In the process of digital transformation, one of the first questions we ask when assessing a move from the traditional system to an electronic system for signing documents and contracts with our customers, suppliers, employees and others is whether this type of signature is legal.
The short and resounding answer is YES: the electronic signature is fully supported by current legislation in virtually every country in the world. In some cases the law is stricter, in others more permissive.
We will analyse the eIDAS regulation, the most demanding law on electronic signatures, which is currently followed by the member states of the European Union and serves as a legal model for many other countries.
First of all, it is important to keep in mind that the legislation defines what is understood by an electronic signature and classifies it by type, but does not give specific examples of when one type of signature or another should be used; rather, we are the ones who must interpret it and apply the type of signature we consider most appropriate.
Once this point is clear, let us look at the definition of electronic signature according to the eIDAS regulation:
“Electronic signature” means electronic data attached to or logically associated with other electronic data, which the signer uses to sign.
For example, in the case of a PDF contract or document that has been signed electronically, the signature is the data attached to the PDF itself, generated during the signing process and carrying the information about that signature.
Depending on the conditions that the electronic signature meets, one can distinguish between:
- Electronic signature.
- Advanced electronic signature.
- Qualified electronic signature.
According to Article 25, an electronic signature shall not be denied legal effect or admissibility as evidence in legal proceedings solely because it is in electronic form or because it does not meet the requirements of a qualified electronic signature.
That is, any electronically signed document can be admitted as evidence in a trial.
This same article includes the following points:
- A qualified electronic signature will have a legal effect equivalent to that of a handwritten signature.
- A qualified electronic signature based on a qualified certificate issued in a Member State shall be recognized as a qualified electronic signature in all other Member States.
What are the differences between the electronic signature, the advanced electronic signature and the qualified electronic signature?
In accordance with the legislation, the differences lie in the requirements each one must meet:
Electronic signature: Data in electronic form attached to or logically associated with other electronic data, which the signer uses to sign.
Advanced electronic signature: An electronic signature that meets the requirements of Article 26, that is:
a) It is uniquely linked to the signer.
b) It is capable of identifying the signer.
c) It is created using electronic signature creation data that the signer can, with a high level of confidence, use under his exclusive control.
d) It is linked to the data signed with it in such a way that any subsequent modification of that data is detectable.
Qualified electronic signature: An advanced electronic signature that is created by a qualified electronic signature creation device and that is based on a qualified electronic signature certificate.
With these definitions we can reach the following conclusions:
In order to reach the level of a qualified electronic signature, it is essential to have a certificate, but not just any certificate will do, nor can the certificate be kept in just any “place”.
The certificate we sign with must be qualified, that is, issued by a qualified trust service provider; those publicly recognised by the EU member states are considered qualified. In the case of Spain, those that appear on this list.
In addition, this qualified certificate must have been created on a qualified device. It is not enough, for example, to hold a qualified certificate and download it to our own equipment; the qualified certificate must have been created directly on a qualified device, such as a cryptographic card or a secure server (HSM), provided that device is certified as “qualified”.
In practice, all this means that it is complicated and impractical for us, our customers, suppliers or employees to have the means needed to produce a qualified electronic signature. There are scenarios where this type of signature is absolutely necessary, but in most cases we can turn to another modality: the advanced electronic signature.
Fortunately, the advanced electronic signature offers a high level of security: unlike the “simple” electronic signature, it guarantees the identification of the signer and that the document has not been altered after signing, without the requirements that a qualified electronic signature involves.
What is required then to reach an advanced electronic signature level?
As mentioned at the beginning, the legislation defines and lists the requirements of this type of signature; it can therefore be achieved by different means, as long as those requirements are met.
Let’s look at some examples in which the mechanism used can be considered an advanced electronic signature:
Signature with certificate
The digital certificate is an identification and signature mechanism uniquely linked to the signer. It allows identification, since verifying our identity beforehand is an essential condition for obtaining a certificate. Both access to the signature request and the certificate itself are under the exclusive control of the signatory. Any modification made after a document has been signed with this mechanism is easily detected.
Biometric signature
A biometric signature is one that collects biometric data such as speed, inclination and pressure. Capturing this data requires devices designed for the purpose, such as tablets with a stylus and signature pads.
Our handwritten stroke is uniquely linked to us. Thanks to the biometric data, only the signer can perform that stroke on a device prepared for it. Once the biometric signature has been captured, the document is signed with a certificate and time stamp, which guarantee that it has not been altered afterwards and, if it has, that the alteration can be detected.
Our Viafirma Documents tool holds several certifications that recognise our biometric signature as an advanced electronic signature:
● Advanced Digitalized Handwritten Signature Certificate, by EADTrust, certificate number FMDA-2018-013.
● Forensic graphological report by an applied handwriting expert, MARÍA ISABEL SALGADO RODRÍGUEZ, expert in Calligraphic Expertise, Documentoscopy and Psychography at the Institute of Psychography of Madrid (IPSIGRAP).
Signature using a temporary code sent to a mobile phone
Signing with a temporary code sent to the mobile phone is widespread in many digital sectors, such as online banking. The code is known as an OTP (One Time Password). This mechanism has the following characteristics:
- It is linked to the signer only. The signer has a mobile phone with a phone number.
- It identifies the signer. The telephone number is personal and belongs exclusively to the signer.
- For many years, in many countries a mobile phone number cannot be obtained without an identity verification process similar to that for issuing a digital certificate. In Spain, for example, issuing a mobile SIM requires this identification by the operator, as well as the signing of a contract. A mobile line is therefore necessarily linked to a natural or legal person.
- The signature must have been created using signature creation means that the signer can use, with a high level of confidence, under his exclusive control. Both access to the signature request (sent to the signer’s e-mail or to his own mobile phone) and the temporary SMS code (sent to the signer’s mobile phone) are under the exclusive control of the signatory.
- During the OTP SMS signing process, the signature operation is therefore linked to the signer through that mobile phone number.
- It is linked to the signed data, so that any subsequent alteration can be detected.
The OTP code is not purely random. The system takes the hash digest of each page of the document and derives a code from those hashes. It stores the code that is sent to the user’s mobile device together with the positions of the hashes it used (which are random). A link can therefore be established between the content of the document and the calculated OTP, and the signed document can later be validated. It is statistically impossible for two different documents to produce the same OTP code with the same hash positions. In this way, the OTP SMS signature links the signed content to the signing operation.
The document signed by OTP SMS is then also signed with a certificate and time stamp, which allow any subsequent modification to be detected.
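To make the content binding described above concrete, here is an added Python sketch (not Viafirma’s code, whose actual algorithm the article does not give) of one way an OTP can be derived from per-page hashes and randomly chosen positions, and how a validator later recomputes it to detect a document altered after signing. The sample pages, the per-page byte-offset selection and the 6-digit format are assumptions.

```python
import hashlib
import secrets

# Constructed sample document: page contents as bytes (not a real contract).
PAGES = [
    b"Page 1: Service agreement between Provider S.A. and Client S.L.",
    b"Page 2: Fees, payment terms and duration of the agreement.",
    b"Page 3: Governing law, jurisdiction and signatures.",
]

def page_hashes(pages):
    """SHA-256 digest of every page: the OTP is derived from these, not from a random source."""
    return [hashlib.sha256(p).digest() for p in pages]

def derive_otp(pages, positions, digits=6):
    """Derive a numeric OTP from the digest bytes selected by `positions`.

    positions[i] lists the byte offsets taken from page i's digest (assumed scheme), so every
    page contributes and a change to any page alters the input of the final hash.
    """
    selected = b"".join(bytes(h[o] for o in offs) for h, offs in zip(page_hashes(pages), positions))
    digest = hashlib.sha256(selected).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10 ** digits:0{digits}d}"

def issue_otp(pages, per_page=8, digits=6):
    """Issuing side: choose random digest offsets for each page, derive the code, keep both."""
    rng = secrets.SystemRandom()
    positions = [sorted(rng.sample(range(32), per_page)) for _ in pages]
    code = derive_otp(pages, positions, digits)
    # This record is what the system stores: the code sent by SMS and the positions it used.
    return {"code": code, "positions": positions}

def validate_signed_document(pages, record):
    """Validation side: recompute the OTP from the presented document and the stored positions."""
    if len(pages) != len(record["positions"]):
        return False  # pages added or removed after signing
    return derive_otp(pages, record["positions"], len(record["code"])) == record["code"]

if __name__ == "__main__":
    record = issue_otp(PAGES)
    print("OTP sent to the signer:", record["code"])
    print("original document validates:", validate_signed_document(PAGES, record))
    # Edit one page after signing: the recomputed OTP no longer matches the stored one.
    tampered = PAGES[:1] + [b"Page 2: Fees doubled, payment terms changed."] + PAGES[2:]
    print("tampered document validates:", validate_signed_document(tampered, record))
```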
All these examples can be considered advanced electronic signatures. However, if, for example, the document has been signed with a stroke drawn with a finger or a mouse, or the temporary signing code has been received by e-mail, we are talking about a “simple” electronic signature, because the data collected during the signing process cannot link the signer’s identity to the signature (in the first case no biometric data can be obtained; in the second, no identification process is required to open an e-mail account).
This is important to point out because there are many “simple” signature solutions on the market with a clear legal and security difference that the user cannot easily distinguish. In fact, the difference between one type of signature and another is not visible in the document itself: in all cases we see some graphic stamp or signature included in the document. The difference lies, as we have seen, in the data collected during the signing process and linked to it. We will talk soon about this data, evidence and signatures in a signed document.