E-signatures v.s. digital signatures under Vietnamese law
Under the Law on E-Transactions, an e-signature (chữ ký điện tử) is defined as being created in the form of words, script, numerals, symbols, sounds or in other forms by electronic means, logically attached or associated with a data message, and being capable of identifying the person who has signed the data message, and being capable of identifying the consent of that signatory to the contents of the signed data message.
According to Article 24.1 of the Law on E-Transactions, an e-signature of an individual affixed to a data message will be legally equivalent to the signature of such individual affixed to a written document if:
· the method of creating the e-signature permits to identify the signatory and to indicate his/her approval of the contents of the data message; and
· such method is sufficiently reliable and appropriate to the purpose for which the data message was originated and sent.
Accordingly, if an user being an individual of an e-commerce website, who can be identified by his/her username, password, and other means of verification (e.g., OTP code), clicks on a confirmation button of an online order then such action can be regarded as creating and affixing an e-signature to the online order by the individual user. This is because:
Elements of an e-signature |
Analysis of the individual action |
Created in
the form of words, script, numerals, symbols, sounds or in other forms by electronic means. |
The “Accept”
or “OK” buttons in the online order form exist in the form of words and are created by electronic means. The e-commerce
website may qualify as an electronic means under the Law on E-Transactions. This is because electronic means is defined as “a means that operates based on electric, electronic, digital,
magnetic, wireless, optical, electromagnetic
technologies or similar technologies”. |
Associated
with a data message |
Each online
order could qualify as a “data message” (thông điệp dữ
liệu). Under the Law on E-Transactions, data message is defined to mean “information
created, sent, received and stored by electronic means”. Since the online order is created and stored via the e-commerce
website’s system – an electronic means, it is regarded as a data message
under the laws. Presumably, each time the individual user selects “Accept” or
“OK” buttons when using an e-commerce website’s order system can prove that
such selection is associated with a
particular order. |
Capable of
identifying the person who has signed the data message |
In order for an
individual to select “Accept” and “OK” buttons when using an e-commerce
website’s order system, such individual must have logged on an e-commerce
website’s order system using his/her user ID and password. Therefore, it is
possible to identify the individual who
has accepted an online order. |
Capable of
identifying the consent of that signatory to the contents of the signed data
message. |
The words
“Accept” or “OK” can arguably mean
consent. Therefore, if the website system can identify that the individual
select “Accept” and “OK” buttons then
the website system can also identify the consents of the individual about the
contents of the data message as required by law. |
The Law on E-Transactions defines a person using e-signature (e-signatory) to mean a person who controls the electronic signing program and uses such equipment to certify his/her will regarding the signed data message. Electronic signing program is defined to mean “a computer program established to operate independently or through equipment, information system, other computer programs in order to create an e-signature typical for the person who signs data messages”. The website system designated for its users to log on and approve the content of the Register may be regarded as electronic signing program. As such, the individual user, by using the website system via his/her user ID and password to create or verify the content of an online order, appears to qualify as e-signatory under the Law on E-Transactions.
On the other hand, under Decree 130/2018, a digital signature is defined as “a type of e-signature created by transformation of a data message using an asymmetric cryptosystem whereby the person having the initial data message and public key of the signatory may accurately determine:
· whether such transformation is created with a private key corresponding to the public key in the same key pair, and
· whether the data message has been altered since the transformation.
The e-signature created by an individual user using an website system is not a digital signature because it does not involve any key pairs.