Blog article
See all stories »

All Trains Cancelled: How an e-Sig Failure Derailed a €3bn Transport Deal

On 21st September, the Swiss-based train manufacturer, Stadler, announced that it lost a €3bn  contract with the Austrian Federal Railways ÖBB due to a legally impermissible electronic signature on the purchase agreement.[1]

The consequences of such a failure are serious. The costs inherent to a multi-billion public tender are counted in millions and the episode could delay delivery by a year or more. And now Stadler has no assurance, whatsoever, that it will still be awarded the contract.

What went wrong?

From a technical point of view the e-signature was not flawed. It was the surrounding legal framework that failed.

The contract was governed by Austrian Law and needed to be signed with a Qualified Electronic Signature (QES). The Austrian Signature Law[2] is directly derived from EU law, the Electronic Identification and Trust Services (eIDAS) regulation,[3] which warrants that a QES has the equivalent legal effect of a handwritten signature.

Stadler used a QES to sign the contract. So far so good. 

The problem lies with the Trust Service Provider (TSP) used to deliver the signature service. Stadler used a Swiss TSP which means the QES is thereby considered qualified under Swiss Signature Law (ZertES).[4]  From a technical point of view, a QES under ZertES and a QES under eIDAS are almost identical. They follow the exact same technical standards together with a very similar certification framework. The main difference lies in the liability of the services rendered. EU and EEA countries follow the eIDAS framework, which offers cross-border interoperability between all EU and EEA member states. In other words, what is qualified in Germany will have the exact same legal effect as what is qualified in Austria.[5]

This interoperability is, however, strictly limited to the EU member states. The eIDAS and ZertES regulations allow for the possibility to establish a recognition agreement with third-party countries, but, in this case, none had been negotiated or entered into. In 2017, at a Cryptomathic conference in Zurich, the head of the legal data processing unit at the Federal Office of Justice confirmed that even though the underlying standards are the same, interoperability is not automatically provided in the absence of a mutual recognition agreement between the EU and Switzerland.

Inevitibly then, the Austrian Federal Administrative Court declared that Switzerland is not part of the EU and that the jurisdictions are not aligned.

To avoid this procedural flaw, Stadler could have signed using a Qualified Electronic Signature, delivered by a trust service provider legally domiciled and supervised in an EU or EEA country and duly registered in the EU trusted lists. Any other service provided from third party countries such as Switzerland or the UK would not be fit for purpose.

Most providers including Docusign and Adobe offer, by default, qualified seals or simple electronic signatures. The electronic signatures are admissible in court but do not provide legal certainty; they would not have satisfied the requirements for the Austrian contract.

Key learnings: Multi-jurisdictional deals need legal certainty

This case demonstrates the critical importance of selecting the right e-signature partner and solution provider to ensure that the transaction cannot be repudiated due a procedural flaw. Assurance or even high assurance that the contract is signed is not enough for sensitive operations or high value transactions. Legal certainty is required.

Countries in the EU are in the fortunate position to have a legal framework where certain types of accredited trust services are granted the same legal effect as handwritten signatures. This principle of equivalence means that a document, which is ‘duly’ signed electronically, will be regarded as legally equivalent to the paper-based version with a handwritten signature. In case of dispute, the burden of proof is in the hands of the opposing party and the TSP is liable for damage. The liability caps are defined with the TSP and usually follow the liability requirements set out in the national law where the TSP is registered. Similar legislation is in place in Switzerland, but there is no mutual recognition yet.

This principle of equivalence is however not present in all jurisdictions. The US eSign Act, for instance, grants legal recognition and court admissibility for electronic signatures and records, but it does not provide full legal certainty.

Regardless of the contract or jurisdiction, here are five golden rules that businesses need to observe to avoid falling into procedural traps:

1.       There is no legal certainty without a duly performed identification process of the signee.

Solutions where you do not present official ID documents will never allow you to obtain legal certainty. There is a plethora of solutions, which rely only on invites by email, phone or messaging. Without formal ID Proofing, either face to face or remotely, there is no certainty that the signee really is who they claim to be.

