
Disclosures


Dynamic signature (capture of the behavioral pattern).
A potential systemic risk for your company

 

Be very careful when you come across texts that mix up concepts, for example by:

Calling the dynamic signature a biometric signature.

Classifying the biometric signature as an advanced electronic signature.

Associating "digital signature" with the signatures of the eIDAS legal framework while using the term "electronic signature" for any other technique intended to record an expression of consent. It is not surprising that this lack of knowledge is found even in large organizations, especially those whose parent company is in the US, where the legal regulations are totally different from those of the EU.

The dynamic signature, which captures the behavioral pattern, is considered biometric data processing expressly prohibited by the GDPR.


 

Dynamic Signature

The biometric pattern is captured, which means obtaining both the graph and the behavior of the hand while signing (pressure, inclination, direction, speed, etc.). Because it captures biometric data, this signature presents a high risk in relation to data protection legislation.

 


The dynamic signature is high-risk processing. Badly managed, it can lead to very serious consequences for your organization.

If the procedure used is classified as unlawful, not only does the signature lose all its legal effectiveness, but it may also lead to sanctions for violation of data protection regulations.


 
 
 

Lawfulness of processing (GDPR)

 

In accordance with current data protection legislation, the mere collection of the graph cannot be considered processing of special category data.

In the case of the dynamic signature, however, special category data is processed:

"(14) 'biometric data' means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, […]" (Art. 4 GDPR)

Obviously a biometric pattern is behavioral data and, therefore, data whose collection is prohibited.

"1. Processing of […], biometric data for the purpose of uniquely identifying a natural person, […] shall be prohibited." (Art. 9 GDPR)

And, although paragraph 2 of the same Article 9 establishes exceptions to this prohibition, our view is that not even the prior and duly formalized consent of the signatory would be sufficient to make the processing legitimate.

The risk to the rights and freedoms of the data subject is extraordinarily high and, in our opinion, there is no proportionality that justifies this type of processing. Misuse of this data, e.g. by applying the corresponding computer logic, could indiscriminately reproduce the data subject's signature without their knowledge. In that case, regardless of the direct damage caused by forged signatures, how could the signatory revoke their signature? Should they change their signature or their hand?

The providers that market this technology do not usually warn their clients that the clients are the data controllers; the provider is merely the processor. It is the client who, if the processing is unlawful, assumes all responsibility.


 

Sign to Sign® offers you a new and innovative biometric signature modality with high legal effectiveness:

Hybrid signature
(biometric and electronic)

The ordering party hands the electronic pad to the signatory and acts as a witness. Once the signatory has signed, the ordering party signs with their electronic certificate, attesting to the operation.


 

Biometric signature validation

 

There is no instrument that allows automatic validation of a biometric signature. The intervention of a handwriting expert and a computer expert is required.

Handwriting experts with technical capacity and accredited experience in the judicial field. Members of:

Asociación Colegial de Peritos Calígrafos
Paseo de la Habana, 9-11. Bajo. 28036 Madrid.
Avda. Diagonal, 468, 6°A. 08006 Barcelona

Computer experts with technical capacity and accredited experience in the judicial field. Members of:

Asociación Profesional de Peritos Informáticos
Avd. Meridiana 358, 4ºA. 08027 Barcelona

 


 

Biometric signature validation

The provisions of Articles 281 and following of the Law of Civil Procedure (LEC) apply to the taking of evidence, making it necessary to obtain an expert opinion in accordance with Articles 335 and following of that Law.

There is no computer tool that can automatically determine the veracity or falsity of a graph or a dynamic signature. This is only possible through the intervention of a handwriting expert, who will issue a personal value judgment. Because this expertise cannot address technical issues such as integrity and audit trails, its scope is limited and must be complemented by the participation of a computer expert.

In addition, since it is an electronic document, the system must be provided with certain security measures that make it electronic evidence whose accuracy can be validated in the future.

Sign to Sign® assumes the responsibility of collecting all audit trails, authenticating legal evidence and guaranteeing its integrity when signed electronically by ANF AC (long term). However, this generates a proof document which in turn is signed by ANF AC, all of which can be validated through the qualified service of ANF AC.

In summary, an electronic transaction whose legal security is based on the use of the biometric signature has the shortcoming of not being able to verify the truth or falsity of the documents it receives.

If you have any doubts in this regard, do not hesitate to consult our legal department.

 

Are there legislation or technical standards for the biometric signature?

Currently there is no national or European legislation that supports this biometric signature technique, nor any European ETSI standard that can be used as evidence in court.

See more information about legal effectiveness.

Regarding international standards on the matter, the only existing one is ISO/IEC 19794-7:2007, "Data exchange format". This standard is limited to aspects related to technical security.

There are no officially accredited auditors to issue certifications of compliance with this ISO.
