Free Spirit Magazine, RAK Free Trade Zone, January 2012
Recently I signed a contract with a party abroad where the other party insisted on using an archaic process. The contract needed to be printed on coloured paper with their letterhead on it. They sent me two unsigned copies by courier because they wanted me to sign first. I signed and sent them both copies back and they returned one signed copy: counting three courier shipments in total. Shortly after I had a delightful experience on the other end of the efficiency spectrum. I was sent an email with a link to a website where I could view a purchase order which I was asked to sign online. The signing entailed nothing more than typing my name.
After signing I was sent the signed pdf and at the website, for which I was not required to create an account, I have access to a complete track record of the transaction: when the document was created, when it was sent, when I viewed it, and when I signed it.In the last instance I electronically signed the purchase order. Laws giving legal recognition to electronic signatures have been on the books in most countries for more than a decade. The EU for instance passed an electronic signature directive in 1999 requiring EU member states to amend their laws in order to ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form. This is one of the essential points in all electronic signature laws, although usually exceptions are made. For instance in the UAE documents related to personal status, documents relating to sale, purchase, or lease (in excess of ten years) of real estate, notarized documents, and negotiable instruments only have legal validity in paper form. In addition other laws may also determine that other documents are only valid if executed in paper form.
Surprisingly though, the use of electronic signatures to conclude agreements has not taken off until 2011. What could be the reason for the slow adoption world-wide of the use of electronic signatures? The main reason in my opinion is that e-signature solutions have not been available until recently that were able to sufficient evidentiary value in court and are at the same time easy to use. Signing an email with your name typed at the bottom is an electronic signature too but because it is too easily repudiated by the signatory this is for many types of agreements not considered acceptable.
The question, then, is not whether electronic signatures have legal standing but whether they provide an equivalent level of evidence of fraud (or the lack of fraud) as do handwritten signatures. A signature, whether handwritten or electronic, is applied to authenticate a writing. The strength of a signature is determined by how well it achieves this objective. Three security features determine the strength of a signature:
-
Signer authenticity, which is concerned with assurance of identity of the signatory.
-
Data integrity, which is the assurance that data has not been modified since the signature was applied.
-
Non-repudiation, which is concerned with providing evidence to a third-party (e.g. a court) that a party participated in a transaction, and thereby protect other parties in the transaction against false denials of participation.
“Electronic Signature” is a generic, technology-neutral term that refers to all of the various methods by which one can “sign” an electronic record. They can take many forms and can be created by many different technologies. Examples of electronic signatures include: a name typed at the end of an e-mail message by the sender; a digitized image of a handwritten signature that is attached to an electronic document (sometimes created via a biometrics-based technology called signature dynamics); a secret code or PIN to identify the sender to the recipient; a code that the sender of a message uses to identify himself; a unique biometrics-based identifier, and a digital signature (created through the use of public key infrastructure (PKI) cryptography).
“Digital Signature” is simply a term for one technology-specific type of electronic signature. It involves the use of public key cryptography to “sign” a document. PKI makes it possible to establish signer authenticity. PKI makes use of digital certificates which are issued by a Certification Authority (CA), which is the entity that confirms that this identify embedded in the certificate is indeed that of the signer.
Electronic signature laws in the EU-countries and many other countries such as Canada, Singapore and the UAE tend to favour the use of digital signatures. The EU directive on electronic signatures differentiates between basic, advanced and qualified electronic signatures. An advanced electronic signature requires that it is uniquely linked to the signatory, it is capable of identifying the signatory, it is created using means that the signatory can maintain under his sole control, and it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. Advanced Digital Certificates can be issued by Certification Authorities after verification of the owners email address. A qualified electronic signature makes requires an Advanced Digital Certificate for which the private key must be stored on a secure signature creation device (SSDC), eg. a smart card. Qualified Certificates can only be issued by Certification Authorities following a face-to-face verification of the user and government-issued photographic identification. The UAE ID cards also contain a private PKI key which can be used in conjunction with a smart card to generate a qualified digital signature.
Only a qualified electronic signature has to be considered legally equivalent to a hand-written signature as per the EU directive (although member states are free to take a more permissive approach). That means in legal proceedings that, if it is proved that the signature is a qualified one, the alleged signatory must provide evidence that questions, beyond reasonable doubt, its security in order to repudiate his authorship. In case of a basic or advanced signature the evidentiary rules work in reverse: the other party is the one who must provide evidence that supports the reliability of the signature.
The USA, New Zealand, Australia and the UK have taken a different approach where there is no built in bias for the use of qualified certificates and digital signatures. The laws in these jurisdictions are technology-neutral.
Unfortunately costs and inconvenience have severely inhibited the adoption of digital signatures, in particular qualified digital signatures.
Whileas digital signatures created with a SSCD were provided with a “safe haven” status in many countries; non-digital electronic signatures might still provide acceptable levels of proof in legal proceedings. Current E-signature offerings can now provide the authentication, integrity and non-repudiation qualities needed for conducting transactions on which one can legally rely:
It is now possible capture the biometric properties of a hand-written signature signed on for instance a tablet or smart phone. Signing properties such as speed, pressure, rhythm can be recorded and attached to the properties of the (pdf) document that is signed. Legal experts define this kind of e-signing as a legal surrogate equivalent to the conventional method of signing with ink on paper.
Another approach is to use a central server to keep establish a legally meaningful audit trail of every step of the signature process and mathematically associating that audit trail with particular electronic document content and uniform time of signoff. The audit trail records contextual information such as signer’s email address, date and time of the transaction, IP address of the endpoint device, and geo-location (if available).
In addition to one of the above advanced digital signatures can be used. If the private key is stored on the server of the software solution provider advanced digital signatures can be provided in the background by an e-signature provider, without the user even knowing. In this case the user doesn’t have to store the private key himself and ensure that he has it installed on whatever device he is signing from. Private keys for advanced signatures can be provided by a software provider as part of the online account opening process, since issuing these doesn’t require face to face identification. Digital signatures serve the added function that it will seal the document: i.e. the document cannot be modified after signing without becoming invalid.
These technologies are now starting to be taken into widespread use due to the spread of tablets and smart phones enabling the capture of biometric signature data and, second, due to the increasingly popular Software as a Service (SaaS) software delivery model. SaaS enables establishing an audit trail and centrally managed signing keys for digital signature. It is no coincidence that the e-signature solutions that have seen strong growth are provided by companies based in the “technology-neutral” jurisdictions.
The scope of this article is too small to cover all the different options to look out for in the various software offerings. Suffice it to say that the core consideration when selecting the e-signature software is whether the offered signature types are strong enough for the purpose for which you intend to use them and the jurisdiction in which you hope to enforce your contractual rights. A simple button “i agree” on a website might be sufficient when placing an order for an advertisement but not when buying a house. In most situations ideally the solution supports several signature types.
The savings that can be obtained with implementing an e-signature solution can be significant particularly if your business is handling many documents. Business processes have been automated in the last two decades to a large extent. Despite this, a document is still often printed on paper when a signature authorisation is required, thereby creating the need for physical routing of paper for the purpose of obtaining signatures. Reintroducing paper into the workflow increases processing time spent, time spent on coordination, the scope for errors, and organisational costs. Aside from the obvious savings on ink and courier costs that can be realized probably the biggest benefit that implementing an e-signature solution can provide is that it facilitates a fully electronic document workflow.
This article first appeared in Free Spirit Magazine, January 2012.