The Difference Between E-Signatures and Digital Signatures
As society becomes ever more reliant on digital processes, traditional mechanisms of conducting business have become more automated, with a number of industry sectors eager to tap into an in increasingly tech-savvy consumer base. While the last ten years have seen a plethora of electronic communication devices enter the marketplace, there has also been a demonstrated need for companies to replace paper-based processes with more efficient models, and e-signatures built on digital signature technology are leading the way.
While e-signature has become commonplace in digital processes, there are still misconceptions as to how digital signature technology fits into the picture. Electronic signatures have been recognized as a legal concept in federal law since the year 2000, but to the average person, a digital signature is the same thing. However, e-signatures and digital signatures are clearly distinct, and this is evident in their core functions.
An electronic signature is, like its paper equivalent, a legal concept. According to the U.S Electronic Signatures in Global and National Commerce Act, an e-signature is an "electronic sound, symbol, or process attached to, or associated with, a contract or other record and adopted by a person with the intent to sign a record."
Digital signatures, on the other hand, refers to the encryption / decryption technology on which an electronic signature solution is built. A digital signature alone is not a type of electronic signature. Rather, digital signature encryption secures the data associated with a signed document and helps verify the authenticity of a signed record. Used alone, it cannot capture a person's intent to sign a document or be legally bound to an agreement or contract.
A solution that simply digitally signs documents often lacks feature sets commonly found in best-in-class e-signature solutions, including an out-of-the-box user interface (UI), as well as transaction management and advanced workflow customization capabilities used in more complex transactions that touch the customer.
The bottom line is that when looking for a solution to manage your signing processes, it’s important to ensure that it is built on digital signature technology to guarantee the integrity of the document and underlying signatures. Without digital signatures, your document-based transactions may not be legally binding, putting you and your organization at risk in the event of a compliance or legal case.
What’s a Digital Certificate
Digital signatures use Public Key Infrastructure (PKI) and rely on public and private keys in order to ensure that the underlying digital transactions are secure. When you sign a document electronically for example, you need assurance that all participants in a transaction are using valid keys.
That’s where the role of the digital certificate comes into play. A digital certificate is an electronic document issued to a signer by a Certificate Authority (CA) or Trust Service Provider (TSP) and binds a public key with the signer’s identity. The legal definition of an electronic signature always includes language around signer identity, which is why best-in-class eSignature solutions use digital certificates as part of the e-sign process to authenticate the signer.
The purpose of the certificate is to validate and certify that an e-signature corresponds to a specific signer, since it contains data related to the identity of signer (e.g., name, ID number, signature keys, certificate issuer, etc.). Certificates are often stored on signature creation devices such as secure smart cards, tokens and centrally in a Hardware Security Module (HSM) in the cloud, and are required to create a digital signature. During the signing process, the signer’s certificate is cryptographically bound to the document using the signer’s private key.
Types of Digital Certificates
Depending factors such as geography, industry and the risk profile of the transaction, organizations may have different requirements for digital certificates and how they are managed. There are multiple ways in which signing can take place and this largely relates to where the certificates are stored:
- Server-signing Certificate: The signer is securely authenticated and document is digitally signed with the trusted certificate in the cloud (or on-premises for applications deployed in-house).
- Local-signing Certificate: The signer’s identity is attached to a personal certificate (locally stored on a PIN-protected smart card, USB token or computer) that digitally signs the document.
According to Forrester, "the US predominantly opts for simpler e-signature authentication" and have adopted for the advanced e-signature (AES) that uses several forms of authentication and a common server-signing certificate hosted in the vendor’s cloud service. Firms in the EU on the other hand "place a higher priority on authentication" and may require an AES coupled with strong forms of authentication or the Qualified E-Signature (QES), which relies on third-party digital certificates. In Belgium, for example, all citizens are issued electronic identity (eID) cards that include a unique digital certificate and used for processes such as a signing contracts and agreements. This creates a QES, in accordance with the requirements of the EU’s eIDAS regulation.
The Importance of Digital Signatures
Sending documents for e-signature is a quick and easy process. Once all e-signatures are captured, look for an e-signature solution that packages and secures the final e-signed document using a digital signature. The e-signature solution should apply the digital signature at two levels:
- At the signature level to prevent tampering with the signature itself
- At the document level, to prevent tampering with the document’s contents
This double layer of security ensures the integrity of the document. With tamper-evident controls such as these, all parties involved in a transaction can trust the integrity of a signed document. Since e-signatures are only as good as the security that protects them, it's important that any attempt to tamper with any part of the document, for example adding or deleting words or replacing pages, should be visible.
