EDIT

I added the full replies I got from HelloSign. These may perhaps help someone more expert than I am to determine if they actually provide an AdES signature. Please note that I also asked questions regarding private certificates that as far as I understand now are not required by an AdES signature.

Q: How can I identify the signatory from the document he/she signed?

A: This is outlined in the portion of our Terms of Service > Audit Trail. In summary, HelloSign creates a transaction log between signing parties that helps to identify signers.

Q: How is sole control of the private key by the signatory assured?

A: HelloSign offers an Advanced Electronic Signature (AES). In order to be considered an AES the following requirements must be met:
- uniquely linked to the signatory
- capable of identifying the signatory
- created using electronic signature-creation data that the signatory can, with a high level of confidence, use under his/her sole control

HelloSign meets all requirements to be considered an Advanced Electronic Signature.

Q: How may accompanying data be checked for modification after the document is signed?

A: A document, once signed, cannot be reopened and modified. In addition, to ensure that any tampering with your transaction log is detectable, we process the transaction log with hashing technology.

Q: How is the signature invalidated if the document is modified after it is signed?

A: In the event a document is contested, HelloSign will provide the transaction log which will show if any changes were made to the document after signing.

NB: This question is about a specific issue of compliance of HelloSign services with the eIDAS Regulation. It has nothing to do with other questions about DocuSign or HelloSign I have read about on this forum.

I happen to use electronic signatures now and then. In my country, Italy, as well as in most European countries, electronic signatures are in use rather widely and successfully. The most recent legislative framework that makes this possible is called the eIDAS regulation, a Europe-wide law about electronic identification, signature and other trust services.

Several kinds of signature are allowed by eIDAS, from least secure ("electronic signature") to most secure ("advanced electronic signature" and "qualified electronic signature").

When I discovered that HelloSign was offering an "eIDAS compliant" advanced signature service I rushed to register. After a plain email verification, during which my identity was not validated, I created a PDF file and signed it. Apparently, no digital certificate had been generated. In fact, when I checked the signed document against a common eIDAS-compliant verification tool provided by the European Union and hosted by an Italian Government agency (http://dss.agid.gov.it) the document appeared to be void of any certificate.

This is quite strange, as HelloSign states in its scanty legal documentation that they provide an advanced eIDAS-compliant signature, which contradicts the fact that my identity was not verified and no digital certificates were used.

I tried to get more info about HelloSign compliance from their customer service, but after a lengthy and inconclusive mail exchange all I got was several versions of "our signature is eIDAS-compliant because it is compliant with eIDAS". The final reply was something like: "if you have further doubts concerning our product we suggest you consult with a local lawyer". I repeatedly asked for a technical reference but I got none.

Does anybody familiar with eIDAS more than I am (I repeat, this is a very specific issue of compliance with that regulation) share my view?

dtatti
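As an added illustration (not code from the question or from HelloSign), this is the structural pre-check a PAdES verifier starts with before it even looks at certificates: does the PDF contain a /Sig dictionary with a non-empty CMS blob in /Contents, and does its /ByteRange cover the entire file? The two sample PDFs are constructed inline; the CMS hex is a placeholder, so the check shows presence and coverage of a signature, not its cryptographic validity.

```python
import re

# Constructed sample inputs (not real HelloSign output): one PDF carrying a
# PAdES-style signature dictionary, one "signed" only with a visual stamp annotation.
def _build_signed_pdf() -> bytes:
    head = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite"
            b" /SubFilter /ETSI.CAdES.detached\n   /ByteRange ")
    br_len = len(b"[0 0000000000 0000000000 0000000000]")   # fixed-width placeholder
    mid = b"\n   /Contents <"
    cms_hex = b"3082000a06092a864886f70d010702"   # constructed placeholder, not a real CMS blob
    tail = b"> >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    lt = len(head) + br_len + len(mid) - 1        # offset of the '<' that opens /Contents
    gt_end = lt + len(cms_hex) + 2                # offset just past the closing '>'
    total = gt_end + len(tail) - 1
    byte_range = b"[0 %010d %010d %010d]" % (lt, gt_end, total - gt_end)
    return head + byte_range + mid + cms_hex + tail

SIGNED_PDF = _build_signed_pdf()
UNSIGNED_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Stamp >>\nendobj\n%%EOF\n"

SIG_RE = re.compile(rb"/Type\s*/Sig\b")
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.]+)")
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")

def find_signatures(pdf: bytes) -> list:
    """Locate /Sig dictionaries and sanity-check their /ByteRange and /Contents."""
    found = []
    for m in SIG_RE.finditer(pdf):
        end = pdf.find(b"endobj", m.start())
        obj = pdf[m.start():end if end != -1 else len(pdf)]
        br, ct, sf = BYTERANGE_RE.search(obj), CONTENTS_RE.search(obj), SUBFILTER_RE.search(obj)
        entry = {"subfilter": sf.group(1).decode() if sf else None,
                 "contents_bytes": 0, "byterange_ok": False}
        if ct:
            entry["contents_bytes"] = len(bytes.fromhex(ct.group(1).decode()))
            lt = m.start() + ct.start(1) - 1      # absolute offset of '<'
            gt_end = m.start() + ct.end(1) + 1    # absolute offset just past '>'
            if br:
                # /ByteRange must cover the whole file except the <...> hex string itself
                a0, l0, a1, l1 = (int(x) for x in br.groups())
                entry["byterange_ok"] = (a0 == 0 and a0 + l0 == lt
                                         and a1 == gt_end and a1 + l1 == len(pdf))
        found.append(entry)
    return found

def has_embedded_signature(pdf: bytes) -> bool:
    """True only if some /Sig dictionary holds a non-empty CMS blob with a consistent ByteRange."""
    return any(s["contents_bytes"] > 0 and s["byterange_ok"] for s in find_signatures(pdf))
```

A file that only carries a drawn stamp, or one with bytes appended after signing, fails this check, which is what a verifier reports before any certificate is examined.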
  • After answering I realized which site I am on and I think this probably would be better suited for law.stackexchange. Also check out https://law.stackexchange.com/questions/15540/how-can-hellosign-claim-unauthenticated-electronic-signature-process-is-legally Also, can you please quote where you found that they state that they provide an **advanced** signature? I checked a few months ago and found that they seem to imply that but never actually state it. – Josef Feb 17 '17 at 09:42
  • Not so sure. What needs clarification is the technical part of the process. Compliance with eIDAS is basically technical. See below for a reference to their site wrt "advanced signature". – dtatti Feb 17 '17 at 09:46

1 Answer

I researched exactly this question some time ago, and here is my conclusion. I am not a lawyer so take anything I say with a grain of salt.

What I found out is that it seems like HelloSign takes great care to never actually state that they support advanced electronic signatures according to eIDAS.

eIDAS also states (quote from wikipedia) "no electronic signature should be denied legal effect or admissibility in court solely because it is not an advanced or qualified electronic signature".

What that means is, if you scribble your name in paint in a PDF, the court can't deny the legal effect of that signature because of that. They have to check if it is plausible/likely that you signed that. The same for HelloSign signatures. You can argue in court that the signature is valid and hand in the documentation that HelloSign provides. The court will then decide if the signature is valid.

What HelloSign doesn't provide is an advanced or even qualified electronic signature. This might be a problem in court.

From my layman understanding, with such a signature the court would likely believe the signature is valid, and one would have to prove that it isn't. With a HelloSign signature you would have to prove that the signature is valid.

eIDAS also states that qualified electronic signatures have the same legal effect as handwritten signatures. That's also obviously not valid for HelloSign signatures.

Josef
  • Actually, they assert "All eSignatures through HelloSign are considered advanced electronic signatures under eIDAS and are widely accepted as legally compliant by all 28 countries in the EU." (https://app.hellosign.com/lp/electronic-signature-act). – dtatti Feb 17 '17 at 09:44
  • You are right. They seem to explicitly state that now. All I can say is that I personally see no way how they can comply with [Article 26](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN#d1e2403-73-1) of the eIDAS regulation. – Josef Feb 17 '17 at 09:50
  • This reply from their customer service makes me share your opinion --- Q: How is sole control of the private key by the signatory assured? A: HelloSign offers an Advanced Electronic Signature (AES). In order to be considered an AES the following requirements must be met: - uniquely linked to the signatory - capable of identifying the signatory - created using electronic signature-creation data that the signatory can, with a high level of confidence, use under his/her sole control. HelloSign meets all requirements to be considered an Advanced Electronic Signature. – dtatti Feb 17 '17 at 11:28