E-Signature Legality and Best Practice
We are often asked whether signatures captured with our technology are legally binding. This is a complex question, but the simple answer is "yes".
Here are the caveats...
- Our technology is fully capable of capturing signatures in a way that is both legally binding and verifiable. However, this depends entirely on the framework surrounding the capture: how the signature data is bound to the document, stored and later verified, not only on the device and the manner of capture.
- For example: if you capture a signature with our technology and then save it in your systems as a bitmap file on disk, that is NOT a legally compliant way of storing and attributing signatures. A bitmap is detached from the document, can be pasted onto any other document, and retains none of the pen dynamics (timing, pressure, stroke order) that an examiner would need in order to authenticate it.
- If you capture a signature, with our technology or any other, and save it WITHOUT cryptographically binding it to the document/data being signed, then again this is NOT a legally compliant solution: nothing ties the signature to the exact content the signer saw, so later changes to the document cannot be detected.
So (to be more positive!)
- If you capture a signature with our technology, cryptographically bind the captured signature data to the document/data being signed (for example by hashing both and signing or sealing that hash together with the signer's identity and the time of signing), and store the result securely, then this IS a legally compliant solution.
This is made simple and straightforward by using our:
- FREE Software Developers' Toolkits
- FREE Technical Support
- FREE Plug-Ins for common office applications (Microsoft Word, Microsoft Excel, Adobe PDF files)
- IDSL Business Support
Useful Information, Links and FAQs
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (repealed with effect from 1 July 2016 and replaced by Regulation (EU) No 910/2014, the eIDAS Regulation)
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31999L0093
Regulation (EU) No 910/2014 (eIDAS) on electronic identification and trust services for electronic transactions in the internal market
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32014R0910
Electronic Execution of Documents
https://lawcom.gov.uk/project/electronic-execution-of-documents/
In the United States, electronic signatures are governed by the Uniform Electronic Transactions Act (UETA), a model law approved by the Uniform Law Commission in 1999 and since enacted by almost every state, and by the federal Electronic Signatures in Global and National Commerce Act (ESIGN), passed by Congress in 2000. Together these two laws form the framework for electronic commerce in the United States, as most state-level e-commerce laws are UETA as drafted or a slightly altered version of it.
In the EU and the UK the corresponding laws are the eIDAS Regulation (EU) No 910/2014, which the UK retained in domestic law after leaving the EU, and the UK's Electronic Communications Act 2000. These laws specify what constitutes a valid electronic signature, as well as the conditions under which it is legally binding.
Essentially:
ESIGN and UETA define an electronic signature as an "electronic sound, symbol, or process, attached to or logically associated with a record" and adopted with the intent to sign. The stricter EU "advanced electronic signature" adds four requirements, and these are the ones that matter when a signature is later challenged in a dispute:
1. Unique to each user (uniquely linked to the signatory)
2. Under the sole control of the signer
3. Linked to the document in such a way that any subsequent change is detectable, and
4. Capable of being authenticated (the signatory can be identified from it)
Several different methods and technologies exist for attaching "electronic signatures" to documents according to these stipulations. Two common types of signature technology that are widely available yet differ greatly in substance are PIN/Password signature stamps and digitized handwritten signatures. A PIN/Password stamp inserts a single fixed signature image into each signed document when a user types a password or PIN. Digitized handwritten signatures are captured with special pen-and-tablet systems that record the user's signature as a stream of pen events (position, pressure and timing), from which an image can be rendered. These methods have different ramifications for security and authentication.
While companies that provide PIN signature stamps may claim that their technology is legally compliant because it qualifies as an "electronic sound, symbol, or process", it falls far short of the four requirements enumerated above.
As a practical point, each and every one of these "signatures" is identical in form and composition, as if they were made with a single rubber stamp. The appearance of the signature on a document is not a record of a person's act of signing, but merely the result of a particular password being typed. A forensic examiner who views the signature image cannot determine its origin, since any person who knew the PIN or password could have produced it.
As such, PIN signature stamps fall short of criteria (1) and (4) above: the image is not unique to the signer's act, and it cannot be authenticated. Should a password be compromised, every document that person had ever signed with the PIN method becomes questionable, since each signature is identical and there is no way to prove which are authentic and which are fraudulent. For these reasons, businesses are advised to invest in an electronic signature technology that creates a unique electronic record for each signing instance, and not to rely on a "rubber stamp" technology.
PKI digital signatures and certificates are sometimes lumped in with "rubber stamp" technology, but they differ in one important respect: the signature value is computed over a hash of the document with the signer's private key (typically a 2048-bit RSA or 256-bit elliptic-curve key, far too large to be memorised or typed), so it is different for every document and any later change to the document invalidates it, which satisfies criterion (3). What they share with PIN stamps is that they prove possession of a key, not the presence of a person: whoever holds the private key, or the smart card and its PIN, can produce a valid signature, and the key is tied to a host computer or to a "secure" smart card that can be lost, stolen, or compromised. The certificate authenticates the key, and only indirectly the signer, and it contains no record of the act of signing itself.
Signatures drawn with a mouse are generally treated as weak evidence of who signed, because they are very difficult to authenticate, which every eSign law requires. A mouse signature is not repeatable for the same signer, it is not an accurate biometric capture (no pressure, coarse timing, and hand movement distorted by the device), and there are no mouse-captured exemplars against which a document examiner could make a comparison. In addition, mouse movement can be observed by other software running on the PC (for example through input hooks), so the capture channel itself cannot be trusted, and mouse signatures are therefore not secure.
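The following is an added worked example, not IDSL's own SDK or code, of the cryptographic binding described at the top of this page and of why a live pen capture satisfies criteria (1), (3) and (4) where a PIN/password stamp does not. It keeps the raw pen-event stream rather than a bitmap, hashes it together with the document, seals the resulting record, and then checks the failure modes the page discusses: an altered document, a different capture, and an edited record. HMAC-SHA256 from the Python standard library is an assumed stand-in for whatever signing primitive a real deployment uses; the pen events, stamp bytes, contract text and sealing key are all constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from any real capture, product or contract).
# Pen events from a pen-and-tablet capture: (x, y, pressure, t_ms).
CAPTURE_1 = [(120, 340, 0.41, 0), (126, 338, 0.55, 8), (134, 331, 0.63, 16),
             (141, 325, 0.60, 24), (150, 322, 0.52, 32), (158, 326, 0.30, 40)]
# The same person signing a second time: a live signature never repeats exactly.
CAPTURE_2 = [(121, 342, 0.39, 0), (127, 339, 0.57, 8), (133, 330, 0.66, 17),
             (142, 324, 0.58, 25), (151, 323, 0.50, 33), (157, 327, 0.33, 41)]
# A PIN/password stamp: the same fixed image bytes are inserted on every signing.
STAMP_IMAGE = b"BM\x00\x00\x00\x01 fixed signature bitmap"
CONTRACT = b"Service agreement v3: total fee 4,800 GBP, payable within 30 days."
# Assumption: a per-deployment sealing key that in production lives in an HSM or
# key vault; HMAC-SHA256 stands in here for the real signing primitive.
SEAL_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pen_evidence(pen_events) -> bytes:
    """Canonical, compact encoding of the raw pen-event stream (never just a bitmap)."""
    return json.dumps([list(e) for e in pen_events], separators=(",", ":")).encode()


def _payload(record: dict) -> bytes:
    """Canonical bytes that the seal covers: every field except the seal itself."""
    unsealed = {k: v for k, v in record.items() if k != "seal"}
    return json.dumps(unsealed, sort_keys=True, separators=(",", ":")).encode()


def bind_signature(document: bytes, evidence: bytes, signer_id: str, signed_at: str) -> dict:
    """Return a signing record whose seal covers the document hash, evidence hash and metadata."""
    record = {
        "signer_id": signer_id,
        "signed_at": signed_at,
        "document_sha256": sha256_hex(document),
        "evidence_sha256": sha256_hex(evidence),
    }
    record["seal"] = hmac.new(SEAL_KEY, _payload(record), hashlib.sha256).hexdigest()
    return record


def verify_signature(record: dict, document: bytes, evidence: bytes) -> bool:
    """True only if the record is unmodified and still matches the presented document and evidence."""
    expected = hmac.new(SEAL_KEY, _payload(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("seal", "")):
        return False  # record edited after sealing, or sealed with a different key
    if record["document_sha256"] != sha256_hex(document):
        return False  # document changed after it was signed (criterion 3)
    return record["evidence_sha256"] == sha256_hex(evidence)


def demo() -> dict:
    """Exercise the binding against the failure modes discussed on this page."""
    rec = bind_signature(CONTRACT, pen_evidence(CAPTURE_1), "alice", "2024-05-01T10:15:00Z")
    rec_again = bind_signature(CONTRACT, pen_evidence(CAPTURE_2), "alice", "2024-05-01T10:16:00Z")
    stamp_a = bind_signature(CONTRACT, STAMP_IMAGE, "alice", "2024-05-01T10:15:00Z")
    stamp_b = bind_signature(CONTRACT, STAMP_IMAGE, "alice", "2024-05-02T09:00:00Z")
    altered_doc = CONTRACT.replace(b"4,800", b"9,800")
    forged_record = dict(rec, signer_id="bob")  # attacker rewrites the stored record
    return {
        "original_verifies": verify_signature(rec, CONTRACT, pen_evidence(CAPTURE_1)),
        "altered_document_rejected": not verify_signature(rec, altered_doc, pen_evidence(CAPTURE_1)),
        "other_capture_rejected": not verify_signature(rec, CONTRACT, pen_evidence(CAPTURE_2)),
        "edited_record_rejected": not verify_signature(forged_record, CONTRACT, pen_evidence(CAPTURE_1)),
        # Two live captures leave two different biometric records (criteria 1 and 4) ...
        "each_live_capture_unique": rec["evidence_sha256"] != rec_again["evidence_sha256"],
        # ... whereas a stamp leaves the same bytes every time, so nothing distinguishes a
        # genuine use of the PIN from a fraudulent one.
        "stamp_identical_every_time": stamp_a["evidence_sha256"] == stamp_b["evidence_sha256"],
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Note that the seal covers the signer identity and time as well as the two hashes, so an attacker with the stored record cannot re-attribute it to another signer or move it to another document without the sealing key; with a real deployment the HMAC would be replaced by a signature from a key that the signer does not hold, so the record also evidences when and by which system the capture was made.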