Echosign
Was I alone ignorant of Echosign before that client dragged me into using it?
Recently, a client sent me a document for signing through Adobe’s Echosign service. At first I was surprised by this new eccentricity. However, a contract is a contract, so I just signed it. I printed the signature – not out of suspicion of the technology but as a material reminder to look into Echosign later on. It rested on my desk until Simon’s reminder about Lexum’s column, which made me look around to retrieve the name of the signing system: Echosign. “A proven leader in web contracting and eSignature solutions,” said the web site. Are we entering an era of easy-to-use digital signatures? Could it be that simple? Before trying to answer that, I just want to move time back to the first years of electronic commerce.
In the nineties, I was teaching a course on Internet technologies at the Faculty of Law at the University of Montreal. At the time, the scene of ecommerce technologies was vibrant. In my course, four weeks were dedicated to the presentation of emerging tools and approaches: Cybercash, FirstVirtual, CyberCoin, NetCheque, Digicash, Millicent and SET. FirstVirtual was a “virtual” bank, and consumers had to call them by phone to provide their credit card number in order to get a personal identifier that would be used to pay. Believe it or not, for some time, FirstVirtual was the leader in Internet payments. Cybercash was another darling of virtual payment. Cybercash required the installation of a digital wallet on the consumer’s computer, and the seller also had to install some sort of software on its server. Payment information could then circulate between these proprietary software devices.
Digicash was the most innovative system, developed by the well-known cryptographer David Chaum to make anonymous payment possible – really anonymous – yet capable of preventing fraud and double spending – a pure marvel. Digicash never took off: the appetite among bankers and authorities for an unbreakable anonymous payment system was not as big as Chaum’s genius. The biggest hack of them all was very corporate: Secure Electronic Transaction (SET). SET was pushed by everyone who counted at the time: VISA, MASTERCARD, IBM, ORACLE and Netscape. It was a complete cryptographic solution capable of protecting consumer privacy and preventing fraud while at the same time ensuring payments.
In the end, a much more minimalist approach emerged as the F-150 of electronic payments. Netscape developed protocols to secure web communications: Secure Sockets Layer (SSL) and Hypertext Transfer Protocol Secure (HTTPS). The e-businessmen of the time, Bezos at Amazon and others, turned their backs on the super-hacks in favour of a very basic approach to ecommerce: payment by credit card over an SSL-secured channel. This modest solution progressively led to the disappearance of the übersophisticated e-payment solutions.
Back to Echosign and digital signatures: could it be that, once again, the mere action of typing one’s name at the end of a document on a web site while being protected by simple SSL (nowadays renamed Transport Layer Security (TLS)) will put an end to the search for a useful and simple, yet secure, way of signing? I am inclined to think so. For sure, a lot of the success of the approach depends on how much you trust Adobe, the current owner of Echosign. If you agree to entrust their service with your contracts to be signed, then you and your co-signers will have a safe site on which to mark your approval. I believe that we could have finally found a usable and simple product for moving the act of signing into cyberspace without too much suffering.
Clearly, however, this may not qualify as a “secure electronic signature” as defined in PIPEDA and the relevant regulation, the Secure Electronic Signature Regulations, SOR/2005-30. The latter provides a detailed description of the preparation of a digital signature using asymmetric cryptography, digital signature certificates, certification authorities and what-not. I wonder whether real-life signing procedures will establish themselves to serve real-life business purposes, and whether the framework based on personal authentication described in our laws will consequently remain limited to the narrower field of government uses.
It goes without saying that I have no interest in Adobe, the owner of the Echosign brand and software. I did not check competing products, such as Docusign or Rightsignature. A comparison of these offerings can be found on FindTheBest. I am interested in reading what your experience with these products is.
SEND. SIGN. DONE. – as they say.
Daniel Poulin
The Echosign system seems to respond to two questions frequently asked of electronic signatures:
* Does the signer know what document his/her computer actually put the e-signature on?
* Does the signer or relying party know that the signed document has not been altered – intentionally or accidentally – between signing and reliance?
The answer depends, as Daniel notes, on trusting Adobe’s technology to work securely.
The question that Echosign does not answer is this:
* Who signed the document?
Echosign is a self-certifying system. The signer certifies him/herself. No trusted third party says that the signer is associated with the signature, or with the computer. Nothing gives assurance that the purported signer was operating the computer that used the Echosign system.
So should someone asked to rely on the signature do so? The answer may well be Yes. There may be other evidence of who signed, and adequate reasons for reliance.
As Daniel says, this system would not satisfy the federal government’s Secure Electronic Signature Regulations, which really require the Government of Canada’s PKI system.
The Hague Conference on Private International Law has been promoting electronic certificates of authenticity (apostilles) under its Apostille (Legalization) Convention. One method it has mentioned as a possible source of e-apostilles is the Adobe signing system (even before Adobe bought Echosign a couple of years ago, and still now). I have mentioned this prospect here and here.
Is it appropriate for public bodies to rely on Echosign to certify the authenticity of public documents, and for recipients of those documents to rely on them?
BTW the “Find the Best” comparison of signing systems says that EchoSign supports only typed signatures, but the screenshot example above shows Daniel’s handwritten signature. How does that work? Is Echosign certifying only the typed description of the signature, and not the digitized handwritten signature accompanying it? Or has EchoSign greater capacity than the rating site acknowledged?
I work for Adobe Echosign and love the conversation. Happy to answer a few of the questions from above. The short answer is Yes, we provide further functionality than detailed above or on “Find the Best.”
1. Signer Authentication — “Who Signed the document”:
Echosign uses several steps to authenticate the signer. These include Email and geo-location; Out of bandwidth signing password or PIN; Biometric signature (handwritten signature); 3rd party web identity (and login credentials); KBA, Knowledge-based identity powered by RSA.
2. Audit Trail:
This provides the chain of custody of access to the document, actions taken by each person AND who signed it. It even includes where it was signed and on what device/computer. The Audit Trail is included with each document sent for approval and/or signature.
3. PKI Security and Certificates
– Adobe Echosign PKI to Certify the Authenticity and Integrity once a document is signed by all parties.
– All documents are encrypted both as transmitted and at rest.
4. Canadian laws
Adobe Echosign complies with the Canadian laws mentioned here as well as Canadian Uniform Electronic Commerce Act (UECA) of Sept 1999 and PIPEDA of April 2000.
I am happy to provide documentation or give further detail. Feel free to reach out directly.
Chad Seps, Adobe Echosign, 408-536-4943 or cseps@adobe.com