As the US and the UK start catching up with mainland Europe, China and South Korea on adopting electronic signatures, have you ever wondered how valid they are?
The signature process has always been susceptible to fraudulent activity, but as technology evolves perhaps this process can at last be secure, proper and have a significantly reduced chance of being abused.
An electronic signature is typically a depiction of your supposed signature in an electronic format. It could be a scan of an image, a photograph of a written / wet signature, a selected squiggle, or anything that is not handwritten. Anything could be used and chosen at the will of the signatory.
The type of electronic signature dictates how secure and trustworthy it can be considered.
There are currently three types of electronic signatures:
1. A simple electronic signature
This is the most common type and the one most people will be familiar with. You receive an email with an attachment. The sender has pre-populated the document with a name where it needs to be signed. You select a generated signature image and click a button to confirm you are happy before returning it.
The document is now electronically signed by that person regardless of who completed the process.
Why would anyone use such an inappropriate protocol? Because it's very efficient. Documents get signed quicker, yet this exposes one or more parties to potential fraud. The average signee in such protocols has much more of an appetite for efficiency than for managing risk. Unless we thrive in a trusted society? Although if we had that, why would we require a signature in the first place?
Some of the e-signature applications on the market seem to recognise the issue and are looking to enhance their propositions. DocuSign, a popular e-signature solution with 200+ million users, has the following warning in medium-sized print:
‘By selecting Adopt & Sign. I agree that the signature and initials will be the electronic representation of my signature and initials for all purposes when I (or my agent) use them on documents, including legally binding contracts – just the same as pen-and-paper signature or initial’
With simple e-signatures, it’s impossible to know who actually ticked the box, and, if someone is going to falsify a signature, they will most likely falsify the ticking of this box as well.
Fundamentally, the issues with this type of signature are:
How do you know that the person named as the signatory actually signed?
Was the signatory aware that they have signed?
Was the person authorised to sign in the first place (if on behalf of a company, or an agent)?
2. An advanced electronic signature
This type of signature requires an associated key or certificate that is linked to an electronic identifier (identity) of the signatory. An easy illustration is an application on the signatory's mobile phone that they must use to validate that the signature on an electronic document was actually made by them.
The advanced e-signature represents a more secure level of signing compared to the simple e-signature. The risk in this case is that someone can access the signatory's phone or steal their access to the linked electronic identity, which is probably more common than we think.
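The following sketch is an added example, not taken from any e-signature product, showing what linking a signature to a key and an identity buys over a pasted signature image. The envelope format, the registry of identities and the sample document are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedDoc is a hypothetical envelope: document, claimed signer, signature.
type SignedDoc struct {
	Document  []byte
	SignerID  string
	Signature []byte
}

// digest hashes the signer identity together with the document content.
func digest(signerID string, doc []byte) []byte {
	h := sha256.New()
	h.Write([]byte(signerID))
	h.Write([]byte{0}) // separator between identity and content
	h.Write(doc)
	return h.Sum(nil)
}

// Sign is what the signatory's device does with the private key it holds.
func Sign(priv ed25519.PrivateKey, signerID string, doc []byte) SignedDoc {
	return SignedDoc{Document: doc, SignerID: signerID, Signature: ed25519.Sign(priv, digest(signerID, doc))}
}

// Verify checks the signature against the key registered for the claimed identity.
func Verify(registry map[string]ed25519.PublicKey, s SignedDoc) bool {
	pub, ok := registry[s.SignerID]
	return ok && ed25519.Verify(pub, digest(s.SignerID, s.Document), s.Signature)
}

// Demo runs three constructed cases and reports whether each one verifies.
func Demo() (genuine, tampered, wrongKey bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	registry := map[string]ed25519.PublicKey{"alice@example.com": pub}
	signed := Sign(priv, "alice@example.com", []byte("Pay 100 GBP to Bob"))
	genuine = Verify(registry, signed)
	altered := signed
	altered.Document = []byte("Pay 900 GBP to Bob") // edited after signing
	tampered = Verify(registry, altered)
	_, otherPriv, _ := ed25519.GenerateKey(nil) // someone else's key, Alice's name
	wrongKey = Verify(registry, Sign(otherPriv, "alice@example.com", signed.Document))
	return
}

func main() { fmt.Println(Demo()) }
```

Verification proves that the registered key signed this exact document; as noted above, it says nothing about who was holding the phone when the key was used.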
3. A qualified electronic signature
This is an electronic version of having your signature witnessed ‘as done on pen-and-paper’. It’s the same as an advanced e-signature with the added security of electronic validation of the signature by a third-party Trust Service Provider (TSP). When a signatory validates their electronic signature on an electronic document in the app on their phone, the TSP looks at all the associated ‘matching’ criteria and validates that everything is in order. Each country has its own dedicated TSPs, and they commonly originate from publicly owned companies or institutions, for example the Post Office.
Our question is now, if you were responsible for governance and selecting a solution for your company, which would you go for?