Slashdot Mirror


Schneier Asks Why We Accept Fax Signatures

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

12 of 531 comments

  1. Signatures aren't about security by bperkins · Score: 4, Informative

    They are about legal requirements.

    Faking a fax signature isn't really that much harder than faking a real one.

    Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.

    "Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.

  2. telephone number by goombah99 · Score: 4, Informative

    Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.

    People are comfortable with that because they understand what is involved in doing that. With e-mail and digital docs it's harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.

    In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:telephone number by Loether · Score: 4, Informative

      Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.

      "Forging" a telephone number on a fax machine just requires changing a setting on the sending machine. It's in the fax manual.
      --
      TODO create witty sig.
  3. Schneier's thinking is backwards by Theaetetus · Score: 4, Informative

    Requiring a signature comes out of the old contract law of the Statute of Frauds, which requires certain contracts (not all) to be in writing, with a signature by the person to be bound to the contract. It was so that you couldn't agree to sell someone an expensive good, collect the money, then give them a cheap one and claim that that was the original contract - or so that you couldn't agree to buy the expensive good, pay them a dollar, and claim that was the original contract. Your signature isn't about protecting you from identity theft, it's about protecting the other party from your fraud.

    So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.

    The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.

  4. Re:It's an "older" technology by Jhon · Score: 4, Informative

    TECHNICALLY, the "fax machine" was invented in the 19th century. It became WIDELY used in the 1970s. While the first EMAIL may have been keyed in 1965, it could HARDLY have been considered to have been in WIDE use.

    So, YES, the fax machine is OLDER. Much older.

  5. Re:Actually, I LOVE the CC sig. by eXonyte · Score: 5, Informative

    Did you know that putting "See ID" or "See License" invalidates a Visa card unless you sign it as well? Unless, of course, your legal name happens to be "See License".

    Check out the Rules for Visa Merchants, in particular page 34 (page 29 if printed). There is some amusing information in there, such as the fact that merchants are not allowed to require ID for a credit card purchase.

    [...] merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID.

    I have no idea if MasterCard, Discover, or Amex have similar rules.

  6. Re:Actually, I LOVE the CC sig. by smbarbour · Score: 4, Informative

    I work in the credit card industry, so I do know how it works...

    1) The signature on the back of the card authorizes it for use. Failure to sign the card is supposed to indicate that the card is not authorized.

    2) Merchants are NOT allowed to check ID as a condition of credit card acceptance.

    3) The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.

  7. Re:It's an "older" technology by reebmmm · Score: 4, Informative

    The acceptance of fax signatures has to do only with fact that fax machines have been around for a long time

    This is part of it, but the real reason why is that the law (E-SIGN and various other state versions) have basically said that you can't deny a signature MERELY because it's electronically signed.

    Oh, and also because it's silly not to accept an electronic signature.

    It might surprise people but there's hardly a reason NOT to accept a fax/electronic signature since a signature is really meaningless in the business context. It is essentially EVIDENCE. It's not conclusive. There are certain enumerated situations (like wills and real estate) where signatures are a big deal, but these are not the day-to-day transactions people usually think about.

    In a contract, the question is whether the parties intended to form a contract. A signature can be evidence of that. So can clicking a button. So can doing s/First Last/. So can paying for the goods. So can accepting the goods. So can performing. So can stating so in an e-mail with a contract attached. And on and on.

    Besides, the risk of fraud exists regardless of whether you get a real signature or otherwise. Again, even when there's a fraud, the signature becomes evidence of the fraud. Heck, even requiring an in-person signature is not a surefire way to prevent fraud. Frequently the person accepting an actual signed contract will not be in a position to evaluate whether the signature is in fact true or fraudulent.

  8. Re:Actually, I LOVE the CC sig. by alan_dershowitz · Score: 4, Informative

    The signatures do NOT have to match. The signature on the card only authorizes the card for use and is not for comparison.

    This is WRONG. If you go through with a transaction where the signatures don't match, your business could be held LIABLE for the purchase if it was a fraudulent transaction. You are supposed to hold the card and make a Code 10 call to VISA and ask for further instructions if the signature doesn't appear to match.

  9. Re:Should have stop at, Aren't FAXes the weirdest by Wrath0fb0b · Score: 4, Informative

    The reason your bank can use a digital image for your check is because Congress created a legally binding document called a "substitute check" (this was in the wake of 9/11 when paper checks were stuck on the ground for 3 days). See http://en.wikipedia.org/wiki/Check_21_Act. Before that act, the original dead-tree check had to be sent to the account bearer's bank for actual processing.

    I would be wary of stretching that logic to apply to any legal document -- if scanned documents were valid, banks could have been doing this with checks before the intervention of Congress. Then again, I don't know why faxed documents are presumed any better.

  10. Re:Older generation by iocat · Score: 4, Informative

    Great points. In practice, we usually fax contracts so we can start working, then send (via FedEx) paper copies for 'real' execution. I can't think of an example in 15+ years in the working world where a fax signature wasn't used in a positive manner -- to seal the deal on something everyone already agreed on, like an NDA or a writing assignment or a negotiated development contract.

    On the other hand, we also switched to the e-signing service DocuSign for our internal contracts and approvals, because using a fax machine is such a massive pain in the ass and no one in our company likes dealing with paper. A few of our clients use it too, it's pretty wonderful. As secure as you want it to be, and also quick and easy.

    --

    Dude, I think I can see my house from here.

  11. Re:Should have stop at, Aren't FAXes the weirdest by Kadin2048 · Score: 4, Informative

    I am in agreement with you and wanted to point out something that I think furthers your point.

    The Uniform Commercial Code (UCC), which has been adopted by all 50 states, discusses what is a valid signature in Article 1, Section 1-201(39):

    "Signed" includes using any symbol executed or adopted with present intention to adopt or accept a writing.
    (Writing is defined as "printing, typewriting, or any other intentional reduction to tangible form.")

    While that doesn't rule out the possibility of states having other requirements for signatures, the "least common denominator" between all states -- the UCC -- is pretty format-agnostic.

    I think it's also worth pointing out that some 48 states, according to one source, have put digital-signature laws in place that allow some form of non-physical, electronic signature. Some of them are pretty specific to PK crypto, while others are technology-agnostic. I find it a little hard to believe that any state that's gone to the trouble of crafting and passing a digital-signature law would still require faxed signatures.

    What seems more likely to me is that private agreements between parties are the major driver for faxed signatures, because there are contracts forming standing arrangements between businesses that weren't written to take advantage of anything besides the dominant technology (POTS fax) at the time they were written. Therefore, you end up with change orders, POs, and other authorizations having to go by fax, because of some hoary old contract, even though some other form of signature would be theoretically acceptable.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
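The thread contrasts a faxed signature, which Schneier's summary notes can be cut and pasted onto any document, with the public-key signatures that Kadin2048 says some state digital-signature laws are written around. The following Go program is an added illustration of that difference, not code from Slashdot or from any commenter: it models the only check a clerk can perform on a fax (does the image match the specimen on file?) beside an Ed25519 verification (is the signature valid over exactly these document bytes?), and runs both over a genuine signed contract and over the same signature moved onto a different contract. The contract texts, the "scanned image" byte string and the choice of Ed25519 as a representative public-key scheme are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// FaxSigned models a faxed contract: the document text plus a scanned
// signature image. The image is a constructed byte string standing in for
// pixels; nothing in it depends on the document it sits on.
type FaxSigned struct {
	Document []byte
	SigImage []byte
}

// AcceptFax is the check a recipient can actually perform on a fax: compare
// the image on the page with the specimen on file. The document is never
// consulted, so the check cannot tell which document the image belongs to.
func AcceptFax(f FaxSigned, specimen []byte) bool {
	return bytes.Equal(f.SigImage, specimen)
}

// PKSigned models an electronically signed contract under a public-key
// scheme: the signature is computed over the document bytes themselves.
type PKSigned struct {
	Document  []byte
	Signature []byte
}

// SignDocument produces an Ed25519 signature over the whole document.
func SignDocument(priv ed25519.PrivateKey, doc []byte) PKSigned {
	return PKSigned{Document: doc, Signature: ed25519.Sign(priv, doc)}
}

// VerifyDocument checks that the signature was made over exactly this
// document by the holder of the private key matching pub. Malformed key or
// signature lengths are rejected up front rather than passed to Verify.
func VerifyDocument(pub ed25519.PublicKey, s PKSigned) bool {
	if len(pub) != ed25519.PublicKeySize || len(s.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, s.Document, s.Signature)
}

// Result records what each acceptance check says about a genuine signed
// document and about the same signature lifted onto a different document.
type Result struct {
	FaxAcceptsOriginal   bool
	FaxAcceptsTransplant bool
	PKAcceptsOriginal    bool
	PKAcceptsTransplant  bool
}

// Demo runs both checks over two constructed contracts.
func Demo() (Result, error) {
	contractA := []byte("Contract A: NDA between Alice and Bob, term 2 years.")
	contractB := []byte("Contract B: Alice agrees to pay Bob $1,000,000.")
	// Constructed stand-in for the pixels of Alice's scanned signature.
	specimen := []byte("<scanned pixels of Alice's signature>")

	// Fax path: Alice's image on contract A, then the identical image on
	// contract B, which Alice never saw.
	faxA := FaxSigned{Document: contractA, SigImage: specimen}
	faxB := FaxSigned{Document: contractB, SigImage: faxA.SigImage}

	// Public-key path: Alice signs contract A; the signature bytes are then
	// moved onto contract B without Alice's involvement.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	pkA := SignDocument(priv, contractA)
	pkB := PKSigned{Document: contractB, Signature: pkA.Signature}

	return Result{
		FaxAcceptsOriginal:   AcceptFax(faxA, specimen),
		FaxAcceptsTransplant: AcceptFax(faxB, specimen),
		PKAcceptsOriginal:    VerifyDocument(pub, pkA),
		PKAcceptsTransplant:  VerifyDocument(pub, pkB),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("fax check: original=%v transplanted=%v\n", r.FaxAcceptsOriginal, r.FaxAcceptsTransplant)
	fmt.Printf("PK check:  original=%v transplanted=%v\n", r.PKAcceptsOriginal, r.PKAcceptsTransplant)
}
```

The fax check accepts both documents because the only thing it can compare is the image, which is the same bytes either way; the public-key check accepts contract A and rejects contract B because the signature was computed over A's bytes and no longer matches once the document changes. That is the property the thread's legal discussion takes for granted when it treats a fax as evidence rather than proof: the fax image shows that a signature exists, not which document it was attached to.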