Dan Puterbaugh, Director of Strategic Development for Adobe, is an expert of mobile signatures. Speaking recently at an ESRA event, he laid out the future of how we as consumers will sign documents and authorizations.
He opened by saying: “I think a lot of times when I talk to people in the US, they ask, ‘Why? Why would you do a presentation on this? There’s not a lot of complexity there.’”
He continued: “But I want to talk about it because of the EU. In 2016, the EU passed a new electronic signature law that allowed remote signatures and for the first time gave a specific type of signature the exact same legal status as a handwritten one. The US law says that if you need a signature, you can use an electronic one, but it doesn’t explicitly say that a particular type of electronic signature will have the same status as a handwritten one.
“That’s causing a shift in status in the EU that could impact everyone. A lot of companies do business in the EU. But even if you’re operating only on North America, what’s happening in the EU is interesting because if you remember a few years ago, we were using regular credit cards while the EU had switched to smart cards with the embedded chip. And I think the US took the attitude that it wasn’t needed and was too expensive. But what happened was because of the additional security and because of all the data breaches involving credit cards, the US moved to that.
“So I think there’s something like that coming for North America because there’s a highly secure form of electronic signature that’s becoming more prevalent in the EU.”
Three categories of e-signatures
Puterbaugh explained the three types of electronic signatures.
Standard electronic signatures: Those are the ones everyone knows.
Advanced electronic signatures: They are what are usually called digital signatures: an electronic signature married to an authenticating digital certificate.
Qualified electronic signatures: They have two special characteristics: Every member state must recognize a qualified e-signature from another state, and qualified e-signatures are given the same status as a handwritten one.
Puterbaugh explained: “The issue is that using these signatures with digital certificates is an enormous hassle. I had thought it was like pre-check, where you go somewhere secure and someone checks everything out, but in the EU it often involves getting in your car, going to a drugstore like a Walgreens, handing a bunch of forms to someone who was barely trained in this, and having that person put the forms in a big stack of paperwork that will eventually go somewhere.
“That has been seen as a real barrier. I was recently in the EU and the European Commission is very concerned about that.”
He continued: “The other painful thing is that, once you have the digital certificates, they’re very painful to use. People have smart card readers and USB keys that they carry around. They’re physical forms of the digital certificate, but the problem is that you’re not going to be executing digital signatures in the field on a smartphone. You have to go back to your office.
“I was at a conference in the EU where we were talking about this and a guy told me he was a lawyer in Italy., He said he has a safe with USB keys for eight of his managing directors. Once a week, he has to insert each USB key and put in a PIN to sign documents on their behalf.
“This is like dealing with printers, which haven’t evolved since 1994. Digital certificates were developed during another era and they’re alien to how we do business today.”
Solving the pain points
Puterbaugh said: “But we’re starting to see these pain points solved, thanks to smartphones and the cloud. They’re coming together to solve the authentication and execution problems. This is important because it could drive adoption in the US and the rest of the world.
“Regarding authentication: What we’re starting to see is a form of video authentication that is a person-to-person process where you, through your laptop or smartphone, go into an encrypted chat with someone and go through a series of steps to prove who you are. It’s much better than having to drive to the drugstore.
“Many companies are offering this. It’s similar to e-notary. It’s a slam dunk way of authenticating someone’s identity, as long as you do it properly. I always say something is a trend if someone, especially Germans, want to regulate it. The German regulatory body has promulgated a set of guidelines around this. There are videos about it on YouTube that are worthwhile viewing.”
He continued: “The person doing the interview has training in forged IDs. You have to get explicit consent because it will all be recorded. It has to be done in real time, without interruption. There are guidelines to check for artifacts and other things to trick people. Many IDs in the EU have holograms and other watermark technology that you can only see when they’re in motion. You can’t replicate that process with a photo – there are many ways that still images can be forged.
“An interesting thing about it is what I call ‘the dance.’ If I’m doing this authentication, not only will I have someone show me their ID and show me all corners of it, as well as let me hear their voice, but to ensure that the other person is a real person occupying the same space, I have them block part of their face, block part of their ID, and so forth.
“They then require two-factor authentication. The entire video is passed on to someone else to authenticate it. The whole process takes three to five minutes to get a digital certificate.”
Executing the certificate
Puterbaugh then said: “When it comes to executing the certificate, the element that was handled by smart card readers and USB keys is now handled by the cloud. There are a number of different standards being developed around it. Specifically, ETSI (European Telecommunication Standards Institute) is developing a standard that talks about how you’re going to go about developing a standard for executing an advanced but remote qualified e-signature. It isn’t finalized yet, but it’s inevitable.
“What we’re driving toward in the EU is an idealized world where you have something that’s relatively easy to use that you can execute off your smartphone but satisfy the most white-knuckled compliance officer that you’re trying to talk into allowing you to use e-signatures. There’s always been this back-and-forth between something that’s easy to use and something that’s hyper-secure. Now we can have both.
“The timeframe for this is the next few years. There are companies doing it and standards being developed.”
There was one question: “Do you see this style of frameworks coming to North America any time in the near future?”
Puterbaugh replied: “That assumes the US government can legislate anything, but I would say that having talked to a number of people in other jurisdictions, such as India and Japan, they are looking at the EU law as the model they might want to adopt. Likely it will be a matter of if you want to do business outside the US, you will need to know about this. If not today, soon.”