Slashdot Mirror

← Back to Stories (view on slashdot.org)

Proposed Law:Electronic Signatures == Pen and Ink

Posted by ryuzaki0 on from the isn't-that-interesting dept.

Salgak1 writes wrote in to send us Washington Times Article about Rep. Tom Bliley (R-VA) introducing a bill to make an electronic signature legally equivalent to one done on paper. Here is The Bill. Seems Sen. Abraham (R-Mich) introduced a similar bill in the Senate. (Full Text

7 of 85 comments (clear)

  1. Mixed reaction. by Anonymous Coward · · Score: 3

    It's a nifty concept, and ideally would make sense; to be able to show, with very high confidence, that somebody *did* agree to a deal on, say, E-bay, could give consumers a leg up. Such could inspire confidence in e-commerce, and also serve to promote widespread use of cryptographic software in even daily messaging -- although it makes me wonder if elements in the DoJ would ever consider *requiring* cryptographic signatures...

    However, for cryptographic signatures, how does one confirm that the original key came from that person? There's not much right now, beyond paranoia in dealing with unsigned keys, that prevents somebody from pre-emptively and maliciously creating PGP keys for random individuals. This suggests that we need reliable key authorities, the equivalent of electronic notaries ala Verisign; for full accountability, somebody would need to be able to trace the key to a physical contact address.

  2. What about stolen signatures? by Anonymous Coward · · Score: 4

    Hand-written signatures have the advantage of
    being a biometric measure: You can't steal
    someones handwriting. (You can fake it, but that
    is something different from stealing it.)

    But I can get someones PGP key, or someone could
    allow me access to his/her key for convenience
    (so I can sign things for him/her). Thus,
    I don't think a judge would be convinced
    that a letter signed by a digital signature
    must have been written by the person owning
    the signature or the key with which the signature
    has been made.

    If I post my private PGP key on Usenet, I have
    effectively taken any legal binding from my
    digital signatures. Something that I can't do
    with my real-world signature.

    Therefore, for some things these digital signatures just won't work. For other
    applications, they are already working,
    because parties have agreed to accept them
    as a means of authentication, and having
    them "stolen" is negligence, making the
    negligent party accountable for the damages.

    Another interesting point is that you can't have
    key escrow with those keys. (Sometimes, you just have to proove things, and not just rely on the honesty of the NSA.)

    And having strong signatures, you can effectively
    use this to create strong encryption (a process
    called "chaffing" IIRC).

    Thus, a law that makes digital signatures legally
    binding automatically allows everyone to own
    strong encryption software.

  3. Clues for the clueless by Anonymous Coward · · Score: 5
    1. The keys used by signatures tend to be really, really big. Yeah, maybe someone will crack one in our lifetime, but it's going to be something on the order of the EFF DES machine, not a 5Kr1p7 K1dd33.
    2. There are no export restrictions or controls of any kind of encryption used for authentication. Get that through your thick, knee-jerking skulls.
    3. The essential element of signature security is your private key. You are the only person who should ever have access to this value. In fact, some of the most important aspects of digital signatures are voided if a second party (like key escrow) ever has access to this key.
    4. Crackers are clever, but they don't have magical powers. Private keys can be guarded successfully.
    5. If someone steals your private key, it can be revoked and you can get a new one. Try that with a written signature.
    6. Your private key can expire forcing you to get an entirely new one. Again, try that with a written signature.
    7. Many, many, states allow faxed signatures to be binding while a written signature is in transit. In the insurance industry, "digital signature" usually referes to a scanned image. Wouldn't you rather migrate to something that's a little secure?
    8. Signatures are issued under the auspices of a Certification Practice Statement. This policy not only controls who gets a signature, but how they get it and what is does and does not "prove" when it's presented.

      Think of a school ID, a driver's license and a passport. They're all photo ID's, but with different requirements for obtaining one. As a result, they provide differing levels of authentication and authorization.

  4. Woah... by BOredAtWork · · Score: 3
    Hang on a sec. A pen and ink sig can be verified by a handwriting expert. An electronic sig would have to be gauranteed by strong cryptography, most likely in the form of a PGP-ish key of some kind. Whoops... my bad... the same government that wants to use electronic sigs is also actively trying to stomp strong crypto...

