Electronic signatures, or e-signatures, are a means of signing documents in the same way that documents and agreements are signed using a written signature on hardcopy documents. Electronic signatures can come in any form that the parties to a contract agree on, but in general fall into three distinct categories.
Simple e-signatures
These are direct analogues of normal signatures, and do not have any properties that allow the recipient to confirm the identity of the signature or authenticity of the signature. They can be as simple as just writing your name at the bottom of an e-mail, ticking a box that says ‘I agree’, or including a scanned copy of a signature in a document.
Some types of digital signatures may also be simple e-signatures. If you were to sign a document using PGP you may also be using this type of e-signature. The signature does not tell others about your identity except where they are able to infer it from previous communications, signatures and the web of trust.
Advanced e-signatures
These provide assurance of the authenticity of the signature and the identity of the person signing it. They are typically based upon digital signatures and issued by a Certificate Authority (CA).
Qualified e-signatures
These provide the same assurances as e-signatures using digital certificates that are:
- Created by hardware devices, and stored only on hardware devices
- Issued only by qualified trust service providers overseen by a Supervisory Body (in the UK, the Information Commissioner’s Office)
Electronic signatures are regulated within the EU by Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS). This replaced the previous Electronic Signatures Directive 1999/93/EC. Specific provisions in UK law are set out in Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (the UK eIDAS Regulations). Further information on eIDAS is available on the ICO website.
Practical use of e-signatures
You may be thinking about e-signatures to solve issues including:
- Replacing hardcopies of agreements with electronic documents
- Managing the workflows associated with large numbers of documents
- Identifying customers and suppliers when entering agreements
- Ensuring the integrity of a document shared between two parties
- Preventing the existence of an agreement being challenged (nonrepudiation)
Different types of e-signature are appropriate for each of these problems. Careful analysis of the problems and the types of e-signature are required.
You should think about the legal, business, and security risks you already accept where traditional signatures are used. It is commonplace for even critical business decisions and contracts to be based on trust instead of rigorous identity checks.
E-signatures can introduce new risks to the organisation: a stolen digital certificate or compromised end-user device allows for perfect forgeries of digital signatures to be created in a way that is not possible with traditional signatures. You may need further controls such as smartcards to protect against these risks.
Online verification of signatories is difficult unless performed by a third party such as a CA or federated authentication infrastructure. Fraudsters are very good at creating e-signatures that will mislead as to the person or organisation they come from. A common practice is for a web application to allow a contract to be formed through an invitation to sign into a site using an e-mail containing a unique URL. Identification of the signatory relies on the unique URL staying secret, and this is dependent on the security of the e-mail. You may find it easier to share login details for the application in a telephone call or meeting.
Colleagues need to be trained in the use of e-signatures and their risks. Poor training can result in e-signatures being used for inappropriate purposes, or as requirements change over time. If the identity of signatories is important and not performed by a third party, end-users of e-signatures need to know how to verify identity to an appropriate level of rigour, and how to refuse politely when this cannot be done.
You may wish to update contracts so that they explicitly acknowledge the use of e-signatures. Adding instructions for what the other party should do if they receive an e-signature that doesn’t follow the form set out in the contract could help identify security incidents.