Friday 17 December 2021

Digital Signatures and Digital Signing

Adding a signature to a document is fundamentally a way of providing assurance that the person whose signature it is has approved of its contents. A signature by itself is, however, not a very secure way of doing this. Handwritten signatures can be easily forged, copied or even machine written. Especially when provided in copied form, there is no definitive way of telling whether a signature on a document is genuine and actually proves that the person did in fact sign the document. 

Do these signatures look genuine?

To get more assurance, it is possible for example to get a notary to certify that a signature is genuine, the notary then being used as a trusted third party that is vouching for the signature being genuine. For further reassurance, the document itself can be protected from being altered by adding ribbon and seals, which provide assurances that the document that has been signed has not changed since being signed. Doing all this takes time and money, so in practice it is often taken on trust that a signed document is genuine. For documents relating to patent proceedings at the European Patent Office, the UK IPO and elsewhere, the office will accept a copy of a signed document and assume that it is genuine, the assumption being that the document was originally hand signed and then copied, provided it looks real. 

How can you tell this signature is genuine?
The process of using copies of genuine handwritten signatures and filing these online in pdf form at the EPO, typically to register an assignment, is standard practice and usually works without any trouble, provided the formal requirements of being able to identify the assignor and assignee are met and that duly authorised representatives of both parties have signed. I have personally arranged to have many assignments recorded at both offices this way with no trouble, even though in many cases I did not and could not verify myself that the signatures were genuine. Over the past couple of years, however, as personal contact has become the exception, there has been more interest in the use of digital signatures. The problem at the moment is that many people still do not actually know what one is, let alone how to properly use one. 

At risk of stating what should be the obvious, a digital signature is not something that is written by hand or pasted on a computer screen that looks like one written by hand on a piece of paper. It should be clear that this type of signature is far too easy to fake. If spotted, such signatures should be (and often are) rejected. Even if you sign by hand your actual signature on a computer screen, the proof that it was you is non-existent because anyone else could have done the same by copying and pasting an image of your signature from somewhere else, the result being indistinguishable. 

A real digital signature is something quite different. A digital signature, if done correctly, performs all the original functions of a genuine original handwritten signature but without the need for an authenticated paper copy. To work, a digital signature must be kept in its original form along with the document it is supposed to be authenticating. Without the code making up the digital signature, in combination with the original document, the signature is meaningless because it cannot be verified, defeating its whole purpose. A common confusion I have seen is when a scanned pdf is presented with what seems to be a digital signature, but the process of scanning has stripped it out, leaving only a mark on a computer file that suggests it was signed. This is, of course, useless and not even as good as a scanned copy of a handwritten signature.

To go back to basics, digital signing at its heart involves asymmetric cryptography. A user who wants to sign something will have a private key, which they keep to themselves, and a public key, which is open for all to see. The user can apply their private key to a document (or, in practice, a hash of a document) to produce a signature string. Anyone else can then use the combination of the document, signature and public key to cryptographically prove that the user's private key was used to sign the document. The signature therefore proves that the document was signed by the user. The only assumption made is that nobody else had access to the user's private key. It is fundamental to the ability to verify the signature that the document and signature are kept together and in their original state. If either is altered by even one single bit, the signature will not validate. 

An example of digital signing I have used before relates to how the Bitcoin system works. Bitcoin addresses (P2PKH types) are representations of the public key part of a public-private key pair. The owner of the bitcoin associated with an address is in possession of the private key and therefore only they are capable of 'spending' the bitcoin. In practice, transferring ownership from one address to another involves a process of digital signing, in which the owner signs a transaction with their private key to the effect that only the owner of the private key of the recipient address can then do any further transactions with whatever is sent to that address. Since all transactions are publicly available, anyone can verify how much any particular address contains. Another feature is that the owner of an address can verify that they own it by digitally signing a message linked to the address. An example I have used before is the following:

I, Tufty Sylvestris, confirm that I am the owner of the following address.



To go back to the principle of signing documents, the message part corresponds to the document. The message is signed with the private key corresponding to the address, resulting in the signature string. Anyone can then verify that the signature is genuine by copying these components into a signature verifying tool, such as the one provided within the Electrum Bitcoin wallet, or one available online. You do, however, have to be very careful that the tool you are using for verification is not in some way compromised or you could be easily fooled

An additional problem with using just a public-private key pair is that you do not necessarily have a link between the owner of the private key and a specific person unless you have some other way of figuring out who the owner of the private key is. To take a well known example, the owner of the private key to address 12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX is, beyond any reasonable doubt, the person who was behind the pseudonym Satoshi Nakamoto because this address was the destination for the very first 50 (spendable) bitcoin that were mined on 9 January 2009. 

For any normal use, it is necessary to provide a link between a private key and an actual person. A usual way to do this is for private keys for use in digital signing to be issued and certified by trusted authorities. For the EPO, this is done by a user's private key being securely stored on a smart card issued by the EPO to a patent attorney together with a PIN. With possession of the PIN and the smart card, the attorney can sign a document to the satisfaction of the EPO. Documents can only be signed with physical possession of the card and knowledge of the PIN, providing a decent level of security. This works very well for everyday activities of an EP attorney, who can use their smart card to digitally sign documents that are sent online to the EPO. The same principle can also be used to sign any documents. I can, for example, take any pdf document and apply a digital signature from my smart card that proves I signed the document. The document with its signature attached could then be sent to someone who wanted evidence that I signed it and they would be able to verify with a single click that the signature was valid.

