Recent decades have witnessed an increasing interest in ensuring the authenticity and confidentiality of electronic communication and electronic commerce. In response to the rapid growth of electronic commerce, as well as the wide-spread use of email, fax, and online resources in the negotiation of contracts, Turkey has enacted a statute dealing directly with electronic signatures, namely E-Signature Law No. 5070 (the “Law”, Published in the Official Gazette on 14 Oct. 2004, No. 253551, adopted 15 Jan. 2004).

Security

EIK addresses the security of electronic signatures in depth through imposing liability on Digital Certificate Service Providers (hereinafter Providers) and through detailing the technical requirements for an electronic signature to be secure enough to be valid.

Art. 5 of EIK provides that “a secured electronic signature has the same effect as a handwritten signature.” Therefore, agreements signed with non-secured electronic signatures are not enforceable under EIK.

EIK defines a secured electronic signature as, “a signature which

• is connected exclusively to the signatory;
• is generated by a tool to create a secure electronic signature only at the discretion of the signatory;
• allows for the detection of the signatory through a digital certificate; and
• allows for the detection of any subsequent changes to the signed electronic data.”

Digital certificate

EIK Art. 4. EIK also defines a digital certificate as, “an electronic registration linking data of the signatory verifying the signature to the signatory’s identification information.”

EIK further requires the presence of a time stamp in the electronic signature. EIK Art. 3, Para. f. A time stamp is defined as, “a registration verified by the digital certificate service provider for the purpose of identifying the time that the electronic data was produced, changed, sent, received or recorded.”

Authenticity

EIK’s system not only provides technical specifications for the enforceability of electronic signatures, but provides a requirement for ensuring the authenticity of the signature through the digital certificate requirement. Digital certificates must themselves reach a minimum level of security and provide for authentication and verification in order to be “qualified digital certificates.”

Non-qualified digital certificates cannot be used in the electronic signature process, and there are ten conditions for a digital certificate to be a qualified digital certificate. EIK Art. 9. They include that the certificate must contain, “data to verify the signature corresponding to the data generating the signature” (EIK Art. 9, Para. d), “identification information to be able to determine the Signatory” (EIK Art. 9, Para. c), and “identification information for any separate person acting on behalf of the Certificate holder, if necessary” (EIK Art. 9, Para. 5), and the certificate’s serial number.

Digital certificates

The regulation clarifies that qualified digital certificates comply with ETSI (European Telecommunications Standards Institute) profiles, namely the ETSI TS 101 862 Certificate Profile. BTIK 2006/DK-77/207, Annex, Art. 4. The regulation further provides that, “the keys of certificates given must be compatible with the size of the key and algorithm found in communiqué 3” [a public key authentication protocol]. 

In addition to laying out the technical specifications for a valid electronic signature, EIK imposes liability on Providers. EIK Art. 13. EIK defines ‘Providers’ broadly as “public institutions and establishments, and natural or private legal persons who provide services related to electronic signatures, time stamps, and digital certificates. EIK Art. 8. Providers are liable to users of digital certificates under existing principles of liability. EIK Art. 13. Providers are also liable to third parties for damages arising from the breach of the provisions of this law. 

Foreign Providers

Foreign Providers can also provide digital certificates for use in Turkey, however, liability then extends to the Providers in Turkey who accept such digital certificates. EIK Art. 14. EIK provides, “Where digital certificates given by a digital certificate service provider situated in a foreign country are accepted by a digital certificate service provider in Turkey, said digital certificates are considered qualified digital certificates. The digital certificate service provider in Turkey is liable for losses arising as a result of using these digital certificates.” EIK Art. 14. Providers must also take out insurance policies against damages arising from the law, or to fulfill their obligations under the law. EIK Art. 13.

e-State

Aside from EIK, the Turkish Government has put in place e-Devlet (e-State), a web-based service that allows citizens to access necessary data, documents, and records and report issues and submit documents securely online. This platform functions as a sort of electronic signature for the purposes of dealing with government organizations.

The system is run by the state-owned company Türksat Uydu Haberleşme Kablo TV ve İşletme, A.Ş. (Turksat), which is responsible for maintaining adequate security.

The e-signature may be defined as a string of electronic data used to identify the producer of an electronic
document; in much the same way as a hand-written signature identifies an individual.