10 years after the enactment of the Israeli Electronic Signature Law, electronic signatures are poorly adopted in Israeli e-commerce. The Law clearly failed to meet its expectations. Major projects include only two prominent ones by the government –
- Reports made by public companies to the Israeli Securities Authority and the Tel-Aviv Stock Exchange must be signed digitally. This required the issuance of only a few thousands e-signatures;
- Value Added Tax reports submitted to the Tax Authority must be signed electronically. First introduced in steps, this provision should apply to all businesses in Israel as of 2012. The requirement has the potential to encompass tens of thousands of signatures and as such it recently boosted the approval of a new Certificate Authority.
Smart IDs and e-signatures
For years, the government is planning to issue smart ID cards to Israeli citizens that may include electronic signatures. The Electronic Signature Law was amended in 2010 to allow for this. The project was not yet launched although it finally seems to be forming. Whether or not Israeli citizens will ask for e-signatures on their ID cards, is still to be seen.
There are various reasons for the slow adoption of electronic signatures in Israel. Some of which may have nothing to do with the Law: the lack of government enthusiasm to support e-signatures; the fact that the Law was introduced during the hurdles of economy in 2001 – 2003 which deterred organizations, such as banks and insurance companies, from acquiring new technologies etc. However, the Law in itself as well as rigid and slow regulation and more may be counted upon the reasons may have had some responsibility to the current situation.
Secure Electronic Signature
The Israeli Electronic Signature Law, 2001 was enacted in the footsteps of European and international legislation. It is confusingly named: while its title implies that it deals with Electronic Signatures ("a signature that is electronic data or an electronic sign that is attached to or associated with an electronic message"), it actually centers on “Secure Electronic Signature”. And as it focuses on that particular type of signature, it favors another one – the "Certified Electronic Signature"…
“Secure Electronic Signature” is an electronic signature which meets the following requirements: It is unique to the owner of the signing device; it enables apparent identification of the owner of the device; it is created using a signing device that can be maintained under the sole control of its owner, and it enables identification of any change to the electronic message subsequent to signing.
A Certified Electronic Signature is a secure electronic signature for which a Certification Authority ("an authority that issues electronic certificates, and is registered in the Registry under the provisions of this Law ") has issued an electronic certificate regarding the signature verification device (usually, a public key) required for verifying it.
Uncertainty Amongst Companies
The Law uses neutral terms, in order to spread its wings over electronic signature technologies other than PKI. With its regulations, it provides several ways to recognize a Secure Electronic Signature, the most prominent of which being an approval by the Certification Authority Registrar in the Ministry of Justice. Alas, in the past decade not even one signature device was recognized as producing the coveted Secure Electronic Signature… This had the effect of creating uncertainty amongst companies contemplating to adopt e-signatures technologies.
For any law requiring a signature – such requirement may be fulfilled, in respect of an electronic message, by use of a certified electronic signature only (article 2 of the Law). Back in 2001 when the Electronic Signature Law was approved by the Knesset (the Israeli parliament) there have been over 600 laws that required signature for legal actions to be effective. This in itself should have given major boost to the adoption of certified electronic signatures. However, during most of the time since the enactment, only one CA was approved and registered (currently there are two). Coupled with the above provision, this created a de-facto monopoly for e-signatures in Israel and acted to deter organizations from introducing electronic signatures into their processes. ILITA, the Israeli Law, Information and Technology Authority governing the Law, had recently recommended dropping this provision from the Law. However, to date, no bill was introduced to amend it.
Pros of Certified Electronic Signatures
If indeed article 2 of the Electronic Signature Law will be taken out, Certified Electronic Signatures will still have major pros over Secured Signatures:
- A Certified Electronic Signature is presumed to be a secure electronic signature (article 4 of the Law) due to the fact that prior to any issuance of an Electronic Certificate, registered CAs must check the applicant's signature verification device (typically, public key) and assure its compliance with the standards detailed in the Law's regulations.
- Immediately upon discovery that his signing device has been compromised, the owner of a Certified Signature shall only have to notify the CA that issued his electronic certificate (the CA in its turn must include the Certificate in its revocation list – CRL). In contrast, the owner of a Secured Signature must notify upon the discovery that his signing device has been compromised, anyone who might reasonably rely on his electronic signature based on routine relations between them and anyone whom he knows will probably rely on his electronic signature. This, of course, is a much heavier burden to carry.
Slow adoption of e-signatures in Israel may be attributed to various factors. Provisions of the Electronic Signatures Law and the regulation that followed are one of them. Clearing the way to a wider introduction of e-signatures and the benefits they carry, must include amendments to the Law and flexible regulation.