The lowdown on digital signatures


Disclaimer - I am not a lawyer, and just write what I see as being the case from a relatively informed point of view. Don't use this as legal advice !

Reasons for signing documents

While the reason for signing documents may seem self-evident, it is instructive to consider nonetheless - why do we sign documents ?  Well it really boils down to legal challenge. When push comes to shove, there is still no substitute to a valid, signed document to resolve the age-old "he-said she-said" impasse between disputing parties. 

So, the real test as to whether a signed document is valid is when it comes to a dispute in a court of law.

legal

 It is worth noting that a document signing technique does not have to be 100% watertight to have legal standing, it just needs to be more plausible than the alternative. In other words, if I produce an electronic document as evidence, and the opposing party produces a different electronic document or a different original, which is the court likely to accept ?  Or if as the signer I deny having signed a document is it possible to prove beyond reasonable doubt that the document could not have ended up in the state it is WITHOUT me having signed it ? 

I refer to a good document prepared for IDM Australia discussing the legality of electronically signed documents Electronic signatures and their legal validity in Australia There are  2 fundamental requirements for an electronically signed document to be valid :

  • the document must be stored appropriately and can be accessed after execution; and
  • there has been consent between the parties, expressly or impliedly, to receive information electronically.

To me this really means that you need a proper Document Management System to store your signed documents. The second point is implied in any case by virtue of the the fact that the other party has signed the document electronically - this action surely implies consent.  However, the 2 most important requirements with respect to ALL signed documents (paper or electronic) produced as evidence in court are derived from the very reasonable requirement that the document which is before the court is exactly the same document which was signed by the signer, which implies that 

  1. The signature on the document is unequivocally that of the intended signer
  2. The document has not been altered in any way since signing

All electronic signing technologies attempt to address these 2 issues with varying degrees of rigour and cost.

Signing scenarios

There are  5 broad scenarios wherein documents require signing  : 

  1.  "Contract" scenario, signed by at least 2 but often more parties. The signatures are required to ensure that that if one of the parties fails to perform duties described b a document, the aggrieved party(s) can take the recalcitrant to court and claim compensation,because the law recognises that the party has broken an agreement which is proven to have been agreed to by virtue of the signature. Think business contract, employment contract, 
  2. "Certify" scenario where the signer is stating that the content of a document is true (or in many cases that the identity of a contractual signer is verified) . Think witness statement, affadavit, tax return
  3. "Intent" scenario where the signature exists to provide an abidiing and incontrovertible record of an intent. Think Wills, Treaties, Trusts.  These typically endure much longer than the former and often after the demise of the signer.
  4. "Signoff" scenario where the signature is provided on a document as proof that a particular job has been completed. Think parcel delivery signoff, tradesman signoff, auto repair signoff. 
  5.  "Terms and conditions" scenario where the signature serves to show that a person accepts rules, risks, terms and conditions relating to the use of something. Think rental car, software, 

Each of these are subtly different in terms of  the number of parties involved, who stands to lose the most, likelihood of challenge, duration of validity, value of agreement, and history for challenges.In "contract" scenarios, for example, both parties potentially stand to lose equally in the event of the agreement being disputed, yet with "terms and conditions" and "signoff" there is little incentive for the signer to sign but plenty for the originator to have signed.  All of this influences which technique is used for electonically signing (or not) and,  importantly , who pays for it.

Types of signatures

There are 5 different types of signatures today

  1. wet signature"Wet signature" or traditional pen and paper signing. 

  2. signed copyCopy of wet signature - typically a scan or phone snapshot of the aforementioned. Electronic or photocopy. 

  3. electronic copyElectronic signature - Signer puts some kind of a mark on an electronic copy of a document or form. This usually takes the form of a representation of the signee's signature ,either scrawled on a tablet or a hand-held device with a finger or stylus, or by attachment of a picture of their signature to the document or form. Can be incorporated into a web-application framework.

