
Reduce Paper Hassles with Electronic Consent

A nonprofit's guide to digital signatures and click-through agreements

July 24, 2006

Each summer, YMCA-owned Camp Ralph S. Mason, located in Hardwick, New Jersey, hosts more than 1,000 children. But before children actually arrive at camp, their parents must complete an application, as well as various forms for paying fees and signing up for programs. Invariably, with so much paperwork floating around, Camp Mason would misplace a few applications each year and have others show up late due to mail delays — until, that is, the camp began allowing parents to register their children online.

The Web-based registration process requires that parents provide basic information, such as their child's date of birth and an emergency contact number. Before they can complete the process, parents must also check a box indicating that they've read the Parents' Handbook. By electronically consenting to Camp Mason's terms and conditions, parents are bound to the agreement in the same way they would be if they had physically signed a document.

The result is a more efficient — and paperless — way for the camp to obtain consent. And the system seems to be working fine for the parents, too, according to Camp Mason CEO Mike Peterson. "We have yet to have any negative experiences using electronic consent forms," Peterson said, adding that no parent has yet contested his or her electronic agreement to Camp Mason's terms and conditions.

If Camp Mason's prior troubles all-too-closely resemble the situation at your organization, allowing your constituents and users to express consent electronically may be a good solution, potentially saving you money on paper, printer toner, stamps, and envelopes. And without all that cumbersome paperwork, your staff is likely to spend a whole lot less time filing documents and searching overstuffed drawers and cabinets for important files.

Electronic Consent: The Basics

Although electronic consent is a fairly broad topic encompassing diverse technologies, many organizations rely on one of two high-level methods: click-through agreements (like the one used by Camp Mason) and digital signatures, a virtual and authenticated representation of a specific person's real-world signature.

Click-Through Agreements

You've likely run across so-called click-through agreements fairly frequently in your online travels. Essentially, a click-through agreement divulges the terms and conditions a user should know before visiting a Web site, using a service, or finalizing a transaction, then prompts him or her to consent. For instance, in order to sign up for most free Web-based email services, you'll have to agree that you will not use your account to send spam.

Typically, click-through agreements allow a user to concur with the terms by checking a box, hitting a button marked "I Agree," or something similar. Users who do not agree to the conditions can simply leave the page or click an icon labeled "I Do Not Agree."

Though click-through agreements won't require your organization's constituents, volunteers, and funders to learn their way around an unfamiliar piece of technology, the downside is that they don't provide much in the way of authenticity. This means that your organization has no way of knowing if the person expressing consent is really who they say they are — unless, of course, they are entering verifiable information such as a credit-card number.

Digital Signatures

In 2000, the United States Congress passed the Electronic Signatures in Global and National Commerce Act (ESIGN), which essentially gave electronic signatures the same level of validity as a physical pen-and-paper signature. According to ESIGN, an electronic signature can be defined as "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

Because this definition is quite vague, almost any marking — such as a person's typed name or initials — could technically constitute an electronic signature. But as is the case with click-through agreements, such forms of electronic signatures offer no concrete proof of a user's identity.

To solve that, some firms, like VeriSign, offer third-party certificates (in digital form) to organizations that want to prove their identity to their constituents and vice versa. Other companies offer solutions that let you sign and authenticate documents using a piece of specialized software or a Web-based service. Although the term "digital signature" is often used interchangeably with "electronic signature," digital-signature technologies like these offer a higher level of authenticity but aren't always straightforward to use. In most cases, implementing a digital-signature solution will require your organization — and in some cases the people you deal with — to spend both money and time learning how to use the technology.

The nature of the information being transmitted is a crucial element when deciding whether to obtain consent using a simple click-through agreement or a full-blown digital signature, according to Jason Schultz, a Staff Attorney at the Electronic Frontier Foundation (EFF). "If you're doing any kind of serious transaction where you're entering into a contract with someone, you're definitely going to want something very substantive," Schultz said.

Laws governing electronic consent vary according to state and transaction type, so your organization may need to consult an attorney regarding the specific situation in which it intends to obtain electronic consent. For additional information, visit ESIGN Commission, which offers a list of electronic signature laws by state, message boards for asking questions, and other helpful resources.

Best Practices for Click-Through Agreements

If your goal is to obtain consent surrounding low-impact transactions — making sure that new members concur with your organization's rules and regulations, for example — you can avoid more complex and expensive digital-signature technologies and simply use a click-through agreement.

Using standard HTML, your Webmaster or volunteer Web builder can add click-through agreements to your nonprofit's site, but the manner in which you present the click-through screens to your visitors can be a bit trickier. It's a good idea to consult an attorney to help you draft the contents of a click-through agreement and make sure that it complies with state or local laws; adhering to a few high-level principles will decrease the chances that the agreement ever ends up under scrutiny in a court of law. 

The EFF's Schultz suggests that organizations prominently display all click-through agreements or terms of service in a location that users won't miss, pointing out that United States courts are currently frowning upon sites that list their terms and conditions on pages that are hard to find or infrequently accessed. "The best practices are really to be up front and to disclose the major terms…and then give them an actual opportunity to agree," Schultz said.

In addition to including a button for accepting terms of service, Schultz advises that organizations also provide users with an icon or checkbox for rejecting the conditions outlined in the click-through agreement. He also thinks that giving users a third option for asking questions and getting more information about the terms and conditions can be a solid precautionary measure when structuring click-through agreements.

"A court looking at that later would say 'Well they [the user] clearly had an option to get more information and they chose not to,'" Schultz said. "So they [the court] would probably hold that against the user."
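The three options Schultz describes (agree, do not agree, ask a question) can be enforced and recorded on the server rather than trusted to the page. The following is an added example, not code from the original article; the field names, record layout, and sample terms text are assumptions.

```javascript
// Added example: server-side handling of a click-through form submission.
const crypto = require('crypto');

// Constructed sample terms; in practice, the exact text shown to the user.
const TERMS_TEXT = "Parents' Handbook, 2006 edition: campers must follow staff instructions.";
const CHOICES = new Set(['agree', 'disagree', 'question']);

// Fingerprint of the terms, so the record states which version was shown.
function termsFingerprint(text) {
  return crypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// form: parsed POST body (hypothetical fields name, choice, termsHash).
// meta: { ip, now } taken from the server's view of the request, not the client.
function processConsent(form, meta) {
  const choice = String(form.choice || '');
  if (!CHOICES.has(choice)) {
    // An unchecked box or missing button value is never treated as consent.
    return { ok: false, proceed: false, reason: 'no explicit choice submitted' };
  }
  if (form.termsHash !== termsFingerprint(TERMS_TEXT)) {
    // The page displayed an older version of the terms; show them again.
    return { ok: false, proceed: false, reason: 'terms changed since page was shown' };
  }
  const name = String(form.name || '').trim();
  if (!name) {
    return { ok: false, proceed: false, reason: 'name required' };
  }
  const record = {
    name,
    choice,
    termsHash: form.termsHash,
    ip: meta.ip,
    at: meta.now.toISOString(),
  };
  // Rejections and questions are recorded too, but only "agree" continues.
  return { ok: true, proceed: choice === 'agree', record };
}
```

The stored record is evidence that a click happened against a specific version of the terms; it does not establish who clicked.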

Implementing Digital-Signature Solutions

Transactions or agreements that require your nonprofit to enter into a legal contract with another organization or a third-party technology vendor may require a digital signature, as you'll want concrete proof of all parties' consent should someone ever attempt to repudiate the agreement.

If your organization is planning to collect authenticated digital signatures from a large number of constituents, you may want to investigate a back-end solution, such as Silanis ApproveIt Web Server, AlphaTrust Pronto Server, or a digital signature subscription service provided by Yozons.

However, these can be complex and expensive, so if you need to collect signatures from only a few key funders or are simply experimenting with digital signatures to see if people will embrace them, a cheaper, less elaborate solution makes the most sense.

Web-Based Digital-Signature Services

Since the passage of the ESIGN Act, several services have sprung up that allow two or more parties to digitally sign a document. Getting started usually only requires that you create an account at the service providers' Web site and follow a few simple steps.

While the two services discussed below will charge your organization a fee for each digitally signed document you send, those on the other end of the transaction won't incur a charge or be forced to install any software on their computers. Both services below also offer some form of a free trial, so you can judge their effectiveness and ease of use before you spend any money.

DocuSign Express

DocuSign Express allows you to send multiple-page documents to several recipients at once to collect their authenticated digital signatures. To use DocuSign's 30-day trial, you'll need to install a 6MB application on the computer from which you'll be sending the documents.

The application's interface is similar to that of an email client, allowing you to add files such as Word documents, Excel spreadsheets, and Adobe PDFs to an envelope, then drag tabs to flag spots in a document where recipients should sign, date, or initial. After you send the documents, recipients will be able to access them by clicking an email link and creating a free DocuSign account. Once your recipient creates a signature and applies it to the document, you'll receive an email notification.

DocuSign Express employs several layers of authentication so your organization can verify a sender's identity and ensure that the documents have not been tampered with. First, each document is encrypted, uploaded to DocuSign's server, and assigned a unique, random-looking string of letters and numbers known as a hash, which is like a fingerprint of the document's contents. Changing the document changes the hash. DocuSign Express also records every aspect of the transaction, including names of anyone who's accessed the documents, the time at which they signed, and their originating IP address.

As an additional security measure, your organization can password-protect the document; DocuSign even goes one step further by allowing you to request that recipients answer personal questions (such as residence history) before they can view the documents.

The service's pricing setup depends on how many transactions you plan to complete and the average number of pages each document contains; you can find out exactly how much DocuSign Express will cost your organization using its pricing calculator. Nonprofits are also eligible for a 20-percent discount off the estimated cost.

PrivaSign

Much like DocuSign Express, PrivaSign allows your organization to collect signatures via a Web-based service that looks and works much like a standard email client. However, PrivaSign is a 100-percent online service and won't require that your nonprofit install any software in order to send documents.

The service encrypts all transactions and lets users choose from several different encryption-strength levels, though the stronger ones come at an additional cost. Besides assigning each document an MD-5 Tamper Seal, PrivaSign also records the names and IP addresses of everyone who has accessed the documents, as well as the exact time they viewed them.

PrivaSign's free trial places $5 in your account, which should allow your organization's staff members to send and sign a few documents internally to get a feel for how the service works. Pricing varies depending on the encryption level you choose and the number of pages in the document; for example, if your nonprofit and a funder both wanted to sign a one-page document using the default (free) encryption level, the cost would be around $2.25 (which includes three months of online storage).
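Both services described above pair a document hash with a log of who accessed the document, when, and from which IP address. The following added example (not code from either vendor or from the original article) shows the idea with SHA-256 in place of MD5, for which practical collisions are known, and goes one step beyond the text by chaining the log entries so that later edits to the log are also detectable. All names, addresses, and field names are constructed.

```javascript
// Added example: a document fingerprint plus a hash-chained access log.
const crypto = require('crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Seal: the fingerprint of the document bytes at the time it was sent.
function sealDocument(bytes) {
  return { algorithm: 'sha256', digest: sha256(bytes) };
}

function documentUnchanged(bytes, seal) {
  return sha256(bytes) === seal.digest;
}

// Canonical form of one log entry, including the hash of the previous entry.
function entryBody(prev, e) {
  return JSON.stringify([prev, e.name, e.ip, e.action, e.at]);
}

// Append an access event; each entry commits to the one before it.
function appendEvent(trail, event) {
  const prev = trail.length ? trail[trail.length - 1].entryHash : '';
  trail.push({ ...event, prev, entryHash: sha256(entryBody(prev, event)) });
  return trail;
}

// Returns the index of the first entry that fails its check, or -1 if intact.
function firstBrokenEntry(trail) {
  let prev = '';
  for (let i = 0; i < trail.length; i++) {
    const e = trail[i];
    if (e.prev !== prev || e.entryHash !== sha256(entryBody(prev, e))) return i;
    prev = e.entryHash;
  }
  return -1;
}

// Constructed sample run.
function demo() {
  const doc = Buffer.from('Grant agreement: $5,000 payable on 1 September.');
  const altered = Buffer.from('Grant agreement: $9,000 payable on 1 September.');
  const seal = sealDocument(doc);
  const trail = [];
  appendEvent(trail, { name: 'A. Sender', ip: '192.0.2.10', action: 'sent', at: '2006-07-24T15:00:00Z' });
  appendEvent(trail, { name: 'B. Funder', ip: '198.51.100.7', action: 'viewed', at: '2006-07-24T16:30:00Z' });
  appendEvent(trail, { name: 'B. Funder', ip: '198.51.100.7', action: 'signed', at: '2006-07-24T16:35:00Z' });
  const intactBefore = firstBrokenEntry(trail);
  trail[1].at = '2006-07-23T09:00:00Z'; // a logged time edited after the fact
  return {
    sameDoc: documentUnchanged(doc, seal),
    alteredDoc: documentUnchanged(altered, seal),
    intactBefore,
    brokenAt: firstBrokenEntry(trail),
  };
}
```

An unkeyed hash only proves anything if the seal and the latest log hash are stored somewhere the document's holder cannot rewrite; otherwise both can simply be recomputed.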

Digitally Sign Files Via a PKI Certificate

How PKI Works

In addition to using a Web-based electronic consent service, your nonprofit's staffers and the people they'll be obtaining consent from can each purchase their own authenticated digital identities in the form of a certificate. While this solution may not be ideal for organizations requiring consent from a large group of constituents, it's more suitable for nonprofits that will regularly be collecting signatures from a small group of people.

Digital-identity certificates use an encryption technology known as public key infrastructure (PKI). When you purchase a certificate, your Web browser will create two keys (long, unique strings of numbers): a public key that anyone can use, and a private key that only you should have access to. Whenever you want to exchange digital signatures with someone, you use your private key to create a signature based on the contents of the document.

To ensure that the signature was indeed created with your private key and that the file hasn't been altered by a third party, the recipient would then use your public key to verify that the message came from you. Protecting your private key with a strong password is important, as a hacker could potentially assume your digital identity if he or she were to gain access to your computer.
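The signing and verification steps just described, with a passphrase-protected private key, look like this in code. This is an added example, not from the original article; it uses a bare RSA key pair and leaves out the certificate that a CA would issue to tie the public key to a verified name, so it demonstrates integrity and key possession only. The document text and passphrases are constructed.

```javascript
// Added example: sign with a private key, verify with the public key.
const crypto = require('crypto');

// Create a key pair. The private key leaves this function only in
// passphrase-encrypted form, as it would sit on the signer's disk.
function createIdentity(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicPem: publicKey.export({ type: 'spki', format: 'pem' }),
    encryptedPrivatePem: privateKey.export({
      type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase,
    }),
  };
}

// Signer: unlock the private key and sign the document bytes.
function signDocument(bytes, encryptedPrivatePem, passphrase) {
  const key = crypto.createPrivateKey({ key: encryptedPrivatePem, passphrase });
  return crypto.sign('sha256', bytes, key);
}

// Recipient: needs only the document, the signature, and the public key.
function verifyDocument(bytes, signature, publicPem) {
  return crypto.verify('sha256', bytes, publicPem, signature);
}

// Constructed sample run: one success case and three failure cases.
function demo() {
  const doc = Buffer.from('I consent to the 2006 volunteer agreement.');
  const changed = Buffer.from('I consent to the 2007 volunteer agreement.');
  const signer = createIdentity('correct horse battery staple');
  const stranger = createIdentity('a different passphrase');
  const sig = signDocument(doc, signer.encryptedPrivatePem, 'correct horse battery staple');
  let wrongPassphraseRejected = false;
  try {
    signDocument(doc, signer.encryptedPrivatePem, 'guess');
  } catch (err) {
    wrongPassphraseRejected = true; // the key cannot be unlocked without the passphrase
  }
  return {
    valid: verifyDocument(doc, sig, signer.publicPem),
    tampered: verifyDocument(changed, sig, signer.publicPem),
    wrongKey: verifyDocument(doc, sig, stranger.publicPem),
    wrongPassphraseRejected,
  };
}
```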

Where to Get PKI Certificates and How to Use Them

Ideally, all parties that will be signing documents would agree to purchase their own digital identities. Typically, trusted third-party certificate authorities (CA) issue digital identities that confirm the purchaser is indeed who they claim to be.

Popular CAs include VeriSign, which will issue a one-year personal certificate for $20, and IdenTrust, which sells personal one-year certificates for $24. You can also obtain a free digital certificate from Thawte. However, since this free certificate hasn't been authenticated by any third parties, you'll need to get it notarized through Thawte's Web of Trust.

The type of documents your organization uses will determine what additional software or services you'll need to actually begin signing files. For instance, if your nonprofit primarily uses PDFs, all signing parties would want to download VeriSign's Adobe Acrobat Reader plug-in, which allows you to attach proof of your VeriSign digital identity.

If your organization's staffers use Microsoft Office 2000 or later, they can digitally sign Word documents, Excel spreadsheets, and PowerPoint files, so long as they've purchased a certificate from a third party. In most Office applications, a user can digitally sign a file by accessing the Tools > Options > Security menu item, then clicking the Digital Signatures icon. From the resulting pop-up pane, hit the Add button to choose the certificate you want to use to prove your identity.

However, if your nonprofit doesn't use Microsoft Office or needs to sign other types of less-common documents, certain pieces of commercial software will let you use your certificate to validate documents. Again, though, this option is probably best for nonprofits that will only be exchanging signatures with just a few people, as it will require that all signing parties purchase and install the software.

Nonprofits that decide to explore this option can download the trial version of E-Lock's DeskSeal, an application that allows users to sign various types of documents with their personal digital certificates. Parties that just want to verify your signature can use E-Lock's free reader program to do so, but if they also need to sign documents themselves, they'll also need to purchase the $36 DeskSeal application.

Allowing the people and organizations your nonprofit deals with to express their consent electronically can not only be more convenient than collecting physical signatures, but it can also help you cut down on expenses related to buying, mailing, and storing paper documents. And without large and cumbersome stacks of papers to organize and file, your staff can spend less time doing menial office work and more time helping your nonprofit fulfill its goals.

Copyright ©2006 CompuMentor. This work is published under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.

Last modified: Jul 25, 2006

(http://www.techsoup.org/learningcenter/software/page5465.cfm)