MONOLITH LAW MAGAZINE

General Corporate

Explaining the Creation and Verification of Electronic Signatures: What is their Legal Effect?

Online interactions do not involve face-to-face communication. It is therefore necessary to verify that the sender and receiver of the information are who they claim to be, and that the information has not been tampered with during transmission.

In this article, we will explain how to create digital signatures using encryption technology, which is an effective method for this purpose, and how to authenticate them.

What is an Electronic Signature?

The “Japanese Electronic Signature Law (Law Concerning Electronic Signatures and Certification Services)” defines and regulates the ‘electronic signature’ applied to electronic documents, as well as the business that performs its authentication, and stipulates the legal validity of electronic signatures.

In this Japanese Electronic Signature Law, an ‘electronic signature’ is a measure taken for information that can be recorded in electromagnetic records, and it is considered to meet both of the following two requirements:

  1. The electronic signature indicates that it was created by the person themselves (authenticity)
  2. It is possible to confirm whether or not the electronic signature has been altered (integrity)

According to Article 2, Paragraph 1 of the Japanese Electronic Signature Law, if an electronic signature that only the person themselves can perform is made, it is presumed to be genuinely established, just like a document signed or sealed by the person themselves (Article 3 of the Japanese Electronic Signature Law).

Legal Effect of Electronic Contracts

A contract is established when the other party accepts the intention to conclude a contract that indicates the content of the contract (Article 522 of the Japanese Civil Code), and it is not always necessary to create a document. However, if a contract dispute arises, evidence that can be submitted to court is required.

Regarding this, Article 228, Paragraph 1 of the Japanese Civil Procedure Law states that “a document must prove its genuine establishment” to use a contract as evidence in court. When submitting a paper document as evidence, if the document has the signature or seal of the person themselves or their agent, the document is presumed to be genuinely established (created by the person’s intention) (Article 228, Paragraph 4 of the Japanese Civil Procedure Law).

In response to this, the legal effect of electronic contracts was organized by the Japanese Electronic Signature Law.

Authentication Services for Electronic Signatures

In order to make an electronic contract have evidential power in court, it is necessary to meet the requirement that “it was created by the person themselves”. Unlike a signature on a document that can be confirmed by looking at the document, an electronic signature is electronic data, so a means of proving whether it was made by the person themselves is required.

Regarding this, Article 2 of the Japanese Electronic Signature Law states:

Japanese Electronic Signature Law (Definition) Article 2

Paragraph 2: In this law, “authentication services” refers to the business of proving that the matters used to confirm that the user (hereinafter referred to as “the user”) or another person has made an electronic signature are related to the user in response to the request of the user or another person.

Paragraph 3: In this law, “specific authentication services” refers to the authentication services performed for electronic signatures that meet the standards set by the ministerial ordinance as those that can only be performed by the person themselves according to their method.

As such, the Japanese Electronic Signature Law anticipates that a third party will prove that an electronic signature is made by the person themselves, and calls this business “authentication services”. Among them, it defines the authentication services performed for those that meet the standards set by the ministerial ordinance as those that can only be performed by the person themselves as “specific authentication services”.

Currently, the authentication technology adopted as the standard for “specific authentication services” is PKI (Public Key Infrastructure) technology using a cryptographic method called public key cryptography (Article 2 of the Japanese Electronic Signature Law Enforcement Regulations). “Specific authentication services” refers to the business of using this technology to encrypt electronic documents and verify the person themselves, and to issue electronic certificates to prove whether the electronic signature is the person’s own. This authentication service is allowed to be performed by private companies, and the third-party institutions that perform the authentication services are called “electronic certification authorities”, and their certification standards are stipulated in Article 4 and following of the Japanese Electronic Signature Law.

Electronic Signatures and Timestamps

Electronic signatures and timestamps are “evidence” that guarantee “when”, “what”, and “who” in the internet society, and they are a powerful means to verify the originality of electronic documents.

Creation and Transmission of Electronic Signatures

Electronic signatures are currently created and transmitted in the following flow, which uses the “public key encryption method” (a private key paired with a public key) together with a hash function.

  1. The creator applies to the certification authority for the use of an electronic certificate.
  2. The certification authority verifies the identity, confirms the correspondence of the private key and the public key, and then generates a private key used to encrypt the document and a public key used to decrypt the document.
  3. The certification authority issues an electronic certificate of the public key registered by the creator.
  4. The creator accepts the electronic certificate from the certification authority.

On this basis, the sender will use the electronic certificate to send electronic data.

  1. The sender converts the electronic data into a hash value (also known as a message digest) using a hash function. A hash function is a function that converts data (input value), such as characters and numbers, into some numerical value (output value).
  2. This hash value is encrypted with the private key corresponding to the public key certified by the electronic certificate. This act is called an “electronic signature”.
  3. The sender combines the electronic data (plaintext) and the electronic signature and sends them to the recipient along with the electronic certificate.
  4. The recipient separates the received data into electronic data (plaintext) and electronic signature, and generates a hash value from the electronic data (plaintext) using the same hash function as the sender.
  5. The electronic signature is decrypted using the sender’s public key to obtain the hash value.
  6. By comparing the hash values obtained in 4 and 5, if they match, it can be confirmed that the electronic data is from the sender and has not been tampered with.

Due to the nature of the hash value, if the content of the electronic document is exactly the same as when the electronic signature was made, the hash value created and the hash value decrypted will be exactly the same, and if even one character is different, a completely different hash value will be generated.

Therefore, by confirming the match of the two hash values, it can be confirmed that the electronic document has not been tampered with.

Timestamp

A match between the hash value of the electronic document and the hash value obtained from the signature confirms that the content of the document is unaltered. In addition to this, the “timestamp” (TS) is used as proof of when the document existed (existence proof) and that the content of the document has not been altered since that time (non-alteration proof). Timestamps, along with electronic signatures, are considered an effective means of verifying the originality of electronic documents.

The user sends the hash value of the original data to the Time-Stamping Authority (TSA), and the TSA sends the TS with the time information added to this hash value to the user. By confirming the match of the hash values of the electronic document and the timestamp, it can be proven that the content has not been tampered with.
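The sender and recipient steps in “Creation and Transmission of Electronic Signatures” and the TSA exchange above can be traced in code. The following is an added example, not part of the original article: it uses textbook RSA from the Python standard library so that the "hash, apply private key, recover with public key, compare" steps are visible. The demo keys, the sample contract and the timestamp token layout are constructed assumptions; real time-stamping authorities use a standardized token format.

```python
import hashlib

E = 65537  # public exponent

def make_key(p: int, q: int) -> dict:
    """Textbook RSA key: n and e are public, d stays with the key owner."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed demo keys from publicly known Mersenne primes: trivially
# factorable and unpadded, so for illustration only. Production signing uses
# a vetted library and a padded scheme such as RSASSA-PSS.
SENDER = make_key(2**521 - 1, 2**607 - 1)
TSA = make_key(2**1279 - 1, 2**2203 - 1)  # hypothetical time-stamping authority

def digest(data: bytes) -> int:
    """Hash value (message digest) of the data as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, key: dict) -> int:
    """Sender steps 1-2: hash the data, then apply the private key to the hash."""
    return pow(digest(data), key["d"], key["n"])

def verify(data: bytes, signature: int, key: dict) -> bool:
    """Recipient steps 4-6: re-hash, recover the signed hash with the public
    key (only n and e are used), and compare the two hash values."""
    return pow(signature, key["e"], key["n"]) == digest(data)

def tsa_stamp(doc_hash: int, time_utc: str) -> dict:
    """TSA side: add time information to the submitted hash and sign the pair."""
    body = f"{doc_hash:064x}|{time_utc}".encode()
    return {"hash": doc_hash, "time": time_utc, "sig": sign(body, TSA)}

def check_stamp(data: bytes, token: dict) -> bool:
    """The document must hash to the stamped value, and the TSA signature must
    cover exactly that hash and time."""
    body = f"{token['hash']:064x}|{token['time']}".encode()
    return token["hash"] == digest(data) and verify(body, token["sig"], TSA)

if __name__ == "__main__":
    contract = b"Purchase order: 100 units at JPY 5,000"  # constructed sample
    sig = sign(contract, SENDER)
    print("original verifies:", verify(contract, sig, SENDER))
    print("altered verifies: ", verify(contract.replace(b"100", b"900"), sig, SENDER))
    token = tsa_stamp(digest(contract), "2024-01-01T00:00:00Z")
    print("timestamp valid:  ", check_stamp(contract, token))
    print("backdated valid:  ", check_stamp(contract, dict(token, time="2023-01-01T00:00:00Z")))
```

Only the document's hash is sent to the TSA, so the content itself is never disclosed to it; changing either the document or the stamped time causes the check to fail.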

Data Storage

Companies and individual business operators are obliged to keep accounting documents such as orders and contracts for 7 years (or 10 years), and according to the Electronic Bookkeeping Law (Law on Special Cases concerning the Preservation Method of National Tax-related Books and Documents created using Electronic Computers), even in the case of electronic transactions, it is obligatory to keep transaction information as data (Article 10 of the Electronic Bookkeeping Law).

For long-term storage of these electronic documents, according to the Enforcement Regulations of the Electronic Bookkeeping Law, it is necessary to “attach a timestamp related to the business certified by the General Foundation Japan Data Communications Association” to the electronic document (Article 3, Paragraph 5, Item 2 of the Enforcement Regulations of the Electronic Bookkeeping Law), and it is required to “be able to confirm information about the person who keeps the electromagnetic record or the person who directly supervises the person” (Article 8 of the Enforcement Regulations of the Electronic Bookkeeping Law).

Summary

Digitalization of documents has become the foundation for business process reform and improving customer service, and the importance of record-keeping and management through digitalization is increasing day by day.

Even in the case of electronic contracts, their validity is recognized, and they can be used as evidence in court. The trend towards digitalization in contracts between businesses is rapidly progressing. It is necessary to understand various laws and regulations related to electronic contracts and respond appropriately.

Guidance on Measures by Our Firm

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. In recent years, the use of electronic signatures has been increasing, and the need for legal checks is growing more and more. Taking into account various legal regulations, our firm analyzes the legal risks associated with businesses that have already started or are about to start, and aims to legalize them as much as possible without stopping the business. Details are described in the article below.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
