As we move deeper into the information age, there has been an increasing need to conduct transactions remotely. In today's world, keeping up with the competition, whether it be in businesses or in the job market, requires at a minimum, that people are empowered with tools to make authorisations and payments, and communicate remotely on any device at any time. In the aftermath of COVID-19, this trend has accelerated as employees increasingly want to work from home. Electronic signatures are a part of the infrastructure that facilitates a mobile "on the go" workforce that needs to be connected 24/7.
Electronic signatures take on specific meanings depending on the legal jurisdiction in which the transaction is being conducted, but there is a common thread across all jurisdictions. Generally, an electronic signature is considered to be a digital indication of a person's intent to agree to the content of a document or a set of data to which the signature is affixed. Legislations in most countries have made electronic signatures as legally binding as traditional wet-ink signatures for most transactions. In some cases, however, jurisdictions require additional security hardening techniques for the electronic signature to be considered legally binding. Nevertheless, in most of the cases that you are likely to encounter, a signatory's intent will be legally bound by the terms of the electronically signed document, or data set.
Electronic signatures can take a number of different forms, including:
In its most basic form - a typed written font, an image, or a drawn depiction - electronic signatures are accepted in most parts of the world for most types of transactions. Nevertheless, there are a number of techniques that are often applied to elevate its security, reliability, and legal strength. These techniques are typically provided by private entities.
Document Track and Trace, and Audit Trail: Basic electronic signatures can be strengthened through the use of a third party to maintain document security and transaction verification. Electronic signature companies are able to validate and track the different versions of a document as signatories sign and date the document in real-time, in order to prevent unauthorised changes to a document during the signing process. Furthermore, a permanent record of the transaction is usually stored, a record that captures pertinent signatory identification data such as IP address, date and time zone, email address, and device specifications.
The Use of Public-Key Infrastructure (PKI): Yet further security hardening can be done by using cryptographic keys and certificates to validate the document signing process. Using a public key algorithm such as a RSA or SHA, private and public keys are generated, both of which are mathematically linked. The private key is used to encrypt the signature-related data of the signatory, resulting in encrypted data that can only be decrypted by using the public key. A digital certificate is issued to the signatory, a certificate that contains the public key of the signatory, information about the signatory, expiration dates, and the digital signature of the certificate's issuer. Upon exchanging the signed document the certificate is used to verify that the public key belongs to the signatory, that the signature in the document is a true representation of the signatory's signature, and that the document has remained unchanged since it was signed by the signatory.
Digital certificates are issued by trusted third-party certificate authorities (CAs), and both the party sending the document and the person signing it must agree to use a given CA.
The Use of Qualified Certificates and Qualified Devices: One of the highest levels of security hardening can be accomplished by using qualified devices to create the signature and the private key. Qualified devices include smartcards, SIM cards, USB sticks, and other "remote signature creation devices" that have been approved by a national competent authority. A qualified certification is also used to conduct a similar level of verification as that done when using PKI. Generally, a qualified certification is one that is issued by a qualified provider - a provider that has been granted that status by a recognised national entity.
The benefits of electronic signatures can not be ignored and include such items as boosting productivity, saving costs, speeding up workflows, and enabling greater sales turnover. The full benefits vary by the industry in which this technology is used, and we have a number of articles that go into detail about the benefits for each respective industry. On the other hand, one must be clear about the use case for this technology, as not all transactions can be verified through the use of electronic signatures. Furthermore, the range of acceptable transactions varies by the legislation, and the type of electronic signatures.
In jurisdictions such as the European Union, the only type of electronic signature that is universally accepted in all transactions is a Qualified Electronic Signature (QES). In other jurisdictions, some transactions or documents are excluded entirely. There is no universal rule that can be applied to determine which transaction qualifies and which does not, as each legal jurisdiction is different. Nevertheless, in most of the jurisdictions that we have covered, documents such as wills, court documents, land titles, deeds, and property titles, cannot be signed with electronic signatures.