Smartcard practical advice guide

The purpose of this guide is to provide further practical advice to using your Smartcard after it has been activated.

This guide and corresponding FAQs will continue to evolve as members begin to use their Smartcard and as legislation and practice develops.

Smartcards provide the opportunity to use digital signatures within the profession. While the advent and use of digital signatures is not new, it is still relatively underutilised and untested within legal practice and so this guide is designed to support solicitors by providing some further explanation and resource around using the Smartcard digital signature facility.

This guide is not, nor is it intended to be, a complete statement of the law and does not displace the legal responsibilities and obligations on solicitors to identify relevant matters of law. It is hoped however that this guide will assist solicitors in accessing and using their Smartcard

The Society welcomes any comments on the guidance and would be pleased to hear from members with comments or useful additions and amendments to it. Comments can be sent to [email protected]

The guide

Since 2014, the Law Society of Scotland has issued Smartcards to the majority of the Scottish legal profession.

Smartcards provide the opportunity to use digital signatures within the profession. While the advent and use of digital signatures is not new, it is still relatively underutilised within the legal practice. This guide is designed to support solicitors by providing some further explanation and resource around using the Smartcard’s digital signatures facility.

This guide is not, nor is it intended to be, a complete statement of the law and does not displace the legal responsibilities and obligations on solicitors to identify relevant matters of law. The Society welcomes any comments on the guidance and would be pleased to hear from members with any suggested additions and amendments to it.

Electronic and digital signatures

The use of electronic or digital signatures is not new and has developed globally over the years. The Society’s strategic technology partner for the project has issued digital signatures to lawyers for a decade and through over 70 bar associations in Europe. In addition to the legal profession, electronic signatures are utilised by the public, banks and retailers in many everyday transactions.

An electronic signature, or e-signature, is considered a fairly generic term which simply provides approval to a process or transaction. Many electronic signatures have the ability to ensure the identity and authenticity of the document as well as the individual.

As a generic term, electronic signatures vary widely in their sophistication and use. They can extend to signing a handwritten signature on an electronic pad, clicking a “submit” or “buy” button on a website or using a four-digit PIN to withdraw cash from an autoteller. It might also be an electronic or digital signature which is cryptographically tied to a digital identification or “certificate.”

What is a secure digital signature?

There are generally considered to be a hierarchy of three main types of electronic signature, each considered to be of increasing certainty and security, all of which are acknowledged in the EU directive on electronic signatures (“Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures”). This Directive is underpinned by appropriate UK and Scottish legislature in itself.

1) The electronic signature

This is data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication.

2) The advanced electronic signature

This is data which meets the following requirements:

  • It is uniquely linked to the signatory Professional 
  • It is capable of identifying the signatory
  • It is created using means that the signatory can maintain under their sole control
  • It is linked to the data to which it relates in such a manner that any subsequent change in the data is detectable
3) The qualified digital signature

This is data which must in particular include:

  • An indication that it is issued as a qualified certificate
  • The identification of the certification service provider
  • The name of the signatory
  • Provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended
  • Signature-verification data corresponding to signature-creation data under the control of the signatory
  • An indication of the beginning and end of the period of validity of the certificate
  • The identity code of the certificate, the advanced digital signature of the issuing certification service provider

Electronic vs digital – in this document, we tend to use the term “electronic signature” to mean the wide group of electronic signature that people may use, and the term “digital signature” to mean the qualified digital signature issued by the Law Society of Scotland and applied by using your Smartcard.

What does “qualified” mean in this context? It means it is a signature which “qualifies” by meeting certain stringent legal requirements which include a publicly available certification policy, covering certain key matters, so that anyone can check the status of the signature. It is the highest level of signature and security recognised in most jurisdictions.

How is the digital signature created?

The digital signature is created with asymmetric codes (also known as asymmetric cryptography, or public key system). These codes are commonly called the public and private keys. Although different, the two parts of this key pair are mathematically linked.

The private key, which is known only to the signatory, is used to create the digital signature and to change the message into encrypted form.

The public key is used by the receiving party to verify the digital signature and decrypt the message.

