16

These days many locations ask you to give your signature on a digital signature pad/device.

As I am situated in Europe, the EU directive 1999/93/EC seems to regulate it. From what I have found out so far from a device's perspective, to comply with the directive it would have to:

  • have a private key embedded in the device which is signed by a trusted CA, with which the handwritten signature and document are encrypted
  • ensure that the private key only exists in the device and is not extractable (some companies also offer iPad solutions, so the private key probably isn't a must)
  • pressure sensitive capture surface, so that the signature's biometrics can be captured

But what else should one look for in the device/solution to make sure that the signatures accepted on the device are as valid as their paper counterparts (for example can hold up in court)?


This question was featured as an Information Security Question of the Week.
Read the Dec 19, 2014 blog entry for more details or submit your own Question of the Week.

Indrek
  • Very interesting question. What use-cases are you looking at? I'd personally like to see if anyone knows how well these work as authenticity verification measures in court, especially in recorded postage scenarios with couriers. – Polynomial Oct 30 '12 at 14:45
  • The main use-cases would be similar to courier's - asking for a confirmation that the person has been handed or has read a set of documents. But I'm not sure if it legally makes much difference whether you're confirming that you received something or signing a contract. – Indrek Oct 30 '12 at 14:49
  • Yeah, that's what I figured. The problem is that in order to assume that such a signature is legitimate, you must assume no possibility of malintent by the courier. In a perfect world, that'd be fine, but there's no way to make such a guarantee in reality. I've personally had a case where a courier has signed for my package because he couldn't be bothered to deliver it that day. – Polynomial Oct 30 '12 at 15:09

2 Answers

8

I don't think there are going to be any guarantees. If there is no previous case law on the topic, then I would expect this to come down to an assessment of credibility, based upon the testimony of the people involved, possibly testimony from expert witnesses, and the rest of the circumstances surrounding the court case.

Keep in mind that the legal process doesn't treat signatures as absolute ironclad guarantees; they consider them as part of the totality of the evidence.

If you want to think about how to ensure this will stand up in court, I would have two suggestions. First, talk to a lawyer. (Legal advice is not our strength on this site.) This is the most important advice I can give you: talk to a legal expert.

Second, I would suggest thinking about this from an adversarial perspective. Imagine you were an expert witness hired to demolish the credibility of the signature in court. What would be your line of attack? What would you say, to try to convince a judge or jury that the signature doesn't prove anything? Then, think about what processes or mechanisms you can put in place to make those arguments less compelling. Note that complex technical mechanisms that are hard to explain to a jury are not likely to be an effective rebuttal; you need to look for something that will be persuasive in a courtroom, which is not necessarily the same thing as what mechanism will be most effective from a technical perspective.

My guess is that, for a low-value transaction, you probably don't need any crypto. If you've captured a signature that appears to match how Alice signs her name, that's probably going to be good enough for a low-value transaction. Conversely, for a high-value transaction, I'm skeptical about whether these devices are going to be persuasive in court, no matter how much fancy crypto you've thrown into them. We have decades of familiarity and experience with wet ink signatures on paper, and we understand their failure modes a lot better than we do digital signature pads. Look at the UK's chip-and-pin, for instance; it has suffered from multiple serious security flaws (found primarily by security folks at Cambridge), even though their scheme has lots of fairly reasonable crypto that was designed and intended to stop such attacks.

D.W.
  • Yeah, the legal part of this is a whole different story (even the laws differ between EU states). But what I would like to know is what's the best you can get on the technology side. – Indrek Nov 01 '12 at 06:50
3

EU directive 1999/93/EC (and its upcoming replacement) enforces legal equivalence between a qualified electronic signature and a handwritten signature in all Member States, and "some legal value" for other types of advanced electronic signatures. However, this directive does not address "handwritten digital signatures" but actual electronic signatures, as standardized for instance by PAdES or CAdES. In other words, 1999/93/EC will not help you here, and I doubt technical measures alone will ensure that this kind of signature is accepted in court.

edit:

Several companies offer tablet-based solutions claiming to be 1999/93/EC AdES compliant, which I don't believe.

First, advanced electronic signatures which provide legal equivalence with a handwritten signature require the usage of a qualified certificate (1999/93/EC article 5.1): tablet-based solutions obviously do not belong to this category.

For the non-qualified advanced electronic signatures, I share the view of Concise European IT Law:

"Although the definitions are being formulated in a technology neutral way, they implicitly refer to certificate-based public key cryptography, also known as 'digital signature' technology."

In practice only certificate-based signatures provide the interoperability intended by the directive, due to the various national transpositions of the AdES definition. For instance, Czech Republic's Act 227/2000 requires that an AdES be

"created and attached to a data message using means that the signatory can maintain under his sole control"

Most (if not all) tablet-based solutions will fail the "attached" part. In fact, a scribble captured on a tablet (with or without biometrics) is reusable with any document, contrary to a proper digital signature.

sam280
  • Can you add a reference as to why you believe 1999/93/EC "advanced electronic signature" doesn't take into account handwritten signatures in digital form? By now I have found one company that actually claims all their signature products are compliant with 1999/93/EC: http://www.softpro.de/en/academy/electronic-signatures-legal.aspx – Indrek Nov 05 '12 at 18:05
  • Thanks for the edit! But what if the device has a private key embedded in it, that can't be read and only exists on the device? This way the signer would still have his unique "means" and the owner of the signature pad can prove that the signature was actually given on the same device, not copy-pasted. – Indrek Nov 11 '12 at 17:26
  • In your scenario the private key is the means used to bind the handwritten signature to the data. As per CZ law above, unless this private key belongs to the signer and the pad is under his sole control, this won't be considered an AdES in this country. – sam280 Nov 11 '12 at 19:43
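
The "attached" point from the answer above, as an added example that is not part of the original posts: a bare captured scribble verifies against any document, while a capture tagged together with the document's hash does not. The stroke samples, documents, key and function names are constructed for illustration, and HMAC with a device-held key stands in for the pad's asymmetric signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import json

# Constructed sample data: pen samples (x, y, pressure, t_ms) and two documents.
STROKES = [[10, 12, 0.31, 0], [14, 15, 0.52, 8], [19, 13, 0.47, 16]]
DOC_A = b"Delivery receipt: parcel handed over to recipient."
DOC_B = b"Loan agreement: signer owes 50,000 EUR."
DEVICE_KEY = b"constructed-demo-key-held-inside-the-pad"  # hypothetical


def verify_unbound(record, document):
    """A bare scribble record: nothing in it depends on the document."""
    return len(record["strokes"]) > 0


def _payload(strokes, document):
    # Canonical encoding of what gets authenticated: document hash + pen data.
    body = {"doc_sha256": hashlib.sha256(document).hexdigest(), "strokes": strokes}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def capture_bound(strokes, document, key=DEVICE_KEY):
    """Pad side: tag the pen data together with the hash of the shown document."""
    tag = hmac.new(key, _payload(strokes, document), hashlib.sha256).hexdigest()
    return {"strokes": strokes, "tag": tag}


def verify_bound(record, document, key=DEVICE_KEY):
    """Verifier side: recompute the tag over the document actually presented."""
    expected = hmac.new(key, _payload(record["strokes"], document), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def demo():
    scribble = {"strokes": STROKES}
    bound = capture_bound(STROKES, DOC_A)
    return {
        "unbound_reused_on_B": verify_unbound(scribble, DOC_B),  # accepted
        "bound_on_A": verify_bound(bound, DOC_A),
        "bound_reused_on_B": verify_bound(bound, DOC_B),  # rejected
        "bound_edited_strokes": verify_bound({**bound, "strokes": STROKES[:2]}, DOC_A),
    }


if __name__ == "__main__":
    print(demo())
```

The binding only shows that this capture was made on this device for this document; as the last comment notes, the key still belongs to the pad's owner rather than to the signer.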