A properly executed Electronic Signature has legal blessing, but the politicians and lawyers don’t tell us exactly how to do it. Fortunately there is a growing body of standards and numerous case studies demonstrating effective implementation of Electronic Signatures in practice.
One way to begin is to take the legal process and match it to the corresponding technical process. One industry group has written a document called SPeRS as an attempt to create guidelines for creating legally enforceable electronic contracts. We can take the elements of SPeRS, particularly as they differ from the process that may be followed in the hardcopy world, and see how that maps to available technologies and standards.
(One note here: It is clear that electronic signatures in the form of electronically recorded signatures for credit card transactions have been used for a long time. Longer than the existence of SPeRS. The intent of the ESIGN law, and other related laws, are to enable the use of electronic signatures by reducing the fear that these methods will not be legally upheld. SPeRS, MISMO and other groups advancing electronic transaction standards are just offering well reviewed guidelines for methods to minimize the ability of a bad guy to repudiate an electronic transaction.)
Figure 1 diagrams an ESIGN compliant electronic signature process which we will discuss.
Figure 1: Esignature Process
Some key features of SPerS signature process (full summary here) are:
1. Evaluate and Select the Proper Signer Authentication Strategy (SPeRS 1)
One essential part of the process will be a determination of how to insure that the person that is creating the electronic signature is who they claim to be (Signer Identity) and is authorized to execute the transaction (Signer Authority). As in all commercial transactions, the employing party will apply some form of risk-benefit analysis on what credentials will be required to reduce the incidence of fraudulent transactions.
This is clearly an area that may present special challenges when conducted purely in cyberspace. It often is dealt with in a tiered fashion based on the value of the transaction and the identity of the parties. One set of credentials and associated limits may be applied for known and trusted parties and another may be used for unknown or untrusted parties.
The subject of authentication is a good topic for future expansion.
2. Obtain Consent to Use Electronic Signatures and Records (SPeRS 2-1)
One essential part of the process will be the consent to proceed with an electronic contract. This may be implied consent, but for most transactions of non-trivial value with unrelated parties it is recommended that a “Consumer Consent Disclosure” be presented prominently and affirmed by the consumer prior to the execution of the primary transaction. Sometimes this consent process may be required by rule of law, a FTC report on the effects of the Consumer Consent Provision of ESIGN can be found here.
This presentation/affirmation transaction should be maintained in the record of the primary transaction as part of the signing process.
If the consumer consent disclosures are employed then it is incumbent upon the signing system to confirm the ability of the consumer to access the materials that will be electronically provided. This may be done by having the signer visit a special website to access their agreements.
Issues surrounding the access and display of electronic transaction records are discussed in SPeRS section 3. To summarize: make sure that they are viewable, easily understood, comply with relevant laws and consider privacy implications depending upon the access method selected. Maintaining an auditable record of participant access is highly recommended.
3. Select a Signature Technology and Process (SPeRS 4)
There are several issues to be considered when selecting an appropriate signature technology. More detail can be found in the Electronic Signature Technology pages.
A key concern when selecting an electronic signature technology is whether the transaction is done in-person or solely in cyberspace. If a signature is done in-person, then a wealth of traditionally accepted methods for authentication exist. The in-person transaction implies that the participants will interact with a trusted agent of the transaction creator who can verify acceptable identification criteria, explain the process and witness the signature. It also means that special hardware may be provided for capturing the signature, the most common being the electronic signature pads commonly deployed at retail point of sale locations. The collected handwritten signature, a record of any agent collected credentials, the time of the transaction, other optional evidentiary data and the participating agent’s credentials are associated with the transaction to form an electronic signature.
If transactions are not done in-person then the most common technology in current use is the “click-wrap” or “click-through” technology. This is a process based signature which records the act of clicking the “I agree” (or similar) button and associates this act with the provided authentication credentials, the time, the authenticated transaction and possibly other evidentiary data to form an electronic signature.
The signature process must confirm the intent of the person signing. This may be done using check boxes that are affirmatively clicked, buttons and/or displayed transaction text prior to affirmatively signing the record or contract.
The process and the signature data that is recorded must be usable to attribute the person signing to the signature. If the signature is an electronic handwritten signature then the signature itself is a characteristic of the individual that signed the document. If a click-wrap signature process is being used then the authentication data being associated with the signature shall have been confirmed within the same user session as the signature being attributed.
The options for technologies to implement this are discussed further in the Technology sections.
4. Storing the Signed Electronic Record
After a document has been electronically signed it must be maintained in a fashion that will protect it from being modified and insure that it is accessible to all parties entitled to access it.
The designers of an electronic document process must insure that they are properly maintaining these records to comply with legal, customer and risk management requirements. This electronic vaulting is a topic of its own, the only twist added by the incorporation of electronic signatures is to insure that the electronic record and its associated signature and audit data are all made available as needed.
Subscribe to Esignature Post feed
It is rather funny that when doing online to do business, it’s so much harder apparently to do something like sign a document.
Why is it that businesses can sign their paper documents with ease without relying on third party expertise, yet when they try to use electronic signatures, they seem to be hit by all of these competing standards bodies and companies with competing technologies. You’d never have guessed that paper and pen were so sophisticated!
Not much activity here, but in my opinion your piece is pretty good overall. The process outlined is certainly something that should be followed (it’s not much different than what’s done with paper today). Note that authentication need not take place up front, though it’s often preferable. As long as the authentication occurs in that same session, the prior authorization (willful action of signing) is validly associated with that party.
A key consideration is how much authentication do you do with your paper process, should you be migrating such documents online. Often, companies do no authentication (no ID is checked). Most allow a transaction to proceed if the person also pays for it (get paid before delivering!).
Transaction storage is an issue to consider. Digital signatures certainly provide a way to create a reliable electronic record.
It is important to know how accessible your signed documents are. What does it mean to use a company’s software to sign a document they prepared and also store and just give you access to it through their system? It makes sense to allow all parties to have their own independent copies that don’t rely on another to hold and validate. If you use an online signature service, what happens to your documents if that service goes away? It makes sense to allow a parties to store their own copies. Anything less should be suspect unless it’s a low-valued transaction in which you may not even keep a paper record if it has little importance to you.