Is a document signed with hellosign legally binding?
hka at qbs.com.pl
Fri Jan 4 00:33:53 CET 2013
On Thursday 03 of January 2013 22:43:33 Morten Kjærulff wrote:
> This is a off topic question, but I do not know where to go with it.
> I just signed up with hellosign.com. It is a service where you upload an
> image file with your handwritten signature. Later on you can upload a
> document and they will merge your signature and document, and mail it to
> the one you specified. (at least that is how I understand it)
> They claim (http://www.hellosign.com/info/faq) that electronic signatures
> are legally binding, and refer fx to "European Directive (EC/1999/93)" (
> sig_report.pdf). As far as I can see, this document is about digital
> signing using certificate and so on.
> As I see it, the service provided by hellosign.com has nothing to do with
> the topics in "European Directive (EC/1999/93)".
> Am I right or wrong?
As always on the Internet, IANAL. Even if I were, this wouldn't be a legal
advice, not legally binding, yada yada. What's more, I have no knowledge how
exactly their system works so below is just my opinion and bits of knowlege
about how digital signatures work in EU.
Now, back to the issue in question.
In one sentence: this looks very fishy to me.
First: basically only Qualified Electronic Signatures are unquestionably
Second: Qualified Electronic Signature can only be created using a Secure
Signature Creation Device (a.k.a. cryptographic token).
Third: to get a Qualified Certificate you need to personally visit (this may
be more relaxed in some countries) one of certification authorities and
present some kind of state issued ID
Considering that the biggest problem (as far as proving its origin, creation
date, etc.) with electronic data is that it is very easy to copy, the whole
goal of digital signatures was directed to make it impossible to copy a
signature (in a way for it to still be valid) without copying verbatim the
file/data that was signed. They are doing exact opposite. The only thing
agains that is the audit trial. If it doesn't use third party provided time
stamps in one way or another I'd bluntly call it useless.
They perform no detailed verification of the person's identity (I can submit
scan of Steve Jobs signature and his photo, doesn't make me Steve Jobs).
As such, I'd say it's very unlikely for the scheme described to be regarded
as trustworthy (and admissible before court without question), let alone
usable for Qualified Electronic Signing.
The only stuff they can reasonably prove, is that a document was created
before such and such time and uploaded at such and such time to their
service. gmail can do just as much. I'd say if the other person signing a
contract is also using gmail it's just as secure and trustworthy.
But maybe it's just my bias against crypto that doesn't use DSA/RSA/ECC...
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
More information about the Gnupg-users