The State Of Understanding Electronic Signatures

There’s this wonderful thing called eIDAS, or Regulation (EU) 910/2014, a direct EU law regulating the use of electronic signatures, electronic timestamps, seals, delivery services and electronic identification. It gives the electronic world across Europe a unified and legally binding way to sign and exchange documents and to identify online.

The promise of the regulation, almost 4 years after it was passed, has not been fulfilled, alas. Few organizations and institutions accept qualified electronic signatures, not to mention advanced ones, or any secure delivery services.

The trust services industry hasn’t progressed too much in providing a usable and accessible service either, with maybe a few exceptions. And that’s maybe partly because of the lack of demand.

What I want to be able to do, and what the spirit of the regulation I believe is, is that with my qualified electronic signature (QES), which is equivalent to a handwritten signature, I should be able to sign all sorts of documents — labour contracts, NDAs, any contracts; or any official document that a government institution provides, and they should not be able to say “no, give us a paper signature”.

The reality can’t be further from that — I just got a response from the Dutch trade register that they do NOT accept qualified electronic signatures and require a paper one. Previously I got refusals from companies across Europe (a payment provider, a payroll company, an IT company) to acknowledge my electronic signature on their documents; instead they required that I sign them by hand and even snail-mail the documents.

It is as if the regulation doesn’t exist. My instinct is to blame the lawyers who are too often far from being technical and who have no idea what an electronic signature is, and therefore shy away from recognizing it — they are often unaware of Regulation 910/2014 and even if they are, the usual mode of thinking is “this doesn’t apply to us”.

But what IS a qualified electronic signature? It is a signature that you can place on an electronic document from your home or even while on the move. It is equivalent to a handwritten one in legal terms, but it is actually more secure — once a document is signed, it cannot be changed by anyone (without breaking the signature validity). The signer cannot deny having signed it, and you don’t need weird things like “sign on every page” to confirm the integrity of a contract, because the signature applies to the whole document. How does that work? The document is taken as a sequence of 1s and 0s and put through a one-way function that transforms it into a unique fingerprint. No other document has the same fingerprint, and the same document always yields that same fingerprint. Then that fingerprint is encrypted in a way that lets you prove only the person who holds a secret key could have made that encryption. That secret key (called the private key) is stored on a device that does not allow the key to be extracted, which means that nobody but the owner can get access to it (unless physical access to the device is compromised, in which case the owner can immediately cancel his so-called “certificate” and no further signature with that secret key will be considered valid). The whole process is a technical masterpiece and it is practically impossible to forge.

The owner of the signature is verified in person by a trust service provider that issues the aforementioned certificate, and therefore it is certain that the signer is indeed the person who they claim to be. The trust service providers have responsibility, backed by big fines, if their process is compromised.
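The two paragraphs above describe hash-then-sign with a non-extractable key and a certificate that can be revoked. The following is an added illustration of that flow, not code from the post or from any trust service provider: it uses ECDSA over P-256 from Go's standard library, a constructed certificate serial and a constructed sample contract, and an in-memory revocation list standing in for the provider's real revocation service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer stands in for the smartcard: the private key never leaves it.
// Serial is a constructed stand-in for the certificate serial number that
// a revocation list refers to.
type Signer struct {
	priv   *ecdsa.PrivateKey
	Serial string
}

func NewSigner(serial string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Serial: serial}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }
// Fingerprint is the one-way function over the whole document: one
// signature covers every byte of every page.
func Fingerprint(doc []byte) []byte { h := sha256.Sum256(doc); return h[:] }
// Sign signs only the fingerprint, as a QES device does.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, s.priv, Fingerprint(doc))
}
// Verify is the relying party's check: the certificate is not on the
// revocation list and the signature matches the document as received.
func Verify(pub *ecdsa.PublicKey, serial string, revoked map[string]bool, doc, sig []byte) bool {
	return !revoked[serial] && ecdsa.VerifyASN1(pub, Fingerprint(doc), sig)
}

func main() {
	s, _ := NewSigner("QES-0001") // constructed serial; constructed contract below
	doc, revoked := []byte("Labour contract: salary 3000 EUR/month"), map[string]bool{}
	sig, _ := s.Sign(doc)
	fmt.Println(Verify(s.Public(), s.Serial, revoked, doc, sig))                      // true
	fmt.Println(Verify(s.Public(), s.Serial, revoked, []byte("salary 9000 EUR"), sig)) // false: altered
	revoked[s.Serial] = true // card reported stolen, certificate cancelled
	fmt.Println(Verify(s.Public(), s.Serial, revoked, doc, sig)) // false: revoked
}
```

Changing a single byte of the contract changes the fingerprint, so the old signature no longer verifies; a relying party that skips the revocation lookup would still accept signatures made with a stolen card.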

On the side of usability there’s much to be desired, as smartcards (the secure devices that hold the secret key) are often hard to get running, but once you get them running, you should, allegedly, be able to never touch paper again.

Allegedly, because too many people, organizations and institutions don’t understand that. And they are denying the legal effect of qualified electronic signatures.

When a company or an institution denies accepting my QES I try to argue using particular articles from the regulation, but usually to no avail. They insist on handwritten signatures and would even settle for ones obviously attached by photoshop (or paint!). Obviously these are not real signatures, but they wouldn’t care, as long as it resembles a handwritten one (they do pass as electronic signatures as well, but certainly not “qualified” ones, and so not equal to handwritten).

It is frustrating when a company denies that, but even more frustrating when a government institution says “nah, we just don’t care about that law”. And this is all across Europe. (Estonians, you are probably wondering what I am talking about, but your electronic oasis is on the border of a paper-based desert).

Could the eIDAS regulation be written better in order to facilitate the process of accepting electronic signatures? Given the success of GDPR (the data protection regulation) in terms of hype generation, I think it could — if national regulators could fine any company or institution that did not accept QES, then “eIDAS compliance” would be hot and every organization would have made sure their processes allow for accepting electronically signed documents.

Now… nobody cares and there’s nobody you can complain to (except courts, I guess, but even I’m not THAT frustrated by sending paper mail). It’s just a regulation that harmonizes how electronic trust services are used, but not that they must be accepted by everyone. That might have been the idea, as the actual enforcement is a bit too “brave” a policy, and maybe countries had the position of “we don’t do that here, so don’t force us to do it”, but how hard is accepting an electronic document whose legal effect is guaranteed to be the same (while technically superior) to the paper one?

If I were to change the Regulation, I’d put a clause saying “No organization can deny the effect of qualified electronic signatures” (next to the already existing one saying roughly the same) and “In case of infringements of article X, the supervisory bodies shall impose administrative fines up to XX EUR”.

And then not only will I be happy with my niche desire to NOT send paper mail and travel abroad to do basic stuff, but the whole digital environment will improve — companies will more easily work with their partners (who won’t be able to deny their electronic contracts), with their customers, with the institutions, who won’t require them to do anything other than click a button.

Harmonizing the electronic signature landscape was a good step, but I think it was not enough to move the legal world to the digital realm.