The practice of associating a date or even a time with an event or a document, also called “timestamping”, has its roots in the need to produce evidence to assert or confirm a right or an obligation during a dispute or litigation.
But how do you verify the existence of electronic data? The digitalization of entire sectors of economic activity has led to the need for electronic timestamping, to verify both timing and content. In many areas such as intellectual property, personal data protection and IT, it has become essential to prove the existence of specific data at a specific date and time. In the absence of such proof, a person could be denied rights which are rightfully theirs and/or be wrongly penalised.
In this article, we’ll guide you through the process of electronic timestamping; what it is, how it works and lastly, how it operates in a legal context. On this last point, electronic timestamping raises many questions, notably as to the reliability of the process. The debate on the probative value of emails is still recent. Everyone knows how easy it is to change the local time on a computer or a computer system. Consequently, a new law had to be introduced to regulate electronic timestamping systems and thus set certain technical requirements to guarantee their reliability as evidence.
Sommaire
- What is electronic timestamping?
- What are the two recognised types of electronic timestamping?
- How does electronic timestamping work?
- Pourquoi utiliser l’horodatage ?
- Quels documents peut-on horodater ?
- La reconnaissance juridique de l’horodatage électronique comme preuve numérique
- Présomption de fiabilité en faveur des horodateurs électroniques qualifiés
What is electronic timestamping?
Timestamping origins
All computer systems are equipped with a real-time clock which indicates the current date and time for various operations carried out on the device, such as creating a file or sending an email. These clocks keep accurate time even when the device is turned off, because not only are they powered by a battery located on the computer’s motherboard, but they are also connected to the Internet. As such, this internal computer clock already provides a form of electronic timestamping, but it is unreliable. Not only can we manipulate the date and time within the software, but we can also tamper with the system clock to change the date and time associated with records in the event logs, the file system or in database transactions.
Timestamping definition
To achieve the same reliability as provided by a registrar stamping a certificate, the initial regulations called for the participation of a trusted third party in the electronic timestamping process. Timestamping was defined for the first time in article 1 of the decree of 20 April 2011 as the “mechanism associating a representation of data at a particular time and attesting to the existence of the representation of this data at this instant by means of a timestamp token [which] includes a stamp from the electronic timestamping service provider established using the signature data of the timestamp token”. This definition of electronic timestamping therefore presupposes the use of a trusted service provider, which de facto excludes certain forms of electronic timestamping.
A few years later, in 2014, the European Union regulation on electronic identification and trusted services for electronic transactions in the internal market, known as the eIDAS regulation, was adopted. It aims to allow the free circulation of timestamp tokens and therefore facilitate trade for more than 400 million people. In this regulation, electronic timestamping is defined more largely as “data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time”.
What is the purpose of electronic timestamping?
Electronic timestamping is a process whereby a date and time can be electronically bound to other data in electronic form to certify, either with or without the intervention of a trust service provider, of its existence or execution at a given moment and also to attest to its content at that precise time.
What are the two recognised types of electronic timestamping?
The eIDAS regulation mentions two categories of electronic timestamps:
1. Non-qualified or simple electronic timestamping
The regulation does not give a specific definition of simple electronic timestamping. It is understood that a timestamping process that does not meet the conditions set out in the European eIDAS regulation is of a non-qualified type.
2. Qualified electronic timestamping.
Conversely, article 42 defines qualified electronic timestamping as fulfilling the following conditions:
- It binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;
- It is based on an accurate time source linked to Coordinated Universal Time; and
- It is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.
Regarding this last condition, the eIDAS regulation leaves room for innovation and the development of a method ensuring a level of security equivalent to the advanced electronic signature or the advanced electronic seal. It is up to the trust service provider to demonstrate that its method meets the requirements set out in the eIDAS regulation.
How does electronic timestamping work?
Electronic timestamping (with use of a trust service provider) is a “process which links the representation of a data to a particular time”. To apply a timestamp to data in electronic form (example: a contract, software source code, an invoice, an electronic medical prescription, a price indication, a ticked box on a form, access to an information system), a unique identifier must be generated through use of the hash function. This step is essential in order to create a reliable and unique representation of the data; that is, a virtual fingerprint. This is then transmitted to the timestamping service authority, which combines the digital fingerprint with the exact date and time based on Coordinated Universal Time (UTC). The reliability of this combination is guaranteed by means of a timestamp token, which is a type of signed certificate containing:
- the digital fingerprint or representation of the data;
- the UTC date and time;
- the timestamp token seal.
