Digital identities


The Supreme Court of India has ruled that the right to privacy is a fundamental right. The judgment, which will impact the lives of over 1.34 billion Indians, comes as the Indian government is seeking to roll out a biometric database (Aadhaar) linking personal details with iris scans and fingerprints. Petitioners had challenged the government's move to make Aadhaar mandatory. The Supreme Court’s judgment, which overruled an earlier lower court judgment declaring that the right to privacy is not a fundamental right, does not, however, invalidate Aadhaar. The validity of the scheme will be tested separately by the Supreme Court.

The US National Institute of Standards and Technology (NIST) has issued a "Notice and request for nominations for candidate post-quantum algorithms". NIST observes that, once quantum computers are built and widely available, the entire public-key cryptography of today may be obsolete, and all the encrypted documents may become compromised. While the deadline for submitting ideas is set for the end of November 2017, NIST acknowledges that, most likely, the work could be widely tested only within the next 20 years, The Register reports.

Although blockchain technology is mainly associated with the e-commerce, e-money, and virtual currency sectors, online cryptocurrency journal The Merkle has identified a trend that is bringing blockchain closer to digital identities. The journal reports that a number of blockchain startups are focusing on using the technology to create digital identities, and are seeing promising growth in this segment of the market.

A study by the Open Identity Exchange project has found a significant change in UK online users' willingness to allow access to their social networks and online accounts for identity verification purposes, compared to a previous study in 2013. Government identity verification standards in the UK require tests against the activity history of an identity, to complement more traditional tests. The study aimed to understand the extent to which users might be willing to allow access to their accounts as trustworthy evidence when creating a digital identity.

The new eIDAS Regulation (EU Regulation No 910/2014) is applicable in the EU as of 1 July. To support this new regulation, the European Telecommunications Standards Institute's Technical Committee on Electronic Signatures and Infrastructures (TC ESI) has published a set of standards for trust service providers (TSP), electronic signatures, electronic seals and electronic time-stamps. The set includes a total of 19 European Standards along with guidance documents and test specifications.

From 1 July 2016, new EU rules on electronic signatures, seals, timestamps, electronic delivery services and website authentication, as well as electronic documents (see eIDAS Regulation), have started to apply across member states. The regulation, which aims to ensure uniformity across the EU, will allow users, businesses, and public administrations to carry out legally valid electronic transactions across borders. Among other things, an electronic signature will be recognised in the same way as a handwritten one, across the EU. Andrus Ansip, Vice-President of the Commission for the Digital Single Market, said that 'life will become easier in a wide range of areas, from filing tax returns, enrolling in a foreign university or remotely opening a bank account to authenticating internal payments for online shopping or bidding in online tenders.'

Broadly speaking, digital signatures are linked to the authentication of individuals on the Internet, which affects many aspects, including jurisdiction, cybercrime, and e-commerce. The use of digital signatures should contribute to building trust on the Internet.

Digital authentication in general is often considered to be part of the e-commerce framework, as it is aimed at facilitating e-commerce transactions through the conclusion of e-contracts. For example, is an agreement valid and binding if it is completed via e-mail or through a website? In many countries, the law requires that contracts must be ‘in writing’ or ‘signed’. What does this mean in terms of the Internet? Faced with these dilemmas and pressured to establish an e-commerce-enabling environment, many governments have started adopting legislation on digital signatures.


When it comes to digital signatures, the main challenge is that governments are not regulating an existing problem, such as cybercrime or copyright infringement, but creating a new regulatory environment in which they have no practical experience. This has resulted in a variety of solutions and a general vagueness in the provisions on digital signatures. Three major approaches to the regulation of digital signatures have emerged.

The first is a minimalist approach, specifying that electronic signatures cannot be denied because they are in electronic form. This approach specifies a very broad use of digital signatures and has been adopted in common law countries: the United States, Canada, New Zealand, and Australia.

The second approach is maximalist, specifying a framework and procedures for digital signatures, including cryptography and the use of public key identifiers. This approach usually specifies the establishment of dedicated certificate authorities, which can certify future users of digital signatures. This approach has prevailed in the laws of European countries, such as Germany and Italy.

The third approach, adopted within the EU Electronic Signatures Directive (adopted in 1999), combines these two approaches. It has a minimalist provision for the recognition of signatures supplied via an electronic medium. The maximalist approach is also recognised through granting that ‘advanced electronic signatures’ will have stronger legal effect in the legal system (e.g. easier to prove these signatures in court cases). The EU Directive on digital signatures was one of the responses at multilateral level. While it has been adopted in all EU member states, a difference in the legal status of digital signatures still remains, and this has been seen as a barrier to the cross-border use and interoperability of digital signatures. This barrier is to be overcome with the entry into force, starting July 2016, of a Regulation on electronic identification and trust services for electronic transactions in the internal market, which keeps the approach of the 1999 Directive, while requiring member states to recognise qualified electronic signatures based on qualified certificates issued in any of the other EU member states.

