# Signatures - a question of trust
Rolf Riisnæs is a partner in the law firm Wikborg Rein in Oslo. More than that, he is also a Doctor at Law - and knows more about the legal aspects of electronic signatures than almost anyone. In addition to assisting clients with privacy issues and acquisition of complex IT-systems, information security and e-management, he got his doctorate in law with a thesis on digital certificates and certificate services back in 2006. He is the man the government contacts when they bump into challenges managing governmental departments online. Among other things he contributed to the government's policy on e-management, acquisition of eIDs for logging in to public services and the new policy on the Norwegian national eID. You can tell when asking him about electronic signatures - the subject is not as straightforward as it seems. Not online, and not at the bottom of the page.
Is that true?
– Yes, and that is interesting. We have rules on how to interpret something written, but no such requirement exists for signatures. For a long period it’s been obvious: a signature is your name written in ink or pencil. But we don’t have to go back too far to find the use of seals, proving to those who couldn’t read, that something was signed.
And if we go even further back, they used house marks?
– Yes, but even after the beginnings of written language other methods have been used. Even signets and seals have more in common with electronic signatures than handwriting.
# The origin of electronic signatures
The dawn of electronic signatures started forty years ago. Even though the technology itself is old, it’s only recently that digital signatures have gained momentum, as the technology is now used by companies and individuals, and in public management and communication. Before we get to that, we need to go back and see where it all started.
It is summer in Dartmouth, USA and the year is 1956. A young mathematician at Stanford University named John McCarthy dabbles with the term “artificial intelligence”. As a matter of fact he is the man coining the phrase - and arranges a conference in the college town. The subject? Artificial intelligence. During six to eight warm summer weeks tens of mathematicians and scientists brainstorm on what it means. One of the participants is John Nash - who in 1994 won the Nobel prize in Economics, becoming even more famous because of the movie “A beautiful mind” from 1998.
In the years following the conference McCarthy developed an understanding of the future of computers reminiscent of modern day cloud computing. Early on he envisioned an everyday life where regular people would be able to connect to large computers whenever they needed. As if they could use computers and software the same way they bought electricity and water - whenever they needed. At the very beginning of the 70’s the very same McCarthy attends a conference in France. He held a lecture talking about something he calls a “Home Information Terminal”. He imagined an apparatus that would connect to a bigger, shared computer through the telephone grid. Here you would be able to find any kind of information like books, magazines, newspapers, scheduled flights, public information - and private files. Sound familiar? It’s no wonder. This is after all what the internet proved to become. The rest is, as they say, history.
With the need and opportunity for access to any kind of personal information stored on a computer, arose the question of how to apply signatures to an electronic medium the same way as one did with important documents. The question was - how on earth would you achieve such a thing in a user friendly and safe manner?
Two scientists who took on the challenge were the Americans Whitfield Diffie and Martin Hellman. In 1976 they described a solution they called “one-way-authentication”. The term “digital signature” was however suggested by Adi Shamir, Ron Rivest and Leonard Adleman in an article published in 1977. Their solution was based on asymmetric encryption. In other words with both a private and a public key. One of the keys would be known to both parties, while the other was only known to the one who would sign or receive the message.
– Rivest, Shamir and Adleman wrote in their paper that the time for electronic mail would soon be upon us and that we had to safeguard two important qualities of paper mail: Its privacy and the possibility of signatures. Based on a traditional view of letters, signed and delivered in a closed envelope.
But what is the misunderstanding?
– The assumption that because we are used to letters and written documents being signed, electronic mail would also need a signature. The need for signing emails has proven to be greatly exaggerated. We do not seem to care whether or not emails are signed. Bruce Schneier - a renowned current cryptologist - once wrote that “electronic signature” probably is the largest terminological mistake in the history of cryptology.
What does he mean by that?
– Handwritten signatures have a strong connection to the person signing, but not so much to the actual document. Electronic signatures on the other hand are closely linked to the document, but not to the person. The traditional signature is part of a process. A pen or a pencil and the use of paper. But a signature without any of these accessories is meaningless - unless you are chasing an autograph. And if you’re not a celebrity your autograph never has any inherent value. It is dependent on the circumstances around it. And you cannot easily electrify a signature.
# Seals, house marks and autographs
In other words a signature isn’t as simple as your autograph and doesn’t signify anything. But then what does it take to make an electronic signature signify something?
– Like I said, it’s a common misunderstanding that a signature has certain effects, says Rolf Riisnæs. – To understand why this is the case, we have to look closely at the traditional signature. It had its advantages. It was easy to learn and easy to use. A signature on a piece of paper doesn’t pretend to be anything else. It exists in a given time. You cannot alter it without revealing that you have tried to do so. It can also make a document unique. Let’s say you copy a document in your possession, also duplicating the signature. You still have the original. That document is attributed some legal effects. A document signed electronically cannot easily be distinguished from another.
Ah, I get it.
– Yes. A signature is a way to fixate a specific message at a given time. In certain contexts a signature also means something symbolic.
– Signing a document has been, if not solemn, something serious. Just think of deeds, marriages and wills.
– Especially. And old shares. A lot of this seriousness has to do with paper. Again context is key. Signatures don’t work very well in a vacuum, and only have meaning when existing alongside something else. A signature can have many functions. Sometimes it can identify the person signing. But that presupposes it even being legible. That is probably why you sometimes have to write your name in block letters, along with your signature on important documents.
– The signature can also link the signer to the content of the document. However it’s important to remember that traditional signatures are written on just one of the pages, either the first or the last of a document that may well have several pages. So the link between the signer and the rest of the document may not be that strong. A signature may also denote the difference between a draft and the final document. Signing something makes it final. Imagine going back and forth in a negotiation, right? It’s only when the parties actually sign the document that they say: “Ok, now we agree.” The signature is the symbol of something going from temporary to final.
– There are examples where there is a direct connection between the signature and the agreement only becoming legally binding when both parties have signed. As an example this applies to public procurement. But it is something else entirely if we’re talking about you buying my book. “Can you buy a copy of my book?” I’d say. You answer “yes, please”. “Ok I’ll send a contract for you to sign,” I might reply. However the deal has already been made. All the stuff happening afterwards - the actual signing - is just a way of making it formal.
Wow. I don’t think everyone is aware of that.
– No, they aren’t, says Riisnæs.
He says that this faith we have in the meaning of signatures stems from the use of paper.
– We’ve had an exaggerated faith in the mechanisms of signatures. Consider an example from my own upbringing and adolescence. At the time governmental departments used official letterheads, you know. If I got a letter from The Royal Norwegian Department of Defence on a paper like that, I would suppose it was real. I didn’t know who the person signing that letter was, and I couldn’t just read the signature to understand it either. Nonetheless I was confident that the letter was from the department of defence.
Today this is quite different?
– Yes. Most of us get a lot of rubbish in our mail box. It used to be, when I went to my old letter box and saw a letter like that - I would treat that letter differently than everything else in the box. It’s been difficult to transfer this effect to electronic solutions. The sum of non-verbal but quite real effects of a signature are not transferable to an electronic everyday life.
# Electrifying paper: Are traditions related to old fashioned signing transferable to digital life?
Achieving a credible solution for electronic signature wasn’t as easy as one might think. This is partly the reason why so much time has passed since the American scientists dabbled in digitalization during the 60’s and 70’s. Gradually and with a varying degree of technological maturity, transferring a handwritten signature to a digital one has become possible. Among other things it has been necessary to reconsider what consequences the tacit and tactile properties of paper have had on signatures. One of the greatest obstacles has been lack of tradition and experience.
– In Norway high school diplomas are stored in a central database in addition to the ones issued on paper to students. The Government's Admissions Office at one point asked what sort of signatures they should approve on electronic applications. Should they ask the applicants to attach a copy of their diploma to their application? No, that wasn’t necessary. They already had the database - to which they had direct access! It serves as an example of a situation where there was no need for a signature at all. The authentication function which a signature on the diploma would ensure, was already taken care of when the information was available from the central database.
Another challenge - easily imagined - is the difficulty in knowing who actually sent you an email.
– It is fundamentally difficult to say who sent you an email, says Rolf Riisnæs. – Do you really know who you are talking to? This has proven to be a pressing problem in our day and age. Now it is much easier to reach more people, fast, under the guise of being someone else.
Who hasn’t received scam email from Nigeria?
– Yes, that’s true. New opportunities have opened up. Another thing we see is a considerable change in the division of tasks between parties. I am old enough to remember bank giros. We still get them, but we no longer return them. That’s what you used to do. The only thing I had to do when receiving one, was to sign it and say which account to draw money from. If a mistake was made, it was the bank’s problem. Now we punch in the numbers ourselves - OCR-numbers, account numbers and the amount - online, after logging in with our private code. If we make a mistake, it’s our own responsibility. Any digital service has this inherent quality. It changes the risk. It’s a development that’s been going on since 1977, when such communication was available only in academia. Now it is most people's daily life.
In many ways it’s a question of trust. Can you trust the emails you receive, can we trust the forms we fill in, loan applications etc.?
– Yes, it has been about establishing trust in something new and strange. It still is, says Riisnæs.
When can digital signatures be used?
– When transitioning from signatures on paper to digital signatures, we need to shed light on some issues. Especially with regards to the legal effects of signing something.
– For starters, says Rolf Riisnæs, – you have to examine if there are any form or procedural demands required to do what you want. Can you write a will and sign it with a digital ID (BankID), for example? No, at the moment you can’t. When it comes to deals with the bank, Section 8 of the Norwegian law on finance agreements (Finansavtaleloven), states that there is nothing wrong with such deals being made, but there are requirements for satisfactory authentication that have to be met. The purpose of signing something is to authenticate who and what. One way to do it, is through electronic signatures. You should also ask yourself if there are other reasons why electronic signatures are suitable. Maybe you need to safeguard evidence of something happening, beyond what is just a legal issue?
What could that be?
– If I have entered into an oral agreement, but want to make sure some crucial terms are included, we put words to paper and sign it. It’s about proving the likelihood of something having taken place. In other contexts the most important thing is to be sure of the situation at the time. If I want to send a message to my doctor, I may not be concerned about documenting the message being sent. But it does concern me whether or not it was received by my doctor and nobody else. Again, it’s a question of trust. What does it take for us to do this electronically? Riisnæs asks.
Rolf Riisnæs returns to the fundamental question of what a signature apparently means.
– Have you ever asked yourself why you sign a Christmas postcard sent to your family? Well, you’re not doing it to satisfy a legal requirement! says Riisnæs and laughs.
– And hardly to safeguard evidence. Maybe you’re doing it to confirm it is you sending the Christmas card?
It’s strange, but when you say it like that, there are many such cases. If you receive flowers, the message is most likely printed, but at the bottom of the card there are hand written names?
– The employees in the flower shop are usually the ones signing, it’s true.
# Electronic signatures: a question of technology - and trust.
“Electronic signature” is really a technologically neutral term. Safe, electronic signatures have a subclass called digital signatures. These are based on public key encryption. There are reports from several quarters on the importance of good systems for electronic signatures, as well as on their effects. The American military is rumoured to save more than one billion dollars annually on electronic signatures instead of traditional signatures on paper.
– This technology may contribute to several things. For starters digital signatures can be used as identification. Or unit authentication, which is a horrible word. When you use a digital ID (BankID) from your bank, the technology is used to make sure the bank is the only one who knows you’re logging in.
And for others?
– It can tie you to the contents of something. When you buy software, it’s usually signed. It’s to make sure the people you are buying and downloading from actually are who they say they are. In a similar way signing something can be used in documents. When you forward an email or a document, and sign it, the recipient understands that you vouch for the content.
But electronic signatures can also mean something more “important”?
– Yes, they can be used to express intent. If so the signature relies on both context and content requirements. These requirements state that signing of the document happened in circumstances making you aware of the content, and that you understand the consequences the content is meant to have. Used in this way electronic signatures are about non-withdrawal. Meaning: if your key was used, you cannot deny it was you who used it.
I can see where this brings up trust again?
– You’re right. We’re back to what Bruce Schneier said about the electronic signatures being the biggest terminological mistake in the history of cryptography. What he meant was that a handwritten signature has a strong connection to the sender, but a weak connection to the content. When a document is signed, it’s usually just signed on the last page. The opposite is true for electronic signatures. It’s closely connected to the document, but not so to the signer. Because in most cases access to the signature is secured through something you have and something you know; and rarely linked to anything biometrical.
Wow, good point.
– Yes. It’s basically a logic that says: “Someone you trust confirms this key is connected to this person.” Furthermore security of the key is equal to how well it is guarded by the person who owns it. Both without the recipient being able to see the difference. Traditionally we’ve put a huge trust in signatures on paper, but electronic signatures can be created to hold an extremely powerful link between key and content.
Couldn’t you solve it by iris scanning or a biometric fingerprint?
– Yes, there are ways to technically ensure that no one else can use the key. But it requires equipment most people don’t have. It’s been many years since PCs came with fingerprint readers, right? But they’re still not widely used for anything except logging in. If you receive two electronic documents: How do you know which one is made with a code and which is made by scanning an iris? There are answers to these questions, but it’s not easy for the individual to find them.
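The link between key, content and person described in this section, as an added example that is not part of the interview: a textbook RSA signature and a minimal certificate in Python, using constructed toy keys (Mersenne primes, no padding, illustration only). The function names and the subject "Example Signer" are assumptions made for the example.

```python
import hashlib

E = 65537  # common public exponent

def make_key(p, q):
    """Textbook RSA key pair from two primes. Toy sizes, no padding: illustration only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)              # (public key, private key)

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

def _cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(issuer_private, subject, subject_public):
    """The issuer vouches that subject_public belongs to subject."""
    return {"subject": subject, "public": subject_public,
            "issuer_sig": sign(issuer_private, _cert_body(subject, subject_public))}

def check_document(trusted_issuer_public, cert, document, signature):
    """What a recipient can establish from certificate, document and signature."""
    body = _cert_body(cert["subject"], cert["public"])
    if not verify(trusted_issuer_public, body, cert["issuer_sig"]):
        return "rejected: certificate not vouched for by a trusted issuer"
    if not verify(cert["public"], document, signature):
        return "rejected: document differs from what was signed"
    return "accepted: signed with the key certified for " + cert["subject"]

# Constructed toy keys built from Mersenne primes (trivially factorable, never use for real).
ISSUER_PUB, ISSUER_PRIV = make_key(2**89 - 1, 2**127 - 1)
SIGNER_PUB, SIGNER_PRIV = make_key(2**61 - 1, 2**107 - 1)
ROGUE_PUB, ROGUE_PRIV = make_key(2**89 - 1, 2**107 - 1)

def demo():
    cert = issue_certificate(ISSUER_PRIV, "Example Signer", SIGNER_PUB)
    contract = b"Page 1: price 100\nPage 2: terms\nPage 3: signatures"
    sig = sign(SIGNER_PRIV, contract)
    # One changed character on page 1 breaks the signature, unlike ink on the last page.
    tampered = contract.replace(b"price 100", b"price 900")
    # Whoever holds the private key produces an equally valid signature;
    # the recipient cannot tell who operated the key.
    other_doc = b"Constructed order placed by whoever holds the key"
    sig_by_holder = sign(SIGNER_PRIV, other_doc)
    # Same subject name, but certified by an issuer the recipient does not trust.
    rogue_cert = issue_certificate(ROGUE_PRIV, "Example Signer", ROGUE_PUB)
    rogue_sig = sign(ROGUE_PRIV, contract)
    return {
        "original": check_document(ISSUER_PUB, cert, contract, sig),
        "tampered": check_document(ISSUER_PUB, cert, tampered, sig),
        "key_holder": check_document(ISSUER_PUB, cert, other_doc, sig_by_holder),
        "rogue_cert": check_document(ISSUER_PUB, rogue_cert, contract, rogue_sig),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:11} {result}")
```

The "key_holder" case is accepted exactly like the original: verification proves which key was used and that the content is unchanged, while the link to a person rests on the issuer's certificate and on how well the key is guarded.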
# Public Key Infrastructure, eIDAS and certificates: How to make sure we know what we sign - and who is signing?
Riisnæs followed the work that went into the e-signature directive of 1999. It was the predecessor of the Norwegian e-signature law. Today we can find common rules on electronic signatures and other electronic trust services in the EC-regulations that were approved in 2016 called eIDAS (Electronic Identification, Authentication and trust Services), while in the United States the ESIGN law, passed in 2000, literally is the law of the land.
– When the e-signature directive was passed in 1999 it had a huge impact. From a situation where we had technology that could be used, but no common requirement to ensure quality, safety and users, we instead had a framework which defined so-called qualified certificates. Those who issued certificates were registered at what is now called National Communication Authority (Nasjonal Kommunikasjonsmyndighet NKOM). This meant that suddenly there was a list of players in the Norwegian market everyone had in common, representing quality and security. It provided a framework making it possible to recognize reliable solutions.
A PKI (Public Key Infrastructure) is based on asymmetric encryption which - you guessed it - builds on the ideas of the Americans we mentioned earlier. In Norway examples of PKIs for consumers are BankID and Buypass, which are best known for the services delivered to The National Lottery (Norsk Tipping). There are also PKIs used in the health service (electronic sick leave notices and electronic prescriptions) and PKIs directed towards business with strict requirements for secure communication.
And the purpose of eIDAS and the like is to make sure regulations transcend borders?
– Yes, it’s about making systems transnational. However there are complexities that aren’t going away any time soon.
– Access to reliable certificates (to confirm the signer of a signature) is just a first step. Certificates have to be linked to the bearer. It requires the certificate to hold information that the recipient can recognize. The authorities in Norway use my social security number to tie my signature to me, through a key and a certificate which make me the same Rolf Riisnæs they receive documents from. The social security number doesn’t exist in the certificate itself, but is made available from those that issue the certificate in other ways, when verifying the signature. The Norwegian social security number cannot be used by a foreign government if they haven’t stored any information on me in advance, just like that. Not all countries have national unique identifiers.
It’s not easy, is it?
– Certainly not. In many ways it’s significant how the technology is basically the same as it was in 1978, 1988 and 1998. There weren’t many electronic signatures back then. It was difficult to make it work seamlessly and credibly for stakeholders in the market. What they envisioned 40 years ago, was people signing things on their private computer and the document being sent to a common site. Today signing usually happens centrally or using a third party. Now we have proven technologies, certified and approved. And there are service providers offering more or less good solutions. The challenge is moving the information needing to be signed into a framework for signing that can be comprehended and feels safe to users. It’s demanding for those offering the electronic dialogue and signing processes.
The communication is important, in other words?
– Yes, users must understand what they’re signing. And it has to be possible to document afterwards whatever was signed actually was what the user meant to approve, before signing. Especially if it’s more complicated than what’s possible to see with a screen shot. Electronic signatures have many good features, but you should still ask yourself: Does the information match what I just wrote and read on the screen?
It usually does?
– Yes, but it is important to remember how the result of an interaction in a good dialog-based system still may be demanding to present to a user when signing. It has to be set up in such a way that we achieve reliability and comprehension of what we’re actually signing.