Trustworthy Processing of Biometric Signatures on Tablets and Smartphones
Date posted: 20-Oct-2014
Category: Technology
Creating Business Processes with Strong Evidential Weight
Berlin – May 21, 2014
EAB Seminar “Biometrics in Banking – Reality Check 2014”
introduced by Alain Sarraf (SOFTPRO) & Michal Lichner (ANASOFT)
The Signature Professionals – SOFTPRO Group
Foundation 1983
Employees ~ 70
Böblingen (Group Headquarters): SOFTPRO GmbH
London: SOFTPRO UK
Singapore: SOFTPRO Asia Pacific
Chennai: SOFTPRO Signature Management India
Beirut: Representation
Santiago de Chile: SOFTPRO LATINOAMÉRICA
Bear, Delaware: SOFTPRO North America
Westlake Village, California
www.sp-l.de/Nscz
Trusted by the World’s leading Financial Institutions
12 of the “Top 25 Banks”* are SOFTPRO customers.
* Ranking Source: The Banker: Top 1000 World Banks 2013, Ranking of Banks by Assets end of 2012, published July 2013
SOFTPRO caters for Financial Institutions of all sizes – e.g.:
…and many more
http://sp-l.de/WbiB
Quick Agenda
In this presentation we cover key topics such as:
Trend-Reflections: Tablets & Smartphones replacing PCs for many tasks
Roles of handwritten signatures in digital workflows, legal framework
Editing and signing of documents on mobile devices
Integration of E-Signing into individual workflows
We will also cover aspects such as
BYOD – Security – User Acceptance – ROI
High-Tech Topics in 2014
IT Security
Cloud Computing
Mobile Computing
Bring Your Own Device (BYOD*)
Enterprise Content Management (ECM)
Topic Ranking “Hightech Trends 2014” by German IT Industry Organization BITKOM based on industry interviews, published Feb 21, 2014 http://goo.gl/pBOvc
* Side Note: Some legal and IT departments interpret “BYOD” also as “Bring Your Own Disaster” …
Tablet Facts 2014
2010 – Mar 14: 215 million iPads sold worldwide 2)
2014: 18 million Germans >14 are using a tablet 3)
Q4/13: More tablets than PCs sold worldwide 4)
[Chart] Tablets sold in million worldwide, Q1 2014 1): Lenovo, Asus, Samsung, Apple: 2.3, 2.1, 12.8, 16.3
[Chart] Market Share Q1 2014: 65.8 %, 28.4 %, 5.8 %
Faster processors, larger displays with higher resolutions, better cameras…
Smartphones and Tablets are increasingly used for tasks which were executed with PCs in the past.
Many devices suitable for E-Signing with robust evidence
Sources:
1) Strategy Analytics 28.04.14 http://goo.gl/IahV3d
2) Quarterly Reports Apple & Extrapolation of SOFTPRO R&D
3) BITKOM Media Release 24.02.14, http://goo.gl/Mklm2f
4) Market Research of IDC 11.09.13, http://goo.gl/v0QOAE
Smartphone Facts 2014
Devices sold in million in Germany 1)
2010: 10.4
2011: 15.9
2012: 21.6
2013*: 26.4
2014**: 29.6
* 97% of all mobile phones sold were Smartphones
** estimation as of February 2014
Source:
1) BITKOM Media Release 14.02.14, http://goo.gl/on0A4w
Working with Documents on Tablets
Initially tablets were used to view documents. Today many users want to edit & sign docs on their tablet.
Purposes of a Signature
Signing a document is about making a
commitment, not just authenticating oneself
A signature establishes validity of a
document to allow the reader to act on it as
a statement of the signer’s intent, and
leaves evidence to that effect afterwards.
Signatures represent a physical
manifestation of consent.
Goals for Signing on Tablets & Smartphones
Accelerate Workflow (e.g. from application to contract)
Cut Costs (thanks to reduced paper usage)
Secure Documents (e.g. for archiving)
Perceptions of Signatures today
http://www.bbc.com/news/magazine-27311868, BBC News May 7, 2014
There have been calls to phase out signatures from the
banking industry. But have our own personal autographs really
had their day?
BBC’s Jon Kelly answers in his report: “The signature may
have more life in it than the techno-enthusiasts might imagine”
Mike Allen, a forensic document analyst, quoted in this report:
"It's someone making their mark and saying 'I agree with this.'" "It's not about being safer - the value of it is that it's you."
Perception & Reality about Signature Requirements
Image Source: AIIM Industry Watch: Process Revolution – Moving your Business from Paper to Tablet PC, May 2012
Really? In most cases E-Signing is a serious alternative.
Let’s get specific
Q: Is it legal to use SignDoc?
A: For an appropriate investigation, please specify where you intend to use SignDoc, for which purpose(s), and in order to achieve which goal(s).
