National Appeals Chamber (KIO) stories: how the KIO was fooled with regard to an electronic signature

A December 2018 KIO ruling dealt with an IT aspect of the qualified electronic signature. A contractor had obtained a qualified electronic signature from a trusted provider, yet the ESPD (European Single Procurement Document) it signed with that signature was held to be invalid.

Although the contractor’s bid had been selected as the winning bid, the contractor lost the contract when a rival appealed. It was demonstrated that the product the contractor offered lacked a feature required under the tender terms of reference (TToR). On that basis alone the bid should have been rejected, but the KIO ruled on a different objection, concerning the features of the qualified electronic signature. The contractor was fully justified in believing that its signature had the proper features: the signature was valid and had been purchased from a trusted provider.

This case was unusual in that the tender was for computer hardware and software, so the contractors taking part probably had above-average knowledge of computer-related matters. That is the aspect they focused on when examining whether the contracting authority had made the right choice of contractor.

ESPD with SHA-1

The complainant asserted that the successful rival had not confirmed that it had the requisite track record and was eligible to take part in the proceedings, because the ESPD it submitted bore an electronic signature that did not fulfil legal requirements. Specifically, the complainant argued that the signature did not comply with Art. 10a(5) of the Public Procurement Law because it had been created using SHA-1. Under Art. 137(1) of the Trust Services and Electronic Identification Act of 5 September 2016, SHA-1 may not be used to create advanced electronic signatures or advanced electronic seals after 1 July 2018, while the successful contractor had created a signature of that kind on 3 September 2018. Art. 10a(5) of the Public Procurement Law does not mention SHA at all, however, and neither does any other provision of that act.

In its ruling the KIO repeated the complainant’s argument that from 1 July 2018 onwards SHA-1 could no longer be used, and that this applied not only to certificates but also to any signatures created. It found moreover that this obligation was addressed both to commercial operators and to public authorities whose systems include a function generating signatures. The complainant cited a communication from the Minister of Digital Affairs of 1 March 2018, posted on the National Certification Centre website, on the withdrawal of SHA-1 from use in advanced signatures and electronic seals.

Led up the proverbial garden path

According to the Minister’s communication, applications used to create or verify an electronic signature must be adapted to support SHA-2, since SHA-1 is no longer recommended by the European Telecommunications Standards Institute (ETSI) (see ETSI TS 119 312). At the same time, the communication said explicitly that SHA-1 could still be used for the purpose of verifying signatures.

On this basis, and following the interpretation urged by the complainant, the KIO found that the tender participant had not exercised due diligence and had breached the Trust Services and Electronic Identification Act by signing the ESPD using SHA-1. In the KIO’s view, the contractor should first have adapted its applications for creating or verifying electronic signatures to SHA-2, “which the tender participant does not appear to have done”. Although the KIO could only make assumptions on this point, it concluded that the signature on the electronic ESPD was simply invalid, even though no such consequence is stated in the Public Procurement Law, the Trust Services and Electronic Identification Act, or the Minister’s communication.

A less secure signature is still a qualified signature

That the KIO had been led astray became clear when the grounds for the ruling were contested by the IT community soon after it was published. The criticism focused in particular on the conclusion that a SHA-1 signature carried a risk of the file not being properly verified. A recommendation to move to SHA-2 does not make an existing signature invalid: the signature still verifies against the signed document and the certificate chain is unaffected. The known weakness of SHA-1 (practical collision attacks, publicly demonstrated in 2017) is what drove its deprecation for creating new signatures, but a collision lets a signer prepare two documents in advance that share one signature; it does not let a third party alter an already signed ESPD without the signature failing. Current technical knowledge therefore still supports the conclusion that the signature is sufficiently secure for this purpose.
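The distinction drawn by the Minister’s communication and by the IT critics of the ruling (SHA-1 is no longer acceptable for creating new signatures, but a signature already created with SHA-1 still verifies) can be demonstrated in code. The following Go program is an added example written for this article; it is not code from the KIO, the complainant or any signature provider. It assumes a plain RSA PKCS#1 v1.5 signature over a constructed sample payload rather than the CAdES/XAdES/PAdES container a real qualified signature on an ESPD would use, but the digest-algorithm identifier it extracts is the same DigestInfo structure that sits inside those containers. The 1 July 2018 cutoff is taken from the article’s description of Art. 137(1); mapping that deadline onto a timestamp is this example’s assumption.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha1"   // registers crypto.SHA1 so crypto.SHA1.New() works
	_ "crypto/sha256" // registers crypto.SHA256
	_ "crypto/sha512" // registers crypto.SHA384 and crypto.SHA512
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sha1Cutoff is the date from which, per the article's account of Art. 137(1)
// of the Polish Trust Services Act, SHA-1 may no longer be used to CREATE
// advanced signatures. Treating it as a UTC timestamp is an assumption here.
var sha1Cutoff = time.Date(2018, time.July, 1, 0, 0, 0, 0, time.UTC)

// hashByOID maps the DigestInfo algorithm OIDs found inside a PKCS#1 v1.5
// signature (RFC 8017, section 9.2) to Go hash identifiers.
var hashByOID = map[string]crypto.Hash{
	"1.3.14.3.2.26":          crypto.SHA1,
	"2.16.840.1.101.3.4.2.1": crypto.SHA256,
	"2.16.840.1.101.3.4.2.2": crypto.SHA384,
	"2.16.840.1.101.3.4.2.3": crypto.SHA512,
}

// digestInfo is the ASN.1 structure wrapped by PKCS#1 v1.5 padding; its
// AlgorithmIdentifier reveals which hash the signer actually used.
type digestInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	Digest    []byte
}

// Sign creates a PKCS#1 v1.5 signature over msg using hash h.
func Sign(key *rsa.PrivateKey, h crypto.Hash, msg []byte) ([]byte, error) {
	hh := h.New()
	hh.Write(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, h, hh.Sum(nil))
}

// DigestAlgorithm recovers the hash algorithm from the signature itself by
// applying the RSA public operation and parsing the embedded DigestInfo.
// It reports what the signer used; it does not check the digest value.
func DigestAlgorithm(pub *rsa.PublicKey, sig []byte) (crypto.Hash, error) {
	m := new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N)
	em := m.Bytes() // EM = 0x00 || 0x01 || PS || 0x00 || T; big.Int drops the leading 0x00
	if len(em) < 11 || em[0] != 0x01 {
		return 0, errors.New("not a PKCS#1 v1.5 block type 1 encoding")
	}
	i := 1
	for i < len(em) && em[i] == 0xFF { // skip the 0xFF padding string PS
		i++
	}
	if i >= len(em) || em[i] != 0x00 {
		return 0, errors.New("malformed padding string")
	}
	var di digestInfo
	if _, err := asn1.Unmarshal(em[i+1:], &di); err != nil {
		return 0, fmt.Errorf("DigestInfo: %w", err)
	}
	h, ok := hashByOID[di.Algorithm.Algorithm.String()]
	if !ok {
		return 0, fmt.Errorf("unknown digest OID %s", di.Algorithm.Algorithm)
	}
	return h, nil
}

// MaySignWith says whether a NEW signature may be created with hash h at time
// at. Verification of existing signatures is deliberately not gated on this.
func MaySignWith(h crypto.Hash, at time.Time) bool {
	return h != crypto.SHA1 || at.Before(sha1Cutoff)
}

// Result bundles what a reviewer of a signed ESPD would want to know.
type Result struct {
	Hash     crypto.Hash // hash the signer actually used
	Verifies bool        // signature checks out cryptographically over msg
	MaySign  bool        // creating this signature at signedAt was policy-compliant
}

// Inspect identifies the digest algorithm, verifies the signature with that
// algorithm, and separately evaluates the signing-side policy.
func Inspect(pub *rsa.PublicKey, msg, sig []byte, signedAt time.Time) (Result, error) {
	h, err := DigestAlgorithm(pub, sig)
	if err != nil {
		return Result{}, err
	}
	hh := h.New()
	hh.Write(msg)
	verr := rsa.VerifyPKCS1v15(pub, h, hh.Sum(nil), sig)
	return Result{Hash: h, Verifies: verr == nil, MaySign: MaySignWith(h, signedAt)}, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	espd := []byte("constructed sample payload standing in for an ESPD declaration") // not a real ESPD
	signedAt := time.Date(2018, time.September, 3, 0, 0, 0, 0, time.UTC)         // signing date from the ruling
	for _, h := range []crypto.Hash{crypto.SHA1, crypto.SHA256} {
		sig, _ := Sign(key, h, espd)
		r, err := Inspect(&key.PublicKey, espd, sig, signedAt)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-7v verifies=%v maySignOnThatDate=%v\n", r.Hash, r.Verifies, r.MaySign)
	}
}
```

Run it and both signatures verify; only the policy column differs. That is the whole point of the IT community’s objection: a SHA-1 signature created on 3 September 2018 is a compliance question for the signing application, not a reason to treat the signed ESPD as unverified. A real audit of an ESPD would read the same OID out of the CMS or XML signature container instead of from a raw PKCS#1 block.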

Above all, Art. 137 of the Trust Services and Electronic Identification Act, on which the ruling was based, does not provide for invalidation of a signature created using SHA-1, nor does it say that such a signature is not a qualified electronic signature. Neither does this follow from Art. 10a(5) of the Public Procurement Law, or from Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (the eIDAS Regulation), which applies in Poland directly.

Trust services at a higher level

The fact that the Polish act requires public authorities and trust service providers to move to a more secure hash function does not mean that any provision of law currently in force gives grounds for contesting the validity of a signature that uses SHA-1. It is simply that, because providers are required to use SHA-2, those more secure signatures will in the near future be the only ones on the market. A bid signed using SHA-1 therefore cannot be rejected as invalid under Art. 89(1)(8) of the Public Procurement Law.

Under Art. 180(1) of the Public Procurement Law, an appeal may be brought only against an act or omission of a contracting authority that breaches the Public Procurement Law. A contracting authority’s acceptance of a document signed using SHA-1 is not such a breach, and in particular not a breach of Art. 10a(5).

Danger of incorrect interpretation of the switch to electronic forms

In its ruling of 10 December 2018 (KIO 2428/18), the KIO started a dangerous trend in interpreting when a contractor’s qualified electronic signature is to be treated as defective. Admittedly, the case concerned a contractor whose bid would have been rejected anyway for not meeting the TToR, and the allegedly defective signature related solely to the initial ESPD declaration, since the proceedings were conducted before the complete switch to electronic forms, so the shortcoming could have been remedied. Even so, the ruling is highly relevant to the Polish public procurement market: it shows how far Poland has drifted from the EU approach, and it opens the way for objections on IT grounds to be raised in future proceedings without being properly examined by experts and without regard to EU law, which applies in Poland directly.

Anna Prigan, attorney-at-law, Infrastructure, Transport, Public Procurement & PPP practice, Wardyński & Partners