An Electronic Signature Maxim

By: Vojtěch Kment

Summary: An E-signature Deployment Maxim: 1. Replaces the handwritten signature; 2. Legally permissible; 3. Evidence of intent; 4. False identification avoided/minimized; 5. Easy to use, affordable and widely compatible.

(Maxim: A brief expression of a general truth, principle, or rule of conduct)


There are two basic reasons why I created the e-signature maxim in the form of a list:

First, the qualities listed are distinct and to a large degree independent of each other. Unfortunately, in most cases e-signature proposals concentrate on a few of these demands and are often largely ignorant of the others. One should address all five issues in parallel.

Second, even when the suppliers of products and services adequately satisfy some items on the list, they tend to be silent about the missing requirements when they market their solution. As a result, the legal and technical requirements of a project get mixed up and confused with one another.

The following maxim was developed over many years. It is intellectually rooted in the European Union legal environment and its system of related technical standards, but I believe that the abstract generally holds for legal systems worldwide.

It is organized in two groupings. The inner triplet (i.e. demands 2-3-4) forms the core set of legal requirements. It is presented this way because people very often suppose that the law sets just one demand. But as with any kind of 'validity', several demands have to be satisfied at the same time. Demands 1 and 5 are included because the law is not everything that matters in the real world. So let us now discuss the maxim in less telegraphic language:

Electronic signature deployment maxim:

  1. An electronic signature should substitute for the handwritten signature in computer applications, provided that:
  2. its usage is legally permissible,
  3. it is trustworthy evidence of the expression of the will of the signatory,
  4. its abuse is made impossible or minimized, and
  5. its usage remains relatively easy, affordable and widely compatible.

The maxim is carefully crafted. Still, a short explanation of what the individual demands mean and why they are important is in order.

1. Written signature equivalency. We need something that resembles the function and purpose of the traditional handwritten signature as it is widely understood by the public. This demand both addresses societal needs and sets an example to be followed in integrating IT with the quality of human decisions.

Requirement number 1 provides a great selling/buying benefit and a sociological vehicle that explains to future e-signature users what they are supposed to do.

2. Legally permissible. We deploy e-signature only when the law allows it. In many scenarios it may be enough that the law does not prohibit the use of the e-signature for the given business or government task. When the law puts special demands on the technical features of the e-signature, they must be satisfied. Otherwise we waste the effort and money, since the resulting electronic transaction is invalid. This demand is ultimately controlled by what the law allows.

The sad fact regarding requirement number 2 is that it is usually very annoying to both the buyer and the seller. But the law normally sets the limits for good reasons.

3. Evidentiary (non-repudiation). The relying party needs to use the e-signature + signed document as evidence. The core function of the signature is to serve as evidence, in litigation, of the expression of authorization by the signatory. Stronger e-signature technologies may mean more credible evidence. And the signatory should not be able, on the legal level, to repudiate an e-signature which carries his credentials, except in a few traditionally narrow circumstances such as physical or mental coercion, or the case of error. This demand is ultimately a legal requirement.

Requirement number 3 addresses the ultimate purpose of the traditional handwritten signature in the law. Without this function the entire idea of e-signature is useless. The party relying on the e-signature might wish that there were no possibility of repudiation at all, but that is a shortsighted approach.

4. Attack-tolerant. The signatory needs to be protected from the possibility that somebody else creates his e-signature and he is then unable to legally repudiate it. The relying party should be protected against spoofing attacks as well, but its situation is easier. This demand is ultimately a legal requirement.

Requirement 4 is usually not spelled out to employees (natural persons), or they do not understand its importance. And please note that demands 3 and 4 are in part strongly contradictory.

5. Simplicity. Nobody likes the opposite, and of course it would hinder acceptance. Complexity often harms security too. This demand is an economic and security requirement.

Finally, requirement 5 is clear to everybody, but it is not widely understood that it is nearly always in strong contradiction with demands 2, 3 and 4, and that some compromise is necessary.

Successful deployment of the e-signature addresses all listed demands in a balanced manner.
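To make demands 3 and 4 concrete, here is an added example that is not part of the article: a minimal verifier that treats a document plus its digital signature as evidence (demand 3) and, at the same time, refuses to accept a signature made after the signing key was reported compromised (demand 4). It uses textbook RSA over a SHA-256 digest with a short 512-bit modulus so that it runs in pure Python; that is a teaching toy for the two demands, not a signature scheme to deploy. The function names, the seed, the contract text and the dates are all constructed for the demonstration.

```python
# Added example (not from the article): a document + signature as evidence
# (demand 3) checked together with a key-revocation record (demand 4).
# Textbook RSA with a 512-bit modulus: a teaching toy, not for production.
import hashlib
import math
import random


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, until one passes the test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def rsa_keygen(bits: int = 512, seed: int = None):
    """Returns ((e, n), (d, n)). The seed exists only so the demo is
    reproducible; real keys must come from a cryptographic RNG."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return (e, p * q), (d, p * q)


def _digest_int(document: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def rsa_sign(private_key, document: bytes) -> int:
    """Only the holder of d can produce this value for a given document."""
    d, n = private_key
    return pow(_digest_int(document, n), d, n)


def rsa_verify(public_key, document: bytes, signature: int) -> bool:
    """Anyone holding the public key can check it, so the document plus the
    signature is self-contained evidence (demand 3)."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(document, n)


def assess_as_evidence(public_key, document: bytes, signature: int,
                       signed_on: str, key_revoked_on: str = None) -> str:
    """Demands 3 and 4 in one decision: accept only if the signature verifies
    AND the key was not reported compromised on or before the claimed signing
    date. Dates are ISO 8601 strings, so they compare correctly as text."""
    if not rsa_verify(public_key, document, signature):
        return "rejected: signature does not verify"
    if key_revoked_on is not None and key_revoked_on <= signed_on:
        return "repudiable: key revoked before signing date"
    return "accepted as evidence"


if __name__ == "__main__":
    pub, priv = rsa_keygen(seed=2024)  # constructed demo seed
    contract = b"I agree to pay 100 EUR on 2024-06-01."  # constructed document
    sig = rsa_sign(priv, contract)
    print(assess_as_evidence(pub, contract, sig, "2024-05-02"))
    print(assess_as_evidence(pub, contract + b" plus interest", sig, "2024-05-02"))
    print(assess_as_evidence(pub, contract, sig, "2024-05-02", key_revoked_on="2024-04-30"))
```

The revocation check is where the tension between demands 3 and 4 shows up in code: the relying party would prefer that every verifying signature stand, while the signatory needs a way to disown signatures made with a stolen key, and the verifier has to pick a rule. Note also why a shared-secret MAC could not replace the signature here: the relying party holds the same key and could have produced the tag itself, so it proves integrity but is not evidence against the signatory.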

Easy to Say, Hard to Do

I believe that it is possible to develop a type of e-signature that satisfies the maxim and supports the EU Directive on the electronic signature framework that was approved in December 1999. But currently, pan-EU penetration of electronic signatures among the public is still very low.

This is likely because demand 5 has not been fully satisfied, either via technology or via process. And while some solutions may satisfy demand 5 in some manner, they are usually rather weak in meeting demands 2-3-4.

Thus, when an organization wishes to deploy e-signature according to the demands of the maxim, at this point it needs to gain essential expertise in cryptology, law, IT security and standardization, as well as knowledge of the products, services and providers available on the market. But it is very difficult to assemble this expertise and become confident enough to promote e-signature and to accept the risk of taking responsibility for it.

The same knowledge gap, and the resulting hesitation, is present among most public officials who should promote e-signature development at many levels: city, state, and the EU itself.

Generally, one may observe two kinds of reaction. The first is hesitation. I believe that this point is realistic, as a reasonable person senses that there are some unknown background demands and uncertainty. And thus these persons become paralyzed with doubt, and so the e-signature projects do not move forward. But there are also brave or foolhardy persons who take the second approach: they present or implement a chosen approach and in turn reject or marginalize subsequent reports that any unsatisfied demands really exist. In my opinion, companies and organizations should make the investment to acquire the necessary know-how and deploy e-signature technology confidently.

But be aware that a large part of any e-signature project is 'horizontal'. That is, the organization will first deploy e-signature technologies and procedures among its employees regardless of the work tasks or business applications. The 'vertical' part comes later, when the e-signature may be added to specific software applications that serve specific business tasks. Normally organizations implement the applications with the biggest ROI first. But in this case, one should scope and build the 'horizontal' e-filing infrastructure according to the heaviest risks and load of any application that may be implemented in the future.

Finally, the relevant EU authorities may over time help to establish the e-signature market by selecting specific standards or profiles that create mutual compatibility. This in turn will hopefully create the critical mass of persons who use mutually compatible electronic signatures. But if and when that time comes is 'written in the wind'.


