Abbie Le Brocq, Abigail Gowland, Beth Haigh and Sam Parker explain how electronic signatures work, how they differ from digital signatures, and the pros and cons of the technology
Electronic signatures are the latest phenomenon coming to the fore in a more technologically advanced world.
We all know that a classic signature is a handwritten representation of a person’s name and surname or title. It is used to verify a person’s identity, and shows that they provide consent and endorse the information contained in a particular document. An electronic signature can be used to do exactly the same. They are a legally recognised way of showing that the signer intends to adhere to the contents of the document they have signed.
The first law regulating electronic signatures was Directive 1999/93/EC , which recognised them as a legally valid form of signing a document, and admissible as electronic evidence in court. However, there were many problems when they were first introduced, mainly to do with the fact that every EU state interpreted the directive differently. This went against the purpose of electronic signatures: they were intended to speed up the legal process, but instead they started doing the opposite.
All this meant that the directive became obsolete, prompting the issuing of a new regulation that came into force on 1 July 2016: Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. This new regulation, known as eIDAS, defines electronic signatures as the data “in electronic form which is attached to or logically associated with other data in electronic form and used by the signatory to sign”.
Types of e-signatures
The eIDAS regulation has developed different classifications based on the security and assurance of e-signatures.
Basic level signatures can be anything from a simple tickbox to scanning a signature onto a device. This is the most vulnerable form of electronic signature, as there is more possibility of the document being tampered with, and the true identity of the signer is unknown.
The next classification is advanced signatures. These must meet certain requirements set out by the regulations. They must be:
- uniquely linked to the signatory
- capable of identifying the signatory
- created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control, and
- linked to the data signed in such a way that any subsequent change in the data is detectable.
The best method to choose to meet these requirements is a digital signature – see more below.
Finally, there are qualified electronic signatures, which must be created on a signature device which has a reliable hardware and special security features which meet the requirements set out by eIDAS. The requirements are as follows.
- The confidentiality of the electronic signature creation data is reasonably assured. The electronic signature creation data used for electronic signature creation can practically only occur once.
- The electronic signature creation data used for signature creation cannot be derived, and the signature is protected against forgery using current available technology.
- The electronic signature creation data used for signature creation can be reliably protected by the legitimate signatory against use by others.
Digital signatures
One form of secure electronic signature is a digital signature. These offer more security than a traditional electronic signature. This is because a digital signature follows a specific protocol called a public key infrastructure (PKI), a set of requirements that allows the creation of digital signatures. Through PKI, each digital signature transaction includes a pair of keys: a public key and a private key. The private key is only used by the signer to electronically sign documents, whereas the public key is openly available in order to validate the signer’s electronic signature. PKI enforces additional requirements such as the certificate authority (CA) ,which protects the pair of keys in order to ensure safety and to avoid forgery or malicious use. CAs are third-party organisations that have been widely accepted as reliable for ensuring key security, and that can provide the necessary digital certificates. Both the entity sending the document and the recipient signing it must agree to use a given CA.
The digital signature can be considered as a numerical value that is represented as a sequence of characters. A digital signature can only be created by a computer; this is ultimately a process that guarantees that the contents of the message have not been altered in transit. Each digital signature is unique to each signer, much like a handwritten signature. As the digital signature is unique to the signer, it is possible to use a fingerprint, or even an ear print, as a signature.
The pros and cons of electronic signatures
Electronic signatures are becoming more popular, as they allow for quick signing of contracts between both parties, regardless of their geographical location. Before electronic signatures were introduced, contracts had to go through a lengthy process of being signed and often shipped to various locations; this process is not only time-consuming, but also expensive, including in terms of labour costs. Electronic signatures also enhance security; paper contracts can be easily tampered with, whereas electronic signature software can automatically detect minor alterations, and risks are also mitigated, as the software is able to provide alerts when suspicious activity takes place.
There are, however, some problems with electronic signatures. The parties are relying on technology, which is not always reliable. Currently, not all documents are capable of being electronically signed, due to certain formalities – this includes wills and contracts for the sale of land (although this has the potentially to change in future). And finally, and potentially of most concern, electronic signatures are not regulated like digital signatures are; it is up to each provider to make their own standards, so you have to take their word for it when they say their signatures are secure.
If you want to know more…
• …about digital and electronic signatures, below are some useful links:
- tScheme : the UK’s self-regulatory body for electronic trust service approval
- the Law Commission’s 2018 project on the electronic execution of documents
- the Government’s guide to electronic signatures .