Over the last twenty years, trade, personal relationships and the interaction of citizens with public administrations have evolved rapidly, and this has transformed the concept of personal identity. The identity of the person has traditionally been based upon the association of the individual with distinctive acts or signs of an analogue nature: an individual proves who he or she is by comparing their person with an official document in which their photograph and personal data appear, with their initials or signature being the visible and distinctive sign which associates the document with its bearer. In order to carry out certain acts, the presentation of the identity document and the signature are unavoidable requirements, because identity is verified when appearing in person.

However, a long list of acts and legal transactions now exists which are carried out remotely using telematic means. Consider the way in which we interact with banks nowadays: physical presence in a branch is no longer necessary for most operations, which are carried out via applications installed on mobile phones, tablets or computers. In these cases, the user does not use a digital signature, but alphanumeric identification codes, followed by private passwords which are used to validate operations. In other cases, the digital signature is the accepted form for allowing an individual or legal entity to interact via telematic means, as happens with the public administration. In any case, there is no doubt that the digitalisation of the economy is a logical and consolidated trend, given that technology contributes at least two invigorating elements: the speed of the transactions and the simplicity of the processes which allow decision making.

The development of the digital economy, also known as the “on-line” economy, faces several obstacles. Each country has its own legislation and technical requirements for the creation of digital signatures, which are not recognised in other countries, and this lack of reciprocal recognition prevents on-line operations from being carried out. Furthermore, on-line transactions are perceived to lack legal security because of their exposure to cyber-attacks and identity theft.

European Union Regulation 910/2014 was passed in an effort to solve these problems, an essential element thereof being the digital identification of persons operating “on-line”. The concept of qualified digital signatures was created, to be recognised in all of the Member States, on the basis of homogeneity as regards the technical requirements to be met by the legislation of each State in order to control the creation of such signatures. Even though this is of the utmost importance, it is still not enough to achieve the objective, because one element is still missing to complete the concept of digital identity: the establishment of a safe way of linking the individual or legal entity to their digital signature, given that digital signature certificates operate via electronic devices which may be stolen or used without the knowledge or against the will of their owner. Such non-consented or overlooked use may lead to the completion of fraudulent transactions or even the creation of false digital profiles, with enormous damage to the person concerned.

So if the digital profile of persons currently focuses not so much on what people say they are as on the digital footprint left behind by the operations they carry out on-line, the fraudulent use of digital signatures can create a false image of the user, giving rise to numerous practical consequences such as being categorised in high-risk financial groups, being excluded from certain job offers, being penalised in insurance premiums or medical insurance, or even worse situations. The disassociation between the person who holds the digital signature and their acts is a serious risk inasmuch as the generally accepted principle is that a general identity accompanies the electronic device which generates the expression of acceptance for any transaction, without any means of verifying that the user of the device is the person in question or another duly authorised person. One might object that each user is responsible for the custody of the electronic media or devices that store the electronic signature. Although this argument is correct, it does not avert the danger, nor does it provide a solution to cases of non-consented or overlooked separation of the person from the electronic device in which the digital signature is kept and from which on-line transactions are carried out. To accept the syllogism that, if a transaction has been carried out using a legally valid digital certificate, it must correspond to the holder thereof is a dangerous half-truth, as it ignores the problem of identity theft.

Therefore, it is not sufficient to create a framework of legal and technical rules regulating the creation of qualified digital signatures which are recognised among the Member States of the European Union. It is necessary to establish technical methods which allow us to reasonably ensure that the person who carries out an operation online via an electronic device is its owner or an authorised person; otherwise, the danger of identity theft is not eliminated, but simply masked. Until this is possible, it will not be possible to speak properly of legal security in online transactions, and this brings with it doubts regarding the system and slows down the conversion to the digital economy.

It seems probable that the generalised use of the Network as a medium for carrying out transactions will mean that those transactions are of increasing legal significance and economic volume. Hence the importance of the problem we are facing. Currently, electronic certification operates by a mere click of acceptance, and what follows are acts of legal and economic relevance which are associated with the holder of the certification and carry a presumption of authenticity regarding the expression of will and the identity of the person expressing it. This does not seem acceptable, and it has no place in a legal system in which the intervention of a public authority (e.g. a notary public) is frequently an essential condition for carrying out certain acts, such as the purchase and sale of real estate property, the signing of financial contracts etc. On the other hand, it seems logical and reasonable to demand that, for that presumption to apply, the holder of the qualified digital signature must employ certain formulas, algorithms or other technical elements inextricably associated with a person, for the purpose of proving that the person is the holder of the signature and proving his or her will to carry out the transaction. A system which ensures identity between the user of the digital signature and its owner would complete the concept of digital identity, give the system legal security and thus allow the development of markets in sensitive areas, such as transactions with financial products, which, given their significance, do not yet trust the Network but only conventional analogue methods.

Eduardo Vilá

Vilá Abogados

For more information, please contact:

va@vila.es

15th November 2019