Back in the day, the steps were few and the encryption simple. Person A wrote a document, signed it, put it into an envelope, and sealed the envelope with a wax seal. The envelope got delivered to Person B using the most direct route. They checked the wax seal, and – if satisfied – retrieved the document to counter-sign it.
Nowadays, the letters are made up of bits and bytes. And the most direct route can include a literal trip around the world, with as many stops as the algorithm in charge deems necessary. This makes the digital version of the wax seal – called encryption – more important than ever.
In a world where it’s impossible to even keep track of how many digital and potentially compromised points of contact an eSignature document touches on the way to the recipient, using asymmetric end-to-end encryption is the only way to maintain the privacy of all parties involved.
If that sounds daunting, it’s because it is. The days of a simple journey from point A to point B are long gone, making proper end-to-end encryption not a nice-to-have but absolutely essential for any business.
Here’s How End-to-End Encryption Works for eSignatures
But why is end-to-end encryption so important in the first place? It’s because the steps in between the two ends are becoming more numerous and more complex as technology advances.
Typical steps on the journey of eSignature documents and their risks:
| Each step of encrypting end-to-end | Why that step is at risk |
| --- | --- |
| Your local computer | It’s at risk of being hacked at some stage |
| Your internet connection | It’s too easy to listen in on |
| Your Internet Service Provider (ISP) | They’re often allowed to listen in |
| Your eSignature provider | A great target for hackers – and governments |
| The recipient’s ISP | It could be a third-tier provider that’s already been hacked |
| The recipient’s internet connection | They could sit in a coffee shop on public WiFi |
| The recipient’s local computer | It’s just as likely to be hacked as your own device |
One interesting fact is that the number of steps and their individual risk level only matter if you opt for the wrong type of encryption. Let’s have a look at what happens at each step of the journey, and how weak levels of encryption fail at each one.
Here’s the Journey of an eSignature Document From Sender to Recipient
It’s tempting to think of the journey of any eSignature document as a simple path from A (the sender) to B (the recipient). But in today’s complex and hyperconnected world, there are quite a few stops in between that deserve a closer look when thinking about security and privacy.
Your local computer
Your computer is at risk of being hacked – no matter what. Even with constantly improving security tools, the cat-and-mouse game of security providers vs. hackers is hard to win. If huge billion-dollar companies can get hacked, so can your computer.
If you store unencrypted documents on your computer, they’re plain to see (and steal) for anyone who gains access to your device. Once inside, it’s a matter of minutes or maybe only seconds for a hacker to grab all your documents, and anything unencrypted is a free lunch that can be used against you.
The internet connection you’re using
Whether you’re using your home WiFi or a public hotspot: Assume someone’s listening. The average home WiFi security can be overcome in seconds with the right hacking tools, which are freely available for anyone to purchase. And if you’re using any kind of public internet access, be that in the local library or in the first-class lounge in the airport, it’s safe to assume that at least one party is monitoring your traffic.
If you’re sending unencrypted documents anywhere, they’re at risk of being intercepted the moment they leave your computer. If and when someone intercepts your data, they get access to any data you send and receive, and plainly readable documents are the easiest reward for such activities.
Your Internet Service Provider (ISP)
Whoever provides your internet is facing not one but two privacy challenges. Not only are ISPs highly sought-after targets for hackers, being the gatekeepers for seemingly endless valuable private data, they’re also obliged to comply with law enforcement in certain scenarios: Whether it’s local authorities with wide-ranging data-grabbing powers or even foreign governments as part of agreements like the CLOUD Act – when the right official comes knocking, your data will get handed over.
Your ISP can see any single byte of data you send or receive – act accordingly. And while it’s safe to say that 99.9% of your data will never be looked at or retained, the 0.1% that will be either hacked or passed on to the authorities could result in severe exposure for your business.
Your eSignature provider
Nothing screams “hack me” like any business holding millions of legal documents. No matter what eSignature provider you use, chances are they’ve been or are at risk of being hacked. And getting hacked is not the only issue: The fine print of some eSignature providers specifies “certain employees” that are allowed to access your data in “certain scenarios”. And even if their policy mentions your privacy – who’s to say they don’t have nosey employees? Last but not least, they’re often subject to the same legal requirements as ISPs, meaning they can be forced to hand over your data at a moment’s notice.
If your documents spend even a single second on your provider’s systems without being encrypted, they’re in danger of being read. It does not matter if your provider promises to encrypt them once they’re safely stored with them – it might be too late by then.
The recipient’s ISP
When was the last time you checked who provides the internet to the receiving party of your confidential document? Chances are – never. So even if you have all the faith in the world in your ISP, you simply have no way of knowing the security standards of the receiving party’s provider.
Any document you send has to pass your recipient’s ISP – no way around it. And even if you’re fairly certain that their internet provider provides a high level of security, what happens if they download your document while sitting in the local coffee shop and using their public WiFi, as is increasingly likely with the new work-from-home standards?
The recipient’s internet connection and computer
In most scenarios, you don’t know what kind of device or connection is used to receive your document. It could be the recipient’s work computer – or their tablet. Or their partner’s computer. Or their friend’s computer. Or a public computer in a hotel lobby. All of which are at risk of being hacked at any given time, or at least at risk of being intercepted when sending and receiving data.
If your confidential eSignature documents are received unencrypted by the signing party, your privacy is breached. Whether that’s just one signatory or an entire group of people who need to sign, a plainly readable document of any kind poses a serious threat to your privacy.
Why the Level of Encryption Matters for Your eSignatures (Not All Encryption Is Created Equal)
With that many stops between the parties involved in any eSignature document, it’s plain to see that encryption is essential to maintain privacy. But encryption comes in many flavors – some of which frankly should be avoided at all cost.
From worst to best, the levels of encryption are:
No-go: No encryption at all
Do yourself a favor, and don’t even consider sending unencrypted documents. It’s playing Russian Roulette with your most sensitive documents.
Best to avoid: Simple password encryption
While it’s tempting to believe that adding a simple password to a Word document is enough to make it safe, the truth is far from it: With today’s computing power, a sophisticated brute-force attack can break simple and especially often-used passwords in minutes.
You simply cannot know what kind of weaponry the opposing party is willing to throw at your password. Avoid simple password protection at all cost. It’s not safe.
Sounds better than it is: Server-side encryption
Many eSignature providers promise encryption – once the documents are safely stored on their servers. As we’ve seen above, that’s the fourth step on the journey of an eSignature document, leaving the previous three steps fully exposed.
Also, there’s usually no mention of the point in time at which the documents are encrypted. The second your documents arrive at their servers, they’re at risk – until they’re 100% encrypted.
Getting closer – but still not there: Symmetric end-to-end encryption
This one is great for marketing – because it says “end-to-end”. But don’t be fooled: Even within this highest level of encryption, there are different tiers with vastly different security levels.
Oftentimes, end-to-end encryption means sharing a key: The documents are encrypted right at the start and decrypted only by the receiving party, correct. But both are done using the same key, which – ironically – sometimes is even sent in the same payload as the document itself. And even if they’re sent separately: If you assume someone is intercepting your traffic, getting a hold of your (encrypted) document, what makes you think they can’t just wait and grab the key you’ll eventually have to send as well?
The gold-standard: Asymmetric end-to-end encryption
This type of encryption is considered state-of-the-art, and it’s the only level of security you can completely rely on. Asymmetric encryption means that there are different keys to encrypt and decrypt your documents, essentially rendering any hack on your documents useless.
Even if your WiFi is insecure, it’s no privacy issue: The attacker can steal a heavily encrypted document they can’t read. They can also potentially steal the key used to encrypt that document, called the “public key”, which is (as the name suggests) no secret. Anyone can have it. What they can’t steal is the key to decrypt – the “private key”. Only the recipient owns this key, and it never gets transmitted in the first place.
End-to-end means your documents are encrypted from the moment of their creation all the way to when the recipient decrypts them. Asymmetric means different keys are used to encrypt and decrypt. The combination of the two provides the highest level of encryption possible and is the only level of security that you should trust your sensitive eSignature documents with.
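As an added illustration (not code from the original article or from any eSignature provider), the sketch below walks through the asymmetric flow described above using Node.js’s built-in crypto module. It assumes a hybrid scheme, which the article does not specify: the document is encrypted with a one-time AES-256-GCM key, and only that key is encrypted with the recipient’s RSA public key; all function names and the sample document are constructed for this example.

```javascript
const crypto = require('crypto');

// Recipient creates the key pair on their own device; only publicKey is ever shared.
function makeRecipientKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender: encrypt the document with a fresh AES-256-GCM key, then wrap that key
// with the recipient's public key. Everything returned here may cross the wire.
function encryptFor(publicKey, document) {
  const docKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', docKey, iv);
  const ciphertext = Buffer.concat([cipher.update(document), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, docKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: unwrap the document key with the private key, then decrypt.
// final() throws if the GCM tag does not match, i.e. the envelope was altered.
function decryptWith(privateKey, env) {
  const docKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, env.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', docKey, env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// True if the given key opens the envelope, false if decryption is rejected.
function canOpen(key, env) {
  try { decryptWith(key, env); return true; }
  catch (e) { return false; }
}

// Compare what the recipient can do with what someone holding only wire data can do.
function demo() {
  const recipient = makeRecipientKeys();
  const contract = Buffer.from('CONSTRUCTED SAMPLE: contract draft, not real data');
  const env = encryptFor(recipient.publicKey, contract);
  const tampered = { ...env, ciphertext: Buffer.from(env.ciphertext) };
  tampered.ciphertext[0] ^= 1; // one bit changed in transit
  return {
    recipientReads: decryptWith(recipient.privateKey, env).equals(contract),
    observerWithPublicKey: canOpen(recipient.publicKey, env),
    observerWithOwnKey: canOpen(makeRecipientKeys().privateKey, env),
    tamperedAccepted: canOpen(recipient.privateKey, tampered),
  };
}
```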
The Bottom Line
The more complex our technological environment becomes, the harder it gets to keep track of all the potential security loopholes involved in any digital transaction. And while eSignature platforms are great at providing incredible convenience for any documents that require a legal signature, they also present a hefty security risk unless encrypted properly.
You’ll never be able to secure or even know all the stops along the way of an eSignature document. The only way to ensure your privacy is to opt for proper, asymmetric end-to-end encryption, where the private key to decrypt the eSignature documents is only held by the recipient. Because the only thing that cannot be intercepted is the thing that’s never sent in the first place.











