Slashdot Mirror


Electronic Signatures Now Legal?

xpird writes "CNN is reporting this. -- A new federal law taking effect Sunday gives e-signatures the same legal standing as their handwritten counterparts, a significant change that promises new opportunities and risks on the Internet." Considering the amount of forged e-mail I get, this is gonna get interesting.

16 of 164 comments

  1. No Fraud Protection by Jerf · · Score: 4
    I've been tracking this on my site for a while now (see URL in header above), and Slashdot has unfortunately picked one of the crappier online articles on the topic to post a link to.

    The linked article talks about the potential dangers but tries to reassure us that "the experts" are saying it's OK. The problem is, the critics are right about the dangers of your signature being stolen. (Cryptographic-type people may note that reasonably safe systems can be created, but you can still hack a computer and snarf the signature key itself, which is pretty darned hard to protect against and still have a system usable by normal people in the real world.) What this article doesn't mention is the total lack of online fraud protection.

    Under the terms of this law, if your electronic signature gets stolen and used, there are no provisions to make you not liable for any charges that are racked up, meaning at the very least that if a signature is stolen, you could be looking at a total destruction of your credit rating, should you choose not to pay for the thief's actions, or arbitrarily large bills, if you choose to.

    This is in stark contrast to credit cards, where, subject to certain rules involving speed of notification of fraud upon discovery, your liability is limited to $50, no matter how much your stolen credit card number is used against your will.

    Despite my excitement at seeing the idea of digital signatures accepted, I must strongly recommend against using them in their current form. I'm hoping "That couldn't possibly have been my signature because I've never used a digital signature before" will be an adequate defense...

  2. Oh boy... by Palin+Majere · · Score: 5
    You know that 'Accept' button you clicked on as part of the Microsoft installation process? You know, the one about the EULA?

    Start reading it. Really carefully.
    To quote the CNN article:
    But the expanded definition of legal signatures and flaws in the technology could contribute to fraud. The law does not specify a type of technology for e-signatures. They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page.
    (emphasis mine)
    This means that the EULA you're clicking 'Accept' for can now be as legally binding as, oh, say, a loan from a bank. Or a bill of sale.

    Watch for Microsoft's next version of its EULA, where you agree not to compete with the company for the next 5 years. Or watch for the inevitable rash of popup boxes that require you to hit 'okay' to get rid of. Never mind the fact that when you hit okay, you're legally signing away all your worldly possessions.

    Who needs the DMCA to trample our software rights? This law will do it all for us by itself...
  3. Good thing ... by spankenstein · · Score: 3

    I never filled out that signature line in the user prefs page!

  4. Re:As we read this article... by mcelrath · · Score: 3
    Guess we'd all better start including disclaimers in our standard email .sig saying "Unless I cryptosigned this document it does not constitute a binding digital signature" or something to that effect too.

    Ack, not cryptosignatures! Without a legal definition of what constitutes an electronic signature, this law is worthless at best, and extremely dangerous at worst. My GPG signature is 2 things: identity verification, and verification that the message hasn't been modified since I sent it. I DO NOT want it to constitute a legally binding order. If it always constitutes a legally binding order, how do we do identity verification and checking that a message hasn't been modified without the "signature" carrying more weight than it should?

    What's particularly dangerous is that the "--Bob" at the end of this message could be a signature. ANY SSL enabled website could have a button (that does anything in the world) that could be a signature. Anything sent electronically could be a signature!

    No. A signature should be something cryptographically verifiable, and protected from fraud. It should also be something that I have to sit down and create, with full realization that this is legally binding. How about a message containing only my name and the date, that is PGP/GPG signed. Whatever the case, this law is crap without some definitions.

    --Bob

    --
    1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
  5. Re:Oh yay... by mindstrm · · Score: 5

    The purpose of the law is to make digital signatures (a purposefully vague term) have the same legal standing as written ones. This is because, BEFORE this law existed, it was very easy to dismiss most 'contracts' that didn't have a written signature.

    Now, in order to enforce something, you will *still* have to prove that a signature was that of the person who you think signed it. Just like with handwriting.
    Of course fraud can happen as well. That's what witnesses are for.
    If someone signs my name on a cheque, and buys something.. I can walk in and say 'look, this is NOT mine, I did not sign this'. Unless they can prove I did.. they are out of luck. Generally this can be done by handwriting analysis, fairly easily.
    For more serious contracts, there are *always* witnesses. Notaries even. People who actually ask you for ID as well before they notarize what's going on.

    So now, the point is, this can be done digitally, and the contracts can't be invalidated solely because the signature was digital.

  6. Re:E-Petitions by jilles · · Score: 3

    Petitions are a way of showing a government that a large part of the electorate supports a certain issue. Knowing and dealing with these issues is essential to any democratically elected government because failing to do so will hurt them.

    However, I think that it is too early for governments to adopt this sort of technology for voting and petitions. My main objection is that only a small portion of the population can be reached this way. In my opinion having an AOL account does not actually mean you know how to use the internet in an efficient way. Seen in this light, you'd reach about 20% (guesstimate, don't kill me for it) of the population, dominantly male and generally with good education. Not exactly a representative sample of the population and basing government policies on the opinion of this elite would not be a good thing for democracy. Although you might argue that this is exactly the portion of the population that comes up with good ideas frequently.

    So maybe in a few years, when most of us know how to use the internet and related technologies (i.e. past the 'wow this is cool' stage), this is a good idea, but not now.

    --

    Jilles
  7. E-Petitions by SeanTobin · · Score: 5

    Now that electronic signatures are legal, is it possible to create an electronic petition? Say, for the purposes of bringing the DMCA up to general election? It would seem to me that such an action would naturally be very easy over the internet. I'm sure CNN would love it too, "DMCA to be reviewed after government receives 12 million petition e-signatures".

    --
    Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
  8. how how how by photozz · · Score: 3

    How are they planning to avoid rampant fraud? Haven't enough people lost their domain names through forged signatures already?? Reset my bank account pin #?? OK! Register a stolen car? No problem!

    --


    Dirty Pirate Hooker
  9. Oh yay... by um...+Lucas · · Score: 4

    The law does not specify a type of technology for e-signatures. They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page

    Oh great. I just clicked a button and sold my house. Seriously, how could anyone pass such a vague law? If that's how the wording of the actual bill really is, then we're in trouble.

    I thought the entire purpose of digital signatures was to prevent forgeries, since signatures based on encryption algorithms are very hard to crack. And then it gets convoluted to the point that clicking a button on a non-secure webpage could constitute signing a contract? What next?

  10. Re:Why? by jilles · · Score: 5

    There's a chicken-and-egg problem here. Digital signatures will not be safe & secure before we use them and technical issues won't surface until we use them. Using them will have to involve legal recognition.

    People will get burned using digital signatures, companies providing the technology for these signatures will respond by improving their technology.

    Of course nobody will want to be the person to get burned. My trust in both analog and digital signatures is not very high. Yet I sign checks, contracts, etc. all the time. However, in the long term I think it will be a lot harder to forge a digital signature than it is to forge an analog signature.

    I think the main issues are not technical. Would I trust AOL to manage my signatures? Probably not. Would I trust the Dutch government (you guessed it, I'm Dutch) to manage my signatures? Maybe, provided that they have some process in place that maintains a certain level of quality.

    It's all a matter of trust. Trust no one is not an option and will hurt you economically if others do take the risk, nor is trust anyone. The truth is in the middle. I live in a country where I think I can trust the government to provide me this kind of service.

    Countries all over the world are already giving digital signatures legal status. I know of several European countries and now apparently also the US. From now on it's a matter of economics. Digital signatures make it easier to do ecommerce which leads to certain cost savings. Countries which opt out won't benefit and will suffer economically. Remember, countries tried to opt out of the internet and most of them failed. Most of them are opening up or suffering economically because they refuse to do so.

    So, whether you trust it or not is not very relevant. The major advancement here is legalization. The technology is already in place and legalization will put it to the test.

    --

    Jilles
  11. E-signatures are BETTER than ink signatures by John+Murdoch · · Score: 3

    Yup--I mean it. Spend a little time in the business world and you'll be amazed at how often a business process depends upon there being a signature on a document--without the slightest regard for whether or not that is your signature.

    For example, consider your checking account. When you opened the account you had to sign a card, right? So the bank could compare your signature on each check to prove that it's really you? Guess what--banks do not check signatures on checks. In fact, if you ask your bank to validate the signature on each check cashed they will typically charge you for the "service." So unless you allege that a check was forged, your signature at the bottom of that check is meaningless.

    Case in point: ABC News is a client. For some reason, known only to ABC's Accounts Payable department, they pay their invoices from a bank in North Dakota--on a joke of a check form. The bank name, transit routing numbers, and the signature are all printed in place on an old-fashioned chain printer--they don't even have one of those stamps that purports to be an authorized signature. The first time we got paid we looked at the check and said, "yeah, right. No way on earth is this going to be accepted by the bank." We took it to the bank in town, the teller looked at it, said, "are you going to be on TV?" and processed the deposit. Without any "signature" beyond the words "American Broadcasting Companies, Inc."

    I have a project starting later in the month designing a new system for a U.S. sports sanctioning body. As part of the entry process for competitions a competitor has to present copies of various documents (medical forms, membership cards, etc.). The system, in theory, depends upon the validity of signatures--but the forms are typically photocopied. It is child's play to create a phony medical certificate--in essence to cheat--using any $99 graphics program. But--if we assign the competitor a digital signature (using the PGP trust method), and counter-sign with a trusted medical provider and a date, we have a substantially more trustworthy certificate. It becomes vastly harder to cheat. We really, really like the idea of digital signatures--and we really, really hope that the client (the sanctioning body) will adopt the plan.

    It will be possible to cheat with e-signatures. You will hear horror stories repeated by breathless bimbos on the 11 o'clock news. But signature fraud happens all the time today--what e-signatures will do is make signature fraud substantially more difficult to accomplish, and therefore a crime that occurs much less frequently.

    IMHO, this is a very good thing.

  12. Probably the best method by JayFlatland · · Score: 3

    would be to implement a public key algorithm. Signing a contract would entail encrypting the contract with your private key. Verifying the contract would entail using your public key to see if the cyphertext decrypts to the original contract text. The problem that then arises is protecting your private key. Perhaps a standard method would be to use a type of removable media to prevent hacking and whatnot.

    --
    Badgers? Badgers! We don't need no stinkin' Badgers!
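
Added example, not part of any comment in this thread: a minimal sketch of the public-key sign/verify flow described in comment 12, and of the two properties comment 4 attributes to a GPG signature (signer identity and detection of modification). It is textbook RSA over a SHA-256 digest with no padding, using constructed demo keys made from publicly known Mersenne primes; all function and key names are hypothetical.

```python
import hashlib

# Constructed demo keys built from publicly known Mersenne primes: they protect
# nothing. Real keys use secret random primes and a padded signature scheme.
E = 65537

def make_keypair(p, q, e=E):
    """Return (public, private) = ((n, e), (n, d)) for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent, e*d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)

def digest_int(message, n):
    """SHA-256 of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Private-key operation applied to the digest, not the whole text."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public_key):
    """Public-key operation must reproduce the digest of the text presented."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)

BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**107 - 1, 2**1279 - 1)

def demo():
    contract = b"Bob agrees to pay 100 dollars."  # constructed sample text
    second = b"Bob agrees to sell his house."     # constructed sample text
    sig = sign(contract, BOB_PRIVATE)
    return {
        "genuine": verify(contract, sig, BOB_PUBLIC),
        "text_altered": verify(contract.replace(b"100", b"900"), sig, BOB_PUBLIC),
        "signed_with_other_key": verify(contract, sign(contract, OTHER_PRIVATE), BOB_PUBLIC),
        # Any holder of a copy of Bob's private key signs as Bob: verification
        # proves possession of the key, not who was at the keyboard.
        "copied_private_key": verify(second, sign(second, BOB_PRIVATE), BOB_PUBLIC),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

The last case is why the thread keeps returning to private-key protection: the mathematics cannot tell the key's owner from anyone else who holds a copy of it.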
  13. Building better security by MorboNixon · · Score: 3

    "It's always a risk between the criminals and the good guys. So the better they become at hacking it, the better we'll become at making it stronger," said Stratton Sclavos, CEO of Verisign, an Internet securities firm.

    Banker: Oh my god! They broke in and stole all the money!
    Bank Guard: Yep! Them rascals sure are clever!
    Banker: What?!
    Bank Guard: A few more break-ins like that and we'll have the best security system in town!
    Banker: You're fired.
    Bank Guard: Well, I guess it's time for me to start up that online encryption monopoly that I've been dreaming about....

  14. Bad, bad politicians!... by BrK · · Score: 5

    On the surface this seems like a great step toward the "Digital Future" (TM)(C)(R)(etc). However, even in Real Life when it comes right down to it, signatures have little value. Think an unsigned check is "worthless"? Think again, simply writing a check and giving it to someone as a payment makes that check a legal instrument and it CAN be cashed sans signature (although quite often the bank may try REALLY REALLY REALLY hard to get a signature before they will honor it). Other documents require a signature only to minimize the possibility that you can dispute the contract terms later.

    Digital signatures introduce a HUGE problem, they will lead the Sheeple (those that follow the "herd") to believe a level of safety has been added to the WWW that isn't really there. It also seems that there is almost NO way to verify the identity of the person who is signing the digital signature. This would also lead on-line merchants to possibly relax a little bit about credit card fraud, when in reality they now have a new form of fraud to look out for.

    I don't know what the right answer is, it is probably a smart card reader coupled with a fingerprint scanner as a form of ID. This would probably require a central database of people's info, though (so that you could "sign" for things anywhere, not just at your home PC), and we all know that big databases are a Bad Thing. Perhaps there is a better solution, or perhaps this will end up being an area where Real Life is safer/better than the 'Net.

    --
    -This sig intentionally left blank
  15. Just what we need.... by flieghund · · Score: 3
    "I think there's going to be a lot of work for consumer advocates and lawyers as the new e-signature law unfolds," said Susan Grant of the National Consumers League.

    Great. So lawyers get richer while every click of my mouse becomes a legally binding contract. Pay attention to this, boys and girls, this makes all those website disclaimers ("By visiting this site, you agree to the following terms and conditions...") legally binding.

    Well, in theory anyway. Anyone wanna test that one?

    --
    "I came here to kick ass and chew bubblegum. I'm all out of bubblegum." MSE USC APX AIA CSI CASp
  16. woo hoo! by Frac · · Score: 4
    Now I can finally launch my e-marraige.com and e-divorce.com website.

    Speaking of security (or lack of) - click here to marry CmdrTaco!

    I'll link those two sites to each other to make things even more convenient - how's that?