Archive for May, 2008

"This is legal, right?" – Electronic Signatures & The Law


This entry is the third in our “What is an Electronic Signature, Anyway?” (Part One / Part Two) educational series.

First, a disclaimer.  This blog entry is not intended to provide legal advice.  You should discuss issues relating to the use of electronic signatures in your business with your own legal counsel and compliance officers.

With that out of the way, welcome back to our series on electronic signatures.  Up to now we’ve covered what can be defined as an electronic signature, and how one can provide assurance as to the validity of an electronic signature.  However, our clients and customers are mainly concerned with one thing:  are electronic signatures legal and admissible in a court of law?  Will my contract be null and void if I use this electronic signature pad?  Will my account documents be tossed out because they’ve been digitally signed?  Can I accept electronic signatures on my contracts?

Only your legal counsel can answer these specifically, but, in this lengthy entry, we can offer some very high-level information on the applicable laws, what is meant by legal effect versus admissibility, the availability of case law, and where you can go to find out more information.

 

Laws

In 2000, President Clinton digitally signed into law the Electronic Signatures in Global and National Commerce Act (E-SIGN Act).  This public law provides that:

(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

At the state level, the Uniform Electronic Transactions Act (UETA), passed by 48 US States, provides much the same protections to electronic signatures and records. (The remaining 2 states have other legislation covering electronic signatures.)

Note that neither piece of legislation specifies a particular electronic signature technology.  In fact, the E-Sign Act states that:

The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

By keeping the legislation technology-agnostic, the law avoids creating a bias toward any one product and does not have to be amended as technology changes.  It therefore allows a wide spectrum of electronic signature technologies (click-through, signature pad, biometrics, digital signatures, etc.), as long as the system produces a signature that is “attached to or logically associated with” the electronic document being signed and provides evidence that the signatory actually signed it, demonstrating an “intent to sign.”  Note, though, that both laws carve out certain categories of documents, such as wills and adoption papers, from their coverage, so the protections above do not extend to them.

Other US laws and regulations provide guidance in specific industries.  For instance, 21 CFR Part 11 sets the FDA’s requirements for electronic records and electronic signatures in the industries it regulates, including the controls an electronic signature must meet to be treated as equivalent to a handwritten one.  This is a good time to mention that laws are not the only things to be concerned about when it comes to electronic signatures.  You also have to be aware of any regulatory standards or recommendations that may be in place for your industry.

Using the pharmaceutical industry again as an example, the SAFE-BioPharma Association (Signatures and Authentication for Everyone), interested in promoting the use of electronic documents and reducing costs, created a technical, legal and business model around the use of electronic signatures among pharmaceutical manufacturers, clinical investigators and regulators.  In fact, SAFE requires the use of digital signatures, and has certified (and recently re-certified) PDF-based digital signatures in Adobe Reader®, Acrobat®, and LiveCycle® Digital Signatures against the SAFE standard.

Outside of the US, most countries have electronic signature laws in place, as well, though they vary in complexity.  For the 27 member states of the European Union, Directive 1999/93/EC on a Community Framework for Electronic Signatures (EU Signature Directive) provides an in-depth legal framework for electronic signatures and their validity inside and between EU countries.  It creates several categories of electronic signatures, with so-called “Qualified” signatures required to be legally accepted and valid in all EU member states.  The high assurance requirements around Qualified Electronic Signatures (QES) do point to digital signature technology, with a requirement for a ‘Secure Signature Creation Device’ and best practices around key generation, storage, and certification of the providers of the signing credentials themselves.

Adding to the fun, EU member states are required to individually transpose EU Directives into their own legislation.  Certain countries decided to tweak the text on the way to implementation, and in so doing, created another layer of complexity that makes working with cross-border electronic signatures quite a challenge!

Note that electronic signatures applied in the US may not be granted legal admissibility in the European Union, especially on documents such as electronic invoices (e-invoices).

 

Legal Effect vs. Admissibility

We’ve tossed these terms around in this entry, so it’s probably time to clarify the difference between the two.  While lawyers around the globe may cringe at my over-simplification, here we go…

“Legal effect” pretty much means that, yes, the court will accept that an “electronic signature” is a “signature” as already defined by precedent and law.  So, in other words, an electronic signature and a wet ink signature are equivalent in most respects, and they can be brought into trial.

However, just like their wet ink counterparts, each document intended to be entered into evidence in a trial will need to be assessed for its “admissibility,” whether it’s signed with ink or a digital certificate.  Does it represent the intent of the signatory?  Has the document been altered?  Who had the right to sign this document?  How was the signature derived, and what controlled access to the document for its signature?  These questions come into play no matter the type of signature.

However, wet ink signatures have been in use for quite a long time and have established a certain amount of credibility.  Electronic signatures, on the other hand, are a newer phenomenon, and thus may be more subject to the critical eye of the court.  This is where the concept of assurance, as described in the previous entry in this series, can come into play.  Higher assurance signature methods that authenticate the signer, use document fingerprinting (‘hashing’) to provide integrity, and store signature keys (and thus, the “pen”) in a secure manner, are more likely in the long run to be provided with the benefit of the doubt than those signature technologies which provide lesser assurance.

So, in the end, your electronic signature may be a legal signature, but it could be tossed out of court if the judge feels that the signature process did not provide the appropriate level of assurance.

 

Case Law 

Well, we’d love to point you to a particular case that ruled this or that technology admissible, or held that signatures captured on these types of documents were fine, but there are none.  In the United States, there are likely hundreds of cases that touch on the use of electronic documents and e-discovery, but none that specifically address a challenge to an electronic signature.  This could mean that such disputes are being handled in arbitration (outside the courts), or that challenges simply have not been filed; more likely, it means that the courts have been treating electronic signatures as admissible without much fuss.

What the future holds, no one is certain.  The EU Signature Directive provides a clear sign that assurance does play a role in admissibility.  Will the ideas of the Directive take hold in other countries around the world?  How will US and state case law react to increasing numbers of electronic signatures?  We’ll keep watching…and we’ll keep you informed!

The good thing is that with Adobe products like Acrobat and LiveCycle you are gaining the ability to sign electronic documents (PDF) with a spectrum of electronic signatures, whether they’re electronically captured on a tablet PC, created with digital certificates, or even required to be compliant with the EU Signature Directive.  You can rely on Adobe’s global expertise in the field and years of collaboration with our Security Partner Community to meet your electronic signature needs, no matter the requirements.

 

Links

Here are some links to continue your reading.  Again, be sure to confer with your legal counsel on these topics.

  • ABA Digital Signature Guidelines Tutorial – A great starting point for understanding digital signatures from the American Bar Association.
  • The Sedona Conference® – Though focused primarily on electronic records, this educational non-profit organization provides substantial coverage of related case law and issues that may come into play.
  • Electronic Signatures & Records Association (ESRA) – This association brings together vendors and business owners in its efforts to extol the benefits of electronic signatures and documents.  Adobe is a board member of the Association.

 

Next in our “What is an Electronic Signature, Anyway?” series will be an exploration of real world examples of electronic signatures in action around the world today and what the implications are for the businesses implementing them and the customers using them.

Long Term Preservation for Digital Signatures


Time is a critical component in establishing the sequence of activities in real life. It is an equally important part of the value proposition of digital signatures, which establish the authenticity and integrity of a document or transaction. Signing certificates, however, have a much shorter life span than the retention periods that records-management requirements impose on a document. So, how does one create long-term records of compliance for digitally signed documents?  Does the digital signature become invalid when the signing certificate expires? The key to unraveling this problem is first to establish the point in time at which validation takes place.

Let us start with an example of a home loan document that I digitally signed in 2005, when interest rates were so low. Next, let us say that the certificate I used to sign had a validity period of three years, 1 Jan 2004 to 31 Dec 2006.  A naive validation performed after 31 Dec 2006 would therefore find an expired certificate and run into trouble. Surely it would be easier if we mimicked the paper-based workflow: the financial institution that honored my wet-ink signature for the life of the document should have a similar experience with a digital signature. After all, the undeniable (non-repudiable) fact is that the signature was valid at a previous point in time, and there should be a way to demonstrate this. The rest of the article describes how to accomplish this using Adobe Acrobat or Adobe Reader.

Adobe Acrobat 8.0 can validate a signature at any of three points in time, as chosen by the relying party. The default is validation at “Secure” time. Secure time is the time asserted by a timestamp signature embedded in the digital signature, obtained from a timestamp authority rather than from the signer’s own clock. A signer can use a timestamp server of choice by configuring the Time Stamp Authority security setting in Adobe Acrobat. This is a user preference tucked away in the security preferences section, and it can also be set centrally within an organization.  Alternatively, if the signing certificate itself carries the timestamp server’s location, that server is used automatically to include a timestamp signature at the time of signing.

    Click Options for Long Term Validation of Signatures to view the demo.

Including a timestamp signature is a good first step, but it does not by itself give a relying party enough information to validate the signature in the future: the signer’s certificate will eventually expire, and a revocation check made years later cannot say what the certificate’s status was when the document was signed. Including the revocation information for the signer’s certificate (the CRL or OCSP response as it stood at the time of signing) along with the timestamp signature gives the relying party what it needs to validate the signature at a future point in time.

With these two pieces of information (the secure signing time and the revocation status of the signer’s certificate as of that time), the relying party gets the “default” experience: the signature is always verified at the secure signing time, with immediate access to the revocation details that applied at that time. If required, the relying party can also verify the signature at “Current” time, which is the time on the relying party’s own computer clock at the moment of validation.
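To make the secure-time versus current-time distinction concrete, here is an added example (written for this article; it is not Adobe code and does not model Acrobat’s internals) that walks the loan-document scenario above through a minimal validation routine in Python. The certificate, dates, serial number and revocation records are all constructed for illustration; a real implementation would parse the CMS/PDF signature, verify the timestamp authority’s signature and check the CRL/OCSP signatures rather than trusting plain records.

```python
"""Added example: validating a signed document at "secure time" vs "current time".

Every certificate, date and revocation record below is constructed for
illustration and does not come from any real CA, document or product.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


def utc(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


@dataclass
class Certificate:
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class RevocationInfo:
    """A CRL or OCSP snapshot: what the CA knew as of this_update."""
    this_update: datetime
    revoked: Dict[int, datetime]  # serial -> time the CA revoked it


@dataclass
class SignedDocument:
    signer_cert: Certificate
    claimed_signing_time: datetime                 # from the signer's own clock: not trustworthy
    timestamp_time: Optional[datetime]             # "secure time", asserted by a TSA signature
    embedded_revocation: Optional[RevocationInfo]  # status captured and stored with the signature


def validate(doc: SignedDocument, at: datetime,
             fresh_revocation: Optional[RevocationInfo] = None) -> Tuple[bool, str]:
    """Decide whether doc's signature is valid *as of* the instant `at`.

    Revocation data comes from `fresh_revocation` if the relying party fetched
    some, otherwise from the snapshot embedded at signing time.
    """
    cert = doc.signer_cert
    if not (cert.not_before <= at <= cert.not_after):
        return False, f"certificate not valid at {at:%Y-%m-%d} (expires {cert.not_after:%Y-%m-%d})"

    rev = fresh_revocation if fresh_revocation is not None else doc.embedded_revocation
    if rev is None:
        return False, "no revocation information available for the signer's certificate"
    # A snapshot issued before `at` cannot speak to the certificate's status at `at`.
    if rev.this_update < at:
        return False, (f"revocation data from {rev.this_update:%Y-%m-%d} "
                       f"is too old to cover {at:%Y-%m-%d}")
    revoked_at = rev.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= at:
        return False, f"certificate was revoked on {revoked_at:%Y-%m-%d}"
    return True, f"signature valid as of {at:%Y-%m-%d}"


def validate_at_secure_time(doc: SignedDocument) -> Tuple[bool, str]:
    """The default described above: verify at the TSA-asserted time, never at the claimed time."""
    if doc.timestamp_time is None:
        return False, "no timestamp: only the signer's unverifiable claimed time is available"
    return validate(doc, doc.timestamp_time)


# --- Constructed scenario mirroring the post: a loan document signed in 2005 ---
LOAN_SIGNER = Certificate("CN=Borrower", serial=0x1001,
                          not_before=utc(2004, 1, 1), not_after=utc(2006, 12, 31, 23, 59))

LOAN_DOC = SignedDocument(
    signer_cert=LOAN_SIGNER,
    claimed_signing_time=utc(2005, 3, 15, 9, 58),
    timestamp_time=utc(2005, 3, 15, 10, 0),
    # CRL fetched right after signing and stored with the signature: nothing revoked.
    embedded_revocation=RevocationInfo(this_update=utc(2005, 3, 15, 10, 5), revoked={}),
)

# A CRL published in 2008: the CA revoked the borrower's certificate in June 2006.
CRL_2008 = RevocationInfo(this_update=utc(2008, 5, 1), revoked={0x1001: utc(2006, 6, 30)})

# Variants: the same document without a timestamp, and without embedded revocation data.
UNTIMESTAMPED_DOC = replace(LOAN_DOC, timestamp_time=None)
NO_REVOCATION_DOC = replace(LOAN_DOC, embedded_revocation=None)


if __name__ == "__main__":
    print("secure time, embedded CRL:   ", validate_at_secure_time(LOAN_DOC))
    print("secure time, 2008 CRL:       ", validate(LOAN_DOC, LOAN_DOC.timestamp_time, CRL_2008))
    print("current time (May 2008):     ", validate(LOAN_DOC, utc(2008, 5, 20), CRL_2008))
    print("Sept 2006, 2008 CRL:         ", validate(LOAN_DOC, utc(2006, 9, 1), CRL_2008))
    print("Sept 2006, embedded CRL only:", validate(LOAN_DOC, utc(2006, 9, 1)))
    print("no timestamp:                ", validate_at_secure_time(UNTIMESTAMPED_DOC))
    print("no embedded revocation data: ", validate_at_secure_time(NO_REVOCATION_DOC))
```

Validating at the secure time with the embedded snapshot succeeds, and so does validating at the secure time with a CRL issued in 2008 that lists the certificate as revoked in mid-2006: a revocation after the signing moment does not retroactively invalidate a timestamped signature. Validating at current time fails on expiry alone, a check in September 2006 fails once a fresh CRL shows the revocation, and a document with no timestamp cannot be validated at secure time at all. One caveat the post does not cover: the timestamp authority’s own certificate also expires, so preserving a signature beyond that point requires applying a fresh timestamp over the document, signature and validation data before the old one lapses.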

Flexibility in identifying and authenticating users – Part One

Rights management is used to manage usage rights to protect sensitive documents, ensuring that only authorized users have access to protected information. At its core, this is dynamic protection based upon user identities. To facilitate this, the system must know which individual users should have access to secured content.

Flexibility in identifying and authenticating users ensures that protection can be transparently integrated into preexisting infrastructure, and is central to effective deployment. The benefits should be clear: fast deployment, easy administration, and quick to achieve a return on investment.

LiveCycle Rights Management ES provides four fundamental types of authentication to the end-user: anonymous authentication, username/password authentication, Kerberos SSO authentication, and Smartcard/Certificate authentication. These enable out-of-the-box deployment into a variety of authentication infrastructure, along with allowing for substantial mechanisms for customization and integration.

In today’s topic, let me explain some of the possibilities and benefits associated with the first three authentication types:

Anonymous authentication

This type of authentication completely skips identifying the end-user! By granting “guest-level” access to content, end-users need not authenticate prior to being authorized to open content. This allows several workflows:

  1. Authors can distribute content and still control it through the “yank and replace” revocation mechanism. For example, an author can distribute a price sheet or a data capture form, and make sure that only the latest version of the content can be viewed.
  2. Even though individual end-user identity is unknown, authorization can be controlled based upon IP address or the number of times content has been viewed. Further, detailed (though anonymous) audit records can keep track of how frequently documents are opened.

Username/password authentication

This is typically the most familiar authentication dialog within LiveCycle Rights Management ES:

[Image: the LiveCycle Rights Management ES login dialog (RMLogin.jpg)]

This dialog is the gateway to the powerful “username/password” authentication; it provides out-of-the-box functionality to authenticate users against a variety of directory systems, as well as create a custom integration with other credential providers.

For example, you can authenticate users against supported LDAP directories (e.g., Microsoft Active Directory, Sun Directory Server, IBM Domino LDAP, Novell eDirectory, etc.) that you already have deployed. But there’s no need to limit yourself to LDAP users. We provide two out-of-the-box mechanisms for managing user accounts for customers without existing directory infrastructure: “invited users” and “local users”. Think of these accounts as being stored “locally” within our own built-in directory. Administrators can manage these accounts using our built-in APIs and GUI, and the facility exists for end-users to quickly and easily provision their own accounts.

In all these cases, the end user simply enters his username and password upon opening a document and the server automatically queries the relevant system to verify credentials and further authorize the user. If the administrator chooses to allow it, the end user can also instruct the client to remember his credentials, which will securely cache credentials and not bother him to authenticate for subsequent documents. For many customers, this can enable an inexpensive form of “Single Sign-On” (SSO), since end users would see an authentication dialog at most once, and likely forget they are opening protected content.

This authentication type, however, is much more flexible than basic username/password integration with directory services. We can enable integration with any credential system that works with two user-entered strings. This is because LiveCycle Rights Management ES can dynamically customize this authentication dialog, and because a customer can develop a custom authentication provider integration via the server-based “SPIs” (service provider interfaces).

For example, some of our financial industry customers have leveraged their existing account management infrastructure, allowing their customers to authenticate via their existing account number and PIN to their policy-protected banking statements. Others have used these SPIs to integrate with one-time password (OTP) systems to enable multi-factor authentication.

Kerberos SSO authentication

Those customers who want the ultimate “transparent integration” with existing authentication infrastructure can choose to enable Kerberos-based single sign-on (SSO). This is an outstanding option for those who feel that “clicks ‘R’ bad”, and never want to be impacted with an authentication dialog.

Because end users never see an authentication dialog when opening a protected document, and frequently forget they are accessing protected content, they often think of this authentication type as “magic.”

Based on technology built into Microsoft Windows clients and Microsoft Active Directory on the server, Kerberos SSO lets LiveCycle Rights Management ES clients reuse the Windows logon session to authenticate directly to the Rights Management server: the client obtains a Kerberos service ticket for the server using the ticket-granting ticket issued when the end user logged into his machine, so no password is re-entered or sent to the server.

Next time: A deep dive on smartcard/certificate authentication and the benefits to customers.


Need more information on how your organization can effectively manage and protect your intellectual property? Further information can be obtained at http://www.adobe.com/go/rm or by contacting Adobe.

Enabling signing in Adobe Reader

We have all encountered situations where obtaining the signature of an appointed authority or a specific individual was the only item left on the checklist to complete a transaction. Starting with Acrobat 8, collecting signatures in ad-hoc workflows like this is a very easy task. Navigate to the Advanced menu in Acrobat 8.0 and select the “Enable Usage Rights in Adobe Reader” option. This allows the recipient of the document to sign it as long as they have Adobe Reader 8.0 or a later version. You will see a dialog box confirming the usage rights being granted; notice that one of them is the ability to digitally sign the specific document for which the rights have been granted.

For large volumes of data collection on these documents or forms, there is a corresponding Adobe LiveCycle Reader Extensions ES product that must be licensed.

2008 Adobe Security Partner Summit, or What You Missed on My Vacation

Two weeks ago, Adobe held its annual 2008 Security Partner Summit.  The Summit is designed to offer partners the chance to see where our products are headed, to learn how they can best leverage the security capabilities in those products, and, most importantly, to interact directly with our product management & engineering teams to affect the future course of our products.  The Summit also provides Adobe with a great opportunity to listen to what our partners are hearing from their customers and how the changes we make in our products impact their business.

Partners in attendance were able to gaze into the future of both Adobe Acrobat and LiveCycle ES.  They also heard the latest on Adobe’s…

  • thought leadership on electronic signatures;
  • EMEA partner strategy and unique regional requirements; and
  • Rights management capabilities and partnering opportunities.

For Adobe, partners are absolutely essential when it comes to matters of security as we define it: electronic / digital signatures, authentication, and rights management / encryption.  Our philosophy is to build robust capabilities into our own products and then adapt to particular customer needs through the careful selection of partners who can bring these solutions into being.  Whether it’s a handwritten electronic signature required to open an account at a bank branch office, single sign-on authentication into a LiveCycle administration portal, or certifying the US Federal Budget, our Security Partner Community is part and parcel of our ability to deliver powerful, compelling security solutions to clients the world over.

If you are a developer or systems integrator working with Adobe products and focusing on security, you owe it to yourself and your customers to join Adobe’s Solution Partner Program and Adobe’s Security Partner Community (SPC).  As a member of these two programs you’ll get access to a wide variety of benefits, including invitations to the annual Security Partner Summit and our MAX Conference.

If you’re already a member of our Solution Partner Program, but haven’t yet reached out to the SPC, what are you waiting for?  Adobe’s next Security Partner Summit is scheduled for 5-6 May 2009…we look forward to seeing you there!

And oh…about my speech relating security to my vacation in the Bahamas?  Well, you had to be there.  ;-)