Electronic Signatures Now Legal?
xpird writes "CNN is reporting this. -- A new federal law taking effect Sunday gives e-signatures the same legal standing as their handwritten counterparts, a significant change that promises new opportunities and risks on the Internet." Considering the amount of forged e-mail I get, this is gonna get interesting.
The linked article talks about the potential dangers but tries to reassure us that "the experts" are saying it's OK. The problem is, the critics are right about the dangers of your signature being stolen. (Cryptographic-type people may note that reasonably safe systems can be created, but you can still hack a computer and snarf the signature key itself, which is pretty darned hard to protect against and still have a system usable by normal people in the real world.) What this article doesn't mention is the total lack of online fraud protection.
Under the terms of this law, if your electronic signature gets stolen and used, there are no provisions to make you not liable for any charges that are racked up, meaning at the very least that if a signature is stolen, you could be looking at a total destruction of your credit rating, should you choose not to pay for the thief's actions, or arbitrarily large bills, if you choose to.
This is in stark contrast to credit cards, where, subject to certain rules involving speed of notification of fraud upon discovery, your liability is limited to $50, no matter how much your stolen credit card number is used against your will.
Despite my excitement at seeing the idea of digital signatures accepted, I must strongly recommend against using them in their current form. I'm hoping "That couldn't possibly have been my signature because I've never used a digital signature before" will be an adequate defense...
Have you ever posted something other than "Bababooey to you all"?
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Anyone wanting to really use digital sigs for authentication purposes had better keep hard evidence of all changes to their key pairs - store them on read-only media along with the revocation notices for previously used keys and then get the government to timestamp 'em for you by posting them to yourself via registered mail and never opening the envelope when it arrives.
Guess we'd all better start including disclaimers in our standard email .sig saying "Unless I cryptosigned this document it does not constitute a binding digital signature" or something to that effect too.
Paranoid? Me? Surely not...
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
It's all a matter of trust. Trust no one is not an option and will hurt you economically if others do take the risk, nor is trust anyone. The truth is in the middle. I live in a country where I think I can trust the government to provide me this kind of service.
While you may trust a government agency to do the right thing, you must remember that it is made up of individual people... some of whom may be likely to tamper with or steal your signature, validation key, or whatever they end up storing for their own personal gain, revenge or other motives. I don't trust government agencies any more than I trust a corporation to maintain and secure my privacy. Echelon, Carnivore, states selling their databases to advertisers (driver's licenses, etc. are public data and in some US states the databases are sold just like the list marketing assholes do), etc. should go to show what happens when an agency at large gets too big for its britches/has too much power. Now, imagine each of those agencies with 1% of their employees being unscrupulous and the damage that those individuals could do to someone...
Don't leave your mind so open that your brain falls out. Don't close it so much that you cut off the blood.
I personally hate the idea of digital signatures for the reason illustrated (and yes, oversimplified) in the Subject of this post. For digital signatures to have value means that, like credit-card numbers, there will be steady and skilled attempts to steal and use them.
I think we'll get spanked on this one.
**>>BELCH
But I thought I'd just relate a little international e-shopping experience I had the other day. I was sitting at home in Connecticut, instant messaging my friend in Colombia (you know, the place where cocaine comes from.) At the time, she was busy making hotel and car reservations online for her next vacation, while I was busy ordering some bicycle accessories and exercise equipment. Neither of us had to spend any time on hold, talking to an undertrained operator who's not familiar with their product line. Or worse, sitting in traffic. Instead, we chatted with each other in between filling out HTML forms.
Sure, the e-industry is filled with marketdroid buzzwords and hype. But that shouldn't bother you any more than the next Jon Katz story about killer high school students whose Luddite tendencies have erotic undertones; just ignore it and go about your life.
This happened to me a few years ago:
I was paying bills and it was getting late, and I mixed up a couple of checks. The county got my dental payment (made out to my dentist for, say $80), while my dentist got my taxes, made out to the county for about $1000.
Result: The dentist cashed the check for the face value, and the county cashed the check as if it were for the money owed them. The bank ended up paying out $2000 instead of the $1080. Yes, and I got the overdraft fees. (The dentist refunded the money quickly once they figured out what happened.)
I'm less dismayed that the dentist was able to cash the check made to the county than the fact that the county was able to take an $80 check and cash it for $1000.
The problem with e-petitions is not response rate; it's the integrity of the signature. People handwrite passphrases on Post-Its and keep them in "passphrase.txt" files; as long as this happens, forgery will be very easy.
Now forgery of an electronic signature on an initiative petition would be election fraud, punishable by severe fines, but would this be an effective deterrent? Unclear at best.
sulli
RTFJ.
A troll with a 33 karma, I might add!
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
what e-signatures will do is make signature fraud substantially more difficult to accomplish
This is a nice post, but like many people here, you're confusing e-signatures (zero security) with digital signatures (cryptographic mechanism). Unfortunately, Congress picked the wrong one to make legally binding as well. :(
Perhaps I'm being stupid, but I don't really see how this is any worse than the situation with non-e-signatures
Suppose someone shows up in court with a document with what looks like my signature on it. This is evidence that I signed it. But I can introduce evidence that I didn't (e.g. by saying I didn't). It's then up to the other person to show that I really did - e.g. by comparing it to real examples of my signature, or getting a handwriting expert in. And ultimately the court/judge/jury will have to decide whether on the evidence I did or did not sign the document.
Similarly, someone may claim they have my electronic signature, but they still need to be able to prove to a court's satisfaction that I actually signed what they're holding. Depending on the sophistication of the technology used that may be more or less difficult.
If one forgets normal Slashdot paranoia and accepts that the courts have a certain amount of common sense, where's the problem?
Don't forget that we've had technology around for 20 years that allows easy, undetectable duplication of signatures - fax machines. And yet the sky hasn't fallen.
There may easily be something I've missed - for a start I haven't seen the text of the act itself (URL anybody?). But I haven't seen anything here on Slashdot that points out any actual problems.
- Alan
This was asked a while ago, but I guess it's useful to ask it again (sorry, I'm too lazy to dig up the URL):
Q: Why sign something? In real life, when you sign something it means you said it and mean it. If you don't sign it, it's just chatter. So why sign stuff on the Internet?
The answer previously was that digital signatures aren't valid "signatures" and the value of them only is in that the recipient can know for certain who sent it.
How does this bill change this situation? Can a signature you meant to be only assurance that you have sent it be used law-bindingly? Where's the difference?
I doubt, therefore I may be.
Start reading it. Really carefully.
To quote the CNN article:
(emphasis mine)
This means that the EULA you're clicking 'Accept' for can now be as legally binding as, oh, say, a loan from a bank. Or a bill of sale.
Watch for Microsoft's next version of its EULA, where you agree not to compete with the company for the next 5 years. Or watch for the inevitable rash of popup boxes that require you to hit 'okay' to get rid of. Never mind the fact that when you hit okay, you're legally signing away all your worldly possessions.
Who needs the DMCA to trample our software rights? This law will do it all for us by itself...
to some Swiss account?
LastWOLF
"Take your wings, go out and fly.
Learn, read and soar the sky."
So far, there haven't been any high profile court battles over this - or none that I have heard of anyway.
Not really related to the topic, but can you point me somewhere that states this assumption? Somewhere besides
Thanks!
-- bearclaw
I don't see how things would be much different with e-signatures.
Hey, how do I get licensed as an e-Notary-Public?
The Web is like Usenet, but
the elephants are untrained.
Postscript: Current fraud laws may provide some level of protection, which is why I hope claiming that you've never ever used one might help somehow, but as our society found them unacceptable when credit cards were developed, I think what protections may exist are just as unacceptable now.
The "E-signatures" referred to in this bill are not synonymous with digital signatures. As the article itself states:
In other words, the law actually makes really stupid things legally binding. A signature in the real world sense is a mark of authenticity. Yes, this check is really mine, yes it's really me taking 20 dollars out of my bank account, etc. How can clicking an acceptance button compare to these things? Yes, I realize that real signatures can be faked, but there's a law to handle that. I have a hard time comparing falsely clicking a button to forging someone's signature.
Furthermore, this bill in no way applies to forged mail headers, and it isn't going to cut down on your spam. It doesn't require people to use E-signatures, it just makes them more legally binding.
Too late now, it's law. Everyone had their chance over the last year to get this thing knocked down, or looked at critically by technical folks. Best you can hope for now is an amendment or that something will come along to strike it down.
How is this "easier to break" than existing forgery methods? I mean, if you ask me, pen and paper forgery has got to be one of the simplest methods of committing fraud. Or how about the telephone or the mail or fabricated ID cards? As long as identification technology is hindered by those who fear progress based on the supposition that the crime of identity theft is somehow rampant and pernicious, we will be stuck with the simple tools (like photo cards, signatures, etc etc) which will always be easy to forge. The next step is ensuring that digital signatures are unique and tied to an individual in an inseparable way, like with a biometric method of some sort. Then security will be LESS of a concern as far as fear of criminals goes. Then we can get back to worrying about the government and corporations, like normal.
I do not have a signature
So I should no longer need to use my credit card to verify my age (Yahoo! made me do that to use my spam-trap email account). Now I can just digitally "sign" an affirmation of my age, right?
Everyone knows that credit cards are not proof of age, but they use them anyways because it covers their ass, legal-wise. With "e-signatures" given the full force of law, they should be able to point to this law and use an "e-signature" form post button to prove your age with just as much ass-covering legality.
-- Don't Tase me, bro!
The one commentator said "If someone steals your credit card, you get a new one. What do you do if someone steals your thumbprint? Get a new thumb?"
That's the gist of it. Once my signature is digitized, it can be reproduced and sent along with anything.
The only way I can see this working is if it is some sort of secret that is known only to me, and it is revocable. I somehow doubt that that digitizing tablet and thumbprint reader on TV was using the data to unlock an internal secret key and using THAT to sign the data. No, I'm sure it was just digitizing the actual sig or print and sending THAT along.
I also get very nervous signing credit card slips using digitizing tablets at stores now, even though I'm fairly sure it doesn't record stroke and weight. All you need to do is sign once some tablet that DOES do that, and then anyone can print out perfect stroke and weight sigs using a plotter and a pen. (In these cases, I alter my sig by signing the name of the store across my sig on the table...)
I'd be more comfortable with a smart-card idea like the American Express Blue Card than what I've seen so far. At least it's something only issued to you and it can be revoked.
Yeah, things like PGP signatures could be used to do this, but I can't imagine the average person managing that correctly. I could easily, for example, go to someone's office at work and ask them to type in their PGP sig so I can debug their computer, then go back to my office and scarf their private key file. But I would have far less success going into their office and asking to borrow their smart-card for a while..
I had a job once doing programming and technical development of a device that allowed remote signatures.
It used an overhead scanner and a plotter, in an electronically sealed box. Neither end could have the box opened during the transaction to prevent swapping of papers, and the stream was encrypted between 'em.
It was legal as it met the requirements for a person actually signing a piece of paper in person.
Remote tele-signatures!
And while collecting paper signatures requires an army of supporters at malls, airports, college campuses, etc. to collect the signatures in the allotted time, one person with a web site could do it.
And IMO, people would be more willing to "click" their support for an on-line ballot measure, than to actually sign in person.
I think legislators failed to think of this. Oops. More power to the people.
Once upon a time contracts were infrequent things. You signed a contract when you sold your house, maybe you signed a marriage license or other official documents. You could definitely say that what you signed was Important.
Over time, the signature gets more play. Sign this W2. Sign this NDA. Fill out our Video Rental Membership Form. Don't forget your tax return... Oh, could you sign this liability release?
Still, there was a natural barrier to presenting a contract. You had to provide the paper, get the signature, keep a copy on file, etc. Contracts for Stupid Shit didn't exist. No more.
Now anything, no matter how stupid, can have a contract associated with it. Visit our website? First agree to our terms. Shop at our grocery store? Please touch this touch-screen first. The thing that distresses me about this, aside from the forgery aspect, is that it introduces a galaxy of new contracts into my world. Contracts I don't want to review, don't want to think about, and don't want to sign. Now I can sign them with a button.
It would be nice to use technology to free me from this. How? For one, a proxy server that recognizes these "agreements" and "agrees" to them. Would this be legal? Right now, it's my best hope, next to Refusing to Sign.
This has been the case (to some extent) for some time in the UK. Indeed, an act of parliament was digitally signed recently, to show how up to date our lovely government is.
I never filled out that signature line in the user prefs page!
This is a partial summary of the law. I am taking it from an "impact on application" document as we are implementing it for the hiring process in our stores. No more paper for you to sign!
E-signatures cannot be used on: wills, codicils, testamentary trusts, adoption laws, divorce laws, any matter of family court law, court orders, court notices, cancellation of utilities, repossession, foreclosure, eviction, cancellation of health or life insurance and bennies, transport of hazardous materials, and product recalls where health and safety are involved.
Very important point to note: The signature must be bound to the document that is being signed. Which means if you sign this form, you cannot use the same sig on the next form. In our stores you must sign the little electronic pad 5 times. The very good part of this is if the binding process is not as good as it should be, the company that failed to bind correctly will be open to lawsuits from you to recover any losses through their negligence. Someone steals your sig from our db? We have to pay to fix it.
Hope this clears up some of the fears. I have not seen the whole law but a lot of thought did go into it.
Sig-"Out beyond fields of wrongdoing and rightdoing, there is a field. I will meet you there." Jelaluddin Rumi
Our law was specifically amended a while back to allow the 'electronic' signature of documents sent by fax to be binding.
A pizza of radius z and thickness a has a volume of pi z z a
This is Public Law 106-229, available in text and PDF. It is not clear to me that clicking on a web page's order icon or similar act will constitute an electronic signature. The original legislation defined an electronic signature to be something intended by the person to indicate agreement, but the final law defines it to be something executed with intent to sign a record. It seems to me an electronic signature is not created unless the person specifically intends to create a signature, not just agree to a contract.
All the time I spent forging my father's signature is now down the crapper...
It's good to see the Feds are making laws that are easier to break. That's what they are there for, right? Keepin themselves in business. I think the Judicial Branch of Government has more bugs than windows....
-- "Microsoft can never die! They make the best damn joysticks around!"
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
dnnrly
Hmm. I don't know what to make of this. It's great that courts finally recognise these (although as usual, I suspect this is a US only issue - people seem to forget the rest of the world exists)
On the other hand, I really DON'T want these things to become more common - I don't want to have to download the damned things all the time (which is what will happen if 'joe user' decides to use the 'new' feature of microsoft mail-spammer 2003 - 'hmm - append huge secure signature to all posts (yes/yes?)')
How annoying will THAT be?
I hate shopping online because you can never see, hold, feel the product (tactile response is VERY important when purchasing a laptop; the iBook is a tactile orgasm, if little else). Personally, I've only bought two things online: my Pentium III 500 (last year), and my DSL modem (August). I got those online cause I knew very well what those were like and I just needed somewhere to get them. (Note to CPU buyers going OEM: Don't trust your shipment unless it has a buttload of packing foam or bubble wrap. I got my P3 in a FedEx Box about 20 times as big as the processor itself; it was in an anti-static bag inside a roll of big bubble wrap. They learn well.)
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
A point to remember is that the law enables eSigs--which is just about anything (X) or /S/GriffJon or whatever else. It's instructive to realize that physical signatures work the same way--a physical mark is a legally binding signature if it was made with 'the intent to sign'.
Will there be fraud in eSigs? yes. There will be an immediate move towards digital (cryptographic) signatures, and higher security. This might even get more intelligent password use, or hell, even hardware solutions (smartcards, dongles, etc)
The law is well-written, and in 5 years people will wonder how things got done before the ESIGN law.
Naturally, a lot will happen in those five years, and people dealing with eSigs and certificates will have to deal with identity, accountability and such so as to get trusted eSigs.
Returned Peace Corps IT Volunteer
This is kinda a good idea, the problem is that we need more standardised technology for signature authentication.
The most obvious problem is people hacking into your computer, and copying your signature. I'd suggest that storing the signature on external media (a smartcard would probably be good for this) should significantly help with that problem.
Then there is the issue of your signature being copied, once it is sent. PGP offers a suitable service, where messages can be signed, allowing people to verify that the message came from you, without the "signature" being usable on other messages/documents.
Perhaps an application which presents a document to be signed, and if you accept, signs it using a key stored on the smart card, before sending the signature back to the originator?
Thoughts?
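An added illustration of the property described in the comment above, a signature that verifies only for the document it was made on, set beside a digitized scribble that can be pasted under anything. This is example code added here, not part of the thread: it uses toy textbook RSA with a constructed key built from two publicly known Mersenne primes, and every function name in it is hypothetical.

```python
"""Copyable "e-signature" vs. document-bound digital signature.

Toy textbook RSA (no padding) with a constructed key built from two publicly
known Mersenne primes. It shows the binding property only; it is NOT secure.
"""
import hashlib

# Constructed toy key: both primes are public knowledge, so it protects nothing.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (the part a smartcard would hold)


def digest(document: bytes) -> int:
    """SHA-256 of the document as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Signer side: the signature is computed from the document's hash."""
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Verifier side: needs only the public key (e, n)."""
    return pow(signature, e, n) == digest(document)


def naive_esign_accepts(document: bytes, mark: bytes, mark_on_file: bytes) -> bool:
    """Digitized scribble or typed name: the check never looks at the document."""
    return mark == mark_on_file


def demo() -> dict:
    # All three values below are constructed samples.
    order = b"2000-10-01 Pay bike shop $80. /s/ Alice"
    other = b"2000-10-01 Pay bike shop $8000. /s/ Alice"
    scribble = b"<digitized pen strokes for Alice>"

    sig = sign(order)
    return {
        # The signature checks out on the document it was made for.
        "genuine_verifies": verify(order, sig),
        # The same signature attached to a different document is rejected.
        "sig_moved_to_other_doc": verify(other, sig),
        # A modified signature value is rejected as well.
        "altered_sig": verify(order, sig ^ 1),
        # The scribble "verifies" wherever it is attached.
        "scribble_on_original": naive_esign_accepts(order, scribble, scribble),
        "scribble_on_other_doc": naive_esign_accepts(other, scribble, scribble),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The binding says nothing about who holds the private exponent; a copied key signs any document, which is why the comment above wants the key kept on a smartcard.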
Wonder if it would work? I mean, e-sigs _are_ legal, and it *looks* like it came from Bill.....
#!/usr/bin/perl
open(MAIL,"|/usr/sbin/sendmail -t");
print MAIL "To: nukes@pentagon.gov\n";
print MAIL "From: BillC@whitehouse.gov\n";
print MAIL "Subject: RED ALERT\n\n";
print MAIL "Hello,\n\n";
print MAIL "This is Bill. Launch 5 nukes to Moscow.\n\n";
print MAIL "Bill Clinton";
close(MAIL);
Something I've always wondered:
I always have to sign my name (though it's usually more of a scribble) when I use my credit card in a physical store, but no such authorization is required for online credit card transactions. Why?
Nobody ever bothers to check my signature vs. the one on the back of my card in real life, so why are these signatures required in the first place? Is it tradition =) or something?
You may not even need to go that far though. I believe the law (I read it a while ago, so I may be misremembering though) states a requirement of the intent to sign. If you click OK without intending to sign (it was there, I clicked it to get it off my screen...), it may not hold.
BZZZT. You may have the causality wrong.
The other possibility:
We are here to observe the perfect conditions because they are the perfect conditions. Doesn't imply any causality whatsoever.
Still think it's a good idea?
God invented whiskey so the Irish would not rule the world.
I'm building a .com that's got some insurance-covered items for sale. In order to pay by insurance, the customer (under the old law) would have had to MAIL IN their "release of benefits" insurance form. Laziness would stop most people right there. Now that this is in place, we'll be evaluating the best digital sig solution to implement.
Daniel
For something such as getting reimbursed for health care expenses, that can make a significant positive impact on the life of Joe Public. Take the example of waiting to get a $100 reimbursement check -- would you rather wait three weeks (or whatever) or have the transaction completed in a day or two?
No Laughing Allowed!
Wow... then people would be voting solely on their conscience. What a concept.
it's a simple concept. it requires a bank that the funds are drawn on and a bank you have brought the check to. they may or may not be the same bank (in most cases, they won't be). if both banks let the transaction happen without a signature, the check was just cashed.
if your bank complains, you have to get the check signed. if the bank the funds are drawn on complains, you have to get the check signed. if nobody complains, you do NOT have to get the check signed.
No accounting for taste!
I had a 45-year old friend of mine express a similar sentiment to yours, in about 1995: "I really don't see the point of shopping on the web, I've never bought anything that way." Of course, in '95, options were more limited and perhaps he couldn't anticipate how things were going to change. (I noticed he still invested in tech stocks and made some money on the ride up, though.)
But it's 2000 now, and he buys all sorts of stuff online. When I reminded him of what he had said, he laughed. The web and e-commerce is a fait accompli. In 2000, a Slashdot post saying "I hate shopping online" and "I've only bought two things online" is a troll, almost by definition.
We all know you can't feel stuff online (well, not without a Vivid Video bodysuit, anyway.) You're not telling anybody anything new. Perhaps you don't buy things like software, CDs, CD-R disks, books, videos, electronics, and perhaps you don't book flights, hotels, or rental cars, and perhaps you don't purchase information in any form online. I, and millions of others, including many here on Slashdot, do. (Lately I've been renting DVDs online at netflix.com: it rocks! No late fees or time limits; beats Blockbuster senseless.)
So if you have something to say about why this all isn't good, or doesn't make sense, by all means, say it. But "I'm sick of this stupid "e-commerce"" isn't particularly constructive or interesting, and might just as easily be posted by a clever troll as by someone who really feels that way.
The way i see it, unless digital signatures are backed by cryptography, what's to stop me from "signing" something for you? How do you opt in and opt out of this thing? Do you have to show up at a government office and say "yes, i'd like my clicks to be legally binding". Or do you have to show and say "NO! I don't want to participate"? How many forms of ID do you need? Or can this be done via postal mail?
Digital signatures are supposed to be HARDER to forge than real ones. Not just more convenient, otherwise we'll be seeing a huge rise in fraud... That means being based on public key encryption (I think), so everyone can verify you, but no one can be you.
Ack, not cryptosignatures! Without a legal definition of what constitutes an electronic signature, this law is worthless at best, and extremely dangerous at worst. My GPG signature is 2 things: identity verification, and verification that the message hasn't been modified since I sent it. I DO NOT want it to constitute a legally binding order. If it always constitutes a legally binding order, how do we do identity verification and checking that a message hasn't been modified without the "signature" carrying more weight than it should?
What's particularly dangerous is that the "--Bob" at the end of this message could be a signature. ANY SSL enabled website could have a button (that does anything in the world) that could be a signature. Anything sent electronically could be a signature!
No. A signature should be something cryptographically verifiable, and protected from fraud. It should also be something that I have to sit down and create, with full realization that this is legally binding. How about a message containing only my name and the date, that is PGP/GPG signed. Whatever the case, this law is crap without some definitions.
--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
The purpose of the law is to make digital signatures (a purposefully vague term) have the same legal standing as written ones. This is because, BEFORE this law existed, it was very easy to dismiss most 'contracts' that didn't have a written signature.
Now, in order to enforce something, you will *still* have to prove that a signature was that of the person who you think signed it. Just like with handwriting.
Of course fraud can happen as well. That's what witnesses are for.
If someone signs my name on a cheque, and buys something.. I can walk in and say 'look, this is NOT mine, I did not sign this'. Unless they can prove I did.. they are out of luck. Generally this can be done by handwriting analysis, fairly easily.
For more serious contracts, there are *always* witnesses. Notaries even. People who actually ask you for ID as well before they notarize what's going on.
So now, the point is, this can be done digitally, and the contracts can't be invalidated solely because the signature was digital.
So what is a few days when you are leasing, refinancing or buying a house or something? Is it that big a deal for it to take a few days to get everything signed when someone is buying something as expensive as a house? It may be to the real estate agent, but I don't know if it really matters to the consumer. I know I would have been leery of using an e-sig when I bought my house.
-N
I wonder if it would work? I mean, e-sigs _are_ legal, and it *looks* like it came from Bill.......
#-------------------------------------#
#!/usr/bin/perl
$|++;
open(MAIL,"|/usr/sbin/sendmail -t"); #lets go!
print MAIL "To: nukes@pentagon.gov\n"; #mm hmm
print MAIL "From: BillC@whitehouse.gov\n"; #the big guy
print MAIL "Subject: RED ALERT\n\n"; #send a nuke
print MAIL "Hello,\n\n"; #standard greeting
print MAIL "This is Bill. Launch 5 nukes to Moscow.\n\n"; #ah, we've been h4x0r3d!
print MAIL "Bill Clinton"; #legal sig
close(MAIL); # BOOM
#----------------------------#
I'm not sure.. there are rules stating what things a cheque needs to have in order to be valid.
One of them is a signature from the issuer.
The reason many cheques can be cashed without either party signing them, especially when deposited through ATMs and such, is that it is more economical for the banks to simply pass them all and deal with any issues that arise than it is to visually inspect each and every cheque.
A check is not a contract per se, it is an instrument of trade. The bank says that if you hand a document with your signature, your account number, the payee, and a few other minor details, they will honor it.
See the BBC's story about MP3.com's 'e-mail march' where MP3 is launching a 'million e-mail march' in support of an American bill which could end legal action against it.
Richy C.
--
Neither.
The law simply means that the signatures in and of themselves cannot be invalidated simply because they are not handwritten, and are digital.
Either that corporations would be given the right to vote....
Ewige Blumenkraft.
I'm starting the process of being appointed as a Notary Public for my state[*], just because it's such a useful thing to be. Maybe we need something similar for the Internet -- volunteer witnesses who can be trusted. Possibly even professional witnesses (think the Fair Witness from Stranger In A Strange Land).
[*] That would be the state of Ohio, not the state of confusion or state of delirium, thank you.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
does this mean that if we give a site bad info and click the button saying it is correct we are doing something illegal? I can just see them coming after people for that. Of course, they would have to track you by IP and that would probably be more of a pain than it is worth
I'm a signature virus. Please copy me to your signature so I can replicate.
Online signatures would work for software until I went to buy a copy. Why's that? I'm 14! My signature isn't valid. And if my mom or dad signs the EULA, depending on the wording, I can't use it. -Rob
Want to NOT be nervous next time?
REFUSE TO SIGN!
REFUSE TO SIGN!
REFUSE TO SIGN!
In fact, refuse to sign, and if they hassle you, tell them why you are refusing to sign (the digitization/copying issue), and threaten to walk away and take your business "elsewhere". If they STILL refuse to cooperate - WALK AWAY - and go elsewhere (even if it means you must go out of your way, DO IT).
YOU ARE IN CONTROL - NOT THEM!
This works even better if you explain your reasoning when there are several people behind you. In fact, explain to the cashier and to those in line why this is a BAD thing - as well as how it can be improved - you seem to know enough about this to be effective. Explain it to the store manager as well (they are generally called when someone refuses to sign).
Finally - don't sign in the box on the receipt. My paranoid side tells me that they probably just stuff these "manual" receipts into a bag to be digitised later. Call me paranoid, but if I were a business, or a company peddling this tech, that is what I would do (or in the case of the vendor of the tech, tout as a "feature" to prospective clients)...
* Side note - I love to do this, every time I go to Best Buy, or Sears (don't go there much, though), or Home Base (Gah! At a hardware store now?!). I just love the look on the cashier's and manager's faces, like I was refusing to use a laser scanner for fear of radiation or something - heh, heh...
Want to know another scary place that _may_ initiate it? The US Post Office. They have the machines needed, same as everywhere else - so far though, I haven't been asked to use it (when purchasing money orders for Ebay transactions)...
I support the EFF - do you?
Reason is the Path to God - Anon
PureEdge offers a secure digital signature methodology that should be a solution to many of the questions raised here.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
If they don't define how people will be verified in the first place for their 'e-signature' there will definitely be some issues... This article at ABC news states that 50 million people are not going to be web literate any time soon. Unless you have to show up in person to verify who you say you are, that's quite a lot of people I can impersonate. The problem is, right now only some/most have access to a computer. But EVERYONE has access to a pen.
What would the most convenient device be for y'all?
1. Magstripe card/reader
Limited to a small key, really easy to clone. Easy to carry around.
2. SmartCard/reader
Slightly larger key, hard to clone. Still easy to carry around.
3. Hardware dongle
No key limit, hard to clone. Not so easy to carry.
4. Trusted Software.
No key limit, easy to exploit. No need to carry.
Of course, the least secure (and most insidious) will be the "Click" signature, which I sincerely hope is legislated into oblivion.
.sig: Now legally binding!
All issues on the security of e-signatures aside, I'm not so sure online petitions will work. How many people other than us nerds will want to use this technology? I think the public is going to have a large fear of their identity being stolen if they use e-signatures, and they won't use them unless forced to. So most e-petitions will only have a few nerds' signatures on them. I doubt that any petition in the next few years using e-signatures will garner enough sigs to even be legally submittable. Remember, you have to have a certain number of sigs in order to submit a petition. Maybe 5 years down the road, with e-petitions and e-voting and everything else, e-signatures will finally come into play, but not now.
Colin Winters
E-Signatures are NOT cryptographically verified, and the law does not require them to be so. Digital Signatures are crypto, eSignatures include [X] and /S/Your Name and faxes and scans of your written signature (read the CNN article for a longer list).
I agree, however, that authentication is going to be the real problem with eSigs. After a few forehead slaps, everyone will require cryptographically-verified sigs.
Returned Peace Corps IT Volunteer
Here's a little thing I tapped out over two months ago for people to make sure I am who I say I am.
My web page is the most public forum easily available to me, and advertised in my signature. Hopefully that'll be worth at least a little towards keeping my identity safe.
--
Rob Carlson
Petitions are a way of showing a government that a large part of the electorate supports a certain issue. Knowing and dealing with these issues is essential to any democratically elected government because failing to do so will hurt them.
However, I think that it is too early for governments to adopt this sort of technology for voting and petitions. My main objection is that only a small portion of the population can be reached this way. In my opinion having an AOL account does not actually mean you know how to use the internet in an efficient way. Seen in this light, you'd reach about 20% (guesstimate, don't kill me for it) of the population, dominantly male and generally with good education. Not exactly a representative sample of the population and basing government policies on the opinion of this elite would not be a good thing for democracy. Although you might argue that this is exactly the portion of the population that comes up with good ideas frequently.
So maybe in a few years, when most of us know how to use the internet and related technologies (i.e. past the 'wow this is cool' stage), this is a good idea, but not now.
Jilles
Don't worry. In some jurisdictions, "I didn't sign that" won't be an admissible defence. It's called non-repudiation, and is state law in some places.
What OS by WHAT Swedish guy? I'll take the wild stab in the dark here and reason that maybe you have mixed up Linus Torvalds as being Swedish instead of Finnish, which he really is. Of course, maybe that's just where he lived and he's really Swedish, but I don't remember ever reading *that*.
I'm reporting you right to Pater to have your UID revoked! 224634 shall live no more! (hey, I made it rhyme!)
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Seems to me that people running insecure boxen now have a lot more to worry about... It was bad enough having to deal with fixing your computers, now you may very well have to deal with getting out of the army.
This does indeed open dangerous doors.
Not that simple. Large corp gives very large bonus to employee on the board (or spread out over all of the board members) who turn around and give large personal donations to party or campaign.
Sorry Bob, but for a creationism troll to be effective I shouldn't be able to refute it off the top of my head (Because I'm a dummy!). Make us do some research for the love of god-as-you-know-him.
-nme!
As I have noted several times before, the law of signatures has NEVER BEFORE required that any particular technology or form be used to satisfy the statute of frauds. Period. You can sign, "Minnie Mouse," shave a slash on the side of a cow, make a plaster cast with a finger-mark in it, or any other fixation manifesting an intent to authenticate -- any or all of that can be enough.
It is up to the people engaged in a transaction to worry about deniability, forgeability and so forth. A forged signature does not bind me to an agreement, and the most casual X on a contract I didn't read does. That's the way it is, and has been for hundreds of years.
On the other hand, if you want to enforce an agreement, you will want to be able to prove that the signature existed and was signed by the person to be bound. If you accepted a difficult-to-prove, but legal technology, you should be prepared for the consequences. Likewise, be careful about the documents you sign, whether electronic or otherwise.
The case law has already been clear that teletyped and typewritten documents can be binding agreements, and the bits of case law that have come to date all support the proposition that this law doesn't materially change the status quo. What it does do is to give comfort to those who would engage in high-stakes commercial transactions by electronic means -- who needn't fear that the enforceability of their documents may depend upon some seminal case based upon a new technology, however likely the result.
That's what drove this legislation. The rest is already well-inscribed in the common law.
It's probably important to note that what the law means by "e-signatures" is NOT the same as digital signatures (like PGP-signing your e-mail).
"E-signatures" are things like click-through licensing. "Click here to accept the agreement." "By pressing 'Accept', you agree to...". In other words, it's a way of making legally binding the bogus licenses that companies have been forcing on users for years (e.g., the Windows EULA).
I highly recommend the following URL for great info on e-sigs:
http://cryptome.org/esigs-suck.htm
~Mr. Bad
Evan Prodromou | evan@prodromou.name | http://evan.prodromou.name/
No you can't, not unless you're willing to shred the 1st Amendment. If you make it illegal for corporations to give money to politicians, then high-ranking officers of the corporation will give money allegedly as private citizens. Try to ban that, and they will instead give money to advocacy groups that will in turn give it to politicians. Ban that, and not only will they find another loophole, but you've directly violated the rights of speech, press, assembly, and petition.
An alternative solution is for the government to stop passing unconstitutional laws that favor certain corporations; that way there would be no incentive to lobby and corporations would have to actually focus on producing what consumers want.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
I say cheque because that's the appropriate Canadian spelling, but I'm actually referring to US law.
I take this from the web page http://www.goodthink.com/$$parti.html
I realize this is not really a legal citation, however..
Here is the excerpt:
Then my eyes caught sight of a small, pocket-sized book titled Negotiable Instruments and Check Collection, a guide for laymen. And plain as day, it listed the nine criteria for a negotiable instrument. Read for yourself what I read, and I believe you'll yell out loud just as I did when I came to the very last word:
"1. Must be in writing.
2. Signed by maker or drawer.
3. Promise or order....A check usually meets the requirement because the drawee's name is printed and encoded on the face of the instrument.
4. Unconditional....
5. Order to pay money.
6. Must be a fixed amount.
7. Payable on demand or at a definite time....
8. Payable to order or to bearer....
9. No other undertaking or instruction. The final requirement of negotiability is that beyond the maker's order...the instrument must not contain 'any other undertaking or instruction'....The opposite issue is whether or not the parties can use a form that is a negotiable instrument and avoid negotiability by declaring, on the instrument, that it is not negotiable. The answer is yes, except for a check."
BTW.. it's an interesting story. Basically, it amounts to the fact that a cheque cannot be made non-negotiable simply by writing 'non-negotiable' on it.
Faxed signatures???? Oh c'mon, I was in 4th grade when I figured out how easy it was to copy my dad's signature from his checkbook onto my detention notices. (Of course I got caught one time when I left the notice in the copying machine!)
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
You don't even need a check! In fact, you can just give your bank account number over the telephone... Most banks will require the depositor to print out an actual draft, complete with account number in the special ink that can be read by the bank's computer.
Telephone checks and all paper drafts are established as a legal method of payment as provided in the Uniform Commercial Code, Title 1, Section 1-201 (39) and Title 3, Sections 3-104, and 3-403;
Code of Federal Regulations, Title 12 chapter II, Part 210 and Regulations J, Federal Reserve Bank, Part 2, Sections 4a-201 to 4a-212. Only verbal agreement is required for authorization.
Also see Romani V Harris, 255Md 389.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
Do these really make sense? Couldn't any fool I write a check out to photocopy/scan/physically-cut-and-paste my signature at the bottom of any document he wished and fax it to the appropriate place? I think this is just one more awkward step toward creating an economy with absolute dependence on electronics. It's just one more thing that makes me a little squeamish and leaves me trying to hold on to any privacy/anonymity I have left.
I'm not sure.. there are rules stating what things a cheque needs to have in order to be valid. One of them is a signature from the issuer.
You say "cheque", the rules may be different in your country. I know this because in the US I operate a business, and this is one of the many things that I've learned "The hard way".
-This sig intentionally left blank
But in practice I've found that signatures are often meaningless unless you actually dispute things.
I once forgot to sign a whole batch of checks. Sent them out to the power company, phone company, etc, etc.
Only discovered this a month later when I got the cancelled checks back from my bank. Every single check had been honored.
Good for me in that case, though a little frightening, to say the least...
The cake is a pie
I really don't think our legislators thought about this very well. Identity theft has just been taken to a whole new level. Either this law should be repealed, immediately, or we should all go out and get fingerprinted so after someone steals our identity (digitally speaking), we will have a record that we are indeed who we say we are.
Burn Hollywood Burn
Here's some bits from Finnish law:
The signature must contain:
1) The name of the signer and a unique id other than the SSN
....
The signature must be based on encryption that is sufficiently secure and use publicly available specifications. It must be based on public key crypto or something that is at least as secure.
...
Then some bits about how the CA must store the keys and how the users must be able to revoke their keys if they want to.
Then some more bits about how your identity must be verified when you get one of these id's and also that the CA is liable if someone uses your key and it was their fault.
The way they do it is issuing smartcards (which also work as a normal id card and are valid for travel inside most of Europe)
There's some information about the Finnish system at http://www.fineid.fi/Default.asp?todo=setlang&lan
Works pretty nicely, supposedly even with Linux...
I'd just use the PGP "web of trust" concept, but with some extensions (and legal changes required as well).
I see it as absolutely essential that the keys used be issued by some trusted group. However, I don't trust the government, and I don't trust Verisign; both are too big, located outside my community (so I can't come in and yell at them) and (as they've never met me as a person) don't really care for my interests. I'd put much more trust in my local notary public.
One way of handling this: A licensed notary public could be given a key with which they could sign clients' keys. These notary public's keys would be signed by the government office which issued them, and these signatures backed by a central key.
As for a set of hosts to store the public keys on, the existing PGP keyserver architecture seems to be doing just fine.
If any notary was found to be dishonest or allow their key to be stolen, a revocation would be issued; their clients would then have to have their keys re-signed by someone else.
First of all, the fee is no longer ongoing.
Second, decentralization is encouraged.
Third, I'm dealing with someone local I can walk over to and yell at -- and (at least until I yell at them) who thinks of me as a Real Person. Don't underestimate the value of this.
Yes, it's more expensive for the consumer. However, I think that's a Good Thing -- binding signatures are
Technically, I could take a dump on a piece of toilet paper, and write "I owe you $7" on it, and the bank should honor it. However since the world has a few people with common sense left in it (they're running the banks), that'll never happen.
Bite my shiny metal ass!
Reimbursing for donations is illegal. Recall that the Dems had to give back quite a bit of money raised that way...
Only the dead have seen the end of war.
This is why you have certification authorities on the Internet, such as Thawte, Verisign, etc. They cross sign your keys and guarantee that anything cross signed by them is authentic. So naturally, before they cross sign, they verify that the person is authentic and the key belongs to him. They take responsibility in the case of any bad identity mis-haps.
Banu
So then you're limited to $1000. You can also make it illegal to allow corporations to indirectly give to politicians. Whether through incentives or what not.
Now that electronic signatures are legal, is it possible to create an electronic petition? Say, for the purposes of bringing the DMCA up to general election? It would seem to me that such an action would naturally be very easy over the internet. I'm sure CNN would love it too, "DMCA to be reviewed after government receives 12 million petition e-signatures"
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
On the other hand, the whole concept of signatures is pretty ridiculous in the first place. How does putting one's name down in ink make something more valid than anything else?
Got Rhinos?
The only thing that an e-signature confirms (cryptographically) is that the person who signed the document is the same person who owns the secret key. The word "owns" is a source of a plethora of problems: what happens if a key becomes corrupted (gets lost or stolen)? How is the connection made between the key owner (a user account on a computer) and the real person behind it?
The latter problem can be solved in two ways - with a web of trust (PGP approach) or via certification authorities. The first approach has the advantage that it does not need a central authority and that it is decentralized. However, if someone has to relocate, he/she first has to build up such a "web of trust" again, which is clearly impractical for many people.
With CAs (certification authorities), the problem is that there exist too many right now, and there is no standard procedure to establish the authenticity of the keys. In order to make this technology really accessible, public authorities would have to give out certificates as well. E.g. you go to the city hall and get a certificate for your public key in the same way you obtain a passport.
The cryptographical problems have been solved (at least for now, unless new algorithms are detected), but the "real world problem" of authenticity will always remain. It is important to establish good practices to cope with that.
When it comes to signatures on paper, they must be done in permanent ink. No exceptions. I feel that this stupid e-signature fiasco will undermine all that. Sure, perhaps some e-sigs will change by only a few bytes, but that's corruption nonetheless, akin to this.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Well sure you or I would do that. But we are not big wig corp types (we know where the any key is). On paper they're not forcing you to do anything; you chose to contribute and they chose (later) to reward you for your patriotism.
If only rsa was this easy to defeat.
I know I'm going to hell, I'm just trying to get good seats.
You are now allowed to hack into banks, just not take money....
-- "Microsoft can never die! They make the best damn joysticks around!"
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
I think this is a good thing, but until there is sufficient infrastructure in place to verify electronic signatures, we're all in for a shock.
What we need is a public-key registrar that can be used to verify the authenticity of the signature. At the moment the only folks that are key-registrars are for fee, and I'm not going to pay an ongoing fee so someone else can vouch for my signature. Unfortunately this means we'll need the fed to step in and be a public, public-key registrar.
I really HATE having to invoke ANOTHER federal program, but here I think it makes sense.
There are certain terms that have to be met for a contract to be legally binding. (in my country at least) One is that both parties must receive benefit. Thus, if I signed a note saying I'd give you my house, I can't be bound to do it.
Also, contracts don't need signatures. Many contracts are verbal.
So you see, legalising digital sigs doesn't cause silly dangers like the ones mentioned here, but it may help acceptance of more legit e-contracts.
---
How are they planning to avoid rampant fraud? Haven't enough people lost their domain names through forged signatures already?? Reset my bank account pin #?? OK! Register a stolen car? No problem!
Dirty Pirate Hooker
this is like giving a ten-year-old a loaded M-16
Yes, they could, but if their info got "In", then that info can get "out". Personally I wouldn't want to lose my "Palm XII" that had my fingerprint and DNA info stored inside. Next thing I know, my genetic info is being sold to the highest bidder for a new identity.
-This sig intentionally left blank
The law does not specify a type of technology for e-signatures. They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page
Oh great. I just clicked a button and sold my house. Seriously, how could anyone pass such a vague law? If that's how the wording of the actual bill really is, then we're in trouble.
I thought the entire purpose of digital signatures was to prevent forgeries, since signatures based on encryption algorithms are very hard to crack. And then it gets convoluted to the point that clicking a button on a non-secure webpage could constitute signing a contract? What next?
This is why you have certification authorities on the Internet, such as Thawte, Verisign, etc. They cross sign your keys and guarantee that anything cross signed by them is authentic. So naturally, before they cross sign, they verify that the person is authentic and the key belongs to him. They take responsibility in the case of any bad identity mis-haps.
If somebody digitally signs a new credit card application "for me", and I don't find out for several months, what is Verisign going to "guarantee"? A situation like this could make life such a pain in the ass, that just about any "guarantee" isn't going to do much for me.
-This sig intentionally left blank
The law is only there to enforce societal standards of honesty and good behavior. I shouldn't have to get you to sign something in triplicate with a dozen lawyers present before you'll begrudgingly keep to your word.
Remember, just because it's easy doesn't make it right. It's easy to change your mind, not obey the law, or back out of your commitments on the Internet. But that doesn't make it right. The law is just catching up to what most people would consider standards of good behavior on the Internet.
maybe I can start writing checks on line now?
---
GetSystemMetrics(SM_SECURE) == FALSE
What is the difference from making a fake e-signature and defrauding a company than signing a fake check and defrauding a company? Nothing! Non-electronic and Non-internet-but-electronic fraud costs companies millions and millions of dollars a year.
.END RANT
Obviously there are going to be extensive problems with this that will take a lot of time and planning to get around, but if companies use current antifraud measures against this it will save a lot of money and legal battles.
It is something new but also something that is needed. As everything moves into the digital realm it is best to get legal issues like this figured out before the corporate world takes more control of the net.
I am
but couldn't this be abused by 'the man'. "well...we're takin your house and all your bank accounts....what...you signed for it right here...." .... or what about "your honour, he gave us consent to search, just look at this signature right here...".... i know you're all looking at me going "um...freak", but isn't this a real possibility? god knows it's a hell of a lot easier to resolve a forged handwriting than a forged electronic document.... how can you put a microscope on 1's and 0's ?
just makes you wonder
oh btw, this sig of mine..it was by dan quayle, not al gore....so shut the hell up about it. god damn people
"sex on tv is bad, you might fall off..."
I lost my concept of community when my community lost all concept of me.
Simple petition:
No Vote, No donation.
Translation:
Corporations do not have the right to vote, therefore cannot make campaign and party donations.
I'd say that at least 85% of the population would sign this without a second thought.
I hope you don't combine these. That could get risky. I don't want armed druggies near my email server, even if it is running on OSS.
Start reading it. Really carefully
Why don't you do this already? I know there are a lot of words in those things, but that is the End User License Agreement. By blindly clicking OK you are accepting their terms and they have the right to prosecute violations of it.
Watch for Microsoft's next version of its EULA, where you agree not to compete with the company for the next 5 years.
What? Never seen that one before. And so what if they do have it? Don't agree to it. There are always other alternatives (like that OS everyone around here talks about from that Swedish guy). I think this is actually a GOOD thing. Here's why: if we are legally bound to a click-through LA, they must be legally bound to honor it and not change it without our consent *cough*Cue:Cat*cough*. So we now have grounds for a lawsuit for an unfair (like your Microsoft example) or undocumented LA change.
Planning to be moderated ± 1: Bad Pun.
Yup--I mean it. Spend a little time in the business world and you'll be amazed at how often a business process depends upon there being a signature on a document--without the slightest regard for whether or not that is your signature.
For example, consider your checking account. When you opened the account you had to sign a card, right? So the bank could compare your signature on each check to prove that it's really you? Guess what--banks do not check signatures on checks. In fact, if you ask your bank to validate the signature on each check cashed they will typically charge you for the "service." So unless you allege that a check was forged, your signature at the bottom of that check is meaningless.
Case in point: ABC News is a client. For some reason, known only to ABC's Accounts Payable department, they pay their invoices from a bank in North Dakota--on a joke of a check form. The bank name, transit routing numbers, and the signature are all printed in place on an old-fashioned chain printer--they don't even have one of those stamps that purports to be an authorized signature. The first time we got paid we looked at the check and said, "yeah, right. No way on earth is this going to be accepted by the bank." We took it to the bank in town, the teller looked at it, said, "are you going to be on TV?" and processed the deposit. Without any "signature" beyond the words "American Broadcasting Companies, Inc."
I have a project starting later in the month designing a new system for a U.S. sports sanctioning body. As part of the entry process for competitions a competitor has to present copies of various documents (medical forms, membership cards, etc.). The system, in theory, depends upon the validity of signatures--but the forms are typically photocopied. It is child's play to create a phony medical certificate--in essence to cheat--using any $99 graphics program. But--if we assign the competitor a digital signature (using the PGP trust method), and counter-sign with a trusted medical provider and a date, we have a substantially more trustworthy certificate. It becomes vastly harder to cheat. We really, really like the idea of digital signatures--and we really, really hope that the client (the sanctioning body) will adopt the plan.
It will be possible to cheat with e-signatures. You will hear horror stories repeated by breathless bimbos on the 11 o'clock news. But signature fraud happens all the time today--what e-signatures will do is make signature fraud substantially more difficult to accomplish, and therefore a crime that occurs much less frequently.
IMHO, this is a very good thing.
Hmm, you mean: "Automatically include your signature or attach electronic business card (vCard) to outgoing message." Outlook->Options->MailFormat. Not secure, but still really annoying. Especially getting asked "What's a .vcf?" No need to wait until 2005 (when Outlook 2003 will be released), I believe this "feature" has been there since Office 95, but I'm probably wrong.
Planning to be moderated ± 1: Bad Pun.
would be to implement a public key algorithm. Signing a contract would entail encrypting the contract with your private key. Verifying the contract would entail using your public key to see if the cyphertext decrypts to the original contract text. The problem that then arises is protecting your private key. Perhaps a standard method would be to use a type of removable media to prevent hacking and whatnot.
Badgers? Badgers! We don't need no stinkin' Badgers!
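The sign-with-private-key, verify-with-public-key scheme from the comment above, combined with the notary-signed key chain and revocation proposed earlier in the thread, as an added example that is not any poster's code. It assumes toy textbook RSA over a SHA-256 hash (no padding) with keys built from Mersenne primes so it runs on the standard library alone; the certificate layout, the names `office`, `notary-1`, `notary-2`, `client`, and the revocation set are all hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below


def make_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1.
    Constructed demo parameters: trivially factorable, never use for real keys."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key, data):
    # "Encrypting with the private key": raise the hash to the private exponent d.
    return pow(digest(data), key["d"], key["n"])


def verify(n, data, sig):
    # Anyone holding the public modulus n can reverse the operation and compare hashes.
    return pow(sig, E, n) == digest(data)


def cert_body(subject, n):
    # The bytes an issuer signs: a name bound to a public modulus.
    return f"{subject}|{n:x}".encode()


def issue(issuer, issuer_key, subject, subject_n):
    """Hypothetical certificate: the issuer vouches that subject_n belongs to subject."""
    return {"subject": subject, "n": subject_n, "issuer": issuer,
            "sig": sign(issuer_key, cert_body(subject, subject_n))}


def check_contract(contract, sig, chain, anchor_n, revoked):
    """Walk the chain from the trust anchor down to the signer, then check the
    contract signature. `revoked` is a set of revoked public moduli."""
    issuer_n = anchor_n
    for cert in chain:
        if not verify(issuer_n, cert_body(cert["subject"], cert["n"]), cert["sig"]):
            return (False, f"bad signature on certificate for {cert['subject']}")
        if cert["n"] in revoked:
            return (False, f"key of {cert['subject']} is revoked")
        issuer_n = cert["n"]
    if not verify(issuer_n, contract, sig):
        return (False, "contract signature does not match signer key")
    return (True, "ok")


def demo():
    office = make_key(2203, 2281)   # government office, used as the trust anchor
    notary1 = make_key(607, 1279)
    notary2 = make_key(89, 3217)
    client = make_key(127, 521)

    contract = b"I agree to pay $7 on delivery."   # constructed sample document
    sig = sign(client, contract)
    chain = [issue("office", office, "notary-1", notary1["n"]),
             issue("notary-1", notary1, "client", client["n"])]

    out = {}
    out["valid"] = check_contract(contract, sig, chain, office["n"], set())
    # Changing one character of the document invalidates the signature.
    out["tampered"] = check_contract(b"I agree to pay $7000 on delivery.",
                                     sig, chain, office["n"], set())
    # Notary 1 is revoked: everything it vouched for stops verifying...
    revoked = {notary1["n"]}
    out["revoked"] = check_contract(contract, sig, chain, office["n"], revoked)
    # ...until the client's key is re-signed by another notary.
    chain2 = [issue("office", office, "notary-2", notary2["n"]),
              issue("notary-2", notary2, "client", client["n"])]
    out["reissued"] = check_contract(contract, sig, chain2, office["n"], revoked)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A `(True, "ok")` result shows only that whoever holds the client key signed the document; a copied key passes the same check until its certificate is revoked.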
ZDNET reported Friday that if you have a Synaptics touchpad on your notebook they will be letting you download a fully licensed copy of Silanis ApproveIt software.
I think it is only available currently for Windows, but there is a developer toolkit version that supports C++ so maybe there is hope for porting at the API to other OS's.
Work for Change & GET PAID!
Anyone here using Win2k wonder why they changed the installation wizards to an IE/web based look? It's a lot easier for a Kaplan-esque judge to understand "But he clicked an Accept button on a web page, your honor" . . .
funny munging
Electronic signatures. The article does not even state of some type of standard for the electronic signatures. USA in the race in trying to be the first they are not looking ahead too much.
- Bruce Schneier makes a lot of good points -
``But some computer security experts downplayed the online dangers.''
"It's always a risk between the criminals and the good guys. So the better they become at hacking it, the better we'll become at making it stronger," said Stratton Sclavos, CEO of Verisign, an Internet securities firm.''
Great... how many "I didn't sign that" lawsuits are going to be necessary before they realize that this whole e-commerce thing is a huge mistake.
If you really want something, buy it in person. The cost of traveling will be much, much less than the court costs of trying to get yourself out of a forged deal.
``We are the people our parents warned us about.''
I saw in a news article a few days ago (of course, I forgot where) that two insurance companies (one is Chubb, I forgot the other one; damn, I'm getting old) are now offering insurance against identity theft. It really sucks that this is becoming necessary, but I am afraid that it is.
I will MAKE it legal.
jonkatz@slashdot.org
"It's always a risk between the criminals and the good guys. So the better they become at hacking it, the better we'll become at making it stronger," said Stratton Sclavos, CEO of Verisign, an Internet securities firm."
Banker: Oh my god! They broke in and stole all the money!
Bank Guard: Yep! Them rascals sure are clever!
Banker: What?!
Bank Guard: A few more break-ins like that and we'll have the best security system in town!
Banker: You're fired.
Bank Guard: Well, I guess it's time for me to start up that online encryption monopoly that I've been dreaming about....
On the surface this seems like a great step toward the "Digital Future" (TM)(C)(R)(etc). However, even in Real Life when it comes right down to it, signatures have little value. Think an unsigned check is "worthless"? Think again, simply writing a check and giving it to someone as a payment makes that check a legal instrument and it CAN be cashed sans signature (although quite often the bank may try REALLY REALLY REALLY hard to get a signature before they will honor it). Other documents require a signature only to minimize the possibility that you can dispute the contract terms later.
Digital signatures introduce a HUGE problem, they will lead the Sheeple (those that follow the "herd") to believe a level of safety has been added to the WWW that isn't really there. It also seems that there is almost NO way to verify the identity of the person who is signing the digital signature. This would also lead on-line merchants to possibly relax a little bit about credit card fraud, when in reality they now have a new form of fraud to look out for.
I don't know what the right answer is, it is probably a smart card reader coupled with a fingerprint scanner as a form of ID. This would probably require a central database of people's info, though (so that you could "sign" for things anywhere, not just at your home PC), and we all know that big databases are a Bad Thing. Perhaps there is a better solution, or perhaps this will end up being an area where Real Life is safer/better than the 'Net.
-This sig intentionally left blank
Great. So lawyers get richer while every click of my mouse becomes a legally binding contract. Pay attention to this, boys and girls, this makes all those website disclaimers ("By visiting this site, you agree to the following terms and conditions...") legally binding.
Well, in theory anyway. Anyone wanna test that one?
"I came here to kick ass and chew bubblegum. I'm all out of bubblegum." MSE USC APX AIA CSI CASp
I don't know. You could try reading the text of the law yourself and see if you can figure it out. (Good luck trying to understand it without a lawyer's help!)
Digital signatures are supposed to be HARDER to forge than real ones. Not just more convenient, otherwise we'll be seeing a huge rise in fraud... That means being based on public key encryption (I think), so everyone can verify you, but no one can be you.
The law says nothing about digital signatures. It gives legal standing to electronic signatures, an extremely vague term. (Probably deliberately so.) Yes, this is vague enough that clicking a button on a license screen or web page might constitute an "electronic signature". Forget what you know about digital signatures; this is a different beast, and a very disturbing one.
I tried to bring attention to this bill before it was signed by the President, but Slashdot rejected my submission:
- 2000-06-27 20:19:19 UCITA-like e-signature bill will be law soon! (articles,usa) (rejected)
Of course, the bird's already flown the coop now...
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
I hereby state that I owe eswan 1 (one) gazillion dollars.
Kids love the rich taste of web content! http://british.nerp.net
Woo! It's got his signature on it!
--
The shareholder is always right.
speaking of security (or lack of) - click here to marry CmdrTaco!
I'll link those two sites to each other to make things even more convenient - how's that?
I would just like to say a forged digital signature in my name is NOT legal. So watch it! :)
If a signature can be defined as a form button now it would seem this would be used to try to legitimize 'click through' licensing.
Not to mention stupid web-based games that could be played with this.
I really hope I read that wrong.
"No, Timmy, don't click that! AARRRGH!!!"
I don't subscribe to RMS's GNUtopian vision.
Anything else, and I don't pass go.
Did anyone really think this "digital signatures as legally binding as real ones" was ever meant to help out the average citizen?
Here's proof that it wasn't. Govt's are now scared shitless because grass roots organizations have announced plans to have ON-LINE BALLOT INITIATIVE PETITIONS to get various propositions, etc., on state, county, and municipal elections. And hey! The digital signatures collected via the web are "as legally binding as paper signatures". Holy shit! We gave power to the people? This was supposed to just help corps and the UCITA. JUDAS! We gotta do something!
So for this, I applaud the new digital signature bill. Because now it gives ME THE POWER to start writing new state legislation myself. Watch out corps., I've got a pen in my hand and web site running from my desk.
A necessary move, but the world isn't ready for it yet. Secure/encrypted email hasn't gone mainstream. The induhviduals of the world aren't savvy enough to deal with electronic signatures. However, a few disasters and incidents of fraud may push this awareness to where it needs to be faster than it would have gotten there otherwise.
We must respect evil, and we must make evil respect us.