How do I apply my Smartcard digital signature? The signature can be applied using mainstream business IT packages such as Word and Adobe. The functionality is built into these programmes, although you will need to ensure in your settings and installation that this functionality is live. A technical guide on how to apply a signature is available.

How does a signature appear on the document?

It may appear on printed versions or on screen as a box detailing who signed the document, their email address, the date and timing of the signature and any other information the sender is sharing.

However, it is important to understand that the visual representation is NOT the signature.

The signature is a clickable link within the menu, title or side bar which links through to a range of information on the digital certificate behind the signature. Solicitors should note that it is that information they need to check for the validity of the signature, not any visual representation on the “face” of the document.

How do I know if I can trust a digital signature?

Such concerns are not exclusive to electronically signed documents. Even when using manual signatures, uncertainty can arise as to the validity and identity of the signature and the authenticity of the document.

The main components of creating certainty and trust around the digital signature can be broken down into four elements:

1. Authentication – How did the individual verify their identity within the transaction?

The digital signature is unique to the signatory and created by means that only the signatory can operate. For example, a strong authentication process will not simply permit a user to click a button. It will require:

a) Smartcard or similar physical token and

b) Password or code.

Both of these items are exclusive to the signatory.

2. Vetting – How was the identity of the individual assessed by the regulatory authority and system?

The Smartcard process requires a face to face meeting with every solicitor at which that solicitor’s identification and photograph are checked against the information in the Law Society’s database. This provides far greater certainty than filling in an online form or accepting any photograph posted. The Society also confirms at the time of issue that the solicitor is entitled to practice law in Scotland.

3. Registration and Certification – How do I know I can trust the vetting system and the integrity of the authentication?

To be a qualified digital signature, there must be a Certification Authority (CA). The CA publishes a Certification Policy which meets certain legal requirements. For the Smartcard, the CA is Abogacia Certification Authority (ACA), operated by RedAbogacia. The signature must then be issued by a recognised Registration Authority (RA); for the Smartcard, the Law Society itself is the RA.

The Society holds a live register of its members. If the Practising Certificate of any solicitor is suspended or cancelled, then the Society can also instantly terminate the certificate underlying the digital signature of said solicitor. Signing systems such as the one being used by the Society through Smartcard offer one of the highest levels of authenticity available.

4 Certainty and Integrity – How do I know when the digitally signed document was signed and that it has not been altered in some way since then?

As previously mentioned, the digital signature is created using a Private Key System. This gives only the person signing the document access when applying the signature. The date stamp applied to the signature is generated by the communication with the CA and cannot be altered.

Once the signature is applied to the document, no further alteration to the document can occur without invalidating the digital signature.

Are digital signatures legally binding?

Electronic signatures are widely used and legally binding in the majority of countries worldwide. The European Directive 1999/93/EC and “Regulation on electronic identification and trust services for electronic transactions No 910/2014“ establish a community framework for the use of digital signatures on electronic contracts in the EU. The signatures are legally admissible as evidence in legal proceedings and enforceable in the European Union. In the UK, the UK Electronic Communications Act 2000 establishes the legality of digital signatures. Regard should also be given to the Requirement of Writing (Scotland) Act 1995.

Why might I use a digital signature?

There are many reasons to adopt this process: It is more efficient and makes for faster workflow. It is driven by client demand. Making use of a self-proving digital signature like the Smartcard signature provides more efficiency for your business. It provides greater integrity within the document and is a positive technological development with in a firm.

What sort of things are digital signatures used for?

In many respects a digital signature is used in the same way that you manually sign a document. It might be applied to:

  • Contracts
  • Conveyancing transactions
  • Trust deeds
  • Financial instruments and share dealing
  • Confirmation that advice has been given on a compromise agreement
  • Commercial contracts and leases
  • Company documents
  • Statements to police or investigating authorities
  • Licenses on behalf of clients
  • Trademark or patent applications on behalf of clients
  • Submissions to local authorities on behalf of clients.
Can I sign emails with my digital signature?

