Wanted!!! Electronic signature user

The market for electronic signatures can be much wider than the needs of public administration. To offer business services, it is necessary to define the advantages expected from using electronic signature technology in business transactions. These advantages need to be expressed in terms of money and time, but first of all the beneficiary needs to be specified - i.e. the electronic signature user. Until now the electronic signature offer has been addressed to signers, but the advantages they gained from using the signature were insignificant. In this article I define who, in my opinion, is an electronic signature user and to whom the business offer should be addressed.

Electronic signature is a mechanism functioning between three parties: the signer, the trusted third party and the trusting party. Each of them participates in processes related to electronic signature, and potential users of electronic signatures are naturally sought among them. It can be observed that the current electronic signature offer has not been targeted at the trusting party or has not been attractive to them. Let us start our analysis from the very beginning.

The fundamental problem with the functioning of electronic signature in Poland, and in Europe as well, lies in the fact that e-signature was first defined by lawyers in legal regulations and only then started functioning as a commonly available solution. Therefore, the discussion on electronic signature centers on the defined scope and acceptable uses instead of the purposes and possible applications of this form. We have created a situation in which practically everyone in Europe, before using any mechanism of the electronic signature type, will ask whether it is specified by law and whether the law deigns to accept this form. European legislation has taught us that unidentified legal entities do not exist and even businesses do not use them.

In the European Union there is the Electronic Signature directive[1], which very precisely defines the signer and the trusted third party but practically ignores the trusting party in its provisions. There is only one statement in the directive directed at the trusting party, namely: “Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings...” The Polish act[2] is not any better. Searching there for obligations of the trusted third party towards the trusting party is pointless, and the only element indicating the trusting party is a declaration in article 8 that the signature is not denied probative value due to its electronic form.

The provisions of the directive and the Polish act are now over ten years old, so it is assumed that the experience from this period will make it possible to create new and modern law that supports electronic trust tools. The new draft regulation[3] on electronic identification, just like the documents mentioned above, does not define the trusting party, and mentions many times in its provisions that qualified signature is something that should be used by market participants.

Unfortunately, the draft regulation creates ambiguity about the scope of its binding force. Namely, trust services provided on the basis of civil-law agreements are excluded from the scope of application of the regulation. Of course, such an opening to niche and innovative solutions seems to be a pro-market action, not defined in the regulations in force. In practice, it may prove too rash an action, as the exclusion also applies to article 20 (1)[4], which makes electronic signature equivalent evidence in legal proceedings. As a result, the trusting party will never know whether a (regular) electronic signature is verified with a certificate created under a civil-law agreement or on the basis of legal regulations. In particular, this significantly increases the risk of using signatures other than qualified ones and causes problems with the acceptance of certificates created outside the European Union[5]. Therefore, after a risk analysis, it can be expected that the trusting party will choose paper, whose probative value in legal proceedings is known.

Since regulations on electronic signature have been drafted and their task is to create mechanisms that support the electronic economy, it seems necessary that these regulations support market behaviours and new business initiatives. Unfortunately, the provisions of this act and of the planned acts rather single out the qualified signature and indicate that this form enjoys the main legal support, while other forms should rather not be a commonly used trust mechanism.

It is understandable that public administration tries to define mechanisms that are acceptable to it and has called them qualified ones, but does it mean that qualified signature should be called "the most secure one" in legal regulations and that regulations should be introduced that eliminate the non-qualified ones[6]? The situation we are currently in results from the erroneous assumption that what is good for administration is good for business. Under this assumption, if administration wants to propose a common access mechanism for public services, business should accept it in whole and adapt it to its activities. This attitude has not been commonly accepted by market participants, and currently qualified signatures are used mostly in situations in which public administration has bound itself to use them or requires them to be used by law. What is dangerous is that in the proposed new regulations at the European Union level this approach has not changed, and we can still observe the expectation that the market should accept "the most secure", qualified, signature for its purposes.