  4. certificateDigital signature - Signer encrypts document with a unique private key. The whole process including issue of public/private key pair, encapsulation of document into an encrypted "envelope" and the reading of the decoded document are typically handled within a web application and are typically proprietory. Docusign, Adobe sign.

  5. workflowWorkflow signature - Signer signals their virtual signing of the document by (typically) entering their password as a step in a workflow. The document state is changed to an unalterable, signed state and the workflow audit trail provides proof of the transaction. This can be enhanced with dual factor authentication eg. SMS

There are sometimes combinations of these as well - for example certified copies of documents are a combination of 1 and 2,  (wet signature of certifier on photoopy of original) , or some signing applications combine 3, 4 and 5 ( provide signature fields to add a representation of a signature, control the signing through workflow and apply a digital signature) . 

All of these have their pros and cons, as well as security risks. All are used in different scenarios, and the whole landscape is continually evolving as legal challenges emerge and are overcome.

wet signatureWet signature

We have all done this, grab a pen and sign a piece of paper - primary advantage is familiarity and tradition.  And where the original document is involved, there is a relatively high degree of security - "signature experts"  can relatively accurately detect whether a signature is a real or a forgery.  The courts still consider an original document with a "wet"signature to be the ultimate trump card, (although I suspect this would ber unlikely to survive a rigorous legal challenge). In other words, if, in a court of law, I can produce an original document together with one or more sample signatures, AND I have an expert testify that they are highly likely to be done by the same person, AND that the signature is that of the person in question, AND that the document appears to have been un-altered it would be very difficult for an opposing party to convince the court that a digitally signed electronic document has a higher validity. Right now this is still the only valid signature on important "intent" documents such as Wills. 

Copy of wet signaureCopy of wet signature

This is probably the most widespread form of storage of signed documents today.How many times have we had a Word document emailed to us and had to print., sign, scan and email ? And only occasionally does the signed paper  document need to be returned.  At a guess something like 80% of all contract and signoff documents are stored in this fashion. To me it would appear that the risk of forgery is very high, I mean it really doesn't take much to photoshop a signature, insert a page or otherwise modify a PDF, image or text document. Probably the main reasons we don't have a flood of litigation in this area is the dual nature of contract documents where both parties sign and return, so there is at least one half of an original in each hand - and the fact that there is an email trail which (if available, presented and accepted by the court) can relatively convincingly show at least the process and attachments sent and returned.  I expect this to emerge as a major compliance risk soon. It only needs a couple of successful challenges and the whole practice will be forced to change to a more rigorous signing technique.

electronic sginatureElectronic signature

Most of us have encountered this when a package is delivered and we scrawl on the touchscreen to provide the proof-of-delivery. The very obvious flaws in the process (Who signed ? Is this really my signature ? What am I signing ? Where is it stored and how ? ) seem not to matter since it is really not much less secure than scribbling on a proof-of-delivery form on a clipboard. I am pretty sure that there is quite a lot of fraud in this area which probably flies under the radar as a cost of doing online business. But apart from this widespread and highly flawed practice, MOST of the signing applications today use this approach together with a web-application and workflow to  sign higher-value documents. I call this the

Electronic signature with-audit-trail

This seems to be the fastest growing area in the field with the large players all providing somewhat similar functionality. The common theme is

  • The originator (and subscription owner and payer ) uploads a document into a web-application, and a link to the web application document is emailed to one or more signers. These signers and the document to be signed are either manually added through the web-application or indirectly through integration to a CRM
  • The signer(s)  are uniquely identified by their email addresses - and in order to sign the document the signer enters the web application by clicking on the link in the email. Normally there is no need to log on or enter any kind of user details - the web application assumes that since the user could have only accessed the document by clicking on the emailed link, the person who is signing the document is the owner of that email account [1].  Usually the signer does not need to be a registered user of the web platform (although in most cases will be prompted to sign up as a marketing ploy).
  • Typically the document gets modified in the web platform, a signature field is added and often an audit-trail sheet or record of process is appended to the document.Also, and critically, an internal audit trail of the signing is added into the web-app. 
  • The user provides some kind of signature, either with the mouse, touch-screen or inserting a signature image. But this is purely cosmetic and provides a traditionally recognisable signature - the actual signature is meaningless in terms of uniquely identifying the signer.
  •  More sophisticated platforms do a "hash" or checksum of the original document which uniquely identifies its content (changing any part of the document would result in a completely different checksum) which is included in the audit-trail sheet.
  • The resultant document can be downloaded with its attached audit-sheet

