Proposed Law: Electronic Signatures == Pen and Ink
Salgak1
wrote in to send us a Washington Times article
about Rep. Tom Bliley (R-VA) introducing a bill to make an
electronic signature legally equivalent to one done on
paper. Here is The Bill.
Seems Sen. Abraham (R-Mich) introduced a similar
bill in the Senate. (Full Text
That's not the point. Assuming a PGP-like program, anyone who can hack into my computer can get my encrypted private key. And anyone who can do that can probably set up something to capture me typing my password. With those two pieces of information, anyone could forge my signature. My private key could easily be posted to a newsgroup and it could cause me some serious problems.
I don't know of many people who are careful enough about system security to have digital signatures that are as secure as real ones.
Take a look at http://csrc.nist.gov/fips/ for the Digital Signature Standard (FIPS 186-1). It's the US government's public-private key signing standard for authentication purposes. PGP also supports it, it's exportable, its reviews show no backdoors. So if the government already has a signature standard they should use it in any laws giving d-sigs legal strength.
As for matching identities between people & keys, key signing is pretty effective. Only trust keys you've signed or someone you strongly trust has signed.
It's a nifty concept, and ideally would make sense; to be able to show, with very high confidence, that somebody *did* agree to a deal on, say, E-bay, could give consumers a leg up. Such could inspire confidence in e-commerce, and also serve to promote widespread use of cryptographic software in even daily messaging -- although it makes me wonder if elements in the DoJ would ever consider *requiring* cryptographic signatures...
However, for cryptographic signatures, how does one confirm that the original key came from that person? There's not much right now, beyond paranoia in dealing with unsigned keys, that prevents somebody from pre-emptively and maliciously creating PGP keys for random individuals. This suggests that we need reliable key authorities, the equivalent of electronic notaries ala Verisign; for full accountability, somebody would need to be able to trace the key to a physical contact address.
Hand-written signatures have the advantage of
being a biometric measure: You can't steal
someone's handwriting. (You can fake it, but that
is something different from stealing it.)
But I can get someone's PGP key, or someone could
allow me access to his/her key for convenience
(so I can sign things for him/her). Thus,
I don't think a judge would be convinced
that a letter signed by a digital signature
must have been written by the person owning
the signature or the key with which the signature
has been made.
If I post my private PGP key on Usenet, I have
effectively taken any legal binding from my
digital signatures. Something that I can't do
with my real-world signature.
Therefore, for some things these digital signatures just won't work. For other
applications, they are already working,
because parties have agreed to accept them
as a means of authentication, and having
them "stolen" is negligence, making the
negligent party accountable for the damages.
Another interesting point is that you can't have
key escrow with those keys. (Sometimes, you just have to prove things, and not just rely on the honesty of the NSA.)
And having strong signatures, you can effectively
use this to create strong encryption (a process
called "chaffing" IIRC).
Thus, a law that makes digital signatures legally
binding automatically allows everyone to own
strong encryption software.
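The construction the comment above refers to is Rivest's "chaffing and winnowing", which gets confidentiality from authentication alone, using MACs under a shared key rather than public-key signatures. An added sketch, not part of the original thread; the function names, the one-bit packet layout and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def tag(key: bytes, serial: int, bit: int) -> bytes:
    """MAC over (serial, bit); only holders of `key` can produce or check it."""
    return hmac.new(key, f"{serial}:{bit}".encode(), hashlib.sha256).digest()

def add_chaff(key: bytes, message: bytes) -> list:
    """Sender side: emit two packets per message bit, in the clear.

    The 'wheat' packet carries the real bit with a valid MAC; the 'chaff'
    packet carries the opposite bit with random bytes in place of the MAC.
    """
    packets = []
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    for serial, bit in enumerate(bits):
        pair = [(serial, bit, tag(key, serial, bit)),
                (serial, bit ^ 1, secrets.token_bytes(32))]
        if secrets.randbits(1):          # hide which packet of the pair is wheat
            pair.reverse()
        packets.extend(pair)
    return packets

def winnow(key: bytes, packets: list) -> bytes:
    """Receiver side: keep only packets whose MAC verifies, then reassemble."""
    wheat = {}
    for serial, bit, mac in packets:
        if hmac.compare_digest(mac, tag(key, serial, bit)):
            wheat[serial] = bit
    bits = [wheat[s] for s in sorted(wheat)]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # shared authentication key
    stream = add_chaff(key, b"Love, me.")    # constructed sample message
    print(len(stream), "packets on the wire")
    print("right key:", winnow(key, stream))
    print("wrong key:", winnow(secrets.token_bytes(32), stream))
```

Nothing in the stream is encrypted: every serial number appears with both a 0 and a 1, and only the MAC key tells the receiver which one to keep.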
Think of a school ID, a driver's license and a passport. They're all photo ID's, but with different requirements for obtaining one. As a result, they provide differing levels of authentication and authorization.
Until we have legal, government-encouraged, secure (Ex: no key escrow repository) crypto, the electronic signature is worth no more than a name pecked out on an old typewriter. No ifs, ands or buts about it, electronic sigs would be great, but until the strong crypto to ensure their validity is in place legally and widely, they're not going to happen, unless in some insecure half-assed form that would be bad news for everyone.
--
--
Just lurking, thanks!
They're much more secure than standard signatures, in fact, because they prevent tampering not only of the signature but the document itself.
Read Applied Cryptography; It talks about lots of other Neat Stuff (like e-cash). You'll find it interesting.
Well, that's all fine and dandy, but we all know how slow our legislators move, and how much slower than THAT it takes to get a law changed. My question is.. what if the encryption schema is cracked? What if tomorrow somebody found out how to factor all those numbers? You think I want THEM, on mere account of mathematics, to *legally take on my identity* ??
Talk about stupidity! And what will the NSA say about this? Can we only use 56 bit keys for our "signature"?
--
>anyone who can hack into my computer can get my encrypted private key.
And anyone who can break into your house/office can get your paper signature. QED
0 1 - just my two bits
Does anyone know the bill number for the Bliley bill? Slashdot's link seems to be broken, and I can't find any digital signature bill by Bliley on Thomas.
It should be noted that none of these bills specify a particular digital signature technology. The Digital Signature Act directs the appropriate government agencies to draft guidelines within 6 months (for use in transactions with the government). The Millennium act just says that "the parties to an interstate transaction may establish by contract" the technologies they want to use (one wonders how you are supposed to sign the contract).
If a thing is not diminished by being shared, it is not rightly owned if it is only owned & not shared. S. Augustine
I hate to tell you this, but werdna is correct about the modern day legalities of signatures.
First thing in the morning every day at the bank I work for, I check the signatures and account numbers on the dormant account activity checks. This review includes both deposits and withdrawals. It is actually a bit difficult to discern an imposter on one of these tickets. It has been my experience that a good forgery will get by the vast majority of people.
I would ordinarily include myself in a generalization like that, but in this case that is not true. A friend of mine introduced me to the mishmash that is handwriting analysis. While the accuracy of handwriting analysis in the field of psychology may be bunk (I have yet to decide), it does teach you to look for certain characteristics in the letters. It is little things like "does the letter "o" have a stroke through it?" that make the difference. You really need at least 10 characteristics in the letters to match before you can be comfortable signing off on the ticket. To the trained eye, these traits are very easy to spot.
Now, I have to make sure that my bank is doing what it is supposed to in its work with the federal government on a day to day basis. I can tell you right here and now that our Chief Financial Officer would not accept just a signature as the conclusion of a deal. I like our CFO and I like my job, but common sense is the best asset around in any job. It is like you don't breathe in chlorine gas.
I really don't care for some ecommerce ideas for the simple reason that some things have exorbitant shipping costs. This idea, on the other hand, scares me. I like the anonymity of the internet. I can go anywhere under my 4 names and no one can connect that to a face or a business. While people do actually call me telosphilos or telos in the real world out there, they are not the same people that I work with every day. Those people that know me online are not my flesh and blood family, but they are the best of friends. My boyfriend even calls me by my nickname. Yet, I am very protective of my financial information. I am also very careful to keep any actual pictures of me off the internet. (There are two out there, but they include facepaint and night Figment hunting (long story).)
I do not have a lot of money, but I work with large sums each day. As part of the customer services, we try to teach people how to protect themselves from con artists and your basic scams. Some are fairly simple like shielding your PIN number from view when you use your ATM card or not giving out credit card numbers in chat rooms. Some are vastly more complicated, preventing the real code warriors with a financial hole they want to fill from breaking into banking-on-line systems.
The big issue that I can see with this idea is that it can be taken too far and lead to very real financial risks involving banks, trusts, credit unions, and brokerage houses. In making the electronic signatures a legal signature, you open the door to a lot of problems like theft of the signature and signature duplication. Say you had $5,000.00 in a money market account, using a good bit of computer know-how, another person gets your signature and basic account information (account number, amount in there, the usual). Bet you dollars to donuts, that computer cluebie can find a way to fool the bank employee on the other side of the terminal into handing over the money.
You see, at some time we have to account for human error. It is also very easy to have human error occur on account of fraud. Most financial types really do not know computers or computer security. Computer people generally have better things to do than learn how to make up little slips of paper tracking where all of the money in the bank is. So, what do you get? You get someone that maybe has figured out that a mouse is a peripheral authorizing a con job on an account in his first week at the bank. There, your account just went from $5,000.00 to zero.
Just think about it, it can mess up all sorts of financial deals. Would you like it if your paycheck which more likely than not goes through an automated clearing house was missing about $50.00 in income taxes over the course of six months due to an error on your account and the IRS not only caught it, but chose to audit you and your company? This is the sort of thing that can happen.
It is food for thought. Anyways, it is getting late and I am tired of ranting. Thank you for your time.
--telos
"Alt-F4 that's for quitting" quoth Dan_Wood
For all of the reasons stated in my prior posts, I was quite impressed by the laissez-faire nature of the bill. It leaves the decisions as to particular technologies used in the hands of the users, and makes a credible stab at handling electronic signatures effectively for international transactions.
There are some technical legal issues arising from the present language, but all in all, it appears on first reading to be an excellent job.
Yes, it does make "love, andy" at the end of an e-mail into a signature, but for the reasons otherwise stated here, I think this will be far better for commerce than a problem at the end of the day.
It is most certainly true that feeble efforts such as copying with carbons won't work. Of course, signatures would not be forged in that manner. (I understand that the weapons of choice relate to using light boards and the like).
Yes, it is difficult to get away with faking Abraham Lincoln's signature, because the physical evidence (paper and ink) can effectively date the paper out of period.
But we are talking about contemporaries forging contemporaries; and by using straightforward means of forgery. There was a great article on the subject fairly recently -- let me see if I can't dig it up for you.
As noted, the function of a signature is primarily unrelated to security or ability to authenticate the author -- it is merely a formal act to give legal effect to an instrument. Accordingly, the preceding remark is a non sequitur.
Of course, signatures serve plural non-legal purposes, among which are precisely the issues of identification and non-deniability. Those purposes are served, or are not served, adequately in the eyes of the parties involved in the transaction. If they trust one another, the only issue is the authentication of the instrument (the giving of legal effect). If they do not, or the risks are too great, they will take greater measures.
But this has nothing to do with the question of whether two people who trust one another can engage in the legally effective transfer of title in land by means of an e-mail. The law gives legal effect to the shaving of a mark on the hide of a cow, or the mere writing of a number and an X on a sheet of paper. Why not, then, to the following words:
Love, me.
In recent years, many states have been addressing Digital and Electronic signatures; and there are solid legal arguments that a digital signature would be legally enforceable even in the absence of such legislation.
Florida's, for example, is among the clearest and most consistent with the common law, defining a "writing" to include "information which is created or stored in any electronic medium and is retrievable in perceptible form," an "electronic signature" to mean "any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with intent to authenticate a writing," and further providing that a writing is electronically signed if an electronic signature is logically associated with the writing.
With those definitions, it provides simply that "Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature."
Other states, such as Utah and Washington, have required that to receive the benefit of the statute, the signature must be made by use of asymmetric encryption, with varying definitions and limitations.
Accordingly, this bill isn't really all that new. However, the definition of a signature is one of those things that has been traditionally determined by state law -- it may be unclear whether a Federal law purporting to preempt State law in this regard would be unconstitutional.
Various folks have written, expressing concern that permitting electronic signatures would be too easily forged or spoofed. There are several responses to this:
(1) At common law, the typing of your initials at the end of an e-mail with intent to authenticate is probably a signature anyway (mileage may vary state to state);
(2) Have you considered how trivial it is to undetectably duplicate a paper signature? Moreover, how easy it is to lift a signature from one document and apply it to another? In comparison, digital signatures are checksummed to the documents they sign, and are very difficult to forge without human engineering;
(3) In practice, disputes over signatures are not really ever resolved by comparing testimony of signature experts (except in extraordinary cases). The two experts cancel each other out trivially, and the jury judges based upon the demeanor of the parties and the overall circumstances of the transaction. In a recent case, where a party denied signing a written agreement to sell some goods, the other side simply asked on the stand whether he routinely sent goods of the type to the other side -- "no"; whether he did after the date of the disputed document -- "yes"; whether he did in accordance with the schedule set forth in the disputed document -- "yes." It was all over, notwithstanding the conflicting expert testimony. (Ironically, the argument was that the signature was "too good," too close to a specimen the other party was known to have and therefore copied. Yeah, right.)
The real deal is this: signatures are not there (for legal reasons) for the purpose of authentication -- they are a mechanism to formally "close" a deal, to distinguish those deals that aren't done from those that are, and in some cases to seal certain types of agreements that require a signed writing.
The authentication purposes are an issue of "risk management," not legal effectiveness. The law only raises the question of whether the act, if it took place, was legally effective to seal the deal, and not whether the act took place.
On the other hand, a businessperson might want to be able to prove a signature was real more readily than usual. This is why when a multi-zillion dollar deal is being closed, a lawyer will not accept from the other side to sign "Minnie Mouse," or "X" (if literate), even though doing so is legally effective for any statute of frauds purposes. Likewise, I would never accept for a meaningful transaction an e-mail stating:
"Yeah, I accept your offer to sell Blackacre for 100,000 lucre. Sure.
Love, Mandy."
Even though it would be enforceable under Florida law for the purpose of the statute of frauds.
It's all about eggs in baskets. How much comfort do you need, and how much certainty do you want to avoid being spoofed? If you make it a personal policy never to sign electronic signatures, it will be hard for the other side to prove that you actually did when you didn't, no matter how good the forgery. On the other hand, if you do, make sure you do a good job of making it difficult for others to forge or spoof you.
Agreed that certification authorities are an important part of making use of signatures safe and commercially sensible. Disagreed in the strongest terms that they are necessary for the law to give effect to an instrument.
In my view, the less the law tells us about how we do business, the better. Leave it to the marketplace to decide what technology and form of signature they want to use. Whether they rely on EDI agreements, e-mail typewritten messages or elaborate cryptographical structure using state-authorized or state-licensed "trusted parties," should be decided by those doing the signing, not those pretending to be high-tech-aware and make some press in Washington.
The law SHOULD make clear that electronic signatures should be used and useful, just so folks don't feel they need to see a case before using the technology. After that, legislators should get out of the way.