For a formal legal letter, document or contract it is recommended that solicitors create a Word or PDF document and sign this with their digital signature. This creates a standalone document which reduces the risk of confusion from long email chains or conflict arising from email footer/disclaimer information.

It is possible to sign your email with your digital signature. However, this requires the email address that you are using to send the email from to be the same as in your digital signature. In certain circumstances, solicitors will use a different email address (home account, generic office account, etc.) which is obviously not the same email address as in the certificate. This can lead to the digital signature not being validated by the CA. It is therefore not recommended to sign emails directly with the digital signature.

Can I change the file name of a digitally signed document?

No. In most cases this is not possible as all attributes of the file are “locked” to ensure an original version. If the file is saved under a different name, the signature will be invalidated. To manage this within case management systems, there are options – such as creating a folder following your normal filing convention and then saving the actual file, unchanged, into that folder. Or saving the email, with the document attached. Changing the name of the email will not affect the document, so the digital signature will remain valid.

I would like to use digital signatures and Smartcard in my next transaction. What do I need and what should I be considering?

On a practical level, you will receive a card reader when you activate your Smartcard and this will enable you to put a digital signature on relevant documents. You should also consider the longer-term aspects of the transaction, and account in your Terms of Engagement for how matters will be dealt with. You should consider including clarification on items relating to digital signature and storage, for example:

  • How original documents are retained by the practice unit
  • Risks associated with electronic retention
  • The practice unit’s policy in relation to retention of electronic documentation, in terms of length of periods, etc.
  • Providing the client with advice that the client should also retain the document electronically and without alteration.
It’s fairly common in our firm’s office that other solicitors, trainees and secretaries will PP documents or apply signatures on behalf of those who are absent from the office on other business matters. Provided I give direct authority and direction, can I utilise the digital signature and Smartcard in the same way?

No. This would be a misuse of the Smartcard and could, according to the Smartcard contract and the statement from Marsh on the Master Policy, constitute negligence on your part as well as fraud committed by the person who is signing with your Smartcard. Members are not permitted to allow others to apply their digital signature.

Does the digital signature in the Smartcard provide any greater or enhanced certainty or security over a manual or wet signature?

A wet or manual signature, on its own, does not guarantee the identity or the professional status of the person signing the document. There are several risk issues around both wet and digital signatures alike, but in many settings a digital signature will offer greater certainty and security. The signature also “locks” the document and prevents any amendment – compared to a paper contract where a page could be carefully removed and replaced, for instance.

When is a bargain concluded when I issue an electronic document?

In the interests of certainty, it would be advisable to state within the contract itself when the parties intend for delivery to be effected.

At the moment, there is no law on what constitutes the point of delivery of an electronic document. However, commentary on creation of contracts by electronic means refers to “transmission” and “delivery” which supports the view that the contract is concluded when the document is received by the recipient, not at the point of dispatch by the sender.

This approach is in line with the general rule that “an acceptance of an offer becomes effective at the moment the indication of assent reaches the offeror.” (Article 18 of the UN Convention on Contracts for the International Sale of Goods 1980)

Can a document be digitally signed by one party but wet/manually signed by another?

Since the Legal Writings (Counterparts and Delivery) (Scotland) Act 2015 has been enacted, a document can be digitally signed by one party and wet/manually signed by another – but only in counterparts as defined in the Act.

Should multiple copies of all digital documents be executed to create multiple signed original copies, one for each part?

The Legal Writings (Counterparts and Delivery) (Scotland) Act 2015 states that a document can be digitally executed by several parties in counterparts. This is the most straightforward method of multiple executions of electronic documents.

If there are several signatories and an electronic document is not being executed in counterpart, it is recommended that the parties agree the sequence of execution: The first signatory would create the document and include signature lines for every other signatory in the chain. He/She signs the document and sends it to the second signatory. The second signs the document with his/her own signature and send it to the third, and so on. Each signatory can check the document as being unchanged as well as confirm the validity of the applied signatures and can add his/her own signature in turn, without it showing as an amendment. The most recently signed document should be regarded as the “original” in these circumstances. The final signatory, after applying his/her own signature, sends a copy of the document to all in the chain.

