The dematerialization of proof of consent is the foundation of the digital society of tomorrow. Like any major societal change, the advent of this new technology has caused its share of confusion and resistance. Here is a brief summary of the key points you should know.
We can begin by listing those things that do not constitute an electronic signature. Checking a checkbox, a double click, and a scanned signature are initial steps in establishing consent, but under no circumstances are these considered formal proof of consent because there is no way to ensure the link between the person giving the consent and the document, nor to establish the duration of this consent. This type of consent can be adequate if the document to be signed never changes, as in the case of Terms of Use or a license agreement. However, this method of providing consent would be inadequate for a user-specific document, like a contract or a mandate. Jurisprudence supports this position, emphasizing the unreliability of checkboxes and scanned signatures.
To circumvent these issues, electronic signatures rely on cryptography. A series of numbers is produced that links the identity of a person to the document he or she is approving. This series of numbers is then included in the signed document, which is usually a PDF. A document that is signed in this manner does not usually contain anything resembling a handwritten signature. Instead, it uses an electronic signature verification mechanism that will reveal any alterations made to the document over time.
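The link between signer, document and alteration detection described above, as an added example that is not part of the original article. It uses textbook RSA (no padding) over a SHA-256 digest with a constructed demonstration key built from publicly known primes; the certificate structure, names and contract text are assumptions, and production signatures use padded schemes such as RSA-PSS with certificates issued by a certification authority.

```python
import hashlib

# Constructed demonstration key: both primes are publicly known Mersenne
# primes, so this key offers no security. It only makes the example runnable.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer

# Hypothetical certificate: binds the public key (n, e) to an identity.
CERT = {"subject": "Alice Example", "n": N, "e": E}


def digest(document: bytes) -> int:
    """SHA-256 of the document as an integer (the value that gets signed)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Produce the 'series of numbers': the digest raised to the private exponent."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int, cert: dict) -> bool:
    """Recompute the digest and compare it with the value recovered from the
    signature using the public key in the signer's certificate."""
    return pow(signature, cert["e"], cert["n"]) == digest(document)


# Constructed sample documents.
CONTRACT = b"Mandate: Alice Example authorises a debit of 100 EUR."
ALTERED = CONTRACT.replace(b"100", b"900")
OTHER = b"Mandate: Alice Example authorises a debit of 5000 EUR."
SIGNATURE = sign(CONTRACT)

if __name__ == "__main__":
    print("original document :", verify(CONTRACT, SIGNATURE, CERT))
    print("altered document  :", verify(ALTERED, SIGNATURE, CERT))
    print("signature reused  :", verify(OTHER, SIGNATURE, CERT))
```

Unlike a checkbox or a scanned signature image, the signature value cannot be carried over to a different or modified document, because it only verifies against the exact bytes that were signed.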
To ensure that the signed document is actually the same document that was shown to the customer, the signature procedure relies on a sort of “electronic notary.” This is a third party that is required to be independent of the contracting parties. This third party attests, by means of the process it uses, that it is impossible to falsify the document at the time of signing.
Finally, to ensure that the identity used to sign is that of the actual person who signs the document (the signatory), a sort of electronic ID card is used. This is called an “electronic certificate.” This certificate is issued by a certification authority. European Directive 1999/93 makes a distinction between two types of certificate:
– The “qualified” certificate is issued after verification of identity based on identifying documents, which are usually presented in person. The certificate is stored inside a protected physical token, such as a card with an embedded microchip, or an encrypted USB token. In certain conditions, signatures provided with this type of certificate are presumed to be valid. In case of challenge, it is the responsibility of the entity questioning the validity of the signature to provide proof.
– The “non-qualified” certificate is issued upon receipt of several more or less reliable proofs of identity, depending on the degree of mutual familiarity between the contracting parties. This certificate, which is based on a contextual relationship, is not reusable. It is called a “temporary certificate,” and the procedure that employs this type of certificate is called “cloud signing.” With this certificate, there is no presumption of validity, but it cannot be legally refused on the basis of lack of proof as long as the procedure used identifies the signer and guarantees his or her connection with the document that was signed.
Both of these certificate types produce advanced electronic signatures. The Directive even specifies that an advanced electronic signature that has been used to sign a document cannot be revoked.
Although there is a presumption of validity for electronic signatures based on a “qualified” certificate, you should nonetheless take into account how difficult such certificates are to acquire. At present, the “temporary” signature is the type most commonly used in distance contracts, such as e-commerce transactions.
With increasingly strong identification methods, such as single-use codes sent by SMS and social networks, it would not be surprising to see the electronic identification process eventually overtake traditional identification documents (like ID cards). The result will be that qualified and non-qualified certificates will converge and reach the same level of authority, which could mean that digital identity would be more secure than “real” identity.