Schneier Asks Why We Accept Fax Signatures

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

Older generation

[FriendlyLurker]

Thats the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...

Re:Older generation

[AKAImBatman]

Thats the older generation for you...Thats the older generation for you...

Actually, I'd say it's more a matter of practical security vs. air-tight security.

Most of the posts here act like signed faxes come out of the blue and magically make things happen. Well, that's not a very secure way to use a fax machine. e.g. I'd hate to have Presidential orders executed with only a fax as evidence that the order is issued!

In real life, faxes of documents occur after a verbal agreement is reached. For example, let's say a company owes me stock options. I tell the company that I wish to exercise the options. They tell me that I need to review the terms of the options and sign them before the stocks are issued to me. Documents are faxed (or emailed!) to me for review. I review the documents and either deliver a verbal rejection (perhaps followed by modified terms) or I sign the documents and fax them in.

Let's look at the possible attacks in this situation. I have already verbally agreed to pursue this contract. If someone tries to forge my signature (why?) before I decide to reject the contract, the forgery will be discovered when I contact the company to offer my rejection of the terms.

Well, what if someone poses as me and begins the process? That could potentially be a problem. Except that my identity is usually verified up front. In a smaller company they already know me, my voice, my email, and my address. When I contact them, they know who I am. In a larger company, they will usually require proof of identification along with any papers being signed.

Someone can still steal the certificates from my mail, but that goes above and beyond the issues with fax machines.

To give another example, let's say I'm offered an employment contract. Obviously such a contract has been under negotiation for some time. By the time it's been faxed, it's clear as day that it was me who signed it and agreed to the terms. If my signature was forged for whatever reason, it would become rather clear when I don't show up for work the first day, or when some impostor shows up.

Granted, someone could have been impersonating me the entire time, but then they'd also need forged proof of identification to fill out the necessary tax forms at employment time.

I think you'll find that any contracts where there is concern of forgery or claims of forgery are handled in one of two ways:

1. The fax is used to confirm your agreement and get the process started. The actual documents must be physically mailed before the terms of the contract are fully realized.

2. Fax is unacceptable. The documents must be FedExed and signed for so that they can be tracked from person to person. Someone is ALWAYS accountable for the documents.

In short, faxes are just fine. Just don't act stupid when working with them. If you ever find a company that does, work to get their legal counsel fired. If that company is signing important documents without legal counsel, RUN. Run far away and never look back.

Re:Older generation

[Tim4444]

In real life, faxes of documents occur after a verbal agreement is reached.

That's not always true. In real estate contract offers are often delivered solely by fax, and the response is also delivered by fax when an offer is accepted. Sometimes the offers and counter offers go back and forth so many times that part of the document becomes too illegible to hold up in court.

Anyone can go to Kinkos and send a fax pretending it's from me. Someone might not be able to get me hired as in your example, but they might do enough damage to get me fired.

Faxing was an important technology that served a specific function in its time. It allowed us to transmit documents on analog lines before digital networks were widely accessible. Now that we have the internet and suitable cryptographic techniques, there's no point holding onto faxing. You can push the merits of telegraphs all you want, but I'd rather use a cell phone. Why waste money on a phone line for a fax machine when you can get an internet connection for about the same amount?

One irony of faxing is that digital lines are taking over in the public phone network as well. However, people are still trying to use the analog fax protocol over digital lines. IP telephony is optimized for voice transmissions. If a packet is lost, many applications will fill extend the voice from adjacent packets to cover up the dead space from the lost packet. This kind of manipulation makes voice sound good, but it distorts fax signals in a way that the protocol wasn't designed to check. The fax protocol checks for a certain threshold of error before it requests a resend. The designers new that if they mandated a perfect transmission the resends would slow down the fax too much. They designed the checksums to catch the most common errors that occur with analog lines. With IP telephony manipulation, the fax protocol can't detect much of the manipulation and so you can get a completely munged document that didn't generate a single fax error.

I think faxing filled an important niche in its time, but the world has moved on so it's time to let go of it. Newer copy machines even let you email your scanned documents which is far more convenient than faxing ever was. I'd rather see companies put their energy into standardizing an email encryption system rather than trying to keep faxing alive.

Doesn't Make Sense To Start New Trends

[darkmeridian]

Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.

Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.

PGP signed mail is also not enough.

I have been told on a few occasions "PGP signed email" is not sufficient, and that only a fax would be accepted. This even happens if the signature can be verified. Banks seem to do this a lot. I wish that they would catch up with the times.

They do accept scanned signatures

[TheRaven64]

I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.

Vaguely related to the topic at hand

[ledow]

Vaguely related to the topic at hand are the legal rules surrounding any communication.

It's generally accepted (in UK law, at least, so my source says) that once you reply and / or initiate a conversation over a medium, that that medium is then a valid method of contacting you indefinitely over the course of that action.

