Michele Martoni and Monica Palmirani
The next sentence reads:“ Before a digital document is signed, it must be shown to its prospective signatory in a clear and unambiguous fashion, and signatories must have confirmed that they intend their signatures to be generated, this in keeping with the technical rules herein set forth in Article 71.”
The following Article 35( 3) CAD stipulates that the foregoing requirement“ does not apply to signatures affixed through an automated procedure.”
Even so, in an earlier version, the CAD proceeded to qualify that provision by stipulating immediately thereafter that“ signatures affixed through an automated procedure are valid if the procedure itself was activated in a manner ascribable to the signatory, and so long as this person makes it manifest that he or she intended the procedure to be activated for the specific document so signed.”
The language of the provision just quoted has changed, and the rationale behind that change will be illustrated later on.
Finally, we should mention the Guide to the Digital Signature put out by CNIPA( Italy’ s National Centre for Information Technology in Administrative Government). Section 13( 2), pp. 25 – 26, of this guide reads as follows( in version 1.3 of the guide, dating to April 2009):“ It is perfectly legal to rely on automated signing procedures, so long as this is done taking certain precautions which certifiers are very familiar with, and which are also described in the law currently in force. Specifically, a signatory affixing a signature through an automated procedure must do so using a key pair different from any other such pairs in his or her possession. This makes it possible to immediately determine, when running a check, that an automated procedure was used. For similar reasons, every signing device used for automated procedures must avail itself of its own key pair, a different one for each device, even if the signatory is the same. The use of a hardware security module( HSM) offers better performance than a smart card( or USB token). One can even use applications that make it possible to enter the PIN just once to sign multiple documents, while still being clear what kind of signature is being automatically affixed and how many documents are being so signed.”
5. Points of controversy
5.1 Queries submitted to the agency for digital italy( formerly CNIPA and then DigitPA)
The most salient point of controversy is how to correctly interpret the combined effect of the provisions in Article 35( 1)–( 3) CAD. Article 35( 2) CAD, concerning non‐automated signing procedures, requires that a digital document be submitted to its signatory before a signature is affixed. Article 35( 3) CAD, concerning automated signatures, expressly sets out an exception to Article 35( 2) by providing that automated signatures are not subject to the rule requiring that a digital document be shown“ to the signatory in a clear and unambiguous fashion before the signature is affixed.”
This would seem to amount to an explicit exception to the rule requiring that the document be submitted to the signatory. On the other hand, Article 35( 3)— in its previous version, no longer current but in force at the time this contribution was being researched— proceeded to say that“ signatures affixed through an automated procedure are valid if the procedure itself was activated in a manner ascribable to the signatory, and so long as this person makes it manifest that he or she intended the procedure to be activated for the specific document so signed.” This last provision posed an interpretive problem. More to the point, it seemed to support a strict interpretation on which signatories had to expressly consent to the procedure with each document they intended to automatically sign. It followed that even if a digital document did not have to be submitted to its signatory, it was still necessary to give this person an opportunity to expressly adopt the signing procedure for each document he or she intended to sign.
The implication here, as anyone can appreciate, was that any express consent to the signing of specific documents would necessarily have to be stated by the signatory only after they had been signed. And, as we will see, this posed an insurmountable roadblock to the development of certain types of online services.
The guidelines put out by CNIPA( now called Agency for Digital Italy) stated in this regard that an automated signing procedure must give a signatory a clear picture of the nature of the documents and the number of documents he or she is about to automatically sign.
314