Tech Transfer News: E-Signature 101
Due to the explosive growth of the Internet and advances in communications technologies, more and more businesses are interacting electronically rather than face-to-face. In many jurisdictions, parties may “sign” (and thereby bind themselves to) a contract by any means so long as there is an intention to authenticate the document. Online transactions via website checkouts, fax machines and, in some cases, email are treated no differently. By increasing their online presence, businesses have been able to offer their products and services in a more cost-effective and expedient manner. Unsurprisingly, however, the ease of Internet transactions has raised concerns that were previously not applicable to traditional, handwritten signatures and contracts. This article will discuss some of the electronic signature (e-signature(s)) technologies that have evolved to account for these concerns and why businesses may still be reluctant to implement them.
HISTORY OF SIGNATURES
The concept of affixing a personal or descriptive mark to an object traces back to the first-known writers, the Sumerians, who applied seals to their works as a means of authentication. Evidence of handwritten signatures on contracts later surfaced in the Roman Empire around AD 439. Today, as in the days of Roman Emperor Valentinian III, the purpose of a party’s signature remains largely the same:
- The party has reviewed and accepted the terms of the contract;
- The party has the authority to accept the terms of the contract; and
- By way of signing, the party has the present intention to authenticate the contract.
In many jurisdictions, absent coercion, the manner in which a signature is made is insignificant. For example, in the United States, a signature can be “made manually or by means of a device or machine, and by the use of any name, including a trade or assumed name, or by a word, mark, or symbol executed or adopted by a person with present intention to authenticate a writing.” Indeed, courts have found simple marks like an “X”, typewritten names and the use of personal stationery to evidence the requisite intent. With an emphasis on function over form, it is not surprising that a U.S. court found that a telegraph could constitute a signature as early as 1867.
TYPES OF ELECTRONIC SIGNATURES
While the nomenclature may vary, there are generally three categories of e-signatures—each providing a different level of security via certainty:
- “Simple” e-signatures
- Advanced e-signatures (sometimes referred to as secured or digital signatures)
- Qualified e-signatures
Each category represents a shift in focus. Whereas the original purpose of a signature was to evidence intent, the latter categories serve to assure a recipient that the signature is reliable and that the content and signer can be trusted. Whether a country will accept an e-signature as the legal equivalent of a handwritten signature depends upon the category under which it falls.
Simple E-Signatures can generally be defined as: (a) a sound, symbol, process or other electronic data, which (b) is attached to or logically associated with (c) a contract or other record and (d) is executed or adopted by a person (e) with the intent to authenticate the record.
Some examples include clicking “I agree” to software terms, typing a name at the end of an email, an affirmative text message, entering a PIN number and sending a telegraph via Morse code. In determining whether a record has been “signed,” many jurisdictions consider whether or not there was an intention to execute or adopt the sound, symbol, etc. for the purpose of signing. Simple e-signatures allow for quick and efficient online transactions and account for a majority of online shopping. However, as any victim of identity theft can attest, they are not without their shortcomings. There is a degree of uncertainty as to whether the signing party is actually the named party and whether any contract terms have been altered.
Advanced E-Signatures are generally defined as: (a) simple e-signatures that are: (b) uniquely linked to the signatory, (c) capable of identifying the signatory, (d) created using a means that the signatory maintains under its sole control, and (e) linked to the related record in such a way that a change to the record is detectable.
Cryptography technologies, like those in Adobe PDFs, Microsoft Word and other word processors, are a common way of achieving this. These programs use a two “key”-paired system called Public Key Infrastructure (PKI). A record is encrypted with one key and can only be decrypted with the other. For example, a party uses its private key to “sign” the record by creating and encrypting a unique fingerprint or “digest.” The encrypted digest is sent to a recipient who attempts to decrypt the digest using a second key (which may be publicly available). If successful, then the recipient knows it came from the intended party. A recipient can also check the digest’s integrity by creating a second digest using its key. If the digests do not match, then the record has been altered.
Qualified E-Signatures are generally defined as: (a) advanced e-signatures that are: (b) based on qualified certificates issued by a certification authority (CA) and (c) created by secure signature creation devices.
It is the CA’s responsibility to verify that the party signing the record is, in fact, a real entity and the intended signing party. CAs and certificates reduce the risk that the PKI keys were forged, stolen or created by a fake party. For example, a company may wish to pay its employees through an electronic payment provider (EPP), so it logs into its password-protected account to begin payment. EPP sends a message with random characters to the company, which encrypts the message with its private key. The encrypted message/digest, along with a public key and a qualified certificate, is sent back to EPP. EPP decrypts the digest with the company’s public key and validates the certificate by contacting the CA that certified the company. If both check out, then EPP will proceed with payment. Businesses wanting further certainty may ask that the certificates be issued by an accredited CA. Accredited CAs are CAs that have been vetted as trusted entities by another entity. In turn, these first entities can be further vetted by additional entities, and so on. Such vetting entities include national to international business alliances; trade organizations; and local and national governments. At the end of the day, a business must choose whom it trusts the most.
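The digest-and-key-pair mechanics described for advanced e-signatures, and the random-message exchange in the payment example, can be seen in the following Python example, which is added here for illustration and is not taken from the original article or from any product it names. The function names and the key are assumptions: the key is built from two publicly known primes so the arithmetic is real but the key protects nothing, and the CA's certificate check is not modelled.

```python
import hashlib
import secrets

# Constructed toy key: two publicly known Mersenne primes, so the arithmetic
# is real but the key is NOT secret. Real signers use randomly generated keys
# and a padded scheme (e.g. RSA-PSS) from a vetted library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key (modulus, exponent)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held only by the signer

def digest(record: bytes) -> int:
    """SHA-256 fingerprint of the record, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")

def sign(record: bytes, d: int = D, n: int = N) -> int:
    """Signer: transform the record's digest with the private key."""
    return pow(digest(record), d, n)

def verify(record: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: recover the signed digest with the public key and compare
    it with a digest computed independently from the record received."""
    return pow(signature, e, n) == digest(record)

def challenge_response() -> bool:
    """The payment-provider exchange: the company signs a fresh random message."""
    challenge = secrets.token_bytes(32)        # provider -> company
    response = sign(challenge)                 # company -> provider
    stale = sign(b"challenge from an earlier session")  # a replayed old answer
    return verify(challenge, response) and not verify(challenge, stale)

if __name__ == "__main__":
    # Constructed sample record.
    contract = b"Licensor grants Licensee a non-exclusive license for USD 10,000."
    sig = sign(contract)
    print("original verifies:", verify(contract, sig))
    print("altered verifies: ", verify(contract.replace(b"10,000", b"1,000"), sig))
    print("challenge accepted:", challenge_response())
```

Because the challenge is random each time, a signature captured from an earlier session does not verify against the new one, which is why the provider sends fresh characters rather than a fixed message.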
Despite streamlining many of their practices via other technologies, many businesses choose to continue signing contracts by hand and on original paper. One survey conducted amongst government, industry associations, and businesses of all sizes found that a major reason for not adopting e-signatures is that there is a lack of legal certainty regarding their enforcement. However, this lack of certainty is not for lack of law. Many countries have already recognized the importance of e-signatures and have implemented laws regarding their enforcement.**
In an effort to enable and facilitate the use of e-signatures, the United Nations released the UNCITRAL Model Law on Electronic Signatures in 1996, which established criteria for technical reliability and advocated a technology neutral approach. The model law provided the technical criteria for an e-signature’s reliability as well as basic guidelines for assessing duties and liabilities of the signatory, the relying party and third parties (like CAs) in the signature process. These guidelines have been implemented by other countries around the world. The United States defined e-signatures in 1999 in the Uniform Electronic Transactions Act (UETA). The UETA was adopted by forty-seven states with New York, Washington and Illinois implementing their own e-signature laws. In an effort to ensure certainty, the US E-Sign Act of 2000 stated that a signature or contract would not be excluded simply because it was in electronic form. Canada defined e-signatures and advanced e-signatures (referred to as “secure e-signatures”) in its Personal Information Protection and Electronic Documents Act and subsequently regulated e-signature through regulation SOR/2005-30. Similarly, the European Union’s Directive 1999/93/EC, or the EU Electronic Signatures Directive, directed EU member states to ensure the validity of e-signed contracts in their respective systems and to also provide for a technology neutral approach.
In Asia, many countries have also implemented laws and regulations though many still adhere to traditionally signed multiple hard copies. In Japan, the Law Concerning Electronic Signatures and Certification Services of 2000 gives legal validity to contracts that have been e-signed. India’s Information Technology Act of 2008 essentially allows for e-signatures, and in 2005, the Electronic Signature Law of the People’s Republic of China went into effect, which also endorses a technology neutral approach.
In light of today’s fast moving world where business is conducted internationally, 24/7 and at the click of a button, the need for an effective e-signature process and its abundant adoption is clear. Notably, just as business has evolved, so, too, has the purpose of an effective, enforceable signature in the electronic realm. Though there is still much work to be done to harmonize the laws and further facilitate cross-border enforcement of e-signed contracts, many countries have already recognized the need for an effective e-signature framework. It is now up to those businesses still handwriting their signatures on original paper to weigh their own risks in light of those initiatives.
The material contained in this newsletter is for informational purposes only and is not intended to be legal advice. It is understood that each case is fact-specific, and that the appropriate solution in any case will vary. Transmission of this material is not intended to create and receipt does not establish an attorney-client relationship. While the material is intended to be accurate, errors or omissions may be contained herein, for which any liability is disclaimed. Legal advice of any nature should be sought from your legal counsel.
*Sources are on file with the author.
** For the sake of brevity, the laws discussed below are intended for a general overview. Readers should consult these laws and any other applicable laws in more detail for more information.