Ensuring authenticity in digital transformation using cloud signatures

By Venkatraman Srinivasan, eMudhra Limited

‘Property rights’ is a long-established concept in society, and as society evolves, so does one’s ability to assert property rights. This transformation can be seen in multiple eras: trade invention, the Industrial Revolution, and the technology revolution we are experiencing today. The concept of a ‘signature’ is also ancient, having been used as early as 4000 BC where the first marriage contract was drafted in an Assyrian tablet in the ancient city of Kanesh.  

Clearly, the basics have not changed in over 6000 years. Identity and authenticity have always been at the center of signatures and contracts. Yet, it is evident that there has been tremendous behavioral change with the uptake of mobile and technology adoption, and tremendous complexity in our business ecosystems through globalization. In our technology-driven era, as with past eras, systems and processes evolve to best cater to societal needs and enable societal progression onto the next epoch. The ability to ‘sign’ is so fundamental to our society in its ability to bind an identity to a contract that there is no doubt about the fundamental need to promote and quickly evolve digital ways of signing documents that promote adequate identity assurance and authenticity.

However, it is important that in our pursuit of ensuring authenticity, we do not sacrifice ease of use. This may result in a scenario wherein the technology would be ideal but may not be adequately adopted. For this reason, we already see many jurisdictions moving away from the use of tokens and smartcards towards ‘remote signing’ solutions (cloud signing). Cloud signing is increasingly becoming more popular with several countries opening up their identity stores to enable real-time identity verification and promote greater ease of use in adopting cloud signatures.

Authenticity is a key cornerstone in the cloud signature ecosystem. It is important to promote this properly so that jurisdictions realise the importance of Trust Service Providers (TSPs) and identity backed signature certificates (at a user or transaction level), as opposed to ‘Simple Electronic Signatures’ where application providers have the tremendous flexibility to promote ease of use at the expense of authenticity. At the same time, it is also critical to constantly evolve the identity vetting process itself, to make it more real-time, mobile, and easy so that end consumers more willingly adopt an identity backed certificate for an increasing number of use cases.

Below is a quick look at a couple of jurisdictions who have adopted their own approach to increasingly enforce authenticity in the signing process:

ESign, India: The Controller of Certifying Authorities in India in collaboration with local TSPs have allowed for a cloud signing service that operates based on 1) real-time ID validation against the National ID (using different methods), or 2) allowing a TSP to create eKYC accounts viaasynchronous Identity verification (including video) which enables users to sign documents leveraging ‘short term certificates’. Uptake in adoption of such identity-backed certificates has been significant over the past decade with eSign being adopted by several organizations to replace their manual onboarding processes and various other processes.

Individuals too are increasingly leveraging basic eSign functionalities to quickly sign and send documents to governments, banks, and various other entities (including each other). eSign is permitted for most use cases, except for very selective use cases, such as transfer of immovable property, etc.

UAE Pass,United Arab Emirates: UAE Pass, leveraging the ‘Emirates ID’ ecosystem was introduced in UAE a few years ago. The registration process has eased over time with the key enhancement being to eliminate the need for a visit to a kiosk and enabling asynchronous registration from the mobile app (leveraging Face ID and real-time validation against National ID).

UAE Pass has been gaining a lot of traction in UAE with most government agencies and large banks looking at enabling (or having already enabled) UAE Pass as a way of transacting with the organization. This is also a notable example where the authenticity has been pushed through increased awareness effectively replacing relatively weak SES (simple electronic signatures) based transaction ecosystems.

As businesses go more global and borders mean less for businesses, it is important to drive authenticity in the cloud signature ecosystem. Bodies like the Cloud Signature Consortium (CSC) have been instrumental in doing so by raising awareness around the importance of identity assurance, technology standards that can drive some commonality amongst jurisdictions, and much more. Authenticity, in both identity and content is crucial, as is the need to standardise the cloud signature ecosystem in more jurisdictions across the world.