    Until we have legal, government-encouraged, secure (Ex: no key escrow repository) crypto, the electronic signiature is worth no more than a name pecked out on an old typewriter. No if's and's or but's about it, electronic sigs would be great, but until the strong crypto to ensure their validity is in place legally and widely, they're not going to happen, unless in some insecure half-assed form that would be bad news for everyone.

    --

    --

    --
    Just lurking, thanks!

  5. I check signitures for a living. by telos · · Score: 3

    I hate to tell you this, but werdna is correct about the modern day legalities of signitures.



    First thing in the morning every day at the bank I work for, I check the signitures and account numbers on the dormant account activity checks. This review includes both deposits and withdrawls. It is actually a bit difficult to decern an imposter on one of these tickets. It has been my experience that a good forgery will get by the vast majority of people.



    I would ordinarilly include myself in a generalization like that, but in this case that is not true. A friend of mine introduced me to the mishmash that is hand writting analysis. While the accuracy of hand writting analysis in the field of psychology may be bunk (I have yet to decide), it does teach you to look for certain characteristics in the letters. It is little things like "does the letter "o" have a stroke through it?" that make the difference. You really need at least 10 characteristics in the letters to match before you can be comfortable signing off on the ticket. To the trained eye, these traits are very easy to spot.



    Now, I have to make sure that my bank is doing what it is supposed to in its work with the federal government on a day to day basis. I can tell you right here and now that our Chief Financial Officer would not accept just a signature as the conclusion of a deal. I like our CFO and I like my job, but common sense is the best asset around in any job. It is like you don't breath in Chlorine gas.



    I really don't care for some ecommerce ideas for the simple reason that some things have exorbant shipping costs. This on the other hand, this idea scares me. I like the annonimity of the internet. I can go anywhere under my 4 names and no one can connect that to a face or a business. While people do actually call me telosphilos or telos in the real world out there, they are not the same people that I work with every day. Those people that know me online are not my flesh and blood familly, but they are the best of friends. My boyfriend even calls me by my nickname. Yet, I am very protective of my financial information. I am also very careful to keep any actuall pictures of me off the internet. (There are two out there, but they include facepaint and night Figment hunting (long story).)



    I do not have a lot of money, but I work with large sums each day. As part of the customer services, we try to teach people how to protect themselves from con artists and your basic scams. Some are fairly simple like shielding your pin number from view when you use your atm card or not giving out credit card numbers in chat rooms. Some are vastly more complicated, preventing the real code warriors with a financial hole they want to fill from breaking into banking-on-line systems.



    The big issue that I can see with this idea is that it can be taken too far and lead to very real finanicial risks involving banks, trusts, credit unions, and brokerage houses. In making the electronic signatures a legal signature, you open the door to a lot of problems like theft of the signature and signature duplication. Say you had $5,000.00 in a money market account, using a good bit of computer know how, another person gets your signature and basic account information (account number, ammount in there, the usual). Bet you dollars to donuts, that computer cluebie can find a way to fool the bank employee on the other side of the terminal into handing over the money.



    You see, at some time we have to account for human error. It is also very easy to have human error occur on account of fraud. Most financial types really do not know computers or computer security. Computer people generally have better things to do then learn how to make up little slips of paper tracking where all of the money in the bank is. So, what do you get? You get some one that maybe has figured out that a mouse is a periferal authorizing a con job on an account in his first week at the bank. There, your account just went from $5,000.00 to zero.



    Just think about it, it can mess up all sorts of financial deals. Would you like it if your paycheck which more likely then not goes through an automated clearing house was missing about $50.00 in income taxes over the course of six months due to an error on your account and the IRS not only caught it, but chose to audit you and your company? This is the sort of thing that can happen.


    It is food for thought. Anyways, it is getting late and I am tired of ranting. Thank you for your time.