Legal and evidentiary considerations for processes with Electronic Signatures must include:
Country
Industry
Application
Goals (e.g. Cost Savings?)
Document Lifetime
Perception & Reality about Signature Requirements
Surprising for many:
In many business cases physical signatures on paper (“wet-ink signatures”) are not required de jure.
For most of the business processes where SignDoc is used today there exists no regulation which explicitly requires signing a document at all, or doing this on paper in a “written form”.
Using physical signatures on paper was the form chosen arbitrarily to have some kind of proof of intent.
Form Free Agreements
EU: Level of Contract Regulation
Signature Requirements imposed by law for validity or enforceability reasons
Qualified Electronic Signature explicitly required by law
No Signature Requirements are imposed by law for validity or enforceability reasons
Shares shown in the chart: 80 %, 15 %, 5 %
Source: Prof. Dr. Patrick van Eecke, DLA Piper
Form Free Agreements
E-Signing: Sample Use Cases
Replacement for “Arbitrarily Written Form” on Paper in Form Free Agreements
Banking: account opening, modification, and deletion, cash deposits and withdrawals, standing orders, exemption orders for capital gains, loans, mortgage origination and closing, …
Insurance: Applications, agreements, damage reports …
Telco: Contracts (mobile, DSL, cable etc.), service reports, …
Utilities: Contracts (Power Supply), Applications for Customer Reward Schemes
Retail: Receipts at the point of sale or point of delivery, merchandise return, service documentation, …
More examples http://sp-l.de/ev3h
E-Signing in the EU: From Directive to Regulation
Directive 1999/93/EG 13.12.99: Directive on a Community framework for Electronic Signatures
eIDAS-Regulation 2014: Regulation on Electronic Identification and Trust Services for electronic transactions in the Internal Market
April 3, 2014: EU Parliament voted to pass, regulation takes full legal effect from July 2016 onwards.
http://goo.gl/r3QTCR
eIDAS-Regulation replacing national E-Sign Laws
Among the 28 country laws and ordinances to be widely replaced by the European Regulation are for example …
Electronic Signature Act (Official Gazette 10/02; 2008)
Act on Electronic Signatures (No. 227/2000)
Signature Law & Signature Ordinance (both 2001)
Decrees on E-Signatures (1999)
Act on Electronic Signatures (2001)
Electronic Documents and Legal Acts (Decree-Law No. 290-D/99)
Law on Electronic Signature (No. 455/2001)
Act on Electronic Signatures (No. 215/2002)
Note: The year shown at each act lists when these acts came into force for the first time. Most of these acts were last updated in either 2012 or 2013.
E-Signature Terminology by European Commission
‘Electronic Signature' means …
Directive 1999/93/EG, Art. 2 paragraph 1: data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;
Regulation eIDAS 2014, Art. 3 paragraph 10: data in electronic form which are attached to or logically associated with other electronic data and which are used by the signatory to sign;
E-Signature Terminology by European Commission
‘Advanced Electronic Signature' means an electronic signature which meets the following requirements:
Directive 1999/93/EG, Art. 2 paragraph 2:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;
Regulation eIDAS 2014, Art. 3 paragraph 11:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;
Purpose: Provision of Authenticity & Integrity
Admissibility
Can Electronic Signatures created with SOFTPRO SignDoc be used in Court?
Admissibility: Yes
An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature.
Directive 1999/93/EG, Art. 5 paragraph 2
Regulation eIDAS 2014, Art. 25 paragraph 1
Persuasive Evidential Weight
Holistic Assessment of all Process Steps in a Document Lifecycle required
Process steps: Access Authentication, Document Presentation, Capturing additional data, Document Completion, Signature Creation, Archiving / Delivering
Annotations: take photo; on tablet; on web portal; e.g. insert text, tick boxes…
Components of Evidential Weight
Signature Creation: Adding evidential weight via multiple E-Signing options
Handwritten Signatures + Image of Signer + Image of ID
Leverage Cameras of Tablets
Additional Evidence (Integration via SignDoc SDK): GPS Coordinates, Time Stamp, Certificates, ….
Evidential Weight of Data of Digitized Handwritten Signatures
The more precisely and the more differentiated the signals of the writing process can be captured, the higher the evidential weight of a particular signature data set.
Capturing as many signals per second as possible is also required for accurate display of arcs and loops; ideally, different levels of writing pressure are captured as well.
This is crucial for the reliability of a comparison with a reference signature, no matter whether it is verified
- automatically using software and/or by a forensic expert
- by default always immediately after signing, or later, only if necessary
Spotlight: E-Signing in Spain
“Firma Digitalizada”
Full legal support as a means of client consent
Must obtain the client's consent to use the system, as required by both Data Privacy laws and two-party agreement laws
Double signature process based on transaction complexity and risk
Not relevant that Biometric Signatures are not a PKI: Solution robustness provides the proof of the agreement
Technical Audit by 3rd party to certify security level and robustness
Must comply with legal restrictions based on Data Privacy laws
Santiago Uriel, CIO CECA
Source: Main Conclusions of the Legal Report on Firma Digitalizada, Santiago Uriel, Presentation at SOFTPRO Partner Academy 2013 Prague
In many cases there is no regulation at all
If there's no legal regulation … there is no need to wait for one.
