House Nixes Digital Signature Bill
Seth Scali writes "The Electronic Signature in Global and National Commerce Act was nixed by the House of Representatives on Monday. According to the article over at ZD Net, the vote was 234 to 122-- or about 1/2 of what would be needed to pass." It needed a 2/3 majority. Most Congressmen seem to agree that we need some sort of legally binding digital signature capability, but say they don't think the current proposal offered enough security or consumer protection. Oh, well. Maybe next time.
You don't need a lot of skill to forge a signature in reality. It's far easier to set up your business in an ignored inner city area and rip off the poor since few people give a damn about it. This happens frequently, either by outright deeds such as those who are ripped off by heating contractors every year for heating systems that are never installed, misrepresentation such as concealing the true nature of the legally binding contract you just signed or by falsifying signatures which has happened with numerous shady financial services. Most times the person being victimized doesn't realize it, they're just suddenly faced with an unexpected bill. Even if they do it's an uphill battle getting anything done about it. If they're lucky the local news will take an interest.
I didn't like the fact that the credit companies (and others) could force providing account information electronically, just by burying it in the account agreement. Don't know about the rest of you, but I get enough e-mail as it is, and I don't need CapOne burying a huge interest rate increase in their (probably HTML) message about a shiny new card design.
This is a very good thing, it is bad enough that somebody could steal my credit card or other personal information. Think of what damage could be done when somebody could have that much more credit to masquerade as you...
Just like Microsoft, the government can't be wrong *all* the time.
This space for sale
I would hope that such a bill would be rejected. While there does need to be at some point some form of legally binding electronic signature, I don't think we're at the point where we have the technology to really support this. A normal signature and its individuality is based on the idiosyncrasies and mannerism of each human being and their fine motor systems, and requires a lot of practise if you ever hope to copy it; an electronic signature, however, is merely a piece of data, which at this point is far too easily replicated and misused. The current technology just has too many security holes to allow it to be a viable alternative as an individual authentication device.
Bingo. This is exactly what I was talking about when I asked Bruce earlier this week what he thought of digital signatures. Physical copies of your signature are there to be evaluated. They've been a legally viable method of verification for a /long/ time.. and the cost of forging a signature generally exceeds the benefits of the forgery. Is it perfect? No. But binding us to weak-crypto to please some wrinkled prunes in congress would only result in fraudulent activity on an unimaginable scale if such a scheme was cracked. And the government, being what it is, would not admit to it until many many lives had been destroyed or a few large businesses sunk over fraudulent signatures.
--
minor picky point:
the blurb said the bill only got half the votes needed to pass, but by my math, it was only 4 votes away from passing. That's pretty close.
So it makes me wonder if what they did was protect our privacy and security, or if they just reacted aversely to a new technology they don't understand.
I mean, gosh, there are still people out there who are afraid of using the ATM to make withdrawals! There's surely plenty enough technophobia amongst politicians to fear digital signature, what they probably consider to be, 'your name at the bottom of an email' or something.
So, it's not a good thing. If they had shot down the Bill for reasonable security concerns over expert advice on cryptanalysis, it would be great. But now, it just smacks of technophobia, and so the breakthrough of a nation-wide digital signature standard won't make its way into the US just yet.
Maybe we should ask Al to do something about it...
"Knowledge = Power = Energy = Mass"
I thought that the vote was 234 AGAINST the bill, with 122 FOR it. Since it needs a two-thirds majority to pass, 122 *would* be about 1/2 the proper amount (the real number of votes would be 118 or 119). As it is, 234 + 122 = 356, and two thirds of that is 237.3, which we'll round up to get 238. So, actually, it needed four more votes to pass, as a number of people have pointed out-- thanks!
So, based on my (mis) understanding of the article, I came to a mathematically correct conclusion based upon a faulty assumption-- I don't need more math, I need more common sense!
The House passed the bill in question (It only takes 218 votes for a majority in the House, and this bill got 234). It won't become law because the President will veto it, thus the need for a 2/3rds majority to override. It's misleading to say that the House killed the bill.
BTW, I really hate it when articles quote blatant spin as if it were actually newsworthy.
Anything worth doing is worth doing badly.
A GPG digital signature is currently nearly 100% authenticatable.
A digital signature used to sign a document is both specific to that document and specific to that sender. If it was sent by the wrong person, the signature will be invalid. If the data changes between the time of signing and the time of verifying, the signature becomes invalid.
Try playing with GPG [http://www.gnupg.org] for yourself. It's an extremely neat app.
-- The act of censorship is always worse than whatever is being censored. Always.
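The two properties described in the comment above (a signature is tied to one document and to one signer), as an added example that is not part of the original thread and is not GnuPG's code. It uses unpadded hash-then-sign RSA from the Python standard library; the key pairs are constructed from publicly known Mersenne primes, and the names Alice and Mallory are assumed for illustration. Real tools use standardized signature schemes and randomly generated keys.

```python
import hashlib

E = 65537  # common public exponent

def make_key(p, q):
    """Build a textbook RSA key pair (public, private) from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(message: bytes) -> int:
    """SHA-256 of the document as an integer; this is what gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private) -> int:
    n, d = private
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(message)

# Constructed toy keys: these primes are public knowledge, so the keys give
# no security and exist only so the example runs offline.
ALICE_PUB, ALICE_PRIV = make_key(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**127 - 1, 2**1279 - 1)

def demo():
    contract = b"Alice agrees to pay Bob 100 dollars."   # constructed sample
    altered = b"Alice agrees to pay Bob 900 dollars."    # one byte changed
    other = b"Alice sells her house to Bob."             # unrelated document
    sig = sign(contract, ALICE_PRIV)
    return {
        # Signed by Alice, unchanged, checked with Alice's public key.
        "genuine": verify(contract, sig, ALICE_PUB),
        # Data changed between signing and verifying.
        "altered_document": verify(altered, sig, ALICE_PUB),
        # Copying the signature bytes onto another document.
        "reused_on_other_document": verify(other, sig, ALICE_PUB),
        # Same document signed with someone else's key, checked as Alice.
        "wrong_signer": verify(contract, sign(contract, MALLORY_PRIV), ALICE_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```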
Hard?? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Easy to duplicate? I think not. -----BEGIN PGP SIGNATURE----- Version: GnuPG v0.9.8 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4IEh8KV5kReY9sP8RAn8JAKCZKGZ23q5U8NBxFrVyQ+ DNiYollQCfZ8vP pqUx8DUPME1AjzB1bqdDD08= =rvgZ -----END PGP SIGNATURE-----
The issues you're raising are important, but I don't think that you can simply say that "all the different arguments about the technological merits of one solution vs another can just sit by the wayside until these larger issues are worked out and understood." Those larger issues have to influence the technical solutions, and vice versa. For example, there are several protocols available for performing contract signing online. It's an old problem (well, older than I am). I don't think any of them explicitly address the issue you raise -- what if one or both parties lose the contract afterwards? How do you archive the contract (and do you want to)? So that's a case where your "larger issues" need to direct technical research. At the same time, you can't just plug in one of these contract signing protocols and then expect it to work just like your usual notion of signing a contract. They require things like trusted third parties, or random beacons, or that you be willing to tolerate a probability of error here and there. If you don't watch it, you can be burned... for example, if Alice and Bob are negotiating a contract, should Bob be able to show the progress of that negotiation to Carol? What if Bob is negotiating for a new job with Alice and Carol? Whose interests does it serve if Bob can do that? If he can't? A recent protocol by Markus Jakobsson aims to prevent this (see it at http://www-cse.ucsd.edu/users/markus/); other protocols don't. Which you use depends on what you want. And though I hate to say it, sometimes what you want has to deal with what's possible.
I think there is a need for legally binding digital signatures, but it's something I wouldn't want to see rushed through the legislature to make some withered old republicans look digitally savvy. This could have disastrous effects.
Any legislation has to be written realizing that protocol or key length requirements need to change with time. A given protocol and keylength may be fine for early November 1999 but may be cryptographically weak in early November 2009. This brings up another point. The protocol and key length requirements need to be strict enough that the chances of them being compromised before the signature on the document no longer protects anything is vanishingly small. In other words the strength behind the signature is directly proportional to the lifetime of the document.
Consider an earnings report for a company for a given quarter. It only requires a year's worth of strength in its digital signature. If a third party were to release an October 1998 earnings report in an attempt to manipulate the stock price it would be quickly caught and discredited.
Consider an individual taking out a 30 year mortgage on their home. If the digital signature can be forged in under 30 years this puts the consumer who took out the mortgage at risk. A malignant mortgage company could change interest rates or terms of the agreement to profit at the expense of the consumer. Things like this happen now with pen and paper signatures.
The security requirements for taking out a second thirty year mortgage after the first could be different than those for the first. Technology has increased, computers are faster and maybe new hiccups like quantum computation are a reality.
Digital signatures have the capability of being many orders of magnitude safer than pen and ink signatures if and only if people aren't legislated into weak signatures.
Technophobia isn't rampant there, but skepticism towards large companies who try to worm their way out of accountability is.
How does this affect digital signatures? Well, unless there is a -close- to 100% foolproof way of authenticating a digital signature, we're just going to run into the same old hassles we're having now, where signatures are forged or copied, or transactions deliberately tampered with or fabricated.
IMHO, digital signatures =must= be coupled with user input which is simply too complex to forge. Using a random sampling of the retina as a one-time pad would work for this. Then use the pad to encrypt the signature, and any other data.
But that only gives you a measure of security against outsiders. What about dodgy bank employees? There, encryption is useless, as the bank has to have the decryption key to be able to make use of the data. At -some- point, in the bank, the information has to be in the clear, and all someone has to do is inject false data there.
Actually, there's a way to solve that, too. If the bank's software is "incomplete", and your signature includes self-decrypting executable code, which is necessary to complete the transaction, it would be necessary to obtain that code before false transactions could be made in your name. However, if this code requires a "ping" or "traceroute" to your card, before it will work, it would be beyond most employees to fake a response. It doesn't make it impossible, but that's not the point. At present, any bank clerk with an IQ of -5, who can tell the difference between a keyboard and a ham sandwich has 99% of the tools they need to do a phantom withdrawal. Make it hard enough, and the people left who still could would probably be earning so much that they wouldn't bother with such petty cash.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
House Republicans intend on bringing this bill back up for a vote before the end of the current congressional session. When you consider it was rushed to the floor and missed being approved by only 4 votes (where did that "about 1/2 of what would be needed to pass" come from?) you can understand their optimism in trying again. This time, instead of bringing it up on the suspension calendar (with the required 2/3rds vote) they will try to run it through the rules committee and get a "closed rule" on the bill, meaning no amendments to it on the floor. That way they only need a simple majority to pass it.
If the House is going to go down this route, look for it to happen by Friday. But with Lott saying the target adjournment date is Nov. 10, you can be fairly certain this bill will expire with the session (unless they manage to get it appended to a year-ending omnibus appropriation bill, then anything goes . . . ).
In the news I read, the reasons given for nixing Digital Signatures had to do with creating a second class of enforceable, legally binding contracts. I wholeheartedly agree with this. There is no sense in rushing into a new use of technology and forcing it down the throats of consumers who will not understand the message they are receiving. Contract law is one area that is clear enough for a great many people to understand. It is well thought out and well documented in the Uniform Commercial Code and a great many state laws.
This applies to a whole huge list of transaction types and contract law situations.
As much as I love technology and all the cool benefits of it in terms of information flow, I think that for something as important as this, it's imperative that the plan be well thought out and understood by even those who do not understand the underlying technology. It was prudent to wait.
So, who cares about key length? Really. If the consumer will not even understand they are entering a legally binding agreement or receiving information which legally binds them, then we are not ready as a society to take the step. It's really as simple as that, and all the different arguments about the technological merits of one solution vs another can just sit by the wayside until these larger issues are worked out and understood.
If that doesn't take place first, then passing a digital signature act will be something the government does to us, not for us.
And what if I think that it's just more junk mail from Honda or Dell and I throw it away today? They only have to make a reasonable effort. I don't have to (they ask for it, but I never do it) sign and return anything today. They don't know that I got it.
Data Integrity Issues: What happens when a consumer's data is lost and it contained contracts in electronic form? Can he get a copy from the other party?
It would be helpful to the other party to just do so, since a subpoena is all that is required. Same thing applies if the office burns to the ground today. You should keep your copy, but the agreement is just that... the paper is only a physical means for remembering it later.
What happens when the corporation loses their copy? If it's a contract that I have the only copy left, may I say I don't have a copy either and stop taking actions for which the agreement applies if the terms are later found to be unfavorable?
But what about the fact that they've been doing the same things for several years? That's the legal precedent anyway (at least partially, in terms of establishing how the contract was actually implemented). And yes, you could say you lost it. But if they subpoena your copy and you lie... well, you've committed a number of felonies. Again, same issues as the non-digital world.
We would be forcing the courts to decide the question... Would you trust that the outcome in determining such basic facts to be favorable?
Yes. Our current Supreme Court is very pro-individual.
For the past few years, I and several other people I know, have been using Microsoft Word documents with a scan of my signature in the appropriate place. I've never had a problem with this, and though it's never been taken to court, I've issued invoices to state agencies via e-mail and been paid. It doesn't seem dramatically different than using a fax machine to finish the contract.
Have a little more faith. Our society, believe it or not, still operates on the premise of individuals not really screwing other individuals. The exceptions are always a bit interesting and sleazy. (Like forged signatures or ambiguous contract language.)
-Derek