The EPO has recently announced, in the November 2021 issue of the Official Journal, that "a qualified electronic signature" will be "considered to fulfil the legal requirement for a signature with respect to data in electronic form in the same way that a handwritten signature does with respect to data on paper". On the face of it, this seems quite straightforward. Provided the digital signature can be verified, the EPO will accept it. Clearly a signature produced using an EPO-issued smart card will work. Other signatures should also work, such as those issued by Docusign, which are increasingly common. The key, however, is that it must be possible to verify the signature. As a patent attorney, if I am asked whether something will qualify to be used in support of, for example, a request to record an assignment, the answer should be simple. If I can verify it myself, it should be ok. If I am presented with a copied pdf with a stamp stating that it has been digitally signed, the answer is of course no. 

Another feature of the new rule is that, as I know from recent personal experience, documents that have been signed on screen and passed off as handwritten signatures are now more likely to be rejected. Under the new provisions, before trying to record an assignment that looks like it might have been signed on a screen rather than by hand, ask yourself whether it looks like it meets the requirements and, if not, go back to your client and ask how the document was signed. 

Wednesday 8 December 2021

Missing the non-obvious

The laboratory technique of Polymerase Chain Reaction (PCR) will by now be well known, at least in principle, to most people from its extensive use in testing for a particular virus. In very simple terms, PCR is a method of amplifying a DNA target sequence through repeated heating and cooling cycles that amplify the target sequence until it reaches a level high enough to be detected. PCR can therefore be used to detect extremely small amounts of a particular sequence, provided enough cycles are used. As the inventor Kary Mullis put it, "you can find almost anything in anybody" (see here). How many cycles are used is therefore critical to how much reliance you put on the results, particularly if you are using it to diagnose the presence of a virus (the RNA sequences being converted to DNA for RT-PCR testing). 

To have confidence in the results, a PCR machine will need calibrating and validating to ensure that the thermal cycling is accurately and repeatedly carried out and that the amount detected after each cycle is accurate. If this is done properly, the technique can be used to establish quantitatively as well as qualitatively what was present in the original sample, i.e. not just whether something was there but also how much.

Fluorescent dyes can be used that allow measurements to be made that correlate the amount of the detected substance with a fluorescent response, which allows an instrument to be calibrated and validated so that it can be known how a measured response corresponds to an amount of material present. Such dyes might, for example, be used in the form of a standard solution put in a PCR machine to establish a calibrated level.

GB patent application 1421819.2 disclosed the use instead of a fluorophore suspended in a thermoplastic polymer matrix, for use in PCR validation. A PCR tube made of the polymer (shown here on the right, the sole drawing in the application) with a fluorophore suspended in the polymer, allowed a spectrometer to detect a known level of fluorescence so that the PCR machine could be validated. Claim 1 of the application as filed read:

1. Use of a fluorophore suspended in a thermoplastic polymer matrix, which fluorophore suspended in a thermoplastic polymer matrix has fluorescence characteristics within a predetermined uncertainty budget, wherein the polymer matrix is selected from the group consisting of: poly methyl methacrylate (PMMA), polycarbonate (PC), polyoxymethylene (POM), chlorinated polyvinyl chloride (CPVC) or PVC/Acrylic copolymer to validate a thermal cycler.

The examiner objected that the claimed invention lacked an inventive step, given that suspended fluorophores were known and the choice of polymer was obvious. The applicant was unable to get over this and the issue came before a hearing officer at the UK IPO.  By this stage, claim 1 had been amended to add a few more features:
1.  A method of validating a thermal cycler, characterised by the steps of:   
    suspending a fluorophore in a thermoplastic polymer matrix, wherein the fluorophore has fluorescence characteristics within a predetermined uncertainty budget, and wherein the polymer matrix is selected from the group consisting of: methyl methacrylate (PMMA), polycarbonate (PC), polyoxymethylene (POM), chlorinated polyvinyl Chloride (CPVC) Or PVC/Acrylic copolymer, and the thermoplastic matrix is cut to the shape of a PCR tube; and   
    validating the thermal cycler using measurements obtained in the thermal cycler and the predetermined uncertainty of the fluorophore:  
    wherein validating the thermal cycler includes confirming that the measurements obtained the thermal cycler match the fluorescence characteristics of the fluorophore within the predetermined uncertainty budget.
The examiner still objected that the claimed invention lacked inventive step because it was known to use fluorophores to validate a PCR machine and the choice of polymer was obvious, all of them being well known polymers. What neither the examiner nor the applicant argued though, at least until they were prompted to by the hearing officer, is whether the feature of the "thermoplastic matrix is cut to the shape of a PCR tube" was significant. The hearing officer looked through the two documents cited by the examiner and concluded that neither document actually disclosed a thermoplastic polymer matrix, in which a fluorophore is suspended, being cut to the shape of a PCR tube. Based largely on this, the hearing officer found that the skilled person would not be motivated to provide such a PCR tube based on the documents. The claimed invention was therefore not obvious and the application sent back to the examiner to conclude proceedings. 

The lesson to be learned from this should be obvious, which is that you should always take care to check what it is you are claiming as the invention and argue on the basis of any and all differences over the prior art. It really shouldn't be necessary to rely on the examiner or a hearing officer to do it for you.