What is the bar for a "legally binding digital signature"? Is this a very complicated topic - or is it quite simple?
I can sign a PDF with OSX Preview for free. I can pay a bunch of money to sign with Docusign. Both produce a PDF with a digital image of my signature. I assume both documents constitute a legally binding agreement, so long as I actually performed the digital signature. What justification do the e-signature SaaS companies have for their exorbitant prices? I understand the "audit trail" angle - that's just collecting my IP every time I interact with the document.
> What justification do the e-signature SaaS companies have for their exorbitant prices?
They will defend their digital signature in court.
I was shocked to find these "click here to sign" contracts manage to do it all without an ounce of cryptography, but the fact is lawyers don't need cold hard math, they need a warm body to be a subject matter expert to explain to a jury that unless you're claiming someone else has access to your inbox, you're the one that clicked the button.
Yeah, I find it funny to see technologists being surprised that in most cases judges won't mind that the signature wasn't done with quantum-resistant cryptography stored in a blockchain or whatever. Technical solutions to political problems...
I had to get a notary to sign my I-9 form for a new remote job. The process of identity verification involved a seemingly 19 year old dude looking at my ID and then signing a piece of paper.
A website sending you an email and tracking your IP and keeping a log... seems to be about the same level of trust to be honest.
Ageism aside, you are describing a system where an unrelated third party who has experience validating state/federal identity documents validated yours, visually compared the person presenting the documents to the picture on the ID, then signed a log in his possession that he’d testify to in court if needed.
That feels like a pretty damn good system to me, and far beyond the system you handwave at. Where’s the complaint?
Notaries are personally responsible for any misconduct with up to a felony criminal case for violations. Including not sufficiently verifying the identity of the person in front of them. Sure, most states will just slap them with a $500 penalty, but they'll also revoke the notary status pretty quickly.
I would like to re-emphasize personally. It's not a business risk, it's a personal liability.
Not really applicable; in that situation there were local court rules requiring physical documents and "wet" signatures (i.e., signed in person with a pen). The UST specifically noted that absent those rules DocuSign would have been acceptable.
Of course it is applicable. The Docusign users failed to use it in a way that would be legally valid.
If you have a more recent case that seems relevant or invalidates that result, post it. Otherwise I'm not sure what being 7 years old has to do with anything.
You're attempting to make a mountain of a single instance, years ago, of an electronic signature being rejected by a non-judicial officer in a quasi-judicial proceeding and trying to make it out like a general policy when it is so rare an exception that no court before or since has ruled against the consensual use of electronic signatures by the parties.
If you have any evidence that electronic signatures can't be used in court proceedings, and not just in the limited circumstance of one US Trustee's meeting room, the onus is on you.
I never claimed I did, and I have no interest in talking to someone intent on making up crap that I never said, so I'm going to ignore you now. Life is too short to put up with bad-faith bullshitters.
See the recent Canadian case of the thumbs up emoji signature [0]. The bar for a legally binding contract is much lower than what most people believe. The main thing you need is to be able to prove that the other party actually did express their assent to the contract. In the thumbs up case, who sent the text was not disputed, so the issue hinged on whether a reasonable person would interpret thumbs up emoji as expressing assent.
Mostly yes.
In the EU at least, the rule is "An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures."
However, the burden of proof is higher if you dispute a "qualified electronic signature". To be qualified, there's no specific technical requirements, e.g. use of cryptographic signatures, but you'd need to be certified and registered as a “Remote QSCD” according to ETSI EN 419 241‐2 PP.
Self-hosting this solution (or using PGP) won't magically make you a certified QSCD trust provider. You need to convince some certifying body that everything is nice and safe, which will mostly involve a lot of paperwork and (evidence of) processes being in place.
> Self-hosting this solution (or using PGP) won't magically make you a certified QSCD trust provider. You need to convince some certifying body that everything is nice and safe, which will mostly involve a lot of paperwork and (evidence of) processes being in place.
This! Just like a self-signed SSL certificate for a website: yes, the traffic will be encrypted but you cannot be sure that the website is who it says it is.
Docusign makes it easy to collect lots of signatures from lots of people. That’s the use-case from my POV. 1 signature on 1 doc, use any PDF tool—no problem. When a board needs to approve 4 docs and you need 5 signatures on each, it needs to be easy.
Whether that’s worth Docusign’s pricing or if there’s better alternatives, up to you. But it’s objectively a helpful tool.
> Docusign makes it easy to collect lots of signatures from lots of people. That’s the use-case from my POV. 1 signature on 1 doc, use any PDF tool—no problem.
Collecting lots of signatures isn’t Docusign’s value prop.
