"Pitfalls" of a simple electronic signature

The reason for writing this article was the numerous discussions that took place between stakeholders in the implementation of projects, including the functionality of a simple electronic signature ( PEP ). The concept of AED turned out to be blurry, the number of interpretations on how to sign AEP documents was multiple to the number of interested parties. The article aims to systematize the solutions used in information systems for signing PEP documents from the point of view of current legislation.

Personal handwritten signature

Historically, in the Russian legislation there is no definition of a personal handwritten signature. This question is versed in a large amount of legal literature, and the generally accepted interpretation of the term “personal handwritten signature” is the following:

Signature is a unique set of characters written by hand with the help of special design techniques (monogram, strokes, strokes) used to determine the legal capacity of an individual.

Legal capacity, according to Article 17 of the Civil Code of the Russian Federation, is understood as the ability of a person to have civil rights and bear responsibilities from the moment of birth until the moment of death. The process of determining legal capacity is called "identification" and occurs through the comparison of a person and a set of unique characteristics or characteristics inherent in this person. The minimum possible set of such characteristics, in accordance with Articles 19 and 20 of the Civil Code of the Russian Federation, includes the name of the person, the name of the person, and the place where the person mainly resides or lives (place of residence). If we go from normative concepts to technical architectural concepts, the identification of a person means the comparison of the external image of a person stored on some memory device, his first name, last name, expressed in a certain sign system and place of residence, expressed in a certain coordinate system. The physical architecture of such a comparison can be very diverse. The memory device can be either the brain or used technical means, for example, paper (drawing, photo) or electronic. Speech (sound system) or writing can be used as a sign system. As a coordinate system can be used geographic coordinate system or regulatory (administrative-territorial division). Thus, summing up all the facts historically inherent in a signature, one can give the following definition of a signature:

A signature is a unique set of characters that allows you to match a person or an external image of a person and a set of features that are unique to this person, in order to monitor the observance of rights or fulfillment of duties defined by a signed document. The minimum set of unique features that allows you to determine the rights and obligations of the individual is the name, surname of the person and his place of residence.

The relationship of the signature with the rights and duties of the individual is almost inseparable. For example, through a signature, in order to confirm the authorship of a document, the rights to this document are acquired, as well as the duty to prevent plagiarism. In a number of cases, rights and obligations are set out in the document itself, for example, in a document certifying transactions. Paraphrasing a well-known aphorism, one can say that: “We speak a signature, we mean rights and obligations, we speak rights and obligations, we mean a signature”. Rights and obligations through a signature are acquired both directly and indirectly, through the signature of another person, in cases stipulated by law. For example, rights and obligations are acquired through the signature of parents, guardians and trustees, through the signature of proxies.

Electronic signature

The regulatory document in which the definition of an electronic signature (ED) is provided is Federal Law "No. 63 of April 6, 2011" On Electronic Signature "(hereinafter FZ-63). Article 2 FZ-63 defines the concept in question as follows:

Electronic signature - information in electronic form that is attached to other information in electronic form (signed information) or otherwise associated with such information and which is used to determine the person signing the information.

It follows from this definition, and in Article 6 of the Federal Law-63 it is normatively fixed that the EA is an analogue of a personal handwritten signature, since the main purpose of both types of signatures is to identify the person who signs the information. Personal identification is a very important moment for the legal significance of an EDS. None of the types of electronic signature provides a complete guarantee of reliable identification of a person, but in the case of an unqualified and qualified electronic signature, the person personally visits a special institution - the Certification Authority (CA), accredited by the state and authorized to issue (replace) the digital signature. In the case of the PEP, the mandatory nature of reliable personal identification when issuing (replacing) an ES is often forgotten or the method of determining a person causes many disputes in technical implementation. FL-63, Article 5, paragraph 2, emphasizing the importance of personal identification, gives the following definition of a simple electronic signature:

A simple electronic signature is an electronic signature that, through the use of codes, passwords or other means, confirms the fact that an electronic signature has been generated by a certain person.

Code, passwords or other means that are elements of the probe , have a generic name - keys probe . PEP keys may have public and confidential parts. For example, when using a personal electronic mailbox identity identification in a technical solution, the mailbox address will be the public part of the key, and the password to it will be the private, confidential part. FZ-63 obliges to strictly observe the confidentiality of non-public PEP keys, since compromise leads to a loss of legal significance.

Returning to the definition of the signature, which was given in the previous paragraphs, we can expand the definition of AED , revealing the meaning of the term “a certain person”:

A simple electronic signature is an electronic signature that, through the use of codes, passwords or other means, establishes the connection of the person signing the information with a set of features inherent only to that person in order to monitor compliance with the rights or fulfill the duties defined by the signed document. The minimum set of unique features that allows you to determine the rights and obligations of the individual is the name, surname of the person and his place of residence.