It is important to understand that the downloaded document IN NO WAY provides any guarantee of the 2 fundamental requirements of signed documents, that is signer identity or unaltered content. This is discussed in more detail later. 

digital signatureDigital signature

Digital signatures vary from the electronic signature with-audit-trail  described above in that the signer is identified not only as the person who owns a particular email address, but also as the owner of a digital certificate private key issued as part of a PKI infrastructure.  The implication of this is that there is more certainty around the identity of the signer, additionally there is an additional ability to encrypt and/or encode the document to prevent its viewing by unauthorised third parties and subsequent alteration. Often a hash or checksum is generated from the document content and combined with the digital certificate to provide irrefutable evidence of the authenticity of both document and signer.  However, the drawback (as with any PKI technology) is the delivery and security of the private key.  2 things need to happen to make PKI work - the user needs to get the key in a secure manner and also needs to keep the key in a secure manner. These requirements invariably imply a login to the signing application and registration BEFORE any signing by the signer - in other words the signer needs to be a known entity to the web-application. In practice this is quite cumbersome  - the signer, who will likely receive multiple signing requests at different times from different providers, will need to manage multiple logins and potentially certificates to different systems which is onerous to keep track of. In most cases signers don't really care how they sign as long as it is easy. Most applications therefore offer standard electronic signing with digital signing reserved for "enterprise"or "high-value"customers. However, even the use of a digital signature might be called into question in court if there is reasonable grounds to suspect that the private key has been used by someone other than the person to which the key has been issued.

The use of a private key issued by a publically accessible certificate authority is the only way in which a downloaded, signed document can remain valid independantly of the web-application. 

 

workflow signatureWorkflow signature

Workflow signatures provide a simple yet highly effective form of signing which overcomes one of the main concerns around electronic signatures in that the identity of the signer is better guaranteed by virtue of the fact that login to the workflow tool must occur for this to be possible (this of course also means that the signer must be a willing , known party to the signing workflow application, which is only really viable if the web-application is an already-used tool for the recipient ) . The addition of a second factor (eg. SMS or email keyword ) makes it much easier to assert that the person who entered their password to move the document to the signed state was beyond doubt the person for whom the document was intended.  , Some providers use this technique together with the digital signature techniques described above to provide the most robust electronic signing soution available. Of course the security is totally dependant on the security of the resultant audit-trail , but this is in reality no different from the "electronic signature with audit trail" so common today. 

Viewers and storage

There are 2 fundamental ways in which signed documents are viewed and/or stored - standalone (or outside of the signing application) and integrated (incorporated into the signing application) .  It is important to note that NO document, even an original wet signature document, can be considered as completely valid standalone because without a reference signature and some proof of identity, the original signature cannot be associated with an individual.  Even a digitally-signed document with a public CA-issued private key requires access to the signing authority to validate the user. And as mentioned previously, a stand-alone document without reference to the securely-stored, online audit trail is really not secure at all, even with audit-sheets, stamps and seals attached as images - while the audit trail sheet attached looks official and seems the real deal, but unfortunately it is only for reference (although quite often there are links which take you straight to the online audit trail). It is a relatively trivial task to edit the document with commonly available editors, and change the audit trail and content. Irrespective of the document format (the de-facto standard seems to use PDF as the signed document format )  unless a  standalone document has a custom viewer which is able to do transparent lookups to certificate authorities and/or work with proprietory document "envelopes" it will not be possible to transparently validate a stand-alone document. And at this stage there are no standards covering the entire validation lifecycle although the PDF format does have some signing capabilities (for which you of course need the proprietory Adobe viewer - which costs and is not particularly cost-effective for signers who really don't want to pay for a viewer when there are free ones available )

