How to recognize a secure digital contract?
Going from paper to digital contracts has been "a brutal process". It's just not human nature to trust machines; so how can we become more confident in digital contracts?
About one hundred years ago, the paper contracts of the world were probably very content. Their lives were so free, and roaming. I mean, they were carried around the world, maybe got to see Europe from the steam train. And then they got to fly! Across the Atlantic, perhaps, snoring inside a leather suitcase. But then the trips became shorter, and paper contracts were instead transported by taxi between companies in Oslo, Berlin or New York.
Eventually, humans were able to just fax the paper. Also a digital way of getting hold of that signature, rather than physically meeting the person to sign. Then people were able to take pictures of the paper: Because the paper was going to be included at all costs, right?
The click of a mobile button, a quick scan and then sent as an attachment in an email. But, there is a but.
The signing portals must earn our trust
Today, there are many simpler digital solutions for contracting – apps that can be trusted just as much as the paper. Yet many still cling to the white sheets. And perhaps secretly hate the clunky and slow copy machine that constantly beeps for ink, or glows red and makes noises for reasons as inexplicable as the boss's metaphors.
The transition to digital life has been - and still is - brutal.
“For many, adopting digital contracts is still about establishing trust in something new and unfamiliar," says Norway's foremost expert on digital contracts, Rolf Riisnæs. Riisnæs is a lawyer who, for more than 25 years, has assisted Norwegian authorities in understanding and managing digital opportunities and challenges. For many years he has been a partner in the law firm Wikborg Rein in Oslo.
"Modern digital contracts are quite different from the more 'semi-digital' contracts of the last 20 years," says Riisnæs, who specializes in IT contracts, electronic signatures and privacy. He is quite simply the foremost legal expert in the field of signatures in Norway.
So what makes a digital contract secure and trustworthy?
Three types of security: Who, What and What If
When we talk about contracts of a certain importance, and it has or should be done digitally, we want to be sure of three things in particular. First of all, we need peace of mind about who's involved, then there's peace of mind about agreeing on what you want to agree on, then there's peace of mind that the signature and the agreement can be enforced if disagreements arise between the parties.
“A contract assumes that two parties have agreed on something, something that can happen in many different ways; it could be an email, a call or a text. If this agreement is of great importance to the parties, it should therefore be formalized," says Riisnæs.
We've actually been using electronics for a long time, right up until the actual contract was to be signed. Scanning, printing. But then we still signed ... on a sheet of paper. Now the paper is gone. Signing often takes place on a screen.
“You have to choose to trust those who develop and operate the new digital tools," Riisnæs says.
”One of the ways to do that is to log in with BankID?”
"Yes, that can be an aspect of it. It helps to ensure confidence that you know who has approved and signed the document," he says.
Today a common approach is to allow the actual signing to take place in a so-called signing portal.
“A place that both parties can access. So that one of the parties can see what it says, can nod and say 'yes, this is what we agreed on', and now I confirm that very thing. First by pressing confirm, then by signing the document, so that you can later prove that it was me who pressed it," says Riisnæs, who also has a PhD in digital certificates.
Checking an "e-name" against a real passport
But let's take a few steps back. Because; earlier in the process, you may need to be sure that the people involved in signing the agreement have not been or are not currently involved in any criminal activity. Whether that has to do with money laundering or any other dirty tricks.
This part certainly is not easy to ask for if you only have a piece of paper in your hand. But with secure, certified digital solutions, this job can be done for you.
You'll be able to sleep well at night if you can be sure that the person signing - when you might never meet them in real life - is who they say they are. Clarifying identity isn't easy if someone you meet is just holding a pen. Anyone can hold a pen. In principle, anyone can also sign a digital contract, but with the right digital platform, this work will also be done in a subtle way.
The reason:
“An electronic ID or an electronic certificate will both confirm who the person involved is, and the format means that some further investigations may be automated," says Riisnæs.
Those who work for Signicat, for example, will be able to match and approve the person and the name they want to sign against their own passport. Even if they never show it to any real people there and then.
"There are now services that can provide real-time verification of facial biometrics using a mobile camera via an app, while at the same time the person presents their passport or other recognized identification document that the verifiers can recognize," says Riisnæs.
