WACOM esignature Solutions
July 3, 2017 | Author: Leslie Greer | Category: N/A
WACOM eSignature Solutions Compliance with European e-Signature legislation WHITE PAPER
www.dlapiper.com
CONTENTS
1. INTRODUCTION
2. CONTRACTUAL VALIDITY AND ENFORCEABILITY
3. CONTESTING HANDWRITTEN SIGNATURES
4. THE E-SIGNATURE DIRECTIVE
5. VALIDITY AND ENFORCEABILITY OF ELECTRONIC SIGNATURES
6. DESCRIPTION OF WACOM'S ESIGNATURE SOLUTION
7. WACOM'S ESIGNATURE SOLUTIONS SATISFY THE EUROPEAN REQUIREMENTS OF ELECTRONIC SIGNATURES
8. WACOM'S ESIGNATURE SOLUTIONS CAN BE CONFIGURED AS A QUALIFIED ELECTRONIC SIGNATURE SYSTEM
9. ESIGNATURES LEGISLATION OVERVIEW AROUND THE WORLD
10. DRAFT TRUST SERVICES EUROPEAN REGULATION
11. CONCLUSION

From the quality of our legal advice and business insight to the efficiency of our legal teams, we believe that when it comes to the way we serve and interact with our clients, everything matters.

Wacom | October 2013
DLA Piper
1. INTRODUCTION

This white paper reviews the legal effectiveness of Wacom's eSignature solutions in relation to European regulatory principles for electronic signatures. In the first part of this white paper, we frame the main questions of contractual validity and enforceability. We briefly summarise the Electronic Signature Directive's central definitions and scope. We further analyse the overall European contractual landscape from the perspective of validity and enforceability of electronic contracts by broadly outlining when electronic signatures are adequate and when qualified electronic signatures may be useful.

In a second part, this white paper describes the main features from a legal point of view of Wacom's eSignature solutions. We review these key features in our analysis of the legally binding nature of Wacom's eSignature solutions signatures.

We conclude that when correctly implemented, from a legal perspective, Wacom's eSignature solutions meet or even exceed the requirements of an electronic signature as defined in Article 5.2 of the E-Signature Directive.

Furthermore, adequate configuration of the technical and procedural safeguards of Wacom's eSignature solutions can make it an excellent additional tool to increase the trustworthiness of a qualified electronic signature system in accordance with Article 5.1 of the E-Signature Directive.

2. CONTRACTUAL VALIDITY AND ENFORCEABILITY

When dealing with electronic signatures in the context of contractual agreements, two main questions arise. The first question relates to the existence and validity of an electronically signed contract. The second relates to the probative value and enforceability of an electronically signed contract.

The first question deals with the formal requirements to conclude a valid contract. A guiding principle in European contract law is the principle of "consensualism", in the sense that contracts are effected by the mere consent of the parties. The principle is that the freely given and mutual consent of the parties involved is sufficient to establish a contract: no formal requirements such as a written document, registration or signatures are needed to enter into a valid contract. Contracts can be entered into verbally, in writing, electronically or even implicitly. There are certain exceptions to this rule in various jurisdictions. Such exceptions often include real estate contracts, public procurement contracts, consumer contracts and family law contracts such as wills. For such contracts, specific formalities need to be fulfilled in order to conclude a valid contract.

While there are some exceptions, the vast majority of contracts can be entered into by the mere consent of the parties and no signature or other specific formalities are required to conclude a valid contract.

When surveying the legal landscape, it is reasonable to estimate that the legal validity of the vast majority of contracts does not require specific formalities.

The second question relates to the enforceability and the legal principles in obtaining proof of concluded agreements. The second question is important, as there is a difference between the existence of a valid contract and being able to enforce the contract by proving its existence and its contents.

The legal rules regarding the evidentiary value and the enforceability of contracts vary by jurisdiction. In civil law countries, such as Belgium and France, which may serve as an example of the rules of evidence in existence in continental Europe, a distinction is made between unrestricted and restricted evidence. Commercial disputes, i.e. contracts between persons and businesses engaged in commerce, merchandising, trade, and sales, generally permit unrestricted evidence under such rules of evidence. This means that any type of writing, testimony, email or factual element is admissible and that it is at the court's discretion to evaluate their evidentiary value. In settings involving private persons, including consumers, a general rule in some jurisdictions is that a written act, namely a written document signed by the parties who undertake obligations in the act, must be provided above a certain amount.
It is generally accepted that the rules of evidence may be deviated from by agreement between the parties. Parties can contractually agree which means of proof are required, or which evidential value is given to certain documents in the event of a dispute. For example, parties can agree that filling in a password or ticking a checkbox shall be considered as an electronic signature which meets the functional requirements of a handwritten signature.

Even when restricted evidence is required (such as a signed act), the rules of evidence will generally ascribe at least some legal evidentiary value to unrestricted evidence (such as emails describing the content of the contract), whether as a legal rule or in practice. Taking into account the above, it is fair to say that in a majority of contractual dispute cases in Europe unrestricted evidence is admissible in a court proceeding. When unrestricted evidence is admissible, any type of writing, email, soft copy or electronic signature may be furnished to prove contractual obligations.

Although the rules of evidence vary from jurisdiction to jurisdiction, in most cases unrestricted evidence (such as any type of writing, email or electronic signature) is admissible when proving the enforceability of a concluded contract.

3. CONTESTING HANDWRITTEN SIGNATURES

It is important to note that paper-based handwritten signatures do not offer absolute enforceability, as they can often be contested in the context of a dispute. A paper-based handwritten signature can be challenged on the grounds that it is a forgery.

In Belgium for example, contesting a signature leads to a reversal of the burden of proof. In such a case, a party may simply disavow a paper-based written signature on a contract. The burden of proof is then on the claimant, who must establish the existence and extent of the contract by proving the authenticity of the handwritten signature. The claimant must undertake a civil proceeding regarding document forgery, involving the investigation of a forensic expert, and which requires a judicial ruling based on a review of the evidence to prove the authenticity of the document.

While handwritten signatures in most contracts may be challenged, there are some exceptions, including certified documents and notarised acts. As an example, legislation has recently been introduced in Belgium, as in other jurisdictions, to offer the possibility to certify a document through the signature of the lawyers of the contracting parties, which has the effect to reverse the burden of proof: it is then up to the defendant to prove that the certified document is a forgery.

Paper-based handwritten signatures do not offer absolute enforceability and may be challenged. In most cases, depending on the applicable jurisdiction, it is up to the claimant, not the defendant, to prove the authenticity of the written document, unless for instance the document has been certified or is a notarised act.

4. THE E-SIGNATURE DIRECTIVE

The European Directive on Electronic Signatures of 1999 harmonises the legal recognition of electronic signatures in Europe. It establishes a legal framework for electronic signatures and certain certification services on the internal market. The E-Signature Directive does not cover aspects related to the conclusion and validity of contracts. It does ensure the legal effectiveness and admissibility as evidence in legal proceedings of electronic signatures.

The E-Signature Directive makes a distinction between normal electronic signatures, advanced electronic signatures and qualified electronic signatures.

4.1 Electronic signatures

The Directive provides for a very broad definition of an "electronic signature" without any explicit reference to a specific technology. An "electronic signature" is defined in the E-Signature Directive as data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.

The Directive explains in its recital 8 that ‘rapid technological development and the global character of
the internet necessitate an approach which is open to various technologies and services capable of authenticating data electronically’. The three criteria to qualify as an electronic signature are: the existence of a set of data, the set is linked to other data, and it authenticates these data. None of the criteria are further defined nor explained by the Directive, leaving room for broad interpretation. This means that every type of electronic authentication can be regarded as an electronic signature, as long as the authenticating data are attached to or associated logically with other electronic data. This may include a PIN code, a password, a scanned signature, symmetric and public key cryptography authentication methods and biometric authentication methods. The definition of an electronic signature in the Directive does not even exclude the typed name at the bottom of an email or the attachment of a scanned signature to a document. The Directive accepts every electronic authentication method as an electronic signature, whether it invokes legal effect or not, and whether the signatory approves the contents of the document or not. By taking this broad approach the Directive is able to cover every kind of authentication without having to tackle the existing legal differences between the European Member States’ legal systems.

According to Article 5.2 of the E-Signature Directive, such an electronic signature may not be denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is (i) in electronic form; (ii) not based upon a qualified certificate; (iii) not based upon a qualified certificate issued by an accredited certification service-provider; or (iv) not created by a secure signature-creation device.

The effect of this article is that Member States may neither draft or maintain regulation nor endorse or authorize private rules with a view to condemning the use of an electronic authentication tool solely by virtue of its electronic format or non-qualified nature. Hence, this general acceptance rule of electronic signatures means that Member States may not draft legislation forbidding the use of electronic authentication tools for legal purposes solely on the grounds that they are in electronic form.

The fact that such an electronic signature may not be denied legal effectiveness and admissibility as evidence based on certain technical characteristics, does not imply that it would receive the same legal effect as a handwritten signature. This will only be the case if provided for in specific laws. Neither does it affect national rules regarding the free consideration of evidence by the judge.

4.2 Advanced electronic signatures

An "advanced electronic signature" as defined by the E-Signature Directive is an electronic signature which meets the following requirements: (i) it is uniquely linked to the signatory; (ii) it is capable of identifying the signatory; (iii) it is created using means that the signatory can maintain under his sole control; and (iv) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Contrary to some other existing legal instruments and guidelines (e.g. UNCITRAL model law on electronic signatures, US E-Sign Act) the Directive does not consider the approval of the contents by the signatory as an essential element of an electronic signature. The signatory’s approval thus needs to be specified by other means, for example in the text of the signed document, or by referring to a ‘signature policy’ which includes approval. Although the legal definition is being formulated in a technology neutral way, in practice, it refers mainly to electronic signatures based on digital signature technology or, in other words, making use of public key cryptography.

It therefore seems that mainly public key cryptography systems meet the requirements of the Directive’s definition. In this sense, an advanced electronic signature is essentially a digital file containing a hash of the document obtained by encryption with the private key of the signatory. Other parties can verify the advanced electronic signature with the corresponding public key of the signatory. An accompanying digital certificate confirms the signatory as the owner of its public key.
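
The hash-and-private-key mechanics of section 4.2, which are also the basis of the document-hash check that section 6 describes for the Wacom solution, shown as an added example (not code from the white paper or from Wacom). It uses unpadded textbook RSA over SHA-256 with toy keys built from Mersenne primes so that it runs on the Python standard library alone; the key construction, function names and sample bytes are assumptions, and real signature systems use a padded scheme such as RSASSA-PSS with randomly generated keys.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent, known only to the signatory


def toy_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Build an RSA key from two known primes (illustration only)."""
    return KeyPair(n=p * q, e=e, d=pow(e, -1, (p - 1) * (q - 1)))


# Assumption: fixed Mersenne primes keep the example deterministic. A modulus
# like this is trivially factorable and must never protect real data.
SIGNER = toy_keypair(2**521 - 1, 2**607 - 1)
OTHER = toy_keypair(2**1279 - 1, 2**2203 - 1)

# Constructed sample inputs (hypothetical contract text and image bytes).
BODY = b"Lease agreement: unit 4, rent 1,000 EUR per month."
IMAGE = b"constructed-signature-image-bytes"


def document_hash(body: bytes, signature_image: bytes) -> int:
    """SHA-256 over the document body and the embedded signature image.

    Each part is length-prefixed so bytes cannot be moved from one field to
    the other without changing the hash.
    """
    h = hashlib.sha256()
    for part in (body, signature_image):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return int.from_bytes(h.digest(), "big")


def sign(body: bytes, signature_image: bytes, key: KeyPair) -> int:
    """Signatory: transform the document hash with the private exponent."""
    return pow(document_hash(body, signature_image), key.d, key.n)


def verify(body: bytes, signature_image: bytes, signature: int,
           n: int, e: int) -> bool:
    """Relying party: recover the signed hash with the public key and
    compare it with a fresh hash of the document as received."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == document_hash(body, signature_image)


if __name__ == "__main__":
    sig = sign(BODY, IMAGE, SIGNER)
    pub = (SIGNER.n, SIGNER.e)
    altered = BODY.replace(b"1,000", b"9,000")
    other_doc = b"Loan agreement: 50,000 EUR repayable on demand."
    print("unchanged document:       ", verify(BODY, IMAGE, sig, *pub))
    print("body altered after signing:", verify(altered, IMAGE, sig, *pub))
    print("image and signature moved: ", verify(other_doc, IMAGE, sig, *pub))
    print("checked against wrong key: ",
          verify(BODY, IMAGE, sig, OTHER.n, OTHER.e))
```

Only the first check succeeds: a changed body, a signature image transplanted into another document, and a public key that does not belong to the signatory all produce a hash mismatch.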

The E-Signature Directive does not confer to the advanced electronic signature a specific legal effectiveness different from a (normal) electronic
signature. The Directive instead uses the concept of the advanced electronic signature, namely a signature using public key cryptography, to define "qualified electronic signatures", which are advanced electronic signatures which satisfy certain specific legal criteria (as described below).

The main difference between (normal) electronic signatures and advanced electronic signatures is that the technical security of a public key cryptography system is generally considered to be higher than certain legally accepted (normal) electronic signatures such as a PIN code. An advanced electronic signature must therefore be considered to be more trustworthy. Trustworthy systems generally confer more evidential weight. It should nonetheless be noted that from a legal standpoint, the particular technical method used may only be an element to be taken into account at the discretion of the courts when evaluating the overall evidentiary value in a particular case. In a particular case, the trustworthiness of a given public key signature may be questioned for instance, while in other circumstances courts may consider a PIN to provide sufficient evidence given the facts of the case.

4.3 Qualified electronic signature

A "qualified electronic signature" is an advanced electronic signature based on a qualified certificate and which is created by a secure-signature-creation device.

A core principle of the E-Signature Directive is that Member States are obliged to confer to certain types of electronic signatures the same legal effect as paper-based handwritten signatures (Article 5(1)). This guarantee applies to qualified electronic signatures which meet the criteria fulfilling some minimal technical security requirements: only advanced electronic signatures which are based on a ‘qualified’ certificate and which are created by a ‘secure’ signature creation device have this advantage. Member States must ensure that these types of electronic signature satisfy the legal requirement of a signature in relation to data in electronic form in the same way as a handwritten signature satisfies the requirement in relation to paper-based data. These signatures are also admissible as evidence in legal proceedings. The conditions for meeting the technical minimum requirements can be found in the definition of an ‘advanced electronic signature’ and in Annexes I, II and III to the Directive.

In order to be qualified, an advanced electronic signature must be made on the basis of a qualified certificate. A certificate is an electronic confirmation which links the data for verifying the signature to a natural or legal person and which confirms the identity of the person. As described in Annex I of the Directive, a "qualified" certificate must contain specific mandatory information and must be issued by a qualified certification services provider. The E-Signature Directive contains in its Annex II requirements for such qualified certification services providers, which in practice means an accredited commercial certificate authority or a governmental certificate authority. Such a certificate authority then certifies the ownership of a public key by a named person or legal entity by issuing a digital certificate.

The signature must also be created by a secure-signature-creation device. This implies that the configured software or hardware used to implement the data for creating the signature complies with requirements relating to the trustworthiness of the data handled by the device as described in Annex III of the E-Signature Directive.

This paper will review below how the legal requirements for qualified electronic signatures defined in the E-Signature Directive apply to Wacom's eSignature solution. If all requirements related to the qualified electronic signature are met, then such a digital signature file is automatically assimilated and legally presumed to be equivalent with a handwritten signature.

The use of an electronic signature or advanced electronic signature implies that such signature may not be denied legal effectiveness and admissibility as evidence in legal proceedings. A qualified electronic signature is automatically legally assimilated with a handwritten signature.

5. VALIDITY AND ENFORCEABILITY OF ELECTRONIC SIGNATURES

We have noted above that the majority of contracts in Europe can be entered into by the mere consent of the parties and no signature or specific formalities are
required to conclude a valid contract, although there are exceptions such as real estate contracts and public procurement contracts, which require a handwritten signature.

Given the limited use of electronic signatures, it is premature to talk about solid case law in 2013 at national or EU level addressing the legal effect of electronic signatures. In only a few countries has the meaning and validity of an electronic signature been tackled directly in court.

From these limited cases, we can infer that in most contractual dispute cases in Europe, the type of evidence admissible in court is unrestricted and any type of writing, email, soft copy or electronic signature may be used to prove contractual obligations, although rules of evidence vary from jurisdiction to jurisdiction and may require a handwritten signature in certain cases.

Greece. In Greece, the Court of First Instance in Athens acknowledged recognition of a debt submitted to the other contractual party in the form of an electronic message (e-mail) as a legal act binding the debtor. In its ruling, the Greek court accepted that an e-mail address satisfies the legal functions of a signature (unique identification of the signer, unique link between the signatory and his e-mail address) and, thus, can be considered as the electronic equivalent of the handwritten signature. According to the Greek judge, the inherent security problems (e.g. risks of third party intrusions to the computer and e-mail system) that could possibly constitute a hindrance to the recognition of such equivalence should not be considered as a ‘weakness’ of the e-mail (electronic signature) per se but rather as a risk that should normally be borne by the message recipient.

Netherlands. By contrast, confronted with the same question the Dutch judge ruled that the e-mail message could not be granted any legal value because of the evident security risks of the e-mail communication (especially, within open systems).

United Kingdom. In the same context, a UK Court confirmed by a ruling in obiter dictum that an electronic signature in a computer-generated facsimile would have satisfied the requirements of the Insolvency Act in terms of signing a proxy voting form. It has also been made clear in a ruling from the UK Appeals Court that the conclusion of whether or not a contract is binding does not only relate to the use of a (handwritten or electronic) signature but should primarily depend on the intention of the parties. In other words, all elements necessary to make a contract may well exist within e-mail exchanges, as they may not, depending on what the real intention of the parties was.

Estonia. Concerning the value of documents used in or exchanged through court proceedings, there has also been a decision of the Tallinn Administrative District Court in Estonia ruling that digitally-signed documents must be considered equivalent to handwritten ones in court proceedings.

Spain. The legal value of the electronic signature was explicitly pronounced in Spain where the Court of First Instance of Madrid ruled that an electronic contract between private parties was null and void on the grounds that it did not bear an electronic signature.

Sweden. In Sweden, the Administrative Supreme Court ruled that an electronic signature does not suffice for an administrative legal act to be valid, insofar as the administrative law requires a handwritten signature. In other words, the Court affirmed the general rule of the Swedish electronic signatures law that an electronic signature can be regarded as the equivalent of a handwritten one, on condition that the legal requirement satisfied by the handwritten signature can also be satisfied by electronic means. By ruling thus, the Court did not go any further in determining what functional requirements the electronic signature should fulfil in order to have probative value.

A normal electronic signature cannot in principle be denied legal effectiveness and admissibility as evidence in legal proceedings, although this does not imply that it is an equivalent alternative for a handwritten signature.
As a result, the European legal landscape with regards to the two main questions of validity and enforceability may be broadly summarised as follows, depending on specific rules varying from jurisdiction to jurisdiction.

| | (Normal) Electronic Signatures | Qualified Electronic Signatures |
| Validity | Electronic signatures are sufficient to conclude a valid contract in most cases. | Qualified electronic signatures may be useful in a minority of cases to conclude a valid contract. |
| Enforceability | Electronic signatures are admissible as evidence in most court cases. | Qualified electronic signatures may be useful as evidence in a minority of court cases. |

Table 1. Validity and enforceability of electronic signatures

Our analysis shows that from the perspective of the intended use of electronic signatures as a means to create valid contracts and from an enforceability point of view, electronic signatures are often adequate and qualified electronic signatures may be useful in a minority of circumstances, unless they are required in exceptional circumstances. When surveying the legal landscape, it is therefore reasonable to broadly estimate based on our research:

For 80% of contracts as an estimate, no signature requirements are imposed by law for validity or enforceability reasons.

In the vast majority of cases, any kind of electronic signature can be used. As courts decide on the value of the evidence presented to them, the more trustworthy the technology used, the more trustworthy the signed document, the more evidential weight will generally be conferred.

For 15% of contracts as an estimate, signature requirements are imposed by law for validity or enforceability reasons.

Any kind of electronic signature can be used in the event of a signature requirement imposed by law. According to Article 5.2 of the E-Signature Directive, (normal) electronic signatures may not be denied legal effectiveness and admissibility as evidence in legal proceedings. The more trustworthy the used technology, the more trustworthy the signed document, but the risk remains that a judge does not trust the technology, and hence decides that the formal signature requirement has not been met. Using a qualified electronic signature will automatically lead to the fulfilment of the signature requirement.

For 5% of contracts as an estimate, the use of a qualified electronic signature is explicitly required by law.

In exceptional circumstances national laws may impose the use of qualified electronic signatures: local laws need to be checked in such circumstances for specific requirements, sometimes even additional requirements, such as a qualified electronic signature generated by an electronic identity card (eID).

6. DESCRIPTION OF WACOM'S ESIGNATURE SOLUTION

The eSignature solution from Wacom which we tested consists of a software application (Wacom's Sign Pro PDF software) and a signature pad (STU-500 series), combining aspects of handwritten and digital signatures. Wacom informs us its eSignature solutions also work with other signature software vendors in a similar way.

The Wacom STU signature pad and signature display is a special sensor panel with a superimposed display, as well as a signature stylus. When the user moves the stylus across the signature pad, the sensors record the position and state of the stylus in real time and store this electronic signature data in the software application. The signature panel's display allows visual inspection of the signature by the user and the relying party.

The software application Wacom Sign Pro PDF in turn collects and stores a wide range of information, including:

- A full record of the pen movement with time, including its position, pressure and depending on the device being used, the pen angles.
- A cryptographic message digest, or hash, is calculated, namely a sequence of data of a
fixed length which acts as a shortened reference to the original document, using the information identifying the document being signed.
- Contextual information about the signing event, including the name of the person, the date and time, and the data that identifies the computer system used.

When the user signs on the signature pad, the signature data stream is encrypted and transferred in real time to the client PC – without storage in the signature pad. The software application generates an image file of the signature as captured by the user's movement on the signature pad. Using steganography, which is a cryptographic technique for concealing data, the captured data, which includes the biometric, hash and contextual data, is used to modify the signature image without visually altering its appearance. The software application then appends the signature image file to the PDF document, giving the appearance of an inked signature on paper, while including the full forensic record within the image.

Immediately after the image file has been inserted, a hash is calculated for the entire document body and the image signature file. The document hash is encrypted with the user's private key, to which either a self-signed certificate is associated, or a certificate delivered by a certificate authority.

The integrity of the document can be checked by recalculating the document hash and comparing it with the hash of the document at the time of signing. To obtain the original document hash, it must be retrieved from the image file, and decrypted using the signer's public key. Checking the document hash is carried out automatically by PDF viewers such as Adobe Reader. If the original hash is identical to the newly calculated hash then this is an indication that the document has not been changed since signing. Copying the signature image file into a different document would result in a different hash and the document would be marked as having been changed. The level of confidence in the authenticity of the hash therefore rests, similarly to other public key cryptography systems, on the trustworthiness of the signatory's public key and on the chain of trust placed by relying parties in the software and hardware systems used. It is important to note that the signatory's public key is linked to a certificate which can be either self-signed or certified by a certification authority.

Additionally, the appended signature image file includes a forensic record containing the full biometric and contextual data of the signing, which can be retrieved in the context of a legal proceeding when ascertaining the authenticity of the signature through forensic analysis.

The underlying mechanics of including a handwritten electronic signature from a Wacom signature pad into a document are equivalent to commonly used public key cryptography signing techniques, with the key addition of a visual signature image containing a full forensic record of the signing.

7. WACOM'S ESIGNATURE SOLUTIONS SATISFY THE EUROPEAN REQUIREMENTS OF ELECTRONIC SIGNATURES

According to the definition of (normal) electronic signatures in the E-Signature Directive, data in electronic form must be attached to or logically associated with other electronic data and serve as a method of authentication.

Based on the mechanics of the system described above, we can conclude with confidence that from a legal perspective, Wacom's eSignature solution, if correctly implemented, meets the requirements of the electronic signature definition under European law. This means, according to Article 5.2 of the E-Signature Directive, that a signature captured with a Wacom eSignature solution may, in principle, not be denied legal effectiveness and admissibility as evidence in legal proceedings solely based on the grounds of its technical specifications. This does not mean that such a signature automatically acquires the same legal validity as a paper-based handwritten signature, unless, depending on the actual implementation of the system, the Wacom eSignature solution can legally be considered to be a qualified electronic signature.

The Wacom eSignature solution has three important additional features from a legal perspective to strengthen its enforceability as an electronic signature, compared to
other commonly accepted electronic signatures such as a PIN code or a password or a scanned signature file.

First, a handwritten signature alerts the signer that he or she is about to ascribe legal consequences to his or her actions. The act of placing a signature signals the intent to assume obligations in a way which may not be apparent from, for instance, entering a PIN code. This is an important component in contract formation, since contracts, as a principle, are entered into by the mutual consent of the parties. The act of signing helps in proving the willingness of the signatory to be bound by legal obligations and therefore deducing consent.

Second, the unique visual nature of the signature serves the purpose of identifying the signatory and verifying the consent of the signatory with the content of the agreement under which the signature is placed.

Third, in the event that the validity of the signature is challenged, the Wacom eSignature system permits a forensic investigation to be conducted by taking into account the full biometric and contextual data contained in the signature file. This may prove to be an additional advantage to prove the tie between the identity of a signatory and a signature, as additional biometric and contextual data, which includes how the signature was placed and the time of signing, may be decisive in forensic investigations.

8. WACOM'S ESIGNATURE SOLUTIONS CAN BE CONFIGURED AS A QUALIFIED ELECTRONIC SIGNATURE SYSTEM

E-Signature Directive and its aims, a certificate containing a public key and the identity of the owner delivered by an accredited commercial certificate authority or a governmental certificate authority, if correctly implemented, should fulfil the definition of a qualified certificate.

Wacom's eSignature solutions can be configured for use with such qualified certificates. A signatory's public key using Wacom's eSignature solution is linked to a certificate, which can be either self-signed or certified by a certification authority. If Wacom's eSignature solution is properly configured for use with qualified certificates linked to each signatory, then the first legal requirement of a qualified electronic signature system could be fulfilled.

Second, a qualified electronic signature requires the use of a secure-signature-creation device. Such a device is defined in Annex III of the E-Signature Directive as a combination of hardware and software used to implement signature-creation-data (which means unique data, such as private keys) and which meets the following requirements:

"1. The device must ensure, by appropriate technical and procedural means, at least that:
a) generated signature-creation-data are unique and remain secret;
b) signature-creation-data cannot with reasonable assurance be derived and the signature is protected against forgery using currently available technology;
c) signature-creation-data can be reliably protected by the signatory against the use of others.
A qualified electronic signature
is
automatically
assimilated with a paper-based handwritten signature. As described above, the E-Signature Directive defines a "qualified electronic signature" as a public key cryptography signature, essentially a hash encrypted with the private key of the signatory, with the crucial
2. The device must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process."
additional requirements, first, that it must be based on a
These requirements will only be met by taking into
qualified certificate and, second, that it must be created
account the entire hardware and software environment of
by a secure-signature-creation device.
which Wacom´s eSignature system will form a part. Some components of the signing system will inevitably
The first requirement is using qualified certificates. A
involve elements which are not part of Wacom´s
digital certificate certifies the ownership of a public key
eSignature system, such as the computer hardware and
by the named subject of the certificate. Taking into
operating system which runs the Wacom eSignature
account the legal requirements described in the
software
Wacom | October 2013
application.
For
instance,
if
Wacom´s
DLA Piper | 10
eSignature solution is configured for use with a private key from an accredited certificate authority stored on a smartcard, then the steps related to key generation and storage will occur outside the scope of the Wacom eSignature system.
To fulfil the legal requirements associated with qualified electronic signatures, the hardware and software systems used must ensure adequate levels of trustworthiness. The fulfilment of the legal requirements for secure-signature-creation devices described above depends on the technical and procedural aspects of Wacom's eSignature solution configuration as a crucial component within such a system.
When adequately configured, a qualified electronic signature system using Wacom's eSignature solution as a component can be used to create digital signatures which have the legal effectiveness of a paper-based handwritten signature. Based on the legal requirements for qualified certificates and secure-signature-creation devices, the proper configuration of the technical and procedural safeguards of Wacom's eSignature solutions makes it an excellent additional tool to increase the trustworthiness of a qualified electronic signature system.
9. ESIGNATURES LEGISLATION OVERVIEW AROUND THE WORLD
Legislative initiatives enabling electronic signatures around the world have varying levels of flexibility towards electronic signatures. Certain jurisdictions have adopted enabling legislation regarding electronic signatures, while others have a more stringent regulatory approach. Broadly speaking, the legislative situation in various countries may be categorized into three groups:
Countries with a flexible approach towards the use of electronic signatures for legal transactions. In these countries, no specific technical requirements are being mandated when using electronic signatures for standard legal transactions. Still, for specific transactions and for specific sectors, additional technical criteria may be required.
Countries with a less flexible approach towards the use of electronic signatures for legal transactions. For standard legal transactions no additional technical criteria are required but the use of specific electronic signature technology is often promoted by law (e.g. by introducing a presumption of conformity for specific electronic signature technology).
Countries with a stringent approach towards the use of electronic signatures for legal transactions. Specific technology-related requirements need to be taken into account when using electronic signatures for standard legal transactions.
Based on DLA Piper's comparative research in the various jurisdictions regarding electronic signatures, the flexibility of such legislation around the world can be summarised in the following illustration.
Figure 1: Flexibility of eSignature legislation around the world. © DLA Piper UK LLP.
Depending on the intended use of the Wacom eSignature solution and its configuration, compliance with applicable laws when using electronic signatures should be assessed on a case by case basis, although such compliance is likely to be more straightforward in less stringent regulatory environments (green and yellow in the illustration above), depending on specific technical requirements in the jurisdiction concerned.
10. DRAFT TRUST SERVICES EUROPEAN REGULATION
The upcoming Trust Services European regulation provides a new definition for electronic signatures. The current definition of the E-Signatures Directive states that an electronic signature means "data in electronic
form which are attached to or logically associated with other electronic data and which serve as a method of authentication".
Under the Draft Trust Services Regulation, the emphasis moves away from authentication towards the intention of the signer. In the Draft Trust Services European Regulation, an electronic signature means "data in electronic form which are attached to or logically associated with other electronic data and which are used by the signatory to sign". (Emphasis added). Since the act of placing a signature strongly indicates intent, it follows that the Wacom eSignature system fits the definition of an electronic signature in the upcoming Trust Services European Regulation.
Similarly, an advanced electronic signature is defined in the current E-Signature Directive as "an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable."
The requirements of this definition seem to mainly cover aspects of public key cryptography. In the upcoming Trust Services European Regulation, the definition emphasises additionally that the signatory must have a high level of confidence in his or her sole use of the signature creation data. An advanced electronic signature is defined as "an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole control; and
(d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable." (Emphasis added).
Since systems that provide a high level of confidence in the sole use and control by the signatory are favoured by the definition, it can be argued that systems such as Wacom's eSignature solution, based on both a handwritten signature of the signatory and on public key cryptography, offer an additional advantage over other common systems based solely on public key cryptography, insofar as placing a handwritten signature may increase the confidence of the signatory in the usage of his or her signature creation data as opposed to other methods.
We can conclude that under the upcoming Trust Services Regulation definitions, the legal compliance of Wacom's eSignature solution to the applicable electronic signature requirements is likely to remain equivalent or higher under the future Regulation.
The upcoming Trust Services Regulation places a greater emphasis on the intent and control of the use of signature data by the signatory. The use of handwritten electronic signatures such as Wacom's eSignature solution is in line with such regulatory objectives.
11. CONCLUSION
Wacom's eSignature solution (signature pads and displays from the STU and DTU series and Wacom Sign Pro PDF) combines three types of data to create secure handwritten electronic signatures, namely biometric data related to the handwritten signature, contextual data such as the system used and a cryptographic hash of the original document and the signature combined.
The trustworthiness of public key cryptography signatures rests on the level of confidence by relying parties in the certificate tying a signatory's public key to his or her identity and on the chain of trust placed in the software and hardware systems used. Wacom's eSignature solution's use of a signature image additionally serves both for the signatory and relying parties as a visual confirmation of the intent of the signatory to be bound by the content of the contract in which it is inserted. Crucially, the signature image contains a full forensic record of the signature which may be used for investigative verification purposes.
From a legal perspective, we can conclude with confidence that Wacom's eSignature solution meets or even exceeds the requirements of the electronic signature
definition in the E-Signature Directive, if correctly implemented. This means that according to Article 5.2 of the Directive, it may not be denied legal effectiveness solely based on technical characteristics.
According to the provisions of the E-Signature Directive, an electronic signature does not automatically acquire the same legal validity as a paper-based handwritten signature. However, from the perspective of the intended use of electronic signatures as a means to create valid contracts and from an enforceability point of view, electronic signatures are often adequate. As courts decide on the value of the evidence presented to them, the more trustworthy the technology used, the more trustworthy the signed document, the more evidential weight will generally be conferred. Wacom's eSignature solution provides important evidentiary value by combining biometric, contextual and cryptographic data.
Furthermore, adequate configuration of the technical and procedural safeguards of Wacom's eSignature solution can make it an excellent additional tool to increase the trustworthiness of a qualified electronic signature system. When adequately configured, a qualified electronic signature system using Wacom's eSignature solution as a component can be used to create digital signatures which have the legal effectiveness of a paper-based handwritten signature in accordance with Article 5.1 of the E-Signature Directive.
Under the upcoming Trust Services Regulation, the legal compliance of Wacom's eSignature solution to the applicable electronic signature requirements is likely to remain equivalent or even higher.
About the author
DLA Piper is a global law firm with 4,200 lawyers located in more than 30 countries throughout the Americas, Asia Pacific, Europe and the Middle East. DLA Piper's technology practice has deep industry sector experience that allows us to provide valuable practical advice and innovative solutions over and above our first-rate base of technical know-how. Our practice counts many of the world's largest high profile IT as clients.
This white paper contains data and information up-to-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore DLA Piper UK LLP cannot give any guarantees relating to the content of this white paper. Ultimate responsibility for all interpretations of, use of, data, information and commentary in this report remains with you. DLA Piper UK LLP will not be liable for any interpretations or decisions made by you. © DLA Piper UK LLP.
Professor dr. Patrick Van Eecke is Partner at DLA Piper's Brussels Office and head of the Internet law group. He is a specialist in e-commerce and e-government, digital signatures and PKI as well as data protection issues. Dr. Van Eecke advises both governments and enterprises on the legally compliant implementation of e-signature solutions and is experienced in drafting and negotiating PKI related legal documents, such as Certification Practice Statements, Certificate Policies, Signature Policies and Relying Party Agreements. He is extensively involved in diverse research and consulting projects for the European Commission, international bodies and several national governments, including the European Commission and the United Nations. Patrick has been named Belgium's leading lawyer and is ranked one of the world's top 20 IT lawyers in the "Guide to the World's Leading Technology, Media & Telecommunications Lawyers". Patrick is also recommended by the Legal 500 and Chambers as one of the top legal advisors in Brussels. Patrick obtained his PhD at the University of Leuven with the subject "The legal status of electronic signatures". He is teaching IT law at the University of Antwerp, at King's College and Queen Mary University in London, United Kingdom. He is the author of diverse legal articles and books on electronic commerce, computer crime, electronic signatures, electronic contracting and privacy and is a regular speaker at national and international conferences.