two significant changes have further supported biometric signatures on electronic documents.  One is the standard for legal admissibility of electronic documents, and the other is EU and UK legislation on electronic signatures. 

Legal Admissibility of Electronic Documents
(DISC PD 0008, 0009, and 0010; BIP 0008, and now BS 10008:2008). 
For 12 years now, the British Standards Institution (BSI) has developed and published standards for managing electronic documents so that they remain admissible in evidence.  These standards emphasize the following points, each of which is either directly supported by CIC biometric signatures or requires a process environment in which CIC signatures operate well: 

  • Create the document in a defined process for a defined purpose 
  • Record evidence of the purpose, date, and authority of the document (supported by CIC SignIt) 
  • Ensure authenticity, accuracy and reliability of the document 

CIC’s SignIt software operates as an advanced biometric signature: it captures the ceremony of signing (reason, place, person), the signature itself, and the date and time, and it locks the contents of the signed document to the signature, so that any change to the document after signing is detected and invalidates the signature.  SignIt therefore strongly supports the BSI standards for legal admissibility. 
In passing, note that CIC’s SignIt software is actually stronger than an ordinary “pen and ink” signature: 

  • SignIt cannot be tricked by tracing over an authentic signature, because a biometric signature records the dynamics of the pen movement (timing, speed and pressure) as well as its shape, and a traced copy reproduces only the shape 
  • SignIt detects and records any change to a document after signing 
  • SignIt captures a date, place and reason which are bound to the signature 
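As an added illustration (this is not CIC or Audata code, and it does not describe the patented SignIt mechanism), the following Python sketch shows the design the paragraphs above describe: a signature record that captures the signing ceremony (signer, reason, place, time) together with the pen data, and is locked to a SHA-256 digest of the document, so that a later change to either the document or the record is detected at verification.  The HMAC seal key, the record layout and the pen samples are assumptions constructed for the example.

```python
"""Binding a captured biometric signature to the document it signs.

Added illustration, not CIC/Audata code.  Assumed design: the signature-capture
system seals each signature record with an HMAC under a key it holds, so that
neither the document nor the recorded ceremony can be altered after signing
without the change being detected.  All sample values are constructed.
"""
import hashlib
import hmac
import json

# Assumption: a secret held by the signature-capture system (not by the signer).
SEAL_KEY = b"example-seal-key-held-by-signing-system"

# Constructed pen data: (x, y, pressure, t_ms) samples from one signing stroke.
SAMPLE_PEN_STROKES = [
    (10, 40, 0.30, 0), (14, 38, 0.55, 12), (21, 33, 0.70, 25),
    (30, 30, 0.62, 40), (38, 34, 0.48, 58), (45, 41, 0.20, 70),
]


def canonical(obj) -> bytes:
    """Serialise deterministically so digests and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def create_signature_record(document: bytes, pen_samples, signer: str,
                            reason: str, place: str, signed_at: str,
                            key: bytes = SEAL_KEY) -> dict:
    """Capture the signing ceremony and lock it to the document contents."""
    record = {
        "signer": signer,
        "reason": reason,
        "place": place,
        "signed_at": signed_at,              # ISO 8601, from the system clock
        "document_sha256": sha256_hex(document),
        "pen_samples": [list(s) for s in pen_samples],
    }
    # The seal covers every field above; changing any of them breaks the MAC.
    record["seal"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_signature_record(document: bytes, record: dict,
                            key: bytes = SEAL_KEY) -> tuple:
    """Return (ok, reason): check the seal first, then the document binding."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("seal", "")):
        return False, "signature record altered (seal mismatch)"
    if sha256_hex(document) != record["document_sha256"]:
        return False, "document changed after signing"
    return True, "ok"


if __name__ == "__main__":
    doc = b"I agree to the terms set out above."
    rec = create_signature_record(doc, SAMPLE_PEN_STROKES, "A. Signer",
                                  "Approval", "Canterbury", "2010-06-20T10:00:00Z")
    print(verify_signature_record(doc, rec))          # (True, 'ok')
    print(verify_signature_record(doc + b" ", rec))   # document changed
    rec["reason"] = "Witness"
    print(verify_signature_record(doc, rec))          # seal mismatch
```

The point of the seal key is that the party who verifies must not be the party who could forge: in a deployment the key would live in the capture system (or a hardware module), not on the signer's machine, and the verifier would have to trust that system.  That residual trust is exactly the gap a certificate-based (PKI) seal on the record is designed to close, which is one reason the two approaches sit well side by side.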

In the discussion offered by Blythe (Dr. Stephen E. Blythe, Richmond Journal of Law & Technology, Vol. XI, issue 2, 2005, “Digital Signature Law of the United Nations, European Union, United Kingdom and United States: Promotion of Growth in E-Commerce with Enhanced Security”) four levels of signature security are described.  While biometrics are assigned to level three in that paper, the CIC SignIt software (and its software development kit, SDK) in fact meets level four, because the patented CIC technology verifies the contents of the message (or document) in every case, and can be configured to verify the source of the message (or document) as well.  Thus the CIC technical approach to biometric signatures is equal, for security, to a PKI solution. 

Biometrics (best for people) and PKI (best for computers)
In passing, also note that, for a variety of reasons, biometric signatures have a valid place alongside PKI signatures. 
A PKI signature depends on a private key which, in principle, an attacker with enough computing power could recover; certificates are therefore issued with a limited validity period set by the issuing authority (typically one to three years for a personal signing certificate, sometimes much less) to bound the damage from an undetected key compromise, and must be renewed when they expire.  PKI signatures also rely on a network of “trusted providers” (certificate authorities) from whom replacement certificates must be bought.  Finally, a private key is not memorable, so it must be stored on a computer (or a smart card) and unlocked with a password; a key on a stolen laptop, protected only by a weak password, is far easier to find and use than one recovered by cryptanalysis.  To summarize, PKI signatures work well for computer-to-computer interactions.  They do not work so well as signatures for people to add to a document. 
The benefits which PKI is seen to provide are: 

  • The message contents are verified 
  • The message source is verified (if required)   
  • Third party, forensically testable components are used 
  • Keys (pairs of large numbers) are easily read and managed by computers 
  • Key validity (expiry and revocation status) can be assessed from the key providers (certificate authorities) 

Biometric signatures rely on the ordinary act of signing, which all of us are used to seeing, doing and accepting.  Biometric signatures ask each person to use their normal signature.  (In practice, it may be modified slightly to make it more suitable for the computer algorithms: more points where the pen is lifted; a slightly longer signature, including a middle name, for people whose present signature is very short; perhaps a flourish to add complexity.)  A biometric signature cannot be stolen in the way a key file can, because it exists only in the act of signing; the captured signature record is data, however, and must itself be protected against copying and replay, which is why its binding to the document matters.  (A signature stamp, by contrast, can be stolen along with a laptop and its password.)  Biometric signatures are much more difficult to forge than pen and ink signatures.  In short, biometric signatures are best used when people are signing documents. 
The CIC biometric signatures provide equal (or better) security to PKI: 

  • The message contents are verified 
  • The message source is verified (if required)
  • Third party, forensically testable components are used (CIC signature plug-ins and macros)  
  • Handwritten signatures are easily read and managed by people, and easily stored in computers 
  • Signature validity can be assessed from a database (signature record) 

EU and UK Law 
The EU E-Commerce Directive 2000 (2000/31/EC) and E-Signatures Directive 1999 (1999/93/EC), as implemented in the UK by the Electronic Communications Act 2000 and the Electronic Signatures Regulations 2002, encourage free e-commerce among EU member states, and provide that electronic signatures are admissible in legal proceedings and may not be denied legal effect solely because they are in electronic form; advanced e-signatures that are based on a qualified certificate and created by a secure signature-creation device are additionally treated as equivalent to handwritten signatures. 
The elements of an advanced e-signature are: 

  • A unique link to the signatory (the handwritten signature, especially if stored in a database) 
  • Able to identify the signatory (the signature includes the name (and role, if required) of the person) 
  • Created under the sole control of the signatory (a handwritten signature, or even a stamp released by a unique personal password, meets this criterion) 
  • Linked to the document so that any change in the document is detected (CIC software routinely does this) 

Therefore CIC biometric signatures are “advanced e-signatures” within the meaning of EU and UK law.  This means that biometric signatures are admissible under UK law. 

However, note that admissible is not the same as “effective”;  the value as proof or evidence of a signature (and of the document that the signature attests and the ceremony by which the signature was attached) is decided by courts on a case by case basis. 

These issues are addressed by Prof. Chris Reed (JILT 2000 (3), “What is a Signature?”).  In particular, he notes that “there is a long history of judicial recognition of new forms of signature”.  These forms include, without limitation, rubber stamps, printed signatures (e.g. on bank notes), initials, marks, seals, images of signatures, and “pp” signatures.  Prof. Reed specifically quotes Goodman v. J Eban, where the Court of Appeal decided that a rubber stamp signature was valid.  Much of the court’s wording would apply, mutatis mutandis, to a biometric signature on a digital document.  Prof. Reed concludes that a signature is a process.  It is exactly this process (the signing ceremony) that the CIC SignIt software collects, encodes and displays. 

Similar conclusions are reached by Christina Spyrelli (JILT 2002 (2), “Electronic Signatures:  A Transatlantic Bridge?  An EU and US Legal Approach Towards Electronic Authentication”). 

A blog post from Adobe (John B. Harris, 30 May 2008, http://blogs.adobe.com, ‘“This is legal, right?” – Electronic Signatures & the Law’) states that there is no specific US case law relating to electronic signatures, whether PKI or biometric.  This is probably true for European law as well. 

A partial solution to the problem of absent case law would be to get one or more law schools to hold moot courts around the subject of electronic (and specifically biometric) signatures.  While not binding, this would ensure that the legal issues were properly explored and published. 

In a thoughtful article, Gavin Jones (Hertfordshire Law Journal 1(1), 101-106, 2003, “Failings in the Treatment of Electronic Signatures”) identifies the properties (each answering a risk) that a valid signature must provide: 

  • Privacy 
  • Authentication 
  • Integrity 
  • Non-repudiation  (from origin to receipt) 
  • Authorization 
  • Audit 

All of these are provided with CIC’s SignIt signature tools. 
It is therefore likely that any document, correctly signed with the CIC SignIt software, would be admissible and effective in a UK or EU Court. 

Copyright 1998 - 2010 Audata Ltd. All rights reserved.
Audata Ltd, 30 Salisbury Road, Canterbury, Kent, CT2 7HH, UK
Tel: +44(0)203 303 0354 Email: info@audata.co.uk
Audata Ltd. is registered in England, number 355 1839.