The main and practically the only way of legal comparison of a person with a set of features inherent in this person is the presentation of the original identification document, which is the identity card issued by the state bodies (UL). The identity card contains a photo, a surname and a name, and also an indication of the place of residence, i.e. all the required set of features established by law for identification. The rules for issuing such a certificate always prescribe it to be received personally by the owner and no one else, and this fact is legally significant: at the time of issuing the certificate, a connection was established between the person, his photo, his first and last name, and his place of residence. Consequently, the task of giving the PEP legal significance comes down to the task of determining the connection between the state UL and the PEP keys. FL-63, in article 9, paragraph 2, emphasizes the importance of defining such a bond, obliging to prescribe the rules for determining the person signing the electronic document in agreements on the recognition of electronic documents.

"Pitfalls" of a simple electronic signature

All information systems (IS) can be divided into public and private, considering the circle of users who have the ability to create or send electronic documents. If, for access to the IP, a person is obliged to go through the procedure of checking the original UL , then such an IP will be closed, which is accessed by a strictly defined circle of persons. An IP, access to which has an indefinite number of persons who have not passed the verification procedure of the UL , will be public. All corporate IS is a closed IP, since the person who got access to it went through the workplace registration procedure with the presentation of documents and the conclusion of an employment contract.

Let us consider the main ways of signing PEP documents that have developed in the Russian realities.

The first way is to conclude an agreement that the parties recognize documents sent from the electronic mailbox, signed by EGP . In this case, the public key is the e-mail address, the confidential key is the password to the e-mail box. Legally significant such probe will be subject to the following conditions:

1. Mail service is closed, i.e. access to it has a strictly defined circle of persons who have passed the procedure for verifying the original ID;
2. The PEP public key is contained in the document to be transmitted (FL-63, Article 9, paragraph 1);
3. The mailbox password is strictly confidential, known only to a single, specific person who has passed the verification procedure of the UL original before receiving the password ( PEP key) and this is fixed in the agreement (FZ-63, article 9, item 2);

When using corporate e-mail, all these conditions are usually met, since corporate mail belongs to the closed IP, the address of the sender's mailbox is contained in the transmitted message, the password to the corporate personal mailbox is known only to a strictly defined person. In contrast, the use of public postal services that provide e-mail services to an indefinite number of persons levels out the legal significance of such an IEP.

The second way to sign PEP documents is to conclude an agreement that the document created in some information system is signed by the user of the account. Here, the login to the account serves as the public part of the key, the account password is the confidential. The method has been very widespread and the most diverse application. This PEP is used by various Internet services, including Internet banks, many participants of the stock market, this method is used on the federal and regional portals of public services. In addition, this method is used internally to impart legal responsibility to the performers when setting targets in the corporate control system of executive discipline. The transfer of task statuses in such a system means the signing by the PEP of its obligations to fulfill the task and penalties for their non-fulfillment, if it is agreed in the employment contract. Such PEP will be legally significant under the following conditions:

1. The agreement establishes an unambiguous and non-interpretable connection of the public part of the key PEP (login) with the account user's UL ;
2. The closed part of the key PEP is strictly confidential and this is fixed in the agreement;

Based on these conditions, it follows the method of obtaining the login and password of the account. Obligatory, explicitly or implicitly, upon receipt of the login / password, there must be a procedure for checking the UL original. The easiest way to verify the original UL is to oblige the future IP user to make a personal visit to an authorized institution and present the original UL . So do all government organizations and most banking institutions. You can get an account in the state unified identification and authentication system (ESIA) only by a personal visit to an authorized institution, be it the Certification Authority, the Rostelecom Center, the Multifunctional Center (MFC) or the Post of Russia. As a login, the SNILS is used, which has an unambiguous connection with a person and his UL . The introduction of authentication functionality in its IP, through integration with the ESIA , actually means the issuance of a legally significant PEP to the user, since all legal requirements are complied with. But the remote issuance of the username / password of the account, without a personal visit, so that the username / password receives the status of a legally significant PEP , presents certain difficulties. There is no easy way to verify the data that the user remotely enters when registering with the IC for accuracy.
')
The remote identification infrastructure in our country is still in its infancy and, in fact, only ESIA solves this problem. If there is no integration with the ESIA or integration with the state information system of interdepartmental electronic interaction (SMEV), the electronic services of which allow to compare the SNILS or the serial number of the passport with the name and surname, then it is rather difficult to obtain legally significant PEP . One of the possible technical solutions is the complication of the PEP signing procedure with an additional confirmation code sent to the mailbox located on the closed service. In this case, as discussed above in the description of the first method of signing the PEP , such PEP keys appear as the address of the closed mailbox and the confidential password to it. A full PEP will consist of five keys: account login, account password, confirmation code, mailbox address, mailbox password, where two keys - the account password and the mailbox password - are confidential. The connection of the probe with the original UL goes through the procedure of receiving the address and password to the mailbox in a closed service. All these points are better to register in the agreement, as required by the Federal Law-63.

