Electronic Contract Conclusion Methods – Part 2
In connection with modern technologies evolution, foremost the Internet and mobile devices, new sale and services conclusion channels are arising. Yet, this enterprise is facing a number of issues. The regular hard copy contract signing does not quite fit with latest ‘electronic processes‘.
Therefore a number of companies are looking for alternative ways of signing their paperwork, hence new ways of concluding contracts with their clients.
This article is a short contemplation of the various possible ways from two key perspectives. I have denominated these Ease of Use and Credibility as axes of the magic quadrant that makes up the list of the main contract conclusion methods.
It should be emphasized that the following facts and ideas are closely tied with the Czech (Internet, financial and legal) environment.Magic Quadrant
In the first part of the article I introduced particular methods and the magic quadrant, which I remind below for clarity.
A Few Comments on the Chart Content
Electronic Signature Based on Qualified Certificate
I have marked this electronic signature as the most credible one.
There are three reasons for that:
- This technology, which is based on asymmetric cryptography, can demonstrably provide a high level of security, ‘uniqueness of the signature’ and non-transferability of a signature to another document. The document is also impossible to alter after signing etc.
- Participation of the second (neutral party), which verifies the identity of the signature (private key) owner and confirms the validity of the certificate. Let us compare with signing of a hard copy at a branch, where the identity verified (and possible witness of who signed the document) is by an employee of one of the parties, i.e. a possibly biased person /biased representative of a body.
- This method is directly rooted in Law, which gives a clear and unambiguous advice and guidance for organizations to implement the method, as well as to courts as for which parameters to verify if the validity of the signature (document) is to be verified.
The case of a recognized electronic signature perfectly matches with what I call real security, and with what I call formal enforcement. Yet, there is one, unfortunately crucial disadvantage. This method is practically not used; the major part of the population does not possess personal qualified certificates. Even after 14 years since the establishment of the relevant law, this method is not particularly widespread and is barely used in the Czech Republic for signing contracts and similar documents by the client, which is our primary concern in this article. I dare say if this method has not become a common practice in such a long time it may not ever happen. Not in its current form, where the most limiting factor, in my opinion, is a too short period of validity of certificates issued. The necessity to have a pair of keys made again each year, as well as the relevant certificate (which moreover is not for free), along with the usual issues of safe storage and use of the private key (e.g. compared with a hand-written signature that is with me without having to make any effort, and which is virtually impossible to steal) is the reason why this method is marked above as the most difficult to apply in practice. This is despite the fact that if a person had the key and various organizations would enable this option (unfortunately I do not know of any) s/he could safely sign contracts from the comfort of one’s home and deal with everything online. But that is a big IF ...
Hard Copy Signature with ID Verification
Whether you are signing at a branch or remotely and your identity is verified by a courier, the result is the same – the ID is checked and the document is hand-written signed, which deems in both cases the same credibility. A bank might trust its own employee more, on the other hand, a courier is an independent third party. Just in the case of a courier there is no need to go to a branch (from the perspective of a client), which can mean there is no need to have a branch (from the perspective an organization). Therefore the remote hard-copy signature is marked as easier.
Many people will probably be surprised at how little on the right on the scale of credibility I have marked the hard copy signature. This depends on how much we are used to this method and how much we trust it (regardless of objective reality). It does not cease to fascinate me how much deal is made of each possible security loop hole in various forms of electronic signatures. If such a method may not be proven 100% secure, it is almost considered impossible to apply (use the signature / present the document in court, etc.) While in the case of an el. signature you need a hacker with very special knowledge, skills and equipment; with a hard copy signature all you need is a paper, printer, stapler and the ability to read and write.
The technology of a hard copy signature does not ensure that:
- The time of the signature is possible to prove.
- The document does not get altered after signing it (in the case of multi-page documents it is very easy to replace any page, perhaps all, except for the one with signatures; and binding stickers do not resolve this issue, in my opinion).
- The signature cannot be stolen (in the sense obtaining an original which can assist in learning how to forge it).
Also identity provability based on signature has its limits. The society and the legal system have believed in inimitability of hand-written signatures and the ability of signature specialists to verify whether a certain person has signed (written) a piece of document or not. I have no personal experience with a signature specialist; however, I have this practical experience with a signature specimen. When disbursing a mortgage I did not manage to 'replicate' my own signature (created about a year prior to this event). I was not able to sign it the same way so that the bank would recognize it, even after I requested my signature specimen, according to which I was trying to practise. In other words, the handwritten signature completely failed as a means of proving my identity.
A person’s writing generally changes over time. My notes from high school look completely different than my university notes; and, they look different than I write now. Even in the short term, a person does not sign the same, not even under the same conditions. Not to mention that external conditions such as a pen, pad, position of signing, and mental state affect the circumstances such as pressure, tilting, speed, degree of simplification and other aspects. A signature specialist naturally assesses these circumstances to a certain extent, yet the result is always a degree of assessed signature similarity, and an expert’s estimate of whether it is sufficient. A signature specialist’s assessment simply is not something 100% reliable; and, often a signature expert is not able to provide a clear statement whether the given signature is genuine.
To sum up, in terms of real security, I feel that a hard copy signature is perceived as perhaps too credible. The reason for this is precisely and merely because it has been used for so long and as extensively that no one dares ‘meddling’ in it. This provides the document signing parties with a method of legal security and foremost a peace of mind that is paradoxically greater than other methods available, which are indeed inherently safer, but which the court or public do not comprehend that well, as there is no sufficient precedent and no one is sure how a dispute about these would be ruled.
