E-Signatures vs. Digital Signatures
Tuesday July 3’s Wall Street Journal had an article entitled “Signing Up for E-Signatures”. You can read the WSJ excerpt here, or go to this person’s blog who has copied the whole thing.
The software for computerizing pen-and-ink signatures on contracts, mortgages and other important documents was too complicated for most people to use…
I have just written a letter to the editor to respond to this article. Here is what I wrote:
Dear Editor,
I happened to read Ms. Buckman’s article “Signing Up for E-Signatures” in Tuesday’s Wall Street Journal. I would like to provide some information on the drawbacks and alternatives to E-Signatures. My company, Gemini Security Solutions, Inc. is a small information security consulting firm focused on the life sciences and financial sectors. As a result we work closely with customers that have to make decisions about signing technologies on a regular basis.
The largest problem with E-Signatures is that it essentially locks the user into using and maintaining one single vendor’s solution forever. I’ll provide an example from the pharmaceutical sector. 21 CFR Part 11 (the FDA regulation on electronic records and electronic signatures) requires “accurate and ready retrieval throughout the records retention period.” A common minimum records retention period in the pharmaceutical industry is two years beyond the ‘life of the product’. In the case of medical devices inserted into individuals (intraocular lenses, stents, etc.) this would be the remaining lifetime of the patient—in some cases 75+ years.
E-Signatures do not bind the information which is signed to the identity of the signer. They merely record the fact that at a given date, a given user signed or approved a record. The system and information must be protected to ensure authentication of the user is done accurately, and careful logging is performed to give auditors something to examine if a record comes into question later. However, there are no standard mechanisms for performing the authentication of the users, and no standard formats for storing the E-Signature or even the logging information. If you wish to examine the validity of a signature after a certain date, you either have to use the same product that captured it, or reverse-engineer its formats. In 21 CFR Part 11, E-Signatures are only permitted in “closed systems”, meaning the electronic records will never be leaving that system.
E-Signatures should be contrasted with Digital Signatures. Digital signatures require the use of a public key infrastructure (PKI) and use certificates and private keys to provide stronger signature capability suitable for open as well as closed systems. A digitally signed record binds the signer’s identity to the data they sign. Any change to the data can be instantly detected and the signature invalidated (as opposed to E-Signatures, where only a careful examination of the logs by an auditor will reveal this change, assuming the change is made through the product and not at some lower level). Standard interoperable formats such as Cryptographic Message Syntax (CMS) can be used, allowing the movement of signed records between systems and between vendors.
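To make the contrast concrete, here is an added example (not from the letter or from Gemini Security Solutions) in Go: a proprietary-style E-Signature log entry beside a digital signature over the record bytes. The record text, user name and record id are constructed sample values, and the signer's identity is represented by a bare Ed25519 public key rather than a certificate in a CMS envelope, which is what a real deployment would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// ESigRecord mirrors what a closed E-Signature system keeps: a log entry
// stating that a user approved a record at a given time. Nothing in it is
// derived from the record's content, so the content is not bound to it.
type ESigRecord struct {
	User, RecordID, Action string
	When                   time.Time
}

// ESigStillValid is all such a system can check later: the log entry exists
// and names this record. The content parameter is ignored, which is the
// weakness the letter describes: an edit to the record goes unnoticed.
func ESigStillValid(e ESigRecord, recordID string, content []byte) bool {
	return e.RecordID == recordID && e.Action == "approved"
}

// DigitalSignature binds the signer's identity (here a public key; in
// practice a certificate) to the exact bytes that were signed.
type DigitalSignature struct {
	SignerPub ed25519.PublicKey
	Sig       []byte
}

// NewSignerKey generates a fresh private key for the signer (stands in for
// a key issued under a PKI).
func NewSignerKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func SignRecord(priv ed25519.PrivateKey, content []byte) DigitalSignature {
	return DigitalSignature{SignerPub: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, content)}
}

// VerifyRecord needs only the signature and the public key, not the product
// that created it, and fails on any change to the content.
func VerifyRecord(ds DigitalSignature, content []byte) bool {
	return ed25519.Verify(ds.SignerPub, content, ds.Sig)
}

func main() {
	original := []byte("Batch 4711 released: potency 98.2%") // constructed sample record
	tampered := []byte("Batch 4711 released: potency 99.9%") // same record after an edit
	esig := ESigRecord{User: "qa.lead", RecordID: "rec-4711", Action: "approved", When: time.Now()}
	ds := SignRecord(NewSignerKey(), original)
	fmt.Println("E-Signature still valid after edit:", ESigStillValid(esig, "rec-4711", tampered)) // true
	fmt.Println("Digital signature on original:", VerifyRecord(ds, original))                     // true
	fmt.Println("Digital signature on edited record:", VerifyRecord(ds, tampered))                // false
}
```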
Much fuss has been made about the difficulty of managing a PKI, certificates, and smart cards. The last seven years have brought great strides in the simplicity and commoditization of security technologies such as PKI. Modern operating systems (Windows, OSX, etc.) all come with PKI support throughout the desktop — PKI is used behind the scenes to validate signed executables, secure websites, etc. Applications such as Microsoft Office, Adobe Acrobat, and many others come with support for PKI-based digital signatures and encryption. While PKI technology can be used for authentication, signatures/approvals, and confidentiality, E-Signatures only provide a solution for signatures/approvals. A PKI can enable organizations to replace all passwords with certificate-based authentication, and provide the capability to perform persistent digital signatures and strong encryption. The cost savings in avoiding password resets alone can often provide a sufficient return on investment, and combining this with the advantages of using electronic workflows and documents instead of pushing paper makes clear the value of PKI.
Sincerely,
Peter Hesse
President, Gemini Security Solutions, Inc.

July 10th, 2007 at 4:35 pm
Dear Editor,
I also read Ms. Buckman’s very interesting article on “computerizing pen-and-ink signatures” in the July 3rd, 2007 issue of the Wall Street Journal. I only wish to add a little more to Peter Hesse’s assessment in a few short bullets:
1) Standard digital signatures, on the Web, can be as easy to use as any other approach to providing an electronic-signature capability. My company has enabled hundreds of successful deployments repeatedly proving this in both regulated and non-regulated business applications.
2) The largest problem with a non-standard E-Signature is that it essentially locks the user into using the same “pen and cartridge” for the life of the contract! In some markets, like life sciences, this could mean using the same pen and ink for decades. All the signature technologies referred to in the article are non-standard and proprietary. So what happens if the “pen and cartridge” manufacturer does not last for decades?
3) There is an overwhelming mindset in the EU market that won’t accept non-standard proprietary E-Signatures and such deployments are unheard-of in practice there. It seems to be a result of the way the Europeans are interpreting their legislation for Electronic Signatures (EU Directive 1999/93/EC for Electronic Signatures)—in Europe the prevailing view is no forms of the proprietary E-Signature are acceptable, and also that EU requirements can only be met using standard digital signatures. This is a piece of information most of your readers, doing international business, may appreciate.
4) Inside the four walls of a company, proprietary electronic signatures are probably good enough; however, outside of your company, there is only one choice with built-in features that allow signed transactions to conveniently stand the test of the legal system—standard digital signatures build in user authentication and document verification.
5) When a document or record comes into question, the company will have to hire auditors to examine the records of the document and the signature(s) in question. The previously mentioned features of standard digital signatures will ease the auditing process, lowering associated costs but more importantly these features enable the company to more often avoid misunderstandings, and audits, altogether.
Many thanks,
John Marchioni
Vice President Business Development, Americas, ARX, Inc.