Electronic signatures are legally meaningful ways to store interaction by end-users. That’s an oversimplified explanation and certainly not a definition, but in the context of web and mobile applications, it is that. The European Union defined electronic signatures in a regulation (eIDAS) in order to define the legal meaning of electronic signatures.
A bit counterintuitive, but electronic signatures are not necessarily digital signatures in the cryptographic sense. Electronic signatures are any data added to any other data. So an SMS can be seen as an electronic signature because it can identify the author (via the phone number) and the intent (via the content of the SMS).
But in order to define various levels of legal certainty, the EU distinguished three types of electronic signatures – basic/regular (not explicitly used and referred to simply as “electronic signature”), advanced and qualified. The advanced and qualified in most cases do rely on cryptographic digital signatures because they provide sufficient levels of integrity, authorship, and non-repudiation.
But those are complicated to implement, mostly because of the need for PKI and secure key management. On the other hand, basic electronic signatures can be implemented in many ways and are sufficient in case of disputes for minor issues. That’s why some websites, after the appropriate legal analysis, have decided to be practical and implement electronic signatures via a checkbox in a web form.
The checkbox selection as well as other data has to be stored and that way it serves as an electronic signature. The data accompanying the checkbox value (which is simply a boolean with the value “true”) should contain sufficient information to identify the author – the names, email, and other personal data filled in the form, an IP address and possibly browser specifications.
But then there’s the question of preserving the integrity of that signature and then proving to 3rd parties (e.g. regulators) that it has not been tampered with. That’s where LogSentinel SIEM’s secure audit trail comes in the picture and we are happy to have customers using exactly that approach.
The website collects the necessary data and stores it in our blockchain protected audit log, thus guaranteeing (and being able to prove) that once the data is entered, it hasn’t been changed. That solves the GDPR compliance question as well, as data used to defend legal claims is exempt from the right to erasure. Of course, each signature has a retention period and access to the data about the signatures is restricted via role-based control and multi-factor authentication.
There are many services that don’t need a fully qualified electronic signature that is equal to a handwritten one but still needs the legal effects of an electronic signature from their customers. It’s great that the legislation is flexible and technologically neutral in that regard, and that you can employ blockchain’s cryptography to ensure the integrity of the collected signatures.
If you would like to take your website to the next level and ensure full data integrity of the electronic identification, talk to us today:
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.