Electronic Signatures Now Legal?
xpird writes "CNN is reporting this. -- A new federal law taking effect Sunday gives e-signatures the same legal standing as their handwritten counterparts, a significant change that promises new opportunities and risks on the Internet." Considering the amount of forged e-mail I get, this is gonna get interesting.
The linked article talks about the potential dangers but tries to reassure us that "the experts" are saying it's OK. The problem is, the critics are right about the dangers of your signature being stolen. (Cryptographic-type people may note that reasonably safe systems can be created, but you can still hack a computer and snarf the signature key itself, which is pretty darned hard to protect against and still have a system usable by normal people in the real world.) What this article doesn't mention is the total lack of online fraud protection.
Under the terms of this law, if your electronic signature gets stolen and used, there are no provisions to make you not liable for any charges that are racked up, meaning at the very least that if a signature is stolen, you could be looking at a total destruction of your credit rating, should you choose not to pay for the thief's actions, or arbitrarily large bills, if you choose to.
This is in stark contrast to credit cards, where, subject to certain rules involving speed of notification of fraud upon discovery, your liability is limited to $50, no matter how much your stolen credit card number is used against your will.
Despite my excitement at seeing the idea of digital signatures accepted, I must strongly recommend against using them in their current form. I'm hoping "That couldn't possibly have been my signature because I've never used a digital signature before" will be an adequate defense...
Have you ever posted something other than "Bababooey to you all"?
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Anyone wanting to really use digital sigs for authentication purposes had better keep hard evidence of all changes to their key pairs - store them on read-only media along with the revocation notices for previously used keys and then get the government to timestamp 'em for you by posting them to yourself via registered mail and never opening the envelope when it arrives.
Guess we'd all better start including disclaimers in our standard email .sig saying "Unless I cryptosigned this document it does not constitute a binding digital signature" or something to that effect too.
Paranoid? Me? Surely not...
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
It's all a matter of trust. "Trust no one" is not an option and will hurt you economically if others do take the risk, nor is "trust anyone". The truth is in the middle. I live in a country where I think I can trust the government to provide me this kind of services.
While you may trust a government agency to do the right thing, you must remember that it is made up of individual people... some of whom may be likely to tamper with or steal your signature, validation key, or whatever they end up storing for their own personal gain, revenge or other motives. I don't trust government agencies any more than I trust a corporation to maintain and secure my privacy. Echelon, Carnivore, states selling their databases to advertisers (drivers' licenses, etc. are public data and in some US states the databases are sold just like the list marketing assholes do), etc. should go to show what happens when an agency at large gets too big for its britches/has too much power. Now, imagine each of those agencies with 1% of their employees being unscrupulous and the damage that those individuals could do to someone...
Don't leave your mind so open that your brain falls out. Don't close it so much that you cut off the blood.
I personally hate the idea of digital signatures for the reason illustrated (and yes, oversimplified) in the Subject of this post. For digital signatures to have value means that, like credit-card numbers, there will be steady and skilled attempts to steal and use them.
I think we'll get spanked on this one.
**>>BELCH
But I thought I'd just relate a little international e-shopping experience I had the other day. I was sitting at home in Connecticut, instant messaging my friend in Colombia (you know, the place where cocaine comes from.) At the time, she was busy making hotel and car reservations online for her next vacation, while I was busy ordering some bicycle accessories and exercise equipment. Neither of us had to spend any time on hold, talking to an undertrained operator who's not familiar with their product line. Or worse, sitting in traffic. Instead, we chatted with each other in between filling out HTML forms.
Sure, the e-industry is filled with marketdroid buzzwords and hype. But that shouldn't bother you any more than the next Jon Katz story about killer high school students whose Luddite tendencies have erotic undertones; just ignore it and go about your life.
The problem with e-petitions is not response rate; it's the integrity of the signature. People handwrite passphrases on Post-Its and keep them in "passphrase.txt" files; as long as this happens, forgery will be very easy.
Now forgery of an electronic signature on an initiative petition would be election fraud, punishable by severe fines, but would this be an effective deterrent? Unclear at best.
sulli
RTFJ.
A troll with a 33 karma, I might add!
Start reading it. Really carefully.
To quote the CNN article:
(emphasis mine)
This means that the EULA you're clicking 'Accept' for can now be as legally binding as, oh, say, a loan from a bank. Or a bill of sale.
Watch for Microsoft's next version of its EULA, where you agree not to compete with the company for the next 5 years. Or watch for the inevitable rash of popup boxes that require you to hit 'okay' to get rid of. Never mind the fact that when you hit okay, you're legally signing away all your worldly possessions.
Who needs the DMCA to trample our software rights? This law will do it all for us by itself...
Postscript: Current fraud laws may provide some level of protection, which is why I hope claiming that you've never ever used one might help somehow, but as our society found them unacceptable when credit cards were developed, I think what protections may exist are just as unacceptable now.
Too late now, it's law. Everyone had their chance over the last year to get this thing knocked down, or looked at critically by technical folks. Best you can hope for now is an amendment or that something will come along to strike it down.
So I should no longer need to use my credit card to verify my age (Yahoo! made me do that to use my spam-trap email account). Now I can just digitally "sign" an affirmation of my age, right?
Everyone knows that credit cards are not proof of age, but they use them anyway because it covers their ass, legal-wise. With "e-signatures" given the full force of law, they should be able to point to this law and use an "e-signature" form post button to prove your age with just as much ass-covering legality.
-- Don't Tase me, bro!
The one commentator said "If someone steals your credit card, you get a new one. What do you do if someone steals your thumbprint? Get a new thumb?"
That's the gist of it. Once my signature is digitized, it can be reproduced and sent along with anything.
The only way I can see this working is if it is some sort of secret that is known only to me, and it is revocable. I somehow doubt that that digitizing tablet and thumbprint reader on TV was using the data to unlock an internal secret key and using THAT to sign the data. No, I'm sure it was just digitizing the actual sig or print and sending THAT along.
I also get very nervous signing credit card slips using digitizing tablets at stores now, even though I'm fairly sure it doesn't record stroke and weight. All you need to do is sign once some tablet that DOES do that, and then anyone can print out perfect stroke and weight sigs using a plotter and a pen. (In these cases, I alter my sig by signing the name of the store across my sig on the table...)
I'd be more comfortable with a smart-card idea like the American Express Blue Card than what I've seen so far. At least it's something only issued to you and it can be revoked.
Yeah, things like PGP signatures could be used to do this, but I can't imagine the average person managing that correctly. I could easily, for example, go to someone's office at work and ask them to type in their PGP sig so I can debug their computer, then go back to my office and scarf their private key file. But I would have far less success going into their office and asking to borrow their smart-card for a while..
I never filled out that signature line in the user prefs page!
Our law was specifically amended a while back to allow the 'electronic' signature of documents sent by fax to be binding.
A pizza of radius z and thickness a has a volume of pi z z a
A point to remember is that the law enables eSigs--which is just about anything (X) or /S/GriffJon or whatever else. It's instructive to realize that physical signatures work the same way--a physical mark is a legally binding signature if it was made with 'the intent to sign'.
Will there be fraud in eSigs? yes. There will be an immediate move towards digital (cryptographic) signatures, and higher security. This might even get more intelligent password use, or hell, even hardware solutions (smartcards, dongles, etc)
The law is well-written, and in 5 years people will wonder how things got done before the ESIGN law.
Naturally, a lot will happen in those five years, and people dealing with eSigs and certificates will have to deal with identity, accountability and such so as to get trusted eSigs.
Returned Peace Corps IT Volunteer
Here in Europe the European Parliament passed a guideline last year (I think, or was it this year?) that would equal the electronic signature with a handwritten one. Now the EU member states have 2 years' time to pass this into local law... So, this whole thing is not at all US only!!!
This is kind of a good idea; the problem is that we need more standardised technology for signature authentication.
The most obvious problem is people hacking into your computer, and copying your signature. I'd suggest that storing the signature on external media (a smartcard would probably be good for this) should significantly help with that problem.
Then there is the issue of your signature being copied, once it is sent. PGP offers a suitable service, where messages can be signed, allowing people to verify that the message came from you, without the "signature" being usable on other messages/documents.
Perhaps an application which presents a document to be signed, and if you accept, signs it using a key stored on the smart card, before sending the signature back to the originator?
Thoughts?
Wow... then people would be voting solely on their conscience. What a concept.
No accounting for taste!
I had a 45-year old friend of mine express a similar sentiment to yours, in about 1995: "I really don't see the point of shopping on the web, I've never bought anything that way." Of course, in '95, options were more limited and perhaps he couldn't anticipate how things were going to change. (I noticed he still invested in tech stocks and made some money on the ride up, though.)
But it's 2000 now, and he buys all sorts of stuff online. When I reminded him of what he had said, he laughed. The web and e-commerce is a fait accompli. In 2000, a Slashdot post saying "I hate shopping online" and "I've only bought two things online" is a troll, almost by definition.
We all know you can't feel stuff online (well, not without a Vivid Video bodysuit, anyway.) You're not telling anybody anything new. Perhaps you don't buy things like software, CDs, CD-R disks, books, videos, electronics, and perhaps you don't book flights, hotels, or rental cars, and perhaps you don't purchase information in any form online. I, and millions of others, including many here on Slashdot, do. (Lately I've been renting DVDs online at netflix.com: it rocks! No late fees or time limits; beats Blockbuster senseless.)
So if you have something to say about why this all isn't good, or doesn't make sense, by all means, say it. But "I'm sick of this stupid "e-commerce"" isn't particularly constructive or interesting, and might just as easily be posted by a clever troll as by someone who really feels that way.
The way I see it, unless digital signatures are backed by cryptography, what's to stop me from "signing" something for you? How do you opt in and opt out of this thing? Do you have to show up at a government office and say "yes, I'd like my clicks to be legally binding"? Or do you have to show up and say "NO! I don't want to participate"? How many forms of ID do you need? Or can this be done via postal mail?
Digital signatures are supposed to be HARDER to forge than real ones. Not just more convenient, otherwise we'll be seeing a huge rise in fraud... That means being based on public key encryption (I think), so everyone can verify you, but no one can be you.
Ack, not cryptosignatures! Without a legal definition of what constitutes an electronic signature, this law is worthless at best, and extremely dangerous at worst. My GPG signature is 2 things: identity verification, and verification that the message hasn't been modified since I sent it. I DO NOT want it to constitute a legally binding order. If it always constitutes a legally binding order, how do we do identity verification and checking that a message hasn't been modified without the "signature" carrying more weight than it should?
What's particularly dangerous is that the "--Bob" at the end of this message could be a signature. ANY SSL enabled website could have a button (that does anything in the world) that could be a signature. Anything sent electronically could be a signature!
No. A signature should be something cryptographically verifiable, and protected from fraud. It should also be something that I have to sit down and create, with full realization that this is legally binding. How about a message containing only my name and the date, that is PGP/GPG signed. Whatever the case, this law is crap without some definitions.
--Bob
1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
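The two things Bob asks for above (a signature that proves who sent a message without that signature "carrying more weight than it should", and, from the smart-card post earlier, a signature that cannot be lifted off one document and attached to another) are both standard properties of a detached cryptographic signature with a purpose tag mixed into the signed bytes. Below is an added example in Go, not code from the CNN article or from any poster here; the purpose strings, the document texts and the login challenge are all made up for the demonstration, and Ed25519 stands in for whatever PGP/GPG would actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Purpose tags (hypothetical names). The tag is part of what gets signed, so a
// signature produced under one tag can never verify under another: an
// "I am Bob, here is your login challenge" signature cannot be replayed as
// "I, Bob, agree to this contract".
const (
	PurposeAuth     = "esign-demo/v1/authentication"
	PurposeContract = "esign-demo/v1/contract"
)

// toBeSigned is the exact byte string that gets signed: a length-prefixed purpose
// tag followed by the SHA-256 of the document. The length prefix keeps the encoding
// unambiguous, and hashing the document binds the signature to that one document.
func toBeSigned(purpose string, document []byte) []byte {
	digest := sha256.Sum256(document)
	out := make([]byte, 4+len(purpose)+len(digest))
	binary.BigEndian.PutUint32(out, uint32(len(purpose)))
	copy(out[4:], purpose)
	copy(out[4+len(purpose):], digest[:])
	return out
}

// Sign produces a detached signature: the document travels separately and unchanged.
func Sign(priv ed25519.PrivateKey, purpose string, document []byte) []byte {
	return ed25519.Sign(priv, toBeSigned(purpose, document))
}

// Verify succeeds only for the same key, the same purpose and the same document.
func Verify(pub ed25519.PublicKey, purpose string, document, sig []byte) bool {
	return ed25519.Verify(pub, toBeSigned(purpose, document), sig)
}

// Demo generates a throwaway key pair and returns three results:
//   authOK     - the login signature verifies as a login signature (expected true)
//   authAsDeal - the same signature presented as a contract signature (expected false)
//   sigMoved   - a real contract signature moved onto a different document (expected false)
func Demo() (authOK, authAsDeal, sigMoved bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs for the demonstration.
	challenge := []byte("login challenge 2000-10-01T12:00:00Z nonce=8f3a")
	bicycle := []byte("I, Bob, agree to pay $500 for one bicycle.")
	car := []byte("I, Bob, agree to pay $50,000 for one car.")

	authSig := Sign(priv, PurposeAuth, challenge)
	dealSig := Sign(priv, PurposeContract, bicycle)

	authOK = Verify(pub, PurposeAuth, challenge, authSig)
	authAsDeal = Verify(pub, PurposeContract, challenge, authSig)
	sigMoved = Verify(pub, PurposeContract, car, dealSig)
	return authOK, authAsDeal, sigMoved
}

func main() {
	authOK, authAsDeal, sigMoved := Demo()
	fmt.Printf("login sig verifies as login: %v\n", authOK)
	fmt.Printf("login sig accepted as contract: %v\n", authAsDeal)
	fmt.Printf("bicycle contract sig accepted on car contract: %v\n", sigMoved)
}
```

The point of the purpose tag is that a verifier checking a contract always supplies PurposeContract, so any signature Bob ever made to log in somewhere, or to prove an e-mail was unmodified, fails that check by construction. The private key itself still has to live somewhere; the smart-card posters above are right that this code does nothing about a key file copied off a desktop.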
The purpose of the law is to make digital signatures (a purposefully vague term) have the same legal standing as written ones. This is because, BEFORE this law existed, it was very easy to dismiss most 'contracts' that didn't have a written signature.
Now, in order to enforce something, you will *still* have to prove that a signature was that of the person who you think signed it. Just like with handwriting.
Of course fraud can happen as well. That's what witnesses are for.
If someone signs my name on a cheque, and buys something.. I can walk in and say 'look, this is NOT mine, I did not sign this'. Unless they can prove I did.. they are out of luck. Generally this can be done by handwriting analysis, fairly easily.
For more serious contracts, there are *always* witnesses. Notaries even. People who actually ask you for ID as well before they notarize what's going on.
So now, the point is, this can be done digitally, and the contracts can't be invalidated solely because the signature was digital.
If an e-signature were done right, adding it wouldn't make forging your signature any easier at all. Your kids will have a choice, and they will pick the written one because it's the one they have a chance in hell of faking. You're back to square one.
Interesting that you picked your kids as the example.... I hope you're not really a parent.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
I'm not sure.. there are rules stating what things a cheque needs to have in order to be valid.
One of them is a signature from the issuer.
The reason many cheques can be cashed without either party signing them, especially when deposited through ATMs and such, is that it is more economical for the banks to simply pass them all and deal with any issues that arise than it is to visually inspect each and every cheque.
A check is not a contract per-se, it is an instrument of trade. The bank says that if you hand a document with your signature, your account number, the payee, and a few other minor details, they will honor it.
Neither.
The law simply means that the signatures in and of themselves cannot be invalidated simply because they are not handwritten, and are digital.
I'm starting the process of being appointed as a Notary Public for my state[*], just because it's such a useful thing to be. Maybe we need something similar for the Internet -- volunteer witnesses who can be trusted. Possibly even professional witnesses (think the Fair Witness from Stranger In A Strange Land).
[*] That would be the state of Ohio, not the state of confusion or state of delirium, thank you.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Want to NOT be nervous next time?
REFUSE TO SIGN!
REFUSE TO SIGN!
REFUSE TO SIGN!
In fact, refuse to sign, and if they hassle you, tell them why you are refusing to sign (the digitization/copying issue), and threaten to walk away and take your business "elsewhere". If they STILL refuse to cooperate - WALK AWAY - and go elsewhere (even if means you must go out of your way, DO IT).
YOU ARE IN CONTROL - NOT THEM!
This works even better if you explain your reasoning when there are several people behind you. In fact, explain to the cashier and to those in line why this is a BAD thing - as well as how it can be improved - you seem to know enough about this to be effective. Explain it to the store manager as well (they are generally called when someone refuses to sign).
Finally - don't sign in the box on the receipt. My paranoid side tells me that they probably just stuff these "manual" receipts into a bag to be digitised later. Call me paranoid, but if I were a business, or a company peddling this tech, that is what I would do (or in the case of the vendor of the tech, tout as a "feature" to prospective clients)...
* Side note - I love to do this, every time I go to Best Buy, or Sears (don't go there much, though), or Home Base (Gah! At a hardware store now?!). I just love the look on the cashier's and managers faces, like I was refusing to use a laser scanner for fear of radiation or something - heh, heh...
Want to know another scary place that _may_ initiate it? The US Post Office. They have the machines needed, same as everywhere else - so far though, I haven't been asked to use it (when purchasing money orders for Ebay transactions)...
I support the EFF - do you?
Reason is the Path to God - Anon
PureEdge offers a secure digital signature methodology that should be a solution to many of the questions raised here.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
What would the most convenient device be for y'all?
1. Magstripe card/reader
Limited to a small key, really easy to clone. Easy to carry around.
2. SmartCard/reader
Slightly larger key, hard to clone. Still easy to carry around.
3. Hardware dongle
No key limit, hard to clone. Not so easy to carry.
4. Trusted Software.
No key limit, easy to exploit. No need to carry.
Of course, the least secure (and most insidious) will be the "Click" signature, which I sincerely hope is legislated into oblivion.
.sig: Now legally binding!
E-Signatures are NOT cryptographically verified, and the law does not require them to be so. Digital Signatures are crypto, eSignatures include [X] and /S/Your Name and faxes and scans of your written signature (read the CNN article for a longer list).
I agree, however, that authentication is going to be the real problem with eSigs. After a few forehead slaps, everyone will require cryptographically-verified sigs.
I don't know about the UK, but I would trust signatures that are unique for each transaction that would include a hash consisting of my signature serial number, my name, the other party's signature serial number (invoice number?) and the other party's name. A copy of all signatures gets sent to a third party repository. They should receive 1 copy from each of the parties that would match. All other copies would be returned as Check Fraud! After both parties receive confirmation from the repository the signature is valid. Only a system like that would work for me. A signature that does not get submitted by both parties (outstanding signature) is void in say 20 minutes. Out of serial number sequence submissions and unconfirmed signatures are rejected. It rejects duplicate signature submissions and hacked signatures. Each signature would be valid for only one transaction. All other uses would not be validated. Anybody find a security hole in this one?
The truth shall set you free!
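To make the repository scheme in the post above concrete enough to poke at, here is an added example in Go of the bookkeeping it describes: a per-transaction hash over both parties' names and serial numbers, one copy expected from each side, duplicates and skipped serials rejected, and an unmatched copy voided after 20 minutes. This is not code from the poster; the party names, the struct layout and the "pending"/"confirmed" vocabulary are made up here, and it assumes that each copy reaches the repository over a channel that already authenticates which party sent it (the scheme says nothing about how).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Submission is the copy one party sends to the repository for one transaction.
// Names and serials are assumed to arrive over a channel that already authenticates
// the submitting party; this code models only the repository's bookkeeping.
type Submission struct {
	Party         string // submitting party's name
	Serial        uint64 // submitter's own serial number; must be exactly the next one
	Counterpart   string // the other party's name
	CounterSerial uint64 // the other party's serial number (for a shop, the invoice number)
}

// TransactionHash is the one-shot "signature" from the post: a hash over both parties'
// names and serials. The two (name, serial) pairs are put in a canonical order so that
// buyer and seller compute the same value from their own copies.
func TransactionHash(s Submission) string {
	a := fmt.Sprintf("%s:%d", s.Party, s.Serial)
	b := fmt.Sprintf("%s:%d", s.Counterpart, s.CounterSerial)
	if a > b {
		a, b = b, a
	}
	sum := sha256.Sum256([]byte(a + "|" + b))
	return hex.EncodeToString(sum[:])
}

var (
	ErrDuplicate     = errors.New("this transaction hash was already submitted by that party")
	ErrOutOfSequence = errors.New("serial number is not the party's next one")
)

type pendingEntry struct {
	firstParty string
	deadline   time.Time
}

// Repository holds each party's last accepted serial, the transactions waiting for the
// counterpart's copy, and the ones already confirmed. The clock is injectable so the
// 20-minute void can be exercised without waiting.
type Repository struct {
	now        func() time.Time
	ttl        time.Duration
	lastSerial map[string]uint64
	pending    map[string]pendingEntry
	confirmed  map[string]bool
}

func NewRepository(now func() time.Time, ttl time.Duration) *Repository {
	return &Repository{
		now:        now,
		ttl:        ttl,
		lastSerial: map[string]uint64{},
		pending:    map[string]pendingEntry{},
		confirmed:  map[string]bool{},
	}
}

// expire voids every outstanding transaction whose counterpart did not confirm in time.
func (r *Repository) expire() {
	t := r.now()
	for h, p := range r.pending {
		if t.After(p.deadline) {
			delete(r.pending, h)
		}
	}
}

// Submit returns "pending" for the first copy of a transaction and "confirmed" when the
// counterpart's matching copy arrives. Replays and skipped serials are rejected.
func (r *Repository) Submit(s Submission) (string, error) {
	r.expire()
	h := TransactionHash(s)
	if r.confirmed[h] {
		return "", ErrDuplicate
	}
	p, waiting := r.pending[h]
	if waiting && p.firstParty == s.Party {
		return "", ErrDuplicate
	}
	if s.Serial != r.lastSerial[s.Party]+1 { // serials start at 1 and never skip
		return "", ErrOutOfSequence
	}
	r.lastSerial[s.Party] = s.Serial
	if waiting {
		delete(r.pending, h)
		r.confirmed[h] = true
		return "confirmed", nil
	}
	r.pending[h] = pendingEntry{firstParty: s.Party, deadline: r.now().Add(r.ttl)}
	return "pending", nil
}

func main() {
	repo := NewRepository(time.Now, 20*time.Minute)
	buyer := Submission{Party: "alice", Serial: 1, Counterpart: "bikeshop", CounterSerial: 1}
	seller := Submission{Party: "bikeshop", Serial: 1, Counterpart: "alice", CounterSerial: 1}
	for _, s := range []Submission{buyer, seller, seller} {
		st, err := repo.Submit(s)
		fmt.Printf("%-9s serial %d -> %q %v\n", s.Party, s.Serial, st, err)
	}
}
```

One thing the model makes visible: once a copy is voided by the timeout, the serial it used is still consumed, so a retry needs fresh serials on both sides and a late counterpart copy just starts a new pending entry rather than confirming the old one. The other hole is the one the scheme does not address at all: nothing here stops someone who can impersonate a party on the submission channel, which is exactly the key-theft problem the rest of the thread is about.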
Petitions are a way of showing a government that a large part of the electorate supports a certain issue. Knowing and dealing with these issues is essential to any democratically elected government because failing to do so will hurt them.
However, I think that it is too early for governments to adopt this sort of technology for voting and petitions. My main objection is that only a small portion of the population can be reached this way. In my opinion having an AOL account does not actually mean you know how to use the internet in an efficient way. Seen in this light, you'd reach about 20% (guesstimate, don't kill me for it) of the population, dominantly male and generally with good education. Not exactly a representative sample of the population and basing government policies on the opinion of this elite would not be a good thing for democracy. Although you might argue that this is exactly the portion of the population that comes up with good ideas frequently.
So maybe in a few years this when most of us know how to use the internet and related technologies (i.e. past the 'wow this is cool' stage) this is a good idea but not now.
Jilles
Don't worry. In some jurisdictions, "I didn't sign that" won't be an admissible defence. It's called non-repudiation, and is state law in some places.
I'm reporting you right to Pater to have your UID revoked! 224634 shall live no more! (hey, I made it rhyme!)
As I have noted several times before, the law of signatures has NEVER BEFORE required that any particular technology or form be used to satisfy the statute of frauds. Period. You can sign, "Minnie Mouse," shave a slash on the side of a cow, make a plaster cast with a finger-mark in it, or any other fixation manifesting an intent to authenticate -- any or all of that can be enough.
It is up to the people engaged in a transaction to worry about deniability, forgeability and so forth. A forged signature does not bind me to an agreement, and the most casual X on a contract I didn't read does. That's the way it is, and has been for hundreds of years.
On the other hand, if you want to enforce an agreement, you will want to be able to prove that the signature existed and was signed by the person to be bound. If you accepted a difficult-to-prove, but legal technology, you should be prepared for the consequences. Likewise, be careful about the documents you sign, whether electronic or otherwise.
The case law has already been clear that teletyped and typewritten documents can be binding agreements, and the bits of case law that have come to date all support the proposition that this law doesn't materially change the status quo. What it does do is to give comfort to those who would engage in high-stakes commercial transactions by electronic means -- who needn't fear that the enforceability of their documents may depend upon some seminal case based upon a new technology, however likely the result.
That's what drove this legislation. The rest is already well-inscribed in the common law.
It's probably important to note that what the law means by "e-signatures" is NOT the same as digital signatures (like PGP-signing your e-mail).
"E-signatures" are things like click-through licensing. "Click here to accept the agreement." "By pressing 'Accept', you agree to...". In other words, it's a way of making legally binding the bogus licenses that companies have been forcing on users for years (e.g., the Windows EULA).
I highly recommend the following URL for great info on e-sigs:
http://cryptome.org/esigs-suck.htm
~Mr. Bad
Evan Prodromou | evan@prodromou.name | http://evan.prodromou.name/
No you can't, not unless you're willing to shred the 1st Amendment. If you make it illegal for corporations to give money to politicians, then high-ranking officers of the corporation will give money allegedly as private citizens. Try to ban that, and they will instead give money to advocacy groups that will in turn give it to politicians. Ban that, and not only will they find another loophole, but you've directly violated the rights of speech, press, assembly, and petition.
An alternative solution is for the government to stop passing unconstitutional laws that favor certain corporations; that way there would be no incentive to lobby and corporations would have to actually focus on producing what consumers want.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
I say cheque because that's the appropriate Canadian spelling, but I'm actually referring to US law.
I take this from the web page http://www.goodthink.com/$$parti.html
I realize this is not really a legal citation, however..
Here is the excerpt:
Then my eyes caught sight of a small, pocket-sized book titled Negotiable Instruments and Check Collection, a guide for laymen. And plain as day, it listed the nine criteria for a negotiable instrument. Read for yourself what I read, and I believe you'll yell out loud just as I did when I came to the very last word:
"1. Must be in writing.
2. Signed by maker or drawer.
3. Promise or order....A check usually meets the requirement because the drawee's name is printed and encoded on the face of the instrument.
4. Unconditional....
5. Order to pay money.
6. Must be a fixed amount.
7. Payable on demand or at a definite time....
8. Payable to order or to bearer....
9. No other undertaking or instruction. The final requirement of negotiability is that beyond the maker's order...the instrument must not contain 'any other undertaking or instruction'....The opposite issue is whether or not the parties can use a form that is a negotiable instrument and avoid negotiability by declaring, on the instrument, that it is not negotiable. The answer is yes, except for a check."
BTW.. it's an interesting story. Basically, it amounts to the fact that a cheque cannot be made non-negotiable simply by writing 'non-negotiable' on it.
faxed signatures???? Oh c'mon, I was in 4th grade when I figured out how easy it was to copy my dad's signature from his checkbook onto my detention notices. (Of course I got caught one time when I left the notice in the copying machine!)
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
You don't even need a check! In fact, you can just give your bank account number over the telephone... Most banks will require the depositor to print out an actual draft, complete with account number in the special ink that can be read by the bank's computer.
Telephone checks and all paper drafts are established as a legal method of payment as provided in the Uniform Commercial Code, Title 1, Section 1-201 (39) and Title 3, Sections 3-104, and 3-403;
Code of Federal Regulations, Title 12 chapter II, Part 210 and Regulations J, Federal Reserve Bank, Part 2, Sections 4a-201 to 4a-212. Only verbal agreement is required for authorization.
Also see Romani V Harris, 255Md 389.
I'm not sure.. there are rules stating what things a cheque needs to have in order to be valid. One of them is a signature from the issuer.
You say "cheque", the rules may be different in your country. I know this because in the US I operate a business, and this is one of the many things that I've learned "The hard way".
-This sig intentionally left blank
But in practice I've found that signatures are often meaningless unless you actually dispute things.
I once forgot to sign a whole batch of checks. Sent them out to the power company, phone company, etc, etc.
Only discovered this a month later when I got the cancelled checks back from my bank. Every single check had been honored.
Good for me in that case, though a little frightening, to say the least...
The cake is a pie
Here's some bits from Finnish law:
The signature must contain:
1) The name of the signer and a unique id other than the SSN
....
The signature must be based on encryption that is sufficiently secure and use publicly available specifications. It must be based on public key crypto or something that is at least as secure.
...
Then some bits about how the CA must store the keys and how the users must be able to revoke their keys if they want to.
Then some more bits about how your identity must be verified when you get one of these id's and also that the CA is liable if someone uses your key and it was their fault.
The way they do it is issuing smartcards (which also work as a normal id card and are valid for travel inside most of Europe)
There's some information about the Finnish system at http://www.fineid.fi/Default.asp?todo=setlang&lan
Works pretty nicely, supposedly even with Linux...
I'd just use the PGP "web of trust" concept, but with some extensions (and legal changes required as well).
I see it as absolutely essential that the keys used be issued by some trusted group. However, I don't trust the government, and I don't trust Verisign; both are too big, located outside my community (so I can't come in and yell at them) and (as they've never met me as a person) don't really care for my interests. I'd put much more trust in my local notary public.
One way of handling this: A licensed notary public could be given a key with which they could sign clients' keys. These notaries' keys would be signed by the government office which issued them, and these signatures backed by a central key.
As for a set of hosts to store the public keys on, the existing PGP keyserver architecture seems to be doing just fine.
If any notary was found to be dishonest or allow their key to be stolen, a revocation would be issued; their clients would then have to have their keys resigned by someone else.
First of all, the fee is no longer ongoing.
Second, decentralization is encouraged.
Third, I'm dealing with someone local I can walk over to and yell at -- and (at least until I yell at them) who thinks of me as a Real Person. Don't underestimate the value of this.
Yes, it's more expensive for the consumer. However, I think that's a Good Thing -- binding signatures are
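The chain the poster above sketches (central key signs the licensing office's notaries, a notary signs a client's key, a dishonest or compromised notary is revoked and their clients have to be re-signed) is short enough to write out. The following is an added example in Go and not the poster's code; the certificate byte format, the office and notary names and the one-root Verifier are all assumptions made for the example, and Ed25519 is used in place of PGP key signatures. The revocation list is a plain in-memory set, standing in for whatever the PGP keyservers would publish.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is an issuer's signature over (subject name, issuer name, subject key).
// The format and names here are made up for the example.
type Certificate struct {
	Subject    string
	SubjectKey ed25519.PublicKey
	Issuer     string
	Signature  []byte
}

// certBytes is the exact byte string the issuer signs.
func certBytes(subject, issuer string, key ed25519.PublicKey) []byte {
	return append([]byte("notary-cert/v1|"+subject+"|"+issuer+"|"), key...)
}

// Issue lets an issuer (the licensing office or a notary) certify a subject's key.
func Issue(issuer string, issuerPriv ed25519.PrivateKey, subject string, subjectKey ed25519.PublicKey) Certificate {
	return Certificate{
		Subject:    subject,
		SubjectKey: subjectKey,
		Issuer:     issuer,
		Signature:  ed25519.Sign(issuerPriv, certBytes(subject, issuer, subjectKey)),
	}
}

func (c Certificate) verifiedBy(issuerKey ed25519.PublicKey) bool {
	return ed25519.Verify(issuerKey, certBytes(c.Subject, c.Issuer, c.SubjectKey), c.Signature)
}

// Verifier trusts exactly one root (the office that licenses notaries) and keeps the
// set of notary keys that office has revoked, keyed by the raw public key.
type Verifier struct {
	RootName string
	RootKey  ed25519.PublicKey
	revoked  map[string]bool
}

func NewVerifier(rootName string, rootKey ed25519.PublicKey) *Verifier {
	return &Verifier{RootName: rootName, RootKey: rootKey, revoked: map[string]bool{}}
}

// Revoke withdraws trust in one notary key; every client key it certified stops
// verifying until re-certified by a notary that is still in good standing.
func (v *Verifier) Revoke(notaryKey ed25519.PublicKey) {
	v.revoked[string(notaryKey)] = true
}

// VerifyChain checks client -> notary -> root and returns nil if the client key is
// currently certified.
func (v *Verifier) VerifyChain(client, notary Certificate) error {
	if notary.Issuer != v.RootName || !notary.verifiedBy(v.RootKey) {
		return errors.New("notary certificate is not signed by the root")
	}
	if v.revoked[string(notary.SubjectKey)] {
		return errors.New("notary key has been revoked; client must be re-certified")
	}
	if client.Issuer != notary.Subject || !client.verifiedBy(notary.SubjectKey) {
		return errors.New("client certificate is not signed by that notary")
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo builds root -> notary -> client with throwaway keys and returns
// (clientOK, forgeryRejected, revokedRejected), all expected true.
func Demo() (clientOK, forgeryRejected, revokedRejected bool) {
	rootPub, rootPriv := mustKey()
	notaryPub, notaryPriv := mustKey()
	alicePub, _ := mustKey()
	v := NewVerifier("state-licensing-office", rootPub)

	notaryCert := Issue("state-licensing-office", rootPriv, "notary-42", notaryPub)
	aliceCert := Issue("notary-42", notaryPriv, "alice", alicePub)
	clientOK = v.VerifyChain(aliceCert, notaryCert) == nil

	// Forgery: a key that was never licensed signs a client certificate in the notary's name.
	_, roguePriv := mustKey()
	malloryPub, _ := mustKey()
	malloryCert := Issue("notary-42", roguePriv, "mallory", malloryPub)
	forgeryRejected = v.VerifyChain(malloryCert, notaryCert) != nil

	// The notary's key is stolen and revoked; alice's certificate stops verifying.
	v.Revoke(notaryPub)
	revokedRejected = v.VerifyChain(aliceCert, notaryCert) != nil
	return
}

func main() {
	ok, forged, revoked := Demo()
	fmt.Println("client verifies:", ok, "| forgery rejected:", forged, "| rejected after revocation:", revoked)
}
```

Note that revocation here is keyed on the notary's public key, not their name, so a notary who loses a key and is re-licensed under the same name with a new key is unaffected, and nothing in this chain says anything about the client's own key being stolen; that stays the client's problem, as the smart-card posts above point out.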
Technically, I could take a dump on a piece of toilet paper, and write "I owe you $7" on it, and the bank should honor it. However since the world has a few people with common sense left in it (they're running the banks), that'll never happen.
So then you're limited to $1000. You can also make it illegal to allow corporations to indirectly give to politicians. Whether through incentives or what not.
Now that electronic signatures are legal, is it possible to create an electronic petition? Say, for the purposes of bringing the DMCA up to general election? It would seem to me that such an action would naturally be very easy over the internet. I'm sure CNN would love it too, "DMCA to be reviewed after government receives 12 million petition e-signatures"
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
On the other hand, the whole concept of signatures is pretty ridiculous in the first place. How does putting one's name down in ink make something more valid than anything else?
Got Rhinos?
The only thing that an e-signature confirms (cryptographically) is that the person who signed the document is the same person who owns the secret key. The word "owns" is a source of a plethora of problems: what happens if a key becomes corrupted (gets lost or stolen)? How is the connection made between the key owner (a user account on a computer) and the real person behind it?
The latter problem can be solved in two ways - with a web of trust (PGP approach) or via certification authorities. The first approach has the advantage that it does not need a central authority and that it is decentralized. However, if someone has to relocate, he/she first has to build up such a "web of trust" again, which is clearly impractical for many people.
With CAs (certification authorities), the problem is that there exist too many right now, and there is no standard procedure to establish the authenticity of the keys. In order to make this technology really accessible, public authorities would have to give out certificates as well. E.g. you go to the city hall and get a certificate for your public key in the same way you obtain a passport.
The cryptographical problems have been solved (at least for now, unless new algorithms are detected), but the "real world problem" of authenticity will always remain. It is important to establish good practices to cope with that.
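The two posts above (the notary proposal, and the web-of-trust versus CA post) both describe the same mechanism: one key holder signs a statement binding another key to a name, the signatures chain up to some root, and a stolen key is handled by publishing a revocation and getting re-signed. The following Go program is an added example written for this thread, not code from either poster, and it uses a toy certificate structure and Ed25519 from the standard library rather than X.509 or OpenPGP. It walks the notary chain (central key, licensing office, notary, client), revokes the notary's key, re-signs the client under a second notary, and shows that swapping an impostor's key under the client's name breaks the notary's signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// KeyCert binds a subject's public key to a name and carries the issuer's
// signature over that binding. Toy structure for this example only.
type KeyCert struct {
	Subject   string
	SubjectPK ed25519.PublicKey
	IssuerPK  ed25519.PublicKey
	Sig       []byte
}

// certBytes is the exact byte string an issuer signs. The name is
// length-prefixed (names under 256 bytes) so the name/key boundary is fixed.
func certBytes(subject string, pk ed25519.PublicKey) []byte {
	b := []byte{byte(len(subject))}
	b = append(b, subject...)
	return append(b, pk...)
}

// Party is any key holder: central office, licensing office, notary or client.
// The private key never leaves the struct.
type Party struct {
	Name string
	PK   ed25519.PublicKey
	sk   ed25519.PrivateKey
}

func NewParty(name string) Party {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Name: name, PK: pk, sk: sk}
}

// Certify has p vouch for subject's key, as a notary would for a client.
func (p Party) Certify(subject Party) KeyCert {
	return KeyCert{subject.Name, subject.PK, p.PK,
		ed25519.Sign(p.sk, certBytes(subject.Name, subject.PK))}
}

func fp(pk ed25519.PublicKey) string { return hex.EncodeToString(pk) }

// Registry holds the single trusted root key plus the fingerprints of revoked
// keys (the published revocation notices).
type Registry struct {
	Root    ed25519.PublicKey
	Revoked map[string]bool
}

func (r *Registry) Revoke(pk ed25519.PublicKey) { r.Revoked[fp(pk)] = true }

// VerifyChain checks chain[0] (the client's cert) up to a cert issued by the
// root: every signature must verify, each issuer must be the next cert's
// subject, and no key on the path may be revoked.
func (r *Registry) VerifyChain(chain []KeyCert) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	for i, c := range chain {
		if r.Revoked[fp(c.SubjectPK)] || r.Revoked[fp(c.IssuerPK)] {
			return fmt.Errorf("cert for %q involves a revoked key", c.Subject)
		}
		if !ed25519.Verify(c.IssuerPK, certBytes(c.Subject, c.SubjectPK), c.Sig) {
			return fmt.Errorf("bad signature on cert for %q", c.Subject)
		}
		if i+1 < len(chain) {
			if !c.IssuerPK.Equal(chain[i+1].SubjectPK) {
				return fmt.Errorf("chain break above %q", c.Subject)
			}
		} else if !c.IssuerPK.Equal(r.Root) {
			return fmt.Errorf("chain for %q does not end at the trusted root", c.Subject)
		}
	}
	return nil
}

// RunChainScenario: central key -> licensing office -> notary A -> client;
// notary A's key is then reported stolen and revoked, the client is re-signed
// by notary B, and finally an impostor's key is substituted under the client's name.
func RunChainScenario() (validAtFirst, rejectedAfterRevocation, validAfterResign, tamperRejected bool) {
	central, office := NewParty("central key"), NewParty("licensing office")
	notaryA, notaryB, client := NewParty("notary A"), NewParty("notary B"), NewParty("client")
	reg := &Registry{Root: central.PK, Revoked: map[string]bool{}}
	officeCert := central.Certify(office)

	chainA := []KeyCert{notaryA.Certify(client), office.Certify(notaryA), officeCert}
	validAtFirst = reg.VerifyChain(chainA) == nil

	reg.Revoke(notaryA.PK) // revocation notice for the stolen notary key
	rejectedAfterRevocation = reg.VerifyChain(chainA) != nil

	chainB := []KeyCert{notaryB.Certify(client), office.Certify(notaryB), officeCert}
	validAfterResign = reg.VerifyChain(chainB) == nil

	forged := chainB[0]                       // struct copy; chainB itself is untouched
	forged.SubjectPK = NewParty("impostor").PK // ride notary B's signature with another key
	tamperRejected = reg.VerifyChain([]KeyCert{forged, chainB[1], officeCert}) != nil
	return
}

func main() {
	fmt.Println(RunChainScenario()) // true true true true
}
```

The revocation list is keyed on the key itself rather than the notary's name, so a notary who gets a fresh key after the theft can be certified again without the old revocation blocking them; that is the re-signing step the first post describes.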
When it comes to signatures on paper, they must be done in permanent ink. No exceptions. I feel that this stupid e-signature fiasco will undermine all that. Sure, perhaps some e-sigs will change by only a few bytes, but that's corruption nonetheless, akin to this.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
How are they planning to avoid rampant fraud? Haven't enough people lost their domain names through forged signatures already?? Reset my bank account pin #?? OK! Register a stolen car? No problem!
Dirty Pirate Hooker
this is like giving a ten-year-old a loaded M-16
The law does not specify a type of technology for e-signatures. They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page.
Oh great. I just clicked a button and sold my house. Seriously, how could anyone pass such a vague law? If that's how the wording of the actual bill really is, then we're in trouble.
I thought the entire purpose of digital signatures was to prevent forgeries, since signatures based on encryption algorithms are very hard to crack. And then it gets convoluted to the point that clicking a button on a non-secure webpage could constitute signing a contract? What next?
This is why you have certification authorities on the Internet, such as Thawte, Verisign, etc. They cross sign your keys and guarantee that anything cross signed by them is authentic. So naturally, before they cross sign, they verify that the person is authentic and the key belongs to him. They take responsibility in the case of any bad identity mishaps.
If somebody digitally signs a new credit card application "for me", and I don't find out for several months, what is Verisign going to "guarantee"? A situation like this could make life such a pain in the ass, that just about any "guarantee" isn't going to do much for me.
-This sig intentionally left blank
Simple petition:
No Vote, No donation.
Translation:
Corporations do not have the right to vote, therefore cannot make campaign and party donations.
I'd say that at least 85% of the population would sign this without a second thought.
There's a chicken and egg problem here. Digital signatures will not be safe & secure before we use them and technical issues won't surface until we use them. Using them will have to involve legal recognition.
People will get burned using digital signatures, companies providing the technology for these signatures will respond by improving their technology.
Of course nobody will want to be the person to get burned. My trust in both analog and digital signatures is not very high. Yet I sign checks, contracts, etc. all the time. However, in the long term I think it will be a lot harder to forge a digital signature than it is to forge an analog signature.
I think the main issues are not technical. Would I trust AOL to manage my signatures? Probably not. Would I trust the Dutch government (you guessed it, I'm Dutch) to manage my signatures? Maybe, provided that they have some process in place that maintains a certain level of quality.
It's all a matter of trust. Trust no one is not an option and will hurt you economically if others do take the risk, nor is trust anyone. The truth is in the middle. I live in a country where I think I can trust the government to provide me this kind of services.
Countries all over the world are already giving digital signatures legal status. I know of several European countries and now apparently also the US. From now on it's a matter of economics. Digital signatures make it easier to do e-commerce which leads to certain cost savings. Countries which opt out won't benefit and will suffer economically. Remember, countries tried to opt out of the internet and most of them failed. Most of them are opening up or suffering economically because they refuse to do so.
So, whether you trust it or not is not very relevant. The major advancement here is legalization. The technology is already in place and legalization will put it to the test.
Jilles
Yup--I mean it. Spend a little time in the business world and you'll be amazed at how often a business process depends upon there being a signature on a document--without the slightest regard for whether or not that is your signature.
For example, consider your checking account. When you opened the account you had to sign a card, right? So the bank could compare your signature on each check to prove that it's really you? Guess what--banks do not check signatures on checks. In fact, if you ask your bank to validate the signature on each check cashed they will typically charge you for the "service." So unless you allege that a check was forged, your signature at the bottom of that check is meaningless.
Case in point: ABC News is a client. For some reason, known only to ABC's Accounts Payable department, they pay their invoices from a bank in North Dakota--on a joke of a check form. The bank name, transit routing numbers, and the signature are all printed in place on an old-fashioned chain printer--they don't even have one of those stamps that purports to be an authorized signature. The first time we got paid we looked at the check and said, "yeah, right. No way on earth is this going to be accepted by the bank." We took it to the bank in town, the teller looked at it, said, "are you going to be on TV?" and processed the deposit. Without any "signature" beyond the words "American Broadcasting Companies, Inc."
I have a project starting later in the month designing a new system for a U.S. sports sanctioning body. As part of the entry process for competitions a competitor has to present copies of various documents (medical forms, membership cards, etc.). The system, in theory, depends upon the validity of signatures--but the forms are typically photocopied. It is child's play to create a phony medical certificate--in essence to cheat--using any $99 graphics program. But--if we assign the competitor a digital signature (using the PGP trust method), and counter-sign with a trusted medical provider and a date, we have a substantially more trustworthy certificate. It becomes vastly harder to cheat. We really, really like the idea of digital signatures--and we really, really hope that the client (the sanctioning body) will adopt the plan.
It will be possible to cheat with e-signatures. You will hear horror stories repeated by breathless bimbos on the 11 o'clock news. But signature fraud happens all the time today--what e-signatures will do is make signature fraud substantially more difficult to accomplish, and therefore a crime that occurs much less frequently.
IMHO, this is a very good thing.
would be to implement a public key algorithm. Signing a contract would entail encrypting the contract with your private key. Verifying the contract would entail using your public key to see if the cyphertext decrypts to the original contract text. The problem that then arises is protecting your private key. Perhaps a standard method would be to use a type of removable media to prevent hacking and whatnot.
Badgers? Badgers! We don't need no stinkin' Badgers!
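The post just above sketches the sign-then-verify procedure, and the sports-sanctioning post earlier in the thread wants a competitor's form counter-signed by a trusted medical provider with a date. The Go program below is an added example for both, not code from either poster or from any real sanctioning body; it uses Ed25519 from the standard library (a dedicated signature scheme, so the "encrypt with the private key" step is a single Sign call), a toy document format, and a constructed sample form. It shows that a single flipped bit, a changed date, or a countersignature from the wrong key each cause verification to fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a key holder. The private key never leaves the struct; in
// practice it would live on removable media or a token, as the post suggests.
type Signer struct {
	Name string
	PK   ed25519.PublicKey
	sk   ed25519.PrivateKey
}

func NewSigner(name string) Signer {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, PK: pk, sk: sk}
}

// Countersig is a second party's signature over the document body, the
// author's signature and a date, so none of the three can be swapped later.
type Countersig struct {
	PK   ed25519.PublicKey
	Date string
	Sig  []byte
}

// SignedDoc is a toy format built for this example, not a real standard.
type SignedDoc struct {
	Body      []byte
	AuthorPK  ed25519.PublicKey
	AuthorSig []byte
	Counter   []Countersig
}

func (s Signer) Sign(body []byte) SignedDoc {
	return SignedDoc{Body: body, AuthorPK: s.PK, AuthorSig: ed25519.Sign(s.sk, body)}
}

// counterBytes is what a countersigner actually signs.
func counterBytes(d SignedDoc, date string) []byte {
	b := append([]byte{}, d.Body...)
	b = append(b, d.AuthorSig...)
	return append(b, date...)
}

func (s Signer) Countersign(d *SignedDoc, date string) {
	d.Counter = append(d.Counter, Countersig{s.PK, date, ed25519.Sign(s.sk, counterBytes(*d, date))})
}

// Verify checks the author's signature and every countersignature, and insists
// that one countersignature comes from the trusted provider's key. It proves
// only that the holders of those private keys signed; who the holders are is
// the identity problem the thread discusses.
func Verify(d SignedDoc, trustedProvider ed25519.PublicKey) error {
	if !ed25519.Verify(d.AuthorPK, d.Body, d.AuthorSig) {
		return fmt.Errorf("author signature does not match the document")
	}
	seen := false
	for _, c := range d.Counter {
		if !ed25519.Verify(c.PK, counterBytes(d, c.Date), c.Sig) {
			return fmt.Errorf("countersignature dated %s is invalid", c.Date)
		}
		seen = seen || c.PK.Equal(trustedProvider)
	}
	if !seen {
		return fmt.Errorf("no countersignature from the trusted provider")
	}
	return nil
}

// RunFormScenario: a competitor signs a medical form and the clinic countersigns
// it with a date; then one bit is altered, the date is changed, and finally the
// competitor countersigns their own form instead of the clinic.
func RunFormScenario() (valid, tamperRejected, redateRejected, selfCertRejected bool) {
	competitor, clinic := NewSigner("competitor"), NewSigner("clinic")
	form := []byte("competitor #17 is medically cleared to compete") // constructed sample

	doc := competitor.Sign(form)
	clinic.Countersign(&doc, "2000-10-01")
	valid = Verify(doc, clinic.PK) == nil

	tampered := doc
	tampered.Body = append([]byte{}, doc.Body...) // copy before editing
	tampered.Body[0] ^= 0x01                      // flip a single bit
	tamperRejected = Verify(tampered, clinic.PK) != nil

	redated := doc
	redated.Counter = []Countersig{{doc.Counter[0].PK, "2000-09-01", doc.Counter[0].Sig}}
	redateRejected = Verify(redated, clinic.PK) != nil

	self := competitor.Sign(form)
	competitor.Countersign(&self, "2000-10-01") // valid signatures, but not the clinic's key
	selfCertRejected = Verify(self, clinic.PK) != nil
	return
}

func main() {
	fmt.Println(RunFormScenario()) // true true true true
}
```

Because the countersignature covers the author's signature and the date together, a photocopied body cannot be re-attached to someone else's clearance, and the date cannot be moved without the clinic signing again.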
ZDNET reported Friday that if you have a Synaptics touchpad on your notebook they will be letting you download a fully licensed copy of Silanis ApproveIt software.
I think it is only available currently for Windows, but there is a developer toolkit version that supports C++ so maybe there is hope for porting at the API to other OS's.
Work for Change & GET PAID!
Electronic signatures. The article does not even state some type of standard for the electronic signatures. USA, in the race trying to be the first, is not looking ahead too much.
- Bruce Schneier makes a lot of good points -
``But some computer security experts downplayed the online dangers.''
``It's always a risk between the criminals and the good guys. So the better they become at hacking it, the better we'll become at making it stronger," said Stratton Sclavos, CEO of Verisign, an Internet securities firm.''
Great... how many "I didn't sign that" lawsuits are going to be necessary before they realize that this whole e-commerce thing is a huge mistake.
If you really want something, buy it in person. The cost of traveling will be much, much less than the court costs of trying to get yourself out of a forged deal.
``We are the people our parents warned us about.''
I saw in a news article a few days ago (of course, I forgot where) that two insurance companies (one is Chubb, I forgot the other one; damn, I'm getting old) are now offering insurance against identity theft. It really sucks that this is becoming necessary, but I am afraid that it is.
I will MAKE it legal.
jonkatz@slashdot.org
"It's always a risk between the criminals and the good guys. So the better they become at hacking it, the better we'll become at making it stronger," said Stratton Sclavos, CEO of Verisign, an Internet securities firm."
Banker: Oh my god! They broke in and stole all the money!
Bank Guard: Yep! Them rascals sure are clever!
Banker: What?!
Bank Guard: A few more break-ins like that and we'll have the best security system in town!
Banker: You're fired.
Bank Guard: Well, I guess it's time for me to start up that online encryption monopoly that I've been dreaming about....
And how's it working there so far?
Give me liberty or give me something of equal or lesser value from your glossy 32-page catalog.
On the surface this seems like a great step toward the "Digital Future" (TM)(C)(R)(etc). However, even in Real Life when it comes right down to it, signatures have little value. Think an unsigned check is "worthless"? Think again, simply writing a check and giving it to someone as a payment makes that check a legal instrument and it CAN be cashed sans signature (although quite often the bank may try REALLY REALLY REALLY hard to get a signature before they will honor it). Other documents require a signature only to minimize the possibility that you can dispute the contract terms later.
Digital signatures introduce a HUGE problem: they will lead the Sheeple (those that follow the "herd") to believe a level of safety has been added to the WWW that isn't really there. It also seems that there is almost NO way to verify the identity of the person who is signing the digital signature. This would also lead on-line merchants to possibly relax a little bit about credit card fraud, when in reality they now have a new form of fraud to look out for.
I don't know what the right answer is, it is probably a smart card reader coupled with a fingerprint scanner as a form of ID. This would probably require a central database of people's info, though (so that you could "sign" for things anywhere, not just at your home PC), and we all know that big databases are a Bad Thing. Perhaps there is a better solution, or perhaps this will end up being an area where Real Life is safer/better than the 'Net.
-This sig intentionally left blank
Great. So lawyers get richer while every click of my mouse becomes a legally binding contract. Pay attention to this, boys and girls, this makes all those website disclaimers ("By visiting this site, you agree to the following terms and conditions...") legally binding.
Well, in theory anyway. Anyone wanna test that one?
"I came here to kick ass and chew bubblegum. I'm all out of bubblegum." MSE USC APX AIA CSI CASp
I don't know. You could try reading the text of the law yourself and see if you can figure it out. (Good luck trying to understand it without a lawyer's help!)
Digital signatures are supposed to be HARDER to forge than real ones. Not just more convenient, otherwise we'll be seeing a huge rise in fraud... That means being based on public key encryption (I think), so everyone can verify you, but no one can be you.
The law says nothing about digital signatures. It gives legal standing to electronic signatures, an extremely vague term. (Probably deliberately so.) Yes, this is vague enough that clicking a button on a license screen or web page might constitute an "electronic signature". Forget what you know about digital signatures; this is a different beast, and a very disturbing one.
I tried to bring attention to this bill before it was signed by the President, but Slashdot rejected my submission:
- 2000-06-27 20:19:19 UCITA-like e-signature bill will be law soon! (articles,usa) (rejected)
Of course, the bird's already flown the coop now... Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
speaking of security (or lackof) - click here to marry CmdrTaco!
I'll link those two sites to each other to make things even more convenient - how's that?
Did anyone really think this "digital signatures as legally binding as real ones" was ever meant to help out the average citizen?
Here's proof that it wasn't. Govts are now scared shitless because grass roots organizations have announced plans to have ON-LINE BALLOT INITIATIVE PETITIONS to get various propositions, etc., on state, county, and municipal elections. And hey! The digital signatures collected via the web are "as legally binding as paper signatures". Holy shit! We gave power to the people? This was supposed to just help corps and the UCITA. JUDAS! We gotta do something!
So for this, I applaud the new digital signature bill. Because now it gives ME THE POWER to start writing new state legislation myself. Watch out corps., I've got a pen in my hand and a web site running from my desk.