Secure digital signatures: moving forward in a crisis

The current situation around the COVID-19 pandemic presents a massive challenge for the legal profession in how to conduct business and transactions when the usual means of doing so are no longer available. Electronic communications are of course a way to deal with it, but there has historically been a reluctance to simply transfer everything to email and attachments.

The core of the issue is this: How do I trust what I see in front of me? And how do I prove its validity? These questions are perfectly fair. However, some of the arguments solicitors encounter when using their digital signature are not the answer. Replies like “We are not set up to accept digitally signed offers”, and “The law has not yet been changed to permit digital signatures”, not only illustrate the reluctance, but a downright misunderstanding of the inherent value and possibilities digital signatures have to offer. The purpose of this article is to “debunk the myths” and set the scene for the broader use of secure digital signatures.

Legislative backdrop

We, in Scotland, were not the first jurisdiction to introduce smartcards for members of the legal profession. Other countries in Europe pioneered the initiative, especially Italy and Spain. The Law Society of Scotland saw the benefits of the smartcard, and in particular the secure digital signature, and took steps to introduce these here. This resulted in the Requirements of Writing (Scotland) Act 1995 being amended by the Land Registration etc (Scotland) Act 2012 and the Electronic Documents (Scotland) Regulations 2014, with the result that Scots law now confers equivalent status and standards of validity on documents created in electronic form in compliance with the new law to those given to paper documents (with the exception of wills and testamentary writings, which must be created and signed in traditional form).

There remained a doubt about whether it was competent to scan in your “signed on paper” document and deliver it by email. In addition to permitting execution in counterpart, the Legal Writings (Counterparts and Delivery) (Scotland) Act 2015 removed this doubt, with the result that electronic delivery is competent for documents created and signed on paper as well as for electronic documents.

What is a qualified electronic signature?

Everyone is familiar with simple electronic signatures already – typing your name at the bottom of an email is exactly that. There are several levels of electronic signatures, and depending on what is being signed, different types can be utilised. The Technology Committee of the Law Society of Scotland has published a guidance note on electronic signatures.

The highest level of electronic signature is a qualified electronic signature (QES) – which is the type of digital signature that is issued with the Society’s smartcard. It is “qualified” because several stringent conditions need to be fulfilled to obtain one. One of these conditions is that the means to use this signature, i.e. the underlying certificate on the chip and the PIN code needed to apply it, are under the sole control of the signatory at all times. This means that only the signatory actually named in the QES can sign the document in question. In addition, once the signature is applied, the document is basically set in stone. The secure digital signature, the one that counts, is embedded in the bits and bytes of the document in its electronic form. Any attempt to change the document or its content will invalidate the signature and it will show as such. This is the essence of the security afforded.

Pen versus keyboard

As to proving the validity of the applied signature, every electronic signature can be interrogated, be it by checking the metadata of an email header or double-clicking on the signature line in an electronic document. The difference is the amount of information available. Metadata from an email will show IP address and timestamp, but it will not prove the name of the person who really typed it up and sent it off. QES interrogation provides all sorts of information, e.g. validity status, signatory, timestamp, underlying certificate data. In addition, all this information does not disappear when the mail server gets cleaned later on: it is part of the signature and available as long as the document exists. What’s more, no set-up is required to validate a QES on the computer. Where previously recipients looked to check that the document was signed at the bottom of the page, they now simply click the signature on the screen.

It is fair to ask: Why do we still trust that a paper form sent in the mail is really coming from a law firm? Because it says so on the letterhead? How can we prove the wet signature at the bottom is really that of a solicitor? Because the name appears in print below the line? Because it’s always been this way?

Less than 40 years ago, paying in cash was the norm for everyday transactions, be it at the grocer’s, the cobbler’s, or the pharmacy. Now, everyone has a debit card with chip and PIN, and uses it for one specific purpose. The smartcard with its digital signature is no different. The profession needs to move away from the notion that only paper is true and a pdf scan of a signed document is the maximum electronic involvement possible. We all need to view the current crisis as a challenge (and an opportunity), and embrace it to move forward. Will it be as easy as flicking a switch? Probably not. Workflows will have to be restructured or at least tweaked, the idea of only trusting paper and wet signatures must be re-evaluated, and going back to the way things were before, once this crisis is over, is simply not going to be an option. However, despite the initial hurdles, this is an opportunity for the legal profession in Scotland to transform the way it does business in the time to come.

The future is digital: the future is now!

For more details and step-by-step guides on how to apply and verify the smartcard’s digital signature, visit the SmartCard page.