What is Electronic Timestamping and how does it work?
It has been customary throughout the centuries to record events and all related information, notably the date of the event, in registers. Record-keeping has been an essential element in the development of organized human societies. Thus, already in ancient Rome, bankers chronologically recorded all deposit and withdrawal transactions in their registers. The same applied to auction records, trade records, and others. The Templars used similar registers in the 12th and 13th centuries and even created a secret code verification system that allowed pilgrims to travel without having to carry any belongings, goods or cash on their person. In the 9th century, the ancestor of the banknote, called "flying money" or "Fey-thsian", made its appearance under the Tang dynasty and involved a system of deposit registers and dated receipts. In 14th-century France, the Church established the use of parish registers, precursors of civil registries, in which baptisms, marriages and burials were recorded and dated and which were often used as evidence during trials.
The practice of associating a date or even a time with an event or a document, also called “timestamping”, has its roots in the need to produce evidence to assert or confirm a right or an obligation during a dispute or litigation. Administrations often ask citizens to provide an extract of a birth certificate not older than three months. The reason for this request is not related to the birth as such, but to the person's status at the time of the request. Indeed, the birth certificate also mentions important events creating rights or obligations (marriage, divorce, civil partnership, guardianship, etc.). The affixing of the stamp and the date by a registrar on the extract provides this proof.
But how do you verify the existence of electronic data? The digitalization of entire sectors of economic activity has led to the need for electronic timestamping, to verify both timing and content. In many areas such as intellectual property, personal data protection and IT, it has become essential to prove the existence of specific data at a specific date and time. In the absence of such proof, a person could be denied rights which are rightfully theirs and/or be wrongly penalised.
In our previous article we briefly introduced you to the general principles of timestamping. Today we are going to go deeper and guide you through the process of electronic timestamping; what it is, how it works and lastly, how it operates in a legal context. On this last point, electronic timestamping raises many questions, notably as to the reliability of the process. The debate on the probative value of emails is still recent. Everyone knows how easy it is to change the local time on a computer or a computer system. Consequently, a new law had to be introduced to regulate electronic timestamping systems and thus set certain technical requirements to guarantee their reliability as evidence.
What is electronic timestamping?
All computer systems are equipped with a real-time clock which indicates the current date and time for various operations carried out on the device, such as creating a file or sending an email. These clocks keep accurate time even when the device is turned off, because not only are they powered by a battery located on the computer's motherboard, but they are also connected to the Internet. As such, this internal computer clock already provides a form of electronic timestamping, but it is unreliable. Not only can we manipulate the date and time within the software, but we can also tamper with the system clock to change the date and time associated with records in the event logs, the file system or in database transactions.
To achieve the same reliability as provided by a registrar stamping a certificate, the initial regulations called for the participation of a trusted third party in the electronic timestamping process. Timestamping was defined for the first time in article 1 of the decree of 20 April 2011 as the “mechanism associating a representation of data at a particular time and attesting to the existence of the representation of this data at this instant by means of a timestamp token [which] includes a stamp from the electronic timestamping service provider established using the signature data of the timestamp token”. This definition of electronic timestamping therefore presupposes the use of a trusted service provider, which de facto excludes certain forms of electronic timestamping.
A few years later, in 2014, the European Union regulation on electronic identification and trusted services for electronic transactions in the internal market, known as the eIDAS regulation, was adopted. It aims to allow the free circulation of timestamp tokens and therefore facilitate trade for more than 400 million people. In this regulation, electronic timestamping is defined more largely as "data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time".
In other words, electronic timestamping is a process whereby a date and time can be electronically bound to other data in electronic form to certify, either with or without the intervention of a trust service provider, of its existence or execution at a given moment and also to attest to its content at that precise time.
What are the two recognized types of electronic timestamping?
The eIDAS regulation mentions two categories of electronic timestamps:
- Non-qualified or simple electronic timestamping;
- Qualified electronic timestamping.
