Starting a business in Italy meant signing plenty of documents. Italy uses a formalized and centralized legal document signing system. It has a lot of interesting pieces so I wanted to tell you about it. Let’s compare Italy’s InfoCert with DocuSign.
Starting with InfoCert.
Verified by a human.
I had to fill out forms. Then a woman popped up in a video chat. She knew a little English. She asked me a lot of identity questions. I had to hold my passport up to the webcam. I had to show her the original document for my Italian Codice Fiscale, which is the equivalent of the Social Security Number. I had to hold up other docs to the camera. I had to put my face closer for her screenshot.
Set up the software.
Then you set up the “Digital Key” software, which they’ve abbreviated to DiKe. In order to use it, I had to go through multiple steps and passwords. Make a password here and we will email you a PDF with another security key. OK got that key, now use that to make this other password and PIN. Set up your mobile phone as the second factor.
It was so many steps.
Let’s sign something.
Finally, the software is ready. I had something to sign. I open that doc up. It opens up DiKe. I have to log in on my computer. I have to put in my PIN to sign. I then get a text on my phone. I have to put in that second factor. This thing is now signed.
InfoCert is pretty locked down.
In order for me to sign something, I have to be on my computer logged into DiKe. I have to know a password and a PIN. I have to have my mobile phone handy and receive a text message for the 2FA.
Long story short, we would be able to prove fairly confidently that Debbie Levitt digitally signed this document. Who else could have signed this doc? Someone with access to my computer and phone who knows all my passwords. If you’re smart, that’s nobody. Yes, my computer and phone are around the house and my boyfriend could pick them up and try to use them. But never tell anybody these important passwords and PINs. Nobody needs to know them. I’m not telling them to anybody.
Bonus: You can also get a legalmail.it email address and have docs sent there. So another layer of security since people would have to get into that webmail to see what you need to sign.
Let’s talk about DocuSign.
You need me to sign a contract. DocuSign emails it to me. I click the link. I see the document. I click sign.
But what if we wanted to be really evil? You need Debbie Levitt to sign a contract. You create an email address [email protected]. You email John Smith a contract for Debbie Levitt to sign in DocuSign. John Smith clicks on the link, John Smith clicks sign, the end.
Would that hold up in court?
How would I prove I didn’t DocuSign it? How would I prove that’s not my email address and I don’t pick it up? How do you prove you don’t get an email address? You might have to subpoena the IP address info from the mail provider… and depending upon who and where they are, they might not exactly be keeping those records.
DocuSign tried to improve security but it comes off to me as theatre.
DocuSign claims lots of security and privacy. Only you will see this document. We’re going to track and timestamp that. We’ll take your IP address (though someone could VPN into the area where they know I live).
When you set up a document for signing, you can now choose methods that will supposedly authenticate the person signing. These are optional. So again, if we’re super evil, we don’t set these up. Or we set up one we think we can easily fake.
Security Code means you set up a code that the person signing needs to put in. SMS and Phone are where they text or call a number and you have to enter a code on the site. With so many VOIP and burner numbers, this one also comes back to “prove you didn’t use that phone number.”
The ID check is similar to things you’ve seen on other sites. You put in some info and get questions that people who’ve dug a bit into you would probably be able to answer. Here is DocuSign’s example:
If included, these challenges could appear successfully satisfied.
Again, if truly evil, I don’t include the challenge. If trying to look more realistic, I could include a challenge that John Smith can pass. Takes some work but could be done.
And then how do I prove that I never saw the document or signed the contract?
When I think about InfoCert, I can’t think of how anybody could fake the signing.
Let’s go back to Italy. You want a contract signed by Debbie Levitt but you send it to Giuseppe Nieddu, who created [email protected].
He’s not going to get far. The system knows that’s not my email address. They know that documents go to [a certain email address] or my @legalmail.it address.
OK, let’s say he hacks my email and sends himself the document. Unlikely, but let’s imagine it. Now he has to log into DiKe. If he signs in as himself in DiKe, then he’s signed it and not me. He would have to know my password, my document signing PIN, and have my physical phone with him to do the two-factor authentication.
It looks like a fake contract signing couldn’t happen in Italy. Does it happen in America? No idea. But I can see how it could using DocuSign. It’s easier than forging a signature, which used to happen enough that it was a plot in nearly every TV show when I was growing up.
Why spend hours trying to copy a signature when you can manipulate DocuSign? VPN to where I live, create an email address that I can’t prove I don’t pick up, and sign the doc.
Does that mean DocuSign is a bad service?
No, it’s not a bad service. I’ve used it on both ends. I trust it. But I see the flaws in the process and in true security. I don’t just want DocuSign to keep my doc private and get a signature. I want it to keep the world from pretending to be me and signing things.
DocuSign might want to ask itself how it can be more like Italy’s InfoCert. Yes, there were lots of hurdles to setting it up but I only had to do it once. Everybody here does it, it’s a fact of life. How can DocuSign create a business that becomes a fact of life?