Regardless of the existing legal provisions, another very serious problem in the functioning of the electronic signature market is that the signer was supposed to be the main recipient of this market. Cryptographic solutions and certificates offered to signers by certification centers were supposed to create conditions in which everybody would have a signing tool at their disposal. But again, there was no market demand, because there were no services, and the process and costs of obtaining this tool discouraged people from having it. A continuous stress on the tool for electronic signing will not create a market of electronic services, or the market will use tools that are easier to get - e.g. scanning signed paper documents. Therefore the basic solution for the market consists in offering friendly, understandable and easy-to-use electronic services. These services should include business processes which result in an accepted and signed document, giving proof that a given process has been conducted. Moreover, the tools to execute these services have to be offered for free and without unnecessary restrictions, e.g. in the form of an obligation to appear somewhere in person to gain access to a service.

To understand the core of this change, let us look at the case of signing a telework agreement. If we offer a job placement service and enable the future employee to accept the working conditions and sign the agreement electronically, it will work as a whole only when the employee can get the tool and sign without unnecessary actions immediately after receiving the agreement. Both employer and employee will be willing to bear small costs to enter into the agreement electronically as long as they do not exceed the costs of executing this process in paper form. The tool used in this process will allow them to execute other work-related processes later on - e.g. billing, confirming receipt of tax return documents and amending the agreement. The natural role of the trusted third party in this process is to intermediate in the exchange of documents and to maintain the business process, while the main service user is the employer, for whom the process of remote employment and servicing a remote employee is significantly easier and its costs reduced.

Tax returns are another example of such a business process, this time in public administration. They do not need to be signed with a secure electronic signature; authentication based on knowledge is a sufficient form of electronic signature. This solution is widely used (11 million tax returns filed this year in Poland) and its main success results from the fact that there is no need to go outside, prove one's identity and pay a fee to file one's tax return. It should be observed that again the tax office is the main user of electronic signature, as it trusts the signatures, and the signer uses a tool that is easy to get and free.

If we take a closer look at the above examples, we can see that the main user of electronic signature is the one who defines the business process, collects the signed document and directly benefits from using it. The signer, on the other hand, participates in a process defined by the user. Therefore, the electronic signature offer has to be addressed mainly to those who define business processes in which signed documents take part. As the entity which defined the business process will naturally communicate with many entities and persons from whom it will demand signatures, it seems logical that the signer needs to be able and needs to want to use electronic signature in this process.

This cannot be achieved by burdening the signer procedurally and financially. There are two possible ways in the further development of electronic signature services:

  • The state issues and finances free tools for identification and signing for citizens, which can be used in business contacts, and the market concentrates on offering services using these mechanisms. In this case it has to be assumed that, in the course of lobbying, all entities providing certification services will become public issuers financed by the state or will cease to provide their current services. This model will bring effects only when certificate saturation in the market is sufficiently high - i.e. several years after the process has been started.
  • Certifying entities offer certification services that allow the certificate to be obtained for free, while the technical and business model allows them to profit from the services offered and the business processes serviced. For this purpose another model of offering services related to electronic signature is necessary, e.g. the PKI 2.0 model[7], where instead of trust certificates the third party offers signature services, just as payment services are offered in the credit card business.

Regardless of which way we take, the market of electronic signature services has to change, and the services offered have to be addressed to the electronic signature user defined in this article. In closing, it is worth repeating that the main users of electronic signature are those who define the need to have electronically signed documents in their business process and those who take actions and risk on the basis of trust in electronic signature.

Michal Tabor

[1] Directive of the European Parliament and of the Council 1999/93/EC as of 13 December 1999 on a Community framework for electronic signatures.

[2] (Journal of Laws as of 15 November 2001).

[3] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market COM(2012) 238 final

[4] Proposal COM(2012) 238 Article 20.1 An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form.

[5] The author of this article has mentioned in the correspondence the problem with article 20.1 of the proposal, which should clearly include all signatures regardless of the way in which the certification service is performed.

[6] Proposal COM(2012) 238 Article 20. 4. If an electronic signature with a security assurance level below qualified electronic signature is required, in particular by a Member State for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted.

[7] PKI 2.0 is described at www.pki2.eu