Digital signatures whitepaper_thinkdox
An analysis of the reasons to choose a digital wet signature versus simply using existing technology such as AD tracking or ECM technologies.

Published in: Technology

What is a signature in the digital age?
Understanding how to certify user understanding and build legally defensible digital-born processes.

ThinkDox LLC
Author: Christopher Wynder, Ph.D
Presented: 2016-06-08
Contents

Overview
  Introduction to electronic signatures
  Market trends and forces
Defining signatures by example
  1 Autograph
  2 Handwritten / pencil on contract
  3 Email
  4 Email with signature block
  5 “I accept” button
Electronic Signatures types selected for Further Analysis
Use Cases for each of the types of signatures possible
  Scenario #1 – Email with Signature Block
  Scenario #2 – Information Submitted via Password Protected Web Site
  Scenario #3 – Documents Signed with 3rd Party Validation
  Scenario #4 – Documents Signed with Digital Signatures
General case law on digital signatures – basic requirements for using any of the above
  Email with Signature Block
  Information submitted via password protected secure web site
  Documents signed with 3rd party email account or social media profile validation
  Digital signatures generally have the highest assurance levels of all electronic signatures
Making a Decision
  Internal Users
  External Users
Final Thoughts
Overview

THE SIGNATURE REPRESENTS A VARIETY OF PROCESS CONTROLS AND IDENTITY USE CASES, SO IT IS DIFFICULT FOR ORGANIZATIONS TO ENVISION HOW “BITS AND BYTES” CAN REPLACE THE WET SIGNATURE. THE KEY IS TO REALIZE WHAT THE SIGNATURE REPRESENTS AT THE PROCESS LEVEL RATHER THAN AT THE ABSTRACT, ALL-ENCOMPASSING IDEA LEVEL.

Introduction to electronic signatures

Electronic signatures are part of the management of process and records. Signatures represent authentication and certification of information: the information is presented as being both accurate and endorsed by a person or group of people. Hence the reluctance of many organizations to accept digital/electronic authentication processes as a replacement for the current pen-based “wet signatures.”

In the digital age it is important to recognize that what a signature represents is identity and acknowledgement. A wet signature was necessary in a paper-based world because there was no other way to confirm that a user had seen or had access to a document. In a digital age this is no longer true: an organization’s ability to track and confirm access to and modification of documents and other records is diverse and embedded in all of the applications and infrastructure that users touch. For example, most ECM and intranet technologies have audit trails that record who has accessed and/or modified a document and when this occurred. Live tracking tied to identity systems such as Active Directory reduces the need for signatures that merely confirm information access.

Overall, the problem of authentication and certification of information has two major parts that affect an organization’s decision to buy digital signature software or simply use process controls to confirm identity and certify the submission of information. The two major parts are the use case for the signature and the legal requirements for the type of record being certified.
While knowing and defining the use case for a signature is a key aspect of the buying and implementation process, it is a complex case-by-case decision. This white paper will concentrate on the legal requirements in Canada. [NOTE: By all legal accounts, meeting the Canadian standard is more difficult than meeting the US standard, which has been defined by case law (FRCP) and the ESIGN Act.]

There are two major areas of records and document management where signatures of some kind are typically required. In large part these are transactional processes that confer privilege or bind the signee to do (or not do) certain behaviours, tasks or other obligations. Under current legal standards these still need some kind of active acknowledgement on the part of the user. They typically fall into one of two use cases for an organization.

1. DISSEMINATION OF INFORMATION – CONFIRMING RECEIPT AND COMPLIANCE WITH POLICY

Organizations struggle to make end users aware of the policies that should govern their use of corporate resources. For policy to be enforceable, users must acknowledge that they have been made aware of it and that they plan to comply. From a digital signature perspective, the keys to how signatures can be used here are the findability of the policy documents and the adoption of the portal/intranet site.
Our advice is to take advantage of the need for other documents that users will actively seek out, such as vacation requests, insurance forms, etc. This is often part of a larger information management issue; it is important to take a step back and see how signatures fit into the larger context of audit, certification and compliance. For many organizations, a simple audit trail showing that user X has seen the document meets the legal requirements. A move to robust third-party digital signature technologies will require changes to current process, policy and management. The value of signatures to acknowledge having seen a policy needs to be balanced against both the budget cost and the cost of the time to manage them. This type of use can be handled as part of an effective information management strategy and may be embedded into existing processes by using the audit trail and AD.

2. ENSURING LEGALLY BINDING AGREEMENTS FOR PAYMENTS, CONTRACTS AND RESTITUTION

The more tangible problem is confirming that an internal or external client/user has in fact opened and, at a very minimum, skimmed the documents, so that the organization can enforce the limitations and expectations outlined in them. For internal use cases, these legally binding documents outline penalties on end users; the ability to enforce those penalties is directly tied to the organization’s ability to uniquely identify a single user and tie their acknowledgement of the rules to their breaking of the rules. For external use cases, organizations need the protection conferred by a signature. The signature represents a unique ID that is tied directly to an understanding of the obligations that the external user has made to (or expects of) the organization. This is a complex issue that likely requires third-party technologies. The rest of this whitepaper examines the issues surrounding legally enforceable certification and authentication, i.e. digital signatures.
Most vendors that sell stand-alone e-signature technologies will manage the auditable database for you and will work through email.

Market trends and forces

All of the vendors in the stand-alone e-signature market typically offer management of the documents in a Software as a Service model. This is because, in order to justify the cost, most organizations are asking for a system that can be used as part of an e-commerce strategy. Overall, the digital signature/e-signature market is currently in flux. Many ECM and productivity suites (Google Docs and Office 365) have built-in e-signature systems that can be used for internal electronic authentication, meaning that many organizations do not need the more robust technologies. Having said that, there are a few products that are focused on robust e-signature/digital signatures.
What we find overall is that, from a product perspective, what used to be separate e-signature and digital “wet signature” products are now being merged by vendors into a single product that gives you the option of a wet signature with the e-authentication/certificate backbone, or just the signature.

Defining signatures by example

1 Autograph
A basketball player autographs a basketball. The purpose of that signature is an “autograph” left on a physical object as a keepsake.

2 Handwritten / pencil on contract
A handwritten, pencil signature on the last page of a multi-page contract, together with the other pages being initialed. In this case, the signature on the last page is explicit evidence of the intent of the party to submit to the terms of the contract, whereas the initials on the other pages are also “signatures”, but with a different purpose. It is the signature on the last page that carries evidence of the signing party’s intent to submit to the terms of the contract, whereas the initials carry evidence that the pages are what they purport to be: the pages that were part of the original contract, as opposed to pages that could have been substituted in the absence of initials.

3 Email
An email header containing a full name and email address. To the extent that the email address can be traced to a specific individual and the account is not shared with someone else, such an email header possesses signature attributes; but what is the purpose? The form of an email header only suggests an implicit purpose inherent in all email headers: to identify the source of the email. There is no implicit or explicit purpose of binding oneself to the content of an email merely because of an email header.

4 Email with signature block
An email with a block signature. This example is different from the previous one.
If the email header (name and email address) can be traced to an account of a named individual and that account is not shared, the addition by that named individual of a block signature carries explicit evidence of the intent of the signatory to be bound by the content of the email. In this case, it is the combination of the email headers and the signature block that forms the complete electronic signature.

5 “I accept” button
Clicking “I accept” at the bottom of a long End-User License Agreement (“EULA”) when installing software on one’s personal computer. Software companies often make it impossible to install their software unless the user clicks “I accept” at the bottom of the EULA. In such cases, do we have a signature? Going back to the definition of a signature and applying it to the process of installing software on one’s personal computer, we find all the attributes of a signature: the EULA must have been signed by the owner of the computer, otherwise the software would not have installed; it must be the owner that clicked “I accept”, assuming the owner has a password-protected account on the computer, has exclusive access, etc.; and the explicit purpose is plain because of the button label “I accept” under the EULA. This example illustrates how an electronic process can be designed to reflect the attributes of a signature, even if there is no analogy with the ceremonial, traditional handwritten signature.
Electronic Signatures types selected for Further Analysis

The following electronic signature scenarios will be considered for application to the Canadian legal system:
• standard email with signature block (no encryption)
• password-protected user account on a web site allowing submission of information
• documents signed with third-party social media profile or email account validation (e.g. Adobe EchoSign)
• digital signatures

Digital signatures are electronic signatures implemented with Public Key Cryptography (PKC) and supported by a Public Key Infrastructure (PKI). They are a subcategory of electronic signatures and have higher assurance levels than other electronic signatures. They also have lower convenience levels. Because of their higher assurance levels and cryptographic implementation, digital signatures are often implemented with 1, 2 or 3 factor authentication. These “factors” are elements that must be present at the signing event:
- “something only the user knows”: a password or a PIN, for example
- “something only the user could have at the time of signing”: a smart card or USB token, for example
- “something that relates the digital you to the physical world”: a thumbprint or retina scan, for example

Use Cases for each of the types of signatures possible

Scenario #1 – Email with Signature Block
Scenario Description. In this scenario, a person is using their own email account and the following assumptions apply:
• The account is only used by one person
• The account password is reasonably secure
• The account uses the real name of the person as its display name
• The account can be personal, work-related, ISP-provided or online (e.g. Yahoo or Gmail)
• The account is used by the person on a regular basis (i.e. not an account opened to conduct a single transaction)
In addition to the above assumptions, when the user wishes to “sign” an email, it is assumed that a signature block would be appended at the end of the email.
Email as a secure signature is difficult to defend legally, as the number of free, one-off email addresses has expanded greatly. It should be noted that for internal processes, where the email address is used for communication and all of the above assumptions can be confirmed, an email address as a legally binding signature is acceptable in a court of law.

Scenario #2 – Information Submitted via Password Protected Web Site
Scenario Description. In this scenario, a person is using a secure web site (with an SSL connection) together with username and password credentials. This web site belongs to the recipient of the signed information. The recipient controls the issuance of user accounts. For example, a court could have an e-filing web site and only issue user accounts to attorneys who present themselves in person at the court house. Upon verification of their Law Society and identity credentials, they would be granted a username and password for the e-filing web site. In this example, the recipient of the “signed” information is the court. When the attorney logs into the web site, the court can have a
reasonable assurance level that documents filed by that attorney and “signed” in the web site by clicking on a web page button are, in all likelihood, signed by that lawyer. Under this scenario, would signed transactions conducted by the lawyer be deemed “signed” under the Signature Assessment Framework?

Scenario #3 – Documents Signed with 3rd Party Validation
Scenario Description. In this scenario, a document is sent to an online third party. The third party verifies that the document sender holds credentials to a specific named email account or social media profile (e.g. Facebook or LinkedIn). The sender is then allowed to sign the document in a way that reflects the credentials verified. Services offered by such third parties also allow the sender to specify other signers, whose credentials are verified in the same way. An example of this service is Adobe EchoSign. The following assumptions apply in this scenario:
• The 3rd party account (for example, a DocuSign account) is held by one individual only
• The signer using 3rd party validation is validating with email accounts compliant with the assumptions under Scenario #1
• If the signer validates with social media profiles instead of email accounts, then such social media profiles are protected by passwords that are reasonably secure and hard to guess
The end result of signing under this scenario is a document that bears:
• visual indications of signatures
• a document signing transaction number that can be verified by anyone on the 3rd party web site
• upon such verification, an audit report that shows who signed the document, at what time, using what credentials (which email account or social media profile)
Under this scenario, would the document be considered effectively signed under the Signature Assessment Framework?

Scenario #4 – Documents Signed with Digital Signatures
Scenario Description.
This scenario envisions the use of digital signatures in conjunction with a supporting Public Key Infrastructure, with its inherent security assumptions. An example of this service is Notarius, used by several professional associations.

General case law on digital signatures – basic requirements for using any of the above:

A typical evidentiary rule that has emerged in legislation and case law with regard to the integrity of electronic documents is how to apply the rule of “best evidence” when dealing with electronic documents. Typically, adducing evidence to the effect that
• the IT system containing the electronic document or information, at all material times, was working well; and
• there is no reason to believe the system was tampered with,
is sufficient. Most if not all jurisdictions define electronic signatures either by casting a very wide net, stating that an electronic signature is any electronic information associated with a document with the intention of signing the document, or with a much narrower scope, effectively corresponding to digital signatures and excluding other electronic signatures.

Email with Signature Block
There should be no legal impediment to recognizing emails with signature blocks as validly signed documents if
• it meets the criteria defined in Scenario 1
• the evidentiary rules of that jurisdiction are met

Information submitted via password protected secure web site
In this scenario, the recipient of the information has a secure web site and issues user credentials (username and password) to anyone that has a need to submit “signed” information via the web site. The identity of the person is verified before the user credentials are issued. In a case like this, the entire process from account issuance to submission of information via the web site should be taken into account in characterizing the “I submit” button (for example) as a valid signature. Again, a factual assessment against the Signature Assessment Framework in this study will help determine if the signature can be relied upon.

Documents signed with 3rd party email account or social media profile validation
3rd party validation (e.g. DocuSign), when the 3rd party is trusted, is an effective means of tying the holder of an email account or social media profile to a specific signature, with the possibility of later verifying the signature transaction. These characteristics enhance several assurance levels (when compared to emails, for example) and should therefore be taken into account in assessing the reliability of such signatures.

Digital signatures generally have the highest assurance levels of all electronic signatures.
However, one must factually assess the associated Public Key Infrastructure, because a digital signature is only as good as its supporting PKI. In addition, there should always be a way in law for a signer to contest the validity of a particular signature, even a digital one, because all electronic signatures have a weaker association with their signer than handwritten signatures do.

Making a Decision
The key factor in the move from “blue ink” signatures to a digital-based signature is user type.
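The point that a digital signature is only as good as its supporting PKI, and the earlier description of digital signatures as public key cryptography backed by a PKI, can be made concrete with a small program. The Go program below is an added example for this edition of the paper; it is not ThinkDox code and not the code of Notarius, DocuSign or EchoSign. It uses only Go’s standard library and builds a throw-away, in-memory PKI with constructed names (“Example Org Root CA”, “Jane Doe”, “Other Org”); Ed25519 is the author’s choice of algorithm for brevity. The relying party’s verification does two things in order: it first checks that the signer’s certificate chains to a root it trusts and was issued for signing documents, and only then checks the cryptographic signature over the document. A signature that is mathematically valid but made under a certificate from an unrelated PKI is therefore rejected, which is exactly the “assess the supporting PKI” requirement stated above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory root CA plus one signing certificate it issued.
type PKI struct {
	Root      *x509.Certificate
	Signer    *x509.Certificate
	SignerKey ed25519.PrivateKey
}

// issue creates a certificate for pub signed by parentKey; a nil parent means
// a self-signed root. Validity is one day, starting an hour ago (clock skew).
func issue(serial int64, cn string, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // end entity: signs documents, not certificates
	}
	if parent == nil { // root: may issue certificates, nothing else
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPKI builds a self-signed root and an end-entity signing certificate
// chained to it, so a verifier can later ask "who vouches for this key?".
func NewPKI(org, signerName string) (*PKI, error) {
	rootPub, rootKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	signerPub, signerKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	root, err := issue(1, org+" Root CA", rootPub, nil, rootKey)
	if err != nil {
		return nil, err
	}
	signer, err := issue(2, signerName, signerPub, root, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Signer: signer, SignerKey: signerKey}, nil
}

// SignDocument produces the signer's Ed25519 signature over the document bytes.
func SignDocument(key ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(key, doc)
}

// VerifyDocument is the relying party's check: establish that the signer's certificate
// chains to the trusted root and was issued for signing, then check the signature itself.
func VerifyDocument(root *x509.Certificate, signer *x509.Certificate, doc, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if signer.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("signer certificate was not issued for digital signatures")
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, doc, sig) {
		return fmt.Errorf("signature does not match document")
	}
	return nil
}

func main() {
	org, err := NewPKI("Example Org", "Jane Doe") // constructed names
	if err != nil {
		panic(err)
	}
	other, _ := NewPKI("Other Org", "Nobody") // a PKI the verifier does not trust
	doc := []byte("Constructed contract text: the signer accepts the terms above.")
	sig := SignDocument(org.SignerKey, doc)
	fmt.Println("trusted root, original text:", VerifyDocument(org.Root, org.Signer, doc, sig))
	fmt.Println("unrelated root:             ", VerifyDocument(other.Root, org.Signer, doc, sig))
}
```

Run as a normal Go program, the first line prints <nil> (accepted) and the second prints an unknown-authority error, even though the signature bytes are identical in both calls. The same ordering applies to a production verifier: a signer who presents a certificate from a PKI the organization has not assessed and chosen to trust has not produced a signature the organization can rely on, however sound the cryptography.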
Internal Users
Organizations with an EDRMS (electronic document and records management system, AKA ECM) have all of the technology that they require for internal processes to be legally binding. Many now include the ability to provide a digital version of a wet signature via touch screen or mouse. Since this wet signature is attached to the login information, it has all of the required elements to be legally binding regardless of document type. The key hurdle is often internal policies that require specific forms of signature rather than a certification of identity and an acknowledgement that the user will comply with the terms of the document they have read.

External Users
Organizations looking to contractually bind non-employees require a system that can:
A. Be deployed outside of the firewall, in a secure manner.
B. Provide the full identity, certification, and audit of time and location controls that meet the legal obligations outlined above.
C. Be multi-use-case. This should include web parts for e-commerce scenarios, contract signatures, notices of understanding, etc.
The key hurdle here is often price. Many organizations struggle to justify the cost of digital signature technologies for any single use case.

Final Thoughts
The key to defining your signature needs is understanding the role of signatures in your business process(es). As we move further into the digital age and mobile becomes a key work device, requiring a pen-based signature will limit your audience rather than serve as a low-expense tool for assuring the legal status of a document or process. The limits that most organizations face are not based on legal requirements but on internal change management. Prior to investing in expensive technology, it is best to review the process goals and ensure proper requirements gathering has been performed, rather than simply sending out an RFP and choosing a technology.