- eSign is effective, compliant, easy to use and saves a lot of time & effort. But what exactly is a valid electronic signature in India?
- In this post, we examine a few frequently asked questions about the technical framework and legal validity of eSign in India.
eSign, or an electronic signature, is a legally recognised and enforceable method of digitally signing agreements, forms and other documents. eSigns have helped to do away with the need for physical signatures, enabling people and businesses to enter into agreements with parties located far away in a matter of seconds.
Types of eSigns
eSign types in India can be classified into 2 different categories:
Commonly used Tier 1 eSign types (IT Act recognised 'electronic signatures') are:
- Aadhaar eSign
An eSign which uses Aadhaar credentials to verify the signer’s identity, and can be used remotely without the need for any separate physical device. All you need is a mobile or a computer. A number of regulated entities work behind the scenes to help make this possible and ensure that the eSign is safe, verifiable and secure.
- DSC Tokens
DSC Tokens, available in the form of USB devices, can be procured from certain regulated entities after performing an eKYC check with them. Once your identity is authenticated, you are issued a DSC Token secured with a password which is known only to you. The DSC Token has to be inserted into a computer to digitally sign any document.
Commonly used Tier 2 eSign types include:
- Virtual Signatures
Virtual Signatures are nothing but an electronic representation of one’s physical wet-ink signature. Service providers across the world let you affix such signatures to electronic agreements. Users are usually provided an option to either draw their signature electronically or choose from a computer-generated template of their name, which can be placed anywhere on the electronic agreement as per the user’s choice.
- Clickwrap contracts
A clickwrap contract is an online contract in which the user signifies their consent to be bound by the terms of the contract by clicking a button – usually a “Yes / No” or an “I agree / I disagree” button.
- Email exchange
Commercial contracts are often entered into through an exchange of emails. The Supreme Court has also, in various judgements, accepted and reinforced the freedom that parties have to choose any method of electronic execution for entering into eContracts. In Trimex International FZE, Dubai v. Vedanta Aluminum Limited, (2010) 3 SCC 1, the Supreme Court upheld the validity of a contract entered into via an exchange of emails.
Are eSigns secure?
Any signature, be it physical or electronic, is supposed to ensure 3 things:
The identity of the parties signing the document should be clear
The document cannot be changed unilaterally once the signature has been affixed
The parties cannot deny their acceptance of the terms and conditions of a document at a later stage
Tier 1 eSigns such as Aadhaar eSign and DSC Tokens rely on a combination of asymmetric cryptography and a hash function. To understand how electronic signatures perform the 3 functions of a signature much better than any other form of execution, we need to understand these 2 terms.
The Explanation to Section 3(2) of the IT Act details what exactly a hash function is:
A hash function is, essentially, an algorithm that creates an alphanumeric “representation” of an electronic record - known as a hash result. Every time the hash function is run on a specific document - the same hash result will be generated. Just like your fingerprint “represents” you in a unique way, a hash result is a unique alphanumeric code that represents an electronic record.
There are 2 immutable characteristics that arise from a hashing function:
(a) It is computationally infeasible to reconstruct the electronic record from the hash result
(b) It is computationally infeasible for two different electronic records to produce the same hash result
Asymmetric Cryptographic System
An asymmetric crypto system is a system of encryption and decryption that is performed through a secure key pair.
A secure key pair consists of two keys:
(a) PRIVATE KEY - A function which encrypts a piece of information. A private key is confidential - it is known to, and controlled by, only the owner of the secure key pair.
(b) PUBLIC KEY - A function which decrypts the piece of information encrypted by the private key. Unlike a private key, the public key is public - it is known and controllable by anyone.
A key doesn’t mean a physical key. Instead, a key - in crypto parlance - refers to a code that is used to perform an encryption or decryption function.
The keys in a key pair are inextricably linked. A private and public key in a secure key pair only work with each other and no other keys. So if, in a key pair, a private key encrypts a piece of information, this information can ONLY be decrypted by its corresponding public key. Similarly, a public key CAN ONLY be used to decrypt information that is encrypted by its corresponding private key.
The secure key pair establishes the identity of the signer. How, you ask? Countries around the world have set up neutral, heavily regulated authorities known as Certifying Authorities. These Certifying Authorities first conduct a KYC to establish the identity of the signer. Upon successfully verifying the identity they issue a secure key pair to the signer which is unique to her.
Through the interplay between the hash function and the asymmetric crypto system, electronic signatures ensure that:
(1) Identity of the signer is established (Authentication function)
(2) The eSigned document has not been tampered with (Integrity function)
(3) The parties cannot deny their acceptance of the terms and conditions of a document (Non-repudiation).
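The hash-then-sign flow described above, as an added example that is not part of the original post: the document's hash result is transformed with the private key, and anyone holding the public key can check it against a freshly computed hash. It assumes unpadded textbook RSA with constructed toy key material (Mersenne primes) and a constructed sample agreement; certified signing systems use vetted libraries, padded signature schemes and hardware-protected keys.

```python
import hashlib

# Constructed toy key material: Mersenne primes chosen for readability only.
E = 65537  # public exponent

def make_key_pair(p, q):
    """Return ((n, e) public key, (n, d) private key) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, held only by the signer
    return (n, E), (n, d)

def hash_result(document: bytes) -> int:
    """SHA-256 hash result of the electronic record, as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> int:
    """Signer side: apply the private key to the document's hash result."""
    n, d = private_key
    return pow(hash_result(document), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Verifier side: undo the signature with the public key and compare
    it with a hash result computed independently from the document."""
    n, e = public_key
    return pow(signature, e, n) == hash_result(document)

SIGNER_PUB, SIGNER_PRIV = make_key_pair(2**521 - 1, 2**607 - 1)
OTHER_PUB, _ = make_key_pair(2**521 - 1, 2**1279 - 1)  # someone else's key pair

AGREEMENT = b"Lessee shall pay INR 25,000 per month."  # constructed sample
TAMPERED = b"Lessee shall pay INR 20,000 per month."   # one digit changed
SIGNATURE = sign(AGREEMENT, SIGNER_PRIV)

def demo():
    return {
        # Authentication and non-repudiation: only the signer's private key
        # produces a value that the signer's public key accepts.
        "authentic": verify(AGREEMENT, SIGNATURE, SIGNER_PUB),
        # Integrity: any change to the record changes its hash result.
        "tampered_document": verify(TAMPERED, SIGNATURE, SIGNER_PUB),
        "wrong_public_key": verify(AGREEMENT, SIGNATURE, OTHER_PUB),
        "altered_signature": verify(AGREEMENT, SIGNATURE ^ 1, SIGNER_PUB),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```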
For a more detailed analysis of everything that takes place behind-the-scenes to help make an electronic signature happen, please read chapter 3 of our Laws of eSign book.
In this section so far we have only discussed Tier 1 eSigns. What about Tier 2 eSign types such as virtual signatures?
Virtual Signatures, by default, do not come with the safeguards of asymmetric cryptography and hashing algorithms that electronic signatures come with. To mitigate this, a new class of Virtual Signatures, known as “Secure Virtual Signatures”, has come up. Unlike normal Virtual Signatures, Secure Virtual Signatures come with ADDITIONAL layers of authentication to eliminate disputability. These additional layers could be capturing the photo and location of the signer, backing each virtual sign with a neutral electronic signature etc.
Is eSign legal in India?
The definitive answer to this question is a resounding YES.
Section 5 of the Information Technology Act, 2000 grants electronic signatures legal validity identical to wet-ink signatures.
That is - an “electronic signature” is seen as legally identical to a wet-ink physical signature - even if its form and design may be different.
What exactly is meant by an “electronic signature” though?
In many global jurisdictions, an electronic signature can be any digital representation of a sign, e.g. a stylus-based representation.
Electronic signatures in India on the other hand are very specifically defined under the IT Act.
As per Section 2(ta) of the IT Act, an electronic signature can only be one of two specific things:
- An electronic technique specified in the Second Schedule of the IT Act (elaborated more in Section 3A and Schedule II of the IT Act)
- A digital signature (elaborated more in Section 3 of the IT Act)
Tier 1 eSign types such as Aadhaar eSign and DSC Tokens that we discussed earlier fall under the category of ‘electronic signatures’ as defined in the IT Act. Documents eSigned using Tier 1 electronic signatures enjoy a number of favourable presumptions under the Evidence Act, 1872 which we will discuss in a subsequent post.
But what about Tier 2 eSign types such as virtual signatures? Are they not a legally valid method of executing documents electronically?
They definitely are. “Electronic signatures” – as defined under Section 3 and Section 3A of the Information Technology Act are NOT the only way to execute electronic records. The IT Act and the Contract Act both allow for another way – or rather ways – to execute documents digitally.
Section 10 of the Indian Contract Act, 1872 (Contract Act) defines a contract:
An essential part of a legally valid contract is that it needs to have been made by the free consent of the parties. While Section 13 defines what consent is, Section 14 of the Contract Act lays down when consent is said to be free.
So the next question that naturally arises is, if the parties are entering into an agreement by their free consent, and they agree to the terms of the contract in the same sense, then how can they convey such consent?
The process for conveying consent to enter into a contract is laid down in Section 3 of the Contract Act:
As per Section 3, parties to a contract can agree on any manner of acceptance - oral, by letter, by email or even WhatsApp. The Contract Act does not restrict the modes of acceptance for a contract. Here a signature is merely an option and not a mandate. That’s why agreements entered into orally are perfectly valid under law as long as parties have given consent in a way that meets the 3 conditions laid down in Section 3. With oral contracts this usually happens through a simple handshake. But since it can be difficult to prove such oral agreements later on in Courts, commercial contracts are mostly (if not always!) entered into by writing down the terms of the contract – either on paper, or in digital form (eContracts).
With the growing dependence on electronic means to reach commercial agreements and to give effect to Article 11 of the UNCITRAL Model Law, the Parliament introduced Section 10A to the IT Act via an amendment in 2008, explicitly recognizing eContracts under Indian law.
Section 10A simply clarifies that Section 3 of the Contract Act applies to electronic execution as well. The wide latitude to choose the method of conveying consent under Section 3 now specifically includes electronic execution within its ambit. Section 10A does this by categorically stating that a contract cannot be denied enforceability just because it was executed electronically. Therefore, any electronic means can be used to execute and enter into a contract as long as the three ingredients of Section 3 are met, i.e., there should be an act or omission, which intends to convey the consent of the party, and has the effect of conveying it.
Let’s come back to Virtual Signatures. Users are usually provided an option to either draw their signature electronically or choose from a computer-generated template of their name, which can be placed anywhere on the electronic agreement as per the user’s choice.
The act of affixing this digital representation of one’s handwritten signature signifies the person’s intention to enter into and be bound by the terms of the contract. Since this signature gets affixed on to the document, it has the effect of communicating the consent to the other parties to the contract. Hence virtual signatures satisfy all the conditions for conveying consent under the Contract Act, and are legally valid means of signing documents.