Legal Enforceability of eSign

March 27, 2024

Ancha

Content Strategy Lead

eSign legal

Summary

  • The foremost priority when it comes to evaluating electronic signatures is enforceability - can you rely on eSigned documents in court and in regulatory audits? 
  • In this post, we give you an easy framework to evaluate the ease of enforcement of different eSign types.

In our previous post we discussed a Matrix of Validity - an easy-to-decipher table charting which mode of eSigning is legally valid for which type of document. What the validity matrix essentially tells us is that the question of validity is a binary question. A particular signing type is either valid or invalid for a particular type of document. But the question of validity has a very narrow and limited utility when it comes to actually going digital with paperwork. As per the validity matrix, most documents can be validly signed through any type of electronic execution.

Enforceability on the other hand is a question of “how easy” it is to “prove” a document in Court or before a regulator. Therefore, ease of enforcement is a spectrum.

But how do we judge the ease of enforcement of a particular signing type? It depends on the ability of an electronic mode of execution to meet the end goals of the signing process. The better a particular mode of execution is at meeting such end goals, the easier it would be to enforce it in a Court of law or before a regulator. 

Therefore, unlike validity - which is a simple yes/no matrix - the question of enforcement needs to be visualized as a spectrum - a Spectrum of Enforcement.

In this article, based on their technical capabilities, we will map out 4 of the most commonly used eSign types - virtual signatures, secure virtual signatures, digital signatures (DSC tokens) and electronic signatures (Aadhaar eSign) on the spectrum of enforcement.

After that we will also take a look at the legal presumptions in favour of eSigns under the Evidence Act which make them the easiest signing type to enforce in a Court of law.

Let’s begin.

1. Standard Virtual Signatures

Standard virtual signatures are nothing but a visual electronic replication of your wet-ink signature. All you need to affix a virtual sign is the electronic agreement and a service provider which lets you affix virtual signatures on an electronic document. Users can either draw their signature electronically or choose from a computer generated template of their name. You may have signed this way sometimes when you receive a courier.

Standard Virtual Signatures are on somewhat shaky ground when it comes to enforcement. Here’s why:

GOAL | VIRTUAL SIGNATURES

Authentication: The identity of the parties signing the document is clear
While the wet-ink signature pattern of a person is said to be unique to that person, it is tough to draw this unique signature electronically. It is fairly easy for two different people to have the same virtual signature.

Integrity: The document cannot be changed unilaterally after the signatures are affixed
Anything can be added or deleted once a virtual signature is affixed to an electronic agreement. The PDF can be edited later as there are none of the technical safeguards that electronic signatures rely on to assure integrity of the document.

Non-repudiation: The parties cannot 'deny' their acceptance of the terms and conditions of a document at a later stage
Similar to wet-ink signatures, parties can contest their virtual signatures in 2 ways:
1) By stating that the signature was forged
2) By stating that the document has been altered/tampered with since they signed it

2. Secure Virtual Signatures

We saw how virtual signatures are similar to wet-ink signatures, but applied to an electronic medium. But we also saw how virtual signatures can be hard to enforce. That's where a concept known as "Secure Virtual Signature" comes in. It solves for this gap by adding additional layers of authentication.

Some examples of added layers of authentication provided by Secure Virtual Signatures: 

1) OTP authentication system 

Signers can be asked to enter an OTP sent to their registered phone number/ email address before they can sign the document. Since the OTP is being sent to a unique parameter exclusive to the signer - an element of identity is added to the process. 

2) Face Capture 

With a Face Capture layer - signers are required to undergo a live face capture before they can sign the document. The face capture feature establishes beyond doubt the identity of the person who has affixed his Secure Virtual Signature to the document.

3) Geo-location capture 

With Geo-location capture, the signer’s GPS coordinates are captured at the moment of signing. This is useful in cases where electronic signing is happening at a fixed location like a bank branch or the signer’s home.

4) Backing each virtual sign with a neutral digital signature 

A virtual sign - no matter how secure, does not operate on the asymmetric crypto and hash systems that a digital signature operates on. This opens the virtually signed document to risk of undetected tampering. This glaring loophole can be circumvented if the technology platform affixing the virtual sign also affixes a neutral digital signature on the document. This digital signature won’t act as a “signature of a party” but as a security procedure that safeguards the integrity of the document.

If all the above layers are in force, it becomes very hard for a signer to repudiate a “Secure Virtual Signature”. To successfully do that they would need to do ALL of the following: 

(i) Prove that the OTP authentication on their phone number was not done by them 

(ii) Prove that they did not perform the act of selecting or inscribing the virtual signature 

(iii) Prove that the geo-location captured does not actually reflect their location at the time of signing the document 

(iv) Prove that it was not their face in the face capture 

These additional security features put Secure Virtual Signatures in a very good position when it comes to enforcement.

GOAL | VIRTUAL SIGNATURES

Authentication: The identity of the parties signing the document is clear
OTP verification, face capture and geo-capture work together to establish a "virtually irrefutable" trail of identity.

Integrity: The document cannot be changed unilaterally after the signatures are affixed
Bad: Secure Virtual Signatures do not make use of asymmetric cryptographic systems and hash functions to ensure the integrity of the signed documents. So in an ordinary scenario, they ensure document integrity in the same way that wet-ink signatures do.
Good: At times, documents signed using secure virtual signatures are secured by digital signatures affixed in the background by a third-party platform. This acts as a security procedure under the IT Act to ensure that the document cannot be altered or modified without alerting the parties.

Non-repudiation: The parties cannot 'deny' their acceptance of the terms and conditions of a document at a later stage
Added security layers make it extremely hard for signers to repudiate secure virtually signed documents in court.

3. Electronic Signatures (including Digital Signatures)

Aadhaar eSign and DSC tokens form the crème de la crème of electronic signing methods - not only because they are legally valid for the largest number of use cases, but also because they are the easiest to enforce.

We have already seen how the underlying combination of asymmetric cryptographic systems and hash functions behind digital signatures and electronic signatures helps in: 

- Linking the identity of the signer irrefutably to the document 

- Making it computationally infeasible to tamper with the digitally signed document without the parties being alerted

There is no other signature type that meets the end goals of the signing process better than electronic signatures. 

GOAL | ELECTRONIC SIGNATURES | DIGITAL SIGNATURES

Authentication: The identity of the parties signing the document is clear
The secure key pair encryption/decryption process helps to clearly establish the signer's identity, details of which are contained in the electronic signature certificate that is digitally signed by the Certifying Authority, a neutral entity.

Integrity: The document cannot be changed unilaterally after the signatures are affixed
The public key decryption + hash matching process ensures that anyone opening the document on a PDF reader is alerted if the document has been altered after the signatures were affixed.
The hash matching process is virtually foolproof in detecting tampering since it is computationally infeasible for two different documents to have the same hash result.

Non-repudiation: The parties cannot 'deny' their acceptance of the terms and conditions of a document at a later stage
Electronic Signatures: The secure key pair is only issued by the ESP once the Aadhaar based eKYC of the signer has been successfully carried out by UIDAI. For the signer to deny their Aadhaar eSign, they would need to prove that someone else had their Aadhaar number and their mobile phone which they used to carry out the e-authentication process. This is extremely unlikely.
Digital Signatures: The asymmetric crypto system can only be activated by a unique PIN or code that has been handed over ONLY to the signer. For the signer to deny the digital signature, they need to prove that someone else got access to their PIN or code. This is extremely unlikely.

Authentication, check. Integrity, check. Non-repudiation, check. 
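The hash matching check described under "Integrity" above, which is also what a platform's neutral digital signature on a virtually signed document (section 2) relies on, shown as an added example that is not from the original post. It uses textbook RSA without padding and a constructed key built from publicly known Mersenne primes, so it illustrates the mechanism only; the agreement text is constructed as well.

```python
import hashlib

# Constructed toy key (assumption for this example): both primes are publicly
# known Mersenne primes, so this key protects nothing. Textbook RSA, no padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key: anyone can verify with it
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: held only by the signer


def digest_int(document: bytes) -> int:
    """SHA-256 hash of the document as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer: hash the document, then transform the hash with the private key."""
    return pow(digest_int(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Verifier: recover the signed hash with the public key and compare it
    with a fresh hash of the document as received."""
    return pow(signature, E, N) == digest_int(document)


def demo() -> dict:
    # Constructed sample agreement text.
    original = b"Loan agreement: principal INR 5,00,000, interest 11% per annum."
    signature = sign(original)
    tampered = original.replace(b"11%", b"18%")   # edit made after signing
    return {
        "original_ok": verify(original, signature),
        "tampered_ok": verify(tampered, signature),
        "wrong_signature_ok": verify(original, signature + 1),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the unmodified document verifies against its signature; the edited copy and the altered signature both fail the hash comparison, which is the alert a PDF reader raises.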

THE FINAL SPECTRUM OF ENFORCEMENT

So, based on the above analysis, the final spectrum of enforceability of common electronic signing types looks like this:

The above spectrum is a handy tool to assess enforceability of a particular electronic execution type you are evaluating as you make the transition to digital documentation. 

You can assess the location of each signing type on the spectrum against other key factors like:

- Likelihood of the need of enforcement arising

- Regulatory/Audit requirements 

- Internal compliance

Note: To see how we plotted other modes of execution on the spectrum, please refer to chapter 7 of our Laws of eSign book.

EVIDENCE ACT PROVISIONS IN FAVOUR OF ESIGNS

We saw how electronic signatures, or eSigns, best meet the end goals of the signing process, hence making them the most easily enforceable form of executing a document. But do our laws also recognise this inherent superiority of electronic signatures over other methods of execution? The short (and sweet) answer is YES. 

The Evidence Act creates several presumptions in favour of the validity of eSigns. These presumptions - when combined with the solid technical architecture of eSigns - make enforceability even easier. In this chapter we will look at what these legal presumptions in favour of eSigns are.

The Indian Evidence Act, 1872 lays down the rules governing admissibility of evidence in India. The Indian Evidence Act carves out several presumptions that make eSign much easier to enforce compared to other electronic execution methods. Let us take a look at what these presumptions are.

1. Section 47A

As per Section 47A of the Indian Evidence Act 1872, the opinion of the Certifying Authority (a highly regulated entity which issues electronic signature certificates) is a relevant fact for the Court to make an opinion as to the electronic signature of any person. Certifying Authorities maintain full transactional logs to assist and certify any transactions carried out through them for adjudication purposes. Therefore, in the unlikely event that an electronic signature is ever questioned in Court, there is a standing help in the form of a regulated neutral entity that can vouch for it. 

Additionally, the signature certificate, its properties and details such as the name of the signer etc. can be viewed by anyone in the PDF reader itself.

2. Section 67A

Section 67A states that if a signer uses a secure electronic signature to execute a document then it will be presumed that such eSign belonged to the signer herself and not to any other person. This means that for non secure eSigns, the affixture of the electronic signature must be proven to have been done by the signer. But for secure electronic signatures - this burden of proof is not required. Therefore, someone who has signed using a secure electronic signature later cannot refute his signature. This Section is the legal recognition of the ability of eSigns to meet the “authentication” goal of the signing process.

Aadhaar eSign, DSC Tokens and PAN eSign qualify as secure electronic signatures under the Evidence Act and the IT Act.

Note: For an analysis on why Aadhaar eSign, DSC Tokens and PAN eSign qualify as secure electronic signatures, please refer to chapter 8 of our Laws of eSign book.

3. Section 85A

Section 85A says that an agreement which has been executed using electronic signatures will be presumed to have been concluded between the parties and attained finality. Section 85A thus lends certainty as to the finality of the terms and conditions agreed between parties to the agreement.

4. Section 85B

Before we get into Section 85B, we need to discuss a new term - secure electronic records.

Any electronic document that has been electronically signed using Aadhaar eSign, DSC Tokens and PAN eSign is a secure electronic record.

Note: For an analysis on why an electronic record signed using Aadhaar eSign, DSC Tokens and PAN eSign qualify as secure electronic records, please refer to chapter 8 of our Laws of eSign book.

So what does Section 85B say?

Clause (1) states that in proceedings involving a secure electronic record, it will be presumed that the secure electronic record has not been altered since the time it was executed by a secure digital signature. The ability of Section 3 Digital Signatures and Schedule II eSigns to ensure integrity of the signed document is not just technologically assured, but now it is also legally recognised.

Clause (2) of Section 85B states that wherever there is a secure electronic signature, the Court will presume that it was affixed by the signer with the intention of signing or approving the electronic record. 

The effect of Section 85B(2) is that no party to an agreement, in case they use a secure electronic signature to execute the document, can later claim that they did not know what they were signing. Intention of the signer to approve the contents of the signed document is legally presumed, by virtue of this section. This section reinforces the ability of secure electronic signatures to meet the end goals of the signing process, especially “integrity” and “non-repudiation”.

5. Section 85C

Section 85C states that the details mentioned in the Electronic Signature Certificate, such as name of the signer, email ID and time of signing will be presumed to be true. This helps in establishing the identity of the person who signed the document. 

6. Section 90A

Section 90A applies to electronic records that are five or more years old. If such electronic records contain an electronic signature, then the Court will presume that it was affixed by the person whose electronic signature it purports, or appears, to be. Section 90A is similar to Section 67A of the Evidence Act, to the extent that the identity of the signer is presumed and need not be proven. 
