The President of Kenya assented to the Business Laws (Amendment) Act, 2020, which amended various laws in Kenya with the aim of facilitating the ease of doing business in the country. The amendments were made partly to keep up with a dynamic business environment shaped by advances in technology.
One key amendment was the recognition of electronic signatures in contracts. Section 3(6) of the Law of Contract Act has been amended as follows:
(a) in the definition of the word “sign” by inserting the words “physically or by means of an advanced electronic signature” immediately after the word “initial”.
This amendment affects Section 3 of the Law of Contract Act, which specifically addresses the need for certain contracts to be in writing and signed for them to be valid and legally binding. These contracts include transactions that affect any disposition of land and contracts that create obligations between two or more parties, e.g. contracts for the sale of goods and services.
The Amendment goes on to ambiguously define an “advanced electronic signature” as a signature which meets all the following requirements:
(a) is uniquely linked to the signatory;
(b) is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change to the data is detectable;
These requirements are the basic known requirements of certifying the validity of a document that has a mark of the signatory.
The amendment and recognition of electronic signatures in Section 83P of The Kenya Information and Communications Act reflects Kenya’s intention of transforming the business landscape from an analogue to a digital landscape. The Act states:
Where any law provides that information or any other matter shall be authenticated by affixing a signature or that any document shall be signed or bear the signature of any person, then, notwithstanding anything contained in that law, such requirement shall be deemed to have been satisfied if such information is authenticated by means of an advanced electronic signature affixed in such manner as may be prescribed by the Minister.
These provisions give validity to any electronic signature affixed to any document. Electronic signatures are already used by businesses and the government, e.g. Certificates of Incorporation issued after registration of a company in Kenya bear the electronic signature of the Registrar of Companies. This is given validity by Section 83S of the Kenya Information and Communications Act.
An electronic signature does not need to take a specific form or mark, as is the traditional norm, as long as it is unique to the signatory, capable of identifying the signatory, created by a means that is solely under the signatory’s control, and able to reveal any subsequent changes made to the original. These are the four fundamental requirements of electronic signatures.
Another example of the use of electronic signatures in private and commercial scenarios is online transactions with a bank. The login username and password are uniquely linked to the account owner. An online transaction can only be initiated if the account owner is logged into the system. Most banks typically send a One-Time Passcode (OTP) through a third party; this can be through SMS, e-mail or an independent key generator. After the transaction is authorized and executed, a confirmation receipt is sent to the account owner with a unique system-generated reference code that is used to identify the transaction and the owner.
The use of electronic signatures is not set in stone and varies with different scenarios. All these variations, however, have one constant issue: the ability to verify electronic signatures and identify any subsequent changes made to the original. This is a key issue that needs to be addressed in the wake of the amendments and the recognition of electronic signatures.
Verification of Electronic Signatures
Signatures are used for certification and verification, and as such a hierarchy can be used to identify how advanced an electronic signature needs to be for it to be acceptable in a given circumstance. In scenarios where the subject matter involves a dispute, or the allocation or ascertaining of rights between two or more parties, e.g. court pleadings and orders, or a will and final testament of a deceased person, verification is key to ascertaining the rights associated with the respective subject matter. E.g. if a will is challenged in court on the grounds that the signature of the deceased is a forgery, the party alleging the claim may call a document examiner as an expert witness to verify the validity of the signature. This is mostly done by comparing the questionable signature with a known specimen. The method is not 100% effective; however, it has been the norm in practice. The use of electronic signatures in sensitive documents can be ranked high in the hierarchy.
Electronic signatures can be verified using digital signatures. A digital signature is a mathematical scheme used to verify the authenticity of digital documents and messages. Digital signatures are created and verified using cryptography, the branch of applied mathematics that concerns itself with transforming messages into a seemingly unintelligible form and back into the original form. This should not, however, be confused with the more commonly known use of cryptography in encryption to secure data.
Digital signatures use what is known as “public-key cryptography”, which is often based on the use of algorithmic functions to generate two different but mathematically related “keys”. One key is used for creating a digital signature or transforming data into a seemingly unintelligible form, and the other for verifying a digital signature or returning the message to its original form. This might seem confusing; for reference, however, a person’s handwriting can be used as an analogy for a digital signature. It is virtually impossible to effectively forge an individual’s handwriting, especially in long sentences. Any forgery can be identified even by an untrained eye.
Digital signatures are created through a computer language which is impossible for a human being to process. It is a language that can only be verified by a computer. In this scenario the verification is done by virtue of two keys: a private key and a public key. A private key can only be generated by the signatory, and a public key is ordinarily widely known and can be relied on by third parties for verification. Although the keys of the pair are mathematically related, if an asymmetric cryptosystem has been designed and implemented securely it is virtually impossible to derive the private key from knowledge of the public key.
Digital signature verification thus occurs when a digital signature is compared to the original message and a given public key. It can then be determined whether the digital signature (in our case, the electronic signature) was created for the same message (signature and document) using the private key that corresponds to the referenced public key.
Certification Authorities
To associate a key pair with a prospective signatory, a certification service provider (or certification authority) issues a certificate: an electronic record that lists a public key together with the name of the certificate subscriber as the “subject” of the certificate, and that may confirm that the prospective signatory identified in the certificate holds the corresponding private key. Section 83E accommodates the establishment of electronic certification providers through the issue of a license; these can be private or public.
A Certification Authority can be unique to a specific sector, e.g. the legal sector, where advocates and the judiciary substantially exchange documents that verify the validity of a fact. Signatures are used to validate documents that ascertain facts, e.g. court pleadings, affidavits and correspondence between parties that can be used as evidence in court. In such sensitive sectors it is essential for documents issued by their makers to be verified before they can be acted on or used for reference purposes. This is even more crucial as the Judiciary in Kenya is transitioning to the Integrated Court Management System, which will adopt electronic filing of court pleadings. The Civil Procedure Act (rules) have already been amended to accommodate the same.
To ensure security and that signed documents are valid, a certification authority can be established to cater for specific needs. The Judiciary and the Law Society of Kenya can create a Certification Authority that issues certificates that can verify electronic signatures made by stakeholders in the legal sector. The certification authority can then create a public registry that can be used to verify the validity of electronic signatures. For the avoidance of doubt, this will not be undertaken manually but done automatically, through software issued to stakeholders or through a public URL that anyone can access to verify the validity of a document or electronic signature. This public registry can be accessible to other agencies and companies. E.g. the land registry can use the public keys to verify that a transfer of land has been handled and signed by an advocate, because each advocate has a unique private key issued to them.
The use of Certification Authorities is not limited to the legal sector; they can be used in the medical sector as well. E.g. pharmacies can verify electronic prescriptions issued by doctors. The public keys should be available to a wide variety of persons, many of whom are not known to the signatory and with whom no relationship of trust has developed. To that effect, the parties involved must have a degree of confidence in the public and private keys being issued; this can be cultivated through the issue of keys by a regulated Certification Authority.
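The verification chain described above (a certification authority vouches for a signatory's public key, and a relying party such as the land registry then checks a signed document) can be shown end to end. This is an added example, not part of the original article or of any Kenyan registry system; it goes slightly beyond the text by also covering an impostor who issues their own certificate. The `Certificate` struct is a simplified stand-in for an X.509 certificate (no expiry or revocation), and all names and document text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Certificate (simplified, assumption): the CA's signature binds a name to a public key.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

func certBody(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

// Issue is run by the certification authority once it has identified the subject.
func Issue(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PublicKey: pub, CASig: ed25519.Sign(caPriv, certBody(subject, pub))}
}

// Verify is the relying party's check: certificate first, then the document signature.
func Verify(caPub ed25519.PublicKey, c Certificate, doc, sig []byte) (string, error) {
	if !ed25519.Verify(caPub, certBody(c.Subject, c.PublicKey), c.CASig) {
		return "", errors.New("certificate was not issued by the trusted CA")
	}
	if !ed25519.Verify(c.PublicKey, doc, sig) {
		return "", errors.New("document changed after signing or signed with another key")
	}
	return c.Subject, nil
}

// Demo runs three cases on constructed data and returns their outcomes.
func Demo() (signer string, tamperErr, impostorErr error) {
	caPub, caPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	advPub, advPriv, _ := ed25519.GenerateKey(nil)
	cert := Issue(caPriv, "Advocate A (constructed)", advPub)
	doc := []byte("Transfer of parcel X to buyer B") // constructed document
	sig := ed25519.Sign(advPriv, doc)
	signer, _ = Verify(caPub, cert, doc, sig)
	_, tamperErr = Verify(caPub, cert, []byte("Transfer of parcel X to buyer C"), sig)
	impPub, impPriv, _ := ed25519.GenerateKey(nil) // impostor self-issues a certificate
	_, impostorErr = Verify(caPub, Issue(impPriv, cert.Subject, impPub), doc, ed25519.Sign(impPriv, doc))
	return
}
func main() { fmt.Println(Demo()) }
```

The three outcomes map onto the statutory requirements: the first identifies the signatory, the second shows that a subsequent change to the data is detectable, and the third shows why the relying party must check the certificate against the authority's key rather than trust a name in the document.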
To conclude this piece, with dynamic changes taking place as a result of advancement in technology, the four fundamental requirements of electronic signatures must be upheld, and as such electronic signatures should be widely used and accepted as long as they are unique to the signatory, capable of identifying the signatory, created by a means that is solely under the signatory’s control, and able to reveal any subsequent changes made to the original. The infrastructure has been established by the Kenya Information and Communications Act and The Business Laws (Amendment) Act, 2020.
For more information on this article or legal advice on Electronic Commerce contact:
Lee Mutunga