Under the French decree on electronic timestamping, the timestamp token seal allows the identification of “the electronic timestamping service provider that issues it and ensures a link with the timestamp token to which it is attached.” It is the combination of the timestamping authority’s private key and a public key, communicated to the user by means of an electronic certificate.
At the end of the timestamping process, the timestamping authority sends all these items to the user and also archives them.
Why use Timestamping?
Digitalisation of exchanges
The digitalisation of entire sectors of the economy has created a need for electronic timestamping to provide proof of the date and content. In many areas, such as intellectual property, personal data protection, or IT, it has become essential to be able to prove the existence of data at a given moment. Without this proof, a person may be denied rights that are legitimately due or be wrongly penalised.
Cost reduction
Since globalisation, the cost of sending and returning documents via traditional postal services has been significant. Indeed, most transactions require timestamping and a signature. In the long run, this back-and-forth of documents impacts the cash flow of companies involved in the transaction. Thanks to digital timestamping, the need for express mail is eliminated, replaced by simple clicks. The time and cost savings are considerable when you factor in the cost of a token. The system of timestamping tokens, or time marks, allows tracking of the document’s changes (modifications, deletions, additions, etc.).
Traceability of timestamped documents
Calibrating the timestamping with atomic clocks ensures the traceability of documents and enhances digital security. Any modification without a timestamp questions the document’s integrity. With the 2014 European eIDAS regulation, legislators have established certain technical requirements for electronic timestamping systems to ensure their evidential reliability.
Which documents can be timestamped?
Timestamping can be useful in many sectors. Here are a few examples:
- E-commerce, to justify reference prices for promotional operations (Omnibus Law)
- Supply chain, to track and control the origin of products
- Banking and insurance, to securely archive information transmitted online
- In general, to assist all companies that issue invoices, to enforce payment deadlines and calculate late payment penalties
The legal recognition of electronic timestamping as digital evidence
Timestamping, even electronic, is admissible as evidence in the courts of the European Union.
Thus, non-qualified electronic timestamping is acceptable in court, especially when evidence can be provided by any means. In fact, Article 41§1 of the European eIDAS regulation establishes a principle of non-discrimination regarding electronic timestamping, accepting it as legal evidence in the same way as manual timestamping, even if it does not meet the requirements of qualified electronic timestamping. The same applies to non-qualified electronic registered delivery services.
In Switzerland, the 2016 SCSE regulation provides a legal framework similar to the eIDAS data protection law. Although SCSE does not specify technical standards that must be applied, the Swiss Federal Council recognises processes implemented according to eIDAS standards as valid. As with eIDAS, SCSE assigns a higher evidentiary value to timestamping certificates issued by qualified trust service providers.
Presumption of reliability in favor of qualified electronic timestamps
Contrary to the simple electronic timestamp, a qualified electronic timestamp shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound (article 41§2 of the eIDAS regulation). This provides a significant advantage in the event of litigation or dispute, as it allows to reverse the onus of proof and the burden of proof can be shifted onto the party challenging the reliability of a qualified timestamping system. In this context, a part of the doctrine equates qualified electronic timestamping with the electronic version of the legal concept of “certain date”.
By extension, in France, article L100 of the postal and electronic communications code states that electronic registered delivery is the equivalent of physical registered mail as long as it meets the requirements of article 44 of the eIDAS regulation, especially as regards the use of a qualified electronic timestamp. In this case, the data sent and received by means of a qualified electronic registered delivery service benefits, among other things, from a presumption as to the integrity of the data and the correctness of the date and time of sending and reception. In fact, an electronic timestamp applied to registered mail has an advantage over physical registered mail, because electronic timestamping not only certifies the date but also the content, which physical registered mail does not.
Thus, when Evidency, a trusted third party in the electronic timestamping process, timestamps electronic documents such as an invoice, a reference price, or a deposit, Evidency’s token assigns a certain date to the documents in question and certifies their content at the moment the timestamp token is applied. As such, this content cannot be modified.
Evidency offers flexible timestamping solutions to suit your needs:
- Prove the compliance of promotional prices
- Ensure the traceability of the supply chain
- Provide proof of an event
- Guarantee compliance with standards and prepare for audits
Evidency’s electronic timestamping solution is easy to implement and simple to use.
Disclaimer
The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Evidency. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.