
QES: What you need to know

Are digital signatures legally valid in Switzerland?

The world used to be simple. Contracts were con­cluded with a handshake. Or written on paper and signed by hand.

Franziska Ackermann
11.1.2022
The law stipulates when an electronic signature is valid. The requirements vary depending on the jurisdiction.

Today’s digital world is much more complex.

We regularly do things without thinking about their legal consequences. Today, a billion-euro deal can be null and void because of a formal error, despite digitally signed contracts – as the collapse of the Stadler Rail deal in September 2021 shows.

  • We enter into contracts when we click a button on the Internet.
  • We use scanned signatures as if they were originals.
  • We use digital signature services from cloud providers.

The question therefore arises: What actually applies when things get serious – if we want to conclude an agreement that is legally enforceable? When do I enter into a contract? Who has to prove that the contract was concluded? Which legal requirements apply?

In the following, we analyze these questions in relation to the digital conclusion of contracts under private law, as they typically occur in business transactions.

Technical implementation

Three aspects are central to the legal enforceability of contractual agreements:

  • Content of the contract: What was agreed?
  • Expression of will: Were identical expressions of will made?
  • Identity: Who are the parties to the agreement?

Only when these three aspects are clear, i.e. when a contract has been concluded, can one discuss rights and obligations from the agreement.

In the following we explain the technical implementation of these three aspects, as they lead to essential conclusions.

Make the content of the contract unchangeable

In the physical world, this is clear: we put the contract in writing, and the paper is relatively unchangeable. With digital contracts, for example in the form of a PDF file, things are more complicated. PDF files can be replicated and modified.

To make the content of a PDF file unchangeable, a checksum (a cryptographic hash) is calculated for the file. Any change to the document results in a different checksum. If I have two documents with the same checksum, I can be sure that their content is identical. The checksum thus makes any subsequent change to the contract content detectable.

Prove the expression of will

Orally or in writing, handshake or signature. Both are possible as an expression of will, but the signature has clear advantages in terms of provability. Digitally, things get more involved. To sign, both parties take the checksum generated above and sign it, which in practice means encrypting it with a private key. The scheme relies on two keys, one secret and one public. With the public key, I can check whether the encryption was carried out with the matching secret key.

This means that if I have a checksum that matches my document and the public key of the other party, I can prove that the party signed the document with their private key.

This is technically complex, but takes place millions of times a day. The entire Internet is based on the technologies described.[1]

The digital signing of a document now works as follows:

  • Create document
  • Calculate checksum
  • Have checksum signed by parties
  • Insert signed checksums into the document

Done: I can prove that the owners of the private keys knew and signed the contract. Now we use the “signing” borrowed from cryptography, and we have a simple electronic signature.
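The four-step procedure above, carried out in code as an added example (this is not code from the article or from fidentity). It assumes SHA-256 as the checksum and Ed25519 as the signature scheme, both from the Go standard library; the article names neither. It also shows the two properties the text relies on: equal checksums mean identical content, and changing a single character of the content invalidates every signature embedded in the document.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PartySignature is one party's signature over the document checksum,
// stored together with the public key needed to check it.
type PartySignature struct {
	PublicKey ed25519.PublicKey
	Signature []byte
}

// SignedDocument is the contract content plus the signed checksums that
// step 4 of the procedure inserts into the document.
type SignedDocument struct {
	Content    []byte
	Signatures []PartySignature
}

// Checksum is step 2: the hash of the document content (SHA-256 assumed).
func Checksum(content []byte) []byte {
	sum := sha256.Sum256(content)
	return sum[:]
}

// SameContent reports whether two documents have identical content,
// judged only by their checksums.
func SameContent(a, b []byte) bool {
	return bytes.Equal(Checksum(a), Checksum(b))
}

// NewKeyPair creates one party's public/private key pair (Ed25519 assumed).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// AddSignature is steps 3 and 4 for one party: sign the checksum of the
// current content with the private key and insert the result.
func (d *SignedDocument) AddSignature(priv ed25519.PrivateKey) {
	sig := ed25519.Sign(priv, Checksum(d.Content))
	d.Signatures = append(d.Signatures, PartySignature{
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: sig,
	})
}

// VerifyAll recomputes the checksum of the content as it is now and checks
// every embedded signature against it; one result per signature.
func (d *SignedDocument) VerifyAll() []bool {
	sum := Checksum(d.Content)
	results := make([]bool, len(d.Signatures))
	for i, ps := range d.Signatures {
		results[i] = ed25519.Verify(ps.PublicKey, sum, ps.Signature)
	}
	return results
}

// AllValid is true only if the document carries at least one signature and
// every signature still matches the content.
func (d *SignedDocument) AllValid() bool {
	for _, ok := range d.VerifyAll() {
		if !ok {
			return false
		}
	}
	return len(d.Signatures) > 0
}

func main() {
	// Constructed sample contract text.
	contract := []byte("Seller delivers 100 units at CHF 10 each.")

	_, sellerPriv, _ := NewKeyPair()
	_, buyerPriv, _ := NewKeyPair()

	doc := &SignedDocument{Content: contract}
	doc.AddSignature(sellerPriv)
	doc.AddSignature(buyerPriv)
	fmt.Println("both signatures valid:", doc.AllValid())

	// Tampering: one changed character changes the checksum, so neither
	// party's signature verifies any more.
	doc.Content = []byte("Seller delivers 100 units at CHF 1 each.")
	fmt.Println("after tampering:", doc.VerifyAll())
}
```

Note what the verification does not tell you: VerifyAll confirms that whoever holds each private key signed this exact content, but nothing in the document links a public key to a natural person. That gap is the subject of the identity section that follows.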

From a purely technical point of view, this process is absolutely “safe”. With today’s technology, a forgery attempt would take me a practically unlimited amount of computing time.[2]

To clarify: All optical features inserted into the document such as images of signatures, logos, stamps etc. are completely irrelevant and only serve to please the user. Technically and legally, these elements are meaningless.

Identity

Unfortunately, a simple digital signature on its own proves nothing about who signed. I can simply deny that the private key was mine. So I have a contract with signed content, but I cannot prove who the other party is.

This is where legal regulation comes into play. It defines how the identity of the parties is to be determined and linked to the signatures. There are three levels:

  • Simple: No guidelines whatsoever. Everything is allowed. Low assurance.
  • Advanced: The assurance that the link between the three factors can be verified must be “substantial”.
  • Qualified: “High” assurance that the link is correct.

The requirements vary depending on the jurisdiction.

Implementations available in Switzerland

Simple signature

Various implementations with the “simple signature” level are available on the market. Above all, Docusign is a well-known representative. Here you get a link that displays the document and enables it to be signed. The user types or draws his name and this is inserted into the document as a picture. The process described above is run in the background and a signed checksum is inserted into the document.

If we analyze this process, we have the following components:

  • A checksum is calculated for the content of the contract.
  • The expression of will takes place as a click or by typing the name.
  • The identity is unchecked. The connection to a person can only be made via the custom link sent by the sender to the recipient’s e-mail address.

If we dig a little deeper, we find out that the checksum was signed by DocuSign and not by a secret key that is only known to the owner of the e-mail address.

To summarize, a simple DocuSign signature can only ensure that the DocuSign company knew the content of the document.


At best, sending links via e-mail creates a very weak link between the person and activities on the Docusign platform. The evidential value should tend towards zero.

Advanced signature (FES)

Various providers enable advanced electronic signatures (FES). In Switzerland, these are subject to regulation (ZertES) with regard to the collection and linking of factors. In the context of the free assessment of evidence (Art. 157 ZPO), courts will attach increased evidential value to advanced electronic signatures. To reach the required level, providers have devised various methods, especially for identification, that achieve substantial assurance of the signer’s identity. There is a small boom in enterprise-internal processes: the combination of a company e-mail address and the employer’s knowledge of the employee’s identity can be used to build a solid procedure that is sufficient for many business transactions.

Swisscom offers a specialty in Switzerland with the argument that identification is required by law when handing over a SIM card and that a substantial level of security is thus achieved. A user can trigger a signature using an SMS code. The potential problem here is that the link between the contractual partner and his mobile number has to be established, which cannot always be taken for granted. It is also questionable whether it will be possible at the crucial moment to obtain evidence of the identity of the number owner.


The advanced signature in combination with an appropriate identification method can be an adequate compromise for many contracts. Before using the advanced electronic signature, however, it should be clarified whether the corresponding contract or type of contract must be in writing (written form requirement; form required by law). This is not the case by law for most types of contract (e.g. employment contract, order). Legal standards that require a handwritten signature can be found in consumer transactions (B2C), e.g. in tenancy law or consumer credit. Assignments of claims (assignments) and certain corporate law transactions also require the written form. In addition, formal requirements can be regulated in the contracts themselves (so-called contractual written form reservations), which is often the case with written contracts.

With an FES, a form invalidation arises in these cases. The contract did not come about and has no legal effect.

Qualified electronic signature (QES)

The qualified electronic signature (QES) is the counterpart to the handwritten signature. It offers legal certainty with regard to formal requirements, because it is explicitly “on a par with a handwritten signature” [3] and meets all legal formal requirements. Anyone who signs with a QES does not have to worry that a contract has not been concluded due to a lack of formal requirements.

Compliance with the formal requirements does not say anything about the evidential value of the document. Neither the ZPO (Swiss code of civil procedure) nor the ZertES (Swiss digital signature law) contain any special guidelines regarding the evidential value of electronic signatures. If the authenticity of the document or the signature is disputed, it can be assumed, according to the general principles of evidence assessment and legal doctrine, that the qualified electronic signature has a higher (if not full) evidential value. The Federal Administration’s Validator Service can be used to check whether a document bears a qualified electronic signature (a signature equivalent to a handwritten signature) and when the document was signed (qualified time stamp).

In order to achieve this high level of security, however, the legislator sets extensive requirements (ZertES; VZertES):

  • The checksums must be signed using certificates from providers recognized in Switzerland. [4] The certificates of numerous foreign providers (e.g. Adobe Sign, DocuSign) are generally not legally valid in Switzerland. [5]
  • Anyone who wants to sign with QES must also be personally identified in advance at a verified registration office and receive secure means of access with which they can release (i.e. sign) a signature in the future.
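What the first requirement means for a verifier, as an added example in Go (not code from the article, from fidentity, or from any provider named on this page). It covers the DocuSign observation above (a signature that verifies against some key proves nothing about the person) and the QES requirement that the key be covered by a certificate from a recognized provider. The certificate format is a toy structure, not X.509; the issuer names are placeholders; and the idea that each entry in the verifier's trust list carries the assurance level it is recognized for is a simplifying assumption. The point it demonstrates is general: the cryptographic check and the identity check are two separate steps, and only the second depends on who is recognized.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AssuranceLevel mirrors the three levels named in the article.
type AssuranceLevel string

const (
	LevelSimple    AssuranceLevel = "simple"
	LevelAdvanced  AssuranceLevel = "advanced"
	LevelQualified AssuranceLevel = "qualified"
)

// Certificate is a toy attestation (assumed structure, not X.509): the
// issuer vouches that SubjectPublicKey belongs to the person in Subject.
type Certificate struct {
	Subject          string
	SubjectPublicKey ed25519.PublicKey
	IssuerName       string
	IssuerSignature  []byte // issuer's signature over Subject and SubjectPublicKey
}

// Issuer is a certificate provider. Level is the assurance the verifier
// grants to certificates from this issuer (assumption: the trust list
// records recognized providers together with their level).
type Issuer struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	Level AssuranceLevel
}

func mustKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewIssuer creates a provider with a fresh key pair.
func NewIssuer(name string, level AssuranceLevel) Issuer {
	pub, priv := mustKeyPair()
	return Issuer{Name: name, Pub: pub, priv: priv, Level: level}
}

// NewPartyKey creates a contracting party's key pair.
func NewPartyKey() (ed25519.PublicKey, ed25519.PrivateKey) { return mustKeyPair() }

// DocumentChecksum is the hash that gets signed (SHA-256 assumed).
func DocumentChecksum(content []byte) []byte {
	sum := sha256.Sum256(content)
	return sum[:]
}

// SignChecksum is the party's signing step.
func SignChecksum(priv ed25519.PrivateKey, checksum []byte) []byte {
	return ed25519.Sign(priv, checksum)
}

// certPayload is the exact byte string an issuer signs; the separator keeps
// "Alice"+key and "Alic"+"e..." from colliding.
func certPayload(subject string, key ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), key...)
}

// Issue binds a subject name to a public key under the issuer's signature.
func (iss Issuer) Issue(subject string, key ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, SubjectPublicKey: key, IssuerName: iss.Name,
		IssuerSignature: ed25519.Sign(iss.priv, certPayload(subject, key))}
}

// Verdict is what a verifier can conclude about one signature on a checksum.
type Verdict struct {
	SignatureValid bool           // signature matches this checksum and key
	Subject        string         // attested signer; empty if no recognized issuer vouches
	Level          AssuranceLevel // assurance in the key-to-person link
}

// Assess checks the signature first (cryptography), then whether a recognized
// issuer attests the identity (regulation). A valid signature whose certificate
// comes from an unrecognized issuer, or whose issuer signature does not check
// out, stays at the simple level with no attested subject.
func Assess(checksum, sig []byte, cert Certificate, recognized []Issuer) Verdict {
	v := Verdict{Level: LevelSimple}
	v.SignatureValid = ed25519.Verify(cert.SubjectPublicKey, checksum, sig)
	if !v.SignatureValid {
		return v
	}
	for _, iss := range recognized {
		if iss.Name == cert.IssuerName &&
			ed25519.Verify(iss.Pub, certPayload(cert.Subject, cert.SubjectPublicKey), cert.IssuerSignature) {
			v.Subject, v.Level = cert.Subject, iss.Level
			return v
		}
	}
	return v
}

func main() {
	// Constructed sample: one recognized provider and one platform the
	// verifier does not recognize (both names are placeholders).
	recognized := NewIssuer("Recognized-Provider-Placeholder", LevelQualified)
	platform := NewIssuer("Unrecognized-Platform-Placeholder", LevelSimple)
	trustList := []Issuer{recognized}
	sum := DocumentChecksum([]byte("Constructed contract text."))

	alicePub, alicePriv := NewPartyKey()
	fmt.Printf("%+v\n", Assess(sum, SignChecksum(alicePriv, sum), recognized.Issue("Alice Example", alicePub), trustList))
	bobPub, bobPriv := NewPartyKey()
	fmt.Printf("%+v\n", Assess(sum, SignChecksum(bobPriv, sum), platform.Issue("Bob Example", bobPub), trustList))
}
```

Bob's signature is just as mathematically valid as Alice's; the verdicts differ only because nobody on the trust list vouches for Bob's key. Swapping the issuer name on a certificate does not help either, since the issuer signature is checked against the recognized provider's own public key.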

There is an exception for financial intermediaries (e.g. banks) when it comes to identification: it is also possible to issue a QES online using video identification. Here it is legally argued that identification takes place via video chat “among those present”. However, the signature is only valid between the parties. Reusability in other business relationships is excluded.

In typical implementations, the user goes through a video interview and approves the signature using an SMS code. In this way, contracts with great evidential value can be concluded at a distance. The disadvantage compared to the simple methods is that the identification and the signature are expensive (~20 CHF) and that the hurdle for typical online use cases is high. It takes 10 to 15 minutes to complete the process.

As attractive as the advantages of QES are, it is unfortunately not widely used today. A vanishingly small proportion of the population has the option of signing with a permanently qualified signature. The ad-hoc method via video identification is reserved for financial intermediaries and is also time-consuming and expensive.

Summary

In Switzerland, digital signatures are regulated by law and their validity varies depending on the jurisdiction. There are three key aspects for the legal enforceability of contracts: Contract content, expression of intent and identity.

Digital signatures use checksums and encryption to ensure the immutability and traceability of the contract content. Simple signatures such as DocuSign offer low security, while advanced signatures (FES) have greater probative value thanks to better identification methods. Qualified electronic signatures (QES) are equivalent to handwritten signatures and offer the highest level of security, but are complex and expensive to implement.

Outlook

The central problem for the evidential value of digital signatures is the link to a natural person. The physical registration and video process are tedious and expensive, and pre-registration has only proven to be useful for a few people.

However, there is a silver lining on the horizon. Identification methods based on artificial intelligence (AI) offer “substantial”, in combination with manual sampling even “high”, security. These highly automated processes enable faster and more convenient usage of qualified electronic signatures. The regulators in Switzerland and the EU seem to see this in a similar way. There is well-founded hope that the legal security of qualified signatures can be combined with a user-friendly process in the foreseeable future.

The development remains dynamic and we hope to see significant progress in 2022.

Authors

Dr. Martin Eckert (Partner MME) linkedin

Dr. Thorsten Hau (CEO fidentity) linkedin

Footnotes

[1] For example, the HTTPS internet protocol, which is used when surfing the internet. The content is encrypted and signed using exactly the same methods.

[2] An attack requires 10 to the power of 64 years of computing time. For comparison: the universe has only existed for 10 to the power of 10 years.

[3] https://www.fedlex.admin.ch/eli/cc/27/317_321_377/de#art_14

[4] The following four providers are currently recognized: Swisscom (Switzerland) AG, QuoVadis Trustlink Switzerland AG, SwissSign AG and the Federal Office for Information Technology and Telecommunications.

[5] Only if the foreign suppliers integrate certificates from suppliers recognized in Switzerland into their products can the corresponding products possibly meet the requirements of a QES under Swiss law.
