From l’Hospitalet to Europe, thanks to the digital signature

Interview published in La Vanguardia and in Norberto Gallego’s Blog on 07/18/2022
Signed by Norberto Gallego

Electronic (or digital) signatures are on the rise in Spain, yet it is far from widespread knowledge and adoption. Even though the country currently has some 14,000 electronic offices available to citizens and companies, much remains to be done. Statistics do not say everything about the emerging market of digital identity certification. Of the various links in this unique value chain, this blog wanted to focus on a peculiar one: the provision of trustworthy services. The first evidence is that the new labour paradigm that has appeared with the pandemic creates a favourable context, which is combined with the need to mitigate the risk of digital fraud.

Last month, Víntegris company was awarded the tender called by the Congress of Deputies for which the 350 legislators are going to use its electronic signature technology in service mode, among other features such as qualified time stamping, a method that provides a record of the exact time of the signature and its validation in case of discrepancies that have not been lacking lately.

It is a reference of enormous value for Víntegris, says Javier Bustillo, its general manager since the middle of last year. “We are part of the T.I. but in a rather special way. An example is that, in most cases, our interlocutors in companies are not those responsible for technology but the legal departments”.

It is reasonable to think that it is due to the dichotomy between two personalities that coexist in Víntegris. On the one hand, there is the condition of a Qualified Trust Service Provider (PCSC); on the other, that of a software manufacturer. It is an unusual duality that allows us to offer the market a value proposition based on a product that is sold as a cloud-based service for the issuance and centralization of electronic certifications with time stamps, qualified signatures, SSL certificates, and other qualities that jurists value. We call it nebulaSUITE […]

In fact, Víntegris has been the only company called to participate in two relevant subcommittees. One, created by the National Cryptologic Center, to which we were invited by our status as a manufacturer, and in the second, an initiative of the Ministry of Economy and Digital Transformation, we participated as a qualified provider of trust services. Its consequence would be ministerial order 465/2021 of May 6, which enables trust service providers to equip themselves with specific technological and legal means for issuing certificates through remote video identification and with probative legal value.

In my opinion, not only the relationship between citizens and Public Administrations is going to change, but also the habits acquired by companies. Recently, we have seen several use cases emerge where this dual role places us in a position that I can call privileged.

[…] We can deal with providers such as the FNMT (Fábrica Nacional de Moneda y Timbre) or with the National Police itself based on intellectual property that we do have. In the same way, we can talk to software manufacturers with a signature workflow but not a label as qualified providers, which means that their signature does not have the legal probative validity that ours has.

I am referring to the ways of managing an electronic signature, for which it is necessary to distinguish between three signature types: basic, advanced, and qualified. Each one with a different probative legal value, being the qualified one the one with the highest value. Here a fundamental legal concept appears, the inversion of the burden of proof, by a reform in the Civil Procedure Law of 2007. I include myself among the laymen in the matter, to whom it went unnoticed in his moment. Its significance is such that the magistrate will admit it directly as valid if evidence with a qualified signature is presented to a judge. This, said so easily, radically changes the effectiveness of many legal acts because it is up to the other party to prove the contrary.

This means the acts acquire the same probative value they would have if the procedure were done in person. As is known, there are software companies that offer signature management, but they do not have the legal status that Vintegris has. We have invested a lot to deserve and renew the European eIDAS certification, in addition to others that are necessary for the validity of our product.

Not quite. In 2016 Víntegris began the migration of its entire installed base so that only four or five of the clients have not completed it, but more than 90% have already migrated to the cloud. Therefore, to be clear: what we sell is a product that works in service mode. In addition, our software can work with the rest of the qualified providers since, on our platform, we accept the qualified certificates of any other trusted provider. I must add a nuance: according to the law, the highest level of signature, the qualified signature, requires that the keys never leave the secure device […]

Intellectual property because what we earn from the issuance of certificates is not comparable to what we earn from the use of the IP for the centralized and secure management in the cloud of all the certificates that are issued […]. When we go to a new client, they have many certificates issued during the last three years and, therefore, we have to integrate them into our platform.

It is not necessary, but we believe it represents a competitive value that differentiates us in the market. Few companies can say the same, and even fewer have an international projection comparable to Víntegris […]. We comply with the eIDAS certification standard with European validity. Currently, we have already finished the translation of the platform, available in three languages ​​and soon in seven. In addition, we are working with one of the most prestigious law firms in Spain to review the legal schemes of each country in which we want to open offices next year.

The reality is that, for a qualified provider of trust services, the legislation of each EU country incorporates nuances that must be strictly respected and complied with. I’m not just talking about the language but about factors that must be carefully analyzed before making a systematic deployment.

