Understanding the Legal Requirements for Electronic Signatures in Ethiopia
In December 2018, Ethiopia adopted the Electronic Signature Proclamation No. 1072/2018 in order to create a conducive legal framework to promote electronic commerce and electronic government service. The Proclamation provides legal recognition to electronic signatures to promote trust in electronic communication, verify the identity of participating parties, authenticate messages, and ensure non-repudiation. This legal memo briefly analyses the current legal regime of Ethiopia with respect to Electronic Signatures.
The Meaning and Nature of Electronic Signature (E-Signature)
Under the current legal framework of Ethiopia, an Electronic Signature refers to information in electronic form, affixed to, or logically associated with, an electronic message, which may be used to identify the signatory in relation to the electronic message and to indicate the signatory’s approval of the information contained in the electronic message.
A digital signature is an electronic signature that uses an asymmetric cryptosystem and meets the following requirements: a) it is uniquely linked to the signatory; b) it is capable of identifying the signatory; c) it is created using a private key over which the signatory has sole control; and d) it is linked to the electronic message to which it relates in such a manner that any subsequent change of the electronic message or the signature is detectable. An electronic signature includes, but is not limited to, a digital signature.
An electronic signature shall be considered reliable if: a) the means of creating the electronic signature is, within the context in which it is used, linked to the signatory and not any other person; b) the means of creating the electronic signature was, at the time of signing, under the control of the signatory and not any other person and was done without duress and undue influence; and c) any alteration made to the electronic signature after signing is detectable.
An electronic signature has the same legal effect as a paper-based one. An electronic signature is admissible in any legal proceeding.
Certificate for Electronic Signature
Digital signatures rely on asymmetric cryptography, also known as public key cryptography. An asymmetric key consists of a public and private key pair. A private key means the key used to create a digital signature. A public key means the key used to verify a digital signature created using a private key. The public key can be publicly shared, while the private key shall be securely stored. Specifically, the private key is used by the signatory to sign a document. In contrast, the public key is used by anyone verifying that it is actually the signatory’s private key that has been used to sign the document. A Certificate for Electronic Signature is electronic data that links a public key to the person named in the certificate and confirms the real identity of that person. Under Ethiopian law, a digital signature supported by a valid certificate is deemed to be a reliable electronic signature.
Any certificate for electronic signature should contain the following information: 1) the name and address of the subscriber; 2) personal information or other specific attributes of the subscriber; 3) the public key which corresponds to the private key of the subscriber; 4) the digital signature of the certificate provider; 5) the certificate identification code; 6) the type of algorithm used; 7) the validity period of the certificate; 8) the name and address of the certificate provider and other information that verify the certificate provider; 9) recommended reliance limits of the certificate; and 10) the type of transactions for which the certificate can be used.
Certificate Provider
The Information Network Security Agency (INSA) is the root certificate authority that is empowered to issue licenses to certificate providers and monitor their activities and operations, ensure the trustworthiness and the overall security of the cryptosystem, and issue working procedures and standards for certificate providers.
A person cannot operate as a certificate provider without first obtaining a valid license from INSA. To be eligible to apply for a certification license, the applicant should not be a private individual, a body corporate established outside of Ethiopia, or a person convicted of an offense and not reinstated after completion of the punishment. The validity period of a certification license is five years. However, a licensed certificate provider may submit an application to INSA for the renewal of the certification license within 60 consecutive working days before the date of expiry of the license.
A certificate will be issued after verifying: One, the applicant is the person to be named in the certificate. Two, if the applicant is acting as an agent, the certificate provider should confirm that the agent is duly authorized to have custody of the subscriber’s private key and to request the issuance of a certificate. Three, the information to be contained in the certificate is accurate and adequate. Four, whether the applicant owns a private key that corresponds with the public key to be listed in the certificate. And lastly, confirm whether the corresponding public key to be listed in the certificate verifies the digital signature created by the applicant’s private key.
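The Go example below is added here for illustration and is not part of the Proclamation or of this memo. It shows requirement (d) of a digital signature (any change to the message or the signature is detectable) and the last two issuance checks above (the applicant holds the private key that corresponds to the public key to be listed). Ed25519, the Applicant type and the function names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Applicant is a hypothetical subscriber holding an Ed25519 key pair.
type Applicant struct {
	Pub  ed25519.PublicKey  // public key to be listed in the certificate
	priv ed25519.PrivateKey // remains under the signatory's sole control
}

func NewApplicant() (*Applicant, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Applicant{Pub: pub, priv: priv}, err
}

// Sign produces a digital signature over msg with the private key.
func (a *Applicant) Sign(msg []byte) []byte { return ed25519.Sign(a.priv, msg) }

// Verify reports whether sig is valid for msg under pub; a change to the
// message or the signature yields false. A wrong-sized key is rejected first.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

// ProvePossession is the provider-side check: have the applicant sign a fresh
// random challenge and verify it with the public key to be listed.
func ProvePossession(listed ed25519.PublicKey, sign func([]byte) []byte) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	return Verify(listed, challenge, sign(challenge)), nil
}

func main() {
	alice, _ := NewApplicant()
	other, _ := NewApplicant()
	msg := []byte("constructed sample: I approve contract 42")
	sig := alice.Sign(msg)
	fmt.Println("original verifies:", Verify(alice.Pub, msg, sig))
	fmt.Println("altered message verifies:", Verify(alice.Pub, append(msg, '!'), sig))
	ok, _ := ProvePossession(alice.Pub, alice.Sign)
	bad, _ := ProvePossession(other.Pub, alice.Sign)
	fmt.Println("possession of own key:", ok, "| of someone else's key:", bad)
}
```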
Data Protection
Certificate providers are required to retain custody of information related to certificate issuance, suspension, revocation, or related services for two years. They must keep personal information confidential unless the disclosure is required. As a result, certificate providers are required to use secure and trustworthy systems and products.
Dispute Resolution
A National Crypto Council comprising members drawn from the concerned bodies is to be established to handle complaints and to provide general policy directions on complaints of certificate providers relating to license, renewal, suspension, and related services provided by the INSA Root Certificate Authority. However, a complainant who is not satisfied with the decisions of the Council may appeal to the Federal High Court.
A subscriber, a person named in a certificate, may submit a complaint to the INSA in writing, within 30 working days after the provision of the service, for any administrative grievance regarding certificate works and services. After receiving the complaint, the INSA shall give an appropriate decision on the matter within 30 working days. A complainant who is not satisfied with the decisions of the INSA may appeal to the Federal High Court.
Disclaimer: The views and opinions expressed do not reflect the official policy or position of DABLO. The writing is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation.
©2023 DABLO Law Firm LLP