Lawyers often regard their job as being completed once they've finished writing up a contract. On the other hand, lawyers often have to deal with signing mistakes and errors that are made in making use of contracts. Docusign, and similar software, solves some of this problem but there's so much more that could be done.

Signing Agreements Like Google and Facebook

Some of the blame for contracts being signed wrong goes to the lawyers, for failing to provide appropriate instructions for signing or creating agreements intended to be signed in a confusing manner (i.e. the signature block could have been done better). Big companies don't have their mass market customers sign deals like this.

There's an accepted, standard way for doing deals with the public that all big tech companies use; the user clicks a box that reads "Yes, I agree to the terms". This is valid, binding, and common way of entering into agreements. There are even less explicit ways of entering into deals that are recognized by the common law and special statutes that enable digital agreements. For example, the Electronic Commererce Act, 2000 in Ontario. In other words: insisting on fake signature images to appear in contracts is not necessary for almost every contract out there.

So-called wet ink signatures are even less necessary than digital signatures of scanned versions of a person's signature. These sorts of agreements are often perceived by the public as being more binding, but that's almost always nonsense. I do recognize that formality and ceremony can have a role, but for most businesses these sorts of things are getting in the way of doing a deal. Delays created by people being unable to figure out the software for a signature or mailing in a copy are burdens on businesses, not advantages. Wherever possible, lawyers should be advising their clients to avoid these delays, mistakes, and problems that occur. People should do what Facebook, Google, Microsoft, and every other large online business does: I agree.

There is no magic to signatures. They are a means of expressing agreement. If the person agrees, then they agreed. They could agree by saying I agree in-person, but that wouldn't leave the same sort of evidentiary record that might be needed later. The form doesn't matter, except for the convenience of capturing the data. Which in modern business, is very important. Major companies don't have clerks sorting through all the buttons people pressed that say I agree, they simply record that information in a database, to be retrieved later.

A Better Way To Sign Agreements

Software companies can move to signing agreements using online contracting without any special software. They may need to ask their lawyers to change the way the contracts are drafted, to enable digital assent, but this is usually quite straightforward. What can be difficult is how to coordinate signing of agreements that go beyond just assent, and require collection of information or multiple signers.

Below is a mockup of what it would look like to digitally sign an agreement, with the variables of the PDF version of the agreement substituted in. By that I mean, the information that needs to be filled into the template is displayed on the left, and the information required by the user to be entered into the template is collected. This enables the use of a template with multiple customers.

How would an agreement like the above be made? Below shows a mockup of how the company would create the contract by loading a template and filling in the information.

I think the above form captures the requirements for the contracting needs of 99% of businesses. There might be some edge cases that require a different method, and that could be handled with the typical Docusign-type signing method. But for most use cases, collecting signatures like this is much faster, easier, and avoids the need to have someone manually enter the signing details from Docusign into a spreadsheet somewhere.

Encryption

The ideal way of doing the above is to have a system that encrypts the PDF, and the field information using AES, entirely in-browser. Why? So that there is confidentiality. With modern encryption (like used in WhatsApp) people can enjoy secure systems that don't rely on having the operator of the server have access to every contract they've ever signed. That's how Docusign works. Docusign has a massive cache of signed contracts from companies all over the world. This is a huge security risk, and it's extra risk for Docusign.

How this method works is that the company that creates the agreement for signing creates the form for signing, then a password is automatically generated locally in the browser. The company then sends the link to the user through email, WhatsApp message, text message, Signal, or whatever means they'd like (according to their security needs).

Code Sample

In-browser AES encryption works in every major browser. Here is the Javascript code that can be used to do this:

AES.class.js and Utilities.class.js.

In the code provided above, the contents are stored hex-encoded in a way that permits PDFs of several megabytes to be loaded (unlike atob or other methods). If you, the reader, are actually attempting to build the system described in this blog post, please pay close attention to how this works because you'll find other ideas run out of memory or experience other decryption problems because the WebCrypto API is generally designed for smaller chunks. There are other ways to do it, but the point is that the standard way of doing it probably won't work. So, for example, if you use ChatGPT to generate the code, you'll find out that it doesn't handle larger files.

Downside of Local Encryption

The downside of encryption is that the system can't use email to automatically remind people of signed contracts or email the user when everyone has signed. This requires a bit more work operationally, but the advantages of being secure don't come at no cost. The company would have to send out confirmation that the agreement has signed (if necessary) but they're probably already doing this, so the burden isn't that high. If this really was needed as a feature, the company could potentially build it by connecting to the server and downloading the encrypted data, then decrypting it locally, then sending out emails using their current email system.

There are also theoretical concerns that are raised whenever the subject of Javascript encryption comes up. Some people say not to ever do it because it requires the user to trust the server, which could serve malicious code that stops the encryption from working or duplicates the messages. This is true, but castles could be breached in Medieval times and it wouldn't stop me from preferring to have a castle than not if I were king. Some defence is better than none at all. In this case, a developer could extend the security of this system by making a downloadable version of the server that clients could run on their own servers (but few would actually do this).

Generating PDFs in Browser: PDF-LIB

Philosphically, I think it's better to have purely digital signing. But if it's required that a PDF be outputted from this signing process, which may be required for auditors, ease of backups, or other practical needs, there's a solution in the form of PDF-LIB. PDF-LIB is a Javascript library that can modify PDFs in the browser, entirely using Javascript. So the user or the company could generate a new PDF that has the signature proof page appended, and the data provided by the company embedded too.

Conclusion

Generating agreements for digital signing can be done easily, securely, and conveniently. The method proposed above isn't quite as convenient as emailing a PDF or sending a Docusign link, but the results are more easily used with other software systems, puts control back in the hands of the company, and prevents eavesdropping. Better security may not be important to most businesses, who don't care who has access to their signed agreements, but it certainly matters to some people. Some lawyers are using Docusign for signing retainers, but by doing that they're sending all of their client information to a company in another jurisdiction. In 2023, better is possible. Digital signing is legal, common, and could be much more widespread with better software to enable businesses to do deals.

The software outlined above isn't that glamorous, but it would be great infrastructure for many businesses, who could benefit from template libraries, automation, and being able to back up their data. Right now, many companies don't know what agreements were signed with whom. This is a problem that shouldn't exist. Digital, encrypted signing solves that problem too.