From a simple tick in a box or the addition of a name at the bottom of a document, to sophisticated and highly secure certificated processes, electronic signatures, which can now be used on legal documents such as commercial contracts, are used increasingly. But how should you use them and which type works best for you?
The latest eIDAS Regulation, which came into effect on 1 July 2016, simplified e-signatures in order to create a single digital market and a more user-friendly framework. Electronic signatures can use single-factor authentication such as a password or PIN code; they can also include multiple authentication steps to increase the level of security.
There are three main types of electronic signature: simple, advanced and qualified electronic signatures:
- Simple electronic signatures can be as simple as a name typed below an email address or ticking ‘I agree’ on a website. This category of signature is open to wide interpretation and provides no real evidence of who the signer really is. For this reason, simple electronic signatures are considered to have the lowest level of security.
- Advanced electronic signatures have a higher level of security: they ensure that the signer can only be the individual from whom the signature has been requested. This reduces the risk of impersonation and identity theft. To further protect the signature, time stamping can also be used to ensure maximum integrity.
- Qualified electronic signatures – these are created through a qualified electronic signature creation device. This category of signature is based on a qualified certificate, which benefits from mutual recognition in all Member States.
So what requirements does my signature need to meet?
In order for an advanced signature to be compliant with the eIDAS Regulation, it must be:
- Uniquely linked to the signer
- Capable of identifying the signer
- Created using signature creation data that the signer can use under their sole control
- Linked to the signed data in such a way that any subsequent change in the data is detectable
What are digital signatures?
Digital signatures are created by a type of cryptography using two software ‘keys’. The information which forms the signature is encrypted by means of a private key known only to the signatory.
Anyone with access to the public key can use it to decrypt the information and confirm that it could only have been signed by someone with access to the private key. Digital signatures use a certificate-based digital ID to authenticate the signer’s identity.
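The key-pair mechanism described above, as an added example that is not part of the original article: the signer's private key produces the signature, anyone holding the public key can verify it, and both an altered document and a signature from a different key are rejected (which is what the eIDAS requirements of sole control and detectable change mean in practice). The example assumes Ed25519 as the signature algorithm and a constructed contract text; the article names neither, and the certificate that binds a public key to a named person is outside this snippet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds a key pair. The private key is the "signature creation data"
// that must stay under the signer's sole control; only the public key is shared.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair (assumed algorithm, not named by the article).
func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness; a key pair cannot be created safely
	}
	return Signer{Public: pub, private: priv}
}

// Sign binds the signer's private key to the exact bytes of the document.
func (s Signer) Sign(doc []byte) []byte {
	return ed25519.Sign(s.private, doc)
}

// Verify needs only the public key. It returns true only when the signature was
// produced with the matching private key over exactly these bytes, so both
// impersonation (wrong key) and post-signing edits are detected.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Demo signs a constructed contract and checks the three cases a relying party
// cares about: the genuine document, an altered document, and a different signer's key.
func Demo() (genuine, altered, wrongSigner bool) {
	alice, bob := NewSigner(), NewSigner()
	contract := []byte("Party A pays Party B GBP 10,000 on delivery.") // constructed sample text
	sig := alice.Sign(contract)
	edited := []byte("Party A pays Party B GBP 100,000 on delivery.") // one character changed
	return Verify(alice.Public, contract, sig),
		Verify(alice.Public, edited, sig),
		Verify(bob.Public, contract, sig)
}

func main() {
	g, a, w := Demo()
	fmt.Printf("genuine=%v altered=%v wrongSigner=%v\n", g, a, w) // genuine=true altered=false wrongSigner=false
}
```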
Most people will have experience of using programs such as DocuSign. These e-signature providers offer a platform for multiple people to legally sign a document electronically. When considering whether to use electronic signatures for your business, you should consider your unique regulatory environment, your risk profile and your specific business requirements.
Risks from relying on digital signatures
The most commonly used mechanisms for electronic signatures typically balance ease of use against some level of risk:
- There is no certainty that the person who signs a document has the legal authority to do so. The same risk applies to traditional signatures on a printed page, but people tend to exercise more caution before they sign a physical document on behalf of an organisation. It’s too easy to click ‘I agree’.
- When archiving an electronically signed document, you need to be able to trace the document back to the infrastructure which evidences the signature – a simple printed document extracted from a digital system lacks that evidence.
- As technology advances, so will the integrity of electronic signatures. In 10 years’ time, reliance on a document signed with today’s technology might look inadequate.