Digital Signing Through the Eyes of a Lawyer
Perhaps because signing is such a natural part of every adult’s life, it is not often that we think about or discuss why we need to sign something. Whenever we have a document that seems to include something important, we kind of assume that it has to be signed. Putting our signature on a document somehow makes it more important.
Legally speaking, though, signing does not necessarily make a document more important nor does it make it more official. An unsigned document or letter may have just as much legal effect as a signed one. This is not to say that signing is not important or necessary. To the contrary, signing has several functions and yes, sometimes the law even requires signatures for legal effect. But most of the time we sign documents not because the law requires it, but because we choose to do so.
Why do we sign?
There are two main reasons why we sign documents. First, when someone has signed a document, we can assume that he or she has read it or at least has seen it and has had an opportunity to read it. A signature is not the only way to prove this, but it is the easiest way. If your signature is on it, you have seen it. It is pretty hard to argue with that. But for this function to work, we need to be able to tie the signature to an actual person.
Secondly, a signature often marks agreement to something stated in the signed document. For example, if someone signs a contract, it means that this person has agreed to the terms and conditions of that contract. It is the act that makes the contract legally binding with regard to that person. Again, this is not the only way that we can prove that a person agreed to something, but it is the easiest one to track. If your signature is on a document next to a statement that you agree to what is stated in the document, it is hard to argue that you did not agree. But only if we know it was you who signed it.
Signatures also have other functions. A signature marks the fact that the document is final, not just a draft, and it helps to ensure that the signed document will not be modified after signing. It also has a cautionary effect. Most people realise that when they sign something, they will be bound by it. This hopefully makes them think twice before giving their signature. And finally, a signed document is the easiest way to prove to anyone what each person who signed the document agreed to. There will be no need for people who were not involved in the signing process to go through an extensive amount of evidence about what each party agreed to. A document with a signature attached to it is enough. But again, a signature is enough only if we can link the signature to an actual person.
Features every electronic and digital signature should have
Many regulations regarding electronic and digital signatures exist in the world, like the eIDAS Regulation in Europe or UETA and E-SIGN in the US. These regulations are designed to establish the fact that electronic and digital signatures can be accepted as well as to provide technical requirements for certain types of signatures. While these regulations are certainly useful and necessary, they do not in my opinion answer the most important question: what features should an electronic or digital signature have in order for it to actually serve its purpose?
In order to answer this question, I would like to come back to why we sign. The two main functions of a signature are to make sure that a person has seen a document and/or that this person agrees to that document. A signed document is an easy way to make this visible to everyone, even if they were not involved in the signing process. But as mentioned before, all of these functions only work if we can link a signature to an actual person. How do we do that?
In case of paper documents, if someone denies signing a document, we can compare this person’s handwriting (or signatures we know for sure this person has given) to the signature on the document. Experts are able to tell the probability that the signature on the document was given by that person. But this only works if we have an original document with a handwritten signature available. An image of the signature will not work as it does not include enough evidence for experts to draw conclusions. Thus, in the digital world we need something different.
Several solutions have been offered in the digital world to tie a signature to a person. Audit trails, signature confirmation sheets (with information about who signed, when and how) and other information have been provided. This information of course can be useful to try to identify the person who signed. But it does not provide direct evidence about the signer’s identity. All we know is that someone using a specific computer or a specific e-mail address or access to a link provided to a specific e-mail address signed a document. What we do not know is whether the name provided in the signature is the actual name of the person who clicked “sign”. This information alone is not enough to identify the person who signed.
Of course, we could find other evidence to show that a signature was given by a specific person. For example, if we know that a signature was given by a person who has access to a specific e-mail, we could provide additional evidence about who uses this e-mail and thus identify the person. But in this case my question is: if every time someone denies giving a signature we have to go through the trouble of finding evidence to show that this person used a specific e-mail, then what is the use of signing at all? Why not simply send an e-mail stating “I received” or “I agree”? The evidentiary value of such an e-mail would be pretty much the same as that of an electronic or digital signature which only ties the document to a specific e-mail address.
The best way to tie a signature to an actual person is to verify the identity of that person. To do that, the natural way is to ask the person to show a document issued by a reliable person, e.g. a state. This is what we would do in the real world – if someone we do not know comes up to us and claims that he or she is a certain person, we would ask to see their document to make sure that it is in fact that person. Thanks to face recognition and other technologies, it is now possible to securely check someone’s document online. This verification information can then be securely tied to the person’s signature device. As a result, every time a signature is given, it is securely tied to an actual person. Thanks to cryptography and other security measures, we can be sure that every signature of the person was actually given by that person and the document that was signed cannot be changed later.
The .ID signature solution was built with these principles in mind. Every user of the .ID solution can be verified based on a government-issued travel document, e.g. a passport. This enables identification of users from most countries. Verification information is then tied with the person’s identity and digital signing certificate. Every time a user signs a document, real verified user information is attached to the document in a secure envelope. Using cryptographic tools, the envelope is signed, making it impossible to tamper with the documents inside. The signed document can be shared using the .ID Docs platform or the envelope can be downloaded and sent via e-mail. I personally like to be in control of my documents and where I store them, so for me the ability to download the envelope without losing the possibility to verify its contents later is an important feature.
.ID uses the XAdES signature format, which I like because it does not tamper with the documents that I sign. Instead, a secure envelope is created around the signed files, which keeps the documents intact. Another important advantage of this signature format is the ability to sign any file. This means you can add your text files, spreadsheets, PDFs and any other files into one envelope and sign it without the need to turn them into .pdf files first. This is very handy if you need to sign a document with annexes that come in different formats – PDFs, images, spreadsheets, CAD files, etc. It saves a lot of time. If you have ever tried to print a spreadsheet with a lot of data on it or turn it into a .pdf file in a meaningful way, you know what I mean. The envelope solution allows you to sign all the documents quickly and easily. Later, everybody who has the signed envelope can use the files inside the way they were intended and extract any information from them. But because you always have the signed secure envelope with untampered files inside, you can always check that the information extracted from the files is true.
The .ID signature solution is similar to Estonian ID solutions and uses the same signature format. I started frequently using ID solutions and digital signatures when I started working at a law office some 13 years ago. Since then, Estonia has evolved into a truly digital society – there are very few things that you cannot do digitally. I use digital signatures every day and quite frankly cannot imagine living without them. I can get lots of stuff done without even leaving home (or even bed). It gives me a lot of freedom that I value and of course saves a lot of time.
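The envelope principle described above can be shown in a few lines. This is an added example, not code from .ID or Agrello: it packs files of any format unchanged and checks them later against a list of per-file digests, the way XAdES-style references work. The names `manifest.json`, `build_envelope`, `check_envelope` and `repack` are hypothetical, and the certificate-based signature that covers the digest list in a real envelope is assumed rather than implemented.

```python
import hashlib, io, json, zipfile

MANIFEST = "manifest.json"  # hypothetical name; real XAdES keeps these digests in signed XML

def build_envelope(files: dict[str, bytes]) -> bytes:
    """Pack files unchanged and record one SHA-256 reference digest per file."""
    refs = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)  # stored byte for byte, whatever the format
        # Assumption: in a real envelope the signer's signature covers this list.
        z.writestr(MANIFEST, json.dumps(refs, sort_keys=True))
    return buf.getvalue()

def check_envelope(envelope: bytes) -> dict[str, str]:
    """Return a status per file: ok, modified, missing or unsigned."""
    status = {}
    with zipfile.ZipFile(io.BytesIO(envelope)) as z:
        refs = json.loads(z.read(MANIFEST))
        present = set(z.namelist()) - {MANIFEST}
        for name, digest in refs.items():
            if name not in present:
                status[name] = "missing"
            else:
                same = hashlib.sha256(z.read(name)).hexdigest() == digest
                status[name] = "ok" if same else "modified"
        for name in present - set(refs):
            status[name] = "unsigned"  # placed in the container after signing
    return status

def repack(envelope: bytes, changes: dict[str, bytes]) -> bytes:
    """Simulate edits made after signing: replace or add files, keep the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(envelope)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, changes.get(name, src.read(name)))
        for name in changes.keys() - set(src.namelist()):
            dst.writestr(name, changes[name])
    return buf.getvalue()

# Constructed sample input: a contract with annexes in different formats.
SAMPLE = {"contract.txt": b"Price: 1000 EUR", "annex.csv": b"item,qty\nbolt,40\n",
          "drawing.dwg": bytes([0x41, 0x43, 0x31, 0x30, 0x00, 0xFF])}

if __name__ == "__main__":
    signed = build_envelope(SAMPLE)
    print(check_envelope(signed))
    print(check_envelope(repack(signed, {"contract.txt": b"Price: 9000 EUR"})))
```

A file that sits in the container but is not listed in the signed references is reported as unsigned, because nothing ties it to the signer.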
With the .ID family of products Agrello attempts to bring this digital society to the world.
 Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market
 Uniform Electronic Transactions Act
 The Electronic Signatures in Global and National Commerce Act