House Passes Digital Signature Bill
ElDaveo writes "Story on CNN.com: 'Forget pen and paper. In the 21st century, signing your John Hancock could be a mouse-click away. The U.S. House of Representatives has approved a bill that would allow U.S. consumers to electronically sign their name over the Internet.'" Good. Maybe now I won't need to deal with so much paper in the future. On the downside, maybe some script kiddie will hack my signature and find cool things to buy online.
The best reason to legalize digital signatures is for age verification purposes. Right now, the only way for a web site to verify a customer's age is if they provide a credit card #, a very poor method.
With standardized digital signatures, a central resource can be created where you register your signature, along with enough data to verify your identity. This agency (probably a government one) can then act as a server for verification. When you attempt to access an 'adult' site, you submit your digital signature, and the site checks with the agency's server to compare the signature you provided with one on record at the agency. If it's a match, you're allowed in. If not, when the vendor requests verification, the agency's server would simply give them an error stating that you're not subscribed, and therefore not of age. (I call it a subscription, but no fees should be charged if it's a government run agency.)
It's more secure than the credit card method, and finally makes it easier to simply enforce standard laws about providing such material to minors, since there would be a way for web vendors to verify their customer's age. Of course, this is difficult to enforce outside of sites that literally proclaim themselves to host porn; but for those who do, regular federal laws can be enforced without as much controversy. It might help get this 'Internet porn' media-hype off our backs.
The biggest flaw is, like I said, someone has to run the confirmation agency, and that agency has to be able to verify your identity and age. The records at that agency should be very secure, and none of that would be given out to anyone verifying your age via signature... if you're not of legal age, that particular agency would simply deny you to sign up with their service, meaning you can't verify your age with the vendor.
The other flaw is that vendors could use the public key service that allows your signature to verify other documents to figure out who you are, and keep a database, but this isn't any different from a regular porn shop keeping credit card records, so it's a moot point. You lose a little anonymity, but any company that fails to keep its records secure won't get much business in the long run anyway.
This seems to be the best method for allowing adults to legally get what they want with the minimal amount of hassle, while preventing minors from doing the same (within reason... no system is perfect, yadda-yadda-yadda, this is just the best one I can think of that's not too arbitrarily restrictive.)
And of course, this has no legal effect on Usenet or mailing lists, since subscribing to such content is just like subscribing to Playboy... you made your intent clear by requesting it in the first place; whereas web shops are like physical stores that you could wander into by accident without knowing what they were (until you saw the dildo display, at least :) ). At that point, it becomes the vendor's responsibility to shoo kids right back out the door.
Please, feel free to comment... I'd like to know just how many people think this would be practical and/or effective.
I haven't seen the details of the bill. However, what electronic signatures are about is that a cryptographically strong hash digest of the document is encrypted by your private key, forming a resultant certificate that could only (to the extent the encryption used is strong in this regard) be created with your private key. Your public key is then used to decrypt the certificate, producing a result identical to the regenerated hash digest of the document.
You want to buy a house. You find one on the web for sale, and after doing the virtual tour, you decide to buy. You create a document which is an offer to buy the house. You sign the document with your key and send it to the seller. The seller verifies that you indeed signed the document and decides to accept your offer. She then creates a new document accepting the offer (with all the other stuff attached), and signs it with her key, and returns it to you. You make plans to move in.
In theory it can work. In practice there may be many pitfalls that have not been tested out. If people fail to understand how cryptographic signing works, they could fail to verify that the expected person did indeed sign the document. Human error can still foul things up, and we all know the power of computers is most effective at amplifying human screwups.
I recall a philosophy class I had in college where the professor asserted that there were many things computers simply will not be able to tell us. I immediately rebutted saying, there may indeed be such things, but computers still have the power to make people believe what it says, truthful or otherwise.
I am particularly concerned about things like legal notifications being sent to you via e-mail. For very important documents, even postal delivery is not good enough. Some require a return receipt, and some require identity verification (not so much for privacy, but to verify that delivery was made) for delivery. What mechanisms do we have in place, or just have, that can do all this?
What if I get a court summons delivered electronically in a format that isn't a standardized format, and because of that I am unable to read it (even though the e-mail system has already acknowledged delivery of the mail in which it was an attachment)? One thing we definitely need here is to make sure that any delivery of such things absolutely must be in an open and widely implemented format.
E-mail addresses are not as fixed as postal addresses. If you change ISP, you may end up with a new e-mail address. Or would you feel good about getting your jury duty letter on Hotmail? But then, in about 10 years we'll be serving on juries electronically, anyway.
Not everyone is yet wired. And that probably won't be the case for quite a while. How will they get their important legal e-mail?
My biggest concern, however, is, as you can guess, security. And guess where the least secure computers tend to be.
now we need to go OSS in diesel cars
Several posts thus far have accused the Congress of being "brain-dead" or "ignorant" of technological issues. While the conclusion may be true, this bill is not evidence therefor. Indeed, far to the contrary, this bill is an extraordinary step: Congress is getting government OUT OF THE WAY of technologists and the marketplace.
To the contrary, these postings manifest a lack of understanding of the *legal* purpose and effect of a signature (which is all that the bill addresses). One post stated:
Signing a document has two purposes:
* authenticity
* non-repudability
However true this might be for practical uses of signatures, the signing of a document for legal purposes has nothing whatsoever to do with either "feature," as they appear to be understood here. ("Authentication" doesn't mean what I think he thinks it means.) Indeed, nothing about paper-on-ink signatures, which are trivially forged and transferred from one document to another, provides either of the cited functions.
And it is certainly true that a panel of computer lawyers at the ABA (and the state of Utah) felt that a set of express standards for signatures by electronic means was needed to assure authentication of and non-repudiability by the signer. On the other hand, the clear trend today in state legislatures is instead to adopt more minimalist bills, such as the one that passed the House, that simply assure that electronic instruments are treated no more or less formally than paper writings. Here's why:
In almost all of the United States, we still have a body of law entitled the "Statute of Frauds," which provides that certain types of agreements (e.g., sale of goods > $500, transfer of real estate) are unenforceable unless a "sufficient memorandum" is signed by the party against whom enforcement is sought. Other laws likewise require formalities for certain documents, such as deeds, wills, assignments of certain kinds of intangible property and the like be signed by certain parties.
Here, the purpose of these laws is, supposedly, to avoid swearing matches by giving the world an incentive to make physical, tangible manifestations of the subject matter of the agreement. But the effect of the law is that a market participant, even though he had agreed in full to a contract and even if he fully intended at the time to go through with it, may actually avoid its enforcement later on the purely technical ground that there exists no writing signed by him.
Interestingly, except for certain instruments, the tangible manifestation is not as important as the fact that it was made: you could enforce a document with credible testimony that a signed writing existed in the past. In any case, it is that manufacture of that manifestation that is important for legal policy.
The signature itself, for legal purposes, does not serve to authenticate who was the document's signer, or to avoid repudiation: it is merely to authenticate the document as the one agreed to by the parties -- to distinguish, for example, a draft from the "real thing." The legal technicalities of signature are few. The following have all been found to be valid:
- printing an "X"
- making a scratch on the paper
- shaving a name on the side of a cow
- writing someone else's name
- typing your name
- asking Western Union to type your name
which of course does nothing to identify the signer or to assure non-repudiation. Nor does the common law require that document to be signed, if the signature is placed on another instrument (or bovine mammal) in such manner as to manifest intent to authenticate that document. Papers have been written with bizarre examples of what constitutes a signature. Under the UCC, a signature is any fixed tangible manifestation of an intent to authenticate the document.
On the other hand, when I am attending the closing of a zillion-dollar sale of a chain of hotels, and the principal of the seller walks up to one of the documents and notes that he heard he could sign "Minnie Mouse" or scrawl an "X" on another piece of paper, I politely ask him (if he is not illiterate) to write his name in cursive on the contract itself. If he refused, I'd advise my client to consider putting off the closing.
Why? Because while these methods of signature are legally sufficient if *he* in fact *intended* to sign, I might still someday need to use these documents to evidence those facts. The legal sufficiency of a document is an entirely different thing from the practical security that sometime, someday, he might change his mind and "misremember" why he signed "Minnie Mouse," or marked only a vertical line or "X." (Remember, it is all about the manifestation of an intent to authenticate.)
On the other hand, for less significant transactions, we hardly care one way or the other whether or not we can prove or disprove *WHO* signed the document or why -- we just want there to exist barely minimal legally sufficient documents to avoid a technical defense based upon the Statute of Frauds.
It's all about Eggs in Baskets. The realities of the marketplace determine what "technologies" for signature an individual will use, and what "informal," but legally sufficient signatures will be accepted. Each buyer and seller will decide for himself and herself what to require of the other.
Many valid signatures are commercially unacceptable for those reasons. On the other hand, while this is a non-problem, the concern is that a commercially acceptable signature might be held to be invalid! The law serves only to provide the minimum requirements for a signature to be valid (as opposed to "commercially acceptable.") The marketplace determines what technologies it will use and accept.
Which brings us to the ESA. Asymmetric encryption now provides (under certain circumstances) greater security to prove authenticity, which is an excellent reason to use electronic signatures in lieu of "traditional" technology, particularly for on-line transactions. On the other hand, it is not for the law to determine what technology should be used -- the law should only undertake to assure that a sig is valid and leave it to you and me to decide what we will accept.
The mind-loss would be to adopt some 50 plus pages of specification as to what is and what is not a valid signature and providing an entire new kind of litigation on the formalities of a contract. "Sorry, you don't get to keep the house, your certification authority's license expired the day beforehand." Such technical defenses would be brain-loss at best.
Whether a vendor should accept the following e-mail:
"I will buy five million widgets at $25,000 apiece, 2%/10 net 30. love andy"
is entirely up to him. Whether a court will enforce these price terms if Andy admits he sent it, on the other hand, is another issue entirely. On the other hand, if commercial exigencies make it practical and financially more efficient to permit that exchange by e-mail, the law should not get in the way.
As an aside, it is almost certainly the case that the foregoing e-mail would satisfy the Statute of Frauds. It's just that in the absence of case law, a market participant can't be assured that it is. We abundance-of-caution-types would stick to pen-to-paper, even if it cost a bit more and took a bit longer, because we KNOW that the courts will accept that. It is for these people that this law exists -- to give them some comfort concerning what is almost certainly the law today -- there will be no technical defense to enforcing an agreement on the ground that the agreement was signed in electronic form. It is up to the market participants to determine if the mode of signature used gives them enough comfort that they will be able to prove that the document was in fact signed by the other party.
Hats off to a Congress that showed, in this case, a far greater savvy about electronic signatures than the ABA and many technologists. ESA does precisely what it is supposed to do: make crystal clear that there is no technical defense on the ground that an electronic document is not a "writing," or that a typed signature is not a "signature," while leaving it to the marketplace to decide what signature technology they prefer to use.
Something else the CNN article covered in the same segment (because it's in the same bill?) would allow companies to substitute email notification for pmail notification.
There would be no requirement to send a paper copy of the document.
There would be no requirement to obtain proof of delivery.
The segment then had several talking heads - always from the industry - assuring us that only a few crackpots afraid of technology they don't understand were upset by the provisions of this bill. Most people *wanted* to be able to visit a web site and sign a contract for, oh, health insurance and get an immediate email confirmation.
The critics raised dire (but always "unsubstantiated") fears that people would get nailed by late fees or policy cancellations because they never received the email notifications. In the worst case, they could lose their house to foreclosure.
N.B., this is not something which only people who aren't making payments need to worry about, nor are these fears unsubstantiated by experience. It's a significant problem today - ask any victim of identity fraud.
While a company should theoretically verify the digital signature of all documents regarding change of address and change of signature, history shows that the companies will bend over backwards to "help" the customer who lost his information due to a disk crash while moving, lost it due to a virus, or a dozen increasingly more bizarre reasons.
Considering the fact that I write so few checks (preferring direct payment) that I often forget to sign the laser-printed jets -- yet they are still accepted without a problem -- and the funny look I got from one bank rep who was critical of home printed checks because they were too easy to fake ("but that's why you have a sample of my signature!"), I doubt companies would ever check the signatures until the lawyers get involved in a dispute.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
First of all, for those of you who are concerned that this opens up some huge problem in security because bits can be copied easily, please read up on digital signatures and how they work. Rest assured that provided you use them properly, it is VERY hard for someone to add your digital signature to another document (unless the contents of that document are bit-for-bit the same as one you've already signed --in which case, who cares?).
The concern I have is that this is based on what we CURRENTLY know about encryption technology. I've been reading up on the history of cryptography, and it really looks like a horse race between code makers and code breakers. The thing is, the code makers HAVEN'T been consistently winning. Indeed, if you look back in history prior to the 1970's, you'll find that there were very limited periods of time when code makers were winning, and frequently it was only for short periods of time.
What's going to happen when the inevitable happens? Particularly if cryptographers don't have a new discovery to replace the broken approach. Once the infrastructure of using digital cryptography is in place, it's going to be hard to undo it (case in point: how companies/governments/individuals elected to avoid Y2K problems by simply pulling the plug?).
I don't think this is a reason not to use digital signatures. I think it's a reason to start thinking NOW about how to handle the seemingly inevitable moment when someone figures out how to crack existing approaches... particularly if there is no replacement.
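The hash-then-sign exchange described in the house-purchase post above (digest the document, sign the digest with the private key, verify with the public key), together with the point in the post just above that a signature does not carry over to any document whose bits differ, played out as an added example in Go. This is not code from any poster; it uses Go's standard library (RSA-2048 with SHA-256 in RSASSA-PKCS1-v1_5, which is one concrete form of the scheme the post describes), and the offer and acceptance texts, addresses and prices are constructed placeholders. It also covers the human-error case the post warns about: checking a genuine signature against the wrong person's public key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key (RSASSA-PKCS1-v1_5): the hash-then-sign construction.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument recomputes the digest of the document it is handed and checks
// the signature against the public key it is handed. A changed document or the
// wrong key both make this return false.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Checks records the outcome of each verification in the worked exchange.
type Checks struct {
	OfferGenuine      bool // seller verifies the offer with the buyer's public key
	OfferTampered     bool // same signature over an offer with one figure changed
	SigTransplanted   bool // buyer's signature copied onto a different document
	WrongKeyAccepted  bool // seller verifies with a stranger's key by mistake
	AcceptanceGenuine bool // buyer verifies the seller's countersigned acceptance
}

// RunExchange plays out the house-purchase exchange with freshly generated keys
// and constructed sample documents (addresses and prices are placeholders).
func RunExchange() (Checks, error) {
	var c Checks
	buyer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return c, err
	}
	seller, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return c, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return c, err
	}

	// Constructed sample offer.
	offer := []byte("OFFER: I will buy 12 Example Lane for $250,000, closing 2000-09-01.")
	offerSig, err := SignDocument(buyer, offer)
	if err != nil {
		return c, err
	}
	c.OfferGenuine = VerifyDocument(&buyer.PublicKey, offer, offerSig)

	// Change one figure: the digest changes, so the old signature no longer matches.
	tampered := bytes.Replace(offer, []byte("$250,000"), []byte("$150,000"), 1)
	c.OfferTampered = VerifyDocument(&buyer.PublicKey, tampered, offerSig)

	// Try to reuse the buyer's signature on a different document entirely.
	other := []byte("OFFER: I will buy 7 Other Street for $900,000, closing 2000-09-01.")
	c.SigTransplanted = VerifyDocument(&buyer.PublicKey, other, offerSig)

	// The human-error case: verifying against a key that is not the buyer's.
	c.WrongKeyAccepted = VerifyDocument(&stranger.PublicKey, offer, offerSig)

	// The acceptance binds to this exact offer by quoting the offer's signature,
	// and is countersigned with the seller's key so the buyer can verify it in turn.
	acceptance := []byte("ACCEPTED offer with signature " + hex.EncodeToString(offerSig))
	acceptSig, err := SignDocument(seller, acceptance)
	if err != nil {
		return c, err
	}
	c.AcceptanceGenuine = VerifyDocument(&seller.PublicKey, acceptance, acceptSig)
	return c, nil
}

func main() {
	c, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", c)
}
```

Only the two genuine checks come back true; the altered offer, the transplanted signature and the wrong-key verification all fail, which is the property that makes copying bits harmless. Note that the wrong-key case fails here only because the seller compares against the stranger's key; nothing in the signature itself tells the seller which key is the buyer's, so that binding has to come from somewhere outside the signature.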
sigs are a waste of space