Friday, 17 December 2021

Digital Signatures and Digital Signing

Adding a signature to a document is fundamentally a way of providing assurance that the person whose signature it is has approved of its contents. A signature by itself is, however, not a very secure way of doing this. Handwritten signatures can be easily forged, copied or even machine written. Especially when provided in copied form, there is no definitive way of telling whether a signature on a document is genuine and actually proves that the person did in fact sign the document. 

Do these signatures look genuine?

To get more assurance, it is possible for example to get a notary to certify that a signature is genuine, the notary then being used as a trusted third party that is vouching for the signature being genuine. For further reassurance, the document itself can be protected from being altered by adding ribbon and seals, which provide assurances that the document that has been signed has not changed since being signed. Doing all this takes time and money, so in practice it is often taken on trust that a signed document is genuine. For documents relating to patent proceedings at the European Patent Office, the UK IPO and elsewhere, the office will accept a copy of a signed document and assume that it is genuine, the assumption being that the document was originally hand signed and then copied, provided it looks real. 

How can you tell this signature is genuine?
The process of using copies of genuine handwritten signatures and filing these online in pdf form at the EPO, typically to register an assignment, is standard practice and usually works without any trouble, provided the formal requirements of being able to identify the assignor and assignee are met and that duly authorised representatives of both parties have signed. I have personally arranged to have many assignments recorded at both offices this way with no trouble, even though in many cases I did not and could not verify myself that the signatures were genuine. Over the past couple of years, however, as personal contact has become the exception, there has been more interest in the use of digital signatures. The problem at the moment is that many people still do not actually know what one is, let alone how to properly use one. 

At risk of stating what should be the obvious, a digital signature is not something that is written by hand or pasted on a computer screen that looks like one written by hand on a piece of paper. It should be clear that this type of signature is far too easy to fake. If spotted, such signatures should be (and often are) rejected. Even if you sign by hand your actual signature on a computer screen, the proof that it was you is non-existent because anyone else could have done the same by copying and pasting an image of your signature from somewhere else, the result being indistinguishable. 

A real digital signature is something quite different. A digital signature, if done correctly, performs all the original functions of a genuine original handwritten signature but without the need for an authenticated paper copy. To work, a digital signature must be kept in its original form along with the document it is supposed to be authenticating. Without the code making up the digital signature, in combination with the original document, the signature is meaningless because it cannot be verified, defeating its whole purpose. A common confusion I have seen is when a scanned pdf is presented with what seems to be a digital signature, but the process of scanning has stripped it out, leaving only a mark on a computer file that suggests it was signed. This is, of course, useless and not even as good as a scanned copy of a handwritten signature.

To go back to basics, digital signing at its heart involves asymmetric cryptography. A user who wants to sign something will have a private key, which they keep to themselves, and a public key, which is open for all to see. The user can apply their private key to a document (or, in practice, a hash of a document) to produce a signature string. Anyone else can then use the combination of the document, signature and public key to cryptographically prove that the user's private key was used to sign the document. The signature therefore proves that the document was signed by the user. The only assumption made is that nobody else had access to the user's private key. It is fundamental to the ability to verify the signature that the document and signature are kept together and in their original state. If either is altered by even one single bit, the signature will not validate. 

An example of digital signing I have used before relates to how the Bitcoin system works. Bitcoin addresses (P2PKH types) are representations of the public key part of a public-private key pair. The owner of the bitcoin associated with an address is in possession of the private key and therefore only they are capable of 'spending' the bitcoin. In practice, transferring ownership from one address to another involves a process of digital signing, in which the owner signs a transaction with their private key to the effect that only the owner of the private key of the recipient address can then do any further transactions with whatever is sent to that address. Since all transactions are publicly available, anyone can verify how much any particular address contains. Another feature is that the owner of an address can verify that they own it by digitally signing a message linked to the address. An example I have used before is the following:

I, Tufty Sylvestris, confirm that I am the owner of the following address.

bc1quklwszfchvfzpxa7wk8pge7ykczcg0pv54wc8a

IA0TdtltWrzK62rDVw/WkZ36hNOGshhw8UFXySK7VFY9Nv5mQWr6B3aXpDpFH15gPH7uUJsPzlLB/T+eKkXjMWo=

To go back to the principle of signing documents, the message part corresponds to the document. The message is signed with the private key corresponding to the address, resulting in the signature string. Anyone can then verify that the signature is genuine by copying these components into a signature verifying tool, such as the one provided within the Electrum Bitcoin wallet, or one available online. You do, however, have to be very careful that the tool you are using for verification is not in some way compromised or you could be easily fooled

An additional problem with using just a public-private key pair is that you do not necessarily have a link between the owner of the private key and a specific person unless you have some other way of figuring out who the owner of the private key is. To take a well known example, the owner of the private key to address 12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX is, beyond any reasonable doubt, the person who was behind the pseudonym Satoshi Nakamoto because this address was the destination for the very first 50 bitcoin that were mined on 9 January 2009. 

