More than patriotic: Independent e-signature technology
No one denies that John Hancock signed the Declaration of Independence. An e-signature should provide the same irrefutable verification for centuries to come.
As agencies adopt electronic document software in the continuing digitalization of government services, they must source the right technology to assure that what is signed electronically today is still valid 25, 50 or 100 years from now. Just as no one denies that John Hancock did, in fact, sign the Declaration of Independence, e-signatures must provide irrefutable verification for centuries to come.
Because the definition of a compliant “electronic signature” under the Electronic Signatures in Global and National Commerce Act and the Uniform Electronic Transactions Act is relatively broad in nature, e-signature architecture varies across solutions. Most e-signatures can fit into one of two varieties: independent and dependent.
Independent e-signatures
Independent e-signatures are defined by the autonomy and freedom associated with their technology. Also referred to as “digital signatures,” independent e-signatures embed the signature’s advanced cryptographic information, which holds the legal, digital evidence of a signature, directly and permanently into the signed document itself.
Wherever the digital document goes, so goes the signature and the data to certify the signature. Independent e-signature technology uses published standards and public key infrastructure (PKI) to show documents are indeed valid and unchanged. As such, any free, dedicated PDF viewer can display not only a visual representation of the signer’s signature (a drawn signature or font-based signature), but also the digital proof of that signature, even offline. Any changes to the document or signature are immediately detectable, even years after the signing occurred. Therefore, proving the integrity and provenance of an independent e-signature is not dependent on a vendor, signer or any proprietary technology.
Published rules governing PKI require that the owners of private keys maintain the secrecy of those keys so no one else can reproduce the signature, meaning independent e-signatures are unique to each individual signer. Cloud-based systems can now manage those keys transparently, eliminating the complexity historically associated with that task.
Finally, through comprehensive audit trails, independent e-signature technology also tracks and records all data relevant to the signing process from its inception, including signer authentication, document presentation and all signing and other data input events. This highly granular monitoring and tracking produces self-sustaining, legally defensible evidence that will support an e-signature’s validity for the long term.
Dependent e-signatures
Dependent e-signatures, by contrast, do not include the same advanced evidence or cryptographic technology. Existing outside of PKI and published standards, their framework is much more loosely defined, which can present challenges to a signature’s long-term legality.
Dependent e-signature solutions often apply images of a signature (or a representative text) to an uploaded document. While that image of a signature may travel with a document, the digital evidence that supports the validity of the signature does not. Instead, a web link ties that image back to an e-signature vendor’s server, accessible by an Internet connection.
While a dependent e-signature may look and feel much like an independent e-signature to a signer, its fundamental shortcomings can present significant legal challenges to those relying on the e-signed documents.
For one, links fail over time. “404 Not Found” errors are commonplace on the Internet, and if such errors occur within the scope of a document’s life cycle, the signature may be found to be invalid.
And while there are a number of published international standards in place for independent e-signatures – such as ISO 32000-1 (PDF), X.509, RSA and DSA – there are essentially no guidelines in place for dependent e-signatures. Many e-signature vendors use proprietary technology that may not be discoverable or accessible in the future.
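The difference between the two models, as an added example that is not code from the article or from any vendor: the independent envelope verifies offline from its own contents plus the verifier's trust store, while the dependent record can only be checked while the vendor link still resolves. The RSA key is a constructed toy, the vendor server is modelled as a dictionary, and the URL, field names and function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key from two known Mersenne primes, unpadded: it shows the
# mechanism only and is NOT secure. Real signers use a generated key bound to an
# X.509 certificate and a standard padding scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the signer

def digest(document: str) -> int:
    return int.from_bytes(hashlib.sha256(document.encode()).digest(), "big")

def sign_independent(document: str) -> dict:
    """Envelope that carries the document, its signature and the signer's key."""
    return {"document": document, "signature": pow(digest(document), D, N),
            "signer_key": (N, E)}

def verify_independent(envelope: dict, trusted_keys: set) -> str:
    """Offline check: needs only the envelope and the verifier's trust store."""
    n, e = envelope["signer_key"]
    if (n, e) not in trusted_keys:  # stand-in for X.509 chain validation
        return "untrusted signer"
    ok = pow(envelope["signature"], e, n) == digest(envelope["document"])
    return "valid" if ok else "invalid"

def sign_dependent(document: str, vendor_server: dict) -> dict:
    """Document carries a signature image and a link; the evidence stays remote."""
    link = "https://vendor.example/evidence/1"  # hypothetical vendor URL
    vendor_server[link] = hashlib.sha256(document.encode()).hexdigest()
    return {"document": document, "signature_image": "J. Hancock", "link": link}

def verify_dependent(record: dict, vendor_server: dict) -> str:
    """Check that depends on the vendor still answering for the link."""
    evidence = vendor_server.get(record["link"])  # None models a 404 Not Found
    if evidence is None:
        return "unverifiable"
    ok = evidence == hashlib.sha256(record["document"].encode()).hexdigest()
    return "valid" if ok else "invalid"

if __name__ == "__main__":
    text = "Lease term: 12 months"  # constructed sample document
    env, server = sign_independent(text), {}
    rec = sign_dependent(text, server)
    print(verify_independent(env, {(N, E)}), verify_dependent(rec, server))
    env["document"] = "Lease term: 99 months"  # altered after signing
    server.clear()                             # vendor link no longer resolves
    print(verify_independent(env, {(N, E)}), verify_dependent(rec, server))
```

The trust-store check matters: an envelope that is trusted on the strength of its own embedded key alone could be re-signed wholesale by anyone, which is why real verifiers validate the signer's certificate against a trusted root.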
Deploying e-signatures in the government space
For the scope of government work, transactions and processes, independent e-signature technology provides the highest level of assurance. E-signatures could be used to authorize housing agreements, employment contracts or procurement bids, and so they may need to be legally defensible for many years. In fact, the technology behind these signatures is already part and parcel of many federal government programs, including the Common Access Card (CAC) and Personal Identity Verification (PIV) card systems.
By maintaining independence within e-signature technology, government agencies can:
Exercise control: Government offices control where documents reside and can access evidence offline if needed.
Promote long-term thinking: With adherence to international, published standards, e-signature evidence will always be discoverable.
Keep evidence in plain sight: Providing immediate and complete access to evidence, independent e-signatures offer the highest level of transparency over the signing process, which ensures that signatures and documents maintain their integrity.
Assure safety: Because of the above, there is a decreased risk of signatures being compromised by external factors, like hackers, technology obsolescence or changing vendor relationships.
Independence is a revered concept in all levels of American government. In an age where so many processes are becoming increasingly dependent on the Internet and web-based services, it provides an impetus to use efficiency-driving technology like e-signatures without being tied to any one technology or business.