The Spanish Savings Bank Organization, one of the most successful users of e-Signing in Europe, did not wait for a law to come (as there wasn't any).
In 2008 they simply started to include E-Signing in their processes.
Image Source: Legal Framework of Firma Digitalizada, Santiago Uriel CIO CECA, Presentation at SOFTPRO Partner Academy 2013 Prague
Case Example of Regulations in Civil Law
E-Signing of Loan Contracts on Tablets – Today different situations in the EU
No Limitation Requirement of written form
Consumer Loans regulated in Civil Code Art. 492
Exception to the rule: If no interest is imposed on the consumer loan (Zero-Percent-Financing) the contract does not fall under the regulations of a consumer loan and may be categorized as form free.
Similar legal situation for example in …
What to do if Written Form is still required?
! Written Form
Hybrid Solution: Combination of Paper & Special Pen with Tablet
Signature Capturing with special “Tablet Inking Pen” in parallel: wet ink on paper and digital ink on tablet.
Suitable in particular for usage where written form is required in some processes only while most processes are form free
Video http://sp-l.de/9vmi
Form Purposes of Written Form
Features of a written form which should be fulfilled by an electronic method:
Identity
Integrity
Proof
Conclusiveness
Warning
Protection against Haste
Resistance against Manipulation
Non-Repudiation
Pen Computing: Evolution from Stationary to Mobile
Tablets & Smartphones
Windows Tablet PCs
Tablets in connection with PC / Notebook
Axis: primary area of use, Stationary to Mobile
Display Size & Content to be signed
Display sizes: 12.2", 10.1", 8.0", 5.7"
Receipts: ~ A6
Complex Contracts: A4 / letter size
Smartphone – Alternative to Signature Pads
… applicable for ‘Bring Your Own Device’ concepts
GALAXY Note since Nov 2011
GALAXY Note II since Nov 2012
GALAXY Note 3 since Sept 2013
until December 2013: worldwide > 50 million sold devices
First impression counts – also when Signing
Stylus
Digital Ink
Display Surface
Smartphone – Alternative to Signature Pads
Connect Smartphone and PC in same network
App Sign2Phone
Rich Client SignDoc Desktop or Browser Client SignDoc Web
Integrate E-Signing in existing Workflows
Apps for
Signature Platform
Key Take Aways
Signatures …
Are a viable biometric for stating consent in contracts
Can be easily incorporated into existing bank processes without disruption
Are subject to only very few legal restrictions for usage in most banking applications
Legality is becoming clearer and more transparent due to new regulations
May be cheaply captured with a broad array of devices = many capture possibilities and lower costs
E-Signing on Tablets – Reference Banking
Consumer Credit Specialist of BNP Paribas Personal Finance Group is saving 1.6 million paper sheets (20 trees) per year
eSign Cetelem is the customer’s application based on SIGNATUS, a solution provided by ANASOFT with E-Signing components powered by SOFTPRO. Retailers and their customers sign on tablets, like the Samsung Galaxy Note 10.1, for installment sales in retail.
http://sp-l.de/fTwX
Case Study: Cetelem, BNP Paribas Personal Finance Group
Topic: Dematerialization, in two phases ...
Goal: Electronic Clients’ documentation
Solution: DMS Alfresco Enterprise
Goal: Electronic signing of contracts on points-of-sale
Solution: eSign Cetelem project
Requirements:
• Signing of contract on the reading device
• Maximum safety – personal data, fraud, loss
• POS infrastructure independence
Solution:
• SignDoc SDK + Samsung Galaxy Note = fully mobile solution
• Samsung SDKs + PKI + custom features = maximum security
• Integration with Cetelem’s environment (Extranet, DMS)
Case Study: Cetelem, BNP Paribas Personal Finance Group
+++ LIVE DEMO +++
Customer’s View:
• Improved cash flow for POS partners
• Signed contract immediately accessible to Client via Client Zone
• No fraud, no loss of documents, decreased error rate
• Innovation and market leadership
• Solution for POS & for e-commerce (delivered by couriers)
SIGNATUS – the preferred solution for BNP Paribas Personal Finance Group
12 000+ contracts 54% time saved
0% issues / errors 100% satisfied customers
Case Study: Cetelem, BNP Paribas Personal Finance Group
Additional Information about ANASOFT
www.signatus.anasoft.com
Phone +421 2 3223 4111
ANASOFT
Bratislava, Slovakia
Bochum, Germany