In recent times, a plethora of different electronic signature systems has been emerging.
Until a few years ago, when we spoke of an electronic signature or e-signature, only digital certificates came to mind. These could have been qualified (previously called recognised) or not, and were sometimes used with a cryptographic card, generating the so-called qualified signature.
Yet e-signatures based on digital certificates do not meet every possible need. This is the reason why, in recent years, we have witnessed the rise of different systems such as handwritten e-signatures (biometric signatures), remote electronic signatures based on evidence of the process, or even electronic signature systems based on digital certificates whose signing keys are held centrally in a secure hardware security module (HSM).
In this post we will briefly describe each e-signature, its legal framework and its correct denomination.
e-signature or digital signature?
Lately, we have read several articles distinguishing the two concepts depending on the technology they are using, if the signature is based on PKI (digital signature) or not (e-signature).
Actually, the term digital signature does not appear in the EU regulation (eIDAS). Conversely, other legal systems do make this distinction, such as the US’s, which distinguishes between e-signature and digital signature, or some Latin American legislations, such as Colombia’s, which clearly establish this distinction.
In my opinion, the terminology is a minor matter, as it ultimately depends on the regulation that we are applying. Anyway, we commonly talk about three signature levels, which we will call electronic to simplify:
- Simple electronic signature
- Advanced electronic signature
- Qualified electronic signature
Simple, advanced or qualified e-signature
If we look at the Regulation (EU) No 910/2014 (eIDAS), the three types of electronic signatures are defined as:
- Electronic signature “means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”. We see that in reality the term “simple signature” does not exist either, but we use such term to refer to a first basic level of signature without more attributes.
- Advanced electronic signature “means an electronic signature which meets the requirements set out in Article 26”. These requirements are “a) it is uniquely linked to the signatory; b) it is capable of identifying the signatory; c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable”. Obviously, the legislator was thinking about public key technology (PKI) when defining the advanced e-signature, but the principle of technological neutrality prevents limiting it to that technology.
- Qualified electronic signature “means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures”. That is to say, the qualified electronic signature is one based on a public key that also uses a secure signature creation device and a qualified certificate.
For an e-signature to be considered qualified, several conditions must apply: a certificate must be used whose characteristics and requirements include prior identification of the signer by an audited entity authorised to do so, the keys on which the certificate is based have to be generated on a cryptographic card or an equivalent server device accessed with two-factor authentication, etc.
For all the above reasons, the qualified electronic signature is not easy to achieve and has quite a few limitations in terms of usability but, as a counterpart, it is granted by law the maximum guarantees and the functional equivalence with the handwritten signature.
As we discussed in a previous post, the difference between “advanced” or “simple” electronic signature is of little value in practice.
In Europe – and except for very specific cases such as the Spanish Administrative Procedure Law (LPAC 39/2015), which grants a special value to the advanced signature with a qualified certificate (not the qualified e-signature) – the difference between “advanced” and “simple” electronic signatures may have a certain theoretical interest, but little practical interest. In fact, the only signature to which the law grants certain presumptions, even with its limitations, is the qualified e-signature. Any other type of signature is required to prove its value at trial. Therefore, the important thing will not be so much whether it is considered a “simple” or an “advanced” e-signature but its probative force.
Handwritten electronic signature or biometric signature
The handwritten electronic signature receives different names: biometric signature, graphometric signature, digitised signature… This kind of e-signature is the traditional handwritten signature, materialised using digital media instead of paper. For this reason, the term we like best is handwritten e-signature or electronic handwritten signature.
This type of signature requires a special analysis and addressing.
Despite its main characteristic of being obtained through digital means, it does not stop being a handwritten signature. That is precisely the reason why it does not need to look for a functional equivalence with the handwritten signature, because it already is such.
In fact, the way it is created and the way its authenticity and integrity are established are much closer to those of the handwritten signature on paper than to those of the certificate-based electronic signature. It should therefore always be admitted in those processes that require a handwritten signature in any legal system – except where the use of paper itself is required, which is not frequent.
It is crucial to remember that, just as the pen-and-paper technology has few variants and there is consensus on how it guarantees the integrity and authenticity of the document, in its electronic form a great number of factors must be taken into account, which means that not all biometric signatures are the same and therefore they do not all share the same legal guarantees.
Centralised key management systems
Traditionally, electronic signature systems based on digital certificates required that the owner of the signature keys “physically” kept them under his exclusive control.
The eIDAS Regulation, while keeping the use of the keys under their owner’s control, introduces the important novelty of allowing the certification service provider that issues the certificate to keep the keys in its custody in a secure centralised signature creation device.
Whether such an e-signature is advanced or qualified will ultimately depend on several factors, the most important being whether the issued certificate is qualified or not, whether the keys have been generated in and cannot be extracted from the device itself, whether the server device that stores the signers’ keys is considered (certified as) a secure signature creation device, and whether user access to the keys requires two-factor authentication.
The use of this type of service has significantly improved the usability of the signature based on digital certificates compared to the traditional system. While it is definitely the best system in many situations, it still suffers important limitations, since these are usually expensive systems and they require the user to identify himself before the certificate-issuing provider. This decisive constraint forces us to look for a solution that can satisfy the need for an e-signature for “non-enrolled” users.
Remote e-signature or evidence-based electronic signature
On different occasions, we are faced with specific situations that require obtaining the signature of a person remotely (that is, not in person), where that person does not have a digital certificate or a device capable of capturing the biometric features of his signature with adequate guarantees. Therefore a different e-signature mechanism is required.
The so-called remote signature or e-signature can be considered a “simple” or advanced e-signature depending on its configuration, but it can never be a qualified signature, since in order to receive such consideration it would require the use of a qualified certificate and a secure signature creation device, as we have seen in the previous section.
In this case, the greater or lesser legal value of an e-signature is obtained through a series of pieces of evidence of the signature process, collected by a third party unrelated to the transaction, which ensure that the signature can be attributed to the person in case of litigation. The chances of success in this litigation will fundamentally depend on the quantity and quality of the evidence collected, which may include:
- Signatory’s email address
- IP address from which operations are executed
- Mobile phone no. where the SMS with the signature key (password) is received
- One-time password (OTP)
- Handwritten signature on the device
- Browser from which the process was performed
- Single use certificate
- Time stamp
- Long-term signatures
These systems are very easy to use, but the evidence they provide – by themselves and individually – is difficult to defend in court because of the difficulty in proving that it was that person and not another one who accessed the email and signed on their behalf (for example).
The system’s security improves considerably with the sending of an SMS to the signer’s mobile phone as a second authentication factor. In other systems, as is the case of VIDsigner’s service, the signature process is legally completed by additionally requiring the signer to make a handwritten signature on their device (third factor).
In this case, the biometric signature does not have the same quality as the one we saw in the previous section, nor would it be valid per se in court, but through the merging of evidence – email, SMS and handwritten signature – this kind of e-signature becomes strong evidence.
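The following is an added illustration (not code from the original post or from VIDsigner) of how the evidence described above can be bound to the signed document so that any later change is detectable, as Article 26 d) requires. It assumes a hypothetical evidence-record format, a constructed sample contract, and an HMAC seal with a key held by the third-party service standing in for the service’s own signature and time stamp.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the signing key held by the third-party service
SERVICE_SEAL_KEY = b"constructed-demo-seal-key"

# Factors the post lists for a remote signature, from weakest to strongest
KNOWN_FACTORS = ("email", "sms_otp", "handwritten")

# Constructed sample input: a contract and what the service observed while signing
SAMPLE_DOCUMENT = b"Service agreement v3 (constructed sample)"
SAMPLE_EVIDENCE = {
    "signer_email": "signer@example.com",
    "ip_address": "203.0.113.10",
    "mobile_phone": "+34600000000",
    "browser": "Mozilla/5.0 (constructed)",
    "factors_completed": {"email": True, "sms_otp": True, "handwritten": True},
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so the seal always covers the same byte string."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_evidence_record(document: bytes, evidence: dict, signed_at: str) -> dict:
    """Bind the process evidence to the document hash and seal both together.

    The seal ties the evidence, the time stamp and the document hash into one
    unit, so tampering with any of them is detectable at verification time.
    """
    payload = {
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "evidence": evidence,
        "signed_at": signed_at,  # the service's own time stamp (hypothetical field)
    }
    seal = hmac.new(SERVICE_SEAL_KEY, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "seal": seal}


def verify_evidence_record(record: dict, document: bytes) -> bool:
    """True only if the seal is intact and the document is the one that was signed."""
    expected = hmac.new(SERVICE_SEAL_KEY, canonical(record["payload"]), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), record["seal"]):
        return False
    return record["payload"]["document_sha256"] == hashlib.sha256(document).hexdigest()


def completed_factors(record: dict) -> list:
    """The known factors the record shows as completed, weakest to strongest."""
    done = record["payload"]["evidence"].get("factors_completed", {})
    return [f for f in KNOWN_FACTORS if done.get(f) is True]
```

A record with only the email factor verifies just as cleanly as one with all three; the seal proves integrity, while the list of completed factors is what carries the evidentiary weight discussed above.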
As we have repeated many times, there are no “more legal” signatures than others, since Article 25 of the eIDAS Regulation and most of the world legislations make clear that “an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures”.
Except for the qualified signatures, centralised or traditional, which do establish an evidentiary presumption (although this does not make them irrefutable proof) and which have very specific use cases, there are other systems that can constitute evidence as robust as this and that adapt perfectly to each concrete use case.
At Validated ID, we have always worked to cover all of our clients’ needs and have committed to delivering signature services that provide the maximum legal guarantees for the process. That is why we offer a multi-channel signature service that allows, depending on the needs of the client, the use of centralised digital certificates, biometric signatures, remote signatures, automatic stamps and even NFC cards, all of them combinable and compatible with each other.
If you want to know more about the different types of electronic signatures and VIDsigner’s capabilities, you can request more information through our contact page.