Validity of E-signatures in India

Recently I received an email from one of our prospective clients asking us to execute (sign) a non-disclosure agreement, which came as an attachment to the mail, by just sending a “yes, I agree” reply to the email. We felt this approach was an oversimplification of the due process of execution, and that a mere mail confirmation is not a foolproof mechanism for either party to prove a contractual obligation. It also raises certain fundamental questions: Is this approach acceptable to an organization from a compliance (and subsequent audit) perspective? Most importantly, is a simple mail confirmation a valid way to execute a legal document under the applicable laws in India? Is it equivalent to an Electronic Signature?

Many countries, including the US, Canada and the EU, have passed legislation permitting the use of an electronic mode of executing documents. In India too, the IT Act 2008 has introduced a few additional provisions in the IT Act 2000 in this direction. As per the amended provision, a contract will not become unenforceable merely because an electronic mode is used to express an offer and its acceptance. This modified provision gives greater acceptance to electronic contracts. The significant change in the IT Act 2008 is the replacement of the term “Digital Signatures” with “Electronic Signatures” in almost all the provisions of the Act. Apparently, this has led to confusion, and many have misinterpreted the term “Electronic Signature” to mean any form of authentication, including a “Click Wrap” acceptance.

What is an Electronic Signature and how is it different from Digital Signature?

Many of us quite often use these terms interchangeably. But “Electronic Signature” is a very wide term, and “Digital Signature” is only one of the many kinds of electronic signatures. As per the definition in the IT Act, “Electronic signature” means authentication of any electronic record by a subscriber by means of the electronic technique specified in the IT Act, and it includes digital signature.

For an electronic mode of signature to be valid, it should comply with the following conditions prescribed by the IT Act:

(a) it should create “Signature Creation Data” that is linked to the signatory and not to any other person.

(b) such data should be under the control of the signatory and nobody else at the time of signing.

(c) any alteration to the electronic signature made after affixing such signature should be detectable.

These criteria correspond to the use of the private key in the encryption of the hash value in the current system of digital signature. For the purpose of understanding, a hash function is an algorithm that maps one sequence of bits into another, known as the hash result, such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record. A “Digital signature” is one of the modes of Electronic Signature, in which any person can verify the electronic record by use of a public key. The private key and public key are unique to the subscriber and constitute a functioning key pair.
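The three conditions above can be seen at work in a hash-then-sign scheme. The following Python code is an added example, not part of the original article: it uses textbook RSA with a constructed demo key (two Mersenne primes, no padding, not secure) and a constructed NDA text, and the function names are illustrative.

```python
import hashlib

# Constructed demo key pair: two Mersenne primes, so n is trivially factorable.
# Illustration only; real signing uses a vetted library and a padded scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key (n, e), known to any verifier
D = pow(E, -1, (P - 1) * (Q - 1))      # private key: the "signature creation data"

def hash_record(record: bytes) -> int:
    """The same electronic record always yields the same hash result."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")

def sign(record: bytes, d: int = D, n: int = N) -> int:
    """Only the holder of d can produce this value (conditions a and b)."""
    return pow(hash_record(record), d, n)

def verify(record: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Any person holding the public key can check the record (condition c)."""
    return 0 <= signature < n and pow(signature, e, n) == hash_record(record)

def demo() -> dict:
    # Constructed sample record standing in for the NDA attachment.
    nda = b"NDA v1: Recipient shall keep Confidential Information secret for 3 years."
    sig = sign(nda)
    altered_nda = nda.replace(b"3 years", b"1 year")
    return {
        "original": verify(nda, sig),
        "altered_record": verify(altered_nda, sig),    # edit after signing is detected
        "altered_signature": verify(nda, sig ^ 1),     # tampered signature is detected
        "hash_repeatable": hash_record(nda) == hash_record(nda),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

A plain “yes, I agree” reply carries no value comparable to `sig`: nothing in it is derived from data held only by the signatory, and nothing ties it to the exact bytes of the attachment.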

At present, a public key infrastructure (PKI) based digital signature system is the only mode of Electronic Signature that satisfies the legal requirements in India. Hence the possibility of any other system being considered an “Electronic Signature” in replacement of digital signature is very remote. Other applicable provisions of law in India have also been amended to be in line with the above changes. As per the new definition in the Indian Evidence Act, evidence means “all documents including electronic records produced for the inspection of the Court”. Similarly, Section 464 of the Indian Penal Code deals with situations in which a person is said to make a false document or electronic record, and Section 466 deals with forging of electronic records.

Conclusion:

For any authentication system to be considered an “Electronic Signature”, there must be some data exclusively under the control of the signer, and there should be a mechanism to identify any change of data after the signature is affixed. If any person is under the illusion that a confirmation over email is equivalent to an Electronic Signature, they are of course mistaken.