Schneier Asks Why We Accept Fax Signatures
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
That's the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...
The acceptance of fax signatures has to do only with the fact that fax machines have been around for a long time, and people think they understand how they work. It just seems safer.
Sadly, the same people who make decisions based on the comfort provided by the familiarity of a technology are those who make policy at companies.
Not just for signatures, but it really annoys me when a company will only accept faxes instead of scanned emails for any number of documents. Luckily the situation has been improving in the recent years.
Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.
Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.
A NYC lawyer blogs. http://www.chuangblog.com/
Sounds like there's an untapped market out there for 419 fax-scams!
which is totally what she said
I have been told on a few occasions "PGP signed email" is not sufficient, and that only a fax would be accepted. This even happens if the signature can be verified. Banks seem to do this a lot. I wish that they would catch up with the times.
I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.
I am TheRaven on Soylent News
Vaguely related to the topic at hand are the legal rules surrounding any communication.
It's generally accepted (in UK law, at least, so my source says) that once you reply and / or initiate a conversation over a medium, that that medium is then a valid method of contacting you indefinitely over the course of that action.
So if you email a solicitor, then for that solicitor to send you an email back is perfectly legally acceptable and may even be construed as "delivered" whether or not it arrives. Because *you* selected the method of transit. If your mortgage nearly falls through at the last minute and you need to do something incredibly urgent or lose your house, a solicitor acting on your behalf can just send you an email and they've "done their job". If your servers are down, tough, if you no longer have that email, tough. At least if you read the strict letter of the law.
It may be that this is related - once a person has contacted you by fax, then sending back your confirmation by fax is construed as legally acceptable for "signing" a contract. If you don't like it, then don't communicate with them by fax at all. Ever.
On a personal note, if I weren't able to fax legally-binding forms back to a company, I wouldn't have a house, but I still don't "like" it. My purchase of the house dragged on for six months longer than it should have and the solicitor in charge on my end was a close personal friend, so they were stopping all heel-dragging and pulling out all the stops for us.
However, just as we were approaching the signing date, we had a holiday booked (Hey, we thought a six month cushion on top of a six month estimate for the deal would be long enough!). We arrived in a foreign country for a holiday, and within a day we had a phone call to say that if a particular court didn't receive a signed document on an official form within the next eight hours (time differences etc.) then we wouldn't be able to complete the purchase now, or ever (the house would be sold at auction). We had to find a kind hotel (fortunately, we found a hotel receptionist who had recently had much worse problems selling their house and they let us use the hotel fax machine for free) and receive several forms, sign them and fax them back (and pay a month's mortgage, in cash, within 8 hours but that was easily resolved by phoning relatives near our solicitor's, although we still technically owe them that).
So it worked out well that we were able. I don't think we could have got back in time on the first plane, and there was nothing we or our solicitor could do to negate the need for us to sign the forms and pay in cash (bank transfers etc. wouldn't have cleared in time, believe it or not). However, the fact that anyone could have signed the form just shows that 99% of paperwork is useless and a waste of time, not that fax machines are somehow "evil".
Bruce Schneier sure is oblivious sometimes.
They're accepted because they're good enough.
What does that mean? It means that if there is a problem later, the fax is sufficient evidence to resolve most problems, either by providing proof of a signature or proof of a forgery. As long as most businesses have some documentation to cover themselves that's generally good enough. Certainly some issues may not fall into this category, but enough do to make faxes acceptable.
Security, for many businesses, isn't about "making sure something bad doesn't ever happen" it's about having what you need to resolve a problem should it arise in the future.
I could easily forge my parents' signatures when I was 9 (and did it a couple of times). I don't trust a penned signature, why should I trust a faxed one?
The answer is extremely simple. There is precedent in the courts that says a fax signature is acceptable and legally binding. There is no precedent saying that an e-mailed document in digital form is.
Hence on a contract, fax is accepted.
-M
when you see the word 'Linux', drink!
I assume the (il)logic is the same as that governing people's willingness to give their credit card numbers to an underpaid human, over an unsecure POTS line, frequently over a really insecure old school cordless phone; in preference to giving the said number to a machine over SSL.
In general, people's risk assessments are completely out to lunch. Back in 2001, my school had its student trip to Greece canceled by parental concern. Apparently, the parents wanted their kids "safe at home"(never mind that we all lived in a certain large city on the American east coast), rather than facing the foreign dangers of a fairly quiet and moderately obscure neutral country.
I think that there has been some work done on formalizing our understanding of what distorts risk perception; but it makes for depressing reading.
