Thanks to its capacity to ensure the integrity of signed documents and the authentication of signatories, the electronic signature (e-signature) is a real guarantee of security for businesses – especially for their legal departments.
The technology is now widely used in all sectors of activity and essential for digitalised customer journeys. The current health crisis – and the resulting need to work remotely – has reinforced this ‘integrity’ of a document, and authentication of a signatory, or preservation over time. From a legal point of view, there is a focus on the key elements that an efficient electronic signature service must guarantee.
An electronic signature is a reliable identification process which allows for a deed – whose integrity has been guaranteed – to be linked to a duly identified person: the ‘signatory’.
Electronic Signatures and Their Integrity
Firstly, it should be noted that integrity is defined as:
“the state of something that has been preserved in its original state, without having been modified.”
In all electronic-signature processes, integrity is technologically assured from the time of the signature using a cryptographic timestamping process. This guarantees the integrity and authenticity of the document at a precise date and time, and that it has not been modified since that date.
When timestamping is qualified under the European eIDAS regulation, the date, time, and occurrence of any processing, as well as the integrity of the document, may not be challenged.
Once the document is signed, it is preserved under conditions which guarantee its integrity over time. This is an essential requirement. Nevertheless, problems may arise when a signed document is intended to be preserved for very long periods of time. In short, it is possible the technologies and algorithms that guarantee the technical security of electronic timestamping will no longer be capable of ensuring said guarantees, because of technological progress.
It is therefore advisable to protect oneself in the long term against technological issues which may compromise the demonstration of any electronic evidence’s reliability.
This guarantee may be ensured in several ways:
- The signed document may be stored in an Electronic Safe, providing a legally admissible archiving service. This is to ensure the filed document is indeed the original when subsequently retrieved.
- The signed document may be preserved under conditions allowing it to receive an additional timestamp at regular intervals, thereby extending over time the reliability of the integrity established on the date of the initial signature (preservation with probative value, with reference to the ETSI EN 319 142-1 standards).
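The second option above, periodic re-timestamping, can be modelled as a chain in which each new timestamp covers the document and every earlier timestamp. The sketch below is an added example, not code from the article or from any signature provider; it is a simplified model in which an HMAC with a constructed key stands in for the timestamping authority's signature (a real authority issues signed RFC 3161 tokens), and the names `renew`, `verify` and `demo` are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a timestamping authority (TSA). A real TSA signs
# an RFC 3161 token with its private key; HMAC keeps this example offline.
TSA_KEY = b"constructed-demo-key"

def _seal(body: str) -> str:
    return hmac.new(TSA_KEY, body.encode(), hashlib.sha256).hexdigest()

def _covered(document: bytes, earlier: list) -> bytes:
    # A renewal covers the document plus every earlier token.
    return document + json.dumps(earlier, sort_keys=True).encode()

def renew(document: bytes, chain: list, alg: str, when: str) -> list:
    """Return the chain extended by a new timestamp computed with `alg`."""
    digest = hashlib.new(alg, _covered(document, chain)).hexdigest()
    body = json.dumps({"alg": alg, "digest": digest, "time": when}, sort_keys=True)
    return chain + [{"body": body, "seal": _seal(body)}]

def verify(document: bytes, chain: list, trusted_algs: set) -> bool:
    """Check every link, time ordering, and that the newest hash is still trusted."""
    last_time = ""
    for i, token in enumerate(chain):
        if not hmac.compare_digest(_seal(token["body"]), token["seal"]):
            return False          # token was not issued by the TSA
        body = json.loads(token["body"])
        data = _covered(document, chain[:i])
        if hashlib.new(body["alg"], data).hexdigest() != body["digest"]:
            return False          # document or an earlier token was altered
        if body["time"] <= last_time:
            return False          # renewals must move forward in time
        last_time = body["time"]
    # Only the newest token needs an algorithm that is still considered strong.
    return bool(chain) and json.loads(chain[-1]["body"])["alg"] in trusted_algs

def demo() -> dict:
    doc = b"constructed sample contract"
    strong = {"sha256", "sha512"}
    chain = renew(doc, [], "sha1", "2005-06-01T00:00:00Z")
    before = verify(doc, chain, strong)      # only a SHA-1 stamp exists
    chain = renew(doc, chain, "sha256", "2015-06-01T00:00:00Z")
    return {"before": before, "after": verify(doc, chain, strong),
            "tampered": verify(doc + b"!", chain, strong)}
```

The renewal only carries evidential weight if it is applied while the older algorithm is still considered sound, which is why the re-timestamping has to happen at regular intervals rather than after a weakness is known.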
Verification of the Signatory’s Identity
Different levels of signatures can be adapted to your needs. The eIDAS regulation outlines three signature levels: simple, advanced, and qualified. In addition, because of commercial practices, a fourth level has been developed: advanced with qualified certificate.
The guarantee of the signatory’s identity will be stronger or weaker depending on the chosen signature level.
The simple electronic signature…
Is issued without any verification of the signatory’s identity. The identity of the signatory and their related information (telephone number, email address, etc.) are completed by the person wishing to have the document signed. They are often communicated in advance based on the future signatory’s declaration.
This level of signature is recommended for acts with a low probability of repudiation. It may also be used for customer journeys by integrating reinforced identity-verification measures for future signatories, independent of the signature operations (KYC process).
The advanced signature, on the other hand…
Is based on reinforced means of identification. In short, this requires the creation of a personal certificate (a digital identity that identifies the signatory and links this identity to a pair of cryptographic keys). The information contained in this certificate is completed by the person requesting the creation of the certificate, and its accuracy is verified by the Certification Authority against the ID document provided by the signatory. The level of identification offered in this case is more reliable.
For the advanced signature with qualified certificate, issuance of such a certificate requires the provision of an ID document and a face-to-face meeting between the future certificate holder and the registration operator. The latter may then verify that the person in front of them is indeed the same person who appears on the ID document, and that the information indicated on it is accurate. The certificate issued is therefore termed ‘qualified’.
Finally, the qualified signature…
Is the highest level under the eIDAS regulation, and is established via a qualified certificate and a qualified signature-creation process. It benefits from a presumption of reliability, which implies the reversal of the burden of proof: any person disputing the signatory’s identity must prove its inaccuracy.
The Legal Implications of Electronic Signatures
When the electronic signature is finalised, it demonstrates the identified author’s agreement to the obligations contained within the deed, whose content has been accepted and whose integrity may not be challenged.
Article 25 of the eIDAS regulation states that all other levels of signatures remain admissible in court, provided that the person producing the signed document demonstrates the reliability of the process, particularly in terms of identification of the author or integrity of the signed document.
This becomes much easier when the document has been signed using a qualified Trust Service Provider’s (TSP) platform, offering reinforced guarantees allowing for:
- the verification of the signatory’s identity when a certificate is issued as part of the signature operations;
- the presentation of all information concerning the signed documents, to provide evidence in the case of dispute or litigation; and
- the assurance of the reliability of a technical signature procedure that must comply with the strict technical, organisational, and security standards imposed by the eIDAS Regulation.
It is important to note that, from a legal standpoint, the qualified electronic signature is the only equivalent to a handwritten signature (Article 25 of the eIDAS regulation). Ironically, it is the least used tool in the world of business. This may be because of the myths surrounding the cost and complexity in integrating this within a customer journey.
Simple, advanced, or qualified. Today, the benefits of electronic signatures are recognised across the world. So what are you waiting for? The electronic signature: once you have tried it, you will not look back!
William Baldari is Head of Legal and Compliance at Universign.
An eIDAS qualified Trust Service Provider, the Universign SaaS platform provides electronic signature, electronic seal and timestamp services.
If you would like to discuss this article and its contents further, please contact Franck Decourty, Alliance Officer at Universign.