So given that the only real security comes from the web application, it would seem that unless you use a Document Management System which incorporates electronic signing as an integral part of its operation you are required to manage  2 document management systems, one for signed documents and one for all other business documents. Even the integrations with popular document repositories still require this - although you have your signed copy stored in your document repository, the audit-trail and another copy of the document are still retained in the signing web-application.

Risks

The first point which should be made is that there are very few legal cases either internationally or in Australia which are on record where digital or electronic signatures are a central point. In fact in the handful which do exist, the signing technology is not questioned, rather the authority of the signer to sign the document (there are cases where both the originator of the document or the signer are called into question) . There are, however , plenty of legal cases on record where the use of electronic signatures or even just an email trail are recognised as forming a valid contract. There are incidentally plenty of historic cases where paper signatures have been challenged but given that it is the de-facto standard for hundreds of years, it is a surprisingly low percentage per year.  So on the surface electronic/digital signatures would not appear to be a huge litigation risk, but I am not sure that I would rely on the lack of lawsuits as the basis for ignoring the potential risk, for 3 fundamental reasons :

  1. The technology is relatively new and legal processes are slow. There may be plenty in the pipeline .
  2. Most cases undoubtedly get settled out of court, it is only really where large sums of money are involved that the cost of litigation is justified. 
  3. If a ruling is made against a particular technology on the basis that it is fundamentally flawed, the door is wide open to any plaintiffs who have signed using this technology by virtue of the precedence principle.

It is also worth bearing in mind that only a fraction of the document scenarios are in fact "contract", and it these where sums can be large and litigation seems most likely . The types of "signoff" and "terms and conditions" are typically smaller sums and usually a large corporation against an individual, where the large corporation would have the muscle to force out-of-court settlement of just accept the loss as a cost-of-business  (although it should be noted that there is a case where a plaintiff won the case by virtue of the fact that it was not able to be proven that she had read the terms and conditions) . "Intent" is not really done much digitally although this will change and there will undoubtedly be a legal challenge against a digitally certified will sometime in the future."Certify" is probably the other area where litigation is likely (tax fraud, misrepresentation of truth) .

The main risks which should be considered when looking at electronic signatures are :

1. Signer / originator identity and authority

To what extent can we guarantee that the person who signs is in fact the person  who we WANT to have sign the document and the person who really DID sign the document ?   (this is true of both signer and originator) This uncertainty seems to be the main legal challenge factor relating to contract electronic signatures. In the traditional contract signing scenario, all parties meet, exchange handshakes and sign. There is little doubt as to identity and authority.  With electronic signing, very often the person who is signing is only identified by an email address, often entered into the signing web-application manually. To me the a fundamental question is 

Is an email address sufficient to identify someone ?

In a contractual sense it is hard to know whether the individual we wish to engage with is in fact the person bound to an email address. It is reasonable to assume that an email address is not duplicated, however to what extent do we validate that the individual is bound to the email address ? The following questions should be answered

  • Is the email address a "generic"email address not particularly linked to any one person eg. admin@mysite.com.au
  • Is the email route encrypted and unable to be intercepted ? After all , for most signing platforms all that is required is to get the link URL contained in the email 
  • What is the possibility that this URL link could be derived artificially ? 
  • Is the email login reasonably secure ?
  • Does the signing system have the ability to associate a single email address with multiple users ? 

Is the login to the web-application secure and bound to a particular user ?

