Which factors should I consider for devices that accept handwritten digital signatures?

I don't think there are going to be any guarantees. If there is no previous case law on the topic, then I would expect this to come down to an assessment of credibility, based upon the testimony of the people involved, possibly testimony from expert witnesses, and the rest of the circumstances surrounding the court case.

Keep in mind that the legal process doesn't treat signatures as absolute ironclad guarantees; they consider them as part of the totality of the evidence.

If you want to think about how to ensure this will stand up in court, I would have two suggestions. First, talk to a lawyer. (Legal advice is not our strength on this site.) This is the most important advice I can give you: talk to a legal expert.

Second, I would suggest thinking about this from an adversarial perspective. Imagine you were an expert witness hired to demolish the credibility of the signature in court. What would be your line of attack? What would you say to try to convince a judge or jury that the signature doesn't prove anything? Then, think about what processes or mechanisms you can put in place to make those arguments less compelling. Note that complex technical mechanisms that are hard to explain to a jury are not likely to be an effective rebuttal; you need to look for something that will be persuasive in a courtroom, which is not necessarily the same thing as what mechanism will be most effective from a technical perspective.

My guess is that, for a low-value transaction, you probably don't need any crypto. If you've captured a signature that appears to match how Alice signs her name, that's probably going to be good enough for a low-value transaction. Conversely, for a high-value transaction, I'm skeptical about whether these devices are going to be persuasive in court, no matter how much fancy crypto you've thrown into them. We have decades of familiarity and experience with wet ink signatures on paper, and we understand their failure modes a lot better than we do digital signature pads. Look at the UK's chip-and-PIN, for instance; it has suffered from multiple serious security flaws (found primarily by security folks at Cambridge), even though the scheme has lots of fairly reasonable crypto that was designed and intended to stop such attacks.


EU directive 1999/93/EC (and its upcoming replacement) enforces legal equivalence between a qualified electronic signature and a handwritten signature in all Member States, and "some legal value" for other types of advanced electronic signatures. However, this directive does not address "handwritten digital signatures" but actual electronic signatures, as standardized for instance by PAdES or CAdES. In other words, 1999/93/EC will not help you here, and I doubt technical measures alone will ensure that this kind of signature is accepted in court.

edit:

Several companies offer tablet-based solutions claiming to be 1999/93/EC AdES compliant, which I don't believe.

First, advanced electronic signatures which provide legal equivalence with a handwritten signature require the usage of a qualified certificate (1999/93/EC article 5.1): tablet-based solutions obviously do not belong to this category.

For the non-qualified advanced electronic signatures, I share the view of Concise European IT Law:

"Although the definitions are being formulated in a technology neutral way, they implicitly refer to certificate-based public key cryptography, also known as 'digital signature' technology."

In practice only certificate-based signatures provide the interoperability intended by the directive, due to the various national transpositions of the AdES definition. For instance, the Czech Republic's Act 227/2000 requires that an AdES be

"created and attached to a data message using means that the signatory can maintain under his sole control"

Most (if not all) tablet-based solutions will fail the "attached" part. In fact, a scribble captured on a tablet (with or without biometrics) is reusable with any document, contrary to a proper digital signature.
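An added illustration of that last point (example code written for this page, not from the answer or from any vendor's product; the document contents, stroke bytes and key are constructed samples): a scribble capture stored next to one document can be stored next to another and passes exactly the same check, while an Ed25519 signature computed over the document's hash fails verification on any other document.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Scribble is a constructed stand-in for a signature-pad capture: stroke and
// pressure samples describe the person's hand, not the document being signed.
type Scribble struct{ Strokes, Pressure []byte }

// attachScribble models what a tablet solution stores: document bytes followed
// by the capture. Nothing in the capture depends on the document.
func attachScribble(doc []byte, s Scribble) []byte {
	return append(append(append([]byte{}, doc...), s.Strokes...), s.Pressure...)
}

// scribbleVerifies checks what a reviewer can check from the stored record: that
// the capture on it is Alice's. It cannot tell which document it was made on.
func scribbleVerifies(record []byte, s Scribble) bool {
	return bytes.HasSuffix(record, append(append([]byte{}, s.Strokes...), s.Pressure...))
}

// signDocument binds the signature to the document: Ed25519 over SHA-256(doc)
// with the signatory's private key (the "attached" property in the answer).
func signDocument(doc []byte, priv ed25519.PrivateKey) []byte {
	h := sha256.Sum256(doc)
	return ed25519.Sign(priv, h[:])
}

// signatureVerifies succeeds only for the exact document that was signed.
func signatureVerifies(doc, sig []byte, pub ed25519.PublicKey) bool {
	h := sha256.Sum256(doc)
	return ed25519.Verify(pub, h[:], sig)
}

func main() {
	contract := []byte("constructed sample: Alice agrees to pay 100 EUR")
	other := []byte("constructed sample: Alice agrees to pay 100000 EUR")
	alice := Scribble{Strokes: []byte("x12y34x15y36"), Pressure: []byte{3, 5, 4}}
	// The same capture attaches to either document and passes the same check.
	fmt.Println(scribbleVerifies(attachScribble(contract, alice), alice),
		scribbleVerifies(attachScribble(other, alice), alice)) // true true
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := signDocument(contract, priv)
	fmt.Println(signatureVerifies(contract, sig, pub),
		signatureVerifies(other, sig, pub)) // true false
}
```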