Is a digitally signed document evidentially “worthless” if printed off?

The document is not evidentially worthless but the hard or PDF copy will not have the same self-proving status as the “original/authenticated version,” which can only be accessed electronically. As such, the best means of verifying the document is to access it electronically.

Once the use of electronic signatures has been agreed upon, what happens if either party uses a third-party provider of digital signatures other than the Law Society?

If a document is signed using an electronic signature other than the one utilised on the Smartcard, members should take steps to verify whether the signature is an advanced digital signature. In the event a solicitor uses a third-party provider of electronic signatures (whether an advanced digital signature or not), he/she will not be able to rely on the “Authentication and Verification” process provided by the Smartcard as described in chapter A. As a result, recipient members will wish to see certification of the third-party provider. Only a document signed using an advanced digital signature with a qualified certificate will benefit from having a self-proving status.

However, even if the electronic signature is not an advanced digital signature, it is still admissible in Scottish legal proceedings. A digital signature and its certification are admissible in any legal proceedings as evidence in respect of any question as to the authenticity or integrity of an electronic communication. On the basis of the Legal Writings (Counterparts and Delivery) (Scotland) Act 2015, the same applies in relation to counterparts executed by digital signature.

How does appending a digital signature interact with the practice of certifying documents as true and accurate copies?

To certify a copy of an original document as a true copy requires:

  • The signatory to have seen both the original document and the copy and seen that the latter is a copy of the former
  • docquet to be applied to the copy to the effect that it is a true copy of the original
  • The docquet to be signed by the person who has inspected the original and the copy

Since an advanced digital signature is as valid a way of signing something as a manual signature, there is no reason why the “copy” could not be a PDF rather than a hard copy. In practical terms, it is acceptable to scan a document, add a “true and accurate” docquet to the PDF and then append a digital signature to the PDF.

When applying a digital signature to a 200 page document with a plan and 30 appendices, do I sign once, applying the signature to the entire document, or do I have to sign multiple times?

A single digital signature is all that is required, provided all the appendices/plans have been referred to in the document, are identified as being the appendices referred to therein and are added to document before the digital signature is applied to the combined document. This is provided by the Electronic Documents (Scotland) Regulations 2014.

Will the system allow signatures to be added to all types of documents, regardless of the package on which they were created – e.g. can a Word document be digitally signed as well as a PDF?

The signatures work on the usual range of business packages like Work and Adobe – there are details on the website (www.lawscot.rog.uk/members/Smartcard) of the ones most commonly used, or you can check the details of your own product.

How and to what extent do members of the Law Society need to interrogate the validity and nature of a qualified digital signature?

The digital signature is a dynamic process. It occurs in the online environment and checks the RA and CA at the time when the private key is applied. Members should not rely on a printed version of the document that includes a digital signature. Instead, members should review the electronic document and use that to access the digital signature. That will confirm whether or not the digital signature was valid when it was applied.

What steps should solicitors take to preserve a copy of digital missives or indeed any digitally executed contract?

Solicitors should comply with existing Law Society’s guidance papers on

All outsourcing providers should be made aware of that guidance and required to comply with it.

In the event that the digital documents are to be destroyed, the intent to do so should be intimated in writing to the client. Tacit consent by accepting terms of engagement may be acceptable but is a matter of law.

The normal duties of care and confidentiality in the storage of clients’ papers in terms of the rules would, for the avoidance of doubt, apply to electronic and scanned material. Offsite copies of the electronic and scanned archive should form part of the practice unit’s contingency planning strategy.

Although documents which have only ever existed electronically and are signed with digital signatures have the same legal status as “manual signature” documents, great care should be taken to ensure the electronic documents be retained in original electronic format and backed up appropriately. Since a hardcopy will not have the same self-proving status as the “original/authenticated version,” which can only be accessed electronically, it is best practice to have sufficient back-up concerning these files and documents.

Where missives are concluded by an exchange of digitally signed documents, both parties will be in possession of a copy of an original. Does that mean that there are in fact two principal sets of documents, either of which is evidentially as valid as the other?

