Is a document signed with hellosign legally binding?

Hubert Kario hka at qbs.com.pl
Fri Jan 4 00:33:53 CET 2013


Hi Morten,

On Thursday 03 of January 2013 22:43:33 Morten Kjærulff wrote:
> Hi,
> 
> This is an off-topic question, but I do not know where to go with it.
> 
> I just signed up with hellosign.com. It is a service where you upload an
> image file with your handwritten signature. Later on you can upload a
> document and they will merge your signature and document, and mail it to
> the one you specified. (at least that is how I understand it)
> 
> They claim (http://www.hellosign.com/info/faq) that electronic signatures
> are legally binding, and refer fx to "European Directive (EC/1999/93)" (
> http://ec.europa.eu/information_society/policy/esignature/docs/electronic_
> sig_report.pdf). As far as I can see, this document is about digital
> signing using certificate and so on.
> 
> As I see it, the service provided by hellosign.com has nothing to do with
> the topics in "European Directive (EC/1999/93)".
> 
> Am I right or wrong?
> 
> /Morten

As always on the Internet, IANAL. Even if I were, this wouldn't be legal 
advice, not legally binding, yada yada. What's more, I have no knowledge how 
exactly their system works so below is just my opinion and bits of knowledge 
about how digital signatures work in EU.

Now, back to the issue in question.
In one sentence: this looks very fishy to me.

First: basically only Qualified Electronic Signatures are unquestionably 
legally binding.

Second: Qualified Electronic Signature can only be created using a Secure 
Signature Creation Device (a.k.a. cryptographic token).

Third: to get a Qualified Certificate you need to personally visit (this may 
be more relaxed in some countries) one of certification authorities and 
present some kind of state issued ID.

Considering that the biggest problem (as far as proving its origin, creation 
date, etc.) with electronic data is that it is very easy to copy, the whole 
goal of digital signatures was directed to make it impossible to copy a 
signature (in a way for it to still be valid) without copying verbatim the 
file/data that was signed. They are doing the exact opposite. The only thing 
against that is the audit trail. If it doesn't use third party provided time 
stamps in one way or another I'd bluntly call it useless.

They perform no detailed verification of the person's identity (I can submit 
scan of Steve Jobs signature and his photo, doesn't make me Steve Jobs).

As such, I'd say it's very unlikely for the scheme described to be regarded 
as trustworthy (and admissible before court without question), let alone 
usable for Qualified Electronic Signing.

The only stuff they can reasonably prove, is that a document was created 
before such and such time and uploaded at such and such time to their 
service. gmail can do just as much. I'd say if the other person signing a 
contract is also using gmail it's just as secure and trustworthy.

But maybe it's just my bias against crypto that doesn't use DSA/RSA/ECC...

Regards,
-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
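
The copy-resistance point made in the message above, as an added illustration that is not part of the original post and not HelloSign's actual system: a signature computed from the document's hash fails on any other document, while a scanned-signature image can be lifted and merged into anything. The key is a constructed toy (textbook RSA over two Mersenne primes, no padding), and all function names and sample documents are assumptions made for the example.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; real signatures use vetted libraries and padded schemes.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(doc: bytes) -> int:
    """SHA-256 of the document, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % N


def sign(doc: bytes) -> int:
    """Digital signature: a value computed from the document's hash."""
    return pow(digest(doc), D, N)


def verify(doc: bytes, sig: int) -> bool:
    """Valid only if the signature matches this exact document."""
    return pow(sig, E, N) == digest(doc)


def stamp(doc: bytes, image: bytes) -> bytes:
    """Image 'signature': the same scan bytes merged into any document."""
    return doc + image


def looks_signed(stamped: bytes, image: bytes) -> bool:
    """All a reader can check: the scan is present."""
    return stamped.endswith(image)


def demo() -> dict:
    # Constructed sample data.
    contract = b"I agree to pay 100 EUR."
    forged = b"I agree to pay 100000 EUR."
    scan = b"<scanned-signature-image-bytes>"
    sig = sign(contract)
    lifted = stamp(contract, scan)[-len(scan):]  # copy scan off signed doc
    return {
        "digital_on_original": verify(contract, sig),
        "digital_on_forged": verify(forged, sig),
        "image_on_forged": looks_signed(stamp(forged, lifted), scan),
    }


if __name__ == "__main__":
    print(demo())
```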


