Margus Pala, eID Easy: “if I could, I would ban anyone from accepting my handwritten signatures”
Adopting electronic signatures can be a tricky process, forcing businesses to resort to non-secure and rather obsolete methods of document signing.
A wide variety of existing electronic signatures come with their own potential pitfalls. For instance, email-based signatures are hard to prove in court, while others are expensive to adopt. But digital document signing leads us to a more secure future, and businesses shouldn’t delay the process of shifting to electronic signatures.
We've reached out to Margus Pala, the CEO of eID Easy, who talked us through all the ins and outs of digital signatures.
Tell us about your journey. How did eID Easy go from an idea to a business?
I loved the idea of electronic voting for the Estonian parliament from the start in 2005. However, if everyone has a strong eID such as a national ID card, then it felt stupid to let your voice be heard only once every four years. You could do that every day, voting on the same issues as parliament members are doing. I started building and experimenting with an ID card-based web app, a shadow parliament. At some point, people started asking me to help them integrate ID card user identification and electronic signatures into their websites, and then it was developed into the product in 2016. It was a hobby project for some time, growing organically, until Covid triggered turning it into an actual business. Now we have a complete team, funding, and a working solution. It’s getting hard to keep up with the customer demand.
Can you tell us a little bit about what you do? What are the main issues you help solve?
We are helping businesses adopt the highest quality electronic signatures. Without eID Easy, it is just difficult and expensive. As a result, businesses are forced to do non-logical actions to get by. Plenty of businesses sign documents by emailing, printing, signing, photographing, uploading, emailing, printing, and archiving. I don’t know if I should laugh or cry at that.
More innovative businesses use electronic signatures created by e-mail verification. This is much better and works perfectly with a down payment or another guarantee. However, the validity of such a signature is always decided only in court based on extra evidence. The signer just has to say that he never locks his computer, that everybody has access to his computer, and the court will deem the signature invalid unless you have other good evidence that this specific person signed the document.
With Qualified Electronic Signatures (QES) created on the eID Easy platform, the court accepts the signature as valid by default, as mandated by the eIDAS regulation.
In your opinion, why do certain organizations struggle to implement quality identification measures?
They do not know how easy it is. Since they have not done it before, they think it’s overly complex and creates unbearable friction. In fact, it is as easy as implementing Facebook login or PayPal payment. There are very many people who have a high-quality eID, which means that this is easily available.
Have you noticed any new cyber threats arise as a result of the pandemic?
I have seen more and more attempts to fool passport photographing and selfie-based user identifications. There is a very big error rate when comparing low-quality passport photographs with the face. You can improve the algorithms, but you will never get them as accurate as eID, which is much more reliable even with a “low” level of assurance (LoA).
While a digital signature is becoming a widespread tool, there are still some myths and confusion around it. What misconceptions do you run into most often?
The biggest myth is that standard e-mail verification-based signatures hold any ground when disputed in court. Sales and marketing engines are working hard to give businesses false confidence. Another very common piece of misinformation is saying that an e-mail-based signature is an Advanced Electronic Signature. Portals build nice Certificate of Completion pages that look like diplomas that you can frame and hang on the wall. How come it’s not valid in court when it looks so beautiful?
Some providers explain the concept of Qualified Electronic Signatures in the signed files, even if there is no connection with QES, to create an impression that the signature could be qualified.
Businesses do not understand that even a simple e-mail where people agree on something is the exact same level of signature that most portals sell for 1-2 EUR a document. If somebody challenges a non-qualified signature, then you are in trouble. According to eIDAS’ very broad definition, anything can be an electronic signature: “‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”
Even though the use of electronic signatures is basically commonplace, written signatures are still widely used. Are there any issues that can arise in this mix?
If I could, then I would ban anyone from accepting my handwritten signatures. Thankfully, I don’t even remember when I had to sign anything on paper, it must have been many years ago. Once I sign a document and give it to you, you can effectively examine the signature and create very effective fake signatures that even the best forensic experts have trouble distinguishing. Similarly, if I give you an image of my fingerprint, then you have full access to my phone and all my life.
There is also a very weird print, sign, and photograph signature hybrid. Businesses believe that this is the “same as handwritten” when in fact, this is the lowest legal validity electronic signature. You can photoshop whatever image you want on the picture, especially if you have seen a sample of my handwritten signature image.
Most importantly, the “signature” is actually the DKIM signature of your e-mail message and your name under the message. If you show this to the court, then the court might believe that somebody having access to that e-mail sent you a photo with this text, meaning they wanted to sign an agreement with you.
What are some of the lesser-known risks a company can be exposed to if proper authentication methods are not in place?
If you are using eID, it is extremely rare that somebody else will get access to your account. On the other hand, if you use passwords, you might never know that the account was compromised. It’s the same probability as someone taking money out of your account with your credit card and PIN. It might not happen, but if it does, then why are you writing down the PIN code of your card and then losing it?
What technologies do you think will emerge as digital identity becomes a significant part of our lives?
I say that by 2026 at the latest, more than half of the electronic signatures will be at the qualified level. The eIDAS wallet in 2 years will trigger a huge explosion in QES adoption as well. Along with the wallet, we will start seeing all kinds of human- and machine-readable digitally signed documents (Verifiable Credentials) circulating. In Estonia, this is already very common. Anyone can log in to the tax office and request proof of having no tax debt, and they will get a document with the tax office’s qualified electronic seal containing machine-readable XML and a human-readable PDF. Anyone can verify the contents of this document (Verifiable Credential) independently and fully offline.
Creating QES is actually extremely easy. There are plenty of free applications that you can install and use.
Unreliable e-mail-based signature creation means opening an e-mail, looking for the message, clicking the link, sometimes drawing a picture with the mouse, and clicking “Sign now”. At the same time, QES creation means clicking “Sign now,” opening the app on your phone from the notification, confirming the signature, and being done.
Creating the highest-quality signature can be even easier than, or involve very comparable friction to, a simple signature.
Even now, the price for a qualified signature can easily start from 0.1 EUR to 0.2 EUR, while also being 10x smaller than the price of a traditional simple signature.
Share with us, what’s next for eID Easy?
Even though we are a team of experts in electronic signatures and eID means, so far we have covered only part of the EU countries and methods. Imagine then international businesses tackling the same challenge on their own.
However, at our current pace, we will have all European electronic signatures and identity means integrated into our SaaS platform in 2022. We have seen a big interest in enhancing the quality of signatures in existing signature portals with our solution. After that, there is much more work outside Europe, where we see all kinds of electronic signature and digital identity solutions popping up like mushrooms in the forest after the rain.
When the eIDAS and other regional identity wallets come out, someone needs to help businesses adopt this technology. Along the same line, there will be a huge industry of issuing, verifying, and managing the credentials as well.
Due to the sheer amount of work, we are looking to expand our team. If someone feels like a “fully legally valid” electronic signature is the future, then they can get in touch with the eID Easy team.