E-sign with confidence: a practical guide
Although e-signatures have been around for a while now, today we rely on them more than ever before. That's partly due to the pandemic and a booming remote work culture, but it's also a result of ongoing digitalization. People open bank accounts without ever going to a bank; companies hire new employees without ever seeing them. Doing things remotely is the new norm, but when legal commitments come into play, mistakes can be costly.
Legal commitments typically crystallize into contracts. Essentially, a contract establishes common ground by indicating the conditions of an agreement. It also identifies the parties (two or more) that take part in the agreement, clearly stating who they are. Finally, a contract holds long-term value, holding both sides accountable for their commitments. In case one of the parties fails to keep their word, the other party can enforce it to perform as promised.
In practice, these objectives boil down into three crucial elements:
As briefly noted before, every contract should clearly state who the two (or more) parties are. It's not just about noting down the name of each signee but also being 100% sure that the very same person signs the contract. Signing in person eases the struggle –you may always confirm the identity of a signee by asking them to provide a valid ID. But what about remote signing?
Naturally, you shouldn't sign any contract unless you agree with the stated conditions and are ready to play your part in the deal. That's where another issue – tampering – comes into play. How can you make sure nobody modifies the agreement after signing it?
Obtaining a physical copy of a hand-signed contract is one way to mitigate this risk. Another security measure is signing every page of a multi-page contract. But these tips don't apply to remote signing, so estimating the risk and choosing an e-signature with an adequate security layer is key.
As a final point, every contract has to lock in the two entities (together with the conditions of the contract) in a sustainable and reliable way. Only then will the contract be reliable, enforceable, and fair.
Dependability is directly linked to trust relationships. Naturally, it's easier to trust someone when you already have a lasting relationship and a good track record of legal agreements. But what about someone you just met and don't really know much about?
That's where the different security layers of e-signatures really shine.
What sets eIDAS-regulated e-signatures apart from the rest?
There are three types of eIDAS regulated electronic signatures: simple (SES), advanced (AES, not to be confused with the cryptographic algorithm AES), and qualified (QES). They all carry a certificate, which connects the user's identity to their e-signature. A certificate sets regulated e-signatures apart from, for example, images of scanned hand-written signatures. While a scanned image of a signature is easy to copy, everyone can use it, and it's simply not reliable. Since this type of signature doesn't carry a direct tie to the signer's identity, either, how can you trust it? Well, in most cases, this trust is just an assumption.
Even at a lower security level of SES, eIDAS-regulated signatures are non-transferable – only the owner of the signature can use it. Besides, all three signatures have tampering detection features.If someone changes the contents of a document signed with an electronic signature, it can be detected. In case a document is signed with a QES, attempting to replace the signature with a forged one will also be prevented since QES are only available after successful identification.
It's important to follow the formal requirements, but ultimately the choice boils down to one important question: Do you already know and trust who you're signing with? The lower the initial trust is, the higher the security layer of your e-signature should be.
- Robert Hoffmann, Security Officer at ZealiD
SES, AES or QES: which one to pick?
Ultimately, the choice is based on the basic principle of trust. Are you certain about the other signer's identity, and can you prove it in case something goes wrong?
Signing with SES and AES is based on trust relationships. Both parties need to trust that the other one is exactly who they claim to be. That's because there is no third party who could check and verify both identities from a neutral standpoint. Thus, as a rule of thumb, you should not use SES or AES with someone you have never dealt with.
In real-world situations, SES is mostly used for internal operations and agreements. Those include, but are not limited to, corporate VPN access, internal sign-offs, and documentation. Since companies and their employees already know each other and already share legal commitments, the stakes for internal impersonation are low. Similarly, AES prevails in prolonged relationships between users and service providers. AES, for example, will be useful for issuing a SEPA mandate to your insurance.
QES is where the third party – the licensed trust service provider – comes in. Trust service providers have to meet high-security standards and are regulated by eIDAS. As a third party, they can guarantee both parties that the identity of the other signee is true. ZealiD achieves this by verifying each user's identity through ID check and manual vetting (verification of the presented identity evidence by trained personnel) as part of the registration process.
In practice, QES adds a strong layer of security when signing parties don't know each other at all. This includes remote work contracts, which are becoming more and more common. It's also a strong choice in situations where the stakes are high, such as long-term contracts or initial signing with a new bank or insurance company.
That said, although these tips should point you in the right direction, every situation is different. Contact your legal advisor to make a decision that will follow the rules in your geographic and business area.