Schneier Asks Why We Accept Fax Signatures

Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.

Older generation

[FriendlyLurker]

Thats the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...

Re:Older generation

[AKAImBatman]

Thats the older generation for you...Thats the older generation for you...

Actually, I'd say it's more a matter of practical security vs. air-tight security.

Most of the posts here act like signed faxes come out of the blue and magically make things happen. Well, that's not a very secure way to use a fax machine. e.g. I'd hate to have Presidential orders executed with only a fax as evidence that the order is issued!

In real life, faxes of documents occur after a verbal agreement is reached. For example, let's say a company owes me stock options. I tell the company that I wish to exercise the options. They tell me that I need to review the terms of the options and sign them before the stocks are issued to me. Documents are faxed (or emailed!) to me for review. I review the documents and either deliver a verbal rejection (perhaps followed by modified terms) or I sign the documents and fax them in.

Let's look at the possible attacks in this situation. I have already verbally agreed to pursue this contract. If someone tries to forge my signature (why?) before I decide to reject the contract, the forgery will be discovered when I contact the company to offer my rejection of the terms.

Well, what if someone poses as me and begins the process? That could potentially be a problem. Except that my identity is usually verified up front. In a smaller company they already know me, my voice, my email, and my address. When I contact them, they know who I am. In a larger company, they will usually require proof of identification along with any papers being signed.

Someone can still steal the certificates from my mail, but that goes above and beyond the issues with fax machines.

To give another example, let's say I'm offered an employment contract. Obviously such a contract has been under negotiation for some time. By the time it's been faxed, it's clear as day that it was me who signed it and agreed to the terms. If my signature was forged for whatever reason, it would become rather clear when I don't show up for work the first day, or when some impostor shows up.

Granted, someone could have been impersonating me the entire time, but then they'd also need forged proof of identification to fill out the necessary tax forms at employment time.

I think you'll find that any contracts where there is concern of forgery or claims of forgery are handled in one of two ways:

1. The fax is used to confirm your agreement and get the process started. The actual documents must be physically mailed before the terms of the contract are fully realized.

2. Fax is unacceptable. The documents must be FedExed and signed for so that they can be tracked from person to person. Someone is ALWAYS accountable for the documents.

In short, faxes are just fine. Just don't act stupid when working with them. If you ever find a company that does, work to get their legal counsel fired. If that company is signing important documents without legal counsel, RUN. Run far away and never look back.

Re:Older generation

[Tim4444]

In real life, faxes of documents occur after a verbal agreement is reached.

That's not always true. In real estate contract offers are often delivered solely by fax, and the response is also delivered by fax when an offer is accepted. Sometimes the offers and counter offers go back and forth so many times that part of the document becomes too illegible to hold up in court.

Anyone can go to Kinkos and send a fax pretending it's from me. Someone might not be able to get me hired as in your example, but they might do enough damage to get me fired.

Faxing was an important technology that served a specific function in its time. It allowed us to transmit documents on analog lines before digital networks were widely accessible. Now that we have the internet and suitable cryptographic techniques, there's no point holding onto faxing. You can push the merits of telegraphs all you want, but I'd rather use a cell phone. Why waste money on a phone line for a fax machine when you can get an internet connection for about the same amount?

One irony of faxing is that digital lines are taking over in the public phone network as well. However, people are still trying to use the analog fax protocol over digital lines. IP telephony is optimized for voice transmissions. If a packet is lost, many applications will fill extend the voice from adjacent packets to cover up the dead space from the lost packet. This kind of manipulation makes voice sound good, but it distorts fax signals in a way that the protocol wasn't designed to check. The fax protocol checks for a certain threshold of error before it requests a resend. The designers new that if they mandated a perfect transmission the resends would slow down the fax too much. They designed the checksums to catch the most common errors that occur with analog lines. With IP telephony manipulation, the fax protocol can't detect much of the manipulation and so you can get a completely munged document that didn't generate a single fax error.

I think faxing filled an important niche in its time, but the world has moved on so it's time to let go of it. Newer copy machines even let you email your scanned documents which is far more convenient than faxing ever was. I'd rather see companies put their energy into standardizing an email encryption system rather than trying to keep faxing alive.

Doesn't Make Sense To Start New Trends

[darkmeridian]

Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.

Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.

Re:telephone number

[MoonBuggy]

But most people don't have a fax machine, so almost any forms that have to be faxed from customer to business will just have the number of the nearest copy shop with a fax service. If you're faxing a form that you've filled in then the "stationary" is already covered.

The only thing left is the signature, and the security of that is no different whether it's email, fax or a photocopy delivered by carrier pigeon.

Re:Should have stop at, Aren't FAXes the weirdest

[Dog-Cow]

Faxed copies of documents are legally binding, scanned+printed are not. Blame the law that hasn't caught up yet.

Re:A watermelon, eh?

[utopianfiat]

I mean, a fake signature may be fraud, but at the end of the day your argument is like arguing that you should be alive after getting hit by a drunk driver because he broke the law.
"Just because you're right doesn't make you any less dead/injured/royally boned"