Department of Justice eSignature Guidance for Federal Agencies

A useful resource is U.S. Department of Justice LEGAL CONSIDERATIONS IN DESIGNING AND IMPLEMENTING ELECTRONIC PROCESSES: A GUIDE FOR FEDERAL AGENCIES, from which I quote at length below:

...
2. The importance of signatures

Signatures have been given a unique place in the law partly because they reflect physical characteristics of individuals that were applied to the particular document at issue. Generally, the presence of a signature on a document is sufficient to identify the person who signed the document (although courts might require that someone identify the signature as belonging to the signor), to indicate that the person read and was familiar with the contents of the document (or at least had the opportunity to read it before she signed it), and to demonstrate that the person agreed and intended to be bound by the contents of the documents she signed.#20 These may be only assumptions, but agencies, businesses and the courts routinely rely on them.#21 Such "presumptions" provide a set of rules for associating an individual with a document and establishing his or her intent to accept or acknowledge its contents. Many of those rules are supported by centuries of case law and, in some cases, statutes that enforce them. Of course, signatures can be forged, may be illegible, or may have been placed on a document in a manner that does not satisfy the rules. In those situations, the party challenging the signature generally has the burden to rebut or overcome the presumption.

Unlike traditional signatures, electronic alternatives do not yet necessarily enjoy the long history of use and common expectations that surround traditional signatures. However, other steps have been taken – and undoubtedly more will be taken in the future – to support the validity of electronic signatures. For example, an increasing number of statutes and regulations impose the same presumptions of identity, intent, or familiarity with content that are typically associated with paper signatures. The proper design of legal instruments can reduce the need for such presumptions. Until such presumptions become widely accepted for electronic signatures, agencies should ensure that the electronic signature technologies they adopt identify the signers of the document and clearly express their intent and familiarity with the document.

For example, statutes that require certain agency officials to authorize or approve an agency action might not be satisfied with something less than a signature on a document. Thus, simply affixing a "/s/ [Named Official]" on an electronic document authorizing a particular agency action may not satisfy any requirement that agency actions be authorized in a signed writing by the appropriate official, any more than it would on a paper document. The official's signature on a paper authorization demonstrates that the official saw and signed the authorization; the law presumes that the official was aware of the contents and the effect of signing the document. To the extent that an agency adopts electronic processes for such approvals, it must ensure that the technology utilized provides a legally acceptable method for indicating approval of the action.

3. Electronic alternatives to traditional signatures

Electronic signatures generally fall into three broad methods of identifying an individual: something the individual knows, something the individual possesses, and something about the individual. Examples of techniques that use these methods include user identification codes and passwords (i.e., numbers or codes known to the individuals such as a "PIN," a passcode, or a private key used to make a digital signature #22), tokens, smart cards or other physical objects that the user possesses that may be inserted into a reading device, and devices that measure physical, or "biometric,"#23 characteristics of the individual.#24 The National Institute of Standards and Technology has recognized that use of a combination of authentication techniques can "substantially increase" the security of an authentication system. For example, public key digital signature technology is designed to work only when the private key which is used to make a signature is used in conjunction with the proper PIN, password, or biometric identifier.#25

Properly implemented, various types of electronic signatures, like traditional signatures, can offer increasing degrees of reliability, although no system – either electronic or traditional – can completely prevent fraud or misuse. Depending on the nature of the transactions, smart cards and sophisticated digital signatures that use public key cryptography can frequently offer a reasonable degree of reliability. The risk with these technologies is that any number that can be typed or any card or token that can be inserted can also be disclosed to others or stolen. Parties seeking to avoid a transaction might claim that their identifying number, card or token was given to others who then acted as imposters. Of even greater reliability is a properly implemented biometric-based digital signature. When coupled with public key cryptography, biometric-based digital signatures become an even more powerful tool that holds much promise. However, the widespread use of biometrics would be expensive to implement, its commercial application is still relatively limited, and not every transaction requires this very high degree of security.#27

Moreover, electronic signature methods vary in their ability to ensure that an electronic document to which they are bound has not been altered after signing. Some methods provide no assurance at all, but systems using "public key, private key" digital signatures generally are designed to reveal such alterations. Thus, the better approach is to vary the level of security, depending on the significance of the underlying documents. For those records where the need for reliability is even higher, agencies should consider using a combination of security methods.#28

Indeed, a well-designed electronic system can make the indication of agreement more trustworthy than paper documents that are ambiguous as to intent. The creative design of the agreement formation stage of an electronic process offers agencies the possibility to develop an indication of intent that is even more meaningful than one arising from traditional paper processes. For example, when a multi-page paper document is signed only on the last page, the question is sometimes raised whether all of the pages were included in the document the signer signed. An electronic signature bound to the entire document eliminates any question as to the contents of the document signed by the signer. With high value transactions, exceeding, rather than merely meeting, the reliability standards of paper signatures, should be an agency's goal.
...

20 Experience teaches that signatures are important to connect the individual to the act, and in some cases we have failed to prove our case where we have not had the defendant's signature. For example, in United States v. Larm, 824 F.2d 780 (9th Cir. 1987), an allergist was acquitted of Medicare fraud concerning claim forms he did not personally sign. In United States v. Brown, 763 F.2d 984 (8th Cir.), cert. denied, 474 U.S. 905 (1985), the conviction of a pharmacist was reversed on some counts because the government could not link him, through a signature or initials, to claims submitted to the government for brand-name drugs when generic drugs were dispensed.

21 Thus, for example, courts normally prohibit individuals from avoiding their obligations by contending that they did not read what they signed, or that the contents were not explained, or that they did not understand them. In re Cajun Elec. Power Co., 791 F.2d 353, 359 (5th Cir. 1986); see Jones v. New York Life & Annuity Corp., 985 F.2d 503, 508 (10th Cir. 1993); Hill v. A.O. Smith Corp., 801 F.2d 217, 221 (6th Cir. 1986); O'Neel v. National Ass'n of Sec. Dealers, Inc., 667 F.2d 804, 806 (9th Cir. 1982).

22 A "digital signature" is generated by using an algorithm that ensures the identity of the signatory and the integrity of the data can be verified. Signature generation makes use of a value (commonly referred to as the "private key") to generate a digital signature. Signature verification makes use of another value (commonly referred to as the "public key") which corresponds to, but is not the same as, the private key. Each user possesses a private and public key pair, and the private key is not deducible from the public key. Public keys are permitted to be known widely, and assumed to be known to the public in general. Private keys should not be shared. Anyone can verify the "digital signature" of a user by employing that user's public key. However, signature generation can only be performed by the possessor of the user's private key. See National Inst. of Standards & Tech., Federal Information Processing Standards Publication 186-1, Digital Signature Standard, at 1 (1998).

23 By "biometric," we mean attributes arising from a person's physical characteristics or actions that are unique to that person. These include codes derived from electronic analysis of fingerprints and retinal scans, among others.

24 Exclusive reliance upon one biometric identification without providing any alternatives, however, may run afoul of the Rehabilitation Act, 29 U.S.C. § 794d (West Supp. 1999), which may require agencies to provide alternative means of identification for those who do not possess the requisite physical characteristics (e.g., persons with prosthetic hands cannot provide fingerprints).

25 National Inst. of Standards & Tech., Federal Information Processing Standards Publication 190, Guideline for the Use of Advanced Authentication Technology Alternatives, at 39-40 (1994).

26 On the other hand, paper signatures are susceptible to forgery. Forgeries of traditional signatures can often be detected by handwriting analysis and forensic examination. Proving that someone else used an electronic signature can be more difficult because the electronic signature has no attributes that associate it with the individual unless a biometric method is used. However, it may be difficult for an individual to explain how and why someone else was able to obtain access to an electronic signature that had been assigned to her with instructions to safeguard it and keep it private.

27 As with other technologies, signatures in a biometric signature system that was not properly implemented might be subject to challenge. If the method of recording and preserving the signature is flawed, the signatures may not be considered reliable and may not be legally adequate to establish binding obligations.

28 For a more detailed discussion of various types of electronic signatures, and the advantages and disadvantages of each, see the OMB GPEA Guidance, "Implementation of the Government Paperwork Elimination Act," May 2, 2000, Part II, Section 7, 65 FR at 25518.
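
The following is an added example, not part of the quoted guidance or of any DOJ or NIST code. It illustrates the guide's points that public key signatures "are designed to reveal" alterations and that a signature bound to the entire document removes the last-page-only ambiguity. Assumptions: Ed25519 from the Go standard library stands in for the Digital Signature Standard algorithm cited in footnote 22, and the three-page document and all function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// digest hashes the page count and every length-prefixed page, so pages cannot
// be added, dropped, reordered or re-split without changing the result.
func digest(pages []string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:", len(pages))
	for _, p := range pages {
		fmt.Fprintf(h, "%d:%s", len(p), p)
	}
	return h.Sum(nil)
}

// signWhole binds the signature to the entire document.
func signWhole(priv ed25519.PrivateKey, pages []string) []byte {
	return ed25519.Sign(priv, digest(pages))
}

// signLastPage models the paper habit of signing only the final page.
func signLastPage(priv ed25519.PrivateKey, pages []string) []byte {
	return ed25519.Sign(priv, digest(pages[len(pages)-1:]))
}

// demo reports whether (1) the whole-document signature verifies on the
// original, (2) it still verifies after page 1 is altered, and (3) the
// last-page-only signature still verifies after the same alteration.
func demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	// Constructed sample document, not taken from the guidance.
	orig := []string{"Page 1: pay $100", "Page 2: terms", "Page 3: signature block"}
	whole, last := signWhole(priv, orig), signLastPage(priv, orig)
	altered := []string{"Page 1: pay $900", orig[1], orig[2]}
	return ed25519.Verify(pub, digest(orig), whole),
		ed25519.Verify(pub, digest(altered), whole),
		ed25519.Verify(pub, digest(altered[2:]), last)
}

func main() {
	a, b, c := demo()
	fmt.Println("whole/original:", a, "whole/altered:", b, "last-page/altered:", c)
}
```

The third result is the electronic analogue of the multi-page paper problem: a signature that covers only the final page still verifies after an earlier page has been changed.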