Today we're bringing you Part 3 of our three-part series on e-signature legality and compliance (here's Part 1 and Part 2). We've written this series to help clarify the key differences between different e-signature vendors. These seven rules will help you choose a vendor that your legal and compliance teams will support.
E-Signature Rule 5
The electronic form of signature must be attached to or associated with the electronic record being signed, and each signature should be produced according to established standards. The signature should be independently verifiable, without relying on the electronic signature service or website for validation.
What’s interesting about association and integrity in the electronic world is how different they are from their counterparts in the paper world. With wet ink, the signature is absorbed onto the page (so it's "associated" with the document), and because of that, it becomes more difficult to change the document as changes would be more noticeable ("integrity").
In the electronic world, association and integrity are not always tied together the way they are in the paper world. An image of a person's signature may be pasted onto a page while playing no role in proving the integrity of the electronic record. With other types of technology (standards-based digital signatures), the signature itself ensures both association and integrity, because it is computed over the content it is attached to.
This is not to say that one is inherently better than the other, as both can meet the unique requirements of association and integrity. But it’s critical for organizations to ensure that the technologies can prove integrity not only over the content of the document being signed but also the association of the signature to that signed content.
Association is often accomplished by proprietary means, which may not be easy to defend if the e-signature vendor goes out of business. To avoid this problem, there are existing international standards for electronic signatures. For example, the ISO 32000 PDF specification includes very detailed digital signature capabilities and is not specific to any one vendor.
A compliant electronic signature service should produce each signature on electronic records according to existing, published standards and should not rely on the signature service itself for validation.
Some documents need to be trusted not just for months or years, but decades or longer. Organizations that rely on these kinds of documents need to be mindful of how their electronic signature systems deal with this issue.
Here are some questions that any legal and compliance team should ask when determining an electronic signature strategy:
- What format are the documents produced in? Is it proprietary?
- Are documents and signatures human-readable and also accessible using free viewing software (e.g., Adobe Reader)?
- Is each electronic signature a permanent and inseparable part of the document?
- Is the signature linked in any active way with the vendor that produced it? If that vendor no longer exists, will the legal evidence disappear?
- Can the signatures be validated without having to interact with the electronic signature service that produced it? In other words, to validate a signature do you need to check back with the e-signature vendor? What happens if that vendor goes out of business or is no longer engaged?
- Does each signature rely on international cryptographic and document standards, such as RSA, DSA, SHA, PAdES and PDF?
- Can the electronic signatures be validated in the long-term?
- Will the format of the documents contribute to their standing?
- Are the systems used for signing based on well-known cryptographic tools?
E-Signature Rule 6
The electronic signature solution must identify and authenticate a person using at least two factors of authentication, including something you know (for example, an email account password) and something you have (for example, a mobile phone that can receive an SMS text message). Particular forms and documents may require higher levels of authentication, based on the level of risk involved.
As the memorable New Yorker cartoon mused years and years ago, “On the Internet, no one knows you’re a dog.”
That's why it's essential that any e-signature system puts methods into place to authenticate each signer's identity. But those methods can vary widely, and you must carefully link the risk profile of every transaction to a particular level of authentication to be sure that the transaction will be defensible over time.
We recommend that you set a firm minimum standard for authentication to eliminate any variances. We recommend using two-factor authentication, where a user is required to show something they know (access to an email account) and something they have (a mobile phone to receive a text message with a unique password generated at the time of signing).
Experience has shown us if an organization doesn't set a base level, most organizations will choose to go with a lowest common denominator approach, shifting risk in the process and potentially introducing evidence concerns in the longer term.
E-Signature Rule 7
The electronic signature solution must provide a means to preserve the integrity of the signed record that is (a) portable, (b) independently verifiable, (c) tamper-evident, (d) granular, and (e) verifiable in the long term.
As we’ve mentioned, including integrity among these requirements is an essential part of an electronic signature because it is so easy to tamper with electronic documents.
In fact, we recommend that organizations mandate how integrity is applied to an electronic document. It's best to use a standards-based digital signature, where a cryptographic fingerprint (hash) of the electronic record is signed with the signer's private key so that any later change to the record, even a single byte, causes the signature to fail verification and the tampering is easily detected.
Digital signatures are governed by specific international standards and are the same technology behind secure web transactions (TLS, formerly SSL).
For example, at SIGNiX we use digital signatures for every signature and initial on each document. This creates a highly detailed log of events in the lifecycle of a document. With SIGNiX, each signature can be easily viewed in real-time, offline, with just the PDF document at hand.
However, there are many other e-signature vendors that only apply a digital signature as a "seal" at the end of the document or when the document is downloaded from the service. This eliminates any sort of evidence as to when each individual signature occurred or whether the document changed in any way during the signing process. When this happens, the integrity of the document is not linked to the signatures in any appreciable way.
Often, these same vendors will require you to check back with them to find out if each signature is valid. That is, instead of all of the information being embedded within the PDF, the user must open a browser window back to the vendor’s service to validate the information.
In our opinion, this creates vendor lock-in, because the legal evidence to support the document is intimately tied with the vendor itself, instead of giving you the evidence within the document. That means that if an organization is asked to defend a document, the vendor will need to be a part of that process.
This in turn raises the question: What if the vendor decides to charge you for access to that legal evidence? What if the vendor goes out of business? What if the vendor changes its methods five years later?
You should seriously consider the implications of this "lock-in," especially when it comes to high value transactions that could come into question years later.
This problem can be even worse when a vendor doesn't use digital signatures (the more secure type of electronic signature) or standards at all and instead relies only on password encryption of the document. Password protection on a PDF only restricts who can open or edit the file; it is well known to be removable with freely available tools, and because nothing binds the content to a signer's key, the altered document carries no evidence of the tampering.
You must decide on the importance of the following items as they relate to integrity and verification of signatures:
- Portability / independent verification—Does the integrity travel with the document, or is it inherently linked to a service? Can each signature be verified independently of a service?
- Tamper-evidence—Does the solution produce signed documents that are tamper-evident in real-time in freely available PDF readers? Is the tamper-evidence associated with each signature or simply at a document level, applied sometime after the signatures took place?
- Granularity—Can each signature be verified? Does each signature add to the integrity of the document? Can the solution show the state of the document at each signature event?
- Long-term verification—Can the e-signature solution produce signed documents and audit trails that can independently provide sufficiently defensible information? Is the integrity and intent information granular enough to defend each signature in the future without having to resort back to the vendor?
We understand these are complex issues, but they do go to the heart of the question regarding integrity and legal defensibility over time.
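The following is an added example, not SIGNiX code or a PAdES implementation, that shows in miniature what the portability, tamper-evidence, granularity and independent-verification questions above are asking for. Each signature event covers a SHA-256 digest of the document, every earlier signature entry, and the event's own signed attributes (signer, time), and is signed with ECDSA over NIST P-256 (one of the FIPS 186-4 curves) using the `cryptography` package, which is assumed to be installed. The document text, signer names and times are constructed sample data, and an embedded raw public key stands in for the X.509 certificate a real PDF signature would carry. Verification needs only the document and the chain; nothing calls back to a service.

```python
"""Granular, tamper-evident, offline-verifiable signature chain (added example)."""
import hashlib
import json
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

CURVE = ec.SECP256R1()  # NIST P-256, a FIPS 186-4 curve


def _feed(h, data: bytes) -> None:
    """Length-prefix every field so the concatenation is unambiguous."""
    h.update(struct.pack(">Q", len(data)))
    h.update(data)


def covered_digest(document: bytes, prior: list, signer: str, signed_at: str) -> bytes:
    """SHA-256 over the document, every earlier signature entry, and this
    event's own signed attributes: the state of the document at signing time."""
    h = hashlib.sha256()
    _feed(h, document)
    for entry in prior:
        _feed(h, json.dumps(entry, sort_keys=True).encode())
    _feed(h, json.dumps({"signer": signer, "signed_at": signed_at}, sort_keys=True).encode())
    return h.digest()


def sign_event(document: bytes, chain: list, private_key, signer: str, signed_at: str) -> list:
    """Append one signature event and return the extended chain (input is not modified)."""
    prior = list(chain)
    digest = covered_digest(document, prior, signer, signed_at)
    signature = private_key.sign(digest, ec.ECDSA(hashes.SHA256()))
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    ).decode()
    entry = {
        "signer": signer,
        "signed_at": signed_at,
        "covered_sha256": digest.hex(),
        "public_key_pem": public_pem,  # stand-in for the signer's embedded certificate
        "signature": signature.hex(),
    }
    return prior + [entry]


def verify_chain(document: bytes, chain: list) -> list:
    """Verify each signature on its own, using only the document and the chain.
    Returns [(signer, ok), ...] so a single bad signature is pinpointed."""
    results = []
    for i, entry in enumerate(chain):
        expected = covered_digest(document, chain[:i], entry["signer"], entry["signed_at"])
        ok = expected.hex() == entry["covered_sha256"]
        if ok:
            public_key = serialization.load_pem_public_key(entry["public_key_pem"].encode())
            try:
                public_key.verify(bytes.fromhex(entry["signature"]), expected, ec.ECDSA(hashes.SHA256()))
            except InvalidSignature:
                ok = False
        results.append((entry["signer"], ok))
    return results


def build_demo():
    """Constructed sample: two signers sign the same document in sequence."""
    document = b"Purchase agreement: 100 units at $12.50 each. Delivery by 2024-06-30."
    alice = ec.generate_private_key(CURVE)
    bob = ec.generate_private_key(CURVE)
    chain = sign_event(document, [], alice, "alice@example.com", "2024-05-01T10:00:00Z")
    chain = sign_event(document, chain, bob, "bob@example.com", "2024-05-02T09:15:00Z")
    return document, chain


if __name__ == "__main__":
    doc, chain = build_demo()
    print("as signed:          ", verify_chain(doc, chain))
    print("document altered:   ", verify_chain(doc.replace(b"12.50", b"2.50"), chain))
    chain[1]["signed_at"] = "2024-05-09T09:15:00Z"  # backdate Bob's signature
    print("Bob's entry edited: ", verify_chain(doc, chain))
```

Three properties from the checklist fall out directly: altering the document breaks every signature; altering one signer's entry breaks only that signature and any later one that covered it, while earlier signatures still verify (granularity); and dropping the trailing entry leaves the earlier signatures intact, so the document's state at each event is recoverable. Two things this toy leaves out, and which the standards in Rule 5 supply, are binding the key to a person (an X.509 certificate from a CA rather than a bare public key) and a trustworthy signing time (an RFC 3161 timestamp token from a TSA rather than a self-asserted string).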
The 7 Rules in Review
1. All electronic signatures must meet the ESIGN, UETA and GPEA definition of electronic signature.
2. All signatures on a single document must use the same electronic signature technology, or at the very least successive signatures must not flatten or otherwise destroy evidence of previous signatures. If a document requires multiple signatures from multiple signers, using the same signature technology throughout ensures that each signature on the document retains intent, integrity and information relating to the transaction.
3. The electronic form of signature must be executed or adopted by a person with the intent to sign the electronic record, (e.g., to indicate a person’s approval of the information contained in the electronic record). Not only must this intent be captured at the time of each signature, but it must also be captured for each individual signature and be provided as granular evidence within the electronic signature system’s audit trail.
4. Each signed document must be backed by an audit trail that captures intent to sign for each individual signature and provides granular, consistent, timestamped evidence as to every step in the entire signature process.
5. The electronic form of signature must be attached to or associated with the electronic record being signed, and each signature should be produced according to established standards, including those listed below. The signature should be independently verifiable, without relying on the electronic signature service or website for validation.
- ISO 32000-1 (PDF)
- PAdES, CAdES and XAdES (PDF, CMS and XML Advanced Electronic Signatures)
- FIPS 186-4 (RSA, DSA, ECDSA)
- SHA-2 hashing (FIPS 180-4)
- RFC 3161 timestamps
6. The electronic signature solution must identify and authenticate a person using at least two factors of authentication, including something you know (for example, an email account password) and something you have (for example, a mobile phone that can receive an SMS text message). Particular forms and documents may require higher levels of authentication, based on the level of risk involved.
7. The electronic signature solution must provide a means to preserve the integrity of the signed record that is (a) portable, (b) independently verifiable, (c) tamper-evident, (d) granular, and (e) verifiable in the long term.
John B. Harris joined the SIGNiX team as Director of Product Management in 2012. He focuses on rigorously tying customer needs, industry trends, and technology innovations to specific product requirements, while also contributing to SIGNiX’s marketing efforts and driving a product strategy that enhances SIGNiX’s leadership position.