But most people don't have a fax machine, so almost any forms that have to be faxed from customer to business will just have the number of the nearest copy shop with a fax service. If you're faxing a form that you've filled in then the "stationery" is already covered.
The only thing left is the signature, and the security of that is no different whether it's email, fax or a photocopy delivered by carrier pigeon.
I swear, he makes some good points, but as a security professional he should understand why they accept it. The amount of business they'd lose by not accepting it is worth more than the potential loss if they didn't.
Of course, now that the cat's out of the bag, they'll need to reevaluate.
The document sent can be doctored in many ways, but there are lots of precedents about misrepresentation, forgery, larceny, and so on. The laws don't need to be changed. If someone forges or misrepresents information, then they're criminally and civilly liable for that action.
We accept and trust people and their submitted documents. Fancy that.
What? They're not real? That's a bad thing. Time to call the prosecutors. Jail for that? Really? Good.
---- Teach Peace. It's Cheaper Than War.
Faxed copies of documents are legally binding, scanned+printed are not. Blame the law that hasn't caught up yet.
No method of getting a signature is going to be foolproof. We could sit here and discuss how notaries are ridiculously insecure because of how easy it is to get fake IDs and fake a signature, but that's not the point. The point is to make it so that we can be reasonably certain that the person who's sending the fax is the person we expect it to be. Getting a fax out of the blue will prompt a phone call to the number on file. When someone faxes a form from the nearest copy service, the receiving business has already been in communication with this person and is expecting it. So while the fax in and of itself isn't necessarily all that secure, the overall structure is fairly secure.
That answers the immediate question, but there's still the question of why the -law- considers a fax to be a legal facsimile.
... yet, my company's pretax account takes documentation via fax. I could mail the documents, of course, but that will add time and processing costs to all parties involved. (I'm sure they use electronic copies of the faxes, not paper copies.) So it's a significant benefit to all parties to use 'legal facsimile' faxes.
I think the answer to that, ironically, comes back to businesses. Businesses needed a way to send 'signed' documents quickly, and pre-FedEx there weren't really many options. Fax machines were bulky and expensive. They didn't accept signed documents from just anyone, they had already vetted the other party to some extent.
So, on balance, the convenience of 'legal facsimile' faxes outweighed the cost of the rare forgery. They pushed the law to recognize the same.
Now things have totally reversed. You can send documents to anywhere in the country in a day for a modest amount, you can create perfect forgeries using a scanner, basic editing software and fax modem, etc. People would be insane to trust faxes for anything but the most trivial things...
Bottom line is that businesses use faxes since it's legal, and it's legal because businesses want to use faxes. It's not going away soon, but I agree 100% that it's insane to trust faxed documents for anything of significant value. (E.g., we used faxes to the seller when I bought my house a decade ago.)
I think the ultimate question is refutability. I don't care if a business accepts faxes -as long as I can refute a forged fax-. That's the only sane solution -- put all liability on the receiver. They can continue to accept low-balance transactions if it's convenient, while I can be confident that nobody will try to forge documents "selling" my house to a third party.
(It turns out we have a good recent example of this -- credit card companies don't require signed receipts for low-balance credit card transactions. The cardholder always wins any dispute, but businesses are willing to accept that risk in exchange for the convenience of moving people through the line quicker or avoiding the need for customer interaction at all (e.g., at gas stations))
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
I'm always impressed by the Slashdot posters that are heroes in their own minds. If you'd read the post in his blog instead of the Fine Summary, you'd know that's exactly what he says.
My understanding (based on the contracts I have worked with over the years) is that this condition isn't a legal condition, but rather something that is specified in the agreements between companies. Our contracts specifically call out that faxed approvals are sufficient, and newer contracts say the same about e-mail. This is working with financial institutions on matters such as project approvals and change control approvals.
I wouldn't do this for big deals involving large amounts of money (exceeding 6 or 7 figures), but I for one don't worry too much about an email approval.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
All that is required to be legally binding is an offer and acceptance. This can even happen orally. For some kinds of contracts -- covered by the Statute of Frauds -- you need to have a written document which must be "signed," but this refers only to some indication in the document that the person has knowingly agreed to be bound; a suitable email will suffice.
Here, some googling found this: "Signature" merely means any authentication which identifies the party to be charged. Even a letterhead or an "X" will do, provided it is placed on the writing with the intent to authenticate it. (Merrill Lynch, Pierce, Fenner & Smith, Inc. v. Cole 457 A.2d 656, 663 (Conn.,1983).) http://www.west.net/~smith/frauds.htm
(I'm not your lawyer and none of this was legal advice, obviously.)