The regulation does not provide a specific definition for simple electronic timestamping. It is understood that a timestamping process that does not meet the conditions indicated in the eIDAS regulation is of the non-qualified type.
Conversely, article 42 defines qualified electronic timestamping as fulfilling the following conditions:
- It binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;
- It is based on an accurate time source linked to Coordinated Universal Time; and
- It is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.
Regarding this last condition, the eIDAS regulation leaves room for innovation and the development of a method ensuring a level of security equivalent to the advanced electronic signature or the advanced electronic seal. It is up to the trust service provider to demonstrate that its method meets the requirements set out in the eIDAS regulation.
How does electronic timestamping work?
Electronic timestamping (with use of a trust service provider) is a “process which links the representation of a data to a particular time". To apply a timestamp to data in electronic form (example: a contract, software source code, an invoice, an electronic medical prescription, a price indication, a ticked box on a form, access to an information system), a unique identifier must be generated through use of the hash function. This step is essential in order to create a reliable and unique representation of the data; that is, a virtual fingerprint. This is then transmitted to the timestamping service authority, which combines the digital fingerprint with the exact date and time based on Coordinated Universal Time (UTC). The reliability of this combination is guaranteed by means of a timestamp token, which is a type of signed certificate containing:
- the digital fingerprint or representation of the data;
- the UTC date and time;
- the timestamp token seal.
Under the French decree on electronic timestamping, the timestamp token seal allows the identification of “the electronic timestamping service provider that issues it and ensures a link with the timestamp token to which it is attached.” It is the combination of the timestamping authority’s private key and a public key, communicated to the user by means of an electronic certificate.
At the end of the timestamping process, the timestamping authority sends all these items to the user and also archives them.
The legal admissibility of electronic timestamping as evidence
Timestamps, even when electronic, are admissible as evidence in the courts of the European Union.
Thus, a non-qualified electronic timestamp is admissible in court, in particular when evidence can be produced by any means. In point of fact, article 41§1 of the eIDAS regulation establishes a principle of non-discrimination as regards electronic timestamping, accepting it as evidence in court at the same level as manual timestamping, even if it does not meet the requirements of qualified electronic timestamping. The same holds true for non-qualified electronic registered delivery services.
In Switzerland, the SCSE regulation of 2016 provides a legal framework that is similar to eIDAS. Although SCSE does not provide specifications on the technical standards that need apply, the Swiss Federal Council recognizes as valid, processes that have been implemented in line with eIDAS standards. As with eIDAS, SCSE grants a higher probative value to certificates issued by qualified trust service providers.
Presumption of reliability in favor of qualified electronic timestamps
Contrary to the simple electronic timestamp, a qualified electronic timestamp shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound (article 41§2 of the eIDAS regulation). This provides a significant advantage in the event of litigation or dispute, as it allows to reverse the onus of proof and the burden of proof can be shifted onto the party challenging the reliability of a qualified timestamping system. In this context, a part of the doctrine equates qualified electronic timestamping with the electronic version of the legal concept of "certain date".
By extension, in France, article L100 of the postal and electronic communications code states that electronic registered delivery is the equivalent of physical registered mail as long as it meets the requirements of article 44 of the eIDAS regulation, especially as regards the use of a qualified electronic timestamp. In this case, the data sent and received by means of a qualified electronic registered delivery service benefits, among other things, from a presumption as to the integrity of the data and the correctness of the date and time of sending and reception. In fact, an electronic timestamp applied to registered mail has an advantage over physical registered mail, because electronic timestamping not only certifies the date but also the content, which physical registered mail does not.
Thus, when Vaultinum, a trusted third party in the electronic timestamping process, timestamps electronic documents such as an invoice, a reference price or a deposit, the Vaultinum stamp both provides a certain date to the documents in question as well as attests to their content at the time of affixing the timestamp token. As such, this content cannot be altered.
Vaultinum has long been providing physical and electronic timestamping services as part of its activities as a trusted service provider, particularly for the deposit and archiving of digital assets or records.
The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.