Your Signature In E-trading

Updated: May 26 2002, 05:30am hrs
A digital contract note? What’s that? That could be the likely reaction of an ordinary reader. The more sophisticated reader may wonder if the words mean a contract note between two parties doing business over the internet where the hand-written signatures of the two parties are digitised or, in other words, scanned. Well, they would be partly right and partly wrong.

A digitally signed contract note is, well, a contract note that establishes a legally enforceable relationship between two or more parties doing business transactions over the internet but the signatures of the parties are digital in nature and not digitised.

A digital signature is like a paper signature, except that it is fully electronic. Based on public-key technology, a digital signature is impossible to forge, making it more secure than a paper-based signature. Having a contract or transaction secured with a digital signature provides verification to the recipient that the transaction originated from the sender and that it was not altered in transit.

Digital signatures serve three specific e-business purposes:

Authentication
Proving that a user is who he says he is. Example: Suppose someone calls a bank in the US and says, "This is Michael Jackson." If Michael Jackson has an account there and the teller recognises his name, that is identification, and when the teller asks Michael Jackson for his social security number, that is authentication.

A person’s digital signature is unique and as a result, it provides strong authentication of an individual when that individual signs a contract or e-business transaction.

Non-repudiation
Jhoota Singh hires Sachha Singh to paint his house. Jhoota Singh agrees to pay Rs 2000 for the job. After Sachha Singh does the job, Jhoota Singh claims he never made the agreement. Sachha Singh needs to prove that Jhoota Singh did make the agreement, such as a signed contract.

Once a contract or transaction has been digitally signed, the signatory cannot disclaim or "repudiate" the signature. This means that both parties to an online transaction are bound to the terms of the deal, and thus both parties to the transaction are protected from online fraud.

Data Integrity
Ensuring that data has not been altered, corrupted, or tampered with. Example: If a student cracks into the school attendance database and changes his "days missed" from 9 to 0, integrity is violated. Included in a digital signature is a protection to the signed data against any accidental or intentional tampering. The value of an online transaction cannot be compromised without detection, once it has been digitally signed.

The range of businesses where digital signatures can be used is virtually endless, from purchase order systems, patent filings, legal agreements, licenses, time cards and automated forms processing to contracts and remote financial transactions or inquiries. However, in this article we shall restrict our discussion mainly to digital contract notes, which is the terminology used for digital signatures in the stock broking business.

As per Sebi guidelines, all brokers have to issue a contract note confirming the trades done on a particular day, by the customer. A contract note is issued in the prescribed format and manner, establishing a legally enforceable relationship between the broker and the customer for the trades stated in that contract note.

Now the question is: Can a digitally signed contract note (DSCN) replace the above-mentioned mandatory contract note prescribed by Sebi? Definitely yes. The Information Technology Act 2000 establishes legal validity and enforceability of digital signatures to electronic records. With the passing of this Act, Sebi has permitted issuance of digitally signed contract notes vide a circular, dated December 15, 2000.

In fact, ICICIdirect.com has eliminated paper completely from its web trading platform and has become the first firm to issue a digitally signed contract note to its clients. It issues contract notes for 22,000 transactions per day. These used to be physically mailed to investors earlier. With the introduction of the new system, the investor receives a legally valid contract note electronically. This new service is expected to save around Rs 6 crore to the online broker.

ICICIdirect.com COO Anup Bagchi, however, maintains that "improved customer intimacy is the main reason for incorporating this facility into our business process. The contract notes are available immediately after market hours on the same day, which becomes a boon for customers in remote locations. The customer can now collect his contract note at his convenience."

No more disturbances of a courier delivery at inconvenient hours or missed courier deliveries. Also, the customer does not need to maintain paper records of contract notes. ICICIdirect.com says that it can improve customer service by delivering historical contract notes to the customer that he can view later and print. There is also no issue of trust as the company uses the familiar Trust brand "Verisign" with individual contract note verification.

How it actually works for ICICIdirect.com is like this: The customer logs on to the site www.icicidirect.com and in the customer service section, they are able to view the DSCN. The DSCN would be made available to the customer by evening on the trading day itself. It would also allow the customer to verify the authenticity of the note, view and print the DSCN published on the site. The DSCN would also be stored on the site for future reference.

For those who are technology-oriented, the process can be explained better with the following example of a digitally signed e-mail. Suppose A and B wish to correspond electronically. A wants to assure B that he originated the electronic message and that its contents have not been tampered with. A can do so by signing the message with his digital signature.

When A clicks on the digital signature option on his e-mail application, a mathematical formula known as a hash function is applied to the message. The message is converted to a fixed length string of characters called a "message digest." The digest acts as a "digital fingerprint" of the original message. If the original message is changed in any way, it will not produce the same message digest when the hash function is applied again. A’s software then encrypts the message digest with his private key, producing a digital signature of the message. He transmits the message and digital signature to B.

B uses A’s public key to decrypt the digital signature, revealing the message digest. Since only A’s public key can decrypt the digital signature, he is able to verify that A was the sender of the message. To verify the message content, B’s software applies the hash function to the message he received from A. The message digests should be identical. If they are, B knows the message has not been changed and he is assured of its integrity.
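The sign-and-verify exchange between A and B, as an added example that is not part of the original article. It follows the article's textbook description (digest "encrypted" with the private key, with no padding); production systems use a padded scheme such as RSA-PSS from a vetted library. The keys, the sample contract note and all function names are constructed for illustration.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(message: bytes) -> int:
    """Fixed-length 'digital fingerprint' of the message (SHA-256)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    """A's side: hash the message, then transform the digest with the private key."""
    n, d = private
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """B's side: recover the digest with the public key, re-hash, compare."""
    n, e = public
    return pow(signature, e, n) == digest(message)

# Constructed toy keys: Mersenne primes are trivially factorable, so these
# keys offer no security and exist only to make the example deterministic.
A_PUB, A_PRIV = make_keypair(2**127 - 1, 2**521 - 1)   # A's key pair
X_PUB, X_PRIV = make_keypair(2**89 - 1, 2**607 - 1)    # some other party

NOTE = b"Contract note: BUY 100 XYZ @ Rs 250.00"  # constructed sample message
SIG = sign(NOTE, A_PRIV)

def demo():
    """Run the three cases B might encounter when checking A's signature."""
    return {
        # Untouched message, A's signature: digests match.
        "genuine": verify(NOTE, SIG, A_PUB),
        # Message altered in transit: re-hashed digest no longer matches.
        "altered": verify(NOTE.replace(b"100", b"900"), SIG, A_PUB),
        # Signed with someone else's private key: A's public key rejects it.
        "forged": verify(NOTE, sign(NOTE, X_PRIV), A_PUB),
    }

if __name__ == "__main__":
    print(demo())
```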

Assuming that the above example was too taxing for the normal (read non-technical) reader, the following description is as simple as it can possibly get. Every individual can generate his or her own pair of keys. The capability of doing that is built into every personal computer or on smart card operated devices like mobile telephones, etc.

There are two keys. One key is termed a private key, the other a public key. The private key is kept under the sole custody of the individual. Anything that is locked or encrypted with one key can be decrypted or unlocked with the other key. In the electronic world, if a person wants to sign a piece of data or information, he encrypts it with his private key. Because the private key is in his sole custody, anything encrypted with his private key is deemed to be his digital signature.

Now, how do you know a particular private key belongs to a particular individual? A certifying authority comes into the picture to solve this problem. The certifying authority takes the public key, verifies an individual’s identity offline and stamps his public key saying that it really belongs to him.

In India, the IT Act 2000 states that if a certificate is issued by a licensed certifying authority, then that digital signature is considered valid in the Indian court of law and is awarded the same status as any other signature. The license is awarded by the Controller of Certifying Authority (CCA) which is a part of the Ministry of Information Technology.

Safescrypt is the first and only licensed certifying authority in the country. It is an affiliate of Verisign, the provider of the Public Key Infrastructure (PKI) Technology and the world’s largest trust services provider. It issued the first digital signature certificate in India to IT Minister Promod Mahajan and the second one to RBI Governor Bimal Jalan on February 6, 2002. Promod Mahajan used his digitally signed certificate and sent a digitally-signed mail to the Prime Minister.

One of the best examples of what digital signatures can actually do is what Safescrypt did for one of the state governments of India. Safescrypt built an application for electronic storage of property deeds, where the concern was that anybody could come in and change anything in the electronic systems holding the information regarding property documents. Safescrypt PKI-enabled the application, so that the person who feeds in the data actually digitally signs the electronic document. Once it is signed, it becomes tamper proof. In other words, even if the same person who feeds in the data were to change it, there will be evidence which will show that he has changed it.

To give another example about the applicability of digital signatures, RBI has come up with guidelines for internet banking that mandates use of digital signatures or PKI Technology. Earlier, banks did not permit clearance of very high value cheques over the Net due to security concerns. However, this technology will enable them to offer greater facilities.

Sounds great. However, coming back to DSCNs, why are broking houses not gunning for it? Why is ICICIdirect.com the only one? An official from HDFC Securities says, "Mentally, people in India are still not comfortable with the idea of doing everything electronically. Previously, our clients used to get a lot of physical documents like ledgers, bills, cheques etc. but now all this is being done online and this is the only physical document that we send to them, so they would not like to part with it."

Sharekhan.com executive director Jaideep Arora says that though his company has not launched DSCNs so far, "it is definitely in the pipeline as it reduces costs substantially along with giving surety that the documents do not get lost in transit." Even though he has received a mixed response for the product from his clients so far due to various issues, primarily an income-tax-related one discussed below, he feels that the benefits that the customer derives from it would surely change their mindset in due course.

Mr Arora said that the most important issue that has been raised by Sharekhan’s customers is that there will be lack of any physical documents while filing income tax returns. As per income-tax regulations, physical contract notes of all the broking transactions entered into by an assessee during the year have to be filed with tax authorities.

Similar feedback was received from the HDFC official, who said that one section of HDFC’s customers felt that they would be inconvenienced if the hard discs crash and the digital contract notes cannot be retrieved in time for income-tax purposes.

Incidentally, Mr Arora hopes to solve this issue by sending printouts of the digital contract notes at the end of the year to the customers, thereby saving on mailing costs throughout the year, which is the main benefit of digital contract notes for online brokerage houses.