Electronic Biometric Signature
This method combines the advantages of a classic hard copy and electronic signature.
It has the following benefits of hard copy signature:
- Everyone is able to sign a document; a client does not need anything else, but his/her own hand.
- The comfort is the same as when signing a hard copy, which is a method clients are accustomed to.
- Possible to assess by a signature expert.
Additionally, this method does away with (or reduces) some of the downsides of hard copy signatures. It does so with the means of regular digital signature, based on a key and certificate-cryptographic procedures ensuring that:
- The document is not possible to alter after signing it (or detect changes).
- It is possible to prove when the document was signed.
- The biometric data (characteristics of the signature) can be read only by designated individuals (and not everyone who gets hold of a document with a signature).
Biometric signature also offers more possibilities for a signature specialist analysis compared with a hard copy signature.
That is why an electronic biometric signature is marked as more credible than a hard copy one.
On the other hand, it is not clear yet whether such a signature can be seen as the ‘vouched electronic signature’ according to the Electronic Signatures Act (or under what conditions it would be), and to what extent it is/ it is not necessary to literally abide by other points of this act, as it is primarily designed for electronic signatures based on certificates, where there no biometrics is available and keys and certificates have a different role than in the case of biometric signatures. The relevant ruling in respect of biometric signatures is still being anticipated.
In addition to the benefits of a hard copy signature, the biometric signature has disadvantages inherent to hand-written signature and its analysis. Therefore, a biometric signature is not as much on the right on the scale of credibility as electronic signature based on qualified certificate is.
When One of the Two Usual ‘Security Elements’ is Missing
I have marked the following methods as more or less comparable regarding the credibility:
- Transfer from a personal bank account.
- Remote hard copy signature.
- Electronic signature without biometrics with ID verification.
I have listed these based on the following contemplations.
The signature in itself is actually useless in the case of electronic non-biometric signature. It is more of a psychological effect on the client’s side, and about identity having been verified, together with the fact that there was someone to witness the very act of signing by the given person.
Remote hard copy signature lacks such an effect, however, a handwritten signature is attained, which can (theoretically) serve to re-authenticate (prove) the identity of the signatory in the event of a dispute.
Thus both of these two methods contain one "security feature" that are both combined in a hard copy signature at a branch. Therefore, in comparison with this method, they are about half as credible.
The transfer from a bank account is then at the level of an electronic non-biometric signature , as I come from the fact that once again there is no signature of a document that could prove something, yet there is both authentication (mediated by the bank) and a demonstrable "act of consent."
As far as ease of use is concerned, a transfer from a bank account can be made from home through internet banking, whereas submitting a paper document is more complicated. The question is where to mark the electronic non-biometric signature. This depends on several factors. I have outlined here the situation of signing at the branch. If such a signature was made by an agent visiting a client or a financial advisor directly at a meeting the method would be marked much higher. Yet, in the field a hard copy contract can also be signed, or an el. biometric signature can be captured with a signpad. I do not state this whole alternative trio for the sake of keeping the chart reasonably clear.
Methods Without Any ID Verification
Electronic signature without biometrics captured at home is actually at the level of a signature copy. It is just a picture, but it is easier than having to scan or fax. Either way, there is no way of verifying who provided the signature or what time it was made (no authentication), nor is it possible to verify it backward (from the signature itself).
Consent Online / On the Phone Without Authentication
As the very simplest I perceive clicking on a button "I agree" on the site, or verbal consent expressed in call with a telemarketing agent. Regarding credibility, in both cases, again, we have to believe the person "on the other side of the channel" is the one who they claim to be. In addition, no explicit document containing any identification of the client is created here. So the question is, to what extent are these methods applicable when the law requires a contract in writing.
Signing through a Text Message
You can find a variety of Text Message loans online. You can also find banks that promise things like "signing a contract using the Text Message code" or "to open an account you just need to send a text message" etc. Personally, I have done some research and practically examined similar statements as to distinguish what is reality and what is a lie (ehmm marketing). Yet, I have not found any real "signing through a text message". Contrary to the advertising claims after several steps online, involving copying a text message code, once followed by signing a hard copy contract handed to a messenger (verification of identity and even a copy of an ID made by a phone), the second time it was followed by sending yet another code in registered mail, which again means authentication (by a post attendant) and a signature provision (takeover). Other cases, involving a text message code, included a transfer from a personal bank account, which in my opinion made up the true essence of the method used.
The only exceptions that I know of are cases that I would not denominate as contract conclusion, but as authorization of the act performed within a relationship based on some previously concluded (framework) agreement. This is not a conclusion (of an independent) contract between the entities that "do not know each other" yet (i.e. are in no relation), which is the case of our concern in this article.
This is the reason why the "text message method" is not listed in the chart, though some may have expected it there.
The issue of alternative signing contracts is quite a hot topic today. Banks, credit card companies, insurance companies, Telco operators and others in the Czech Republic have recently been looking into or are currently working on biometric signatures at branches and "in the field", as well as trying to speed up and simplify online service conclusion and resolve the problem of contracts "online signing". Perhaps my magic quadrant and this article will help someone in the initial orientation in the issue, or it may inspire you to come up with your own ideas.