Blog

eSignatures: product or service? Resposibility is the key

Choosing an eSignature service over a product is not only a technological or economic decision. Many other factors come into play, that are arguably even more important.

From a technical point of view, the difference between service and computing product could be summarised with that of cloud and on-premise software: the first is not physically present in the device (computer, tablet, mobile) and is based on the internet, while that the second is a program that is installed on the device. But there has already been a lot of talk about the advantages and disadvantages of consuming services on the cloud compared to more traditional architectures based on software installation, and it is not here where we will deal with them.

When we talk about using office applications or CRMs in general, it may be that the purely technological and financial aspects are the most relevant that come in value. But, when facing processes with a high legal component, such as the signing of informed consent forms, we include in the equation to evaluate the office application or CRM a third element, perhaps the most important of all: responsibility.

The use of third-party services for the formalisation of transactions of legal relevance is not new, notaries have been assuming this role for hundreds of years as a provider of trust services. The role of notaries (both public and private) and modern providers of electronic trust services is the same: providing legal security, guaranteeing neutrality and the parties’ assumption of responsibility.

The benefits of electronic signatures services

Basically, the benefits are the same elements of trust that we mentioned earlier:

ViDsigner trusted eSignature

Legal Certainty

Legal security, understood as the “principle in national and international law which holds that the law must provide those subject to it with the ability to regulate their conduct certainty of the right “[1].

Using an electronic signature service instead of installing a software provides the assurance that a there is a third party – a specialist that is accountable for the correct adaptation to the regulations at all times and that, if required, will provide sufficient legal evidence.

As an example, the difference would be the same as if you are writing a contract by yourself or if a law firm is taking care of it. In both cases we obtain the same outcome: a contract. In both cases we will use the same tool: a word processor. But obviously we obtain a higher confidence, greater legal security when the writer is an expert.

Neutrality

Another principle to take into account is that of the evidentiary symmetry. Meaning, in a more colloquial way, one should not be both judge and party.

Are you sure that your signature software is not manipulable? Being you the custodian and system operator, do you consider that an IT expert would not doubt in court about the reliability of the presented evidence that you have generated yourself?

We will go later into the necessary technical aspects to forge that security, but without a doubt, the use of third parties helps to clear up those uncertainties.

Unlike in the paper world, which intrinsically offers certain guarantees of non-manipulation, in the digital world, non-manipulation can only be guaranteed by those who control the environment. That is why, given that it is not advisable for the environment to be controlled by one of the parties, the regulatory evolution leads us more and more towards the use of trusted third parties, such as the recent European regulation eIDAS.

Responsibility

Probably the most valuable aspect of electronic signatures services is that of responsibility. What happens in the event of a system glitch? And what if the system is not legally as robust as we were told in the first place? Who is held responsible?

The assumption of responsibilities is intrinsic to the provision of services and this is what grants additional value to it: when you entrust your money to a bank, it assumes its responsibility as guardian of that money. Obviously they put all the necessary security measures so that nothing happens, but if someday they rob that bank, it must take its responsibility.

When you install a safe in your house and you put your money into that box, you will put all your effort into protecting it. As a matter of fact, the more time passes and the more valuables you have to protect, the more you will spend money in security services (alarm, guard, etc.). Obviously there are safes more secure than others and very strong additional security measures, but … if there is a theft or a fire, who is going to take responsibility? Who will return the money? The box manufacturer?

Risk management

Weather a software or a service, any electronic handwritten or biometric signature product pursues the same objective: being strong enough to be presented as legal evidence in case of litigation as the proof that a certain document was signed by a certain person. For this reason, the choice between one solution and another should be made on a risk assesment basis, as we would do for any other security element.

In a risk assesment – once the assets, their threats and vulnerabilities have been detected – the risk must be calculated as the product of the event’s probability and its impact:

  • RISK=PROBABILITY*IMPACT

The risk is therefore the probability of a certain impact on an asset. When calculating the potential risk, the evaluation of the impact is crucial. The total risk depends on the vulnerability and the impact, although the impact has a greater importance when calculating the risk, since any person would prefer the combination between a low impact and a high potential to that of a high impact with a low potential.

In the case at hand, it is very important to reduce the system’s vulnerabilities by implementing mechanisms that make the signature a robust evidence. This is because, although the probability is not very high, the impact is high, since in the worst case scenario, the absence or non-admission of a firm in a process such as obtaining an informed consent can entail important legal responsibilities.

We consider that ViDSigner is today the electronic handwritten signature system that provides more elements and higher quality over any other product or service, which is equivalent to less vulnerability, and has its biggest differential value in its contribution to reducing the impact.

eSignature risk management

Probability: How does ViDSigner help reducing vulnerabilities?