    --telos

    --
    "Alt-F4 that's for quitting" quoth Dan_Wood
  6. Not new . . . by werdna · · Score: 5

    In recent years, many states have been addressing Digital and Electronic signatures; and there are solid legal arguments that a digital signature would be legally enforceable even in the absence of such legislation.

    Florida's, for example, is among the clearest and most consistent with the common law, defining a "writing" to include "information which is created or stored in any electronic medium and is retrievable in perceptable form," an "electronic signature" to mean "any letters, characters or symbols, manifested by electronic or similar means, executed or adopted by a party with intent to authenticate a writing," and further providing that a writing is electronically signed if an electronic signature is logically associated with the writing.

    With those definitions, it provides simply that "Unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature."

    Other states, such as Utah and Washington, have required that to receive the benefit of the statute, the signature must be made by use of asymmetric encryption, with varying definitions and limitations.

    Accordingly, this bill isn't really all that new. However, the defintion of a signature is one of those things that has been traditionally determined by state law -- it may be unclear whether a Federal law purporting to preempt State law in this regard would be unconstitutional.

  7. Purpose of a Signature by werdna · · Score: 5

    Various folks have written, expressing concern that permitting electronic signatures would be too easily forged or spoofed. There are several responses to this:

    (1) At common law, the typing of your initials at the end of an e-mail with intent to authenticate is probably a signature anyway (mileage may vary state to state);

    (2) Have you considered how trivial it is to undetectably duplicate a paper signature? Moreover, how easy it is to lift a signature from one document and apply it to another? In comparison, digital signatures are checksummed to the documents they sign, and are very difficult to forge without human engineering;

    (3) In practice, disputes over signatures are not really ever resolved by comparing testimony of signature experts (except in extraordinary cases). The two experts cancel each other out trivially, and the jury judges based upon the demeanor of the parties and the overall circumstances of the transaction. In a recent case, where a party denied signing a written agreement to sell some goods, the other side simply asked on the stand whether he routinely sent goods of the type to the other side -- "no"; whether he did after the date of the disputed document -- "yes"; whether he did in accordance with the schedule set forth in the disputed document -- "yes." It was all over, notwithstanding the conflicting expert testimony. (Ironically, the argument was that the signature was "too good," too close to a specimen the other party was known to have and therefor copied. Yeah, right.)

    The real deal is this: signatures are not there (for legal reasons) for the purpose of authentication -- they are a mechanism to formally "close" a deal, to distinguish those deals that aren't done from those that are, and in some cases to seal certain types of agreements that require a signed writing.

    The authentication purposes are an issue of "risk management," not legal effectiveness. The law only raises the question of whether the act, if it took place, was legally effective to seal the deal, and not whether the act took place.

    On the other hand, a businessperson might want to be able to prove a signature was real more readily than usual. This is why when a multi-zillion dollar deal is being closed, a lawyer will not accept from the other side to sign "Minnie Mouse," or "X" (if literate), even though doing so is legally effective for any statute of frauds purposes. Likewise, I would never accept for a meaningful transaction an e-mail stating:

    "Yeah, I accept your offer to sell Blackacre for 100,000 lucre. Sure.

    Love, Mandy."

    Even though it would be enforceable under Florida law for the purpose of the statute of frauds.

    Its all about eggs in baskets. How much comfort do you need, and how much certainty do you want to avoid being spoofed. If you make it a personal policy never to sign electronic signatures, it will be hard for the other side to prove that you actually did when you didn't, no matter how good the forgery. On the other hand, if you do, make sure you do a good job of making it difficult for others to forge or spoof you.

    Agreed that certification authorities are an important part of making use of signatures safe and commercially sensible. Disagreed in the strongest terms that they are necessary for the law to give effect to an instrument.

    In my view, the less the law tells us about how we do business, the better. Leave it to the marketplace to decide what technology and form of signature they want to use. Whether they rely on EDI agreements, e-mail typewritten messages or elaborate cryptographical structure using state-authorized or state-licensed "trusted parties," should be decided by those doing the signing, not those pretending to be high-tech-aware and make some press in Washington.

    The law SHOULD make clear that electronic signatures should be used and useful, just so folks don't feel they need to see a case before using the technology. After that, legislators should get out of the way.