Lexing®, the first international network of lawyers dedicated to technology law, has been created on an initiative of Alain Bensoussan, the founder and managing partner of Alain Bensoussan-Avocats, a law firm headquartered in Paris (France) specialized in IT and new technologies.
Lexing® allows multinationals to benefit from the assistance of seasoned lawyers worldwide with established competence in the field of new technologies in their respective countries. Techniques and businesses are the same in all countries; the only differentiating factor is the law applicable to them.
Based on this observation, Alain Bensoussan has decided to set up a global network built on the same concept he successfully applied to his Parisian law firm to bring together lawyers who each combine unique expertise in technology and industry with a thorough knowledge of law. Leveraging the network, Lexing members are adept at providing clients with a global, tailor-made solution consistent with the legal rules of all countries. Besides their local language, most network members also speak English and French.
With Lexing, Alain Bensoussan-Avocats and the network members serve the needs of international clients or those with international needs. The Lexing network offers the international clients of each member the same high-quality services as they are used to having locally. The Lexing network currently boasts 22 member law firms. Legal news on the members’ respective countries is published on this blog and on the Lexing pages of Twitter, Facebook, LinkedIn and Google+.
Practice Areas:
Expertise & Innovation
Founded in 1978, the Alain Bensoussan-Avocats law firm has acquired, over 35 years, unique expertise in technology law. It comprises a team of tech-savvy lawyers and counsels who take a hands-on approach to law, leveraging their solid skills in technology and industry and their thorough knowledge of the related law, thanks to a continuous watch of changes in technology and law.
The firm offers a complete range of counseling, arbitration and litigation services covering the full spectrum of the technology area: Electronic banking and trading; Intellectual property; Industrial property; Merger & Acquisition; Tax law for digital companies; IT law; Internet law; Privacy and data protection; Electronic procurement; Computer crime; Digital press, media and communications; Electronic marketing; Electronic health; Telecommunications; Digital employment law; Information systems security; Risk & Compliance; Dematerialization; Electronic archives and records; Robot law; Nanotechnology law…
3. Extract from LesEchos.fr – 28 01 2014
Widespread Use of Electronic Signature:
- Mutual banks are increasingly using it in their bank branches
- Objective: streamline the sale of products via multiple channels
29/01/2014 Copyright Lexing 2014 ® Company Confidential
4. OUTLINE
1. State of Play, by Dimitri Mouton, Demaeter
2. Choose the right signature … if possible
3. Deploy without risk … subject to the discretionary assessment of courts
5. 1. State of Play - Dimitri Mouton, Demaeter
1. A dreadful mess…
2. Digital signature 101
3. Trends
6. 1.1 A DREADFUL MESS…
7. PKI
Electronic signature
Authentication
Private key
Public key
Commitment
IGC
RSA
2048 bits
RGS
Certificate
CA
3+ class
2 stars
Presumption of reliability
Tablet
Secured signature
Advanced signature
Qualified certificate
Agreement on evidence
PIN code
Strong authentication
SMS
Identity theft
CRL
Timestamp
OCSP
X.509 V3
Registration authority
CSP
PSCO
RFC 3161
COFRAC
ANSSI
Electronic Signature Policy
PAdES
PDF/A
XAdES
PKCS#7
PKCS#12
French Act of 13 March 2000
French Decree of 30 March 2001
EU Regulation
CMS
Detached signature
java applet
Specific to signatory
Sole control
SSCD
Revocation
SHA256
Delegation
Signature management system
On the fly
OTP
Integrity
Non-repudiation
Guarantee of origin
Traceability
Qualified provider
Probative value
Alice and Bob
8. AND A VARIETY OF USES …
9. Public procurements
B-to-B contracts
Registrations
Social security declarations
Electronic commerce
Consumer agreements in branch
Notary deeds
Electronic minutes
Certificate of conformity
Diplomas
Deeds – Legality control
Deliberations
Public accounting (“Hélios”)
Building work notification
Network and pipelines
Online banking
Administrative formalities
Réseau Privé Virtuel des Avocats
Réseau Privé Virtuel de la Justice
Electronic commercial court
Official deeds
Chartered accountancy
Tachograph
Employment contracts
Attendance sheets
Electronic claim form
Invoices
Bank POA
Electronic certified mail
Electronic voting
10. Types…
• Scanned signature
• Handwritten signature on tablets
• Electronic signature “on the fly”
• Electronic signature: with or without accreditation, with or without legal opinion, with or without stars
11. Components of a digital service
Including electronic signature
13. Electronic signature: hands-on definition
An electronic signature is a signature…
… covering an electronic document.
– Handwritten: ink marks paper
– Electronic: cryptography guarantees a link between the signatory and the document
14. Certificate: What is it for?
• A certificate is an “ID card” issued by a “Certification Authority” (CA) or a “Certificate Service Provider” (CSP)
• It can serve as a tool to:
– authenticate (control access)
– sign (electronic signature, seal, timestamp)
– encrypt (confidentiality)
15. PKI
• PKI (Public Key Infrastructure), also known in French as “Infrastructure à clef publique” (ICP) or “Infrastructure de Gestion de Clefs” (IGC), is a set of technical and human means implemented to issue certificates
• Certification Authority (CA): in charge of the PKI
– Establishes rules (Certification Policy)
– Is responsible for their compliance
• Registration Authority (RA): registers holders
• Certification Operator (CO): operates machines
• Revocation Authority, Validation Authority: perform additional roles.
17. Signature process
• Technical generation:
– Fingerprint (hash) of the document
– Sealing of the fingerprint with the private key
• Additional elements:
– Signatory certificate and related certification chain
– Time-stamping token
– Proof of certificate validity (CRL or OCSP)
18. Verification process
• Technical verification:
– Fingerprint of the document, recomputed
– Fingerprint initially sealed, recovered from the signature
– Comparison between the two values
19. Validity of the certificate
The document has been signed by the certificate holder… but who is he?
• Check the technical validity of the certificate.
– If invalid: WARNING!
• Review the certificate holder:
– If I don’t trust this CA: WARNING!
– If I trust this CA:
• Compare the signature date with the certificate validity dates
• Check the Certificate Revocation List
• Everything is OK if the name on the certificate is the same as the signatory name.
But:
Was the signatory empowered to sign?
Is the signed document correct as to its form? Its substance?
Next step after technical verification: legal verification!
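As an added example (not the deck's own code, nor Demaeter's or Lexing's), the signing and verification steps of slides 17 to 19 in Go using only the standard library: a constructed root CA issues a certificate to a signatory, the document fingerprint is sealed with the private key, and the verifier recomputes the fingerprint, checks that the certificate chains to the trusted CA and was valid on the signing date, consults a revocation list and compares the holder's name with the expected signatory. Assumptions: a plain time value stands in for the RFC 3161 timestamp token, a set of serial numbers stands in for the CRL or OCSP answer, and the CA, the signatory "Alice", the document and the dates are all constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signature is what the signing process produces (a plain time.Time stands in for an RFC 3161 token).
type Signature struct {
	Sealed   []byte            // SHA-256 fingerprint of the document, sealed with the private key
	Signer   *x509.Certificate // signatory certificate; here its chain is Signer -> root CA
	SignedAt time.Time
}

// issueCert builds a certificate for cn signed by parentKey; parent == nil means self-signed (the root CA).
func issueCert(cn string, serial int64, from, to time.Time, isCA bool, key *rsa.PrivateKey,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: from,
		NotAfter: to, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sign is the signing process: hash the document, then seal the hash with the private key.
func sign(doc []byte, key *rsa.PrivateKey, cert *x509.Certificate, at time.Time) (Signature, error) {
	digest := sha256.Sum256(doc)
	sealed, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return Signature{Sealed: sealed, Signer: cert, SignedAt: at}, err
}

// verify runs the technical checks in the deck's order: fingerprint comparison; trusted CA and
// validity on the signing date; revocation (a set of serials stands in for CRL/OCSP); holder name.
func verify(doc []byte, sig Signature, roots *x509.CertPool, revoked map[string]bool, expected string) error {
	digest := sha256.Sum256(doc)                   // recompute the fingerprint ...
	pub := sig.Signer.PublicKey.(*rsa.PublicKey) // (all certificates in this example are RSA)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig.Sealed); err != nil {
		return fmt.Errorf("fingerprint mismatch: %w", err) // ... and compare it with the sealed one
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: sig.SignedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sig.Signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted or not valid on the signing date: %w", err)
	}
	if revoked[sig.Signer.SerialNumber.String()] {
		return fmt.Errorf("certificate %s revoked", sig.Signer.SerialNumber)
	}
	if cn := sig.Signer.Subject.CommonName; cn != expected {
		return fmt.Errorf("certificate holder %q is not %q", cn, expected)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo runs the happy path plus each failure the verification slides warn about;
// it returns scenario name -> verification error (nil when every check passes).
func Demo() map[string]error {
	now := time.Date(2014, 1, 29, 9, 0, 0, 0, time.UTC) // constructed signing date
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ca := must(issueCert("Example CA (constructed)", 1, now.AddDate(-1, 0, 0), now.AddDate(10, 0, 0), true, caKey, nil, nil))
	aliceKey := must(rsa.GenerateKey(rand.Reader, 2048))
	alice := must(issueCert("Alice", 2, now.AddDate(0, -1, 0), now.AddDate(0, 11, 0), false, aliceKey, ca, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	doc := []byte("Loan agreement: Alice borrows 1000 EUR") // constructed document
	sig := must(sign(doc, aliceKey, alice, now))
	late := Signature{Sealed: sig.Sealed, Signer: sig.Signer, SignedAt: now.AddDate(2, 0, 0)} // after cert expiry
	return map[string]error{
		"valid":        verify(doc, sig, roots, nil, "Alice"),
		"tampered":     verify([]byte("Loan agreement: Alice borrows 9000 EUR"), sig, roots, nil, "Alice"),
		"expired":      verify(doc, late, roots, nil, "Alice"),
		"revoked":      verify(doc, sig, roots, map[string]bool{"2": true}, "Alice"),
		"wrong-name":   verify(doc, sig, roots, nil, "Bob"),
		"untrusted-ca": verify(doc, sig, x509.NewCertPool(), nil, "Alice"),
	}
}

func main() { fmt.Println(Demo()) }
```

Each failing scenario in Demo corresponds to one WARNING! on the slides; the legal verification that follows (was the signatory empowered, is the document correct in form and substance) is outside what code can check.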
21. Signature formats
• AdES = Advanced Electronic Signature
• 3 formats:
– PAdES = PDF format
– CAdES = CMS / PKCS#7 format
– XAdES = XML format
• The choice is to be made according to the constraints of the project
• All three formats can carry the same elements
22. Various levels of certificates
• The level of security offered by a certificate depends on:
– the registration procedures
– the token holding the private key (physical/software)
– the commitments of the Certification Authority
• The different levels set by the French General Security Reference System (RGS) correspond to legal realities:
– * : remote registration, software token → “simple” electronic signature
– ** : face-to-face registration, physical token → “secure” electronic signature
– *** : face-to-face registration, secure physical token, qualified certificate → “presumed reliable” electronic signature
23. Trust rules
• Trust means you feel secure
• But trust does not mean you don’t need to be careful!
Diagram: weak chain of trust vs. strong chain of trust
25. “Autonomous” electronic signature
• The signatory purchased a certificate from a CA
• He possesses an electronic signature tool on his workstation
• He autonomously signs on his workstation
26. Electronic signature by applet
• The signatory purchased a certificate from a CA
• The signature tool is included in the service
• The signatory signs on his workstation when using the service
27. “On the fly” electronic signature (1/4)
• The signatory has no certificate and no e-signature tool
• The server displays the contracts and he gives his agreement
28. “On the fly” electronic signature (2/4)
• The server checks the identity of the signatory by sending him a challenge by SMS
29. “On the fly” electronic signature (3/4)
• The server generates a signature key pair
• It generates a certificate in the name of the signatory
• It uses the private key to sign the document
• Then it destroys the private key
30. “On the fly” electronic signature (4/4)
• The document is signed on the server!
• For the next signature, a new certificate will be generated
31. Virtual smart card (1/3)
• The signatory does not need an electronic signature tool
• His certificate is stored on the server in a secure area (HSM)
• The server displays the contract and he gives his agreement
32. Virtual smart card (2/3)
• The server checks the identity of the signatory by sending him a challenge by SMS
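The SMS challenge step shared by the “on the fly” flow (slide 28) and the virtual smart card flow (slide 32) is the moment the server binds the signatory's agreement to a person, so how the server handles the code matters for the probative value of the whole process. As an added example that is not the deck's code, here is a small Go implementation of the server side of that step: the code is stored only as a keyed hash, it expires, it can be used once, wrong guesses are counted, and the comparison is constant-time. The 6-digit format, the time-to-live, the attempt limit, the constructed phone number and the server secret are all assumptions, not values from the slides.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Challenge is the server-side record of one SMS code. Only a keyed hash of the code
// is kept, so a dump of this table does not reveal codes still in flight.
type Challenge struct {
	Phone    string
	CodeMAC  []byte
	Expires  time.Time
	Attempts int
	Used     bool
}

const maxAttempts = 3 // assumption: three wrong guesses burn the challenge

// ChallengeStore holds pending challenges; in a real service this would be a database.
type ChallengeStore struct {
	secret []byte
	byID   map[string]*Challenge
}

func NewChallengeStore(secret []byte) *ChallengeStore {
	return &ChallengeStore{secret: secret, byID: map[string]*Challenge{}}
}

func (s *ChallengeStore) mac(id, code string) []byte {
	m := hmac.New(sha256.New, s.secret)
	m.Write([]byte(id + ":" + code))
	return m.Sum(nil)
}

// Issue creates a fresh 6-digit code for phone, valid for ttl from now. It returns the
// challenge id (kept in the signing session) and the code (handed to the SMS gateway).
func (s *ChallengeStore) Issue(phone string, ttl time.Duration, now time.Time) (id, code string, err error) {
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", "", err
	}
	id, code = hex.EncodeToString(raw), fmt.Sprintf("%06d", n.Int64())
	s.byID[id] = &Challenge{Phone: phone, CodeMAC: s.mac(id, code), Expires: now.Add(ttl)}
	return id, code, nil
}

// Verify checks the code the signatory typed back. It fails closed on an unknown id,
// reuse, expiry or too many attempts, counts the attempt before comparing, and
// compares in constant time so a wrong guess leaks nothing through timing.
func (s *ChallengeStore) Verify(id, code string, now time.Time) error {
	c, ok := s.byID[id]
	switch {
	case !ok:
		return errors.New("unknown challenge")
	case c.Used:
		return errors.New("challenge already used")
	case now.After(c.Expires):
		return errors.New("challenge expired")
	case c.Attempts >= maxAttempts:
		return errors.New("too many attempts")
	}
	c.Attempts++
	if !hmac.Equal(c.CodeMAC, s.mac(id, code)) {
		return errors.New("wrong code")
	}
	c.Used = true // one challenge authorizes exactly one signature
	return nil
}

func main() {
	s := NewChallengeStore([]byte("constructed-server-secret"))
	now := time.Now()
	id, code, _ := s.Issue("+33 6 00 00 00 00", 5*time.Minute, now) // constructed number
	wrong := "000000"
	if code == wrong {
		wrong = "999999"
	}
	fmt.Println("wrong code:", s.Verify(id, wrong, now))
	fmt.Println("right code:", s.Verify(id, code, now))
	fmt.Println("replayed:  ", s.Verify(id, code, now))
}
```

Whichever flow follows (a key pair generated and destroyed per signature, or a persistent key held in an HSM), the server should only reach the signing step after Verify returns nil, and the challenge id, phone number and time of the successful check belong in the evidence record the later slides describe.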
33. Virtual smart card (3/3)
• The document is signed on the server!
• For the next signature, the same certificate will be used
34. Signature on a tablet
• Clients see the contract when in the bank branch or in store
• They affix their handwritten signature on the tablet
• An electronic signature is generated “on the fly” in addition to the handwritten signature
35. Electronic seal
• Documents are produced via an automated process and sent to the server
• The server has a certificate in the name of the legal entity
• The electronic seal is an “electronic signature” of the legal entity
• It can be affixed automatically
36. THE Trend …: “rematerialization”
Illustration: an invoice from XYZ (first name, last name, address, “Services … €123”) serving as a proof of domicile, whose key data is condensed into the string “First name Last name Address XYZ €123”.
37. Exploitation of the 2D-DOC code
Illustration: the same invoice carries a 2D-DOC code encoding “First name Last name Address XYZ €123”, which can be checked by technical verification and by visual verification.
38. 2. How to choose the electronic signature?
1. Regulation on digital process
2. Absence of choice
3. Choice
39. 2.1 REGULATION ON DIGITAL PROCESS
40. Prerequisites: Regulation
Timeline (“paper unless …” → electronic law):
• Before 2000: paper required unless … agreement on evidence
• Law of 13 March 2000 (e-signature/e-evidence)
• Law of 21 June 2004 (LCEN)
• Order of 8 December 2005 (e-government)
• Law of 4 August 2008 (modernization of economy)
Other labels on the slide: right to create electronic documents; obligation to process electronic documents; agreement on evidence (ad probationem); French State required to receive electronic invoices (ad validitatem).
41. Yes, it is possible, but … 3 scenarios
• Prefilled, e.g. pay slip or declaration of interest
• Imposed, e.g. electronic certified mail
• Free … for the moment
42. And even if it is possible …
“Art. 1316-4 of Civil Code is not everything…”
“Whereas the employer complains that the judgment found that the dismissal was unfair, whereas according to the ground of appeal, if a party contests the authenticity of an email, it is up to the judge to determine whether the conditions laid down in articles 1316-1 and 1316-4 of the Civil Code for the validity of an electronic document or signature are met;
Whereas by asserting that the manager of AGL Finances “is the author and the sender” of an email whose authenticity was contested, on the grounds that the employer [did] not prove that the sender’s address mentioned on the email is wrong or that the company mailbox has been hacked” and that “in any event, such a hacking could not be attributed to Ms. X...”, without checking, as it was required to do, whether that email had been established and maintained in conditions that guarantee its integrity and whether it contained an electronic signature resulting from the use of a reliable identification process, the Court of Appeals decision has no legal basis under Articles 287 of the Code of Civil Procedure, 1316-1 and 1316-4 of the Civil Code;
But the provisions invoked by the ground of appeal are not applicable to an email produced to prove a fact, as its existence can be established by any means of evidence, which are assessed at their discretion by the trial judges; accordingly the ground of appeal is unfounded.”
French Cour de Cassation, social chamber, 25 Sept. 2013
43. First Things First…
• Do you need to prove a right or a fact?
• Free proof or imposed proof
– Imposed = civil matters
– Free … more or less everything else
• criminal, administrative, employment matters
44. The question is therefore…
1. Do I need it?
(investment management)
2. If you can move mountains, you can move molehills…
(risk management)
45. 2.2 ABSENCE OF CHOICE…
46. Example of a “no choice” scenario
“To be presumed reliable within the meaning of above-mentioned Article 2 of Decree of 30 March 2001, the electronic signature procedures available to judges, registry officers and persons authorized under Article R. 123-14 of the Code of Judicial Organization must meet the three stars (***) level of the General Security Reference System (RGS). In addition, the signature must be secure and be created by a secure process certified in accordance with the conditions laid down in Article 3 of said Decree. The procedure for filing and registration of the identification and credentials data of these persons is subject to the initiative and responsibility of the Ministry of Justice.”
French Order of 18 October 2013 on electronic signature of court decisions issued in civil matters by the Cour de cassation
47. Another example… with less legalese
• “The documents of administrative authorities may be subject to an electronic signature. The latter is validly applied only by use of a method, compliant with the rules of general security framework referred to in Article 9 point I, which allows identification of the signatory, guarantees the link of the signature with the document to which it is attached and ensures the integrity of said document.”
• “The electronic certificates issued to administrative authorities and their agents in order to ensure their identification in the context of an information system are subject to a validation by the State under conditions laid down by decree.”
Ordinance 2005-1516 of 8 December 2005 on the electronic exchanges between citizens and administrative authorities (Art. 8)
48. 2.3 TIME TO CHOOSE!
49. A complex reality
• 4 legal concepts (Decree of 30 March 2001):
– Simple
– Secured + Digital
– Presumed reliable
• Geographical approach:
– Advanced (Dir. 1999/93/EC of 13 December 1999) / Secure (Decree of 30 March 2001)
– Digital signature / Electronic signature
• At least 3 technical realities:
– RGS: one star (*)
– RGS: two stars (**)
– RGS: three stars (***)
RGS = General Security Reference System
3 DEGREES OF RELIABILITY = 3 SIGNATURES
50. Where choice is possible …
• Click
• Electronic signature
• Secured electronic signature
• Digital signature
• Electronic signature presumed reliable
51. Basic method
Create evidence:
• One signatory / several signatories
• One document / a series of documents
• One channel / multi-channel
• Geographic distance
Administer evidence:
• Produce it in urgency (summary procedure)
• Produce it in specific conditions (criminal; supervising entities)
Manage dispute:
• Electronic signature presumed reliable – high risk of the evidence being contested
• Amount is high and risk of the situation becoming deadlocked
• Amount is not the essential element (high risk of low-value contracts being contested)
• Be careful of false hopes – technical expertise ahead
56. Legal approach
• “Where a statute has not fixed other principles, and failing a valid agreement to the contrary between the parties, the judge shall regulate the conflicts in matters of documentary evidence by determining by every means the most credible instrument, whatever its medium may be.”
French Civil Code, Art. 1316-2
62. Having an agreement on evidence is not enough; evidence and access to evidence need to be organized
Diagram elements: agreement on evidence; evidence record (vision of the situation, technical justification, legal basis); evidence trial (organization of evidence, access to evidence).
64. Diagram elements:
• Feasibility study (yes or no)
• Legal impact study (go or no go)
• Legal basis (public sector – e-government)
• Compliance review (legal opinion)
• Electronic document management policy
• Platform terms of access (online)
• Employee information
• Data Protection Authority (CNIL)
• Insurance
65. Risk of “legal bug”
Do not get confused between:
• an agreement related to evidence
• an agreement related to the digital process
67. Diagram elements:
• Delegation of electronic signature
• Terms of use of e-signature book
• IS policy (adaptation)
• Internal audit (reliable audit trail)
• Provider governance
• Provider audit
• Legal watch
• Right of access unit
• Crisis management
68. 4. BUT IS IT ENOUGH?
69. Security aspects of digital process
• Electronic signature
• Identity management
• Certificates
• Confidentiality
• Archiving
• Traceability
• Timestamping
70. Security is everybody’s business
• Application developers must take security into account…
• But a global vision is needed!
• Involvement and a responsible attitude from each stakeholder are essential for technical and legal security measures to be fully effective.
72. Next Breakfast Meeting
Mayors and MPs:
How to protect your e-reputation & name
February 12, 2014
Speakers:
Virginie Bensoussan-Brulé & Claudine Salomon