Protect the Digital Agreement at Three Key Points
Digital signatures are among the most important components of an e-signature program, and they can drive security, legal validity, and records management efficiency when using an electronic signing method. As such, creating an electronic signature should not happen in an official setting without the support of a digital signature. Here are three key reasons why digital signatures are so important:
1. Protecting the signature at the point of signing
A digital signature is an encrypted file that travels with the electronic document that needs to be signed and returns with it after the transaction has been completed. The file contains and captures metadata about where the electronic document traveled, which accounts opened it, the IP address of the devices that signed it, the precise timing of the interaction, and other key information. All of this data protects the validity of the signature.
A digital signature captures information such as, the device that an electronic document is signed on, user credentials of the signatory, and the pathway that the data traveled between destinations. This information provides multiple tiers of signature verification, protecting the signing process in entirety.
2. Protecting the signature in storage
An electronic record needs to be stored for a significant amount of time, and the duration varies based on specific industry laws. It is often key to be able to verify that the signature has not been changed over time. A digital signature that is attached to the electronic signature features underlying technology will show whether the form has been tampered with. It is, essentially, a digital watermark on the e-signature that verifies that the transaction has been completed and seals the file. Anything that breaks that seal is recorded in the digital signature, making it extremely difficult to tamper with the electronic file.
Not all e-signature solutions are created equal in this regard, and many do not offer a long-term validation (LTV) capability. Make sure that the solution you choose meets the following digital signing requirements:
- A distinct digital signature entry should be embedded into the e-signed PDF for each signer in the transaction.
- Each entry should provide details such as the signer's digital certificate (i.e., a local- or server-side signing certificate), timestamp, and the signer's information (e.g., email address and IP address).
- Signed documents should be able to be verified offline (independent of the e-signature solution) through a one-click verification process to validate the integrity of the signed document. Look for "Signature is LTV enabled" in the signature panel of the e-signed PDF.
3. Protecting the signature on mobile devices
Smartphones and tablets are pervasive technological tools, and as far as convenience is concerned, they are perfect for e-signing. However, they may not feature the security and data protection features needed to secure the transaction. A digital signature works around this problem by collecting critical metadata in a customizable format. If you need a digital signature to gather more user authentication data to verify a person using a smartphone, it can be configured to perform that task. The result is an operational climate in which you can safely have users sign electronic forms on a mobile device without creating any risk.
Meeting Regulatory Requirements
Organizations in sectors like government, healthcare and financial services always have regulatory concerns looming over them, forcing them to adapt their operations in light of legal guidelines impacting the industry. Government agencies, hospitals and banks are getting more sophisticated all the time and moving to electronic processes at a breakneck pace. Having to halt all of the momentum and innovation to print documents, mail them, get them signed, make sure they are correct and store them can have an immense negative impact on organizations. Many organizations want to transition away from these legacy document processes, but any effort to do so must meet regulatory guidelines.
Regulatory plans get tricky because most regulations don't tell you how to comply, they tell you the result you need to get. As such, organizations in sectors facing stringent requirements need to find technologies that get them the results they need. When it comes to protecting data in transit, encryption is a common theme. Effective authorizations are also key. Digital signatures provide these functions and serve as the catalyst that makes e-signature software a perfect fit in many regulatory settings.
Putting it All Together: Capturing and Securing Evidence with Digital Signatures
When combined, e-signatures and digital signatures form a holistic solution to document agreements and ensure the source file that preserves the record is safe, secure, and verifiable. The result is a way to have users sign documents in the easiest most convenient way possible without making any sacrifices in the courtroom.
To ensure that your digital contracts are legally enforceable, look for an electronic signature solution that captures a comprehensive audit trail and uses a digital signature to protect and tamper-proof it.
Collecting strong electronic evidence can be accomplished by capturing the full electronic signing process experienced by the signer. This includes the exact appearance and order of all the web screens, documents, and legal disclosures that were presented, along with how long a person spent on each page and all the actions they took during the review and signing process, like clicking buttons to accept, sign, initial, and confirm.
The more evidence an organization captures about what process was used, the greater the chance that the signed document will be enforced in a court of law. And that's something most organizations contemplating e-signatures can stand behind. While many e-signature solutions on the market may meet the baseline requirements outlined by the ESIGN Act, organizations looking to minimize the risk of unenforceable records should aim to set the bar higher by choosing an e-signature solution built on digital signature technology.
We also have a handy infographic detailing the differences and how they work together.