The value is signature certification, and a proven track record in court.
A single signature on a PDF is not technically difficult. The machinery to reasonably guarantee (edit: verify is a better word here) that it was you who signed the PDF is the thing that matters.
The value increases from there as the complexity of the document being signed increases.
DocuSign doesn't really do anything to reasonably guarantee that it was any particular person who signed the PDF. Not that it really matters. If there was something worth suing over then usually there will be plenty of other evidence as to who signed the agreement.
Really the only thing that DocuSign does is timestamp the actions on the document. In order to get that, a self-hosted implementation would need some kind of third-party system to act as a witness.
They’re capturing more than just timestamps. If possible, they’ll associate a signature with a DocuSign profile, which itself has a history of interactions with DocuSign servers. They also capture associated emails, IP/browser info, drop cookies, location data if enabled, etc.
None of this guarantees Person A signed the doc, but the point is to systematically collect as much info as possible to be used if someone does sue, and to check the boxes that customers need checked in a consistent manner that they can sell as an effective solution that stands up in court.
I’m not saying they’re doing anything unique here, but customers - especially enterprise customers - buy it for all of these things, not just because it makes coordinating many signatures easier.
The typical “no one gets fired for buying DocuSign” adage applies here.
Depends on country how much verification DocuSign is able to do, and also the higher levels of verification are opt-in. In some countries it can be backed with fairly strong auth schemes, in other places stuff like video calls are used.
This link has a list of different IDs they support in different countries:
I know that I can sign things on a brand new device without making an account. They can log what any web site can log. None of it really proves anything, except as other commenters pointed out - if I sign tons of stuff with the same browser/session, with an account I made, or if I used some premium ID verification they offer. (which I've never done)
My point is that it doesn't really matter that much. If I DocuSigned some contract, delivered work described in the contract, maybe got paid for some of that, and then later some dispute comes up.. at that point we're arguing about terms or other facts.. Neither party is going to be in any position to argue "oh I never DocuSigned that agreement" because all of the other work and communication and transactions are enough to prove that's not true.
As always, it depends on the jurisdiction. The EU has the eIDAS [1] which allows simple signatures such as these for most form-free-contracts (the majority). There are however some, which need a digital cert and have to be encrypted.
And Switzerland ZertES: https://en.wikipedia.org/wiki/ZertES - There are not normally various levels of trust with afaik only QES (Qualified Electronic Signature), the highest level to legally be on the same level as a hand signature.
I had the same feeling when I built a free tool to unlock password-protected PDFs. It can be easily done with OSX Preview. Then I saw that people who don’t have technical knowledge and tools can easily unlock a PDF from the browser itself.
I think there's more to that. A proper digital signature requires you to obtain some certificate/key from an authority which you can then use to sign documents (this doesn't even require an image of your physical signature in the document). This proves that it was actually you who signed the document. The document also can't be altered afterwards without rendering the signature invalid etc.
Just adding the image of your signature to a PDF is probably fine for unimportant things, but it certainly isn't enough to be legally binding (at least in the EU).
The legal rules around formality are somewhat complicated. To give you an idea, here are the broad laws in England and Wales.
Not a lot of formality is required for most contract signing, and so long as the other side of a contract is sure that you signed it, a PDF signed in a standard PDF editor like Preview is almost certainly fine.
For property transactions, there's still an issue in use of e-signatures. There's a statutory scheme for "e-conveyancing" set out in Part 8 of the Land Registration Act 2002 which gives the Land Registry the ability to set up provision for using e-signatures for formalities that previously required wet ink signatures. They never got round to actually implementing this up until COVID restrictions made it somewhat impractical to get wet ink signatures so made a temporary change to allow it. When the COVID restrictions were lifted, they've gone back to the old practice but have promised that they're totally going to sort out a permanent solution. Whether they will is another matter.
I've personally used an iPad with an Apple Pencil to sign and have attested a (non-company) deed that had to comply with the LP(MP)A requirements and nobody seemed to have any trouble with it.
I suspect the target audience of a lot of e-signature SaaS products are companies where there are teams managing a lot of documents being signed across multiple jurisdictions, and juggling between sales, in-house legal and so on. Most of the problems those products are solving are likely business process issues rather than strictly legal requirements.
I can sign a PDF with OSX Preview for free. I can pay a bunch of money to sign with Docusign. Both produce a PDF with a digital image of my signature. I assume both documents constitute a legally binding agreement, so long as I actually performed the digital signature. What justification do the e-signature SaaS companies have for their exorbitant prices? I understand the "audit trail" angle - that's just collecting my IP every time I interact with the document.
Is this a big SaaS scam?