
HelloTech has a series of documents they want potential technicians to sign. These are delivered by an email containing a link to their documents in the HelloSign document-signing service. Clicking this link sends the potential technician to a document they can sign, but there is no authentication step to verify that the person that's signing the document is who they say they are.

Since anyone could intercept the unauthenticated email link in transit and impersonate the signer, how can HelloSign claim that such a signature is legally valid?

Bill_Stewart

1 Answer


anyone could intercept the unauthenticated email link in transit and impersonate the signer

So?

If they sent a paper copy, anyone could intercept it in transit and impersonate the signer. In both cases, this would be fraud and, to quote from my answer to "How to prove the genuinity/nongenuinity of a signature?":

Fraud would have to be proved: it would not be sufficient to say "I did not sign that"; the person would need to demonstrate that a fraud has been perpetrated.

A party to a contract is entitled to rely prima facie on the validity of the signature. A person would have to provide evidence that it was not their signature or had been affixed without their knowledge or consent.

A court would look at the entire circumstances surrounding such a claim; if a person had, up until the dispute, acted as though they had signed the document then a court would probably not countenance an argument that they hadn't.

It is always possible to construct contrived circumstances where this or that could happen but, in reality, they are extremely rare. Unless you are dealing with a con-artist, you can trust the signature; if you are dealing with a con-artist, you have bigger problems.

It is irrelevant whether the signature is in ink or in bits, the same principles apply.

Of course, it is entirely possible, even likely, that the link sends a lot more information back to the HelloSign service than you think it does. Information that can both validate signatures and be stored as evidence.

Dale M
  • Email vs. physical mail in transit is a false comparison. There are legal ramifications for tampering with physical mail, but email by definition is clear text and available for viewing by anyone. – Bill_Stewart Nov 29 '16 at 22:32
  • @Bill_Stewart I didn't mention the transit of the physical copy was by mail - hand delivery or courier are both options. Anyway, how the interception happens is beside the point. – Dale M Nov 29 '16 at 23:29
  • I think I must not be explaining properly. A responsible party obtaining a signature will (or should) take reasonable means to ensure the signature is valid: Examples would be a courier requesting an ID, sealed mail, or web site authentication. Unauthenticated email has no means of proving the signer is actually the signer. It's even worse than that, because email by definition is clear-text, which means anyone could sign for anyone else, and there is no way to tell. – Bill_Stewart Nov 29 '16 at 23:57
  • @Bill_Stewart You're assuming that wet-ink signatures are somehow supposed to be unforgeable proof of identity. They're not. Courts are well aware that signatures can be faked, but they also know that you don't need to look at the signature in isolation. You can call witnesses (including the person who supposedly signed) to testify under oath (i.e. lying risks felony perjury charges), you can look at how people acted, you can do a lot of things. And in the end, you look at what is more likely, not at whether something is 100% certain. – cpast Nov 30 '16 at 01:18
  • Sure, but that's not really relevant to the question. I'm afraid I have asked a bit too technical of a question here. Of course things can be faked; the issue is that with an unauthenticated email it is really, really easy to fake and that's what I am drawing attention to here. – Bill_Stewart Nov 30 '16 at 01:27
  • @Bill Email is very often encrypted in transit, and even if not, it's far from trivial to intercept it. In any case, the standard of proof in a lawsuit is "preponderance of the evidence." You don't just have to show that the signature could conceivably have been faked, you have to show that it's more likely than not that it was faked. – cpast Nov 30 '16 at 01:39
  • Encrypted: Not in this case. Far from trivial to intercept: Not true at all, unfortunately. My recommendation is that these organizations (such as HelloSign) should implement some form of authentication to protect themselves from fraud. For myself, I will not sign without authentication. – Bill_Stewart Nov 30 '16 at 01:56
  • @Bill Encrypted: Yes, many commonly used email systems encrypt between servers. For instance, a HelloSign->Gmail email will be encrypted in transit, per Google. Intercept: Also nontrivial by anyone with any motivation to, unless you'd like to suggest a method how? Keep in mind that things like "Google intercepted it and forged my signature" aren't likely to sway a jury without actual evidence of that. – cpast Nov 30 '16 at 02:14
  • Encryption between servers: Yes, sometimes, but not guaranteed. Intercept: Trust me, it's easy for hackers who like to steal information to read emails in transit (and that's the point, isn't it?). This problem is silly and easily solved (or at least greatly mitigated) by having signers authenticate. – Bill_Stewart Nov 30 '16 at 02:26