Legal validity

Can you trust the electronic signature?

An electronic signature carried out on a system as secure as Closd’s is more reliable than a handwritten signature. Since the European eIDAS regulation entered into force, electronic signatures have become widespread: the certification of an electronic signature service provider by the ANSSI (the National Agency for the Security of Information Systems) provides assurance that it complies with the rules established under French law. Indeed, the European requirements relating to “Advanced” and “Qualified” signatures take precedence over those of Articles 1366 and 1367 of the Civil Code.

An electronic signature made on Closd is therefore proved valid by:

– The certification of DocuSign and CertEurope (our electronic signature providers) by the ANSSI; and

– The set of clues given by the triple authentication of the signatories.

The verification of an electronic signature by a PDF reader is based on a “chain of trust” principle. The signing certificate is validated by the Certification Authority that issued it (the electronic signature provider), which is itself validated by an authority with a higher level of trust, and so on, until the chain reaches a Root Certification Authority, the last link in the chain (generally companies playing the role of trusted third party for a multitude of reasons). The PDF reader verifies the reliability of each level: if one link in the chain is missing, it will not validate the electronic signature.
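The chain-of-trust check described above can be reproduced with the `openssl` command line. This is an added example, not code from Closd or its signature providers: it builds a constructed three-level chain (all names are made up) and verifies plain X.509 certificates rather than a signed PDF, showing that validation succeeds with the full chain and is refused when the provider CA link is missing.

```shell
#!/bin/sh
# Constructed three-level chain; every name below is made up for the demo.

# issue NAME CN EXTFILE [ISSUER]: write NAME.key and NAME.pem, signed by
# ISSUER's key, or self-signed when no ISSUER is given (the root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null || return 1
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  fi
}

# build_chain DIR: root CA -> provider CA -> signatory certificate.
build_chain() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext
  issue root "Demo Root CA" ca.ext &&
  issue provider "Demo Signature Provider CA" ca.ext root &&
  issue signer "Demo Signatory" leaf.ext provider
)

# The verifier trusts only the root. The provider CA is supplied as an
# untrusted intermediate and must itself chain up to that root.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/provider.pem" \
    "$1/signer.pem" >/dev/null 2>&1
}

# Same check without the provider CA: no path to the root can be built.
verify_missing_link() {
  openssl verify -CAfile "$1/root.pem" "$1/signer.pem" >/dev/null 2>&1
}

dir=$(mktemp -d) && build_chain "$dir" || echo "chain build failed"
verify_with_chain "$dir" && echo "full chain: signatory certificate trusted"
verify_missing_link "$dir" || echo "provider CA missing: validation refused"
rm -rf "$dir"
```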

In French law, three conditions make it possible to give the electronic signature a validity and probative force equal to that of a handwritten signature, and give the electronic document the same value as the paper document:

– the reliability of the process used (Article 1367 paragraph 2 of the Civil Code)

– (i) the identification of the person who is signing (ii) the establishment and conservation of the document under conditions guaranteeing its integrity (Article 1366 of the Civil Code).

A judge determines whether these three conditions are met. Before the entry into force of the European eIDAS regulation, it was difficult to determine the reliability of the technical process without being an IT specialist. This obstacle prevented the widespread use of electronic signatures. Despite this, numerous appeals court decisions have admitted the electronic signature as evidence since 2013, as has a decision of the Court of Cassation dated April 6, 2016.

Under European law, the eIDAS Regulation of July 23, 2014 changed things by allowing easy proof of the reliability of electronic signature technology. This text, which has been applicable throughout the European Union since July 1, 2016, has created a harmonized and robust technical-legal framework for “digital trust services” (such as electronic signatures).

It sets forth several types of electronic signatures (Simple, Advanced, and Qualified, depending on the authentication process implemented) and establishes a certification system under which a national control authority (in France, the National Agency for the Security of Information Systems (ANSSI)) certifies each service provider before it starts its activity. Once certified, the company obtains the label of “Trusted Service Provider” (PSCo). Regular audits are then put in place.

This certification appears on the French trusted list, published by ANSSI and by the European Commission. It therefore allows the judge to easily assess whether the condition in Article 1367 paragraph 2 is fulfilled.

The conditions set forth by Article 1366 are met by Closd thanks to the triple authentication of the signatories described below and the storage of documents on dedicated and secure servers located in France.

What are the different types of electronic signatures?

Legally, there is no difference in validity between “Simple”, “Advanced” and “Qualified” signatures. Their admissibility in court cannot be contested in any state of the European Union. The only difference is that the “Qualified” signature benefits from a presumption of reliability.

The “Simple” signature is, by default, that which does not meet the requirements of the “Advanced” or “Qualified” categories. Verification of the signer’s identity usually means sending a unique code (One-Time Password – OTP) to the signer’s mobile phone after clicking on a link received by email. Only the signatory has the code, unless his mailbox and phone were both compromised.

The “Advanced” signature must meet the following regulatory criteria:

  • it must be linked to the signatory in an unequivocal manner;
  • it must allow the signatory to be identified;
  • it must have been created using electronic signature creation data that the signer can, with a high level of confidence, use under their exclusive control; and
  • it must be linked to the data associated with this signature so that any subsequent modification of the data is detectable.

In practice, on Closd these requirements are met by combining an OTP code sent to a mobile phone and the inbox’s password with two other factors that together make it possible to establish the signatory’s identity with certainty: an automated ID verification and a secure password to access Closd. From a probative point of view, these authentication methods constitute an important bundle of clues, in addition to the certification issued by ANSSI. Disputing a signature made on Closd would require proving not only the theft of the mobile phone and the hacking of the inbox, but also the theft or falsification of a copy of the signer’s identity document.

The “Qualified” signature legally corresponds to an “Advanced” signature, but with reinforced technical requirements. It also requires the issuance of a certificate following a face-to-face verification of the signatory’s identity (by either physical appointment or videoconference). The advantages of electronic signatures (mobility, speed) can be greatly reduced by this process.
