The Legality of an Electronic Signature
by Kent Strickland and Thomas Roberts
An electronic signature is often viewed as a tool that can be used with current technology to eliminate paperwork and improve
workflow. Most people visualize a handwritten signature, electronically scanned into the computer, then copied and pasted onto a Word
document. This might appear to be a properly signed document, but technically and legally there is a little more to it than that.
Remember what a handwritten signature does. Handwriting habits, signature style, speed and the amount of pressure exerted on the pen at key points can be uniquely attributed
to a specific individual and forensically verified (authentication). The signature indicates that the signer verified and agrees with the content. Content alterations made after the document is signed must be obvious and approval of the changes indicated by initialing
the revisions. Signing in ink makes erasure or alteration difficult without damaging the paper on which it is written. Therefore, the signer is uniquely identified and the signature and document content become inseparable (non-repudiation). This process gives the signature legal footing.
It is important to realize that when substituting an electronic medium for a paper one where a signature is required, the
process must still ensure authentication and non-repudiation if it is to have the same legal status.
What happens when a handwritten signature is scanned into the computer? It flattens the signature and reduces image quality, losing the 3D effect created by the speed and pressure of the original
signature on paper. The age of the signature cannot be determined and there is no handwritten date for corroboration: all signatures are exactly the same. Anyone with a mouse and the ability to copy and paste can use the scanned signature for other purposes, and anyone with a word
processor and a copy of the file can alter a document with such a signature.
What do you think the chances are that someone would misuse or forge an electronic signature? Conduct your own risk assessment: simply read the news or do a little research through Google. Many individuals are now gainfully employed investigating electronic forgery, identity theft and fraud involving the exposure
of enormous amounts of sensitive information. Many email accounts have recently been flooded by messages telling account holders that eBay or a bank requires account holders
to log in and verify credentials due to some technical problem or security threat. Many times these messages contain graphics, logos or signatures that aid in convincing recipients of their authenticity. The threat to your own information and the information you use in the workplace is real and growing in sophistication. Each user needs to be aware of these threats, and being informed about the appropriate means of using electronic signatures will
aid in that process.
It seems there should be an appropriate solution for using electronic signatures, such as a means to notarize an email message. One available solution involves the use of a method called PGP (Pretty Good Privacy). As you may have noticed, the CIO-Alert email messages are digitally signed using PGP. Each message will state at the beginning that it is a PGP Signed Message and will contain a PGP Signature line at the end. The PGP key used to create the digital signature for each message has a corresponding public PGP key that can be used by recipients
to verify the signature. Using this signature differentiates actual alerts from virus-laden emails that might forge the CIO-Alert email address or
pretend to be a security alert asking addressees to visit a hostile Web site. A digital signature is a specific, robust type of electronic signature.
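The following added example (not part of the original article, and not the PGP setup ITS uses) shows the mechanism the paragraph above describes: a private key produces a signature over the message body, the matching public key lets any recipient verify it, and any change to the body after signing, or a signature made with a different key, fails verification. It uses Ed25519 from Go's standard library in place of PGP, and the message layout, the `sampleAlert` text and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample alert body standing in for a CIO-Alert message.
const sampleAlert = "CIO-Alert: apply the latest patches before Friday."

// Layout markers for the signed message (hypothetical, modelled on the
// "PGP Signed Message" header and "PGP Signature" trailer the article mentions).
const (
	msgHeader = "-----BEGIN SIGNED MESSAGE-----\n"
	sigHeader = "\n-----BEGIN SIGNATURE-----\n"
	sigFooter = "\n-----END SIGNATURE-----"
)

// newKeyPair creates the sender's key pair: the private key stays with the
// sender, the public key is what recipients use to verify.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signAlert signs the body with the private key and wraps body and signature
// into a single message text.
func signAlert(priv ed25519.PrivateKey, body string) string {
	sig := ed25519.Sign(priv, []byte(body))
	return msgHeader + body + sigHeader +
		base64.StdEncoding.EncodeToString(sig) + sigFooter
}

// verifyAlert splits a wrapped message back into body and signature and
// checks the signature with the sender's public key. It returns the body and
// whether the signature is valid for exactly that body.
func verifyAlert(pub ed25519.PublicKey, wrapped string) (string, bool) {
	if !strings.HasPrefix(wrapped, msgHeader) || !strings.HasSuffix(wrapped, sigFooter) {
		return "", false
	}
	inner := strings.TrimSuffix(strings.TrimPrefix(wrapped, msgHeader), sigFooter)
	i := strings.LastIndex(inner, sigHeader)
	if i < 0 {
		return "", false
	}
	body, sigB64 := inner[:i], inner[i+len(sigHeader):]
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return body, false
	}
	return body, ed25519.Verify(pub, []byte(body), sig)
}

// tamper edits the first occurrence of old in the wrapped message (the body
// comes first, so that is where the change lands) without touching the
// signature line, simulating an attacker altering a signed message.
func tamper(wrapped, old, replacement string) string {
	return strings.Replace(wrapped, old, replacement, 1)
}

func main() {
	pub, priv := newKeyPair()
	wrapped := signAlert(priv, sampleAlert)
	fmt.Println(wrapped)

	body, ok := verifyAlert(pub, wrapped)
	fmt.Printf("genuine message verifies: %v (%q)\n", ok, body)

	forged := tamper(wrapped, "Friday", "Monday")
	_, ok = verifyAlert(pub, forged)
	fmt.Printf("altered message verifies: %v\n", ok)

	otherPub, _ := newKeyPair()
	_, ok = verifyAlert(otherPub, wrapped)
	fmt.Printf("verifies under a different key: %v\n", ok)
}
```

The body and the signature are inseparable in the same sense the article gives for ink on paper: the recipient re-computes the check over the body as received, so a one-word edit is enough to make the signature fail, and a message signed with a key other than the sender's fails even if the text is untouched. Trust in the result still depends on the recipient holding the sender's real public key, which is why the article points to the published CIO-Alert key.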
For more information about electronic signatures, visit the ITS Security & Privacy Web site at www.bgsu.edu/infosec/compliance/ and click on the “Applicable Legislation” link to download the PDF file.
By Kent Strickland,
information security officer and
Thomas Roberts,
security analyst, ITS