2.       There is no legal certainty if you are not the signee. 

Open the signed PDF in Adobe and check the signature panel. Do not rely on the information added in the new document as it has no legal value whatsoever. If you sign as legal or physical person, you should recognize your name as displayed in figure 1, below. If your name is not included here, you are not the legal signee.

 

Fig 1: Only those persons displayed in the signature panel are the legal signees.

 

3.       The service provider must be admissible.

There is always a section in your contract which will state which jurisdiction applies for the contract. It is very important to verify that the service provider is legally domiciled in the same jurisdiction or in a jurisdiction that offer cross border interoperability.

Contract

Certificate

Any EU or EEA Law

The provider shall be in the EU Trusted list for QES

Other jurisdiction

Service provider in the same jurisdiction

It is, however, not straightforward to verify where the certificate provider is legally domiciled. On the signature panel, check the certificate details of the issuer as shown on Figure 2 and Figure 3 where we see signatures using TSPs established in the US and in the EU respectively.

 

 

Fig 2: Here the issuer is based in the US and the signature is therefore not permissable for an EU contract

 

 

This confirms that this is a Qualified Electronic Signature according to EU Regulartion (eIDAS). Such verification would have saved Stadler!

Please note that many PDF readers do not present electronic signatures (e.g., Google Chrome).

4.       There is no legal certainty if the signee does not retain a level of control

One of the easiest ways to spot a potential issue here is to look at the consent mechanism. Generally, a signee needs to demonstrate consent to a signature operation. This consent needs to be strongly bound to the signature operation and is typically provided using two factor authentication, using app or SMS-based one-time passwords.

Any solution that is simply based on username / password or with static mechanism (e.g. scratching a signature on a pad or mobile phone) will not be regarded as sufficiently strong to deliver the level of security required to safeguard against replay or man in the middle attacks.

5.       Without technical non-repudiation there is no legal certainty

This aspect is more difficult for a non-expert to verify, i.e. to establish the assurance that someone cannot deny the validity of the e-signature. When you read something in your web browser or in your mobile app, how can you be sure that the text you read is genuine, from the right source, and agree on the content it displays?

Cryptomathic introduced the the concept of What You See Is What You Sign (WYSIWYS) and implemented a solution that ensures, with a high degree of assurance, that the document(s) received at the beginning of the signature flow is/are truly rendered to the user, that they provide their wilful consent, that the signed documents have not been altered and are signed for long-term archive. Finally, we also store the logs and can reproduce the visual experience days and years after the signature operation.

The legal framework for awarding contracts electronically with the Austrian Railways is based on Austrian law and incorporates amongst others, the EU regulation on electronic identification and trust services for electronic transactions in the internal market, i.e. all EU and EEA member states. Any bidder therefore needs to apply a QES issued from a TSP registered in the EU. Similar legislation is in place in Switzerland but, critically, there is no current mutual recognition between the EU and Switzerland that supports the level of legal non-repudiation required by orders of this magnitude.

Most electronic signature providers offer qualified seals or simple electronic signatures by default. These assets are admissible in court but do not provide legal certainty, which is the key issue here.

Bottom line: the lawyers at Stadler should have stressed the importance of the legal domicile of the TSP in this cross border transaction.

[1] More reading on https://www.watson.ch/wirtschaft/schweiz/472368308-stadler-rail-verliert-oebb-mega-auftrag-wegen-signatur-fail

or https://www.tagesanzeiger.ch/panne-bei-unterschrift-stadler-verliert-milliarden-auftrag-883965297799

[2] Bundesgesetz über elektronische Signaturen (Signaturgesetz - SigG)

[3] eIDAS Regulation (Regulation (EU) N°910/2014)

[4] Bundesgesetz über Zertifizierungsdienste im Bereich der elektronischen Signatur

[5] Art 12 – eIDAS regulation

 

 

1340

Comments: (0)

Guillaume Forget

Guillaume Forget

Managing Director

Cryptomathic GmbH

Member since

19 Jul 2004

Location

Munich, Germany

Blog posts

2

This post is from a series of posts in the group:

Digital Identity Management

Discuss upcoming trends in digital proofing, authentication, fraud and digital identity management.


See all