  1. It guarantees that you are signing what you see (WYSIWYS)the guarantee that what the signer sees is what he’s really signing is one of the biggest headaches of any eSignature system (whether handwritten or not). At this point it is essential that the signer sees what he is signing on the signature device itself, that is precisely why ViDSigner uses only tablets and not signature peripherals. Still, this is not enough.

The signature system’s security depends not only on the algorithms or technology used, but also on the integrity of the platform on which it is deployed. For this reason the usage of trustworthy service providers is needed, which are able to guarantee that the document that is shown to the signer is the one that appears and that when he stamps his signature, that signature corresponds to that document unequivocally. ViDSigner keeps the document in custody throughout the signature process, so neither party has access to it for its manipulation.

  1. Use of standards: ViDSigner uses international standards in all its technological phases. It collects biometric data and codifies it according to ISO/IEC 19794-7 and ISO/IEC 29109-7:2011 and uses the PAdES LTV (Long Term Validation) PDF standard[3] in the electronic signature part that surrounds the document, which guarantees that once the documents are signed, these can be validated in the long term by any person and with total independence of the provider (ViDSigner is not technically required at all).
  1. Data encryption: the encryption of biometric data is an essential precondition that any biometric signature system must comply with. But the way in which this procedure is carried out varies between the different solutions. ViDSigner relies in any case on independent third parties for the encryption key’s custody, which is all documented and protocolized and periodically renewed to reduce the risk of breakdown.
  1. Long-term signatures: as mentioned above, ViDSigner uses the long-term signature standard PAdES-LTV, which allows signed documents to be validated over time without additional requirements.
  1. Single-use certificates: ViDSigner uses a key and a unique certificate for each signature issued exclusively for us by the Certification Services Provider Firmaprofesional. From the security point of view, the single-use certificate allows diversifying the risk of breaking the private signature key, which, if it occurs, would only affect that signature. From the technical point of view, the certificates are included in the Adobe trust list and are individually issued for each signer (with their name and ID), which enables the signer to identify himself with his signature.
  1. Time stamps: besides allowing the construction of long-term signatures, the time stamps provide evidence of the moment in which the signature was recorded, which has an important value as evidence in itself and as a guarantee that the signature did not it occur at a later stage at the interested party’s convenience. As with certificates, ViDSigner relies on Firmaprofesional’s time stamps.
  1. Context evidence: The preparation of the test following the above guidelines is already a fairly robust test, given the amount of evidence collected, its quality and how it is handled. On top of this, ViDSigner records the exact moment in which the document was digitally signed and the device used, the OS version, the app version. Furthermore, additional evidences can be collected such as: geolocation information, supplementary biometric evidences (eyepieces, fingerprints, …) or capture and official physical documents (ID, passport, …) validation systems.

Impact: How does ViDSigner help reducing the impact?

Question. What happens if – due to a technical problem – the products or services stop working temporarily? Have you calculated the consequential costs?

  1. SLA. The service level agreement is an element of enormous value that provides trusts. In ViDSigner we give a 24/7 service, self-imposing severe penalties in case of service failure or unavailability. This is something that no software product is able to offer because it is not under their control and which service providers often skimp on if they offer it.

Question. How long would it take to register a new signing device? And a new centre? Have you calculated the resulting costs?

  1. Immediate availability ViDSigner does not require installations or deployments, you only need to download an app and enter an enrollment code for it to start working. Being cloud-based, the infrastructures replicates themselves automatically absorbing the existing demand without any impact on the systems.

Question. Can the service provider or your own systems offer the capabilities of a platform such as MS Azure? Have you calculated what it would cost to have a similar infrastructure “in house”?

  1. Microsoft Azure. Our services are provided in the Microsoft Azure Cloud. Azure, apart from being considered by many as the best technological service, is the undisputed leader in terms of security and privacy. In fact, it was the first platform to obtain the approval of the European Union in terms of data protection and to adopt the Cloud systems privacy ISO 27018. ViDSigner is provided in high availability and georeferenced mode, the on-premise equivalent would increase the solution prices in a considerably.

Pregunta. What type of responsibility does the product manufacturer or service provider assume in case of litigation?

  1. Responsibility. In ViDSigner we have a civil liability insurance to cover unforeseen contingencies that may arise.

Question. Does the manufacturer have a third party report that endorses the system? Is it signed by an eSignature recognised authority? Have you verified that what you are going to implement complies with the third party’s report?

  1. Legal report issued by a recognised professional. Despite not being a guarantee of success, having the best possible paper trail is always a good safeguard in case you have to go to court.

