Being able to sign documents in the cloud is yet another example of how cloud computing is facilitating the processes of digital evolution. The development of online document signature has gone through a number of exciting changes in recent years. These changes have important implications for consumers as well as service providers.
There are a number of reasons for shifting to paperless processes, such as online signatures. For instance, environmental and financial limitations are putting pressure on enterprises to find efficient, effective, cost-cutting methods. Such solutions also facilitate organization; it’s more convenient to store documents on a searchable medium, rather than in a filing cabinet.
Electronic Signatures, Defined
A number of laws have been passed worldwide to regulate and facilitate the use of electronic records and signatures.
The PIPEDA (Personal Information Protection and Electronic Documents Act) defines an electronic signature as:
“A signature that consists of one of more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document.” This piece of legislation also differentiates between secure and insecure electronic signatures. The former requires the “technology or process used to make the signature [to be] under the sole control of the person making the signature.”
Another important piece of legislation, the ESIGN Act (Electronic Signatures in Global and National Commerce Act), defines an electronic signature as “an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
According to Phil Wainewright, a cloud computing blogger for ZDNet, we can conceptualize the evolution of online document signature in three generations. In the first generation, the solution is technology-intensive and largely over-engineered. During the 1990s, this consisted of applying an on-premise PKI server infrastructure to authenticate an individual’s online signature.
In the second generation, signature authentication went online. With services such as RPost’s Registered Email, the physical process was replicated virtually. This service consisted of a digital instantiation of registered mail, and provided a legally valid confirmation of email delivery.
Currently, we are entering the third generation of online document signature solutions. This involves a process that leverages the convenience of the online environment to achieve a simple, flexible and extremely cost-effective option. Examples of such services include EchoSign and DocuSign. Other services, such as the digital signing of contracts on mobile devices, are in the works.
RPost Office offers a service similar to Certified Mail, which provides a receipt that proves your document was delivered. RPost Office allows users to send email messages that are encrypted end-to-end (attachments as well). They will also provide a receipt that stands up in court. Contracts can be completed and signed electronically through this service as well.
RPost established the Registered Email system in 2000, long before there were other products offering secure electronic correspondence. On July 19, 2011, RPost filed a lawsuit against Adobe and EchoSign for infringing on RPost’s patented technology with its services. The company asked the court for a permanent injunction against services from both Adope and EchoSign, as well as damages on infringing products.
According to Zafar Kahn, RPost CEO:
“The key element in any system of electronic signature is creating a legally meaningful audit trial of every step of the signature process and associating that audit trail with particular electronic document content. When part of that audit trail involves e-mail, it is on our turf: we pioneered the technology for proof of e-mail and document delivery, including recording recipient reply or signoff on the message content, and have the patents to prove it.”
DocuSign & EchoSign
DocuSign, founded in 2004, offers an online signature solution tailored to individuals, large enterprises and anyone in between. Users with documents that require a signature can upload documents to DocuSign in any of the major file formats (e.g. Microsoft Word, Microsoft Excel, Adobe Acrobat, PDF, etc.). The document is then emailed to anone who needs to sign it. Users can even add “Sign Here” tabs into the document to guide recipients.
Users that need to sign a document will be altered thorough an email message of a pending document in DocuSign. It’s important to note that the document is not attached to the email, rather it remains in DocuSign. The service guides signers from tab to tab, wherever a signature, initial or other information is required. Once all form fields have been completed, and signatures provided, signers will need to confirm signing. Both the sender and recipient can have access to signed documents in the cloud.
On July 18, 2011, Adobe, the parent company of DocuSign, acquired its largest competitor, EchoSign.
According to Tom Gonser, DocuSign’s chief strategy officer and founder:
“Adobe has in the past been pretty steadfast that the way you sign a document is that you get a digital certificate and use a process that requires PKI. The strategy of putting everything on a server in the cloud is what DocuSign started doing in 2003. It’s the difference between using software to sign documents and using the cloud to sign documents.”
This article takes a look at online document signature solutions in the cloud. It defines the concept of electronic signature, as it has been outlined in US legislation. The article looks at the evolution of electronic signature services, as it has been conceptualized in three generations. It also briefly introduces three major online document signature services: RPost Office, DocuSign and EchoSign.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Contractual Security Requirements (Domain 2)
- Contract Enforceability (Domain 3)
- Provider Selection (Domain 8 )