Schneier Asks Why We Accept Fax Signatures
Bruce Schneier's latest commentary looks into one of my pet peeves: faxed signature requirements. He writes "Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them. Yet people do, all the time. I've signed book contracts, credit card authorizations, nondisclosure..." It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email.
That's the older generation for you... once you young-uns who grew up with email get promoted to PHB status, you too can adopt your favourite technology of your day to deliver signatures...
The acceptance of fax signatures has to do only with the fact that fax machines have been around for a long time, and people think they understand how they work. It just seems safer.
Sadly, the same people who make decisions based on the comfort provided by the familiarity of a technology are those who make policy at companies.
Not just for signatures, but it really annoys me when a company will only accept faxes instead of scanned emails for any number of documents. Luckily the situation has been improving in the recent years.
I've seen this before. People will accept a fax as 'in writing' because someone puts a piece of paper in one machine and gets a piece of paper out of the other end. There's obviously no way anyone could tamper with it on the way. (Sarcasm) People who have different setups (where they see an electronic file rather than a piece of paper) seem to be a bit more wary.
I believe the problem is due to the fact that I, like most people I'm sure, have never heard of this simple exploit. Second, people obviously trust fax machines, perhaps because they're simplistic compared to computers. There's so much magic with email I can see why people don't trust it. It's unfortunate that people don't consider unforeseen physical hacks as serious threats as well.
I find it amazing that CC companies want customer sigs on the back of the card. I add CID and SIGN it. About half of the ppl will now check for my ID.
I prefer the "u" in honour as it seems to be missing these days.
Businesses have been using faxes for decades. The risk of forgery and other liabilities have pretty much been well-established by law and common knowledge. If a contract requires modifications to be in signed writing, it is a matter of established law that a faxed document counts. Does an e-mail count if the contract doesn't expressly say so? That's just an unnecessary risk at this point. In the future, things may be different but there's no reason to be the first person to settle that uncertainty.
Furthermore, faxes are relatively secure because it is a one-on-one communication. In contrast, e-mails can be intercepted or become widely disseminated. The risks of using e-mail in a business setting (for signatures and the like) have not been tested too thoroughly, either.
A NYC lawyer blogs. http://www.chuangblog.com/
Scott Adams already covered this in "Dilbert".
The accounting trolls told Dilbert that they wouldn't accept copies of his expenses... but he could FAX them.
I'm sure you can forge a signature, but not the number you're sending it from. Surely that can count as another level of security?
Yeah, people are stupid. What else is new?
Give me Classic Slashdot or give me death!
All we want are the fax, ma'am.
There, fixed it for you, Bruce.
Between people being quite apt at duplicating another's signature good enough for 'at a glance' acceptance
and
people's signatures changing over time (my bank just informed me that the last signature I gave them deviated too much from the one they had on file since 10 years ago, and so as to please put my signature on their form five times to get them a new basis. Guess what, the five looked alike, sure enough, but they could just as well have been forgery attempts from 5 different people...)
I'd say that signatures in general are relatively unacceptable. Except that they're usually 'good enough' for what we need them for. That's why we accept them in 'analog' writing, faxes and even e-mails. In the few cases where it was indeed forged, it's usually found out pretty easily.
Oh, but wait, Bruce already said as much; not included in the summary, of course. So go RTFA, then come back here to complain about Slashdot's shoddy headline/summary policy.. it's too much like an actual newspaper.
Now... where's the discussion of alternatives? One of those one-time 2D barcodes that uniquely identifies -moi- when used with the recipient's public key.. or something.
There's probably not. =)
I have been told on a few occasions "PGP signed email" is not sufficient, and that only a fax would be accepted. This even happens if the signature can be verified. Banks seem to do this a lot. I wish that they would catch up with the times.
I've signed a load of contracts in the US by having my publisher send me a PDF, which I've returned (by email) having copied and pasted a scanned copy of my signature over it. Interestingly, they would accept this but not a hash of the original PDF signed with a certificate signed by CACert, which had two people verify two pieces of government-issued ID to confirm that I am me.
I am TheRaven on Soylent News
The signature on the credit card or on the sales receipt have been for security purposes. It's there to indicate that you accept the terms and agreements to using the card, and that you agree to pay the credit card company for your purchases.
You never expect irony, do you?
Want to be a professional wrestler? Visit www.iyfwrestling.com
@iyfwrestling
They are about legal requirements.
Faking a fax signature isn't really that much harder than faking a real one.
Sending a fake signature over a fax isn't that much harder than faking a real one, but is no less criminal.
"Notarized" signatures are supposed to be more secure, though if you can produce a convincing fake ID, they probably aren't.
I was a property and casualty insurance adjuster for a few years. The state I dealt with had mandatory PIP, which means if you are injured in a car accident you have primary medical coverage through the auto insurance policy. I was constantly turning away both claimants and medical providers who wanted to fax medical records, notarized forms, etc. It wasn't the claimants who were the problem nearly as much as the medical providers, who would actually get ANGRY when I refused to accept faxed paperwork from them.
One thing I learned from a few years in the insurance industry is that the majority of medical providers, or at least their billing departments, are, at best, a bit shady.
Vaguely related to the topic at hand are the legal rules surrounding any communication.
It's generally accepted (in UK law, at least, so my source says) that once you reply and / or initiate a conversation over a medium, that that medium is then a valid method of contacting you indefinitely over the course of that action.
So if you email a solicitor, then for that solicitor to send you an email back is perfectly legally acceptable and may even be construed as "delivered" whether or not it arrives. Because *you* selected the method of transit. If your mortgage nearly falls through at the last minute and you need to do something incredibly urgent or lose your house, a solicitor acting on your behalf can just send you an email and they've "done their job". If your servers are down, tough, if you no longer have that email, tough. At least if you read the strict letter of the law.
It may be that this is related - once a person has contacted you by fax, then sending back your confirmation by fax is construed as legally acceptable for "signing" a contract. If you don't like it, then don't communicate with them by fax at all. Ever.
On a personal note, if I weren't able to fax legally-binding forms back to a company, I wouldn't have a house, but I still don't "like" it. My purchase of the house dragged on for six months longer than it should have and the solicitor in charge on my end was a close personal friend, so they were stopping all heel-dragging and pulling out all the stops for us.
However, just as we were approaching the signing date, we had an holiday booked (Hey, we thought a six month cushion on top of a six month estimate for the deal would be long enough!). We arrived in a foreign country for a holiday, and within a day we had a phone call to say that if a particular court didn't receive a signed document on an official form within the next eight hours (time differences etc.) then we wouldn't be able to complete the purchase now, or ever (the house would be sold at auction). We had to find a kind hotel (fortunately, we found a hotel receptionist who had recently had much worse problems selling their house and they let us use the hotel fax machine for free) and receive several forms, sign them and fax them back (and pay a month's mortgage, in cash, within 8 hours but that was easily resolved by phoning relatives near our solicitor's, although we still technically owe them that).
So it worked out well that we were able. I don't think we could have got back in time on the first plane, and there was nothing we or our solicitor could do to negate the need for us to sign the forms and pay in cash (bank transfers etc. wouldn't have cleared in time, believe it or not). However, the fact that anyone could have signed the form just shows that 99% of paperwork is useless and a waste of time, not that fax machines are somehow "evil".
Bruce Schneier sure is oblivious sometimes.
They're accepted because they're good enough.
What does that mean? It means that if there is a problem later, the fax is sufficient evidence to resolve most problems, either by providing proof of a signature or proof of a forgery. As long as most businesses have some documentation to cover themselves that's generally good enough. Certainly some issues may not fall into this category, but enough do to make faxes acceptable.
Security, for many businesses, isn't about "making sure something bad doesn't ever happen" it's about having what you need to resolve a problem should it arise in the future.
I still think they are not really off the hook. Faxed signatures and POS scans won't stand up in court to prove anything. Just procedure infested companies taking too long to understand the impact of new technology. So many companies pay for proprietary software to lock out the print screen key and try to prevent screenshots of confidential documents from being leaked. But I have taken readable screenshots using my cell phone camera. What do they do? They pretend such cameras don't exist, and plan to feign surprise when shown a screen shot taken by a cell phone camera. Can't figure their logic out there either.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I could easily forge my parents' signatures when I was 9 (And did it a couple of times). I don't trust a penned signature, why should I trust a faxed one?
It is certainly possible to write, in script form, anyone's name and not just your own. Why would a company accept any signed contract where one of their representatives didn't see the other party, to the contract, sign? Sure, hand writing analysis will reveal the forgery but who submits a signed contract to hand writing analysis before executing on their part of the contract? Considering the amount of identity fraud going on where the perpetrator submits a credit card application using your identity and "signs the application" to authorize, you would think that banks would get tired of losing money in this trick.
Lest you digerati start smirking in smug superiority, an X.509 certificate is no better if the bad guys have gotten hold of your private key.
Get three pieces of black construction paper and a roll of scotch tape.
Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.
Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.
Go get a cup of coffee.
are just as silly. It's pretty trivial to use fake IDs esp. with lazy notaries.
never mind that with eFax and just about any other service, you can fax someone the scanned image that is mentioned. Don't tell that to your bitch of an HR rep though. She'll probably fire you for whatever obscure reason...
http://www.youtube.com/watch?v=RJkx_oD63KM
-1 not first post
The answer is extremely simple. There is precedent in the courts that says a fax signature is acceptable and legally binding. There is no precedent saying that an e-mailed document in digital form is.
Hence on a contract, fax is accepted.
-M
when you see the word 'Linux', drink!
I assume the (il)logic is the same as that governing people's willingness to give their credit card numbers to an underpaid human, over an unsecure POTS line, frequently over a really insecure old school cordless phone; in preference to giving the said number to a machine over SSL.
In general, people's risk assessments are completely out to lunch. Back in 2001, my school had its student trip to Greece canceled by parental concern. Apparently, the parents wanted their kids "safe at home"(never mind that we all lived in a certain large city on the American east coast), rather than facing the foreign dangers of a fairly quiet and moderately obscure neutral country.
I think that there has been some work done on formalizing our understanding of what distorts risk perception; but it makes for depressing reading.
This might have been an interesting question to ask about 7-8 years ago but now it just seems like Bruce is running out of topics.
I have, however, cut and paste my signature electronically into a document and then printed it out before ultimately faxing it; looks more real. I realize this is silly - why not just print the document and sign it myself before faxing?
I think I just wouldn't get the same thrill out of cheating the required-signature-on-a-fax system.
I've learned that they're worthless, so I don't read AC comments anymore.
Faxes come with a telephone number of the sender as well, and often the personal cover letter. To forge a fax that is perpetually unquestionable you have to forge the phone number, signature, and stationery.
People are comfortable with that because they understand what is involved in doing that. With e-mail and digital docs it's harder for an untrained person to evaluate the threat. Also with digital docs it's harder later to raise questions about the authenticity. With the fax, one can later check for example fax logs on the sending machines and other trails of evidence.
In both cases forgeries are possible but in the case of faxes most humans are able to evaluate the threat.
Some drink at the fountain of knowledge. Others just gargle.
I see the security concerns, but there are situations that need this or something like it, right?
You're 1,000 miles away on vacation. You left your kids with your parents. They get in a bad car accident, and the hospital needs your signed permission to operate on your child. Since a fax can easily be forged and can't be trusted, what's a better solution?
The solution needs to use things equally available as a piece of paper, a pen, and a fax machine. I may not have my computer with PGP encryption etc. with me.
My signature is just a random scribble which nobody ever looked at until I bought a house. Then all they did was verify the scribbles matched each other from doc to doc; they didn't match my ID signature at all.
Bruce Schneier here. Disregard what I said about faxed signatures. They are perfectly OK.
Here's my OCR-ed signature: Bruce Schneier
It helps them with having their secretaries sign everything for them, and helps release them from liability as they can later say "I never signed that". As long as it's accepted as a "good enough" practice it will still be only reasonably challengeable, and grotesquely insecure, but still, good enough for government use.... Ah, America, land of the Luddite.
Like arts? Like cheesy little Indie mags? Check out www.artwerkmag.com, and don't laugh at the bad coding please.
That's the one that always amazed me -- no signature required, just as long as the request was printed on some special (and easily forgeable) paper.
At a job where I provided IT services for many clients I always kept a copy of each customer's letterhead on file to make it easier to deal with people like Network Solutions.
To get my last mortgage I needed to provide several months of bank statements. It was absolutely unacceptable to send them the PDFs that my bank keeps online. I had to send them copies of the actual statement. No matter how much I talked to them I couldn't get them to see the light of day. So the easiest thing to do was print my PDF statements and then fax them the printouts.
First of all, legally, a copy of a contract is just as legitimate as the original (yes, IAAL). Both can be alleged to be forgeries just as easily. In fact a copy could be more easily proved to be a forgery than the original, as one could compare signatures and show that the signature was lifted from another source. It's like one of those infamous "Majestic 12" documents that was allegedly signed by Harry Truman - the best evidence we have that it is not authentic is that the Truman signature is exactly like another signature on another document, it was lifted, cut and pasted, onto the MJ-12 document. Note: I don't want to debate the MJ-12 documents here. Anyway, the other reason why fax signatures are not a security risk is that you know who is going to be sending you the fax. "Sign it and fax it over to me today." You get the fax today. Nobody else would reasonably know about that expectation. It's like going to pick up money from western union - "I'm here to pick up $100 for Brian Halloweth" ... the fact that you know about the 100 bucks for someone named Brian Halloweth is good evidence your claim is legitimate. Ditto with the fax signature. Of course this doesn't apply to general applications that can be signed and faxed at any time, unexpectedly. But those can just as easily be forged, and in this scenario the faxee is less likely to know the signature of the faxor.
Any alleged weakness in a fax signature is also a weakness in a real signature. That's the bottom line. I don't buy the notion that they are a huge security risk.
Stupid people make stupid things profitable.
why are signatures supposed to have represented security, in any context, at any time period in the past?
it's just a formality, a minor road block. it's not anything remotely secure, but it represents a tangible personalization. it's psychological more than it is security: making your personal mark on a deal
for that psychological reason, the signature will never go away. but nor should anyone have ever thought of them as a security feature in the first place. they are trivial to defeat, and always have been trivial to defeat. all you need is one copy of someone's signature and 15 minutes of patience and practice and anyone with a pen and a writing hand can copy your signature good enough to fool a third party
a white picket fence won't stop someone committed to getting in your yard either. but is that a reason to take down your fence? or upgrade to 10 foot chain link with barbed wire? no: you're simply thinking about the value of a white picket fence in the wrong context
the problem is not with the security questions surrounding a written signature, the problem is in ever thinking of them in a security context. it's a psychological and personalization context question, the use, and continued use, for a long time to come, of the written signature
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
sign the document, put it in an envelope and fax the whole thing, problem solved. These so-called security gurus are all very well but they lack common sense.
I've been surprised at this policy myself but it seems to be quite common. I wonder if there isn't some merit in it, though. For a non-technical person, the fax probably seems a lot more secure than email. Email requires spam filters and virus scanners and training in security practices for users. That makes the content of email pretty suspect.
Also, I wonder if a fax is more auditable ... I mean, you generally know what phone number it came in on, as opposed to an email whose originating ip can be easily forged. Legally, that might be meaningful if they had to hold you to the fact that you signed something. It might be easier for you to deny having sent an email with your signature than to deny having sent a fax that originated from your home or business phone number.
Prov 9:8 Do not rebuke mockers or they will hate you; rebuke the wise and they will love you.
An OTC derivatives trade is usually for some horrendously complicated thing that is so customised, it hasn't a chance of going the listed route. OTC trades are made by phone and they can be made for tens of millions of dollars. The signed trade confirmations go more often than not by fax.
The check is that I have a timed telephone call and a fax to confirm the transaction and so does my counterparty. Of course that's where the real fun begins as the deal needs rekeying.
In modern times there is something called FpML and then there are matching/confirmation systems such as SWIFTnet FPML, SwapsWire or DTCC Deriv/SERV which provide electronic signatures and non-repudiation, but they are still not used widely which means ultimately back to the good old fax.
See my journal, I write things there
So, why do companies accept easily faked signatures by fax? They have a signature, so you're bound to the agreement. The burden of proof is on you if you want to prove the signature was faked, not them, so they're protected. They'll either get paid by you, or you'll find the identity thief and they'll get paid by him or her.
The bigger question would be why do we agree to being bound to our faxed signatures? And the answer there is convenience. Sure, they can be faked, but it's a lot nicer than having to wait for the US Mail.
I swear, he makes some good points, but as a security professional he should understand why they accept it. The amount of business they'd lose by not accepting it is worth more than the potential loss if they didn't.
Of course, now that the cat's out of the bag, they'll need to reevaluate.
I work for a high tech, email centric company.
If I have something I need to sign (for HR, or whatever). They email me the form. I then need to print the form out, sign it and fax it back. In some cases they are in the same building, but I'm not allowed to walk over to them, or interoffice mail them, to deliver the actual signed form.
I think in large part it's just because they have an established standard, which they use to deal with all our remote offices and such, and they don't want to deviate by having people walk in to the department. But it's pretty silly to have to fax someone when you could be at their desk in 30 seconds.
Sometimes people get so used to a process that they can't see that it's not the most efficient process anymore. This is how it's always been, so this is how it will be. Amen.
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
I wrote "See License" on the back of my credit card. I'm still amazed by the number of vendors who don't look, so I make sure to thank the ones that do, and chide the ones that don't.
Actually, Zug.com has an interesting tale of the author trying to see how much he could get away with when he signed credit card purchases. He even did musical notation once. Very funny.
http://www.zug.com/pranks/credit/
http://www.zug.com/pranks/credit_card/
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
That telephone number that is supposedly the sender's is just a setting in every fax machine. You can enter anything. It's entirely meaningless as proof of anything.
Allowing the sending of signatures by fax is STUPID, stupid, stupid. It got started when a fax was allowed as an initial application, to be completed when a mailed letter was received. Then work-avoidance schemes took control, and waiting for a letter and opening it and finding the application and continuing the processing was eliminated.
I don't know how things work in the US, but in many countries a signature delivered by Fax carries the same weight as a signature sent by snail-mail. But a scanned document sent by e-mail does not carry the same legal status - simply because no law has been passed to ensure that.
So one simple explanation/answer may be, that a fax simply has a higher legal status than a scanned document sent by e-mail. I am willing to bet that actual laws regarding the validity of signatures DOES have the word "fax" in them (or in some sub-clause) but the word "email" is nowhere to be found.
The problem may not be that the older generations "love their fax machines" or understand them better - but simply that nobody has updated the laws used to resolve legal issues surrounding signatures sent through e-mail.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Turns out, they do not. Or rather they do, to the limit where they start verifying signatures (which they do not for smaller transactions and the like). For larger things they require either an original signature or they call back.
This was something like 20 years ago, and I have no doubts they do something similar today. Recently I got called to verify a larger (not that large though) bank transfer I had done via online-banking. That is the state of the art in Germany though. No idea what US banks do, but the few contacts I had struck me as positively primitive compared to European banks. Less fraud in the US? I doubt it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I'm no expert, but I'm pretty sure that forging a signature onto a high resolution scan of a document is even easier than doing so on a fax given an authentic signed document.
...but I don't know a single sensible European company that accepts a fax from a stranger (i.e. nobody they have a standing business relationship that is already built on a fair deal of mutual trust). Courts don't see faxes as legally binding contracts either. A fax may be used as a precursor for a contract, they may be used to exchange the documents for signing but you won't see a contract that is not transferred in the original to the recipient in the end.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
My wife is an RN for a clinic. Recently, the state of Oregon began requiring faxed prescription requests for certain meds, disallowing the more standard email system that was in use.
My opinion? It's a way to keep more state employees busy, manually typing in information that would have already been there with an email.
-- I really need to bleed off some of this
Is it the shite resolution?
All good reasons, to be sure, but ffs, stop with the fucking faxes, please.
Is it the slowness?
The lack of security?
The 19th century technology?
The bulky machine?
The waste of paper?
It's any mark that you use with the intent to authenticate something. Your signature does not need to be the same every time. For fun, at self-checkout terminals, I occasionally sign with a tic-tac-toe grid, a drawing of an airplane or with my non-dominant hand. Those have exactly the same legal significance as the signature I used to sign my mortgage documents.
On an agreement, the signature is evidence that you agreed to it. But, if somebody wants to say "I didn't sign that," you can look at how he acted at the time. Was there an email saying "I'm faxing over the signed version now"? (Is there a copy in the sender's outbox, or a backup of the outbox?) After faxing it over, did the sender act like there was an agreement?
A signature that looks very similar to another signature is evidence that the same person signed both. But, once you start faxing and copying, the value of that evidence drops.
The bigger problem is when people start accepting faxed signatures for things that they shouldn't without any further checking: "Here's a fax from the president of the company, saying to write me a check for $1M," or "Mr. Rather, here's a scan of a document from when George W. Bush was in the air national guard."
Now imagine I have a high resolution scan of a contract for which I want a signature pasted to it, like the fax example you gave at first: You cut the signature of someone, paste it at the bottom of the contract, then scan it at a high resolution.
You then take Photoshop, enhance the contrast so the whites are white, and the blacks are black. Then you use that pretty little Photoshop eraser, and make sure the border of your pasted signature can't be seen. This is kid's stuff!
I still don't understand why a fax signature can be accepted too. The only signatures that should be approved should be Ink on paper handwritten signature, and certificate authority certified digital signature via EMail. I would feel a little safer then.
The document sent can be doctored in many ways, but there are lots of precedents about misrepresentation, forgery, larceny, and so on. The laws don't need to be changed. If someone forges or misrepresents information, then they're criminally and civilly liable for that action.
We accept and trust people and their submitted documents. Fancy that.
What? They're not real? That's a bad thing. Time to call the prosecutors. Jail for that? Really? Good.
---- Teach Peace. It's Cheaper Than War.
In North America and Europe, an electronic signature is generally legally binding, so it's the people, not the law that are the barrier.
We had one vendor who refused to accept a signature on a scanned and e-mailed document - They insisted that it be faxed. We even pointed out that we were just going to print out the scanned document and drop it in the fax machine because the physical document had already been handed off to somebody else and we suggested that they just print it themselves. They still wanted the fax, so we printed and faxed the document we'd already delivered and that satisfied them. Bizarre.
He's getting rather old, but he's a good mouse.
AFAIK, the reason why faxes gained status as legally binding is because it is very hard to falsify that a tele-communication transaction actually took place between two parties since the telecom industry keeps detailed logs. So in case of a business dispute that turns into a lawsuit, the court can request log files from a neutral 3. party. No such neutral 3. party logfiles existed for email.
Legally binding faxes don't give protection against 3. party frauds, but give some measure of protection that a communication took place between two business partners. The fax signature is of course easily falsified, but AFAIK the reason they became accepted was because old well established laws governing falsifying signatures existed. It is easy to raise charges against someone who falsified a signature, whether on fax or paper, but what about altering the "From:" field in an email? There will also exist an original of the fax with the real signature on at the sender of the fax.
That faxes are legally binding has everything to do with system of justice and law suits/disputes between business partners, but not very much about security. If you want content security use a pgp-signed email, if you want security for being able to sue somebody for breach of contract use a fax.
--
Regards
I sign loads of stuff every day, a simple thing to do to add a bit of security is always to use blue ink for signatures, and always send documents scanned in color.
I have a reluctance to _send_ a facsimile of my signature via e-mail (especially when sent from an aerioplane on the week-end). True, someone can cut and paste my faxed signature, but my scanned signature is more easily distributable to more unpleasant people at once.
Winston Smith's job would have been all the easier if the Party paper were on-line only....
Query:
People who understand the laws about this:
What about the legal status of documents received by systems whose "fax" machines dump directly to a stored image?
Faxed copies of documents are legally binding, scanned+printed are not. Blame the law that hasn't caught up yet.
It has to do with what is considered a legally equivalent fraud to creating and mailing forged documents.
Additionally a fax normally has an independent audit trail via 3rd party phone records (at least in theory).
So if you sign a contract and fax it through then later claim it wasn't you that sent it I'd ask for a verified copy of your or the sender's phone bill to start with.
As Schneier says in the article, the acceptance of faxed signatures is not nearly as insecure as it seems on the surface, because almost no transactions ever hinge solely on a single faxed document.
I've faxed signed forms for all sorts of things, from insurance forms to e-file authorizations for my tax preparer. In every single case, this was done in the middle of an ongoing process that had been started face to face or by mailing real, signed forms. The faxed documents were always sent after having a phone conversation that confirmed the content of the fax with someone I had already dealt with on the other end.
On the other hand, I've never seen a case where a fax would initiate a transaction on its own, or even determine dollar amounts of an ongoing transaction. They're mostly just used to speed up the process when a signature is needed as a formality, so the potential for abuse is really limited.
This reminds me of a boss who demanded that we deploy "digital signatures" - by which he meant we scanned our signatures into image files and attached them to an email. No amount of articles explaining actual PKI signatures would convince him that this was, in fact, less than useless because it gave a really false sense of security. I think I finally convinced him by emailing myself a directive to abandon the project, using his scanned signature, and copying him on it.
The problem is that for any real authentication to work, you usually have to have a trusted third-party, and because of all the costs involved in maintaining compliance with industry standards like PCI (for credit card processing, not motherboard card slots), this is going to cost money. Factor in the tin-foil hat paranoia we all have regarding trusting anybody to authoritatively authenticate on our behalf, and real digital signatures become really difficult to implement.
Can it be done? Absolutely, there are plenty of ways to do it now, and for individuals, it can be free. But for companies who spend thousands upon thousands of dollars on compliance issues, it becomes more difficult.
And anyway, do we really want signatures that are authoritatively authenticated with the force of law? I'm guessing we don't, which is why you don't see a bigger corporate push for this. There is some comfort in the wiggle room to say "that really wasn't me."
Sometimes I wonder why things are signed at all when they're clearly fake - it must just be an artifact of the medium. The other day I got a nicely written bulk-mail letter from my vehicle insurance agent. It was signed at the bottom, but I could see the edges of the pixels in his signature. Ok... there's nothing official contained, it's basically a flyer. I guess most people just won't notice? But even then they wouldn't think the guy wrote a letter to each customer individually. ...though now I know the shape and thickness of the lines in his real signature...
The premise of the commentary doesn't make sense to me. E-mail signatures have been accepted by most businesses for years now, for everything from vacation rentals to mortgage applications. Recently, in the process of signing a contract on a home purchase, we were forced to use a fax machine because no scanner was immediately available. The entire document later had to be re-sent by e-mail because the fax copy wasn't legible enough.
Sure would be nice if the signature could be verified easily BEFORE there is a problem, don't you think? Would be even nicer if the verification wasn't based on the subjective opinion of a handwriting expert.
if outlook had a clearly identified [PRINT] button, then email would be preferred over fax. Funny how the perception of paper with a requirement of 1 extra step (i.e. press a print button) creates such a backwards mentality.
The law of signatures places more emphasis on the ceremonial aspect of signing than on security. --Ben http://hack-igations.blogspot.com/2008/04/text-message-investigations.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
Just to inform all of you (mostly Americans); In Sweden, we haven't used fax machines for about 20 years. Well, surely some people do, but it's extremely rare, and no one considers them safe. We've used E-mail or snail mail since it's either simpler, or more secure.
Me, and most people I know, have almost never used a fax machine, and we don't understand why people around the world ever use them, at all.
This issue is very local and applies only to countries still using fax machines. Perhaps the issue isn't really about if fax machines are secure, but more general; why use them at all? They are stone age, insecure, crap quality, slow, consume an entire phone line, etc. Much like checks. I don't think I know any Swedish person who has ever used a check in his/her whole life, and that includes parents and grand parents.
So what's wrong? Fax being insecure? No, keeping bad and obsolete deprecated technology. Fax machines, checks, inch, feet, Fahrenheit, etc...
Come on, the entire world is laughing at you. I'm not trying to troll, but rather to enlighten. We do laugh; "Well, you know Yanks" and so on. Please give us a reason to stop that.
Ah! The old bang path. I haven't seen one of those in years. I was going to put that down as a missing option in the recent navigation poll, but I figured it was too late in the game.
When our name is on the back of your car, we're behind you all the way!
That answers the immediate question, but there's still the question of why the -law- considers a fax to be a legal facsimile.
... yet, my company's pretax account takes documentation via fax. I could mail the documents, of course, but that will add time and processing costs to all parties involved. (I'm sure they use electronic copies of the faxes, not paper copies.) So it's a significant benefit to all parties to use 'legal facsimile' faxes.
I think the answer to that, ironically, comes back to businesses. Businesses needed a way to send 'signed' documents quickly, and pre-FedEx there weren't really many options. Fax machines were bulky and expensive. They didn't accept signed documents from just anyone, they had already vetted the other party to some extent.
So, on balance, the convenience of 'legal facsimile' faxes outweighed the cost of the rare forgery. They pushed the law to recognize the same.
Now things have totally reversed. You can send documents to anywhere in the country in a day for a modest amount, you can create perfect forgeries using a scanner, basic editing software and fax modem, etc. People would be insane to trust faxes for anything but the most trivial things...
Bottom line is that businesses use faxes since it's legal, and it's legal because businesses want to use faxes. It's not going away soon, but I agree 100% that it's insane to trust faxed documents for anything of significant value. (E.g., we used faxes to the seller when I bought my house a decade ago.)
I think the ultimate question is refutability. I don't care if a business accepts faxes -as long as I can refute a forged fax-. That's the only sane solution -- put all liability on the receiver. They can continue to accept low-balance transactions if it's convenient, while I can be confident that nobody will try to forge documents "selling" my house to a third party.
(It turns out we have a good recent example of this -- credit card companies don't require signed receipts for low-balance credit card transactions. The cardholder always wins any dispute, but businesses are willing to accept that risk in exchange for the convenience of moving people through the line quicker or avoiding the need for customer interaction at all (e.g., at gas stations))
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
I'm always impressed by the Slashdot posters that are heroes in their own minds. If you'd read the post in his blog instead of the Fine Summary, you'd know that's exactly what he says.
My understanding (based on the contracts I have worked with over the years) is that this condition isn't a legal condition, but rather something that is specified in the agreements between companies. Our contracts specifically call out that faxed approvals are sufficient, and newer contracts say the same about e-mail. This is working with financial institutions on matters such as project approvals and change control approvals.
I wouldn't do this for big deals involving large amounts of money (exceeding 6 or 7 figures), but I for one don't worry too much about an email approval.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
"Get three pieces of black construction paper and a roll of scotch tape.
Tape them together top to bottom, creating one long sheet. On the bottom, place a piece of tape half over the edge.
Insert the long sheet into the fax machine, and dial the number. As it begins to feed through, quickly affix the top to the bottom sheet, creating a long loop.
Go get a cup of coffee."
You forgot to change your own fax settings to "Fax Directly" instead of "Fax from Memory". VERY important point.
"As God is my witness, I thought turkeys could fly." A. Carlson
Actually you're not correct there. Digitally scanned documents are legal substitutes for the original.
Don't believe me? Check with your bank. Checks are not physically distributed to other banks for payment/clearing (I believe) and virtually all banks use digital images for "returning" your check (I know for a fact). Print out that digital image and it's perfectly valid in court.
The law this is based off is the one that says 'a copy of a document is legally equivalent to the original'. Heck, you realize most modern photocopy machines are actually a fancy scanner and laser printer with a computer in between, right?
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
Back in the bad old days before I worked in IT. I worked in a call center / customer order entry for a place that sold various holiday pastries and such products.
We had people FAX us checks all the time, and then call up and get abusively angry at the agents because their order was not processed (They usually neglected to put a phone number on the form too).
The only thing sillier at that job was the phone system, antiquated even for the day. The order taker would push a button after each call to signal the ACD that she was ready for the next call. Of course every holiday we'd clean out the temp agencies of agents, a good percentage of which would choose to take a call and then read for the rest of their shift if somebody didn't come over and push the button for them.
yes...and that it's been in use for a while.
I've signed contracts over email/pdf before. The last job I had, I didn't need to fax my acceptance letter. They had some online system where they sent me the pdf and I accepted it through some website. I don't even remember the process. I'm assuming it is just as valid as it was a very large company.
In Canada, there's also http://www.datawitness.com/products/signoff which seems to have some kind of legitimacy. I think they also have contracts with the government of British Columbia for online Wills and other things.
The law takes time to change. The proper legal use of online methods (email, PGP, certificates...) will get there.
To quote: "It's amazing how organizations are sometimes willing to accept low-quality, unverified scans delivered over POTS as authoritative, when they won't take the same information in a high-resolution scan delivered over (relatively secure) email."
This is Timothy's comment, not Bruce's, and makes me think that Timothy missed the point. Scanned and emailed signatures have EXACTLY the same problems as faxed ones. The point isn't that we should encourage MORE bad security practices, but rather eliminate them. The faxed signature from McDonald's to release a prisoner could have been just as handily done by email if we accepted scans of signatures as attachments. In fact, it could have been done more easily because "relatively secure email" is easier to forge than fax sources.
Making email secure would require hashing which would involve cryptographic keys. At that point, we could actually eliminate visual signatures in all cases except for in-person, pen-and-ink signing of documents, by using digital signatures.
Faxed signatures are a bad idea. Scanned and emailed signatures are the same thing, but more democratic--let's bring a bad idea to a larger audience!
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
PHBs are not logical at all.
Whilst working for a bank, they wanted absolute proof that certain Emails that they sent to clients, were, in fact, received. When they found that "return receipt requested" could be turned off by clients, they insisted on another way.
I asked if they did this for paper snail mail. The resounding answer was "Of course not". So I asked why this was any different. They could not come up with a good answer. Their best argument was about paper being a physical medium that they PAID to send, so there was proof that they sent it.
Again I explained that the Email copy in the out box was equivalent proof. They said the data could be deleted. I said that the proof of payment of the snail mail could burn if a fire, or blow away in a hurricane.
Then I realized that management does not function on logic. Supposedly they function to get themselves promoted and get themselves more money. But that does even hold true here.
So, after all that, it was decided, when an Email return receipt is not received, we sent out a paper snail mail to cover our butts.
I dunno. -- I fired them as my employer and have a wonderful job now.
- I live the greatest adventure anyone could possibly desire. - Tosk the Hunted
American law is more open to interpretation on these matters. Basically, whatever fits the circumstances tends to work out. If you type your name at the bottom of an e-mail with the intent that it act as your signature, then a good lawyer can usually convince a smart judge that the e-mail is a signed writing.
They're accepted because they're good enough. That's exactly what Schneier explains in his essay. The questions he asks are rhetorical.
Jane Jacobs, "Systems of Survival", of Greenwich Village, NYC, anti-housing projects fame. This dialogue is a quick read. The short answer is that in commerce honesty (a faxed signature) can be presumed, if it can't, commerce will fail.
I've often wondered about the electronic signature pads for credit card purchases. Once they have a copy of my signature they can put it on anything. Why would such a signature have any value whatsoever?
All that is required to be legally binding is an offer and acceptance. This can even happen orally. For some kinds of contracts -- covered by the Statute of Frauds -- you need to have a written document which must be "signed," but this refers only to some indication in the document that the person has knowingly agreed to be bound; a suitable email will suffice.
Here, some googling found this: "Signature" merely means any authentication which identifies the party to be charged. Even a letterhead or an "X" will do, provided it is placed on the writing with the intent to authenticate it. (Merrill Lynch, Pierce, Fenner & Smith, Inc. v. Cole 457 A.2d 656, 663 (Conn.,1983).) http://www.west.net/~smith/frauds.htm
(I'm not your lawyer and none of this was legal advice, obviously.)
Working for a startup company back in 1992 we solved the distance signature problem. It was called Telesignature (patent # 5,222,138). I am listed as co-inventor (the other person who hired me had no technical knowledge). You would place a document into a secure enclosure and a scanner would scan it and send the image via modem (9600bps in 1992) to a pen computer on the other end. The person would review and sign the document and the signature would be sent back and written with a pen plotter on the original document. We got lots of raves on the signature quality. Virtually no one who was shown the signatures could tell it was written by a machine. We used RSA keys to ensure the whole process was tamper proof and an audit trail was left. A year later we brought out a companion product called fax-a-check. The digital copies of the document are what actually provided proof of the transaction. The legal system at the time demanded written documents and so it seems still does.
(Sigh) Kudos.
I have a refrigerator magnet of a FAX machine that has that quote on it with "FAX" for "FACTS". I used to watch that show regularly and contrary to what SNOPES says, I could SWEAR Friday or Gannon said it on at least one occasion --- Maybe without the "ma'am" part...
But, "Don't taze me bro!"
"He's dead, Jim".
I filed an auto insurance claim once, and I had a police report. The adjuster asked me, via email, if I could give her the police report. I replied, asking whether she needed the original, or if a copy would do. "Oh, you can fax it to me," she emailed.
"Well," I replied, "I don't have a fax machine, but I've attached a scan of the document to this email."
Adjuster: "That's great, but I really need you to fax me a hardcopy."
I had to explain to her that she could simply print the image I'd sent to accomplish the same thing, since it would be identical to my scanning the image with a fax machine and transmitting it to a printer at her office. In fact, my scanned image was even in color, if she wanted to print it to a color printer, and would probably be unreadable as a fax anyway. This woman couldn't have been older than thirty, so the argument about "the older generation" does not apply.
Is there an argument for "the stupider generation?"
Web 2.0 == Giant Blogspam Circle Jerk
Faxed signatures are accepted because a lot of business would grind down to a slow pace if it didn't. Also, companies want to grab you now, rather than wait for you to mail or bring in an original- more chance you might forget, get side-tracked or go to a competitor. Also, speaking from a b2b perspective, business people don't have the time to bring things to each other, nor the funds (or time) to mail/courier papers all over the place. Fax is still a major method of sending signed work orders, contracts, purchase orders etc.
If a company is smart though, they should know the person they're talking to before they accept a faxed signature. Although, how many companies actually analyze a signature to check if it's forged? And who can tell if it is? The whole concept of signatures is rather flawed in my opinion.
Check it out: Signature Requirement
"Signature" merely means any authentication which identifies the party to be charged. Even a letterhead or an "X" will do, provided it is placed on the writing with the intent to authenticate it. (Merrill Lynch, Pierce, Fenner & Smith, Inc. v. Cole 457 A.2d 656, 663 (Conn.,1983).) http://www.west.net/~smith/frauds.htm
The reason your bank can use a digital image for your check is because Congress created a legally binding document called a "substitute check" (this was in the wake of 911 when paper checks were stuck on the ground for 3 days). See http://en.wikipedia.org/wiki/Check_21_Act. Before that act, the original dead-tree check had to be sent to the account bearer's bank for actual processing.
I would be wary of stretching that logic to apply to any legal document -- if scanned documents were valid, banks could have been doing this with checks before the intervention of Congress. Then again, I don't know why faxed documents are presumed any better.
Faxes are legally binding, emails are not (yet).
I was a programmer, now I'm a law student. From what I've seen so far of the personalities in law, my guess is that the generation who was running the legal community felt comfortable with faxes because they *seemed* simple, while email clearly had more mysterious techno-magic involved.
Are you sure about that? State law varies, but under the UCC , email and electronic agents may bind you without a signature at all. If checking "I accept" on a EULA or TOS is binding (and it is) emailed signatures should work in most states for most contracts.
My company recently asked a bunch of us to send in updated information to the corporate security department. We were told to fax this and not email it because "the information was too sensitive for email." I think that may be one of the dumbest things I've ever read. I sent mine by FedEx in a sealed envelope.
here's the answer to every question about people and security: "Because people are stupid." You're welcome Bruce, thanks for your variation of the question.
FreeBSD for the impatient.
I have many times sent an email with some document to a company or a government agency, and gotten the response back that I need to fax it instead. So I just take the same document and then use print to fax directly on my laptop, no fax machine needed. It's just amazing how "normal" people don't understand how fax is not more secure than email. The only possible advantage of using fax is that at least it can be tied to a physical phone number, however I seriously doubt people check the fax logs for the number the fax came from, do fax machines even keep logs or print out the originating fax number?
If that is so, then how did I close on my house?
EVERY document in the process, except the final 237 million signatures done at closing was sent to me in PDF, and I used a pen tool on a Wacom tablet to sign them, and email them back. Probably not the most secure way, but neither is the US Postal Service if you think about it.
Don't blame the law when it's just the luddites in the way.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
The only difference, but that seems to be an important one for some people, is that the fax machine prints status data with the date, time and remote fax number. That's strange to me, but this has greater value than email envelope, even though both can be easily forged.
Check 21 didn't "allow" banks to accept an electronic replacement, it forced them to do so.
This has annoyed me for years. I had a discussion over what a fax actually is with a lawyer a few years back. My issue was that many firms had electronic fax systems that allowed them to send 'faxes' from within their email client. If I send an email/fax via this system to a company with a similar system I wanted to know how it was a different means of communication to an email. I could stick a jpeg of my signature in both, but one is legally binding.
Yes, an "X" counts as a signature, so does your thumbprint, or even your noseprint. The point, dear lad, is that the signature/X/mark/stamp/etc. binds the person making the mark, not the other party.
Please go back and read my post, continuing past the first sentence, and if you have to, simply recite "... or any other mark sufficient to identify the party being charged" in your head when I say signature.
Oh, and don't tell people they're wrong when you don't understand what they're talking about.
Not quite true.
America, Home of the Brave.
In the US it is a State by State issue. Some States have enacted legislation that provides for faxed documents being legal. The same could be said on an international level. There are US federal laws and regulations on the issue but there are many and they are usually department of the federal government specific.
Is buying a Harley Davidson as your first motorcycle since you were 16 at age 49 a midlife crisis issue?
Scanned and printed copies are treated the same as a "xerox" photocopy.
I suspect that your confusion stems from the fact that if you print two copies of a document from e.g. MS-Word, neither is considered a copy of the other. If the law requires you to provide someone with a "copy", you need to print one copy then photocopy it (scanning and printing counts). IOW, the copy must be made from a physical document, not from the data which was used to generate it.
Cool. So I can copy some money and it's equivalent?
I thought it was:
4 melvon
5 mevon
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
A signature is not an identification tool. It is a deliberate act signifying agreement. Since you have to put some effort into signing a document, it means you agree to the terms.
Some documents are so important that you must write the whole thing out by hand before signing. This is to make sure you've agreed to terms with full knowledge of them. There will *not* be teams of handwriting analysts poring over it and everything else you've written to make sure it's really you.
Presumably identification is done through more secure means. The signature is just a symbol of acquiescence.
Can you be Even More Awesome?!
damn, how come I missed that! ;0{
America, Home of the Brave.
The fax they receive will have the 'from' fax number printed on it. They probably like that verification, rather than some random email address that won't print out on the emailed document.
If you really need to verify a signature, you use a notary.
When you are looking at the choice of signing and getting what you want from your contract now, people choose the easy way.
The Kruger Dunning explains most post on
I worked for an A paper lender from 1996 to 2001. For the majority of that time, we didn't accept faxed in loan submissions. The idea was that a broker or loan officer could simply fax a loan to a dozen different lenders all at once instead of committing his business with us and because it was too easy to doctor loan docs and fax 'em in. We demanded original signatures and docs printed using a laser printer (yes, that was a requirement) or on original pre-printed loan applications. The only faxes we would accept would be loan conditions like a flood cert, mortgage insurance or something like that. We also didn't accept loan packages with appraisals done with a digital camera because the images could be doctored easily. Sometime near 1999, we started a limited doc fax program for brokers we had high confidence in and were pretty sure wouldn't send in bogus loan info.
Years later, I worked as an Account Executive for a subprime lender, we accepted EVERYTHING by fax. They're out of business now and the industry on a whole is reeling from rampant fraud.
Fifty watts per channel, baby cakes.
If they accept a credit card that is not signed (even if it says See ID and they check the ID), they have violated the rules of the credit card company. Should there be a problem with that purchase, they will have to eat the chargeback.
I managed a retail shop for several years and the credit card companies are dead serious about their rules. The card MUST be signed with a personal signature--"See ID" or "CID" does not satisfy that. The shop must keep the original of the signed copy of the credit charge slip (if they accidentally keep the carbon, the purchase is not covered). The shop is not allowed to require ID for the purchase. In addition there are a variety of rules about data storage and security.
On the other hand, merchants are also forbidden from setting a minimum credit card purchase...if you ever get told "there is a $5 minimum to use a card," that shop is violating the rules and you can report them to your credit card company. But only do that if you're really pissed, because they might lose their account and that can literally kill a small business.
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
I don't disagree that faxed signatures, or pen-to-paper signatures of any sort for that matter, are next to useless and have been since the invention of the copy machine (possibly since writing became something that everyone learns to do). But what's the alternative? How does someone provide indisputable record that (s)he has had the chance to review and approve some bit of information?
I know everyone is thinking cryptographic signatures, but they're even worse. A cryptographic signature is only as secure as the private key and the algorithm. How do you educate the masses on how to properly protect their private key? How is it even possible to protect a private key if you have to sometimes connect the storage device to hardware that isn't yours? And yes, I know about RSA's tamper-proof devices that decrypt and sign data internally rather than making the private key available, but I've also seen demos of them being cracked (the crackers claimed 80% accuracy) when hooked up to the proper oscilloscopes. And as for the algorithms, how many of us even here on Slashdot can say we truly understand them, even if we're confident that we could if we dedicated the time to studying them?
The point is that only a fool would claim that even cryptographic signatures are truly indisputable. But if we used a less disputable form of signature, the supposed signer would have a much weaker case when a signature is faked.
I recently had my credit card stolen. It cost me exactly $0. I simply told my bank which charges I didn't make, signed (paper on ink and faxed) a form stating that I didn't authorize the transactions and that I expected that if they found any signatures on receipts they would be faked. As a consumer, Visa and Mastercard's policies (and, by extension, my Bank's) give me zero liability, which is beyond even what the law requires. This makes credit cards not only the fastest and easiest form of payment, but the most secure to me as a consumer. If my bank wants to put a chip in my credit card that does cryptographic signatures to help minimize their losses, that's fine so long as they don't change their policy regarding my liability. If I have to accept anything other than zero liability, I would immediately cancel all of my credit cards and go to cash-only. That way, the most I can lose is what I have in my wallet, not the entire contents of my bank account and the instant line of credit that I never asked for.
I dread the day when people commonly use a form of authorization that the masses believe is indisputable. Security is attained through constant effort, not some "can't be cracked" system. And justice requires reason and careful examination of the facts, not blind faith in technology.
In fact large (multi-million dollar) deals are made all day long with oral contracts (for the US they are usually recorded too).
I was doing document presentation at a trial where someone had to pay mid 7 figures because they made an oral agreement to sell stock and bonds and then didn't produce. The brokerage doing the purchase then sold them the same day (orally). When the original seller (who himself had made the purchase on a non-recorded phone conversation, and didn't understand what he was purchasing, which is where the benefit of writing comes in, since it became he said/he said) didn't come through the brokerage still had to cover their oral agreements (by purchasing over market price).
These few brokers had done deals worth more than I am likely to spend my entire life (mid 8 figures, the 7 figures was the amount they spend over market price to sell it at such) with purely oral agreements in a span of time under 48 hours. Big money can move without a scrap of paper (and in the case of the people working in France, there was not even a phone recording).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
It is very common for contracts to specify fax as an approved form of written notice and to exchange signature documents. (I have worked in Fortune 500 companies with IT contracts written in the 70's and 80's -- many of these contracts are still active under the original terms, as modified. Most of these early contracts specified fax or facsimile as an approved method of written notice or signature.)
Today it's common for commercial contracts to contain terms approving email as a form of notice.
a r b o r l a w -- legal blog for entrepreneurs and small business
Where I live (and no, it's not Uzbekistan) banks fax everything. I've had a look into the "transmission room" in some locations when doing hardware maintenance and seen some BAD ASS faxing monsters, with auto feeder accepting variable paper size and quality, error checking, scheduler, reporting, multiple user access levels etc. The amount of money and technology invested in such a tool that after all goes biii bzzt bzzt over a tiny cable at the business end was simply mind-boggling.
I mean, a fake signature may be fraud, but at the end of the day your argument is like arguing that you should be alive after getting hit by a drunk driver because he broke the law.
"Just because you're right doesn't make you any less dead/injured/royally boned"
+5, Truth
Depends on where you live.
My wife is a real-estate agent. Has to deal with passing a lot of signatures around. It was only a couple of years ago that North Carolina passed a law to make faxed signatures legally binding.
Lot of Fedexing going on up till then.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
that signatures are meaningless.
I'm also really uncomfortable with the idea of signing some box so my signature is in a computer. Not that it can't be scanned in, but when they test your signature they look at how hard you pressed the pen and stuff like that--undetectable through a digital medium...
And if they did record it, they could easily replicate it--even adding minor changes so it can't be detected as an obvious replica.
Email is even worse--Email is insecure, easy to spoof, is not guaranteed delivery, and shouldn't be used for anything official--ever.
Overall the fact is that the only advantage we have is obscurity. There are so many people you just have to hope that you aren't the one randomly chosen for identity theft or the target of some other shenanigans.
I don't trust bio signatures much yet either. Not that they couldn't be made reliable, but right now--nobody is willing to invest the money to do so.
The only thing I can imagine being valid is something like a USB Dongle you carry on your keychain that will encrypt anything sent to it with a gigantic private key (forget 1024 bits, how about 1M bit key?) It should be physically impossible to get the private key out of your keychain, but the public one can be pulled out for publishing at any time.
Use the same resin technology that they use to stop people from copying chips--or fill the damn thing with acid in a little glass vial like the theft-protection tags on clothes.
The software source must be available for review.
Readers wouldn't need protection because they couldn't actually "Steal" anything from the card, only feed it a one-time random string that the key encrypts, then compares the result against a published public key.
Maybe that wouldn't prevent it from being stolen, but at least you'd know that if it wasn't you were relatively safe, and if it was you could cancel it pretty easily...
They are getting close to this with some credit cards, but that's not a generic "Signature" mechanism, and I'm guessing that they are more hackable than I'd like.
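The keychain-token idea in the comment above, sketched as an added example that is not part of the original thread: a reader issues a one-time random challenge, the token signs it, and the reader checks the response against the published public key. It uses Ed25519 signing from Node's built-in crypto module in place of the "encrypt with a gigantic private key" step the comment describes; the class and function names are hypothetical, and a software object stands in for the tamper-resistant hardware.

```javascript
// Added example: challenge-response proof of possession with Ed25519.
const nodeCrypto = require('node:crypto');

// Stand-in for the keychain token (hypothetical class). The private key lives
// in a private field; only the public key and signatures leave the object.
class Token {
  #privateKey;
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.#privateKey = privateKey;
    // This PEM is what the owner would publish.
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Sign the reader's challenge. Ed25519 takes no separate digest, hence null.
  respond(challenge) {
    return nodeCrypto.sign(null, challenge, this.#privateKey);
  }
}

// Stand-in for the reader (hypothetical class). It holds no secret: it issues
// one-time challenges and verifies responses against a published public key.
class Reader {
  #outstanding = new Set();
  issueChallenge() {
    const challenge = nodeCrypto.randomBytes(32);
    this.#outstanding.add(challenge.toString('hex'));
    return challenge;
  }
  verify(publishedKeyPem, challenge, signature) {
    // Each challenge is accepted once, so a recorded exchange cannot be replayed.
    if (!this.#outstanding.delete(challenge.toString('hex'))) return false;
    const key = nodeCrypto.createPublicKey(publishedKeyPem);
    return nodeCrypto.verify(null, challenge, key, signature);
  }
}

// Runs the exchange for the genuine token and for three failure cases.
function runDemo() {
  const owner = new Token();
  const someoneElse = new Token();
  const reader = new Reader();

  // Genuine token answers a fresh challenge.
  const c1 = reader.issueChallenge();
  const s1 = owner.respond(c1);
  const genuine = reader.verify(owner.publicKeyPem, c1, s1);

  // The same challenge and response presented a second time.
  const replayed = reader.verify(owner.publicKeyPem, c1, s1);

  // A different token answers while claiming the owner's public key.
  const c2 = reader.issueChallenge();
  const wrongToken = reader.verify(owner.publicKeyPem, c2, someoneElse.respond(c2));

  // An old, recorded response offered for a new challenge.
  const c3 = reader.issueChallenge();
  const staleResponse = reader.verify(owner.publicKeyPem, c3, s1);

  return { genuine, replayed, wrongToken, staleResponse };
}
```

Only the first case verifies; the reader never needs anything secret, which is the property the comment is after when it says readers "couldn't actually steal anything from the card".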
Schneier is not so much oblivious as in love with his own ideas, sometimes at the cost of his logical consistency.
Really, signatures are not "proof" of anything, and never have been. Back when many people were illiterate, simply making a mark was an acceptable signature. A signature is just a sign of an agreement that is sustained by collective memory, not the signature itself.
For example, how do we know that John Hancock signed the Declaration of Independence? It's not because his handwriting is hard to forge. (I wanted to say that it's because a lot of people saw him sign it, but that turns out to be a myth.) No, it's part of the collective memory of the time: Hancock was the presiding officer of the Continental Congress, and would have had to sign it; he acknowledged signing it; etc. etc.
I don't think it is so much that faxes have been codified as legally binding, and scan + print and or e-mail have not been, it's that faxes have been tested. Court cases where faxed documents were disputed, have been found to be a valid method in court. Chances are pretty good an E-mailed PDF or similar would be as well. It's just that there is a risk it might not be, however small nobody wants to take the chance.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
That's why whenever I have an oral agreement, I put it in writing and have all parties sign it to make sure there are no misunderstandings!
"But this one goes to 11!"
I know for a fact, from someone who was specialised in faxes and fax software (1997, Belgium) that a fax document with a signature is not a lawful proof of anything. The only lawful document would have been a telex, because the time stamp from the post office was an official proof.
I have recently done some car insurance stuff using a scanner and email. It is just habit I guess. The risk is reduced when people talk over the phone, repeated emails and then follow up over snail mail to confirm the changes. For the whole process to work up to the end, it is relatively secure.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Yes, indeed, why would you fax, sign, and fax when you can skip all of that and scan, save, attach, email, print, sign, scan, save, attach, and email? What kind of dinosaur would use such an old technology when new technology is available that can replace it, with only a few more steps!
(Yes, I'm aware that there are a hundred and one ways to streamline the exchange of electronic documents. The problem is most of them are just as expensive and less reliable than an analog fax machine using copper wire.)
The countries that use fax machines are the ones that do the most business. The US, yes, and Japan and the UK. Partly because business is slow to change, but mostly because the replacements are harder to use and more trouble prone.
The US free market: two halves of a government-granted duopoly are free to set the market price.
This may be off-topic, but it reminds me of how my mother-in-law gave me money for a down payment on a house. Because the money was in cash, the bank required us to go to a bank, and have her get the money changed over to a cashiers check, which I then had to photocopy, deposit into my account, and keep into that account, until the day of the closing (when it had to be transferred to another cashiers check). All this to prove that the cash was given by her (which it didn't), and to create a paper trail (which was created in a process that could probably be described as "money laundering").
But they DID accept high-res scans in lieu of photocopies or faxes.
Well, I wish someone would tell the idiotic head of HR of my previous company that...
While I was looking for a new job, one prospective employer wanted to verify my employment history, and called her.
She refused to verify my history over the phone - claiming privacy issues.
Fortunately the company hired to do my background check called me about this problem (apparently it's rather common.) They had me digitally sign a request for the stupid HR officer to verify my employment history with the background checking company.
She refused - claiming that digitally signed documents are not legally binding.
Instead, I had to fax a signed request to her - and then call my former boss to politely ask "WTF?!?"
FORTUNATELY the background check company was willing to work with me on this and I got the job.
However, I still have to wonder how many other job offers I may have missed due to this b*tch's refusal to do her job. Now that I think about, I did have a few job prospects abruptly dry up even though I knew the hiring manager and engineers were impressed with me, only to be told by their HR department "we've decided on someone else." without so much of an explanation as to why I was not being considered any further.
Anything is legally binding if the content of it is legally binding and you can prove its authenticity.
There are US federal laws and regulations on the issue but there are many and they are usually department of the federal government specific. Again, I'd like to see a cite if you're claiming that ANY state recognizes faxed contracts but not email.
I have a hard time accepting torkus' statement as truth when he uses the phrase "I believe" in parentheses while trying to make a point.
In any case I have not been able to fax a signature for legal documents in Virginia for as long as I've been here.
Kriston
I found out the hard way that my bank doesn't even check the signatures on checks.
Coder's Stone: The programming language quick ref for iPad
Provided you are willing and capable of relinquishing the original within approximately a time period specified by the holder of your debt to the holder of your debt, sure I don't see why not.
That's ridiculous. Far more contracts occur online than in writing. Every single purchase from Amazon.com, every single bid on an auction at eBay, and every sale that occurs over craigslist happens without a physical pen-and-paper signature. There is no doubt that these are valid orders.
And it's not all small transactions, either. Amateur and professional traders alike make trades worth vast sums of money online. Even wire transfers, which can be billions of dollars, happen over the phone and online within hours.
The idea that emailed contracts aren't enforceable -- or even that there's reasonable fear of them not being enforceable -- is just plain wrong.
Add a half twist, forming a Moebius strip, which can then cause a rip in the space time continuum at the receiver's end.
Of course, you'll need to get a Klein bottle of coffee (which has its own problems)
probably just a poor choice of words on your part. I am certain there is no form of communication that is more or less legally binding than another. As long as both parties understand and agree, (barring some other deception) in the US you have a contract.
Verbal contracts are legally binding, but don't leave good evidence if disputed. What I think you mean is that if the veracity of a document is brought into question, that a scanned+printed document is not going to hold much weight in most courts.
The issue is whether a contract would be disputed, and one party would be stuck as a result.
For example, with wire transfers there are all kinds of non-consumer-friendly bank laws out there. If the bank followed the appropriate processes and some identity thief gets the bank to send $1M of some customer's money to some foreign bank, the bank probably could care less. Chances are that banking laws will make the customer liable and they weren't involved.
Now, imagine this scenario. You pay me $50k in untraceable cash as consideration for me privately providing you with some form of insurance (say a million dollars worth). You suffer a loss that I am liable for. I simply deny having ever signed the contract. If the contract were on paper you would have an expert witness testify that it could be forensically traced to me. If the contract were faxed you would point to all kinds of court precedents for faxed documents. If the contract were emailed there would not be much precedent - maybe I'd owe you, and maybe not. Unless you like taking your chances (and who buys insurance when they like to take chances?), you're going to insist on some well-tested form of transmission.
Basically the issue comes down to repudiation. It is easy to repudiate a document transmitted electronically unless cryptographic safeguards are used. FAX should be easy to repudiate but for various reasons it has a perception of authority and it has been well-tested in court.
The Uniform Commercial Code (UCC), which has been adopted by all 50 states, discusses what is a valid signature in Article 1, Section 1-201(39):(Writing is defined as "printing, typewriting, or any other intentional reduction to tangible form.")
While that doesn't rule out the possibility of states having other requirements for signatures, the "least common denominator" between all states -- the UCC -- is pretty format-agnostic.
I think it's also worth pointing out that some 48 states, according to one source, have put digital-signature laws in place that allow some form of non-physical, electronic signature. Some of them are pretty specific to PK crypto, while others are technology-agnostic. I find it a little hard to believe that any state that's gone to the trouble of crafting and passing a digital-signature law would still require faxed signatures.
What seems more likely to me is that private agreements between parties are the major driver for faxed signatures, because there are contracts forming standing arrangements between businesses that weren't written to take advantage of anything besides the dominant technology (POTS fax) at the time they were written. Therefore, you end up with change orders, POs, and other authorizations having to go by fax, because of some hoary old contract, even though some other form of signature would be theoretically acceptable.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Finally, I don't know where you get the idea that emailed contracts haven't been tested in court. They have, and they're effective.
A letterhead cut and pasted at the top of a page will add plenty of official-ness for some.
/. -- the Free Republic of technology.
Indeed, this is an important point; faxed signatures do one thing only: they provide evidence that someone saw the document and that there EXISTS an original signed document. Remember to keep those signed documents you fax, you might be asked to provided them in case of legal issues.
-- Humans, because the hardware IS the software.
The whole thing is even more silly when you consider that many of the "fax machines" in use today aren't even fax machines at all, but some sort of fax-to-email service. In my industry I see a lot of this sort of thing. People get all worked up over how email won't do, they must fax whatever it is -- and they end up using an e-fax service which probably ends up in some other guy's email box anyway through his own e-fax service. :)
Yet both sides are convinced that this is somehow better than just scanning the document and emailing it normally. Truly bizarre, if you ask me.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.
Aside from the law allowing faxed, but not emailed, documents, I'm also going to guess that a fax has far less likelihood of being intercepted and modified, or being forged altogether, than an email.
Don't thank God, thank a doctor!
Sounds like a reasonable explanation. I'd add that people, for whatever reason, believe that a physical pen-and-paper signature has some sort of legal magic to it that simply writing out "I, [name], agree to be bound by the foregoing" does not. If even the tech-loving crowd here at Slashdot labors under this misapprehension -- as apparently it does -- then the more technophobic mainstream could only be less comfortable with contracts by email.
Me too,
But that is not how it seems to be done once you get to 7 or 8 figures. Of course in the US it is all recorded at least.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
he was generalizing there: as in a threshold of people who knew how to falsify each tech. At least it works better for me...
damaged by dogma
When you require a fax, you create additional verification in the form of a record of a phone call placed between the originator and receiver of the fax transmission. That way, after the fact, it's fairly easy to show that at least the fax originated from a fax machine in the office of the person who sent it.
With email, the person sending the signed document could be doing so from Nigeria and there's no good way to know that they're not.
paintball
Signatures are a throwback to when it was unusual and the mark of gentility to be able to write. They were the next best thing to using your wax seal with the family crest and usually accompanied it.
Seriously how many people who work at a till or even a bank have had the necessary 10 plus years of training to be able to tell a real signature from a fake one? Even if they did would it be reasonable for them to look at all the signatures?
I know personally of more than one occasion when a bank has cashed a check with the signature Mickey Mouse on it (the person who wrote the check was just seeing if it would work and the store still got the money.)
THAT is for a real signature from a real person standing in front of you, and a computer is supposed to do better?
“Tolerance applies only to persons, but never to truth. Intolerance applies only to truth, but never to persons.
This is true as long as the electronic copy isn't able to be altered (ie. PDF, picture format, etc). A Word document or editable file can't be used. I know this cos I worked for the Australian government, and we constantly have people asking us how to turn a PDF into a Word document. Our legal stand-point is no, nadda, not-a-snowflakes-chance-in-hades.
For important documents there may be more procedures, but a lot of faxes are sent in a pretty routine manner with no authentication.
For example, I just faxed a copyright-transfer form to a journal so they'll publish a paper of mine. How did I fax it? From an online fax service, which didn't even require me to create an account. I gave them a PDF, and they faxed it. The only "authentication" is the receipt of this PDF at the other fax machine, which will be filed away somewhere; there is no other protocol being followed. Now why couldn't I have just emailed that same PDF to them? How does routing it through a free online fax service increase security?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
The whole point of the faxed signature was to get the ball rolling. A hardcopy of the signature used to follow and most large companies still practice this.
... I was there when faxed signatures started becoming popular in the early 90s.
Youth, often not understanding events and practices preceding them do not practice the hardcopy follow up.
Maybe he is missing the whole point: the security in the fax comes not from the printed paper you are sending, BUT from the fact that they can check the origin of the fax transmission. Faxes are point-to-point communication channels, so it is VERY difficult to intercept them or to impersonate other people's fax number.
All that is required to be legally binding is an offer and acceptance. This can even happen orally.
It can but good luck convincing a court that the agreement exists when it's you and your mate's word against your supposed partner and their mate's.
Afaict that is the point of a signed written contract, it is evidence that someone agreed to something should they ever claim that they did not do so.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Interesting... which reminds me, didn't Clinton make digital signatures legal before leaving office, and if so, then wouldn't that then allow printed copies of a digitally signed document count as being legally binding?
...in Soviet Russia official Visa website says that merchants are allowed to check ID. And sometimes they really do. It's double strange, because most merchants don't use PIN verification.
Or:
1,000 meMon
America, Home of the Brave.
Yes and no.
You want a very heavy club you can pound over a fraudster's head.
Remember that one of the things the government can get marijuana smokers on is not buying a marijuana tax stamp. Nobody does this, of course, because they're afraid of it being a glowing neon sign over their heads, despite the government being forbidden from tracking the stamp buyers for that reason.
But it's another club nevertheless.
Weird. Never has a 0 -- offtopic post (which it wasn't) generated so much good karma to responders before.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
By law, all pleadings and motions filed in a United States District Court must be signed by an attorney of record or by the litigant appearing pro per. Fed Rul. Civ. Proc. 11(a); http://www.law.cornell.edu/rules/frcp/Rule11.htm. United States District Courts in all states now require counsel to e-file substantially everything, effectively requiring e-signatures on every court document that is filed.
In the Eastern District of California, attorneys' e-signatures under Rule 11(a) and mis-use of e-signature privileges are specifically covered by Local Rules 7-131(c) and (d), insuring the integrity of the process. http://www.caed.uscourts.gov/caed/staticOther/page_459.htm And after at two years of experience with the system, our Judges, US Magistrates, court staff, attorneys, and paralegals would NEVER willingly go back to the old ways (which included fax-filing options).
In complex cases, California State Courts can order the parties to use Case Home Page, a well-run private, user-supported e-case management service that also requires e-signatures. (http://www.casehomepage.com). I am litigating a class action lawsuit and at least 12 related individual cases in San Diego County that would be logistically and economically impossible without the help of Case Home Page.
By taking advantage of off-the-shelf IT products (including video-conference capability), the Bench and Bar have cut our previously HUGE environmental footprint while providing user-friendly, fast, accessible, and substantially more economical service to our clients.
I'm prejudiced, of course: I helped beta the Eastern District Court's e-filing and case retrieval systems and take proud ownership of what my colleagues, our Judges, and the Court's consulting and resident geek staff members accomplished at extremely low cost to the Taxpayer. I beta tested a number of browsers running Linux (I think I used Yellow Dog and Red Hat for the tests), Windoze XP (both native and using a PowerPC compatible emulator), and MacOS 9 and X in a number of configurations using dial-ups, DSL, T-1 and T-3 access points. The Court's IT staff was a joy to work with and, as a Federal Bar Assn. Member, I'm really stoked to have been a part of the process.
So faxes? " . . we don' need no steenkin' Faxes!"
I don't know for sure if banks distribute physical checks for clearing (someone else said they, in fact, do not and can not post-9/11) but that does not change the rest of my statement. You're arguing one point based on the validity of a different, independent point.
... but your photocopy, fax, or scan of that document is still 100% legally valid. They may decline to recognize it as policy but if you wound up in court a judge would (assuming no evidence of tampering existed) accept that copy as having the same status as the original copy.
If you don't believe a statement is true do your own homework.
Many companies prefer (or require) original documents in certain situations. They may or may not be wrong to do so
Since virtually all copies these days are digitized and then printed; a fax, photocopy, scan+print, etc. are all essentially the same if you've got the technical aptitude to understand how they work.
You can get rich if you own a politician, but you have to be rich to buy one in the first place.
I have to say that
a) I'm never impressed by assholes who throw insults from the Anonymous Coward seat.
b) THAT IS NOT IN ANY WAY "exactly what he says", you, in all your AC stupidity, are not only a genuine coward, you're a moron AND wrong.
No it isn't. Save the stupid fucking insults for when you're not completely wrong.
Fuck off now.
You have no excuse for posting inaccurate, invalid information. You need to do YOUR homework.
After all, you are trying to make a point, aren't you?
If you "don't know for sure" then you should not bother.
Checking your spelling wouldn't hurt, either.
Kriston
There is no way that Clinton could make them legal. The whole concept of 'legality' is muddy here. It is more a matter of "will the signature be recognized".
All a signature does is provide evidence to the fact that you were there and agreed to a contract. It is your "seal of approval". A court can say that they won't recognize a signature written in pencil. A bank has the option to reject a check signed in red pen. Clinton probably passed a directive saying that Federal Agencies will accept digital signatures of some sort. I honestly don't know.
That said, any signature can be contested in a court. It would be very difficult for a handwriting expert to confirm that a copied signature was yours if he doesn't have the pressure clues to go on.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba