The advent of e-commerce and the use of the digital medium as an alternative to the physical medium have created some novel legal issues where there are no clear answers. Hence, there is a need to enact the ETA to set the basic legislative framework for e-commerce and electronic transactions. This removes existing legal impediments and instils confidence in businesses and individuals to engage in e-commerce, bringing Singapore to the forefront of international e-commerce developments and achieving our vision of turning Singapore into an international e-commerce hub.
See Section 3 for more information.
The ETA was enacted on 10 July 1998. It was then repealed and re-enacted on 1 July 2010.
It addresses the legal issues necessary to set the stage for a secure and pro-business environment for electronic commerce in Singapore.
Broadly, the ETA seeks to:
The ETA clarifies the rights and obligations of transacting parties by setting out provisions dealing with issues related to the formation of electronic contracts. It also gives legal recognition to the use of electronic records and signatures and to their secure counterparts.
The ETA stipulates the duties of Certification Authorities (CAs) and their subscribers and provides for the appointment of a Controller of CAs to regulate and license CAs in Singapore.
There is an omnibus provision for Government departments and statutory boards to accept electronic filing and issue electronic documents without having to amend their respective Acts. It also allows public bodies to accept the creation or retention of documents or originals, and the provision of information, in electronic form. The ETA provides that government departments and statutory boards can specify the conditions and procedures for such transactions in electronic form.
See Section 25 for more information.
The ETA provides that a service provider is not subject to criminal or civil liability for third party material for which the provider merely provides access.
See Section 10 for more information.
The ETA is intended to be technologically neutral. Although the Act specifically qualifies the digital signature as a form of secure electronic signature, it has also been worded broadly to accommodate all other forms of electronic signature, provided they satisfy the requirements for a secure electronic signature.
Under the ETA, an electronic signature shall be treated as a secure electronic signature if it can be verified, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, that the signature is:
See Section 17 for more information.
There are 4 ways in which a digital signature can be given legal recognition under the ETA:
See Section 20 for more information.
The basic elements of contract formation (acceptance, offer, intention to enter into legal relations and consideration) are addressed. Conflict of laws principles for cross-border transactions are as applicable in cyberspace as they are in the tangible "real world". The use of digital signatures, especially against a backdrop of cross-border cross-certification arrangements can help to resolve some jurisdictional issues. The borderless nature of cyberspace and the relative difficulty in finding geographical reference points for such applications provide impetus for Singapore to continually work out practical and predictable arrangements (e.g. bilateral agreements) to address such issues.
The duties of a CA include using trustworthy systems in performing its services and maintaining secure procedures for the issuance, renewal, suspension, revocation and publication of its certificates.
See Sections 27 to 35 for more information.
The duties of the subscriber include providing accurate and complete information when applying for a certificate, safeguarding the private key, and initiating suspension or revocation requests if the private key is compromised.
See Sections 36 to 40 for more information.
A CA guilty of an offence under the ETA or its regulations shall be liable on conviction to a fine, to a term of imprisonment, or to both, depending on the nature of the offence committed.
See Sections 25, 26, 42, 48, 51, 53, 56 and 59 for more information.
The role of the Controller of CAs (CCA) is to regulate and license the activities of CAs in Singapore. As CAs perform a trusted role in verifying the identities of parties in electronic transactions, the CCA seeks to provide the assurance that the CAs' responsibilities are met and that these services are made available with high integrity, security and service standards.
See Sections 41 and 42 for more information.
The Controller of CAs will maintain a publicly accessible database containing a CA disclosure record for each licensed CA.
Electronic Transactions (Certification Authority) Regulations
In the faceless world of the Internet, transacting parties may not be able to reliably verify each other's identity. A CA thus plays the important role of a trusted third party in vouching for the identities of the holders of the certificates it issues (i.e. its subscribers). The Regulations seek to set a benchmark for the integrity and security of the services offered by CAs, thus giving electronic commerce (e-commerce) security a boost.
The Regulations aim to ensure high standards of integrity, security and service levels for licensed CAs in Singapore by:
The Regulations were enacted on 10 February 1999.
No, it is not compulsory for a CA to be licensed in Singapore, as the licensing regime that Singapore adopts is a voluntary scheme. Such an arrangement avoids over-regulating and stifling the CA industry and e-commerce, which are still in their budding stages.
The criteria that CAs will be evaluated against include their financial standing, operational policies and procedures, and the security of their systems.
See regulations 7, 8, 9 and 10 for more information.
The Regulations do not require licensed CAs to provide trusted time-stamping services. There is currently no legislation that regulates the provision of such services. The government may enact new legislation in this area subsequently if it is necessary to ensure the integrity and to promote the use of such services.
See regulation 10 for more information.
Although the licensing scheme is a voluntary one, there are certain benefits for a CA to be licensed such as:
A CA's licence will be revoked if the CA is wound up or at the request of the CA. The Controller of CAs may also revoke or suspend the CA's licence if it fails to comply with any mandatory conditions pertaining to the issuance/renewal of the licence.
See regulations 11 and 12 for more information.
Security Guidelines for CAs
The Security Guidelines for CAs are a set of security criteria for the management, systems and operations of CAs. They supplement the Electronic Transactions (CA) Regulations. All licensed CAs are required to comply with the mandatory requirements stated in the security guidelines.
The security guidelines cover the whole life cycle of certificate management - from identification and key generation to suspension and revocation. The sections of the security guidelines are Management and Obligations, Certificate Management, Key Management, Systems and Operations, and Application Integration.
The suitably qualified independent party should have in-depth security and technical competence in PKI and cryptographic engineering to review the critical security components of the CA system. Formal certification of the CA software and cryptographic modules would also be considered as meeting the "suitably qualified independent party review" requirement where the security certification was awarded by a reputable certifying body.
The following (together with ET(CA) Regulations Part V Regulation (27)) should be taken into consideration when an incident occurs:
The "hot" disaster recovery site shall be sufficiently secure so that full service of the certificate directory can be reinstated within the time-critical period stipulated under the ET (CA) Regulations (30).
Sensitive personal information may include, but is not limited to:
Formal certification is not mandatory. However, the independent party who reviews the systems should verify that they are indeed compliant with the FIPS 140-1 or 140-2 standards.
Coverage for application security risk assessment should be limited to the certificate management software.
Licensing Process
The entire licensing process involves 4 parts:
An application has to be accompanied by the following documents:
Provided that all the required information and documents are in order, the application can be processed within 12 to 15 weeks.
The application/renewal fee payable is S$5,000 in respect of each submission. In addition, upon approval of the application, the applicant must also pay an annual licence fee of S$1,000 for the entire duration of the licence.
An auditing firm is generally considered as independent of the CA being audited if the former is not directly involved in the design, supply, implementation and operations of the CA systems. The auditing firm must make a formal declaration of its independence to the CA and the Controller.
See regulation 10(3) for more information.
The financial auditing team must include a CPA or someone with equivalent qualification. The security auditing team must include a CISA or someone with equivalent qualification and possess demonstrable expertise and experience in the area of public key infrastructure.
See regulation 10(2) for more information.
Yes, a re-audit is necessary. The auditors can recommend whether a full or partial audit is required.
Yes, a CA must be minimally insured against liability arising from errors or omissions on the part of the CA, its officers or its employees.
See regulation 7(1) for more information.
Digital Signature
A digital signature is an electronic form of a real world hand-written signature. Instead of applying to paper documents, digital signatures are applied to electronic documents. Like hand-written signatures, digital signatures can be used to prove the authenticity of electronic documents. Someone who reads a document that is digitally signed by you can be assured that the document came from you. In addition, he is also assured of the integrity of the document, i.e., the document is complete and has not been modified in any way.
On the Internet, it is difficult to tell where your messages truly come from. If you receive an email from a familiar email address, you may assume that your friend sent it. But not many people realise that it is not difficult to fake an email by assuming another person's identity on the Internet. Even when you access a familiar Web site, you can never be sure about the Web site's authenticity, because a hacker on the Internet may have created a fake one to lure you into giving him your credit card number. With digital signatures, you will be able to verify that emails came from people you know and that Web sites are authentic. Digital signatures provide trust on the Internet.
Yes, digital signatures are recognised by Singapore law. The ETA, enacted in July 1998, states that digital signatures will be given legal recognition. The ETA also provides for a licensing scheme for CAs - where the digital certificates issued by licensed CAs are automatically accorded validity in court, unless proven otherwise. Many other countries have also enacted laws to recognise digital signatures. Some of these countries are Germany, Italy, USA and Malaysia.
Before creating digital signatures, you will need to register yourself with a Certification Authority (CA). The registration process is to accurately identify yourself to the CA so that the CA can vouch for your signatures to be recognised by everyone else on the Internet. It is similar to the process of getting your bank to recognise your hand-written signature - after registering your signature with your bank, you can use the same signature subsequently to perform banking transactions. In the electronic world, the CA will issue you with a digital certificate, which acts like your passport on the Internet, telling everyone what your digital signature should look like. The digital certificate, together with a secret code, called the private key, can be stored in a smart card. When you need to sign an electronic document, you will then insert the smart card into a smart card reader attached to your computer. Your digital signature can only be created by entering a password to activate the private key stored in your smart card. Hence, you will need to protect your smart card and password securely so that no one else can forge your digital signature.
Non-repudiation is a property of a system in which a person cannot deny actions that he had performed or committed to. Digital signatures generated based on asymmetric cryptography have a non-repudiation property, in the sense that the person who created the signature cannot deny that he/she has done so.
The integrity of a message refers to the completeness and correctness of the message, i.e. it has not been altered. Digital signatures can be used to prove the integrity of an electronic message.
The first step in the process of validating a digital signature is to verify that the corresponding digital certificate is valid. The public key in the certificate, which indicates what the signatory's signatures should look like, is then used to verify whether the digital signature is authentic. The process also verifies that the contents of the digitally signed document or record have not been tampered with since the signature was applied. The application software you are using (e.g. email software or Web browser) usually performs the whole process.
Some of the banks in Singapore that have introduced banking services on the Internet make use of digital signatures for added security. Stock trading firms that have gone online are also making use of digital signature technology. Other examples include the public sector online services such as the Integrated Land Information System by the Ministry of Law, and the CPF PAL Internet Online system.
Cryptography
Cryptography is the science of disguising information by transforming a piece of data into something that seems totally random. The transformation process, known as encryption, usually involves an electronic key, which is just a string of digital bits functioning like a key to a lock in the physical world. Encrypting a piece of data is like putting the data into a safe and locking it with a key. By performing the reverse transformation (decryption), which may require the same key or a different key, the original data can be retrieved.
Public-key cryptography is a kind of cryptographic system that uses two electronic keys. One key is kept private to the user while the other key is made known to the general public.
A public-key infrastructure refers to the whole system of digital certificates, certificate servers and Certification Authorities (CAs).
A message digest is a small piece of data that results from applying a special mathematical function, called a hashing function, to a piece of electronic data. Hashing functions have the property that it is difficult to reconstruct the original data from its message digest. Message digests are used in creating digital signatures.
Private keys are usually stored in smart cards. When you need to sign an electronic document, you will insert the smart card into a smart card reader attached to your computer. Your digital signature can only be created by entering a password to activate the private key stored in your smart card. Hence, you will need to protect your smart card and password securely so that no one else can forge your digital signature.
Certification Authority (CA)
A CA is a relied-upon entity that issues, publishes, suspends and revokes digital certificates. The CA's basic role is to verify and vouch for the identity of subscribers and to provide certificate management services. A CA acts like a trusted electronic notary public, telling everyone who the valid users are and what their digital signatures should look like.
Without CAs, there would be no trusted entity to issue digital certificates to us. It would be difficult to verify the authenticity of digital signatures, since there would be no digital certificates to tell us what each user's digital signature should look like.
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked for various reasons. Certificates may be revoked when critical information on the certificate is no longer accurate, or when the private key associated with the certificate is compromised.
Yes, there are CAs in Singapore. The first public CA in Singapore is a company called Netrust. ID.Safe is a second CA that is being created.
Digital Certificate
A digital certificate is an electronic document that ties each person's or organisation's identity to his/her public key. It contains certain digitally signed information, including the identification information of the person to be certified, the public key, the purpose and scope of usage of the key, the name of the CA, etc. Digital certificates are signed by the CA, so that users can verify that the certificates are authentic. A digital certificate, used in conjunction with the private key of the subscriber, serves as a form of electronic identification, much like a digital passport.
To obtain a digital certificate, you will need to register yourself with a CA. After verifying your identity with reliable identification documents, the CA will issue you with a digital certificate.
A digital certificate is like your passport on the Internet, telling everyone what your digital signature should look like. Without a digital certificate, the parties you transact with would not be able to verify that your digital signatures are authentic.
Digital certificates are digitally signed by the issuing CA. By checking the authenticity of the CA signature on the certificate, you will be able to verify that a digital certificate is valid. This is usually done by the application software (e.g. email software or Web browser) that you are using. The application software should also check the expiry date of the digital certificate and the Certificate Revocation List (CRL) to determine if the digital certificate has been revoked.
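The validation sequence this answer and the Digital Signature section describe, as an added Go example that is not part of the original page: a constructed root CA ("Demo CA") issues a certificate to a subscriber ("Alice"), Alice signs the SHA-256 message digest of a document with her private key, and the relying party checks the CA's signature on her certificate and its validity period before using her public key to verify the signature. Names, keys and the one-day validity are constructed for the demo; the CRL check the page also calls for is omitted here for length.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue certifies pub under cn for one day; parent == nil makes a self-signed root CA (errors ignored: constructed demo data only).
func issue(serial int64, cn string, ku x509.KeyUsage, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil {
		parent = t // the root CA vouches for itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c
}

// newDemoPKI builds a root CA and a subscriber "Alice" whose certificate the CA signs.
func newDemoPKI() (ca, sub *x509.Certificate, subKey *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca = issue(1, "Demo CA", x509.KeyUsageCertSign, &caKey.PublicKey, nil, caKey)
	sub = issue(2, "Alice", x509.KeyUsageDigitalSignature, &subKey.PublicKey, ca, caKey)
	return ca, sub, subKey
}
// signDocument signs the SHA-256 message digest of doc with the subscriber's private key.
func signDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// validate follows the page's order: confirm the certificate is valid (CA-signed, in date), then check the signature.
func validate(doc, sig []byte, sub, ca *x509.Certificate, now time.Time) error {
	if sub.CheckSignatureFrom(ca) != nil {
		return errors.New("certificate not issued by the trusted CA")
	}
	if now.Before(sub.NotBefore) || now.After(sub.NotAfter) {
		return errors.New("certificate expired or not yet valid")
	}
	digest := sha256.Sum256(doc) // recomputed by the verifier; any alteration of doc changes it
	if !ecdsa.VerifyASN1(sub.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return errors.New("signature does not match the document or the signer")
	}
	return nil
}
```

In a complete verifier, the CRL lookup (is the certificate's serial number on a CRL that the CA itself signed?) sits between the validity-period check and the signature check.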
Glossary of Terms