Since most signing web-applications also allow access to signing through a login there is the risk that the identity of the either the signer OR originator of the document can be challenged if it can be shown that the login is shared or otherwise not bound to an individual. There are cases where this has successfully been challenged (Williams vs Crocker) where the person who logged in was not authorised to make a contract of this type because the username/password were shared. 

2. The signing web application

Security of audit trails and documents

In most products the web-application itself end up being a document store with associated audit trail records. By and large, in order to make the interface as user-friendly as possible the audit-trail / document can be accessed without a login through an obfusctated URL (like https://na1.documents.adobe.com/public/viewAgreement?tsid=CCFCIBAA3AAABLblqZhCsWx1ovZ-ZR40sCkmI_qgPKUmjjMTiJEQRBBap_MMntICohSZZy_0KArsSTSogoNkzlb7TpP7wC9LPWbar0tX-& )   or from a link from with the downloaded  document (typically the signature provides this link ) ,  https://na1.documents.adobe.com/verifier?tx=CCJCHBCAABAAFAGj3BbyjQ3lSLin6Pgp1GOaOTndI7zN ) 

Whether this is good practice or not is up to debate, it is true that to guess the URL is almost impossible, however it would be possible to take an existing URL and modify the downloaded PDF document to point to this. There would be no indication that you were actually accessing an audit trail of another transaction, and unless you looked carefully at the details it could pass muster. It is conceivable that you could craft a transaction which even passed detailed examination with perhaps only changes on some key dates or users. Unlikely, but possible...

Internal document security

Possibly more concerning is the fact that key documents are stored in a cloud application which is not designed as a robust DMS, and the security measures /document retention/ backup strategy might not fit your security requirements. Also, what is the situation if you decide to change to another service provider - do you need to keep an account valid (and probably paid) in order to be able to access your signed documents and audit trails ?  Because remember that unless you have access to AT LEAST the audit trails downloaded documents cannot be certified as valid. While the obfuscated URL approach is fine for small numbers of documents, once you have signinficant numbers of signed documents you would want to sort / search / order - and of course provide some kind of access control around them.  For example it would not be acceptable to have the projects team access the staff employment contracts etc.  Before siging up to a provider it is worth examining this aspect.

 

How Webrecs minimises your risk

Webrecs provides an integrated workflow signature process for documents stored in the Webrecs repository which 

  • Reduces the risk of the wrong person signing since all signers are known to Webrecs and already registered
  • Eliminates the "dual repository" phenomenon (one for signed documents and one for all others )
  • Eliminates the risk of unauthorised access to signed documents or audit trails. All access requires username / password login
  • Reduces the risk of the wrong document being sent for signing (errors in copy / paste ) 
  • Can minimise the risk further through the use of digital certificates and dual-factor authentication 

 

 


Comments (0)


Add a Comment





Allowed tags: <b><i><br>Add a new comment:


Summary

Digital signatures and electronic document signing are becoming widespread. Are they legal ? When can they be used ? How do they work? We debunk some of the myths and expose some of the uncomfortable facts ...

Latest Posts

Latest Comments

Webrecs Xero Plugin

Xero is easy to use online accounting software that's designed specifically for small businesses. http://xero.com

The Webrecs - Xero integration allows you to :

  • Key invoices easily and quickly from online documents
  • Automatically use Xero contacts, chart of accounts and tracking codes
  • Upload seamlessly to Xero awaiting approval
  • Access the invoice document directly from Xero
  • Save Xero reports to Webrecs
  • CHECK OUT A QUICK VIDEO

Easy integration with Xero

Webrecs actiTIME Integration

actiTIME is a web-based timesheet system for companies of any size and any business type

http://www.actitime.com/

The Webrecs - actiTIME integration gives you :

  • Seamless login from your Webrecs dashboard
  • Backups of your timesheet data as well as your documents
  • Secure Web access to actiTIME for all users
  • An actiTIME dashlet on your Webrecs dashboard

Manage time together with documents

Webrecs Class Plugin

Class is a cloud-based SMSF accounting system. http://classsuper.com.au

The Webrecs - Class integration provides :

  • Transparent login from Webrecs to Class
  • Display of Class Dashboard and/or Fundweb in Webrecs dashlets
  • Optional access for trustees and/or advisers
  • Data keying from online documents directly into Class (rollovers, contributions, dividends, investments etc)
  • Storage of and controlled access to all SMSF documents
  • Background synchronisation of all SMSF entity data between Class and Webrecs CRM including fund, trustee, member, auditor, accountant and adviser.

