Data Security – Is it on Your Mind?

I spend a great deal of time thinking about electronic signature and online contract execution. The DocuSign process is a green process for contract execution, when compared to a purple (fax) process. How do the two compare regarding security?

I was just reading Schneier on Security, a blog on security and security technology. According to Schneier, the security of a purple process is sorely lacking:

“It’s trivial to cut and paste — with real scissors and glue — anyone’s signature onto a document so that it’ll look real when faxed. There is so little security in fax signatures that it’s mind-boggling that anyone accepts them.”

In another post from his archives, Schneier commented on the story of a prisoner being freed from jail on the basis of a forged fax – a fax was sent to the jail, stating that a decision had been reached to release the prisoner immediately. Because faxes are treated as if they were original documents, people do accept fax signatures and do so all the time. However, faxes lack authentication mechanisms of original documents, such as letterheads, watermarks and signatures. We also have the issue of unsecured data within the fax process, such as exposed credit card numbers, personal contact information and other potentially sensitive data.

Security Considerations of a ‘wet’ Signature:

• Is unique to the signer, but each one may look slightly different
• May not be known by the recipient, so there is no certain way to rely on it
• Is subjective in that handwriting experts can indicate ‘likelihood’ that it belongs to a given individual, but it is often arguable
• Can be easily copied and used on other documents via “real scissors and glue”
• Does not ensure the underlying document has not been modified
• Has to be physically moved around, as in faxed

What if Security Were Highly Important to You?
DocuSign’s electronic signature and online contract execution process captures the identity of the party to the agreement, generally via an email address associated with the individual. DocuSign also captures the individual’s consent to use electronic signatures and adoption of a GUID/Symbol combination. This combination serves as the individual’s signature which can then be applied to an unalterable document with a unique envelope ID number. Combine the above with an audit log of the sending and signing process with a hash value to the actual image of the signed document, you have a process that would take more than cut-and-paste to fake. DocuSign can issue a digitally signed (sealed) electronic record of the transaction for true reproduction of the electronic version of the document. Eliminating the manual document handling eliminates data leakage via fax in the physical world.

Security Considerations of a DocuSign Signature:

• Both the visible and invisible aspects of the signature are completely unique to the signer and cannot be copied
• Arrives with evidence about the signer’s identity such as email, IP address, authentication information, time stamps, etc.
• Is not subjective, as experts can easily determine from the extensive audit log exactly who signed, when they signed, and where they signed on the document with evidence.
• Cannot be copied anymore than a picture of the Mona Lisa is the actual Mona Lisa
• Affirms the fact the underlying document has not been modified
• Does not have to be physically moved, as it is electronic

In our ‘mock trials’ the judge indicated that if a person wanted to commit fraud, the first thing they would do is to request a paper transaction because

How important is your and your customers' data?

Image courtesy of flickr user L.Marie under Creative Commons. v