Electronic Signatures what are the rules and can you remotely witness?

In the UK, and EU law, a signature is a form of endorsement and is any indication given by an individual whether on their own behalf of on behalf of a principal that they agree with a particular course of action (such as agreeing a contract), a particular form of association (such as a petition) or a statement (such as a letter). Traditionally that endorsement is a handwritten graph which is unique and specific to an individual, i.e. what we all commonly think of as a signature. However, there is no requirement that any individual have either a specific or unique signature. It can take any form whatsoever, or at least there is no law that says that it cannot. Generally handwritten signatures take two forms, a graphic (usually an iteration of the handwritten version of the signatory’s name) and a block (usually a picture or drawing of some sort, whether created by hand or some other device). Some signatures are flourished and embellished, others simple. The lack of any requirement of uniformity is not of itself problematic if the counter signatory accepts whatever manifestation of their autograph as may appear.

What we need to consider is where the counter signatory is unable or unwilling to accept a particular signature and they require greater comfort that the signature is genuine. In that case we would normally turn to witnesses. Indeed some forms of legal agreement require witnesses to confirm that the signature in question is genuine. There are of course several administrative systems to prove signatures to a higher level, such as notarisation, attesting under oath being sworn before a commissioner for oaths, and apostilisation. A document may also be executed and notarised outside the country in which it is to be used. If this occurs, it is usually necessary for the notary’s signature and seal to be certified as genuine. This is called legalisation, and typically occurs at an embassy. To avoid the cumbersome formalities of legalisation by an embassy, various states, including the UK have ratified the Hague Convention Abolishing the Requirement of Legalisation for Foreign Public Documents. Instead of legalisation by the appropriate embassy, the notary’s certificate and seal are certified as genuine by the competent authority of the state within whose territory the document has been executed. The certification is by way of a certificate called an apostille. Yet in the current time where it may be difficult to attend in front of witnesses, notaries etc., what can you do?

Problems with proof of signatures are not new since they relate to authenticity, but in an age when documents can be sent by transmission systems relying upon electrons and electromagnetic disturbances and given the opportunities which present themselves to would-be fraudsters a signature authentication system was called for. This has been subject to recent review, but the outcomes and guidance are perhaps not ideal for the current pandemic. For example, in a comprehensive report on electronic signatures, published by the UK’s Law Commission at the beginning of September 2019 (Law Com № 386). That report begins positively in that it stated that save in one circumstance an electronic signature was as good as a physical one. The problem is the witnessing of signatures. In cases where witnessing a signature was a formal requirement it has been confirmed by the Law Commission that the witness must not only watch the signature in question being inscribed but must also be physically proximate to the signatory so that the signature takes place in a direct line of the sight of the witnesses. It is not something which, for instance, the witness can view over a visual feed of some sort. So if you need to execute with a witness, you cannot rely on video technology and consider it without risk. Until this approach is subject to a new common law precedent to the contrary, or legislative change, it will not be acceptable to witness remotely. The Law Commission recommended that this limitation be abolished and that Public Key Infrastructure (PKI) systems be seriously considered as a basis for signatures. However, this last recommendation is curious since it appears to be available anyway from EU law (which still applies in the UK), though in slightly more formal terms than a ‘mere’ PKI infrastructure.

In relation to creating a formal set of rules the European Parliament and Council promulgated a Directive: Directive 1999/93/EC of the European Parliament and of the Council of December 13th 1999 on a Community framework for electronic signatures (as published in issue 13 of series L of the Official Journal of the European Communities of the 19th of January 2000, pp 12-20). The starting point was to provide a legal basis for the creation of authentication systems (or trust services) so that a recipient could be informed that an approval had been given by one party in relation to a particular state of affairs, to another, without intervention. The means whereby this was done can be left to the imagination of the operator whereas the safety and security of any particular system is a matter for market forces and member state determination. The directive (which gave rise to regulations made under the Electronic Communications Act 2000) was replaced by Regulation (EU) № 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (as published in issue 257 of series L of the Official Journal of the European Union of the 28th of August 2014, pp 73-114), which was implemented by The Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (2016 № No.696). The framework adopted was the Electronic Identification Authentication and trust Services system, or eIDAS. The framework is to be found in Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) № 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (as published in issue 235 of series L of the Official Journal of the European Union of the 9th of September, pp 7-20). The upshot is that a system which guarantees that a signal of affirmation has originated from a specific, known source, i.e. that a communication from X actually comes from X and it is the communication which X sent.

Importantly, the eIDAS framework does not set out any specific means by which things are done – in other words is technology neutral – but simply sets security standards at a number of levels (simple, advanced, and advanced+ certified), those standards being determined by the degree of assurance that the service provider needs to provide. Since it is a standards scheme the assurance provider must be registered and accredited, in this case by the European Commission, though only upon the recommendation of a member state and only after certain requirements relating to compliance with the standards of infrastructure set out in the regulation have been complied with. In essence simple is just that, an unsupervised scheme with minimal security. Simply sending an affirmatory by email will do – little regulation is needed and as a result little security can be expected; it will do for most purposes however.

The advanced scheme is designed to provide confidence as to the authenticity of the signer and message security so that the document is (in some way) uniquely linked to the signer, is capable of identifying the signer and is created using signature creation information which the signer can use under their sole control. Finally any change is detectable. All the advanced+ system offers is the fact that the transaction in question is overseen by the properly registered trust entity or trust steward. With both forms of advanced scheme comes a sting, for both the notifying member state and the notified service provider:-

A member state is liable to a person who has been damaged by a members state’s negligent or intentional failure to provide sufficient infrastructure to enable the system to work and that an applicant is properly attributed and a service provider is liable to a person who has been damaged by a failure to comply with the strictures and standards of the regulation.

From the foregoing we are able to confirm that electronic signatures are permitted and useable, but that if you require your signature to be witnessed there is no perfect option. You can take the risk of reliance on another saying they witnessed you remotely, but as a strict matter of law that will not be acceptable before a court of law. Hopefully however, the parties can agree to acceptance of the signature perhaps via the rules flowing from the Directive, where however, it is the state that requires a witnessed signature, if they are unwilling to accept it done remotely or via authentication as an e-signature then only in person witnessing is acceptable.