Why Data Privacy Is Impossible Without End-to-End Encryption

December 15, 2021

What would happen if all of your documents containing sensitive information were all of a sudden exposed, out in the open? 

As online activity grows, it becomes more and more important to ensure your data privacy by properly encrypting your documents. And even though most eSignature providers mention the word “encryption” somewhere, the unfortunate truth is that not all encryption is created equal.

Without asymmetric, full end-to-end encryption, your data can be accessed by one or more parties in the eSignature process. Whether that’s legal access as defined in the “rule of least privilege,” illegal access as the result of a data breach, or anything in between – without proper encryption, your privacy is at risk.

“But our data is encrypted – we were assured of that”, you may say. And while that’s technically true, different types of encryption offer vastly different levels of protection. And out of all the possible options (and marketing terms) out there, only one presents a bulletproof solution for your privacy concerns. 

Here’s Why Data Privacy Is Impossible Without End-to-End Encryption

If you’re working with anything but asymmetric, full end-to-end encryption, your data privacy is at risk. Take a look at the issues listed below to see beyond the marketing slang you’ve likely been presented with when you signed with your provider. 

Without proper end-to-end encryption… | What that does to your data privacy
Anyone can intercept your unencrypted data | You never know who’s eavesdropping and copying your documents
The “rule of least privilege” allows for access to your data | Given the right title or position, any employee can read your documents
AI can access your data | Your documents are now processed by smart tools – somewhere, somehow
Governments can legally access your data | Your unencrypted documents could end up in the hands of any government agency
The risk of a hack becomes a real threat | You become exposed and potentially a victim to blackmail
There ultimately is no encryption | Every second your documents are online unencrypted is a risk to your privacy
Bonus: Your keys could be sent along with the encrypted documents | As soon as someone gets your documents, they get the decryption keys as well

Any of them create an uneasy feeling? Let’s take a closer look and see why all of these issues ultimately end up in the same result – the loss of your privacy. 

Without end-to-end encryption, your transmissions are exposed

There are plenty of opportunities for someone to listen in on your data traffic. Whether you’re using the public WiFi in a coffee shop, or you’re based in a country that allows for the legal interception of internet traffic by your ISP: If you’re sending any data unencrypted, or with an option to decrypt it, anyone along the many hops of internet traffic could be listening in.  

You’ll never know every single touchpoint of your internet traffic. And therefore, you have no way of ensuring they’re all trustworthy or even protected adequately. And even if you’re an expert: Any one of these points can change their technology or permissions at any time, without any obligation to notify you. 

Without end-to-end encryption, employees can see your documents

The ominous “rule of least privilege” defines that certain employees at your eSignature provider can access your data. And while the idea in itself – limiting access to strictly necessary roles – is certainly laudable, it does not hide the fact that there is access, depending on the job title or project in question. 

You don’t define the “privilege”, which means you’ll never know who’s accessing your sensitive data at any given point in time. Roles change. Role descriptions change. Requirements to fulfill certain roles change. All of which can happen without you ever being notified by your eSignature provider. 

Without end-to-end encryption, AI tools have access to your data

Fancy tools like “life-cycle management and analytics” or “proposal management software” are great – but they need unrestricted access to your data to work. They provide benefits by streamlining certain workflows and auto-creating specific content, none of which is possible without actually knowing the content of your documents in the first place. 

If AI can read your documents – who or what else can? As soon as any smart tool has access to your unencrypted documents, the data is out there. It’s read, analyzed, improved, passed on to other tools, used for statistics…the list of use cases never ends. You’ll never know where exactly your content ended up and what’s being done with it.  

Without end-to-end encryption, the door is open for any government 

Governments can legally request your sensitive data – and you want your eSignature provider to comply with those requests. The issue is that access is by no means limited to your government: Agreements like the CLOUD Act specifically outline scenarios in which the participating government agencies freely exchange information requested from any provider within their jurisdiction. 

Your eSignature provider should not have to choose between obeying the law and protecting your privacy. For your own sake, you want to be using a provider that willingly complies with any applicable law – because the alternative would put your data at risk anyway. At the same time, once the tentacles of the government grab your unencrypted documents, they’re gone and potentially exposed forever.

Without end-to-end encryption, you’re at risk of getting hacked

Getting hacked is not a question of “if”, but rather a question of “when”. Some of the biggest and best-protected corporations in the world have become victims of cybercrime, and therefore – statistically speaking – so can your eSignature provider. Or even your ISP, for that matter. 

As long as your documents float around unencrypted anywhere, they’re a juicy target for hackers. Especially sensitive information, the exposure of which could put your business at risk, is worth lots of money and is frequently used to blackmail companies into paying hefty ransoms. Ask yourself – what would happen if all your sensitive documents suddenly ended up on a public server for anyone to read? 

Without end-to-end encryption, there is no real encryption

No matter what level of encryption is promised to you, if it’s not asymmetric and end-to-end, it poses a threat to your privacy. Buzzwords like “military-grade encryption” or “state-of-the-art encryption” are great for marketing. But unfortunately, if that encryption only happens once your documents are on your eSignature provider’s server, it’s too late and therefore pretty much worthless. 

If your documents leave your local device in an unencrypted state, assume they are already compromised. Even if they make it across the multiple hops of internet traffic to your eSignature provider’s servers without anyone intercepting them, any minute they are stored anywhere without encryption is an invitation to read them for anyone with access – legal or illegal. 

Bonus: Even end-to-end encryption is worthless – if you’re sending along the keys

Often sold as convenient, some providers offer end-to-end encryption that requires sending the decryption keys along in the same package as the encrypted documents. And while that technically qualifies as end-to-end encryption, the fact that anyone intercepting the documents is only a step away from also intercepting the key to decrypt them places this process in the category “marketing gag” at best.

Would you lock your front door and hide the key on the doorstep, in plain sight? It’s exactly the same thing. Yes, the door is locked, that is correct. And if a blind person happens to try your doorknob, they’ll find a locked door they cannot enter. But one glance at the doorstep reveals the key – and there goes your privacy.   

The Bottom Line

As more and more of our work lives move into the digital realm, there is more and more potentially sensitive information stored online. Whether it’s an employment contract, a trade agreement, or a confidential letter of intent – there are many types of documents that require absolute confidentiality. 

Unfortunately, even when advertised as “encrypted”, many eSignature providers fail to provide bulletproof data privacy to their users. It all comes down to the type of encryption: If there is a way to access “encrypted” documents by anyone or anything, there is a threat to privacy. Whether that’s because the decryption key is sent along with the encrypted documents, there is a “rule of least privilege” that allows for access, or smart tools require access to do their job: If there is access, privacy is breached. 

The only way to ensure absolute data privacy is by using asymmetric, full end-to-end encryption. This type of technology encrypts any document locally on the user’s computer, meaning no unencrypted documents are ever out there on the internet. It also provides a separate (hence asymmetric) decryption key for the user to send to the recipient – directly, in any way they choose, making sure the encrypted documents and the key to decrypt them are never in the same package.
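The contrast between the “keys sent along” package and local, asymmetric encryption can be seen in a short added example, which is not code from this page or from any eSignature provider. It assumes one common design (hybrid encryption: AES-256-GCM for the document, RSA-OAEP to wrap the content key for the recipient), uses Node.js's built-in crypto module, and all function names and the sample document are constructed for illustration.

```javascript
// Added illustration (assumed hybrid design, hypothetical names), Node.js built-in crypto only.
const crypto = require('node:crypto');

// Sender's device: encrypt with a fresh AES-256-GCM key before anything is uploaded.
function encryptLocally(plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { key, box: { iv, ciphertext, tag: cipher.getAuthTag() } };
}

// Whoever holds the content key can decrypt; GCM rejects tampered ciphertext.
function decryptWithKey(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ciphertext), d.final()]);
}

const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// "Key on the doorstep": the content key travels in the same package.
function weakPackage(doc) {
  const { key, box } = encryptLocally(doc);
  return { ...box, key };
}

// End-to-end: the package carries the content key only in wrapped form.
function e2ePackage(doc, recipientPublicKey) {
  const { key, box } = encryptLocally(doc);
  return { ...box, wrappedKey: crypto.publicEncrypt(oaep(recipientPublicKey), key) };
}

// Recipient's device: unwrap with the private key that never left it.
function openE2E(pkg, recipientPrivateKey) {
  const key = crypto.privateDecrypt(oaep(recipientPrivateKey), pkg.wrappedKey);
  return decryptWithKey(key, pkg);
}

// What a server, employee or eavesdropper can recover from the package alone.
function interceptorView(pkg) {
  return pkg.key ? decryptWithKey(pkg.key, pkg).toString() : null;
}

function demo(doc = 'Constructed sample: employment contract, salary 90000') {
  const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const e2e = e2ePackage(Buffer.from(doc), recipient.publicKey);
  const weakLeak = interceptorView(weakPackage(Buffer.from(doc)));
  return { weakLeak, e2eLeak: interceptorView(e2e), recipientReads: openE2E(e2e, recipient.privateKey).toString() };
}
```

When reviewing a provider's format, the practical check is the same as `interceptorView`: list every field stored or transmitted with the ciphertext and confirm none of them is, or trivially yields, the content key.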

Opt for real encryption – and rest assured your documents are for your eyes (and the eyes of your recipient) only. Anything else is a risk to your privacy and simply not worth the gamble.
