THE “eCommerce Act of 2000” (Republic Act 8792) established the functional equivalency and legal acceptability of digital documents vis-à-vis the physical ones. It was designed to spur the use of electronic transactions or e-commerce.
It also introduced the term “electronic signatures” and as the definition goes, “refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person and attached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document.”
The challenge with this is that basically any “electronic mark” would qualify as an electronic signature: a scanned signature image, a picture or anything that the user associates with the electronic document. This is fine for functionality purposes, but in reality, it does not meet the real-world requirements of electronic transactions, which are authenticity, privacy, authority, integrity and non-repudiation. A scanned signature can be copied from one document and pasted onto another, and nothing in the image reveals whether the document was changed after it was “signed.” This issue was the subject of one of our meetings of the ecommerce subcommittee of the Supreme Court when we were deliberating the rules on electronic evidence. Even as the eCommerce Act was trying to avoid any specific technology (as it should), reality dictated that at that time, the only available technology that answered all of these requirements was PKI (public key infrastructure). PKI is the system that binds a public key to an entity (a device or person) through a digital certificate issued by a certification authority, so that a “digital signature” made with the matching private key can be attributed to that entity and no one else. To make electronic transactions work, especially for contracts and agreements, a specific, unique and secure form of electronic signature has to be in place: one that is permanently bound to the entity and is vouched for by a trusted third party, that is, the digital signature whose verification key is certified by a competent and trusted certification authority or CA.
I have been espousing the use of digital signatures and the underlying infrastructure that delivers them for more than two decades now, and to date, the digital signature is still the only technology suited for the job.
Sadly, the use of digital signatures has been confined mainly to public web servers, where the certificate serves to authenticate the server and set up encrypted communications (HTTPS over SSL/TLS) with its clients. It is unfortunate because PKI/digital signatures can do more! With PKI, you can explicitly and accurately identify any person or device, secure communications, encrypt data and, most of all, provide for non-repudiation (the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated).
It is not as easy as it sounds. You do not just run some software, issue digital certificates and call it done. There are standards, procedures, protocols and systems that have to be followed when an entity is to become a certification authority, and the requirements are very rigorous, spanning governance, policy, processes and even detailed technical specifications: a published certificate policy and certification practice statement, verification of the identity of every applicant before a certificate is issued, protection of the CA’s own signing key in dedicated hardware, and a way to revoke certificates whose private keys have been lost or stolen. Thankfully, there are already well-established and capable entities that do this.
As a matter of fact, whether due to the pandemic that forced literally everybody to work remotely or the realization that passwords are the true vulnerability in today’s information security incidents, PKI has experienced quite a resurgence lately. In my humble opinion, the time has arrived for PKI and, consequently, for the digital certificates on which digital signatures depend.
Unlike the other parameters in computers and computer systems, which can be spoofed, a certificate-based identity rests on a key pair: a private key, which never leaves your hands, and a public key, which is distributed to the rest of the world and which the digital certificate binds to your name. Only the holder of the private key can produce a signature that the public key verifies, and anyone can encrypt to the public key a message that only the private key can open. That not only guarantees authenticity and privacy but creates the trust that is essential to any type of electronic transaction. The one caveat is that non-repudiation is only as strong as the custody of the private key, which is why it belongs in a smart card or similar token that can use the key but never export it.
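To make the distinction between an “electronic mark” and a digital signature concrete, here is an added example (not part of this column, and not code from any CA or the Philippine National PKI) using only Go’s standard library. A stand-in root CA (“Example Root CA”, a made-up name) certifies the public key of a hypothetical signer, “Juan dela Cruz”, who then signs a constructed sample contract. The relying party checks two things: that the certificate chains to the CA it trusts (the key really belongs to the named person) and that the signature matches the document under that key (nothing was altered). It then shows what an image of a signature can never show: a one-character change to the contract is detected, and an impostor who uses the same name with a certificate from a CA nobody trusts is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signed carries the document, the signer's CA-issued certificate and the signature.
type Signed struct {
	Document  []byte
	CertDER   []byte // DER certificate the CA issued to the signer
	Signature []byte // Ed25519 signature over SHA-256(Document)
}

// NewCA creates a self-signed root and its private key, standing in for a
// trusted certification authority ("Example Root CA" is a made-up name).
func NewCA() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, priv, err
}

// Issue generates the subject's key pair and has the CA certify the public key under
// the subject's name. Only the public key reaches the CA; the private key never leaves the subject.
func Issue(ca *x509.Certificate, caKey ed25519.PrivateKey, name string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:   pkix.Name{CommonName: name}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	return der, priv, err
}

// Sign hashes the document and signs the digest with the signer's private key.
func Sign(doc, certDER []byte, priv ed25519.PrivateKey) Signed {
	digest := sha256.Sum256(doc)
	return Signed{Document: doc, CertDER: certDER, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify makes the two checks that turn a signature into evidence: the certificate must chain
// to the trusted CA, and the signature must match the document under that certified key.
func Verify(s Signed, trustedCA *x509.Certificate) (string, error) {
	cert, err := x509.ParseCertificate(s.CertDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not vouched for by the trusted CA: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type in certificate")
	}
	digest := sha256.Sum256(s.Document)
	if !ed25519.Verify(pub, digest[:], s.Signature) {
		return "", fmt.Errorf("signature does not match document: tampered or wrong key")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := NewCA()
	certDER, priv, _ := Issue(ca, caKey, "Juan dela Cruz") // hypothetical signer
	contract := []byte("Seller delivers 100 units at PHP 500 each.") // constructed sample
	signed := Sign(contract, certDER, priv)
	fmt.Println(Verify(signed, ca)) // Juan dela Cruz <nil>
	tampered := signed
	tampered.Document = []byte("Seller delivers 100 units at PHP 50 each.")
	fmt.Println(Verify(tampered, ca)) // "" signature does not match document ...
	fakeCA, fakeKey, _ := NewCA() // impostor: same name, but a CA nobody trusts
	fakeDER, fakePriv, _ := Issue(fakeCA, fakeKey, "Juan dela Cruz")
	fmt.Println(Verify(Sign(contract, fakeDER, fakePriv), ca)) // "" certificate not vouched for ...
}
```

Note what the impostor case shows: the name on the certificate is not what the relying party trusts; the CA’s signature over that name and public key is. Anyone can type “Juan dela Cruz” into a certificate of their own making, just as anyone can paste a scanned signature, but only a certificate from a CA in the relying party’s trust store, paired with a signature from the one private key that matches it, passes both checks. A real deployment would add certificate revocation checking and keep the private key on a smart card or token; those are omitted here for brevity.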
I am probably one of the few people who drank in celebration of the news that the country, through the Department of Information and Communications Technology, finally announced the opening of the Philippine National PKI. As I have also been a participant and contributor in the early incarnations of the national government’s initiative to adopt PKI, starting from the first PKI grant of the Korean Information Security Agency to the then-National Computer Center, you can just imagine the relief (and nostalgia) that came with it.
It is for the same reason that I was frustrated to learn that the soon-to-be-rolled-out national ID would not have digital certificates, or a smart chip for that matter. With a smart chip, I was thinking, at least we would have a storage location for a digital certificate or any other important data in the future. In my own opinion, despite what the purveyors would say, it is still going to be just another card to carry.
The bottom line is that, without a solid, reliable and reputable electronic signature (the PKI/digital certificate/digital signature that provides the essential functions of authenticity, privacy, authority, integrity and non-repudiation), and despite all the pronouncements in public, any form of identification is still going to be just another card that takes up space in my wallet.