For any normal use, it is necessary to provide a link between a private key and an actual person. A usual way to do this is for private keys for use in digital signing to be issued and certified by trusted authorities. For the EPO, this is done by a user's private key being securely stored on a smart card issued by the EPO to a patent attorney together with a PIN. With possession of the PIN and the smart card, the attorney can sign a document to the satisfaction of the EPO. Documents can only be signed with physical possession of the card and knowledge of the PIN, providing a decent level of security. This works very well for everyday activities of an EP attorney, who can use their smart card to digitally sign documents that are sent online to the EPO. The same principle can also be used to sign any documents. I can, for example, take any pdf document and apply a digital signature from my smart card that proves I signed the document. The document with its signature attached could then be sent to someone who wanted evidence that I signed it and they would be able to verify with a single click that the signature was valid.

The EPO has recently announced, in the November 2021 issue of the Official Journal, that "a qualified electronic signature" will be "considered to fulfil the legal requirement for a signature with respect to data in electronic form in the same way that a handwritten signature does with respect to data on paper". On the face of it, this seems quite straightforward. Provided the digital signature can be verified, the EPO will accept it. Clearly a signature produced using an EPO-issued smart card will work. Other signatures should also work, such as those issued by Docusign, which are increasingly common. The key, however, is that it must be possible to verify the signature. As a patent attorney, if I am asked whether something will qualify to be used in support of, for example, a request to record an assignment, the answer should be simple. If I can verify it myself, it should be ok. If I am presented with a copied pdf with a stamp stating that it has been digitally signed, the answer is of course no. 

Another feature of the new rule is that, as I know from recent personal experience, documents that have been signed on screen and passed off as handwritten signatures are now more likely to be rejected. Under the new provisions, before trying to record an assignment that looks like it might have been signed on a screen rather than by hand, ask yourself whether it looks like it meets the requirements and, if not, go back to your client and ask how the document was signed. 

8 comments:

  1. Point 3 of the Notice is key: " For the purposes of this notice, the Legal Division will apply mutatis mutandis the definition provided in Regulation (EU) No 910/2014.[ 1 ]" In that eIDAS regulation, "qualified" has a very special meaning as set out in that regulation and Docusign signatures are not qualified signatures in the sense of that Regulation if you use any default configurations of Docusign (as I understand it). See in particular points 3(d) and 3(e) of the EPO notice, which in turn use "qualified", which in turn under the eIDAS Regulation have a very special meaning as set out therein. And incidentally I believe non-EU certificates are not "qualified certificate" in the sense of the EIDAS Regulation. The EPO Notice of course uses 'mutatis mutandis' so perhaps UK certificates are fine with the EPO.
    But clearly you have also thought about it so I'm curious to learn how you can "verify" a signature in terms of linking it to a certain natural person.

    ReplyDelete
    Replies
    1. Very interesting. Thanks for your thoughts. I had not looked into it that far to be honest. If it works as you say, the possibility of using digital signatures at the EPO will be very limited.

      As for being able to verify, a signature can be verified only as far as the authority that issued the key, the decision then being whether you trust that authority. That is the kind of verification I mean. If you're going to go down some kind of Craig Wright rabbit hole about proving identity, I'm not going to be following you.

      Delete
    2. So, looking at the Regulation, Article 3(12) states: "‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;"; Article 3(11) states: "‘advanced electronic signature’ means an electronic signature which meets the requirements set out in Article 26;". Article 26 states that "An advanced electronic signature shall meet the following requirements:(a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and (d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable."

      Given all that, I don't see why a Docusign signature would not be acceptable.

      Delete
    3. I have spoken to DocuSign recently about this. A QES is tightly defined in Regulation EU 914/2014, as noted. DocuSign has a method of providing certification to the level required for a QES as set down in the Regulation. This involves an online video verification process for the signer, who is in effect interviewed (in a specified format) by an employee of a DocuSign sub-contractor. The interview includes several steps having the aim of demonstrating that the person is present, is who he/she says he/she is and is speaking live (as opposed to being a static image and/or a recording). Without these steps the signature will not be certifiable as a QES and DocuSign will not provide such certification; but (in reply to the earlier comment) if the verificiation process is followed it seems to be within the range of services regularly provided by DocuSign to attain the certification level of a QES. (I say "seems" purely because I have not yet put it to the test; but I have no reason to disbelieve the information DocuSign passed to me.)

      Delete
    4. Thanks all for the information. Good to learn that DocuSign can carry out the interview. I had no opportunity to that for when answering the "simple question" from a client. I probably have overlooked that interview service at the DocuSign website. I would still consider it important to double check if all DocuSign signatures are made after such an interview process, or if it is an optional feature. If it is optional, i.e. some DocuSign signatures are placed without the interview process, then it is of course important to be able to recognize those.

      Delete
  2. Do you know whether electronically signed documents in accordance with the EPO's notice are Annex-F compliant? We recently attempted to file such a document using OLF2.0, admittedly before the new practice came into effect, but needed to print and scan it to make it Annex-F compliant. Printing using Amyuni does not work, as it's already in pdf format.

    ReplyDelete
    Replies
    1. I don't see how it would be possible to submit digitally signed documents using online filing as it is currently setup, as it is very restrictive on what it accepts. A digitally signed pdf would almost certainly not comply and it cannot be altered so online filing would need to be altered to allow such documents to be submitted, perhaps as separate types of documents that do not have to meet the usual requirements. Yet to be seen as far as I can tell. I haven't submitted one yet.

      Delete
    2. An update on my earlier comment: As a test, I have just digitally signed a printed pdf and tested if this passes EPO online filing checks. It works. It should therefore be possible to submit digitally signed pdf documents through online filing, at least provided the underlying pdf complies with the requirements.

      Delete