Intelligent Enterprise featuring Transform
April 2002

Take the Next Step Toward Electronic Signatures

by Penny Lunt

When Thomas Fredell read about passage of the Electronic Signatures in Global and National Commerce Act of 2000 (called the E-Sign Act) nearly two years ago, he expected to see e-signatures take off.

Twenty-one months later, Fredell, chief development officer at Intralinks, a New York-based collaborative technology firm, acknowledges, "The reality is, it hasn't happened."

Intralinks provides collaborative workspaces for such online tasks as conducting clinical drug trials and processing syndicated loans, including exchanges of contracts. What better place to deploy e-signatures?

"We've thought about it, we've put together prototypes and we plan to provide electronic signatures," Fredell says. "The main questions for us are, what is the client-side footprint for the technology, and how easy is it for our customers to use? The technology out there is pretty good, but the client-side footprint is typically heavy."

Intralinks customers use browsers to access the collaboration system, and many have desktops that are "locked down." Requiring them to download software or plug-ins for e-signatures is not an option.

Businesses and government agencies have faced other hurdles in attempting to deploy e-signatures. The economic downturn has pushed some projects to the back burner. Larger security issues such as cyberterrorism have overshadowed interest in e-signatures.

For some, says analyst Jan Sundgren of Cambridge, MA-based Giga Information Group, concern that e-signatures are hard to deploy and untested in courts has led to hesitation. "Because E-Sign didn't specify any technology solutions, people are confused," he says. "They don't know what will hold up in court."

Resources

Adobe
www.adobe.com

Gartner's Information Security Conference 2002: Combating Enterprise Espionage and Protecting Corporate Assets, May 15-17, 2002 in Chicago
www.gartner.com/us/infosec

GeoTrust
www.geotrust.com

iLumin Corp.
www.iLumin.com

Interlink Electronics
www.interlinkelectronics.com

Lexign
www.lexign.com

PureEdge
www.pureedge.com

Silanis Technology
www.silanis.com

Tower Technology
www.towertech.com

Another obstacle to fast adoption of e-signatures is a cultural bias in favor of paper, says David Whitaker of Goodwin Procter, a Boston-based law firm that represented banks during the drafting of the E-Sign legislation.

"Businesspeople, lawyers and regulators assume a piece of paper with an ink signature on it proves more than it does," says Whitaker. "There's an assumption that written documents cannot be altered without detection and that signatures can be proven to be legitimate."

In reality, Whitaker says, multipage legal documents regularly undergo page substitution and reassembly after signing. And studies have shown that handwriting experts can accurately tell a real signature from a forgery only 46 percent of the time. Forty-five percent of the time, experts will deem a signature to be real when it's a forgery and vice versa. The rest of the time, they don't venture a guess.

What Is an Electronic Signature?

The very term "electronic signature" is confusing. It's defined in the E-Sign Act as "a sound, symbol or process attached to or logically associated with a record by a person with the present intent to authenticate that record."

Every time you download software off the Internet, read the licensing agreement and click "I accept," you're using an e-signature. (The click combined with your self-identification creates the signature.) If you place a trade over the phone and verbally confirm that you want to buy or sell stock, the recording of your voice could be considered an e-signature. Digital signatures and images of handwritten signatures also constitute e-signatures.

The language of the E-Sign bill was intentionally vague, experts say. "The idea was to let a thousand flowers bloom," Whitaker says. "Let's let companies go with whatever kind of electronic signature they're comfortable with, understanding their levels of risk."

A handwritten signature signals intent to agree with the terms of a document, and it authenticates — at least in theory — the identity of the signer. Handwritten signatures don't have an exact parallel online.

"In the electronic world, you may end up doing the same things in a different way," says Sundgren. "The authentication may be done up front and the signal of intent may be done later."

Authentication, the act of making sure that signers are who they say they are, can be handled online in several ways. You can use a digital certificate or smart card, take a fingerprint or retina scan, ask the signer personal questions such as their mother's maiden name or you can simply accept an incoming email that matches the person's email address. A signal of intent may be created online by clicking an "I accept" button, by signing one's name on an e-signature pad or by appending a signature image to a document.

What Will Hold Up in Court?

"As infrequently as paper records were attacked in the past, electronic records will be attacked substantially more," predicts attorney Randolph Kahn, founder and principal of Kahn Consulting in Chicago. He is senior Legal Advisor to Cohasset Associates and a member of ABA, AIIM and ARMA committees on records management and information security.

Kahn believes the central element of a secure online process will be evidence that the participants are who they say they are so that they can't repudiate the transaction. Yet authentication isn't addressed by current e-signature legislation.

"E-Sign and the Uniform Electronic Transactions Act (UETA) only answer the question, 'Is it a signature?'" says Whitaker of Goodwin Procter. "They don't answer the question, 'Is it your signature?' If someone got on the Internet, identified himself as you, tried to buy software and clicked on the 'I accept' button, the burden of proof would lie with the software company trying to enforce the electronic signature. The entity accepting the electronic signature has to be comfortable with the risk level."

E-Sign and UETA do include customer consent provisions. "UETA says a consumer can agree to do business electronically either explicitly or implicitly by virtue of his actions [such as buying an item online]," Whitaker explains.

The E-Sign bill qualifies consent, stipulating that if consumers are entitled by law to receive written disclosures, then they must first demonstrate their ability to receive those disclosures electronically (for instance, by downloading sample PDF files) and then receive and accept the disclosures before they can give consent. This can be a cumbersome process that may drive customers away.

$500 Worth of Protection

For documents and transactions that don't require heavy security, a few low-cost e-signature options exist. Clickwraps (where the customer clicks "I accept") are the most common form of e-signature on the Web.

Microsoft Office XP lets users digitally sign documents, spreadsheets and presentations. "Office XP can use either a digital certificate that you were assigned and delivered from another source or one that's generated by the Microsoft Certificate server inside the operating system," explains Victor Wheatman, vice president and research area director at Gartner, Stamford, CT.

Adobe Acrobat 5.0, which sells for less than $250, provides password protection on PDF documents. And using JavaScript, companies can create their own password protection for documents posted on a Web server.

"Password protection on a document provides what we call $500 worth of protection," says Gartner's Wheatman. "You would pay someone $500 to recover a document that you can't recover because you forgot your password. A simple password may be relatively easy to get at. On the other hand, it's only providing access to one document or transaction. This level of security may be enough for certain applications where you want to keep the data in a document secret."

When stronger security is called for — for example, when vast sums of money, a trade secret or a high-value customer relationship is at stake — then you need a stronger e-signature. Digital signatures, process signatures, XML signatures and biometric signatures all provide greater degrees of authentication and nonrepudiation.

Digital Signatures

Unlike the umbrella term "electronic signature," the term "digital signature" is much more specific. It's a data item that vouches for the origin and integrity of a document or message. A digital certificate can be issued by the organization initiating the approval process or by a certificate authority such as VeriSign, RSA, Baltimore Technologies or Entrust.

A certificate contains the holder's name, a serial number, expiration dates, a private key that "signs" documents and messages through encryption, and a public key that the recipient uses to decrypt the message. Cryptography binds the digital signature to a document. If someone changes the terms and conditions or prices in that electronic document, the signature will be invalid.

Most people consider digital signatures to be the most robust technology available. But the strength of a digital signature depends on the rigor of its registration process. In some cases, a certificate authority may register new private key holders by simply asking users to type in their email addresses. In other cases, the certificate authority asks registrants for several pieces of private information, such as Social Security numbers, the last four digits of their driver's licenses or the amount of the last check they wrote.

If even greater security is called for, registrants could be required to appear in person at the certificate authority's premises with multiple forms of identification.

Even with in-person registration, one caveat remains: a digital signature is only as trustworthy as the user's care in keeping the private key private.

"That private key is on a computer or on a smart card and you've got to protect it, otherwise someone could get a hold of it and sign with it," says Sundgren.

While digital signatures may be the strongest form of authentication to date, they are, by most accounts, expensive and difficult to manage, either internally or using a third-party certificate authority.

"Managing a large collection of people with certificates is a huge logistical problem," notes Jothy Rosenberg, chief technology officer at GeoTrust, Wellesley Hills, MA. "Companies typically have to buy and install software and train people to manage certificates for employees or customers."

GeoTrust manages digital certificates as a hosted service for $5,000 to $10,000 a month. Competitors VeriSign, Entrust, Baltimore, Netscape and RSA also offer digital certificate products and services.

The Process Signature

A "process signature" records the steps taken along the way to the final signing of an electronic document. A regulator or judge can examine this audit trail to determine the intent of the person to sign the document. "It's evidence that the person participated in the transaction that can be thought of as another type of electronic signature," says Sundgren.

Silanis introduced one of the first process signature solutions with QuickenLoans (read "Electronic Signatures Begin to Make Their Mark"). As customers receive and sign documents on the QuickenLoans Web site, Silanis' ApproveIt Web Server records all the screens the user sees as well as the customer's mouse clicks and time spent reviewing each document.

Whitaker of Goodwin Procter explains that process signatures mimic paper-based processes. "In the lending market, one issue that turns up regularly is whether or not the lender provided the correct information in a timely manner to the customer," he says. "A common defense raised by borrowers when a loan goes into default is that the lender did not provide information in a timely or appropriate manner. Lenders produce a pile of documents with receipts, signatures and dates on them to show that the information was provided in a timely basis."

Using a process signature, the lender could replay for a judge the entire electronic process.

"This would be the equivalent of having a video recorder hanging over the customer's shoulder the whole time he or she is going through the process in a loan officer's office or at the closing table," Whitaker says. "On the other hand, anything the lender did wrong will also be recorded for the world to see."

Aside from Silanis, Boston-based Tower Technology also offers process recording software called WebCapture. This software records Web session pages that comprise an e-business transaction.
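The process-recording products described above capture screens, clicks and time spent; a record like that is only useful as evidence if it cannot be quietly edited afterwards. The following is an added example, not code from Silanis, Tower Technology or the article: each recorded step is hash-chained to the previous one, so a replayed trail can be checked for later alteration. The session events, page names and timings are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first recorded step


def _hash_record(record):
    # Hash a canonical JSON form so field order cannot change the digest.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def append_event(trail, event):
    """Append one step of the signing session, linked to the previous step."""
    record = {"seq": len(trail), "prev": trail[-1]["hash"] if trail else GENESIS}
    record.update(event)
    record["hash"] = _hash_record(record)  # no "hash" key present yet
    trail.append(record)
    return record


def verify_trail(trail):
    """Return the index of the first step whose link or hash is broken, else None."""
    prev = GENESIS
    for i, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["seq"] != i or record["prev"] != prev or _hash_record(body) != record["hash"]:
            return i
        prev = record["hash"]
    return None


def build_session():
    # Constructed events of one document review; "t" is seconds since the
    # session started, not a real clock value.
    trail = []
    for event in [
        {"t": 0, "kind": "screen", "page": "truth-in-lending-disclosure"},
        {"t": 95, "kind": "click", "target": "next"},
        {"t": 95, "kind": "screen", "page": "loan-note"},
        {"t": 310, "kind": "click", "target": "I accept"},
    ]:
        append_event(trail, event)
    return trail


def demo():
    trail = build_session()
    intact = verify_trail(trail)   # None: every link checks out
    trail[1]["t"] = 5              # shorten the recorded review time after the fact
    return intact, verify_trail(trail)  # (None, 1): the altered step is found
```

Recomputing the altered step's hash does not help a tamperer either, because the next step's `prev` field no longer matches, so the break is reported one step later.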

XML Signatures

Another emerging form of e-signature is the XML digital signature. Experts — including Wheatman of Gartner — say this technology is very close to becoming a standard. Whereas digital signatures sign an entire document, the XML digital signature allows portions of a document to be signed.

"You can lock the template of the form itself so no one can change it," says Wheatman. "You can sign just one section that you're authorized to sign and pass the document through to your supervisor, who can sign her chunk of the document."

E-Form vendor PureEdge of Victoria, BC, has been offering its own version of XML signatures through its Internet Commerce System for a few years. This software allows users to design, deploy, complete and digitally sign XML e-forms. PureEdge recently teamed up with Tower Technology to provide electronic processes and a record of all the steps taken along the way for a completely XML-based, recorded transaction.
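The digital-signature section above states that changing a signed document invalidates the signature, and Wheatman's point about XML signatures is that each party signs only the section they are authorized to sign while the form template stays locked. This added example, not code from the article or from any vendor it names, shows both in Python's standard library using textbook RSA over SHA-256: each signature covers the locked template plus one named section, so editing one section breaks only that signer's signature, and each signer's private exponent never leaves their side. The keypairs are constructed from Mersenne primes purely so the example runs without a prime generator; real deployments use properly generated keys of adequate size with signature padding.

```python
import hashlib

E = 65537  # public exponent shared by every keypair


def toy_keypair(p, q):
    """Textbook RSA from two primes: returns (n, d). Toy sizes, no padding."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))


def _digest(form, section, n):
    # Hash the locked template together with the named section so the
    # signature is bound to both; real XML-DSig canonicalizes (C14N) first.
    data = f"template\n{form['template']}\n{section}\n{form[section]}"
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n


def sign_section(form, section, private):
    """Sign one section (plus the template) with the signer's private (n, d)."""
    n, d = private
    return pow(_digest(form, section, n), d, n)


def verify_section(form, section, signature, n):
    """Check a section signature against the signer's public modulus n."""
    return pow(signature, E, n) == _digest(form, section, n)


# Constructed keypairs (Mersenne primes) so the example runs offline; each
# party keeps d private and publishes only n.
EMPLOYEE = toy_keypair((1 << 127) - 1, (1 << 107) - 1)
SUPERVISOR = toy_keypair((1 << 89) - 1, (1 << 61) - 1)
PUBLIC = {"employee": EMPLOYEE[0], "supervisor": SUPERVISOR[0]}


def demo():
    form = {
        "template": "<expense><employee/><supervisor/></expense>",
        "employee": "<employee name='A. Example' amount='480.00'/>",
        "supervisor": "<supervisor name='B. Example' decision='approved'/>",
    }
    sigs = {"employee": sign_section(form, "employee", EMPLOYEE),
            "supervisor": sign_section(form, "supervisor", SUPERVISOR)}

    def check():
        return {s: verify_section(form, s, sigs[s], PUBLIC[s]) for s in sigs}

    before = check()
    form["employee"] = form["employee"].replace("480.00", "4800.00")
    after = check()  # only the altered section's signature fails
    return before, after
```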

Fort Knox Security

If a system is carefully constructed, almost any of these technologies could provide industrial-strength e-signatures. And for the ultimate in security, a number of additional tools are available:

Smart Cards. "We're looking at smart card readers built into keyboards," says Sundgren of Giga. "If you have a digital certificate or smart card protected by a password, you have two-factor authentication — something you know and something you have — and that's pretty strong."

Signature Pads. "This is a strong way of signaling intent because the person is signing in a traditional way," says Sundgren. "It's hard for them to argue that they didn't know what they were doing. A signature pad also offers a biometric signature, so you could use it to authenticate the signature as well."

Interlink Electronics, Camarillo, CA, makes an ePad that has been used by insurance agents to let customers sign applications in their homes electronically.

Separation of 'Church and State.' If your company is managing digital signatures or simply IDs and passwords, make sure that the same people don't manage both the passwords and the IDs. This approach will help ensure the sanctity of both, points out Randolph Kahn. "Anybody who has access to someone else's ID and a password could create an electronic signature," he says.

Where to Start

Companies considering the use of e-signatures should evaluate their paper-based processes to determine where the risks are acceptable. Whitaker of Goodwin Procter says a thorough assessment requires "a partnership between the IT people, the businesspeople and the company's attorneys to establish what's possible, what makes sense and what the right risk curve and capital investment curve [look] like."

In deciding which documents and processes require which types of e-signatures, companies have to weigh the value of the underlying transaction and the confidentiality of the information. Does anybody have a motive to change the document after it's been signed? It may turn out that vacation requests that have always required a handwritten signature could be handled without any type of signature. But patent information or a $10 million purchase order would clearly require strong authentication and signal of intent.

The biggest risk isn't that people will get information while it's in transit over open networks, Wheatman contends. "There's a big mess of data going over the Internet, so it's security by obscurity," he explains. "Most of the threat still comes from internal sources: people who understand the processes and know where to find the valuable information."

Sundgren advises Giga's clients to start applying e-signatures to low-value transactions and gradually work their way up to higher security.

"As you work up to more important and secure processes and documents, make sure you have the flexibility to migrate to a more secure solution such as PKI combined with smart cards," he concludes.

A Publication of the Network Computing Enterprise Architecture Group
Brought to you by CMP Media LLC, Copyright © 2005