“Verifiable” E-Signatures
The transition from a world of legal documents on paper to one of electronic documents still encounters difficulties after all these years. One of the main ones seems to be the nature of the electronic signature. I recently described the focus on e-signatures as a “fetish” for its ability to distract analysis from the real issues or to create them when none really exist.
Much of the early law that intended to remove legal barriers to electronic commerce required that valid electronic signatures be as reliable as appropriate in the circumstances. This requirement is misguided. It leaves the legal effectiveness of the choice of a signature method to the decision of a judge or arbitrator long after the transaction it is intended to confirm. It allows an attack on the validity of the transaction on grounds irrelevant to the intention of the parties. It is not helpful in resolving any real issues about authentication. I have gone on about this at length elsewhere.
Is there another standard than reliability that can do a better job of supporting electronic signatures? The rules for procurement by the United States federal government (the Federal Acquisition Rules, FAR) require that claims documents be submitted with a “verifiable” signature. The rule purports to apply to electronic as well as handwritten signatures. The FAR define a signature as follows:
the discrete, verifiable symbol of an individual that, when affixed to a writing with the knowledge and consent of the individual, indicates a present intention to authenticate the writing. This includes electronic symbols. (s. 2.101)
This definition was interpreted in two decisions of the Armed Services Contract Board of Appeals. In Teknocraft Inc., the Board held that this definition does not permit a document to be signed by typing “//signed//” above the typed name of the person alleged to be signing. In ABS Development Corporation, it held that a valid signature could not be created by typing the name of the person in a handwriting font like Lucida Handwriting.
As the Board said in the second case,
a typewritten name … cannot be authenticated, and, therefore, is not a signature [within the meaning of the Regulations]. … That is, anyone can type a person’s name; there is no way of telling who did so from the typewriting itself. … [the purported signatory] could easily disavow them, regardless of whether he does, or ever would, disavow them.
While these decisions related to documents submitted on paper (and refused legal effect because held to be unsigned), they could apply as well to electronic signatures. The techniques mentioned would work well for electronic documents, if they were valid.
I submit that the Board got it wrong in these cases. It interpreted “verifiable” to mean “able to be verified on the face of the signature” or at least “from the document itself”. With respect, this is almost never possible with handwritten signatures and should not be imposed as a standard for e-signatures.
Any such verification must involve outside evidence, i.e. beyond the signature itself. Handwritten signatures are often illegible and convey no information beyond their existence. In any event, evidence of their genuineness may include samples of other signatures acknowledged or proved to be those of the purported signatory. It might include testimony of witnesses. It might be other evidence. For electronic signatures, the supporting evidence could include indications of origin of the signed document – metadata.
Could that evidence also include admissible statements by the purported signatory of the genuineness of the signature? If not, why not? Why is that different in kind from oral evidence of a handwriting analyst, for example? Or of a witness to the signing? (The signatures in the cases referred to here were not witnessed.) The harder case is one of attempted repudiation, where the purported signatory denies signing. But that is still a case of evidence, and courts deal with conflicting evidence every day.
I also suggest that cases of repudiation are almost certainly so rare that the advantage in practical convenience is to accept the signature in any form.
That would not prevent parties to transactions agreeing on the standards for signatures that they would accept between themselves. Not everything that can be legally effective is prudent in every case. They might prefer something more robust. For example, Patrick Cormier of Notarius, the Quebec notaries’ e-commerce facility, suggests a good e-signature should be “a permanent mark linked to fixed information, [coming] from a specific person, [that] is personal to this person, and proves his or her intent.”
For that matter, regulations about signatures on particular kinds of high-value documents might properly spell out technical standards to be met. Consider Ontario’s rules on electronic land registration, among many examples. But requiring that a signature be verifiable, without more, seems unhelpful. In the FAR cases, the claimants lost payment for work they had performed, for the lack of a signature that met the Board’s standards of verifiability. No reason of public policy or legal integrity required that result.
And in any event, as in the “fetish” argument mentioned at the outset, the real issue should not be the signature – signatures of any kind are rarely required by law – but the consent to the transaction as embodied in the signed document. Authentication of a document may be done without looking at a signature; indeed, unsigned documents can be and are authenticated. A much longer discussion of this point is found in my article in (2002), 81 Canadian Bar Review 529.
Question: Is there any Canadian equivalent to the bare verifiability standard in the US regulations? I know of the Secure Electronic Signature regulations under Part 2 of PIPEDA, but they are far more detailed than the US regulation – and so far as I know, widely ignored in practice, i.e. nobody tries to use secure electronic signatures as defined in the regulations in dealing with or within the federal government. Other authentication methods are used, some appropriately more detailed than others, but not those ones.
Great blog. The verifiability says it all and is well illustrated. An interesting contrast is the EU regulation, eIDAS, which has multiple levels of verifiability for qualified e-signatures based on added security like time stamps that need to be renewed annually. These exist because no single level of verifiability is perfect. There is always something that can go wrong with the signature's verifiability. Even the most secure signature technology can be shown to have some amount of unreliability.
For your question, in the federal govt, authentication in general is regulated under an OMB memo which basically references a NIST standard for authentication. SP 800-63-3 is the latest revision which has recently done pretty major changes in a good way.
There are only a couple of regulations that were passed with respect to ESIGN that are low impact.