This article has been written by Saswati Soumya pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
This article has been published by Oishika Banerji.
An Aadhaar number can be authenticated by another entity for identification, so that such person can receive a subsidy, benefit or service, for which the expenditure is incurred from, or the receipt therefrom forms part of, the Consolidated Fund of India. Before the passage of the judgment, any entity, be it a corporate or an individual, was allowed to state that an Aadhaar number must be used to establish the identity of an individual for “any purpose”, under “any contract” and not as per law. Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) was challenged as unconstitutional on this basis. It was declared unconstitutional because it would lead to commercial exploitation of an individual’s biometric and demographic information by private entities, which would impinge on the right to privacy of such individuals. It is to be noted that identity information in respect of an individual includes Aadhaar number, biometric information and demographic information. Biometric information includes a photograph, fingerprint, iris scan and such other biological attributes of an individual as may be specified by the regulations under the Aadhaar Act. Demographic information constitutes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by the regulations under the Aadhaar Act to issue an Aadhaar number. However, it shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history. The immediate effect of the Aadhaar judgment was that private entities cannot use Aadhaar numbers for authentication. By virtue of this judgment, banks cannot force the mandatory linking of Aadhaar with bank accounts and telecom companies cannot mandate Aadhaar-based e-KYC for issuing mobile connections.
It is evident that the aforesaid concepts do not include the concept of electronic signature and the realities of e-contract, wherein parties may not know each other or may not see each other. The two basic essences of e-contracts rest on consensus ad idem and quid pro quo. The Information Technology Act, 2000 provides a framework for legally recognizing the transactions that are carried out via exchange of electronic data and other means of electronic communication, which involves the usage of alternatives to paper-based methods of communication. However, if the contract relates to the sale or conveyance of immovable properties, or the contract relates to capturing the interest in such property, then it is required to be on paper. The following documents cannot be electronically signed and must be executed using traditional “wet” signatures in order to be legally enforceable, namely, (a) negotiable instruments such as promissory note or a bill of exchange other than a cheque, (b) powers of attorney, (c) trust deeds, (d) wills and any other testamentary disposition and (e) real estate contracts such as leases or sale agreements.
The electronic equivalent of a physical signature or a handwritten signature is called an electronic signature. The UNCITRAL Model Law on electronic signatures provides the technical aspects of electronic signatures as well as the model law for authentication and verification of such signatures. “The common purpose of e-sign techniques is to provide functional equivalents to (a) handwritten signatures, and; (b) other kinds of authentication mechanisms used in a paper-based environment (e.g. seals or stamps).” The definition of electronic signature could have multiple interpretations such as a digitized version of hand signatures & PIN or OTP based e-sign etc, thereby referring to different modes of electronically signing a document. Section 5 of the IT Act, 2000 provides legal recognition to electronic signatures and prescribes that, wherever law requires authentication by signing, it shall be sufficient if the signatory affixes an electronic signature in the manner prescribed by the Government. Section 2(a) of the IT Act, 2000 specifies the meaning of an electronic signature. “An electronic signature means authentication of any electronic record by a subscriber through the electronic technique specified in the Second Schedule and includes a digital signature.” The two electronic authentication techniques that are specified in the Second Schedule of the IT Act, 2000 are Aadhaar, i.e., Aadhaar e-KYC or other e-KYC services, i.e., offline Aadhaar e-KYC, PAN-based e-KYC.
From an authentication perspective, the electronic signature of users plays a critical role for identification purposes. It is an application of legal technology generally and optical character recognition (“OCR”) technology specifically in the space of authentication of documents. The issue of electronic signature can be viewed from the perspective of contract act, stamp law and also from the perspective of the law of evidence. These points of view help answer the question of whether an agreement that is insufficiently stamped will be considered admissible evidence. In all the perspectives, the analysis must determine whether the electronic signature can be “attributed” to a person or not. In simple terms, this would mean that the signature would be attributed to the signatory if he/she is the originator. If the originator has authorized another person to sign on his/her behalf, then the signature would still be attributed to the originator. In the scenario wherein a contract is executed by an information system that is programmed to operate automatically by the originator, the execution or the signing of such a document shall also be attributed to the originator.
Furthermore, Article 13 of the Model Law on Electronic Commerce states that “In the case of a paper-based communication, the problem would arise as the result of an alleged forged signature of the purported originator. In an electronic environment, an unauthorized environment may have sent the message but the authentication by code, encryption or the like would be accurate.” From a contract law perspective, such identification is important for evaluating the enforceability of the contract and assessing whether such a contract would be considered a valid instrument. Additionally, the documents need to be evaluated from the perspective of Sections 65A and 65B of the Evidence Act, 1872, which provide for the recognition and admissibility of electronic records. For copies of electronic records, a certificate under Section 65B (4) is mandatory, which shall identify the record and shall describe the manner of production of such copy. It shall give details of the device that is involved in the production of an electronic record. Such a certificate must be signed by appropriate personnel, i.e., “a person occupying a responsible official position concerning the operation of the relevant device or the management of the relevant activities”. Such a certificate shall not be required if the original document is being produced as a piece of evidence before the court of law.
The Aadhaar judgment has not dealt with the authenticity guaranteed by electronic signatures as such. However, it has an impact on the ways of conducting authentication by private entities. Post the Aadhaar judgment, private entities have shifted from conducting online Aadhaar e-KYC to offline Aadhaar e-KYC services. This shall not mean that such entities would not follow the electronic authentication techniques that are specified in the Second Schedule of the IT Act, 2000. In 2019, the Aadhaar and Other Laws (Amendment) Act, 2019 was passed. This amended Section 11A of the Prevention of Money Laundering Act, 2002, which dealt with verification of identity by a requesting entity (“RE”). This amendment allowed an RE, a banking entity, to carry out verification of identity by authentication under the Aadhaar Act. The same year also witnessed the amendment of the Second Schedule of the IT Act, 2000. Under this amendment, the word “other” was inserted after Aadhaar e-KYC. Post the amendment, the provision read as “e-Authentication technique using Aadhaar and other e-KYC services”.
The above legal landscape has enabled private entities to enter the space of Aadhaar-based services, especially electronic signatures. On the other hand, if email or another form of authentication is used to sign a document electronically, then it is prudent to follow industry best practices in order to satisfy the requirements of the IT Act, 2000, namely:
(a) A mechanism for verifying the identity of the party is included. This can occur when a verification request is sent to a unique email address or when an OTP is sent to the signing party’s mobile phone number,
(b) The consent of the signing party is obtained to conduct business electronically,
(c) The signing party’s intention to sign the document electronically by using a particular method is demonstrated,
(d) The process is tracked securely and there are audit trails that log each step, and
(e) The final document is secured with a tamper-evident seal.
From a contractual perspective, a contract signed by electronic signature must exhibit that the reliability conditions are followed. This holds true for the two types of methods wherein electronic signatures are used and are thus deemed to have the same legal status as handwritten signatures, namely,
(a) There are electronic signatures that combine an Aadhaar identity number with an electronic Know Your Customer (eKYC) method such as a one-time password. This method is known as the eSign online electronic signature service; and
(b) There are digital signatures generated by an “asymmetric crypto system and hash function”. In such a system, a long-term (1 to 2 year) certificate-based digital ID is issued to the signer. This is stored on a USB token and is used along with a personal PIN in order to sign a document.
The additional conditions, called reliability conditions, need to be followed in both these methods in order for such e-signatures to be valid under Indian law:
(a) The element of uniqueness must bind the signature with the signatory. In simple terms, this means that the electronic signature must be uniquely linked to the person who is signing the document and not to any other person. Such a condition is met with digital signatures by a certificate-based digital ID.
(b) Secondly, there should be an element of control by the signatory over the data that is used to generate the signature at the time of signing the document. This occurs by directly affixing the e-signature to the document.
(c) If there is any alteration to the affixed e-signature, or in the document to which the signature is affixed, then it must be detectable. This happens by encrypting the document with a tamper-evident seal.
(d) An audit trail of steps that are taken during the signing process should be present.
(e) The signer certificates need to be issued by a Certifying Authority (“CA”) that is recognized by the Controller of Certifying Authorities appointed under the IT Act, 2000. It is to be noted that an e-signature or a digital signature certificate can be issued by a CA that is licensed by a Controller of Certifying Authority. For a document signed using an electronic signature to be valid, all the above reliability conditions need to be satisfied.
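The sketch below is an added illustration, not part of the original article or of any eSign provider's code. It shows how reliability conditions (c) and (d) can be met together: a hash-chained audit trail of the signing steps, bound to the document digest under one seal. All function names, the sample steps and the key are constructed for the example, and HMAC-SHA256 stands in for the CA-certified asymmetric signature a real seal would use.

```python
import hashlib
import hmac
import json

# Constructed demo key. Stand-in for the signer's private key: a real seal is an
# asymmetric signature under a certificate issued by a licensed CA.
DEMO_SEAL_KEY = b"constructed-demo-key-not-a-real-credential"
GENESIS = "0" * 64


def _entry_hash(prev_hash, step, detail):
    body = json.dumps({"prev": prev_hash, "step": step, "detail": detail}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def build_trail(steps):
    """Chain each signing step to the one before it, so edits break the chain."""
    trail, prev = [], GENESIS
    for step, detail in steps:
        prev = _entry_hash(prev, step, detail)
        trail.append({"step": step, "detail": detail, "hash": prev})
    return trail


def seal(document, trail, key=DEMO_SEAL_KEY):
    """Bind the document digest and the trail head under one keyed seal."""
    doc_digest = hashlib.sha256(document).hexdigest()
    head = trail[-1]["hash"] if trail else GENESIS
    return hmac.new(key, f"{doc_digest}:{head}".encode(), hashlib.sha256).hexdigest()


def verify(document, trail, seal_value, key=DEMO_SEAL_KEY):
    """Return 'ok', or name what was altered: the trail or the document/seal."""
    prev = GENESIS
    for entry in trail:
        prev = _entry_hash(prev, entry["step"], entry["detail"])
        if not hmac.compare_digest(prev, entry["hash"]):
            return "audit trail altered at step: " + entry["step"]
    if not hmac.compare_digest(seal(document, trail, key), seal_value):
        return "document or seal altered"
    return "ok"


# Constructed sample: the steps mirror the best-practice list above.
SAMPLE_DOC = b"Service agreement v1 (constructed sample text)"
SAMPLE_STEPS = [
    ("identity_verified", "OTP sent to registered mobile number and confirmed"),
    ("consent_recorded", "signer agreed to conduct business electronically"),
    ("intent_recorded", "signer chose OTP-based e-sign"),
    ("signature_affixed", "signature applied to document"),
]
```

Because the seal covers the head of the chain, dropping the last audit entry is caught as well as editing one in the middle.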
The Aadhaar e-Sign is the most common electronic signing technique. Its validity stems from a notification titled “Electronic Signature or Electronic Authentication Technique and Procedural Rules, 2015”. A valid electronic signature’s definition encompassed Aadhaar eSign, since the same got inserted into Schedule II of the IT Act, 2000. The power of the central government to do this stemmed from Section 3A of the IT Act, 2000.
The eSign Service Provider (“ESP”) is an important stakeholder because it is a central facility that facilitates the Aadhaar eSign transaction between the signatory, UIDAI and the Certifying Authority. On the other hand, an application service provider (“ASP”) is an entity that allows signatories to Aadhaar eSign documents. There must be an agreement between an ASP and an ESP for this process. It is to be noted that, ESP is the entity that provides the backend functionality and the ASP is the entity that provides the front end functionality. The following diagram shows the way in which Aadhaar eSign works behind the scenes.
The relevance of an electronically signed document can be traced to the provisions of the Evidence Act, 1872 with Aadhaar Act, 2000, namely Section 47A, 67A, 85A, 85B, and 85C. Thus, private entities can enter this space and enable Aadhaar eSign services.