Question. Does the manufacturer have an experienced legal team to support you in court if required? Have they offered it to you?

  1. Legal assistance in court. Our own legal team will go to court together with the client in case of litigation to demonstrate the system’s validity, involving the certification provider services and, where appropriate, notaries who have intervened in the service.

Pregunta. ¿Dispone el fabricante de un equipo jurídico propio con experiencia para apoyarte en juicio si se requiere? ¿Te lo han ofrecido?

  1. Asistencia en juicio. Nuestro propio equipo jurídico se personará junto al cliente en caso de litigio para demostrar la validez del sistema, involucrando a los prestadores de servicios de certificación y, en su caso, notarios que han intervenido en el servicio.

Responsibilities in the event of an issue

What is going to happen if I have a problem? Who is going to be held responsible for it? It depends on the type of problem, if it is a technical or legal problem. Let’s see both cases.

eSignature responsibility

TECHNICAL PROBLEM

On-premise solution: if there is a technical problem – for example, a server is damaged or the devices’ new operating system update is not compatible with the client that you have installed or any other problem that results in an unavailability – you will have to buy a new device and reinstall the requirements. The impact on both cost and time is very high. Among the hidden costs that we will have to assess in the event of this type of event are those on which the technical staff typically incurs: the operating cost of the unavailability and the necessary replacement equipment.

If the solution is in “appliance” mode, how long will it take the manufacturer to send, install and configure a new device? How many resources would it require on your part?

The responsibility for the unforeseen losses will fall in any case on the systems department.

ViDSigner: the probability of a technical problem in ViDSigner is very low, since it only depends on two elements: a common tablet (it is recommended to have a backup device in case of possible malfunctions) and an internet connection.

In the unlikely event of a service failure, if it is down and this becomes unavailable to the client, not only will it not produce costs for the client, but ViDSigner assumes very severe penalties in the service invoice.

It is clear that the responsible in this case is ViDSigner.

LEGAL PROBLEM

On-premise solution: if a judge declares invalid the provided evidence of an eSigned consent because of any of the vulnerabilities detected above – for example, that there is no way to prove that what one of the parties signed is really what he thought or that no time stamps are being used and it cannot be guaranteed that the signature was not made at a later time at the interested party’s convenience – the manufacturer might be held responsible, but he will always avoid liability arguing (as it actually happens) that the system is secure but he does not control the installation environment.

On the other hand, the evidence that has not been provided at the time of the proof construction (when the document is signed) can not be provided at a later stage. In other words, if the interested party stopped using time stamps – long-term signatures or non-robust systems – for financial reasons, because of the uncertainty of the WYSIWYS, in the evidentiary phase they can not be complemented. That is, you will not be able to include a signature stamp, nor the appropriate format, nor reinforce the system. And worst of all, all the signatures that have been made to date can be considered virtually void, which converts a risk with low probability into one with very high probability.

Probably the manufacturer will not go with you in the litigation because it has not assumed contractually its responsibility and, in the event that he has done so, it will be carried out by people without the needed qualification.

The responsibility in this case will fall on the company and finally divert on the legal department that gave the approval to the deployment of a solution with a high level of risk.

ViDSigner: as explained, ViDSigner has the highest level of legal technical guarantees, reducing potential vulnerabilities to a minimum.

  1. ViDSigner features a report developed by Spain’s leading legal expert in electronic signatures – and one of the most internationally recognised – which, first of all already provides a documentary evidence in court.
  1. ViDSigner will always go to court with its the client in case of litigation when required to reinforce solution’s legal value. ViDSigner legal team has more than 15 years exclusive experience in the electronic signature field, and can count on the CISA accreditation in security audits.
  1. ViDSigner is the first party interested in collaborating in the trial. For this purpose it has created its own forensic tool for biometric signatures comparison based on the ISO standard and makes it available to any expert.
  1. ViDSigner has civil liability insurance as a backup in case everything else fails.

We are aware that there may be situations of unknown risk and therefore unforeseen, for this reason we will always accompany the client in the resolution.

No obstante somos conscientes de que pueden darse situaciones de riesgo desconocidas y por tanto no previstas, por lo que siempre acompañaremos al cliente en su resolución.

Conclusiones

The obvious conclusion of all the above is that not all systems should be measured according to the same standard, especially dealing with heterogeneous solutions such a service vs. a product supply.

Cost is an important factor to take into account, but it should not be the only, nor the main one. A simple risk assessment should put on the table the hidden costs and those produced by the impact of an incidence – often highly relevant – and take into account that its responsibility will inevitably fall on the client himself, and implicitly on those who could have foreseen the problem and who, even thought hey had the right information, did not put it into value.

More information

Leave a Reply