Text size: A A A

Digital signatures still handled like stone tablets

Everyone in the business of government knows the pain of circulating documents and ideas for comment and approval, yet we seem to be consistently stuck in the dark ages of hauling stone tablets along the approval chain in order to achieve the goal of that final signature chiselled on the dotted line.

Digital signatures have been around since the early 1990s with Lotus Notes 1.0, yet we still find ourselves in the embarrassing situation of not completely understanding what they are about, or how they can substantially improve our business practices.

Take for example, the National Capital Authority’s Known Infringement Notice Declaration. Its a beautiful and helpful Adobe Acrobat form that shows the user the mandatory fields that they need to fill in, and it also allows a user and witness to insert their digital signature into the form.

In an ideal world the electronic submission of this form would allow electronic systems to extract relevant data alongside the non-repudiable digital signatures directly into an electronic system without any manual intervention.

The problem with this form is that it has a PRINT button at the bottom, instead of a button to electronically transmit it to where it needs to go. A PRINT button that has no place on a form that collects digital signatures because it completely invalidates the benefit that you get from allowing someone to use a digital signature in the first place.

When collected properly, a digital signature provides the reader with confidence that the document that they have received was the exact authentic document signed by the signatory or signatories.

“When you print an electronic document that has been digitally signed, you destroy any value that a digital signature might have had … ”

Once a document is digitally signed, there is no way that the document can be altered without invalidating a digital signature. Furthermore, the authority who issued the digital signature in the first place is able to indicate whether the certificate used to sign a document is valid or invalid.

When you print an electronic document that has been digitally signed, you destroy any value that a digital signature might have had for that particular document. Furthermore, you destroy the ability for data to be electronically extracted from the form into database systems.

A worse crime is rescanning the document with a printed digital signature for filing.

In recent years, there has been an increasing proliferation of the issuance of digital signatures in government accounts but there remains confusion and mystery of what they are, what they should be used for, and how they should be used.

You may have noticed a certificate icon on e-mails that you have received. That is an indication that the e-mail that you have received has been digitally signed by the originator, and is an indicator that your department or agency has introduced digital signatures.

Ideally, what we should be seeing, is a document that clearly shows who has endorsed it, when they endorsed it and any comments that they had. Signatories should be able to see who has already signed a document ahead of them, their considerations and commentary attached to their signature.

What we tend to find in reality is a document digitally signed by multiple parties, only to have one person with old technology — or old habits — send back a scanned copy of a signature page, another sending a version of the document that only has one digital signature on it, and a final version where someone has kindly inserted a picture file of their handwritten signature into the electronic document.

Reaping the efficiencies

If government departments hope to gain the substantial benefits that digital signatures could bring to “business as usual” activities, then proper systems thinking and systems design needs to be applied and enforced at implementation.

It is no longer necessary to have administrative staff walk around the single master copy of a document when we could have digital systems provide a master version of document in a centralised location that is accessible by all endorsers and approvers.

Obviously you could e-mail a single digital master copy of a document along to the next person in the chain, but it doesn’t really make sense to digitise a cumbersome paper based process when you can deliver a solution that is far more efficient and effective.

Educating the workforce about how ICT solutions can help them improve their practices and day-to-day life can reap significant benefits — you only need to do it once and the insanity ceases almost immediately.

Was your department educated about digital signatures if and when they were implemented? If not, why not? Have you printed a document to obtain a paper based signature because someone was having difficulty using their digital signature?

The signees (and their administrative staff) need to be part of the conversation around making such a system work — not just ICT personnel who often don’t see the behavioural obstacles standing in the way of real progress.

Take the example of a Band 1, Band 2 and Band 3, all of whom work in offices adjacent to each other with their own personal administrative staff. A centralised correspondence system to rationalise the requirements for multiple registration of a document to be signed would seem like a sensible idea. However, if the behaviour of administrative staff is not altered, then you end up with a scenario where a document may be registered three times in the centralised correspondence system as it makes its way from office to office.

New workflows

The first challenge in migration to an electronic solution for document approval is break the constraints of archaic paper-based workflows. Most departments have recognised the advantage of transitioning to electronic filing and a range of records management systems, but that’s where the thinking is stalled.

“The challenge for the SES is knowing whether you are actually signing the document that you are looking at … ”

These systems must be accompanied by business approval workflows and data management policies in order to be effective, or you once again end up with a filing cabinet full of material where no one can find anything, or an overflowing digital inbox where you can’t differentiate and prioritise the most important thing that you should be looking at.

Workflows should recognise that it is possible for multiple stakeholders to review a document at the same time. To accomplish this, we need to break out of the mindset of routing a document in a serial fashion to always using a collaborative framework where people can provide endorsement and commentary at any time.

This could mean that signatures attesting to endorsement or approval are separated from the actual document and managed by a workflow system — capabilities that already exist in a number of commercial products.

The challenge for the senior executive service is knowing whether you are actually signing the document that you are looking at, when placing your signature into a signature management and approval system that is not the document itself.

The records management system in conjunction with the signature management system should  provide absolute confidence and traceability between your digital signature and the document you are signing.

You may wonder if isn’t sensible to set up a system where you just digitally sign every document itself? Every time that a digital signature is placed within a document, it increases in size because a version of what you signed is embedded in the document. A large document that has five digital signatures is around five times the size of the original document.

If the fourth signatory requests a change to the document, you need to stop, change the document and then re-start the signature cycle — once again creating a mammoth file to accurately capture the five digital signatures.

When you consider the hundreds and thousands of documents that are in various stages of approval or rework each day, you can imagine the amount of wasted storage when all you actually want is a neat summary of who has endorsed and who has approved a specific version of a document.

A signature or document approval system gets around this problem by flagging that your endorsement or approval is required, providing you with traceability to the document to be signed, and accurately recording a history of who has approved that document.

Govdex, GovCMS, Trim, Objective are all examples of commercial software that has been adapted or created to meet the needs of Australian governments. There are commercial products available today which provide document approval and digital signature management.

Perhaps one of the initiatives of the Digital Transformation Office might be to take a look at the various attempts across whole-of-government to try and get a head-start on solving problems that seem trivial in nature, but consume significant effort when tallied.

We stand to inherit significant benefit through a common and innovative efficient solution for this requirement. After all, while the business of each agency is fundamentally different in nature, no one can get away from the need to create information or knowledge, conduct consultation, seek approval and provide a record of those interaction.

Read more at The Mandarin: Learning from Australia’s past efforts in digital identity

Author Bio

Vince Chong

Vince Chong is a professional engineer and project manager, with almost 20 years of experience in public sector procurement, project and management roles.