So if you email a solicitor, then for that solicitor to send you an email back is perfectly legally acceptable and may even be construed as "delivered" whether or not it arrives. Because *you* selected the method of transit. If your mortgage nearly falls through at the last minute and you need to do something incredibly urgent or lose your house, a solicitor acting on your behalf can just send you an email and they've "done their job". If your servers are down, tough, if you no longer have that email, tough. At least if you read the strict letter of the law.

It may be that this is related - once a person has contacted you by fax, then sending back your confirmation by fax is construed as legally acceptable for "signing" a contract. If you don't like it, then don't communicate with them by fax at all. Ever.

On a personal note, if I weren't able to fax legally-binding forms back to a company, I wouldn't have a house, but I still don't "like" it. My purchase of the house dragged on for six months longer than it should have and the solicitor in charge on my end was a close personal friend, so they were stopping all heel-dragging and pulling out all the stops for us.

However, just as we were approaching the signing date, we had an holiday booked (Hey, we thought a six month cushion on top of a six month estimate for the deal would be long enough!). We arrived in a foreign country for a holiday, and within a day we had a phone call to say that if a particular court didn't receive a signed document on an official form within the next eight hours (time differences etc.) then we wouldn't be able to complete the purchase now, or ever (the house would be sold at auction). We had to find a kind hotel (fortunately, we found a hotel receptionist who had recently had much worse problems selling their house and they let us use the hotel fax machine for free) and recieve several forms, sign them and fax them back (and pay a month's mortgage, in cash, within 8 hours but that was easily resolved by phoning relatives near our solicitor's, although we still technically owe them that).

So it worked out well that we were able. I don't think we could have got back in time on the first plane, and there was nothing we or our solicitor could do to negate the need for us to sign the forms and pay in cash (bank transfers etc. wouldn't have cleared in time, believe it or not). However, the fact that anyone could have signed the form just shows that 99% of paperwork is useless and a waste of time, not that fax machines are somehow "evil".

Re:telephone number

[MoonBuggy]

But most people don't have a fax machine, so almost any forms that have to be faxed from customer to business will just have the number of the nearest copy shop with a fax service. If you're faxing a form that you've filled in then the "stationary" is already covered.

The only thing left is the signature, and the security of that is no different whether it's email, fax or a photocopy delivered by carrier pigeon.

Re:It's an "older" technology

[MoonBuggy]

That's interesting, but all it really means is that the law is inconsistent and needs to be fixed.

Re:Should have stop at, Aren't FAXes the weirdest

[Dog-Cow]

Faxed copies of documents are legally binding, scanned+printed are not. Blame the law that hasn't caught up yet.

Re:telephone number

[moderatorrater]

No method of getting a signature is going to be foolproof. We could sit here and discuss how notaries are ridiculously insecure because of how easy it is to get fake IDs and fake a signature, but that's not the point. The point is to make it so that we can be reasonably certain that the person who's sending the fax is the person we expect it to be. Getting a fax out of the blue will prompt a phone call to the number on file. When someone faxes a form from the nearest copy service, the receiving business has already been in communication with this person and is expecting it. So while the fax in and of itself isn't necessarily all that secure, the overall structure is fairly secure.

Re:Should have stop at, Aren't FAXes the weirdest

[Alpha830RulZ]

My understanding (based on the contracts I have worked with over the years) is that this condition isn't a legal condition, but rather something that is specified in the agreements between companies. Our contracts specifically call out that faxed approvals are sufficient, and newer contracts say the same about e-mail. This is working with financial institutions on matters such as project approvals and change control approvals.

I wouldn't do this for big deals involving large amounts of money (exceeding 6 or 7 figures), but I for one don't worry too much about an email approval.

Re:Should have stop at, Aren't FAXes the weirdest

[Pendersempai]

Faxed copies of documents are legally binding, scanned+printed are not. Blame the law that hasn't caught up yet. I'm going to call BS on this one. Do you have a citation to the law of any state that holds faxes to be legally binding but not scanned and printed documents? Seriously, where are you getting this point of law?

All that is required to be legally binding is an offer and acceptance. This can even happen orally. For some kinds of contracts -- covered by the Statute of Frauds -- you need to have a written document which must be "signed," but this refers only to some indication in the document that the person has knowingly agreed to be bound; a suitable email will suffice.

Here, some googling found this:

"Signature" merely means any authentication which identifies the party to be charged. Even a letterhead or an "X" will do, provided it is placed on the wriiting with the intent to authenticate it. (Merrill Lynch, Pierce, Fenner & Smith, Inc. v. Cole 457 A.2d 656, 663 (Conn.,1983).) http://www.west.net/~smith/frauds.htm

(I'm not your lawyer and none of this was legal advice, obviously.)

Re:A watermelon, eh?

[utopianfiat]

I mean, a fake signature may be fraud, but at the end of the day your argument is like arguing that you should be alive after getting hit by a drunk driver because he broke the law.
"Just because you're right doesn't make you any less dead/injured/royally boned"