WWDC: Yosemite Mail features Signatures vs DocuSign Electronic Signatures


Today’s WWDC plethora of announcements included a nifty mention of some new features in OS X Yosemite’s Mail application, including the ability to embed a graphical representation of your signature in a PDF document. Although embedding this feature in the Mail application is new, the feature has been part of OS X since OS X Lion, available in the Preview application, and is similar to the features available with the DocuSign for Outlook app. It seems Apple has been interested in signatures for a while now, including filing a patent application that discusses new methods of adding signatures to documents. A blogger has gone as far as to say that the new feature will put DocuSign in the “Loser” column as it pertains to Apple encroaching on their product turf.

I wouldn’t sound the death knell for DocuSign quite yet, as there are common misconceptions (my past self included) about what it takes to be a legal electronic signature in the US, and the Mail feature does not meet that bar. I am no lawyer, so here is some further reading from one on the legality of the embedded signature in Canada, based on the similar technology that was already available in the Preview application.

My take on the situation is below:

First, let’s look at a couple of compliance areas as they relate to ESIGN:

(f) Document integrity and signature authentication. Each System institution must verify the legitimacy of an E-commerce communication, transaction, or access request. Document integrity ensures that the same document is provided to all parties. Signature authentication proves the identities of all parties. The parties to the transaction may determine how to ensure document integrity and signature authentication.

(g) Records retention. Each System institution may maintain all records electronically even if originally they were paper records. The stored electronic record must accurately reflect the information in the original record. The electronic record must be accessible and capable of being reproduced by all persons entitled by law or regulations to review the original record.

As it pertains to document integrity, there is no verifiable means of ensuring that the document exchanged via Mail is identical from one party to another. With DocuSign, there is a single verifiable copy of the document, stored on DocuSign servers. The document is sent to and signed by each party, which creates an auditable trail of all the interactions related to the document.

Furthermore, the Mail technology that embeds the graphic image in the PDF does not uniquely identify the parties that signed the document in any way. For example, I could hypothetically take the signature layer that was provided on the original PDF and embed it in another document, with no way to determine whether it was the original signer or myself who embedded the graphic.

Last, by using DocuSign, the final document is stored safely in the cloud, and always available. This is far superior to an email inbox that may be tampered with or simply lose the data via accident or force of nature.

Second, how about Digital Signatures? Well, it’s fairly complicated so I won’t bore you with the details but it is something that DocuSign supports, especially as it pertains to legal compliance in other countries that require a Digital Signature like Brazil.

A Digital Signature means an electronic signature that transforms a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can determine whether the transformation was created using the signer’s private key, and whether the initial message has been altered since the transformation.
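To make the contrast between the two preceding points concrete (a pasted signature graphic that proves nothing, versus a digital signature that binds both signer and document), here is an added example in Go that is not part of the original post and is not DocuSign’s, Apple’s or any vendor’s code. It uses Ed25519 from the Go standard library as the asymmetric cryptosystem; the contract text, the “signature image” bytes and the function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDoc pairs document bytes with a detached Ed25519 signature over them.
type SignedDoc struct {
	Doc       []byte
	Signature []byte
}

// GenerateSigner creates a fresh Ed25519 key pair: the private key stays with
// the signer; the public key is all a verifier needs.
func GenerateSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the "transformation using the signer's private key" from the
// definition above: the output depends on every byte of the document.
func Sign(priv ed25519.PrivateKey, doc []byte) SignedDoc {
	return SignedDoc{Doc: doc, Signature: ed25519.Sign(priv, doc)}
}

// Verify answers both questions in the definition at once: it returns true
// only if the signature was made with the private key matching pub AND the
// document has not changed since it was signed.
func Verify(pub ed25519.PublicKey, sd SignedDoc) bool {
	return ed25519.Verify(pub, sd.Doc, sd.Signature)
}

// PasteSignatureImage models the Mail/Preview approach: the "signature" is a
// block of image bytes placed onto the document. Nothing ties it to a signer
// or to this particular document.
func PasteSignatureImage(doc, image []byte) []byte {
	out := append([]byte(nil), doc...)
	return append(out, image...)
}

// HasSignatureImage is the strongest check an image overlay supports: are the
// pixels present? It succeeds for any document the image was copied into.
func HasSignatureImage(doc, image []byte) bool {
	return bytes.Contains(doc, image)
}

func main() {
	// Constructed sample data standing in for a PDF and a signature graphic.
	contract := []byte("Agreement: Alice pays Bob $100 on 2014-07-01")
	altered := []byte("Agreement: Alice pays Bob $900 on 2014-07-01")
	image := []byte("<constructed png bytes of Alice's handwritten signature>")

	// Image overlay: the check passes on both documents, so it proves nothing.
	fmt.Println("image present on original:", HasSignatureImage(PasteSignatureImage(contract, image), image))
	fmt.Println("image present on altered: ", HasSignatureImage(PasteSignatureImage(altered, image), image))

	// Digital signature: only the unmodified document under Alice's key verifies.
	pub, priv, err := GenerateSigner()
	if err != nil {
		panic(err)
	}
	signed := Sign(priv, contract)
	fmt.Println("signature verifies on original:", Verify(pub, signed))
	fmt.Println("signature verifies on altered: ", Verify(pub, SignedDoc{Doc: altered, Signature: signed.Signature}))
}
```

Run it with `go run .` and the overlay check prints true for both documents, while the digital signature verifies only on the original. Transplanting the signature bytes onto another document, or checking them against a different party’s public key, fails in the same way, which is exactly what the image overlay cannot offer.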

Last, let’s talk about DocuSign’s Digital Transaction Management (DTM)

DocuSign is expanding its technology footprint and creating the DTM platform so that customers can digitize every aspect of a paper process; think of what Visa and Mastercard have done with cash. The DTM framework includes: preparing the document using templates, using workflow mechanisms to ensure proper data entry, leveraging approval rules to route documents across interested parties, signing securely, and meeting compliance and reporting requirements.

Conclusion: I am not saying that Apple isn’t forging ahead with more sophisticated signing features; mobile ID and signing seem promising and a natural fit for an iPhone. But as it currently exists, its legality seems risky at best, and it isn’t anything that closely resembles the full feature set provided by DocuSign.

4 thoughts on “WWDC: Yosemite Mail features Signatures vs DocuSign Electronic Signatures”

  1. David Wall

    U.S. courts have upheld simple email communications as legal e-signatures. There’s no need for a fancy embedded image of a handwritten signature which can easily be copied and inserted at will — what we call “eye candy” in that it looks nice, but has no specific legal bearing. Typically, for a simple email to pass legal review, it needs to state the contractual terms, and typing your name or otherwise making affirmative consent to those terms is enough to hold the emailing parties to those terms. Most businesses of course have additional process (and perhaps other emails or related records) that goes with the email authorization to show negotiation, payment, delivery, etc. We wouldn’t recommend it for most matters, but regular emails can be legally binding. Countries that require digital signatures — like how U.S. state laws were before the E-Sign Act changed matters back in 2000 — generally require more than a digital signature. Yozons has digitally signed transactions since its first patented web-based service/product in 2001, and still does with its current product line because it allows for creating a reliable record of what was agreed to in the online document. But when laws require digital signatures, they also typically require that the parties signing have pre-defined digital certificates issued by trusted authorities (CA) that bind the signing party’s public key and verified identity, and the signing party is required to maintain sole control and use of the related private key (this is a typical PKI and can be used in email as well via S/MIME). Such PKI-requirements just isn’t workable in most web-based e-signatures services where the server is performing the party verification and applying the electronic signatures to documents it presents to the various parties. But the U.S. E-Sign Act got rid of that antiquated PKI requirement, and hence the market for e-signatures has exploded in the U.S. to great success.

  2. John Harris

    ‘Antiquated,’ David? While you are right that US law does not speak to digital signatures, you are ignoring the countless regulations here in the US that do speak to digital signatures (or technologies that describe their inherent features), such as 21 CFR Part 11 (FDA). Or you’re ignoring the countless laws around the world that provide, for lack of a better term, ‘extra credit,’ to those signatures that do employ digital signatures and the many benefits of them. Whether it’s Canada (“secure electronic signature”), or China (“reliable electronic signature”), or Europe (“advanced and qualified electronic signatures”), almost every other country understands that there is a real difference between the type of signature employed in the Mail app and the default DocuSign signature and actual ‘digital,’ cryptographic signatures that provide tamper-evidence, integrity and authentication with every signature. You posit that “such PKI-requirements just [aren’t] workable in most web-based e-signatures services where the server is performing the party verification and applying the electronic signatures to documents it presents to the various parties.” In fact, digital signatures employed in a web-based / cloud environment are completely workable. SIGNiX has been doing this for over 12 years because SIGNiX knew that the technology you call antiquated provided critical differentiating features versus the simpler click-to-sign and cut-and-paste signatures that seem so popular now. We understood that the nature of electronic evidence is very different from that of paper, and that in order to make a signature ‘stick’ in the long term, you’re going to need to deploy technology that allows the signature to be verified and extant regardless of the eventual health of the company. Our signatures don’t ‘link’ back to our web page, making them subject to link rot. All of the info you need to prove that signature took place resides as metadata in the PDF itself, offline, and is complemented by a highly detailed audit trail that aims much higher than our competitors in terms of evidence. Why is that? Because the bar for evidence can only go UP. And we know we’re providing our customers a much better service by aiming above the bar, rather than at it. ‘Antiquated?’ Standards, integrity and assurance should be as timeless as the signatures we apply.

  3. David Wall

    John, as I stated clearly, Yozons has applied digital signatures in its web-based platform since 2001. The issue is with most standards that require more than this, generally requiring end-user digital certificates in which the private key is held in the sole custody of the signer. How do you do this in a typical web scenario? Explain how my private key is applied to any document — or am I limited by document file types? — via a web service so that others can verify it against my public key published in my digital certificate that also must be in the web service. How is my private key available on my laptop, desktop, iPhone and iPad so that I can securely keep and use it? How/where is the digital signature appended using my private key as I may need to sign in multiple spots, initial, fill out a form first, etc.? Very few people have digital certificates suitable for e-signatures in the U.S., and hence my comment about it being unworkable in general. There are always instances where it can work quite well and many smaller EU countries issue eIDs, though few are interoperable. As I don’t have any such cert, how would you go about getting me to sign something? Send me a demo as I’d be interested. You can use my sales at yozons dot com email address.

  4. David Wall

    Needless to say, no demo transaction was ever sent that demonstrates how this is done. But you can send yourself demo docs to sign using Open eSignForms (or most of the web-based competition that makes use of the Yozons non-PKI tech) because they don’t rely on digital certificates, an antiquated requirement for e-signing most documents that thankfully the E-Sign Act didn’t keep or adoption would still be quite low as it had been under state laws that required them.
