What you need to know about the legality of e-signatures
There has never been a better time for European businesses to switch to digital signatures and associated document management workflows. The EU Electronic Identification and Trust Services Regulation, introduced in 2014 and known as eIDAS, has made the legal framework for e-signatures more consistent and reduced the risks for adopters.
However, as is the case with any technology, some services adhere to extremely stringent regulations while others consider compliance as a less important consideration. Understanding the differences between each type of e-signature and the associated legal certainty is critical when choosing a solution.
Examples that are available today include:
- Basic e-signatures — including mouse squiggles and basic e-marks, signatures drawn on a touch screen and typed names at the end of an email, these are very easy to copy and, unlike ‘wet’ signatures, provide no legal certainty. They can be admitted as evidence in EU jurisdictions, but will easily be disputed in court.
- Biometric e-signatures — these gather information unique to the user before attaching it to a document - for example, the speed and pressure of their signature. Unlike hand-written signatures, they can only be applied and verified using expensive hardware and proprietary software, and, like basic e-signatures, are susceptible to spoofing and hacking.
- E-signatures with witness digital signatures — combining basic e-signature marks applied by the user and digital signatures applied by the service provider, these are verified using the service provider’s logs. They offer an improved level of trust and security, but not necessarily in the medium and long term. What happens if the service provider goes out of business? Without the corresponding logs, there will be no hard evidence that the user in question actually signed the document.
Advanced Electronic Signatures
All businesses require legal certainty when signing documents. To ensure documentation is legally valid, businesses should opt for Advanced Electronic Signatures (AES). This special subset of e-signatures requires each user to have their own unique cryptographic signing key based on PKI (Public Key Infrastructure) technology, which provides firm proof of the signer’s identity.
Solutions can embed not only the e-signature into the document, but also additional information such as the user’s e-ID, reason for signing and trusted timestamp to prove time of signing. Provided they conform to the PDF document signing standard PAdES, set by the European standards body ETSI, AES signatures will be legally recognised across Europe.
AES solutions, which can be easily integrated into existing software by a service provider, are the middle ground between basic and top-end EU qualified signatures - the latter requires face-to-face registration with a digital Certificate Authority (CA) and investment in special tamper-resistant hardware which, though more expensive, provides increased security that businesses dealing in sensitive data require.
AES solutions are cost-effective, easy to use and crucially provide users with the evidence needed to prove their identity or that a signature has been compromised. Where even stronger levels of non-repudiation are required, EU qualified signatures are recommended.
The benefits of switching to e-signing can be considerable. They include reduced costs, increased speed and efficiency and improved customer experience. Return on investment is rapid since relatively little capital outlay is usually required.
That said, without a solution that complies with long-term validation standards, the risks of adoption will outweigh any advantages. Businesses must conduct due diligence when assessing which e-signature is right for them. There is no value in a solution that easily integrates into employee workflows, only to fail to hold up in court when contested.
By Liaquat Khan, Technical Director, SigningHub
Read the January 2017 issue of Business Review Europe magazine.