Recently, a confirmation code sent as an SMS to a phone number has been used as the key to the PEP . It is necessary to understand that the key PES , in this case, is not so much a code, namely a telephone number, as one of the signs belonging to a certain person. The legal significance of this method of signing the probe is strongly dependent on which of the keys establishes a connection with the original STR . If, in addition to the phone number, there is also a key in which such a link is fixed, then adding another key simply creates a variant of some enhanced PEP . If it is implied that it is the telephone number that establishes such a connection, then the legal significance of the AED depends strongly on the method of establishing the connection. Remote verification of the telephone number in conjunction with the UL is unrealistic, only a personal visit can guarantee the accuracy of such verification. Considering this moment, the Resolution of the Government of the Russian Federation of August 13, 2016 N 789 was adopted, in which changes were made to the “Rules for using a simple electronic signature when rendering state and municipal services” (hereinafter referred to as the Rules). In clause 4 of the Rules the following condition was added:

In the case of using a mobile radio telephone subscriber device to use a simple electronic signature, the subscriber number of the mobile radio telephone communication device must be confirmed by the user in the appropriate register of the federal state information system “Unified system of identification and authentication in the infrastructure that provides information and technological interaction of information systems used to provide state and municipal electricity services hydrochloric shape.

The rules in paragraph 16 (1) establish the procedure for such confirmation:

When an applicant appears for personal reception, the creation (replacement) and issuance of a key of a simple electronic signature on the basis of a written application is carried out by the key issuing operator upon receiving from the applicant, an individual, a response sent using a mobile radio telephone subscriber device to a request sent by the unified identification system operator authentication in accordance with the requirements established by the Ministry of Communications and Mass Communications of the Russian Federation to the subscriber number of the device Mobile radiotelephone communications specified in the application for issuing a simple electronic signature submitted to the key issuing operator.

The state does not provide for any other method, except for a personal visit to prove the connection between the telephone number and the UL . If the information system is integrated with the ESIA , you can use information about the phone, contained in the ESIA, and this EEP will be legally significant. If there is no possibility to integrate with the ESIA, then, when using the phone number as the sole key to the PEP , the agreement should provide for a method of establishing a connection between the phone number and the UL original in order to give legal significance.

The agreement on the recognition of electronic documents signed by the PEP , which FZ-63 obliges to conclude between the participants of electronic document management, should be considered separately. Above, considering various types of AEDs , we have identified the basic requirements for such an agreement, but the question of the procedure for concluding an agreement is rather debatable, since it is incorrect to sign the AED . The solution of this issue depends on the technical solutions used in a particular IP. Two options are common:

The first option to conclude an agreement is a personal handwritten signature of the parties. This option should be chosen if a personal meeting of the parties is envisaged for issuing the PEP keys (checking the originals of the identity card).

The second option to conclude an agreement is an agreement of accession, according to article 428 of the Civil Code of the Russian Federation. It is convenient for the interaction of citizens with various organizations through the Internet. The option is legally admissible, as FZ-63 does not require identification of the person when concluding an agreement on the recognition of electronic documents signed by the EGP . The public nature of the contract of adherence establishes the fact that the organization recognizes documents signed by any individual using the probe , if the probe of an individual satisfies the conditions listed in the agreement. Reverse recognition, i.e. Recognition by an individual PEP of an employee of an organization is usually not required, since, in the overwhelming majority of cases, organizations sign documents sent to individuals using a qualified electronic signature. This is dictated by the fact that for legal entities, besides the legal significance of the signature, it is also important to ensure that the document remains unchanged after signing.

Epilogue

The infrastructure of public keys, which must be deployed when using an unqualified and qualified electronic signature, is difficult to use in practice for most people whose interests lie outside the sphere of IT. A simple electronic signature is a fairly convenient alternative to the infrastructure of public keys, mainly for individuals, as well as in the internal electronic document flow between employees of the organization. But, as in any process, there are some nuances in the AEP signing procedure. I hope this article will help all interested parties to see these pitfalls, and take them into account in the design of an electronic signature infrastructure.

References to sources:

1. Civil Code of the Russian Federation
2. Federal law "On electronic signature" of 06/04/2011 N 63-FZ
3. Resolution of the Government of the Russian Federation of 25.01.2013 N 33 “On the use of a simple electronic signature in the provision of state and municipal services” (along with the “Rules for the use of a simple electronic signature in the provision of state and municipal services”)