At global level, in 2001, UNCITRAL adopted the Model Law on Electronic Signatures, which grants the same status to digital signatures as to handwritten ones, provided some technical requirements are met. This model law served as inspiration for the Common Market for Eastern and Southern Africa (COMESA), which integrated this approach into its broader Model Law on Electronic Transactions, adopted in 2010.

The International Chamber of Commerce (ICC) issued a General Usage in International Digitally Ensured Commerce (GUIDEC), which provides a survey of the best practices, regulations, and certification issues.

Public key infrastructure (PKI) initiatives are directly related to digital signatures. Two main organisations involved with PKI standardisation are the ITU and the IETF.

Privacy and digital signatures

Digital signatures are part of a broader consideration of the relationship between privacy and authentication on the Internet. Digital signatures are just one of the important techniques used to identify individuals on the Internet. For instance, in some countries where digital signature legislation or standards and procedures have not yet been set up, SMS authentication via mobile phones is used by banks for approving customers’ online transactions.

The need for detailed implementation standards

Although many developed countries have adopted broad digital signature legislation, it often lacks detailed implementation standards and procedures. Given the novelty of the issues involved, many countries are waiting to see in which direction concrete standards will develop. Standardisation initiatives occur at various levels, including international organisations (the ITU), regional bodies (European Committee for Standardization – CEN), and professional associations (the IETF).

The risk of incompatibility

The variety of approaches and standards in the field of digital signatures could lead to incompatibility between different national systems. Patchwork solutions could restrict the development of e-commerce at a global level. The necessary harmonisation should be provided through regional and global organisations.






More and more standards and guidelines developed by ISO cover issues related to data and information security, and cybersecurity. One example is the 27000 family of standards, which cover aspects related to information security management systems and are used by organisations to keep information assets (e.g. financial data, intellectual property, employees’ information) secure. Standards 27031 and 27035, for example, are specifically designed to help organisations respond to, defuse, and recover from cyber-attacks effectively. Cybersecurity is also tackled in the framework of standards on technologies such as the Internet of Things, smart community infrastructures, medical devices, localisation and tracking systems, and future networks.




In line with its mandate to contribute to the harmonisation of international trade law, UNCITRAL has drafted several documents of relevance for matters concerning Internet and jurisdiction. Examples include the Model law on electronic commerce (1996), the Model law on electronic signatures (2001), the UN Convention on the use of electronic communications in international contracts (2005), and the Technical Notes on Online Dispute Resolution (2016). E-commerce continues to be an area of interest for the Commission, which has a dedicated working group focused on the legal dimensions of issues such as identity management, trust services, electronic transferable records, cloud computing, etc.




The core mission of the IETF is to develop technical standards for the Internet, ranging from Internet protocols (e.g. IPv4 and IPv6) and the Domain Name System (e.g. aspects related to the functioning of Internationalised Domain Names), to routing systems and security issues. Areas of work covered by IETF working groups include applications (e.g. real time communication and audio/video transport), Internet protocols, operations and management (e.g. DNS operations, routing operations, network configuration), routing (e.g. inter-domain routing, tunneling protocol extensions), security and transport (e.g. authentication and authorisation, IP security maintenance and extensions, and transport layer security).




COMESA has developed an e-learning platform for delivering training in various areas to both staff members and other stakeholders from COMESA member states. Courses offered through the platform range from leadership training to public procurement. The organisation also uses an online system known as COMESA 24/7 Online for building the capacity of COMESA and its members in monitoring the implementation of programmes and education on trade topics. Through a five-phase programme, COMESA is putting all its knowledge center resources online through a web information management system.




In establishing its digital single market, the EU has progressively developed a dense body of copyright legislation corresponding to a set of ten directives, which harmonise essential rights of authors, performers, producers and broadcasters. To ensure EU copyright rules are fit for the digital age, the European Commission has recently presented legislative proposals to modernise the EU legal framework, in order to allow more cross-border access to content online and wider opportunities to use copyrighted materials in education, research and cultural heritage, and to have a better-functioning copyright marketplace.




In 2005, the UN General Assembly adopted the UN Convention on the Use of Electronic Communications in International Contracts. The Convention (entered into force in 2013) is aimed at facilitating the use of e-communications in international trade, and it contains, among other things, provisions on the signing of electronic communications or contracts. It outlines criteria for the recognition of electronic signatures (irrespective of the technology used): an electronic communication is considered signed if the signing method (i.e. electronic signature) is capable of identifying the signatory and indicating the signatory’s intention in respect of the information contained in the electronic communication.



Other Instruments

COMESA Model law on electronic transactions



Internet Governance Acronym Glossary (2015)
An Introduction to Internet Governance (2014)


OECD Digital Economy Outlook 2015 (2015)