Are you sure about that? State law varies, but under the UCC, email and electronic agents may bind you without a signature at all. If checking "I accept" on a EULA or TOS is binding (and it is) emailed signatures should work in most states for most contracts.
Not stupid.
She has a habitual way of doing business, one that is expected in her industry. The fact that she is technologically ignorant doesn't mean she is stupid.
BTW, the 'older people don't get technology' really only applies to 1 or two generations.
It's pretty much over. At 43 I can hold my own against any generation. This will come to an end with certain types of games due to event due to aging.
The Kruger Dunning explains most post on
I mean, a fake signature may be fraud, but at the end of the day your argument is like arguing that you should be alive after getting hit by a drunk driver because he broke the law.
"Just because you're right doesn't make you any less dead/injured/royally boned"
+5, Truth
I don't think it is so much that faxes have been codified as legally binding, and scan + print and or e-mail have not been, it's that faxes have been tested. Court cases where faxed documents were disputed, have been found to be a valid method in court. Chances are pretty good an E-mailed PDF or similar would be as well. It's just that there is a risk it might not be, however small nobody wants to take the chance.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
That's why whenever I have an oral agreement, I put it in writing and have all parties sign it to make sure there are no misunderstandings!
"But this one goes to 11!"
Probably just a poor choice of words on your part. I am certain there is no form of communication that is more or less legally binding than another. As long as both parties understand and agree, (barring some other deception) in the US you have a contract.
Verbal contracts are legally binding, but don't leave good evidence if disputed. What I think you mean is that if the veracity of a document is brought into question, that a scanned+printed document is not going to hold much weight in most courts.
The issue is whether a contract would be disputed, and one party would be stuck as a result.
For example, with wire transfers there are all kinds of non-consumer-friendly bank laws out there. If the bank followed the appropriate processes and some identity thief gets the bank to send $1M of some customer's money to some foreign bank, the bank probably could care less. Chances are that banking laws will make the customer liable and they weren't involved.
Now, imagine this scenario. You pay me $50k in untraceable cash as consideration for me privately providing you with some form of insurance (say a million dollars worth). You suffer a loss that I am liable for. I simply deny having ever signed the contract. If the contract were on paper you would have an expert witness testify that it could be forensically traced to me. If the contract were faxed you would point to all kinds of court precedents for faxed documents. If the contract were emailed there would not be much precedent - maybe I'd owe you, and maybe not. Unless you like taking your chances (and who buys insurance when they like to take chances?), you're going to insist on some well-tested form of transmission.
Basically the issue comes down to repudiation. It is easy to repudiate a document transmitted electronically unless cryptographic safeguards are used. FAX should be easy to repudiate but for various reasons it has a perception of authority and it has been well-tested in court.
Finally, I don't know where you get the idea that emailed contracts haven't been tested in court. They have, and they're effective.
The whole thing is even more silly when you consider that many of the "fax machines" in use today aren't even fax machines at all, but some sort of fax-to-email service. In my industry I see a lot of this sort of thing. People get all worked up over how email won't do, they must fax whatever it is -- and they end up using an e-fax service which probably ends up in some other guy's email box anyway through his own e-fax service. :)
Yet both sides are convinced that this is somehow better than just scanning the document and emailing it normally. Truly bizarre, if you ask me.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
Sounds like a reasonable explanation. I'd add that people, for whatever reason, believe that a physical pen-and-paper signature has some sort of legal magic to it that simply writing out "I, [name], agree to be bound by the foregoing" does not. If even the tech-loving crowd here at Slashdot labors under this misapprehension -- as apparently it does -- then the more technophobic mainstream could only be less comfortable with contracts by email.
When you require a fax, you create additional verification in the form of a record of a phone call placed between the originator and receiver of the fax transmission. That way, after the fact, it's fairly easy to show that at least the fax originated from a fax machine in the office of the person who sent it.
With email, the person sending the signed document could be doing so from Nigeria and there's no good way to know that they're not.
paintball
Signatures are a throwback to when it was unusual and the mark of gentility to be able to write. They were the next best thing to using your wax seal with the family crest and usually accompanied it.
Seriously how many people who work at a till or even a bank have had the necessary 10 plus years of training to be able to tell a real signature from a fake one? Even if they did would it be reasonable for them to look at all the signatures?
I know personally of more than one occasion when a bank has cashed a check with the signature Mickey Mouse on it (the person who wrote the check was just seeing if it would work and the store still got the money.)
THAT is for a real signature from a real person standing in front of you, and a computer is supposed to do better?
"Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons."