Institutions avoiding Digital Signatures are putting themselves and their users at risk
Pakistan introduced ETO 2002 almost two decades ago. The law is quite clear on the necessity of data integrity and non-repudiation, which give assurance that someone cannot deny the validity of the data they provided and confirm his/her consent in the form of a Digital Signature/Advanced Electronic Signature. Unlike a digital/scanned signature card, a digital signature applied to a transaction or piece of data cannot be reproduced/duplicated for other data. This protects all the stakeholders involved in electronic transactions.
ETO 2002 has been incorporated into many regulatory frameworks/rules, such as the PRISM Operating Rules 2018, the Companies Act 2017, and the Sales Tax Act of Pakistan; however, no serious effort has been made to adopt Digital Signatures/Advanced Electronic Signatures for public services. Digital Signatures/Advanced Electronic Signatures are still the only technology confirming identification, authentication, integrity of data, remote capturing of consent (the intention of doing a transaction), and non-repudiation.
Data subject:
Data subject refers to any person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural, or social identity.
Identifying the relationship between data and data subject:
Data increasingly drives enterprise decision-making, but it must undergo a variety of changes and processes to go from raw form to formats more practical for identifying relationships and facilitating informed decisions. Therefore, data integrity should be a top priority for all institutions.
Importance of maintaining data integrity:
Maintaining data integrity is very important for several reasons. For one, data integrity ensures recoverability and searchability, traceability (to origin), and connectivity. Protecting the validity and accuracy of data also increases stability and performance while improving reusability and maintainability.
Non-repudiation:
Non-repudiation is the assurance that someone cannot deny the validity of something. It is a legal concept that is widely used in information security and refers to a service that provides proof of the origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to successfully deny who/where a message came from, as well as the authenticity and integrity of that message.
Digital signatures (combined with other measures) offer non-repudiation for online transactions, where it is crucial to ensure that a party to a contract or a communication can't deny the authenticity of their signature on a document or having sent the communication in the first place. In this context, non-repudiation refers to the ability to ensure that a party to a contract or communication must accept the authenticity of their signature on a document or the sending of a message.
Data integrity can be compromised without Digital Signatures
Data integrity can be compromised in a variety of ways, making data integrity practices an essential component of effective enterprise security protocols. Data integrity may be compromised through:
· Transfer errors, including unintended alterations or data compromise during transfer from one device to another
· Human error, whether malicious or unintentional.
· Bugs, viruses, hacking, and other cyber threats
· Compromised hardware, such as a device or disk crash
· Physical compromise to devices
Since only some of these compromises can be adequately prevented through data security, Digital Signatures and data backup become critical for ensuring data integrity. Digital Signatures are included in best practices to confirm data integrity and preclude the entry of invalid data during data processing. They also support error detection/data validation to identify errors in data transmission, and security measures such as data loss prevention, access control, data privacy through encryption, and more.
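The property described above, that a signature is bound to the exact data signed and neither survives alteration nor can be reused for other data, shown as an added example that is not part of the original article. It uses Ed25519 from Go's standard library; the Transaction fields, account identifiers and amounts are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is a constructed sample record; the field names are assumptions.
type Transaction struct {
	From, To  string
	AmountPKR int64
	Nonce     uint64 // unique per transaction, so a signed record cannot be replayed as a new one
}

// canonical returns the exact bytes that are signed. Length-prefixing the text
// fields keeps two different transactions from encoding to the same bytes.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d|%d",
		len(t.From), t.From, len(t.To), t.To, t.AmountPKR, t.Nonce))
}

// Sign records the key holder's consent to exactly this transaction.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// Verify reports whether sig was made by the holder of pub over exactly t.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo returns the verification result for: the original record, an altered
// record, the signature moved onto another record, and a different public key.
func Demo() (original, altered, transplanted, wrongKey bool) {
	pub, priv := mustKey()
	otherPub, _ := mustKey()
	tx := Transaction{From: "ACC-001", To: "ACC-002", AmountPKR: 50000, Nonce: 1}
	sig := Sign(priv, tx)
	tampered := tx
	tampered.AmountPKR = 5000000 // changed in transit or in storage
	other := Transaction{From: "ACC-001", To: "ACC-999", AmountPKR: 50000, Nonce: 2}
	return Verify(pub, tx, sig), Verify(pub, tampered, sig), Verify(pub, other, sig), Verify(otherPub, tx, sig)
}

func main() { fmt.Println(Demo()) }
```

Only the first check succeeds: any change to the signed bytes, or any attempt to attach the signature to other data, fails verification.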
Director at A. F. Ferguson & Co. (a member firm of the PwC network)
4 years ago
Thanks for sharing your thoughts on this very relevant topic.