We could distinguish four different cases. Two of them are in terms of market segmentation, on which I will not expand. The other two, by the criteria of legal validity and security to which a company aspires when it issues, use an electronic signature that validates some process or document generated by its employees, clients, or suppliers. Some companies need the highest legal validity when they file their taxes. Still, an SME with 25 employees comes to mind that, in its internal document management workflow, requires several approvals for which a basic signature is sufficient.

There are degrees, naturally. An excellent example is that of the health sector. One of our emblematic clients is the General Council of Medical Associations of Spain, which can potentially issue qualified signatures for 280,000 doctors.

There are many use cases where evidentiary signature value is needed, spanning many industries beyond banking and insurance. But also at the level of citizens, as a consequence of the growing need for remote identification. Until now, Víntegris has preferred to focus its activity on some 200 large clients, but we are seeing that going down the pyramid, there are many other potential ones that we ignored. The need for the basic signature has become widespread due to the impact it can have on the exchange of contracts and documentation, in addition to the consequences of regulation.

Above all, among those SMEs that have been a bit forgotten by us. Typically, we serve them through system integrators, the foreseeable ones – Deloitte, Accenture, KPMG, etc.–and some niche partners that usually specialize in vertical sectors. For us, the only way to gain market share in this segment is to create a network of loyal partners that adapt our solutions to the emerging use cases.

Our qualified certificates are valid in some 14,000 electronic locations. For the certificates of a provider to work, if you want yours to work in all of them, it is an important task and investment. It is true that there are certain aggregation centers, such as the Tax Agency or the bodies of some regional governments, but in practice I can find that my certificate has stopped working if an update has not taken the root certificate into account. And if this is a nuisance for a Spanish provider, imagine what happens to another country that wants to come to do business in Spain […]

[…] Let’s say that there is still room to improve the interoperability of electronic certificates in all the offices in Spain. But then, frankly, you look at what happens in the other 26 EU countries, and many are worse off than Spain.

Due to lack of habit. The reality is that today it is possible to carry out almost any procedure with an electronic certificate […] and with even more reason now: thanks to the enabling of remote video identification, things are going to change at a forced pace.

Citizens have been used to the massive use of facial recognition for years and for many uses. Banks apply it for certain operations, with the limitations established by the data protection directive. On the other hand, as far as we are concerned, the National Cryptologic Center has established the technical and functional requirements that must be met by those trust service providers who want to practice video identification with probative validity […]

I would say that the current experience does not change much for the real user: 90 seconds in front of a screen, proof of life, OCR recognition, random movement, and that’s it […] but what is behind it is a series of security certifications that the CCN  National Cryptologic Center,  audits and, in addition, includes real-time consultation of the Police database. Likewise, safeguarding of this information is required for fifteen years in a secure site […], And the verification is not only done with the Spanish DNI but with the passports of the 27 member states, a tool that we have enabled in our solution.

It is obvious, and anyone understands why, as long as the conditions of compliance with the regulations are met. For our part, we are willing to integrate our certification solution with specific applications specifically used by health services and developed by integrators who know the use case well.

I don’t think the public sector is lagging, far from it. There are trustworthy service providers specific to the public sector, such as the FNMT and the regional ones in Valencia, the Basque Country, and Catalonia. These institutional mechanisms work very well, but we still believe that we can do exciting things.

The company in its original form was born in Barcelona in 2004, at the hand of a Catalan businessman, Facundo Rojo, acting as an integrator of third-party technology systems for several years. It focused on four large clients: Generali, BBVA, Catalana Occidente , Sabadel, and on developing software related to security, access management, and the securitization of end-point environments. The great success was to preserve the intellectual property even after the internalization of personnel in the clients.

In 2016, after several years of discreet development, it migrated the architecture to a SaaS model on a hyperscaler. It was already in a position to manage official recognition as a PCSC (Qualified Trust Service Provider). Finally, it was acquired in 2020 by the Euronovate group, with a strategy that proposed giving Vintegris’ activity an international boost. And being controlled by the US group Topaz, which specialized in biometrics, this affiliation provides us a new relevance since we can offer an end-to-end solution for identity management projects: hardware, software, certification, services, and integration and 95% we do it ourselves.

It contemplates four geographies: the United Kingdom, Germany, France and Italy, with the aim of opening offices in 2023. This requires more than just the translation of the platform: a technical-legal adaptation of the solutions and, probably, the purchase of a company with local roots.

Yes, it’s correct. Any European citizen can use Víntegris technology with the same validity as in Spain. Currently, 5% of turnover originates in some other European country, but this quota seems residual to us if we compare it with the opportunities that we believe we have open in Europe. In three years, we could go from the current 5% of our total turnover to 35%.