Paul,

Your survey interests me.  The problem with electronic signatures is the signature itself and the documents to which they are attached.  Having a person "sign" an electronic document or having a notary apply an electronic notary signature to a document doesn't solve the problem. 

In a court where disagreements with respect to the validity of documents would be tested, the issue of authenticity must be addressed successfully to allow for the admission of evidence.  If the electronic document or any component that went into its creation cannot shown to have been under a continuous "chain of custody," the document would likely be ruled unauthentic, hence inadmissible or admissible with many questions about it trustworthiness.  Even if the possession of the document has been continuous but the electronic document has been moved from one medium to another (from disc to CD to tape, etc.) and if there is no contemporaneous attestation in writing by the person who actually moved the data that the movement of the data was done in conformity to existing written policies and procedures for the preservation of data, the chain of custody would be regarded as having been broken.  Finally, if there are two competing versions of the subject documents and if the court cannot establish that either party in the contest has an unbroken chain of custody, there is the distinct possibility that the case may be thrown out.

Wet signatures prove nothing, as well.  Ink on paper may appeal to someone's innate sense of trust, but anyone can sign a piece of paper, and a skillful forger can fool the best handwriting expert. 

Signatures are simply icons of one's agreement to be bound by the terms of a contract.  The trust imbued in them comes from a time when one's word meant something and one's mark was unique and symbolized the honorable commitment of a party to uphold his end of an agreement.  Today, signatures have a far lower esteem level, and they lack the moral force of previous centuries.  The heroics we undergo today to pin down those who skirt the responsibilities attendant to the application of a signature in a legal setting reflect the general disregard we as a people have for the importance of keeping one's word.

So, the technology has to scale upward to keep pace with human dishonesty.  My company produces a system that positively identifies the sender of a document in such a way that it does not rely on signatures, user names, or passwords, and it keeps a contemporaneous encrypted copy of the document being sent in a repository for later reference in court (if it gets to that point).  The whole process creates a digital eyewitness to the process that cannot be subverted by tampering with the signature, rewording the document, or any other form of document tampering.

Feroz,

Yes, you are right, the UETA and E-SIGN, signed into law by President Clinton in 1999 and 2000, respectively, gave domestic and international commercial electronic documents the same force of law that paper documents had previously.  The condition applied in these laws was basically that the documents had to have an authenticating digital signature and the parties to the transaction had to agree that such documents would meet the requirements of their businesses. 

A glaring example of how these laws are routinely ignored is the U.S. Customs Service and foreign customs services which routinely demand the production of the original paperwork when moving goods through the customs process.  One would think that the E-SIGN law which was to make electronic transactions of international scope binding would have some bearing on how goods clear our borders.

All that being said, the problem with digital signatures is that their existence only proves who paid for them, not who applied them to specific documents.  When I buy a digital signature from Thawte or any other signing authority, I receive that little bit of digital alphabet soup that comprises the signature.  Then it has to be placed into a digital store (storage area) on my computer where it becomes accessible to programs that facilitate digital signing such as Microsoft Outlook, Word, and Excel, Adobe's Acrobat, etc.  If someone has the user name and password to gain access to a machine that has digital signatures on the disk, that person can sign anything he or she wishes.  The most that can be said about a digital signature is that:

1. it was purchased by a person, presumably the same person whose name appears when one views the visual representation of the certificate,

2. it was installed on a specific machine, and

3. someone who had access to that machine and who knew the login credentials for the machine applied the digital signature to the document in question.

That leaves a lot of room for doubt about who signed it and sent it, and it says a lot about the gaping holes in computer security that prevail in 99% of all businesses and home computers. 

The litigation climate in the United States today when it comes to the discovery of electronic documents is all encompassing.  PDAs, mobile phones, dgital faxes, computers, network logs, cached files from web browsing, in-memory databases and cached memory (yes, it's true), deleted files on hard discs, e-mail, instant messages, and the like not only from devices owned by a business but also from persons and organizations that have received electronic communications from the business become fair game for a team of attorneys seeking to protect their client.  Independent contractors home computers, an Internet Service Provider's servers, computing devices maintained by companies or persons to whom e-mail might have been forwarded can all be subject not only to e-discovery but worse a little something called a "litigation hold." 

One learns about a litigation hold usually before the litigation is even filed.  A letter arrives at your office from the attorney for what will be the opposing party in eventual litigation that explains that there is a possibility that litigation might be filed imminently, and in order to preserve evidence as required under U.S. law, you are required to preserve all data in your control in its present state.  That means not adding any data, deleting any data, performing no upgrades to software, not adding new users if their addition will cause areas of network discs to be overwritten to any extent, not deleting e-mail, not deleting instant messages, and so on.  To do so would be what the court calls "spoliation." 

If one is found to have committed spoliation, the remedies for the court are very wide ranging, but their intent is to place the party committing the act in a legal position relative to its opponent that prevailed at the time the acts were committed.  This might mean that the judge would give instructions to a jury to regard evidence presented by the spoliator as false and to infer a prejudicial view of the actor that makes the spoliator's argument less tenable.  It could also mean that the judge would require the guilty party to pay some or all of the e-discovery costs of its opponent.  It could even mean he would levy a substantial punitive fine.

So, digitial signatures are fine if they are in the possession of scrupulously honest people who jealously guard the security of their computers.  Unfortunately that isn't usually the case.  Most people don't watch their computers like hawks, and also unfortunately, there are plenty of people out there who are ethically challenged, being unable to understand the difference between right and wrong.  The combination of these two defects makes the documents signed with digital signature less than trustworthy from a legal perspective.

Paul,

Yes, the electronic signature provided by DocuSign is not a digital signature in the sense that Verisign or Thawte would issue.  That kind of digital signature is simply a string of ASCII values that are uniquely associated with the subscriber.  Moreover, the signing occurs on the user's machine because that is where the digital signature data is stored.

DocuSign sends an e-mail message informing the person to click a link.  When he does, the document requiring signing appears with some aids or instructions.  What it ends up achieving is the application of the person's name, usually in some form of cursive script so that it looks like perhaps someone's florid handwriting, in the spaces where one would sign.  

Bear in mind that these are contracts that are being signed, things that have to withstand the test of the courts.  So, what does such a method offer in the way of proof of the signer being the person whose name is on the document?  There is the session information, i.e. the IP address of the machine connected to the server.  If pressed in court to map that address to the person's actual machine, the attorney would have to subpoena the records of the Internet Service Provider that would show that on that day and at that time, that machine was assigned that IP address.  The connection between the e-mail having been sent to a specific e-mail account and the following login to the server would tend to make someone assume that the intended recipient read the e-mail and followed through with the expected action.  Finally, and most importantly, the person who signed the contract using this mechanism would have to swear under penalty of perjury that he was the one operating the computer and that he willingly signed the document.

What's wrong with this scenario?  First, as you pointed out, a person could steal the computer or somehow access the intended recipient's e-mail account.  This is easier than one would think.  E-mail is sent in clear text over the Internet.  That means that there is no encryption of the message contents, and it is easily read by someone who wishes to "sniff" the line using any number of freely accessible hacking tools found on the Internet.  Here are just a few of them.

Some Internet access methods lend themselves to this more than others.  For instance, Internet access available from a cable company is really Internet access that passes through or by everyone else in the neighborhood where the cable company's wiring is strung.  In effect, cable Internet is like an old fashioned telephone party line.  Your message passes by everyone on the circuit.  I found this interesting quote from a woman who works with a public relations firm in the Silicon Valley.  "My associate recently installed a cable modem in her home and was shocked to find that 'Network Neighborhood' was, literally, her neighborhood! She could see the desktops of all her connected neighbors." 

DSL is more difficult, but it can be intercepted at the ISP level.  In fact, under one of the many laws that were passed in the wake of 911, ISPs can, and most do, keep copies of e-mail messages from their subscribers on their servers long after the e-mail has been retrieved by the user.  This is done so that in case the government needs to pursue a domestic terrorist, it can trace him down and discover his intentions.  That same capability to discover malicious intentions can be used by anyone who works with the network equipment and servers at the ISP to read your e-mail, line by line and word for word.

The end result is that e-mail destined for Sam Smith could be intercepted by Nefarious Nick, and the contract could be signed by Nick without Sam's knowledge or permission.  In a case where Sam is denying he ever signed the document, proving he did in a way that meets the tests of the FRCP may be difficult, and in the meantime in the case of a real estate transaction, commissions can be held in abeyance, title transfer can be stopped, people can be prevented from moving, and a whole avalanche of litigation can be spawned costing more than one could believe to be possible.

Let's say the e-mail was not sniffed or hacked; let's say Sam left his computer on and didn't lock it down before he stepped out of the room.  His 10 year old son comes in and sees all the fancy stuff on the screen.  Regarding it like a computer game, he signs the contract by following the simple instructions.  It can happen, and sooner or later it will.  Or let's say that Sam's wife, who thinks she knows her husband's intentions, sees he is busy, so she signs the document using his name.  Not realizing that part of the reason that Sam stepped away from the computer was because he wanted to think about it first, she has committed him to an agreement (on paper at least) that he doesn't want and will refute in court.  In a non-community property state, such a refutation would hold water.

Finally, let's say that that there is no question about the e-mail or the machine from which the action took place.  Let's say that there is even no real likelihood that Sam DIDN'T sign it.  Let's just assume that Sam is a jerk; he has had buyer's remorse, and lacking any ethical character, he decides simply to find a fast way out even if it is wrong to do so.  His challenge to the opposing attorney would be, "Prove it was me in front of that computer signing that document."  The opposing counsel would be very hard pressed to do that unless there were eyewitnesses who saw the computer on, who saw the document on the screen, and who saw Sam actually taking actions that cause his name to appear on the screen and in the spaces requesting his signature.  Anything short of that would be purely circumstantial evidence.

Now, are digital signatures here to stay?  Of course.  The UETA and E-SIGN legislation of 1999 and 2000 stipulate that they are to be used, and there are laws throughout the civilized world of which our laws are mirrors that affirm the same, but the signatures they refer to are the kind that are issued by a signing authority such as Verisign or Thawte, not simulations of someone's handwriting.  Legislation, however, presumes that the methods and processes discussed will be used by people who obey those laws.  No amount of legislation, however, can coerce a person determined to break them to become law abiding.  When someone does transgress the boundaries of permitted behavior, it then is incumbent upon their accusers in court to PROVE that they broke the law.  The presumption of innocence is what complicates things so much for those of us who want our society to be comprised of trustworthy people. 

So, while digital signatures are here to stay, don't put a lot of trust in what they can do in court to right a wrong committed.  You will have to look beyond these simple tools to systems that are similar to what we produce in our company, things that actually identify the person sitting at the computer and that audit every step taken in the operation of a machine when engaging in an action that could have legal consequences.