Providing half-signed documents to all signers before all signers have signed #384
Comments
|
I'm having the same issue. In a strict 3-person signing workflow, after the 2nd person signs the document, all parties received the incomplete signed document with the 3rd person missing signature. Docuseal v1.9.1 |
|
@rubyonrailsstarter i think the issue you described is different from the issue raised in the original post. |
|
@Tom-H-L partially signed PDF doesn't contain a digital signature attached to it and can't be used as a finalized agreement. Only after all signing parties sign the document the PDF is sealed with digital signature. Other esignature software providers also show signatures added by previous signing parties to the last signing party during the signing process. Just like with in-person 'paper' signing a signature of the first signer is visible on the paper document to the last signer.
|
Of course it can be used. You download it, print it, and have a document that bonds the other party while you are having the power to seal the deal or not whenever you want. This enables massive abuse. See the example that I outlined in the original post. This completely ignores if some online eSignature tool forsees some digital signature document attachment in the next steps or not. The partially signed and printed document is fully legally bonding in many jurisdictions.
One of the big players, DocuPanda, does NOT disclose the partially signed documents. Only after all parties have signed, the document with the signatures gets disclosed, which is the proper way of doing it.
Yeah, but just like with in-person paper signatures, you either sit on a table to have everyone involved sign at the same time and only after everyone has signed, they will be handed a copy with all signatures on it. If this is not possible, e.g. when an employment contract is being sent to the applicant via email for signature, then, if the company is smart, they will send an unsigned document and only sign it themselves as soon as the applicant has returned the partially signed by him document, so that the company is not at risk being held hostage by the applicant when he keeps the partially by the employer signed contract and he takes his time to sign while negotiating other offers, too. That is why people should not send documents via Email for signature since it will always include this power asymmetry. They should use online signature platforms so that it resembles the "everyone signs at the same time on the same desk" situation by collecting all signatures first and only after everyone has signed, handing out the signed copies to the parties. But Docuseal fails in this regard, as it is currently. I wonder that you do not recognize this problem to be real conceptual security issue of Docuseal. Especially, since there is not one advantage of how it is right now that the signer gets a partially signed copy, other than to serve for fraudulent intentions as described in my examples. The partially signed document has zero additional value for him compared to the blank document without any signatures. |
When you have a document that is to be signed by multiple signers, at docuseal the document as available for all signers to see the document with the signatures of the previous signers even before all have signed.
This is a huge security issue. The other singer is empowered to obtain a half signed document that leaves the first signer to be at the mercy of the later signer, since he can chose if and when he will sign, while the first signer is already bond by his signature.
For example if the contract is to by a car, and e.g. the seller signs the contract, the buyer can download this half signed contract and still try to buy another car, while he has the first car secured, since the seller has bond himself already with his signature and thus will get in trouble if he sells the car to someone else. The buyer can then either go buy some other car and leave the contract with the first seller unsigned forever, or if he sees that he can't get the other better car, return to the contract of the first seller and then sign it at some point later to still close the deal. Even if the first seller has deleted the contract at docuseal in the mean time, the malicious buyer can still print the half signed contract that he had downloaded and sign it by hand and still get a valid contract this way. If the seller has sold the car until then, he must pay damages to the buyer who has a signed contract but is not able to get the car since it has been sold elsewhere in the mean time.
At other platforms, e.g. PandaDoc the signatures of the previous signers are only displayed on the document as soon as ALL signers have signed, which is the proper way to do it. This way no signer is able to obtain a half-signed document, only an unsigned document or a document fully signed by all parties. This is the only proper way to do it.
The way it is now at docuseal is completely insecure and risky to use since the later singer can abuse it. The only way currently to prevent this would be if the seller is aware of this technical shortcoming of docuseal and thus he has included a provision in the contract that gives the contract a deadline to be signed by both parties, as you do with offers that expire, which is a very awkward, uncommon and impractical workaround and it also adds other problems, e.g. putting stress on the signers even if it would not be necessary if the platform would just withhold the partial signed contract until everyone signed.
The text was updated successfully, but these errors were encountered: