Slashdot Mirror
Electronic Signatures Now Legal?
xpird writes "CNN is reporting this. -- A new federal law taking effect Sunday gives e-signatures the same legal standing as their handwritten counterparts, a significant change that promises new opportunities and risks on the Internet." Considering the amount of forged e-mail I get, this is gonna get interesting.
The linked article talks about the potential dangers but tries to reassure us that "the experts" are saying it's OK. The problem is, the critics are right about the dangers of your signiture being stolen. (Cryptographic-type people may note that reasonably safe systems can be created, but you can still hack a computer and snarf the signiture key itself, which is pretty darned hard to protect against and still have a system usable by normal people in the real world.) What this article doesn't mention is the total lack of online fraud protection.
Under the terms of this law, if your electronic signiture gets stolen and used, there are no provisions to make you not liable for any charges that are racked up, meaning at the very least that if a signiture is stolen, you could be looking at a total destruction of your credit rating, should you choose not to pay for the theif's actions, or arbitrarily large bills, if you choose to.
This is in stark contrast to credit cards, where, subject to certain rules involving speed of notification of fraud upon discovery, your liability is limited to $50, no matter how much your stolen credit card number is used against your will.
Despite my excitement at seeing the idea of digital signitures accepted, I must strongly recommend against using them in their current form. I'm hoping "That couldn't possibly have been my signiture because I've never used a digital signiture before" will be an adequate defense...
Start reading it. Really carefully.
To quote the CNN article:
(emphasis mine)
This means that the EULA you're clicking 'Accept' for can now be as legally binding as, oh, say, a loan from a bank. Or a bill of sale.
Watch for Microsoft's next version of its EULA, where you agree not to compete with the company for the next 5 years. Or watch for the inevitable rash of popup boxes that require you to hit 'okay' to get rid of. Nevermind mind the fact that when you hit okay, you're legally signing away all your worldly possessions.
Who needs the DMCA to trample our software rights? This law will do it all for us by itself...
The purpose of the law is to make digital signatures (a purposefully vague term) have the same legal standing as written ones. This is becuase, BEFORE this law existed, it was very easy to dismiss most 'contracts' that didn't have a written signature.
Now, in order to enforce something, you will *still* have to prove that a signature was that of the person who you think signed it. Just like with handwriting.
Of course fraud can happen as well. Thats' what witnesses are for.
If someone signs my name on a cheque, and buys something.. I can walk in and say 'look, this is NOT mine, I did not sign this'. Unless they can prove I did.. they are out of luck. Generally this can be done by handwriting analysis, fairly easily.
For more serious contracts, there are *always* witnesses. Notaries even. People who actually ask you for ID as well before they notarize what's going on.
So now, the point is, this can be done digitally, and the contracts can't be invalidated solely because the signature was digital.
Now that electronic signatures are legal, is it possible to create an electronic petition? Say, for the purposes of bring the DMCA up to general election? It would seem to me that such an action would naturaly be very easy over the internet. I'm sure CNN would love it too, "DMCA to be reviewed after government receives 12 million petition e-signatures"
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
The law does not specify a type of technology for e-signatures. They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page
Oh great. I just clicked a button that and sold my house. Seriously, how could anyone pass such a vague law? If that's hwo the wording of the actual bill really is, then we're in trouble.
I thought the entire purpose of digital signatures was to prevent forgeries, since signatures based on encryption algorithms are very hard to crack. And then it gets convoluted to the point that clicking a button on a non-secure webpage could constitute signing a contract? What next?
There's a chicken egg problem here. Digital signatures will not be safe&secure before we use them and technical issues won't surface untill we use them. Using them will have to involve legal recognition.
People will get burned using digital signatures, companies providing the technology for these signatures will respond by improving their technology.
Of course nobody will want to be the person to get burned. My trust in both analog and digital signatures is not very high. Yet I sign checks, contracts, etc. all the time. However, in the long term I think it will be a lot harder to forge a digital signature than it is to forge an analog signature.
I think the main issues are not technical. Would I trust AOL to manage my signatures? Probably not. Would I trust the dutch government (you guessed it, I'm dutch) to manage my signatures? Maybe, provided that they have some process in place that maintains a certain level of quality.
It's all a matter of trust. Trust no one is not an option and will hurt you economically if others do take the risk, nor is trust anyone. The truth is in the middle. I live in a country where I think I can trust the government to provide me this kind of services.
Countries all over the world are already giving digital signatures legal status. I know of several european countries and now apparently also the US. From now on its a matter of economics. Digital signatures make it easier to do ecommerce which leads to certain cost savings. Countries which opt out won't benefit and will suffer economically. Remember, countries tried to opt out of the internet and most of them failed. Most of them are opening up or suffering economically because they refuse to do so.
So, whether you trust it or not is not very relevant. The major advancement here is legalization. The technology is already in place and legalization will put it to the test.
Jilles
On the surface this seems like a great step toward the "Digital Future" (TM)(C)(R)(etc). However, even in Real Life when it comes right down to it, signatures have little value. Think an unsigned check is "worthless"? Think again, simply writing a check and giving it to someone as a payment makes that check a legal instrument and it CAN be cashed sans signature (although quite often the bank may try REALLY REALLY REALLY hard to get a signature before they will honor it). Other documents require a signature only to minimize the possibility that you can dispute the contract terms later.
Digital signatures introduce a HUGE problem, they will lead the Sheeple (those that follow the "herd") to beleive a level of safety has been added to the WWW that isn't really there. It also seems that there is almost NO way to verify the identity of the person who is signing the digital signature. This would also lead on-line merchants to possibly relax a little bit about credit card fraud, when in reality they now have a new form of fraud to look out for.
I don't know what the right answer is, it is probably a smart card reader coupled with a fingerprint scanner as a form of ID. This would probably require a central database of people's info, though (so that you could "sign" for things anywhere, not just at your home PC), and we all know that big databases are a Bad Thing. Perhaps there is a better solution, or perhaps this will end up being an area where Real Life is safer/better than the 'Net.
-This sig intentionally left blank
speaking of security (or lackof) - click here to marry CmdrTaco!
I'll link those two sites to each other to make things even more convenient - how's that?