Single sign-on SMSF dashlets

Webrecs Confluence Integration

Confluence is popular Wiki software by Atlassian.

http://www.atlassian.com

The Webrecs - Wordpress integration gives you :

  • Seamless login from your Webrecs dashboard
  • Backups of your Wiki data as well as your documents
  • Secure Web access to Confluence for all users
  • A Confluence dashlet on your Webrecs dashboard

Host your Wiki as well as documents

Webrecs Drupal Integration

Drupal is a major open source Web Content managment system

http://drupal.com/

The Webrecs - Drupal integration gives you :

  • Seamless login to Drupal from your Webrecs dashboard
  • Backups of your Web content as well as your documents
  • Your Web site hosted in your subscription **
  • A Drupal dashlet on your Webrecs dashboard

* Conditions apply

Manage your website with your documents

Webrecs Google Docs Plugin

Google Docs is a Google web platform allowing editing and sharing of files between Google users. The coolest thing about it is that Word, Excel and Powerpoint documents can be viewed and edited in the browser.

The Webrecs - Wordpress integration gives you :

  • Check out Word, Excel and Powerpoint documents into Google docs
  • Edit these documents and collaborate on them directly in Google docs (no Miscrosoft required)
  • Check them back in when finished

* Note: There are limitations on the complexity of documents which can be rendered eg. macros in Excel and some advanced formatting options across the board.

Easy editing of Word, Excel and Powerpoint

Webrecs Jira Integration

Jira is the world's leading issue-tracking software by Atlassian

http://www.atlassian.com/

The Webrecs - Jira integration gives you :

  • Seamless login from your Webrecs dashboard
  • Backups of your issue-tracking data as well as your documents
  • Secure Web access to Jira for all users
  • A Jira dashlet on your Webrecs dashboard

Host your issues together with documents

Webrecs Wordpress Plugin

Wordpress is a major open source Web Content managment system

http://wordpress.com/

The Webrecs - Wordpress integration gives you :

  • Seamless login to Wordpress from your Webrecs dashboard
  • Backups of your Web content as well as your documents
  • Your Web site hosted in your subscription **
  • A Wordpress dashlet on your Webrecs dashboard

* Conditions apply

Manage your website with your documents

Webrecs Shared Drive Integration

Dropbox, Google Drive and OneDrive are file hosting services which provide background desktop synchronisation

http://www.dropbox.com/

https://www.google.com.au/drive/

https://onedrive.live.com/about/en-us/

The Webrecs - Shared Drive integration gives you :

  • Seamless integration between the document storage of Webrecs and the shared drive
  • Push and pull documents between Webrecs and the shared drive with a click of a button
  • Single "source of the truth" - no chance of accidental deletion or corruption
  • Efficient versioning - Webrecs files will only be updated if changes have been made
  • Controlled sharing of individual entities / clients / folders - unshare when the project / task / engagement is complete
  • The strong background sync capabilites of the shared-drive systems with the feature-rich, secure and compliant Webrecs system

Sync your documents with desktop storage seamlessly

Webrecs Zapier Integration

Zapier is a powerful integration platform which lets you transfer data to and from different Cloud applications based on event triggers eg. new document created, new customer added etc.

http://www.zapier.com/

The Webrecs - Zapier integration gives you :

  • Webrecs triggers on documents, entities and CRM actions
  • Webrecs actions to be performed based on arbitrary triggers from other Cloud software
  • Ability to customise without coding

Integrate with other Cloud software