Are you starting to sense that your pulse is slowing down a bit?
Are you told to log in with BankID?
Well, computers are exposed to many threats. They are not a so-called "secure signing environment". That's why many have wanted to move the entire environment to a more secure location. Handled by suppliers and signing portals we can trust.
“When you sign electronically, what you really have to trust is the technology. You also need to be able to check who has signed. A digital certificate is often used to achieve this," Riisnæs says.
That's why a secure signing portal should always use a digital certificate. A digital certificate is an electronic document that links a signing ID or "key" to a person. The certificate links this key to a name and date of birth, but this is often not enough.
“That's why BankID, for example, also contains information such as your national identity number”, he says.
When you are presented with a piece of paper in front of you and then sign it, you are sure of what you have agreed to. No-one can change the text afterwards without you noticing it.
"But when you sign digitally, you're not usually signing the document itself, but use a kind of digital fingerprint. Ultimately, what you actually sign becomes codes that no human can understand," says Riisnæs.
At least as safe as paper
Are you perhaps still a little skeptical? And still think paper is the safest way to go? Well, digital solutions are at least as safe when it comes to trusting that the person who has signed is who they say they are.
“Right?”
"Yes, I believe so," says Riisnæs.
“Are they even better than paper in some cases?”
"Yes, digital contracts provide better documentation. In other words, there's a high degree of certainty that you can later substantiate who was involved in the process and that the content of the document that was signed is unchanged, i.e. that the content hasn't changed since the time of signing," says Riisnæs.
Question: Are you now able to recognize some of the ways in which digital contracts are structured? As mentioned before; it's all about what you can and cannot do.
Signicat: Increased usability and security
Ask yourself the question; are you able to conduct a background check? Can you be sure that the right face is behind the correct "digital pen"? Can you yourself see if the agreement has been tampered with? Are you asked to use BankID to log in?
If the answer is yes to these then you're on reasonably safe ground. But only if you've been careful in advance – to draw up a solid agreement and have agreed with all parties on what it should say. Also, you should know who is actually authorized to sign on behalf of the company.
“Are you familiar with Signicat, Rolf?”
"Absolutely, Signicat is one of the companies that has helped to increase the usability and security of contracts and signatures in such apps," says Riisnæs.
"They provide an app, called Dokobit, which takes care of all this?”
"A solution like Dokobit can help to simplify some formal check-points. But then you have to assume that parties who wish each other well in advance of these points have come to an agreement on a document, which they now want to get signed to ensure documentation for what has now been agreed," says Riisnæs.
He continues.
"Such a solution will then provide documentation that can be stored and be useful evidence if you later want to make sure who was involved and what was agreed," concludes Rolf Riisnæs.
5 ways to recognize secure digital contracts
1) You can conduct a solid background check
The people signing will naturally be someone with a history. If that person's “story” has a big or small "black dot" on it, you should know about it. If you have the opportunity to check the reputation of those who will be part of your agreement, that's a great advantage. The same thing applies to checking whether they are a politically exposed person or engaged in money laundering.
2) Only the person you invite to sign can open the document
You're dealing with a safer signing portal when you understand that only intended people - as in, those you've invited to sign - have access to your documents in the app. They must then authenticate themselves with an e-ID that matches the intended person. But it's not enough that only this is covered!
3) You know who has actually signed
To confirm that the right identity is behind the right signature, it's important to ensure that you know for sure who has signed. For example, is BankID being used as a login solution? Is face recognition with simultaneous passport presentation in video format happening? If yes, good.
4) You'll know if the text has been tampered with
If someone unauthorized has accessed your documents in one way or another, you should know about it. All signed documents should be secured against forgery so that you have the opportunity to detect if this has been done. In other words, you can use a secure signature to verify that the text has not been tampered with.
5) You get notified of audit changes
When you have access to review all actions performed by those authorized to sign, you know you're dealing with a good digital contract. When you can see all actions performed by users, those who will be signing, in a detailed list of events, you can relax more. It's important that you can see that someone has changed something, if so be. But also what, when or who! Not all digital signing portals allow you to do that! Dokobit does.