Qualified electronic digital signature: problems and risks
The first known case of apartment misappropriation with a forged electronic digital signature (EDS) occurred in May in Russia. The owner of an apartment on Tverskaya ulitsa in Moscow noticed that a person other than him was indicated as the apartment owner on utility bills for his apartment. The apartment owner went to Rosreestr and found out that, according to the documents held by Rosreestr, he had given his apartment to someone in Ufa. This was done remotely by signing documents with his electronic digital signature, although the apartment owner says that he has no digital signature and never had one.
A second similar case came to light within less than a month. There are also known cases of registration of bogus companies, registration of CEOs and other corporate frauds committed with electronic digital signatures.
The Russian Civil Code sets out that a qualified EDS has the same legal force as a handwritten signature in cases provided by law. There are 2 types of EDS:
- A simple qualified electronic signature consists of a username and password confirming that an electronic message is sent by a specific person.
- An enhanced qualified electronic signature is confirmed by a certificate from a certification center accredited by the Ministry of Communications. Documents signed using such a signature are treated as paper documents signed by hand.
With access to someone’s enhanced EDS, it is possible to dispose of their property without limitation, including selling or donating it.
An enhanced EDS cannot be lawfully obtained remotely, as it is necessary to go to an accredited center in person with an application and passport to collect the password. But if someone colludes with an employee of such a center, then it is possible to obtain an enhanced EDS with the fraudster’s passport details. About 500 certification centers operate in the country, and there is no single register of signatures.
Why is this happening?
The way certification centers work is the cause of this problem. The incidents described above arise because the identification of clients required by certification centers is not sufficient, and sometimes they result from direct violation of the law. Certification centers are not state organizations but commercial companies. They make money from the sale of EDS and seek to derive as much profit as possible, so sometimes they do not strictly follow procedures. The issuance of fake certificates is therefore not a problem confined to individual certification centers. It is an endemic problem that needs to be tackled by federal legislation. If anything, it is a global problem of PKI (public key infrastructure) technology, which is at the heart of Federal Law No. 63-FZ.
EDS are often forged as follows:
- Unlawful actions in certification centers, including:
  - EDS issuance with no proper verification of documents and identity;
  - Reuse of EDS by certification centers;
  - EDS issuance with fake documents or without documents.
- Remote issuance of qualified certificates with no personal contact between the applicant and the certification center’s employee when documents are submitted electronically.
In the first case, violation of the law is obvious. The problem with remote issuance arises because, although Federal Law No. 63-FZ requires a passport to be submitted for EDS issuance, it does not set out how this document must be provided. The law is unclear and may be erroneously interpreted as containing no prohibition on issuing enhanced qualified certificates remotely. Certification centers use this loophole, relying on the absence of an express ban in the law as well as the discretionary nature of civil law resting on the well-known principle that “what the law does not expressly prohibit is permitted.” Any third party can therefore get an electronic signature without going to a certification center in person, and tax, financial and legal risks as well as other adverse consequences can arise for EDS owners.
It is possible to check who and when a certificate has been issued by contacting the police.
State authorities are aware of the problem with EDS, and the State Duma is already working on a bill tightening the requirements for certification centers and providing that the Federal Tax Service of Russia is the only body authorized to issue EDS to legal entities and that the Central Bank of Russia is the only body authorized to issue EDS to credit organizations. These amendments have not yet been adopted and could still be changed before the bill is passed into law, so this question arises: what can be done today to minimize risks?
To guard against the above situations, Rosreestr recommends submitting an application barring any transactions with real estate property without personal participation. Upon receipt of such an application, Rosreestr makes a special record in the State Register of Real Estate Property stating that even a person with a notarized power of attorney cannot conduct any real estate transactions without the real estate owner’s physical participation.
This application may be submitted through the Rosreestr online personal account or in person at a multifunctional center for the provision of state and municipal services anywhere in Russia, even if the owner is not in the region where his/her property is located. This service is provided free of charge, and the appropriate record is made in the State Register of Real Estate Property within 5 days of application submission.
It is possible to guard against registration of a legal entity, CEO, etc. with an EDS in a similar way by submitting an application to the tax authorities. This is done by filling out application form 38001 and submitting it to the relevant registering tax authority, i.e. Tax Office No. 46 in Moscow and Tax Office No. 15 in St. Petersburg. The application form may be submitted in person or by a representative acting under a notarized power of attorney.