Richard Oliphant looks at the emergence of cloud-based digital signatures. He argues that this development should help to allay concerns about the cross-border validity and enforcement of electronic signatures, and establish a new standard for executing client transactions.
In 2018, the Law Commission launched a consultation on the electronic execution of documents in England and Wales. The consultation stressed the lingering uncertainty over the use of electronic signatures where statute imposes formalities such as a requirement that a document be signed or made in writing (for example, a contract for the sale of land under section 2 of the Law of Property (Miscellaneous Provisions) Act 1989). The consultation noted that this uncertainty was hindering the use of commercial e-signing platforms such as Adobe Sign and DocuSign. The consultation would strive to “ensure that the law governing the electronic execution of documents, including electronic signatures, is sufficiently certain and flexible to remain fit for purpose in a global, digital, environment”.
In its subsequent report, ‘Electronic execution of documents’, published in September 2019, the Law Commission analysed the current law of England and Wales in great depth. This law is a hybrid of European law (EU Regulation No 910/2014 (eIDAS)), national legislation (the Electronic Communications Act 2000 (ECA 2000)) and case law relating to both electronic and non-electronic signatures.
The report confirmed that current law does accommodate the use of electronic signatures: “An electronic signature is capable in law of being used to execute a document (including a deed) provided that (i) the person signing the document intends to authenticate the document and (ii) any formalities relating to execution of that document are satisfied.”
The Law Commission also clarified that where a deed is required to be “signed in the presence of a witness”, the witness must be physically present and observe the signature. The report recommended setting up a multidisciplinary industry working group to “consider the practical and technical issues” associated with the electronic execution of documents. It recommended that the working group’s brief include advising the government on the feasibility of video witnessing (and attestation) of deeds. This is a welcome proposal, but practitioners should note that a video function for witnessing is not yet fully integrated into the market-leading e-signing platforms.
It is tempting to think that the Law Commission’s strong endorsement of electronic signatures would be the catalyst for law firms to wholeheartedly embrace e-signing platforms. Contrary to popular myth, law firms are not technophobes, nor are they resistant to change and innovation. This is evident in their use of new tools such as intelligent automation for billing, time recording and conflicts clearance. Law firms are always keen to harness technology and demonstrably improve client services. In fact, many leading City law firms use DocuSign and Adobe Sign for client engagement letters and simple transactions where the parties are domiciled in England and Wales.
The real obstacle to using e-signing platforms is that many transactions have a cross-border element. This has given rise to legitimate fears that the e-signed document may not be legally valid or enforceable in overseas jurisdictions.
Electronic v digital signatures
The distinction between electronic and digital signatures is often misunderstood.
Electronic signature is defined in article 3(10) of eIDAS as “any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”. This can take many forms, including:
- typing a name into a contract or at the bottom of an email
- a scanned manuscript signature
- clicking an “I accept” or “I agree” button on a website
- associating biometric data, such as a fingerprint, with a signature
- using an e-signing platform to generate:
  - an electronic representation of a handwritten signature; or
  - a digital signature using public key infrastructure (PKI) and backed by a digital certificate from the platform provider (or a trusted third party) to verify the identity of the signatory.
A digital signature is essentially a more sophisticated and secure electronic signature. It uses PKI, and imposes more stringent protocols for verifying that the signatory is who they claim to be. The digital signature is bound by encryption to the document. Digital signatures are more prevalent in civil law jurisdictions and in highly regulated industries such as pharma and banking. But there are transactions for which English law mandates use of a digital, rather than an electronic signature: for instance, digital mortgage deeds filed with HM Land Registry under the Land Registration Act 2002 must be approved with an advanced electronic signature (AES) (see below).
eIDAS defines two categories of digital signature: an AES, and a qualified electronic signature (QES). An AES is defined in article 26 of eIDAS as an electronic signature that is:
- uniquely linked to the signatory
- capable of identifying the signatory
- created using electronic signature creation data (in other words, a private encryption key) that the signatory can, with a high level of confidence, use under their sole control, and
- linked to the signed data in such a way that any subsequent change in the data is detectable.
A QES is an AES that fulfils two further requirements: it must be supported by a “qualified certificate” issued by a “qualified trust service provider”, whose credentials have been recorded in a “trusted list” published by an EU member state (article 22 of eIDAS); and it must be created by a “qualified electronic signature device” (article 3(23) of eIDAS). Traditionally, this device was a physical smartcard or USB token designed for desktop usage, but cloud technology now enables – and eIDAS explicitly allows – signatories to create and validate digital signatures in the cloud with a mobile device such as a tablet or smartphone.
A QES provides the highest level of admissibility in EU courts and has the equivalent legal effect of a handwritten signature (article 25(2) of eIDAS). Moreover, a QES based on a qualified certificate issued in one EU member state benefits from mutual recognition across the whole EU. It is unclear at the time of writing whether the mutual recognition of QES will be preserved in the UK when the transition period under the Brexit withdrawal arrangements ends on 31 December 2020.
How does an e-signing platform generate cloud-based digital signatures?
Before the advent of cloud technology, a signatory would create a digital signature by using a PIN and a digital ID stored on a smartcard or USB token that plugged into a desktop computer. This was cumbersome, inflexible and expensive. It is perhaps unsurprising, therefore, that digital signatures were not widely adopted in England and Wales.
Cloud technology now makes it possible for a signatory to sign documents with a digital signature via a web browser or mobile application. The public and private encryption keys and the signatory’s digital certificate to prove their identity are all hosted in the cloud. This has simplified the process for authenticating the signatory and using platforms like Adobe Sign and DocuSign to execute documents with a digital signature.
Let us consider the digital signature workflow on the Adobe Sign platform. When a document is ready for signature, it is uploaded to the platform. The signatory must obtain a digital certificate from a third-party trust service provider (TSP) (or certification authority) to verify their identity. This requires proof of identity, such as a driving licence or passport, and the TSP will deploy machine learning to examine watermarks and security features to validate that the submitted ID document is authentic. Adobe Sign then asks the signatory to provide a PIN (issued by the TSP) or a one-time password (OTP) for authentication purposes. Once authenticated, the signatory uses the private key hosted by the TSP to encrypt a digital fingerprint of the document, called a “hash”. The encrypted hash becomes the digital signature of the signatory and is cryptographically bound to the document. Finally, the document is certified with a tamper-proof seal and the platform generates a digital audit trail. This records who created and opened the document, who signed it, including their email and IP address, the timing of the signature, and (on compatible mobile devices) the geolocation of the signatory. In a dispute over the authenticity or integrity of a document signed via the platform, the digital signature and audit trail are admissible in evidence in legal proceedings (section 7 of the ECA 2000).
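The hash-then-sign step described above, and the AES requirement that any later change to the signed data be detectable, can be seen in a short added example; it is not Adobe Sign's or any TSP's code, and every name in it is hypothetical. It uses textbook RSA without padding and publicly known Mersenne primes so that it runs with the Python standard library alone, which makes it a teaching toy only: production signatures use a padded scheme and keys held in certified hardware.

```python
import hashlib

E = 65537  # conventional RSA public exponent


def make_key(p, q):
    """Build a toy RSA key pair from two primes: (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def digest(document: bytes) -> int:
    """The document's 'digital fingerprint': its SHA-256 hash as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private) -> int:
    """Apply the private-key operation to the hash; the result is the signature."""
    n, d = private
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public) -> bool:
    """Undo the operation with the public key and compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest(document)


def demo():
    # Constructed keys: Mersenne primes are public knowledge, so these keys
    # offer no security and stand in for the key pair hosted by the TSP.
    signer_pub, signer_priv = make_key(2**127 - 1, 2**521 - 1)
    other_pub, _ = make_key(2**107 - 1, 2**607 - 1)

    # Constructed sample documents.
    contract = b"Share purchase agreement: price GBP 1,000,000"
    altered = b"Share purchase agreement: price GBP 1,000"

    signature = sign(contract, signer_priv)
    return {
        "original": verify(contract, signature, signer_pub),   # untouched document
        "altered": verify(altered, signature, signer_pub),     # edited after signing
        "wrong_key": verify(contract, signature, other_pub),   # different signatory's key
    }


if __name__ == "__main__":
    print(demo())
```

The signature covers only the hash, so a relying party needs the document, the signature and the signatory's certified public key to repeat the check independently of the platform.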
Why law firms should opt for digital signatures
Law firms’ reluctance to use e-signing platforms for client transactions is understandable. We live in an era of economic globalisation, and many law firms – especially those in the City – predominantly advise their clients on international transactions. Transactions are commonly entered into with an overseas company or may be subject to foreign law and/or the jurisdiction of foreign courts. It is therefore vital that the transactional documents are executed in a manner that will ensure their recognition, registration or potential enforcement in all relevant jurisdictions. This can be problematic. It forces lawyers to grapple with conflicts of law issues, and a consequential preference has evolved for what law firms perceive to be the safer choice of manual signatures over electronic signatures.
In fairness, it is also true that the leading e-signing platforms have been equally reluctant to market their digital signature product to law firms. There are several reasons for this. From my own experience as the former EMEA GC of DocuSign, one key reason was that the digital signature workflow was considered too clunky in comparison with the smooth workflow for an electronic signature.
But fast forward to 2020, and cloud-based digital signatures are now simple to deploy. They offer law firms several compelling advantages over electronic signatures.
- They are more secure and reliable, as the digital signature is encrypted and bound to the document itself.
- A TSP verifies the identity of the signatory so that the other party to the document has greater assurance that the signatory is who they purport to be. By contrast, the basic authentication tool for an electronic signature is an email address – which may easily be spoofed.
- Once the signatory has been authenticated by a TSP, they can reuse their digital certificate to digitally sign other documents via the e-signing platform.
- Digital signatures carry more evidential weight in any court dispute over the authenticity or integrity of the document.
- The use of PKI substantially reduces the risk of repudiation in a cross-border deal. The signatory is the only person with access to the private encryption key and cannot deny they created the digital signature.
- QES is the ‘gold standard’. It has the equivalent legal effect of a handwritten signature and benefits from mutual recognition across all EU member states.
As law firms become more aware of cloud-based digital signatures, they have the potential to become the new de facto standard for executing client transactions.