
Proposed Law: Electronic Signatures == Pen and Ink
Salgak1 wrote in to send us a Washington Times article
about Rep. Tom Bliley (R-VA) introducing a bill to make an
electronic signature legally equivalent to one done on
paper. Here is The Bill.
Seems Sen. Abraham (R-Mich) introduced a similar
bill in the Senate. (Full Text
Re:Not new . . . (Score:1)
Myths about digital signatures
Edward Felten
Wed, 19 Feb 1997 17:12:43 -0500
There has been a lot of public discussion lately about digital signatures on
mobile code. Several myths permeate this discussion. I'd like to puncture
three of them.
* Myth 1: Digital signatures let you know who wrote a program, or where it
came from.
Reality: Anybody can remove the author's signature or add their own
signature. At best, a signature tells you that the signer endorsed the
program recently. Endorsement is more useful than authorship anyway; most
people care more about whether their corporate MIS department has endorsed a
program than about who wrote the program.
* Myth 2: If X has signed a program, and I trust X, then it is safe for me
to download the program.
Reality: There have been plenty of incidents of reputable and well-meaning
organizations spreading viruses or serving as the base for security
attacks. Before accepting a download from X, it's not enough to ask "Do I
trust X?" One must also ask questions like "How carefully has X managed
his cryptographic keys?" and "What is the probability that X's security has
been penetrated?"
* Myth 3: Digital signatures provide accountability; if a program signed by
X is malicious, the victim can sue X.
Reality: Suppose I accept a download signed by X. A few seconds later
there is some mysterious network traffic and then my disk gets wiped clean.
X could be the culprit. Or X could be innocent --- that code I downloaded
from Y three days ago could have waited a while before detonating. Or
somebody could have exploited a bug somewhere else in my system. I have *no
evidence* to distinguish these cases --- all the evidence disappeared when
my disk was erased. (We can assume the attacker is smart enough to remove
the hostile code from his site immediately after the attack.)
If the attacker doesn't erase my disk, I can't trust the apparent evidence
anyway. After all, the attacker had free run of my system and could have
planted whatever "evidence" he liked. The evidence, whether real or not,
will collapse in the first cross-examination.
Signatures can provide accountability, but only with much more rigorous
logging and auditing than today's consumer software provides.
Your private key is as secure as your PC. Yah. (Score:1)
If you have a cable modem, do a 'net view', or run smbclient -L on your ISP's subnet. You'd be surprised what's out there for the reading.
Smoke and Mirrors (Score:1)
quoted from the article:
"The law is intended to boost electronic commerce by giving businesses and consumers more assurance that on-line transactions are secure."
Notice the goal is not to make on-line transactions more secure, but to give more assurance that they are secure. In other words, this would basically dupe the consumer into thinking their digital signature is secure, while simultaneously the government is in actuality undermining the strong crypto that is required to make it so.
'Don't look over there, there's nothing to see over there, look over here! Look over here!' Smoke and mirrors, that's what it is.
Re:How am I protected from stolen signatures? (Score:2)
I don't know of many people who are careful enough about system security to have digital signatures that are as secure as real ones.
Hasn't anyone heard of DSS (Score:2)
As for matching identities between people & keys, key signing is pretty effective. Only trust keys you've signed or someone you strongly trust has signed.
Mixed reaction. (Score:3)
However, for cryptographic signatures, how does one confirm that the original key came from that person? There's not much right now, beyond paranoia in dealing with unsigned keys, that prevents somebody from pre-emptively and maliciously creating PGP keys for random individuals. This suggests that we need reliable key authorities, the equivalent of electronic notaries ala Verisign; for full accountability, somebody would need to be able to trace the key to a physical contact address.
What about stolen signatures? (Score:4)
being a biometric measure: You can't steal
someone's handwriting. (You can fake it, but that
is something different from stealing it.)
But I can get someone's PGP key, or someone could
allow me access to his/her key for convenience
(so I can sign things for him/her). Thus,
I don't think a judge would be convinced
that a letter signed by a digital signature
must have been written by the person owning
the signature or the key with which the signature
has been made.
If I post my private PGP key on Usenet, I have
effectively taken any legal binding from my
digital signatures. Something that I can't do
with my real-world signature.
Therefore, for some things these digital signatures just won't work. For other
applications, they are already working,
because parties have agreed to accept them
as a means of authentication, and having
them "stolen" is negligence, making the
negligent party accountable for the damages.
Another interesting point is that you can't have
key escrow with those keys. (Sometimes, you just have to prove things, and not just rely on the honesty of the NSA.)
And having strong signatures, you can effectively
use this to create strong encryption (a process
called "chaffing" IIRC).
Thus, a law that makes digital signatures legally
binding automatically allows everyone to own
strong encryption software.
Clues for the clueless (Score:5)
Think of a school ID, a driver's license and a passport. They're all photo ID's, but with different requirements for obtaining one. As a result, they provide differing levels of authentication and authorization.
Woah... (Score:3)
Until we have legal, government-encouraged, secure (Ex: no key escrow repository) crypto, the electronic signature is worth no more than a name pecked out on an old typewriter. No if's and's or but's about it, electronic sigs would be great, but until the strong crypto to ensure their validity is in place legally and widely, they're not going to happen, unless in some insecure half-assed form that would be bad news for everyone.
--
Re:Woah... (Score:1)
hmmm (Score:1)
Oh - the link for the text of the House bill (it's HR1714) doesn't work, and thomas.loc.gov says that the text of HR1714 has not been entered into the database yet.
They're very safe. (Score:1)
"some security hole"? (Score:1)
And how do folks use e-signatures to read your data? HOW could they use this to know what you "buy or do or pay"?
Relax. This law is a Very Good Thing.
Digital signatures don't work that way. (Score:2)
Read Applied Cryptography; It talks about lots of other Neat Stuff (like e-cash). You'll find it interesting.
Re:Woah... (Score:1)
Very well said. Have to love two-faced politicians that will push for this one day, then a 56 bit max on crypto the next.
--
Re:Woah... (Score:1)
There's nothing secure about a pen and ink signature. Yes, a handwriting expert can make a careful examination, and express a professional opinion, but it's still an opinion. Also, the value of the document better be high since handwriting experts don't work for minimum wage.
When you sign a check, and give it to the cashier, how does he/she know it's your signature? If it isn't, but it's sort of close, how do you dis-prove it to your bank? $100 check, $200 for handwriting analysis...
The best way to secure the secret key is a smart card, and a 'wallet' where you enter the passphrase (so you don't have to trust someone else's card reader to not log your input).
Re:Woah... (Score:1)
A proper digital signature is not an arbitrary set of bits. It is an MD5 of the document which is encrypted with your secret key. Only your public key can decrypt it, and only that document will have the MD5 that was decrypted.
Had the checks been signed digitally, you wouldn't have had to contest them at all, they wouldn't have matched your public key.
Re:Woah... (Score:1)
The technology is simply too immature at this early point to apply to such a fundamental sort of legal construct.
okay, as long as. . . (Score:1)
Not yet... (Score:1)
The biggest, of course, is getting rid of these silly export laws. It'll take the Supreme Court to do that; the appeals court was a major victory for our side but the fight's not over yet.
Second, SSL needs to become more and more widespread. It's getting there, certainly. I'm hoping that the end to these export restrictions, coupled with the freeing of RSA (which I believe is coming soon; doesn't the patent expire sometime next year?) should do that one. Of course, the ultimate goal is to have all servers use SSL, but that'll take time.
Once those two are in place, then we'll be ready for something like this. But not before. There are simply too many potential problems to do this just yet. I'd like to see this as much as anyone, but the Net is not yet ready.
Re:I check signatures for a living. (Score:1)
The big issue that I can see with this idea is that it can be taken too far and lead to very real financial risks involving banks, trusts, credit unions, and brokerage houses. In making the electronic signatures a legal signature, you open the door to a lot of problems like theft of the signature and signature duplication. Say you had $5,000.00 in a money market account, using a good bit of computer know-how, another person gets your signature and basic account information (account number, amount in there, the usual). Bet you dollars to donuts, that computer cluebie can find a way to fool the bank employee on the other side of the terminal into handing over the money.
I think you're a little unclear on what constitutes a digital signature. We're not talking about that little block of text that goes after your e-mail. We're talking about a digest or hash function that takes a private key block, hashes it against a transaction message (which can be anything -- e-mail, news posting, audio data...), thus generating a "signature" which can be verified using a public key.
You can't duplicate or "steal" a signature because the signature is different for every document. As long as your private key is secure, your digital signature is secure.
Re:Not new . . . (Score:1)
You are correct; there are plenty of existing precedents to indicate that "digital signatures" are as good as pen-and-ink.
While electronic manifestation of assent would have some positive attributes, it is also currently (mis)used to get you to agree to shrinkwrap or clickwrap license "agreements." These are usually onerous, extremely imbalanced instruments that basically abscond with your money and your liberty, and leave you holding a piece of buggy software. I wrote an essay [microtimes.com] on this subject some time ago.
Finally, it would be interesting to see how this proposed legislation would affect Uniform Commercial Code 2B [uh.edu] (a sweeping re-write of contract law to effectively legalize all shrinkwrap "agreements"). It's beginning to look like UCC-2B may not fly because of myriad legal and ethical flaws; I wonder if this legislation is in response to that.
Schwab
A couple of misperceptions here (Score:1)
Two, digital signatures have no export limits; they are strictly one way hash functions of the document in question. There is no encrypted information as such. There are explicit allowances for digital signatures.
--
Stating the Obvious (Score:2)
Talk about stupidity! And what will the NSA say about this? Can we only use 56 bit keys for our "signature" ?
--
Re:Woah... (Score:1)
"When you sign a check, and give it to the cashier, how does he/she know it's your signature? If it isn't, but it's sort of close, how do you
dis-prove it to your bank? $100 check, $200 for handwriting analysis..."
They take my thumbprint...
Re:How am I protected from stolen signatures? (Score:1)
There are some great articles that explain how all this works... Look to www.gnupg.org for their URL's, as I don't remember them off the top of my head.
Re:How am I protected from stolen signatures? (Score:2)
And anyone who can break into your house/office can get your paper signature. QED
Another Similar Bill (Score:2)
Does anyone know the bill number for the Bliley bill? Slashdot's link seems to be broken, and I can't find any digital signature bill by Bliley on Thomas [loc.gov].
It should be noted that none of these bills specify a particular digital signature technology. The Digital Signature Act directs the appropriate government agencies to draft guidelines within 6 months (for use in transactions with the government). The Millennium act just says that "the parties to an interstate transaction may establish by contract" the technologies they want to use (one wonders how you are supposed to sign the contract).
Re:I like (Score:1)
It should also boost the smart card market.
My only question (Score:1)
My only concern is this - How would public keys be managed? This seems to be the Achilles' heel of PGP/RSA (and other public key systems). For example, let's say I sign a credit transaction with my secret key. Then, when Visa comes a knockin', I could just say "That's not my sig. Someone must have created their private key using my name." What could they do about it? Probably nothing. Unless... let's say you were required to register your public key with a trusted third party (the gov, bank, etc) and they verified your ID first (via SSN/Mother's maiden name/Address/etc) before your public key was added to the repo. At this point, others can trust that your sig/public key (which were generated by your private key) really came from you (and not just anyone that may have generated a private key using your name).
sorry for the horrid spelling - it's Friday
Immature? (Score:1)
Think about it -- Right now you can call someone on the phone and give them your credit card number and verbal authorization, and that's an enforceable contract. Likewise with the Submit button on amazon.com, or even an eBay auction.
Wouldn't a digital signature system actually be less "immature" than these relatively crude (and easily fraudulent) ways of doing business now?
--
No privacy, never ! (Score:1)
Re:Woah... (Score:1)
-earl
Re:How am I protected from stolen signatures? (Score:1)
---
Re:How am I protected from stolen signatures? (Score:1)
1. The signature isn't just your name or some arbitrary key. The signature is effectively the entire encrypted document or more importantly the fact that when the document decrypts using the sister key (public/private depending on the implementation) it proves that you wrote it for that person.
2. In theory impossible (well technically improbable) to crack an arbitrary private key. (theory==The mathematics are more advanced than anything I could probably hope to understand. But as I hear it factoring 200+digit numbers to primes isn't something computers like to do, or people for that matter.)
Re:Clues for the clueless (Score:1)
I saw enough on their screens to see that they had implemented some kind of ssh-based system. Plenty secure, right? A couple of problems though...
o The way you upgraded was to write your passphrase on a piece of paper and turn it in to the staff so they could enter it for you... and keep the paper. I wonder who has access to the written copy of my passphrase?
o Your passphrase could be as much as 20 characters long... or as short as 4.
o But none of that really mattered anyway, because they had just built a new backend using ssh. Any time you wanted to do anything electronically, you still used your old 8-chars-max password low security password, and something on their backend used it to look up and invoke your ssh passphrase.
I thought about pointing out the problems with this supposedly iron-clad accountability scheme, but I didn't figure the people I was talking to would understand.
And besides, I might get the opportunity to appear as an expert (read "paid") witness the first time someone gets busted for something they didn't do.
Honestly, I think the whole thing was a sop for the pointy-haired bosses/lawyers who reasonably want to do something about security, but are clueless about the implications of their schemes.
Re:The especially clueless (Score:1)
I don't give them that much credit.
A quick lesson in public-key crypto. - Read this (Score:1)
If someone sends you a message they encrypt the whole thing with your public key, and you decrypt it with the private key.
If you sign a message you usually want it to be world readable so you post the message in plain text, along with an MD5 hash of the message body that you encrypt with your private key. This lets anyone read the message, and anyone with your public key decrypt the 'signature' and read the hash. They then perform the same hash on the message they read, and compare the values. If it's the same, they can be very sure the message hasn't been tampered with. (It's a 'hard' problem to find a message that has the same MD5 hash as a given message. And a 'very hard' problem to find one that makes sense (ie, not random characters.))
The private key is all that's needed to sign a message! Some programs like PGP use another layer of encryption to hide your private key from casual tampering, making you enter a password to decode your private key. This is not a part of the public-key signature process, but instead a PGP feature. This means that all someone needs to have is your private key and they can masquerade as you.
How do they capture it? Trojan horses. There are many ways, some of them include: 1) Rewrite PGP to send a 'plaintext' of the private key to the attacker. 2) PGP can be used in batch mode. Write a front-end that pretends to be PGP, then sends the data to the real PGP to do the work. Then emails your passcode and private key to the attacker. 3) Watch for PGP to be run and scan through its memory space to read the private key. Mail it off to the attacker.
Of the above methods, #2 is easiest, followed by #1, and then #3. #2 could be hacked together in an hour by anyone who can code in perl.
With your private key, anyone can post messages and sign them as you. Such messages will be identical to messages you have written and signed yourself.
It is true that the Signature can't just be stuck on any old message, but with the private key, you can create a signature for any old message.
PGP could be based on a provably uncrackable code, resistant to quantum computers of unimaginable power, and your signature would still only be as strong as your OS.
The same goes for smart cards. It's just that we can assume a smartcard designed explicitly for security would be more secure than Win95. Maybe not much more, but some. The problem with smart cards is that it's all security by obscurity. The companies *know* that anyone dedicated enough, who knows the chip details, can crack them. Thus you'll never see the details, and will have to trust a big corp telling you that you're safe. Dunno about you, but I'm not the trusting sort.
Even if you can trust the smart-card, what's to stop a simple pickpocket from stealing it, cracking the simple code, and signing things before the card is revoked? You doubt the code would be simple? How many consumers can remember more than a six digit code? Fingerprints would be no more secure unless everyone used windex on the sensor after each use.
The digital signature is a great idea, but remains very easy to forge.
What can we use? How about recording a 640x480@30fps video w/ 16b 44khz audio of yourself reading the document out loud, then signing physically. It'd be a lot harder to fake. And as long as the document you read matched the other, it shouldn't matter if you fax it, because someone could just download the signature video and see if it looked real... This is just a moderately silly suggestion, but it's also the most secure thing I can think of, at least until virtual actors get to the point someone can fake this.
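The hash-then-sign scheme described in the comment above, together with the strip-and-re-sign point from Felten's Myth 1 quoted earlier in the thread, as a runnable sketch. This is an added example, not code from any poster: it assumes textbook RSA over small constructed primes, uses SHA-256 in place of the MD5 the comments mention, and every name in it (`make_keypair`, `strip_and_resign`, the sample documents) is hypothetical.

```python
import hashlib

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private).

    Toy key sizes, no padding: this illustrates the scheme only.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent, inverse of E mod phi (Python 3.8+)
    return (n, E), (n, d)


def digest(message, n):
    """Hash the message and reduce the hash into the key's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """'Encrypt the hash with the private key': sig = H(m)^d mod n."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message, signature, public_key):
    """'Decrypt' the signature with the public key and compare hashes."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def strip_and_resign(package, new_signer, new_private_key):
    """Drop whatever signature a package carries and attach a new one."""
    payload = package["payload"]
    return {"payload": payload, "signer": new_signer,
            "signature": sign(payload, new_private_key)}


def demo():
    # Constructed keys built from known Mersenne primes (sample values).
    author_pub, author_priv = make_keypair(2**61 - 1, 2**89 - 1)
    other_pub, other_priv = make_keypair(2**107 - 1, 2**127 - 1)

    # Constructed sample documents.
    doc = b"I agree to pay 100 dollars."
    other_doc = b"I agree to pay 100000 dollars."

    sig = sign(doc, author_priv)
    package = {"payload": doc, "signer": "author", "signature": sig}

    # Myth 1: the payload is unchanged, only the endorsement differs.
    resigned = strip_and_resign(package, "other", other_priv)

    # Stands in for a private key that was copied off the signer's machine.
    copied_priv = tuple(author_priv)

    return {
        # The signature checks out on the document it was made for.
        "genuine_verifies": verify(doc, sig, author_pub),
        # It cannot be lifted onto a different document.
        "transplanted_verifies": verify(other_doc, sig, author_pub),
        # A re-signed package verifies, but only under the re-signer's key.
        "resigned_under_other_key": verify(
            resigned["payload"], resigned["signature"], other_pub),
        "resigned_under_author_key": verify(
            resigned["payload"], resigned["signature"], author_pub),
        # With the private key, the output matches the owner's bit for bit.
        "copied_key_sig_identical": sign(doc, copied_priv) == sig,
        "copied_key_signs_new_doc": verify(
            other_doc, sign(other_doc, copied_priv), author_pub),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are why verification alone cannot separate the key's owner from anyone holding a copy of the key: the mathematics checks possession of the private key, and the logging and key storage around it have to supply the rest.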
Re:The especially clueless (Score:1)
And those $200/hr consultants are going to have a solution for keeping private keys private? This either requires everyone to use certifiably secure computers to sign messages, or some sort of smart-card implementation which is only as trustworthy as the company that made it, etc.
Business types get frightened easily, and throw a lot of money around to get solutions, but I'd hardly call them astute when it comes to judging the professionals they hire, the solutions they are given, or following the directions they're given. (Witness y2k and two digit dates... Good idea at the time, but the programmers back then all said "Oh, and replace this before 1999..." Did these "frighteningly astute" million-dollar-men listen? Nope. They had tossed around the big bucks, so their job was done.)
Digital signatures are fine, assuming everyone involved is trustworthy, intelligent, and not gullible. It'll never happen.
I think item #2 covers this. (Score:1)
Two, parties to an electronic transaction should choose the electronic authentication technology.
Third, parties to a transaction should have the opportunity to prove in court that their authentication approach and transactions are valid.
Fourth, the international approach to electronic signatures should take a non-discriminatory approach to electronic signature. This will
allow the free market -- not a government -- to determine the type of authentication technologies used in international commerce.
Re:Woah... (Score:1)
In the case of an electronic signature not only can they be cracked but manipulated pretty easily and it is much harder to prove that you didn't sign something that say... you didn't want to.
I don't know, I'm all for technology and everything but things like e-money and now e-signatures gives me the creeps. They're too easy to manipulate.
This will probably fail (Score:1)
Encryption is just one of those things that the government just doesn't want to deal with. Even if the encryption is used for something like digital signatures, it will quickly become an issue of "supporting terrorists" or the like. Most of the people in Congress are too clueless to get the whole picture.
Further, the signature could be forged perfectly if someone obtained your secret key. While the whole point is to protect your secret key, nothing is perfect. At least most forgeries can be detected with enough time and energy (And a well trained graphologist). A stolen secret key would be almost undetectable.
The idea of typing your name for a signature isn't going to fly either. There are too many legal problems with this. It can be easily forged for one thing. How do you verify the signature? Do you check the IP address in the logs? Does it become part of the signature, too? A dispute of a typed name for a signature would always favor the signee. Trying to actually prove that someone truly typed their name on a web page would be a total nightmare.
The idea of using retinal scanning (Or other keys of this sort) is actually not bad. But, the technology for this must be deployed on a grand scale. Perhaps this bill should wait until that has happened.
Re:By private contract (Score:1)
Re:Stating the Obvious (Score:1)
It could be defined to be flexible as to advance as cryptography advances. I don't think it would be wise to state the actual number of bits of the key in a new law.
In my opinion it would be much better to phrase it along the lines of: "a legal signature is one created with an encryption method that takes at least 256 years to crack using today's (date of signature) largest amount of compute power available to a person or organisation."
Well, I'm not a lawyer, nor do I speak English natively, but I think you can get the picture.
Anyways, the weakness of encryption has long passed the era when the encryption algorithms were the weak point in the chain.
The weak point is you and me. At one stage or another we have to type a password/phrase or a key or it could be something else, it doesn't matter. I'm sure that this is, even statistically, a much more likely place to hack an encryption system than a (relatively good) encryption method.
So maybe that's where our worries should be. Maybe there has to be a safer way to identify yourself before you can use your digital signature.
Finger print recognition? Or a physical signature?
Ah, no, that's what we are trying to do away with...
Breace.
Re:Purpose of a Signature (Score:1)
Well, I have to say, maybe I've been watching Discovery Channel a bit too much lately, but this is certainly not true.
They (as in Big Brother) are very capable of figuring out whether something is an original autograph or not. Carbon copy systems for example often use different 'ink' that can easily be detected. Even if the ink could also be found in pens, then the structure of the copying material leaves marks for example. Obviously you wouldn't be able to see this with bare eyes, and for some of the details they actually use chemicals and special light.
Breace.
Mr. Kensey (Score:1)
I check signatures for a living. (Score:3)
I hate to tell you this, but werdna is correct about the modern day legalities of signatures.
First thing in the morning every day at the bank I work for, I check the signatures and account numbers on the dormant account activity checks. This review includes both deposits and withdrawals. It is actually a bit difficult to discern an imposter on one of these tickets. It has been my experience that a good forgery will get by the vast majority of people.
I would ordinarily include myself in a generalization like that, but in this case that is not true. A friend of mine introduced me to the mishmash that is handwriting analysis. While the accuracy of handwriting analysis in the field of psychology may be bunk (I have yet to decide), it does teach you to look for certain characteristics in the letters. It is little things like "does the letter "o" have a stroke through it?" that make the difference. You really need at least 10 characteristics in the letters to match before you can be comfortable signing off on the ticket. To the trained eye, these traits are very easy to spot.
Now, I have to make sure that my bank is doing what it is supposed to in its work with the federal government on a day to day basis. I can tell you right here and now that our Chief Financial Officer would not accept just a signature as the conclusion of a deal. I like our CFO and I like my job, but common sense is the best asset around in any job. It is like you don't breathe in Chlorine gas.
I really don't care for some ecommerce ideas for the simple reason that some things have exorbitant shipping costs. This on the other hand, this idea scares me. I like the anonymity of the internet. I can go anywhere under my 4 names and no one can connect that to a face or a business. While people do actually call me telosphilos or telos in the real world out there, they are not the same people that I work with every day. Those people that know me online are not my flesh and blood family, but they are the best of friends. My boyfriend even calls me by my nickname. Yet, I am very protective of my financial information. I am also very careful to keep any actual pictures of me off the internet. (There are two out there, but they include facepaint and night Figment hunting (long story).)
I do not have a lot of money, but I work with large sums each day. As part of the customer services, we try to teach people how to protect themselves from con artists and your basic scams. Some are fairly simple like shielding your pin number from view when you use your atm card or not giving out credit card numbers in chat rooms. Some are vastly more complicated, preventing the real code warriors with a financial hole they want to fill from breaking into banking-on-line systems.
The big issue that I can see with this idea is that it can be taken too far and lead to very real financial risks involving banks, trusts, credit unions, and brokerage houses. In making the electronic signatures a legal signature, you open the door to a lot of problems like theft of the signature and signature duplication. Say you had $5,000.00 in a money market account, using a good bit of computer know-how, another person gets your signature and basic account information (account number, amount in there, the usual). Bet you dollars to donuts, that computer cluebie can find a way to fool the bank employee on the other side of the terminal into handing over the money.
You see, at some time we have to account for human error. It is also very easy to have human error occur on account of fraud. Most financial types really do not know computers or computer security. Computer people generally have better things to do than learn how to make up little slips of paper tracking where all of the money in the bank is. So, what do you get? You get some one that maybe has figured out that a mouse is a peripheral authorizing a con job on an account in his first week at the bank. There, your account just went from $5,000.00 to zero.
Just think about it, it can mess up all sorts of financial deals. Would you like it if your paycheck which more likely than not goes through an automated clearing house was missing about $50.00 in income taxes over the course of six months due to an error on your account and the IRS not only caught it, but chose to audit you and your company? This is the sort of thing that can happen.
It is food for thought. Anyways, it is getting late and I am tired of ranting. Thank you for your time.
--telos
I am liking this bill! (Score:2)
There are some technical legal issues arising from the present language, but all in all, it appears on first reading to be an excellent job.
Yes, it does make "love, andy" at the end of an e-mail into a signature, but for the reasons otherwise stated here, I think this will be far better for commerce than a problem at the end of the day.
Re:Purpose of a Signature (Score:2)
Yes, it is difficult to get away with faking Abraham Lincoln's signature, because the physical evidence (paper and ink) can effectively date the paper out of period.
But we are talking about contemporaries forging contemporaries; and by using straightforward means of forgery. There was a great article on the subject fairly recently -- let me see if I can't dig it up for you.
Re:I check signatures for a living. (Score:2)
The Florida statutes, for example, distinguish between an Electronic Signature, which are the characters set forth at the end of this message, intended to authenticate this message, and a Digital Signature, which is usually the hashed and munged result of some form of asymmetric encryption.
When I said electronic signatures are probably valid under the common law, I was referring to both types. Surprise.
Love,
John Wayne
NOTE: The signature above is there to authenticate the message, not to facilitate authentication of the signer of the message. The word "authenticate" is used differently in the preceding sentence, one, a legal term of art referring to the process of "legalizing" a document; the latter, a process for assuring confidence in the identity of the signer. While signatures can serve these dual purposes, the law is only concerned with the former.
Re:Woah... (Score:2)
Certain documents do not have legal effect until signed. Upon proving that they were signed properly, a lawyer has proved the legal consequence.
Accordingly, the signature at the end of this message, which authenticates (in the legal sense) the document, but doesn't give you a clue who I am or any assurance that I signed it, is a perfectly useful legal device that doesn't require any government-encouraged secure crypto. I believe this is a good thing (tm).
Frankly, I don't want the law dictating and regulating the technology I choose to sign my documents. It is up to ME if I want to bear the risk that someone might deny a signature they genuinely signed, but might be difficult to prove later. Eggs in baskets. That's what this is about.
Love,
Jack the Ripper
Re:Mr. Kensey (Score:2)
Of course, signatures serve plural non-legal purposes, among which are precisely the issues of identification and non-deniability. Those purposes are served, or are not served, adequately in the eyes of the parties involved in the transaction. If they trust one another, the only issue is the authentication of the instrument (the giving of legal effect). If they do not, or the risks are too great, they will take greater measures.
But this has nothing to do with the question of whether two people who trust one another can engage in the legally effective transfer of title in land by means of an e-mail. The law gives legal effect to the shaving of a mark on the hide of a cow, or the mere writing of a number and an X on a sheet of paper. Why not, then, to the following words:
Love, me.
Not new . . . (Score:5)
Florida's, for example, is among the clearest and most consistent with the common law, defining a "writing" to include "information which is created or stored in any electronic medium and is retrievable in perceptible form," an "electronic signature" to mean "any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with intent to authenticate a writing," and further providing that a writing is electronically signed if an electronic signature is logically associated with the writing.
With those definitions, it provides simply that "Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature."
Other states, such as Utah and Washington, have required that to receive the benefit of the statute, the signature must be made by use of asymmetric encryption, with varying definitions and limitations.
Accordingly, this bill isn't really all that new. However, the definition of a signature is one of those things that has been traditionally determined by state law -- it may be unclear whether a Federal law purporting to preempt State law in this regard would be unconstitutional.
Purpose of a Signature (Score:5)
(1) At common law, the typing of your initials at the end of an e-mail with intent to authenticate is probably a signature anyway (mileage may vary state to state);
(2) Have you considered how trivial it is to undetectably duplicate a paper signature? Moreover, how easy it is to lift a signature from one document and apply it to another? In comparison, digital signatures are checksummed to the documents they sign, and are very difficult to forge without human engineering;
(3) In practice, disputes over signatures are not really ever resolved by comparing testimony of signature experts (except in extraordinary cases). The two experts cancel each other out trivially, and the jury judges based upon the demeanor of the parties and the overall circumstances of the transaction. In a recent case, where a party denied signing a written agreement to sell some goods, the other side simply asked on the stand whether he routinely sent goods of the type to the other side -- "no"; whether he did after the date of the disputed document -- "yes"; whether he did in accordance with the schedule set forth in the disputed document -- "yes." It was all over, notwithstanding the conflicting expert testimony. (Ironically, the argument was that the signature was "too good," too close to a specimen the other party was known to have and therefore copied. Yeah, right.)
The real deal is this: signatures are not there (for legal reasons) for the purpose of authentication -- they are a mechanism to formally "close" a deal, to distinguish those deals that aren't done from those that are, and in some cases to seal certain types of agreements that require a signed writing.
The authentication purposes are an issue of "risk management," not legal effectiveness. The law only raises the question of whether the act, if it took place, was legally effective to seal the deal, and not whether the act took place.
On the other hand, a businessperson might want to be able to prove a signature was real more readily than usual. This is why when a multi-zillion dollar deal is being closed, a lawyer will not accept from the other side to sign "Minnie Mouse," or "X" (if literate), even though doing so is legally effective for any statute of frauds purposes. Likewise, I would never accept for a meaningful transaction an e-mail stating:
"Yeah, I accept your offer to sell Blackacre for 100,000 lucre. Sure.
Love, Mandy."
Even though it would be enforceable under Florida law for the purpose of the statute of frauds.
It's all about eggs in baskets. How much comfort do you need, and how much certainty do you want to avoid being spoofed. If you make it a personal policy never to sign electronic signatures, it will be hard for the other side to prove that you actually did when you didn't, no matter how good the forgery. On the other hand, if you do, make sure you do a good job of making it difficult for others to forge or spoof you.
Agreed that certification authorities are an important part of making use of signatures safe and commercially sensible. Disagreed in the strongest terms that they are necessary for the law to give effect to an instrument.
In my view, the less the law tells us about how we do business, the better. Leave it to the marketplace to decide what technology and form of signature they want to use. Whether they rely on EDI agreements, e-mail typewritten messages or elaborate cryptographical structure using state-authorized or state-licensed "trusted parties," should be decided by those doing the signing, not those pretending to be high-tech-aware and make some press in Washington.
The law SHOULD make clear that electronic signatures should be used and useful, just so folks don't feel they need to see a case before using the technology. After that, legislators should get out of the way.
Electronic *signature*, not Absolute Truth (Score:1)
People can forge regular signatures too. Are electronic signatures less secure than regular ones?
--