Technical reliability and legal security of the electronic signature

If you’d like to put an end to never-ending signing sessions, late-night preparations and misplaced originals, you definitely should learn about electronic signature. 

Many industries have already adopted electronic signing (insurances, banks, notaries, among others); moreover, recent legal precedents have definitely been leaning toward a pragmatic yet supportive position regarding electronic signature over the past few years.

When it comes to electronic signatures, technology and law are closely intertwined: the better the technology used, the greater its probative value and its legal security. Thanks to the recent considerable technological and regulatory evolutions, it is nowadays highly unlikely that a reliable electronic signature can be legally challenged.

It is therefore by evaluating the robustness of an electronic signature technology that we can ensure its probative value; let us clear this topic up for you.

Brief reminder of the legal framework

The European eIDAS Regulation of July 23, 2014 introduced a standardized and robust technical-legal framework for “trust services” (such as electronic signatures). Applicable throughout the European Union since July 1, 2016, it defines three types of electronic signatures (Simple, Advanced or Qualified, depending on the reliability of the authentication process) and includes many new mandatory technical standards for each type of signature (published by the European Telecommunications Standards Institute (ETSI)).

Compliance with the regulatory and technical standards applicable to each type of signature is ensured by the certification issued by a national control authority to each service provider before it begins to operate. Once certified, the company becomes a “Trust Service Provider” (TSP). Regular audits are carried out thereafter.

The different types of electronic signatures

Legally, there is no difference in validity between “Simple”, “Advanced” and “Qualified” signatures. Their admissibility in court cannot be challenged in any European Union country. “Qualified” signature simply benefits from an increased presumption of reliability.

By default, a “Simple” signature does not meet the requirements of the “Advanced” or “Qualified” categories. The verification of the identity of the signatory is usually done by sending a One-Time Password (OTP) to the signatory’s cell phone after he or she clicks on a link received by email.

The signatory is the only one to have access to the code unless his/her mailbox AND cell phone have been compromised.

The “Advanced” signature must meet the following regulatory criteria:

1. uniquely linked to the signatory;
2. enable the signatory to be identified;
3. created using electronic signature creation data that the signatory can, with a high level of confidence, use under his or her sole control; and
4. linked to the data associated with that signature in a way that any subsequent change of the data is detectable.

In practice, these requirements are met by combining the sending of an OTP code on a mobile device, with another factor that establishes the signatory’s identity with certainty, such as automated ID verification.

In addition to the hacking of the mailbox and the theft of the cell phone, the forgery of an “Advanced” signature would require that the forger has at least a copy of the signatory’s ID.

The “Qualified” signature corresponds legally to an “Advanced” signature with reinforced technical requirements and requires a face-to-face verification of the identity of the signatory (by physical meeting or video conference). The advantages of the electronic signature (mobility, speed) are largely diminished by this process, which explains why the “Qualified” signature is not used much today (most providers do not even offer it).

Legal transaction management platform Closd integrates Simple and Advanced electronic signatures provided by DocuSign and CertEurope, both Qualified Trust Services Providers compliant with the eIDAS regulatory requirements.

Advanced electronic signature on legal transaction management platform Closd requires a triple authentication of the signatories:

• Password-protected personal workspace;
• Automated ID verification;
• OTP code sent by text message.

An audit trail is also generated and archived for each identity verification and electronic signature.

These procedures meet legal and jurisprudential requirements and ensure the validity and probative value of signatures made on Closd.

The technology behind the signature

An electronic signature has no graphic representation. The image usually affixed to the document has only a symbolic value. Its validity and probative value lie in the digital data integrated into the document, which guarantees both its integrity and the authentication of the signatory:

• An “encryption certificate” issued by a trusted authority that proves that the identity of the signatory has been previously and duly verified;
• A “fingerprint” of the document (materialized by a unique character string) to ensure that it has not been modified since the signature (the slightest difference in the document would modify the generated fingerprint).

1. The signatory proves his/her identity
2. The provider emits a certificate proving the signatory’s identity
3. A unique fingerprint is calculated for the document
4. A signature server combines these elements to generate an electronic signature.

Once it is signed, the document is scanned by a PDF reader (such as Adobe Acrobat Reader) that determines whether the electronic signature is valid. When the document is opened, the PDF reader detects and verifies the digital signature data. Also:

• It recalculates the “fingerprint” of the received document and ensures that it corresponds to the fingerprint of the document calculated at the time of its signature;
• It inspects the “encryption certificate” to ensure that it is valid and that the identity of the signatory is certain.

If one of these two elements is missing or modified, a message automatically warns the user that the signature is not valid.

Why you can trust current technologies

The European eIDAS regulation has considerably simplified the situation: the certification of an electronic signature provider ensures that it complies with a set of regulatory and technical standards that guarantee the reliability of the process. The European Union’s updated “trust list” is available online.

The reliability of an electronic signature can therefore be easily proven by :

• The certification of the service provider by a national agency for the security of information systems;
• The evidence is constituted by the various authentication techniques of the signatory described above.

As far as the verification of an electronic signature by the PDF reader is concerned, it is based on a “chain of trust” principle. The encryption certificate is validated by the Certification Authority (CA) that issued it (the electronic signature provider), itself validated by an Authority with a higher level of trust, and so on, until it reaches a Root Certification Authority (Root CA), the final link in the chain (usually private companies acting as trusted third parties for a multitude of uses). The PDF reader is able to check the reliability of each level: if one of the links in the chain is missing, it will not validate the electronic signature.

In spite of all these factors, habits are difficult to change since the barriers to these technologies are essentially psychological. The idea that one can indubitably authenticate a remote signatory still has a long way to go. However, a reliable electronic signature is more complicated to forge than a handwritten signature. Moreover, it is the only reliable means of transmitting originals electronically: legal precedents in most countries frequently point out that a scanned original can neither authenticate the signature nor express consent.