Vaultie

Understanding e-signatures

In an increasingly digitized world - which has been even more rapidly implemented and embraced due to the Covid-19 crisis, calls for moving legal documents towards “e-signing” have become a roar. The pace at which the industry has responded has been staggering. We’ve seen the adoption of virtual commissioning and notarization and virtual witnessing of wills has come up with a makeshift process that allows witnesses to maintain social distancing by adding a few more steps with the aid of video and “wet” (in pen) signatures.

While heavier adoption of remote signing is touted to eventually become the standard for legal services, its complete integration comes with some pitfalls. As thousands of lawyers learn the technology, many deduce that remote signing will indeed create opportunities, but may also leave both the practitioner and client susceptible to additional risks when incorrectly used. 

Digital signatures are not all-equal but instead operate a bit like chefs’ knives. Each type has its strengths in different situations and knowing when and which tool to use can make a big difference in the final outcome. Choosing the right signature tool can have an effect on your ability to mitigate risks of fraud, enforceability, and verifiability. While hopefully, you’ll never need to prove a document's legitimacy, knowing how each signature does it could inform which one to use.

At its core, a remote signature needs to reliably associate the person with the signature, and reliably associate the signature to the document. There are different levels of doing this,. Some digital signature companies will employ multiple or all of these characteristics into their signature. You’ll have to find what works best for you. 

Here’s a quick breakdown of each type of remote signature accepted in Canada (use case dependent), how they work, and what risks they may leave you and your clients open to. 

Electronic signature

A signatory uses some form of electronic marking (finger drawing on a tablet, sign and scan, an email) to make a marking on a document. This is legitimate under the Electronic Commerce Act, 2000, S.O. 2000, c. 17 for use in business cases but provides lessened ability to authenticate the integrity of the document since there is no digital tether to the document that could prove its source. This is usually the most cost-effective option but can have doubts raised surrounding its reliability because the links between the signatory and document can create plausible deniability along with heightened risk or fraud. Where could they be used: low risk and everyday commerce.

Digital Signature –

A signatory signs a document using public-key cryptography (e.g.: logs into their account) which is associated with the document. This is the method used by most remote signature companies and is a notch ahead of an electronic signature. The logic is that because nobody else should have the password, and the account was accessed, it was the intended signatory who signed it. A digital signature can allow us to verify that a signature took place, but cannot be verified in hard copy or by a third party without special skills and knowledge. They cannot create original copies of documents. While currently the standard for most business transactions, digital signatures become riskier when we expose it to places where a password (or the security questions) can be compromised, or the financial stakes are very high. For example, a relative may be capable of signing a document, with access to a password or knowledge of security questions (my whole family knows my mother’s maiden name), making this an inappropriate method for very sensitive or high-risk documents. Where they could be used: everyday business, higher risk commerce with reputable counterparties.

Biometric Signature –

A signatory performs both an electronic and digital signature which is authenticated through the use of a biometric instead of a password (facial recognition, fingerprinting, iris scans), When there is a method of confirming the biometric, this can drastically reduce your instances of fraud, but does require specific consent to use. Where they could be used: These are legitimate anywhere a digital signature could be used, but add an extra layer of safety if the biometric can be verified.

Three more recent developments in digital signatures are, in my opinion, more critical to expanding the use cases for digital signatures in the legal industry. These didn’t exist three years ago, but their development is making the case for more serious considerations in expanding digital signatures in legal services. All are fully legal for digital signature in Canada.

KYC integrated digital signatures –

A KYC integrated digital signature tests the authenticity of a government-issued ID before using it as a reference to authenticate the person, sometimes through a biometric. The passing of both the biometric and ID test can be referenced in the digital signature. Depending on when in the process this is done, this can leave a practitioner with nearly zero doubt as to who signed a document. Where these could be used: high stakes commerce, anywhere a practitioner does not know a signatory, notarizing and commissioning.

Blockchain-enabled signatures/documents –

Blockchain-enabled signatures allow a signatory to create a permanent reference to their document, unalterable and time-stamped. When combined with encryption, the document can be verified by anybody the user chooses to share it with. This verifiability means that a signatory or a lawyer can create a permanently referenceable original copy, that can be linked directly to any subsequent copies made (making them certified true copies). Blockchain-based digital signatures are the only method that can offer comprehensive third-party verifications of documents. This is where we think the law could be setting the standard for highly sensitive documents. Instant verifiability declutters the friction associated with verifying the authenticity of documents. This method when combined with the next, allows a user to create a signature with definitive proof as to who signed a document, when they signed it, and exactly what they signed. Where they could be used: Virtual commissioning, real estate transactions, immigration, or other high-importance documents. If a third party needs to be able to verify your document, this is your best option.

Verifiable Credentials –

Verifiable credentials are user-controlled credentials that certify a user’s ability to make assertions about their rights surrounding a document. This is the same technology that enables digital drivers’ licenses and COVID- anti-body certifications in some jurisdictions. With these, a user can control how, when, and to whom their proof of signature is shared which provides unprecedented privacy and security for the client since everything is in their control. With the use of Verifiable Credentials, documents can show ironclad links between the physical signatory and digital document. Where they could be used: Notarization, other high importance documents.

The verifiable credential allows everything to be tied together to provide as close to bulletproof as possible when determining the authenticity of a digital document.

An example of how these can create a bulletproof digital signature is.

  1. A user scans a government-issued ID which is tested for authenticity.
  2. Facial recognition biometric tests prove the user, in fact, matches the ID.
  3. Documents are signed with a KYC integrated digital signature, including a facial recognition element compared to the original government ID uploaded.
  4. A verifiable credential is created, proving all of the above, and is tethered with the document to a blockchain.
  5. When printed/emailed, the document can have its integrity checked against the original copy and the signatories' selfie can be displayed giving any verifier proof as to who signed a document, at the moment they signed it. Without exposing that data insecurely.

Using remote signing is going to be of greater use in the future for many lawyers. Understanding how each one works should help you make a more informed decision when protecting your client’s interests.