Each party has access to each “original” digitally executed document, held on their system, each of which is equally valid.

 

How do I submit a digitally executed document to a Court?

Courts will allow productions to be lodged electronically in PDF format. (Art 46, Regulation No 910/2014) However, this is a matter of policy and practice which will continue to develop as Courts become e-enabled. If a document has been signed by a member using the Smartcard, the document will contain a version of the member’s public key and the date/time stamp of signature. However, if printed, the hardcopy will not be an “original/authenticated” version of the document which can only be accessed electronically. Based on the Legal Writings (Counterparts and Delivery) (Scotland) Act 2015, the same applies to counterparts executed by digital signature.

This section provides working definitions which may be of further assistance in using this guide, but the explanations are not legal definitions.

Advanced Digital Signature

The middle level of signature recognized under the relevant EU Directives. This is data which meets the following requirements:

  • It is uniquely linked to the signatory
  • It is capable of identifying the signatory
  • It is created using means that the signatory can maintain under their sole control
  • It is linked to the data to which it relates in such a manner that any subsequent change in the data detectable.
Certificate

This is information containing identification of the provider of the digital certificate, usually located on the cryptographic device. The certificate is forgery resistant and can be verified because it was issued by an official and trusted agency.

Certification Authority (CA)

In the Law Society system, the Certification Authority (CA) is Abogacia Certification Authority (ACA, operated by RedAbogacia). It meets all key EU and international standards required of certification authorities, holding the required information to allow the issuing and use of a qualified secure digital signature. This outsourcing process removes the cost, resource commitment and risks of the Law Society of Scotland attempting to become a certification authority in its own right. These considerations were made when the project was designed and put to tender in 2013.

Counterparts

Historically, contracts under Scots law have been concluded by both parties signing the same physical copy. Signing in counterparts now is where parties sign a separate physical copy of a document. Once the parties have all signed their respective counterparts, these are exchanged between them, and the contract takes effect from that point.

Cryptographic device

In short, this is the Smartcard, or rather the chip on the card. It identifies the signatory within the PKI system and enables the generation of keys and algorithms necessary to apply the digital signature.

Cryptography

In this context, the creation of asymmetric codes (in a PKI system, this means one public and one private key) which are related mathematically but not in a way which can be determined by only accessing one of the codes. This can then be used to encrypt a message or to apply a digital signature by embedding the private key within a document.

Digital Signature

The lowest level of signature recognized under the relevant EU Directives. This is data in electronic form which is attached to or logically associated with other electronic data and which serves as a method of authentication.

Manual Signature

A hand-written signature.

PKI – Public Key Infrastructure

It is a cryptography system that enables message encryption or application of digital signatures. Cryptography could have two keys, neither of which is “public” to allow communications between two individuals who have set up the system in advance. However, where one of the keys is “public,” i.e. accessible by others outside a predefined list of users, the system is usually referred to as PKI.

Private Key

The private key, which is known only to the signatory, is used to create the digital signature and to change the message into encrypted form. It is essentially a very long list of numbers and characters that have a mathematical association with the public key.

Public Key

The public key is used by a receiving party to verify the digital signature and decrypt the message. It is essentially a very long list of numbers and characters that have a mathematical association with the private key.

Qualified Digital Signature

The highest level of signature recognized under the relevant EU Directives and the type of signature used by the Law Society’s Smartcard. This is data which must in particular include:

  • An indication that it is issued as a qualified certificate
  • The identification of the certification service provider
  • The name of the signatory
  • Provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended
  • Signature-verification data corresponding to signaturecreation data under the control of the signatory
  • An indication of the beginning and end of the period of validity of the certificate
  • The identity code of the certificate
  • The advanced digital signature of the issuing certification service provider
Registration Authority (RA)

For the purpose of issuing Smartcard, the Law Society of Scotland is the Registration Authority (RA), performing necessary ID checks, issuing cards & digital signatures and providing accurate information to the Certification Authority.

Wet Signature

A hand-written signature.

 Add To Favorites