Slashdot Mirror
House Passes Digital Signature Bill
DrewMIT writes "Finally," electronic signatures" will have the same validity legislatively as ink signatures." It still needs to go through the senate, and the White House has said it will veto it. The article is quite negative, it talks about how this will violate consumer rights, but all I can think is "Its about time." What do you think?
After reading the article, I still don't understand why anyone would oppose this.
It seems like if the politicians don't have a backwards stance on something, they don't think they're doing their job.
Hello little man. I will destroy you!
BROWN? ick.
Karnal
This is absolutely what I *do* *not* want. I have a hard enough time as it is getting my CC company to follow the disclosure laws, and now they can just say "well, we sent it. your computer must've eaten the e-mail." As I read the bill, this would strengthen the corporation's rights of notification even beyond the standard you're-considered-notified-3-days-after-we-mail-th is provision. I also note that me notifying them electronically is not addressed.
This will suck, I believe. Just think, you get an electronic notification in a lovely HTML message (that you can't read on text readers), with a note up top in 5pt type "please see below for account information." If you do take the time to read it, you find that in 15 days, your interest rate skyrockets from 13 to 23%, your payments are due in 10 days after the bill, oh and we're going to sell every bit of data we have about you. You may cancel your card under the original terms by sending written notice, in triplicate, to the following address that is written in off-white/grey text on a white background.
Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?
--------------------
Here's what I'm wondering. Not having much to do with the digital signature software & hardware, I'm curious as to a couple of things. First off, I'm wondering what the possibility of forgery is, and to what degree security is involved in the devices/software that implement the signature. Secondly (and possibly a branch from the first question), I'd be interested to know what prevents someone from copying this signature and using it themselves. I'm obviously not well versed on the subject, buy these are the kinds of concerns I would expect a businessman to raise. Also, does anyone know if the bill would allow for businesses to refuse to allow the use of the signature? The difference between genius and stupidity is that genius has limits.
Some consumer advocates oppose the relaxation of notification and information laws put in place by the states. For example, the bill would eliminate in many cases the requirement that banks notify their customers of agreements via snail mail. Email addresses are not as reliable as the USPS, they argue.
The bill doesn't simply say that electronic signatures are valid. THEY ALWAYS HAVE BEEN!
Note that it is quite possible that a particular bill might have wording that would make it downright harmful even though it may provide legal support for our favorite technology.
On the one hand, the US President has consistently opposed legislation to promote the public use of stronger cryptographic tools. Based on that, one might be led to assume that opposition to digital signatures might be based on that opposition to public access to cryptography.
On the other hand, there may be something about the bill in question that actually is bad.
On the gripping hand, it could be worthwhile to have validation of the legality of signatures "set" cryptographically, even if this has some intermediate side-effect that is "bad for consumers."
Does anybody have the actual text of the bill? It's rather difficult to evaluate the merits of completely-pre-digested press releases...
If you're not part of the solution, you're part of the precipitate.
Unless this bill has provisions (no I didnt read the fine print) that are at least as good as those for consumer protection like credit cards have I ain't buying it.
Call me a Luddite but: I don't *ever* send my credit card number over the net. I don't enter any personal information into any computer until I have seen and/or personally signed the paperwork and received a copy or the original myself.
I won't be buying stuff over the net. Mostly because I can get as good a deal locally as *anywhere* on the net (shipping and handeling costs bux boys).
Privacy and security will *never* be guarenteed on the net, get used to it.
What I really don't get is how do you return something using this "system"? If everything is electronically generated, will we need to send an electronic receipt back before the return would be allowed. What will happen to paper receipts? Won't electronic receipts be fairly easy to doctor up?
_________________________
Mello like the Yello, but without the fizz.
_______
I just wish I could c:\format Internet
1) The bill appears to "exempt" some things from electronic delivery. Does this mean that companies don't have to send these things over E-mail, or that they must not (meaning, therefore, that they must continue to send them using more conventional means)? If it's the latter, then I don't see why this is so bad.
2) The article talks about sending things in formats that people might not be able to read. That's what ASCII text is for. Warranties and such generally don't need anything in the way of special formatting. Perhaps that format should be required in the bill; it appears not to be.
3) What the hell is wrong with the colors on this message? No offense to whosever idea this was, but the usual green and white looks much better.
Or is this a sign of user-configurable colors to come?
From what I gather from the 'con' arguments presented in the article, some politicians fear that companies will ONLY start using digital signatures and that some won't be able to "read the fine print" since they don't have internet access.
Correct me if I'm wrong here....If you were going to purchase something online, and agree to sign a contract digitally, then wouldn't you already be able to access all the fine print (via secured web sight, physically printing the contract, secure e-mail, etc.)?
How and why some of these people get elected to any office is absolutely flaberghasting!
-- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."- Albert E.
While this is progress, I'm not sure if this is progress forward (at least at this time). IMHO, this is this suffers from the same fundemental flaws as online voting:
1. The general public does not understand the implications of sharing a password with a friend.
2. Without forcing restrictions on the rights of the internet citizens as a whole (bad idea), it becomes extreemely difficult to enforce violations of this (i.e. someone from some other country impersonates you).
3. Script-kiddies ('nuff said)
4. In reference to warranties: (I'm going out on a limb) The ability to alter/change electronic information after the fact, a-la "Rising Sun" (maybe a 1 1/2 star movie) may be easier for companies rather than deal with "problems".
5. Sending things to people via a digital signature (as opposed to ceritfied mail) relies on the receiver being able to keep a copy of in case of a hard drive crash.
5b. Windows (controlling over 80% of the market - mac included) Crashes - lots.
Well, try not to tear it completely apart... but thats some of the flaws I see.
You say you want a revolution?
Now, this thing says all these politicos and corp types are all fired up in supporting this, and they give a lot of reasons why - but where are the reasons from the consumer groups and the White House?
Yes, I think digital signatures rule also - but before I run and call my congressman, I want to know what reasons the opponents are giving - just having sound bytes is not enough.
In other words, this news story absolutely blows chunks...
Good digital signatures would be good. Bad digital signatures would be bad. This seems like common sense, but there are vendors out there claiming they have digital signaturing without even having some basic features, like non-repudiation.
I use PGP for signing, but you've got no guarantee that I own the key with my name on it. Anyone can submit a key with any name to the public servers.
I don't see this being feasible without a big agency to certify algorithms and issue keys reliably. Big agencies are bad, and artifically impose geographic limitations on the 'net.
Otherwise you have to implicitly trust everybody, and then who cares about signatures?
Someone needs to think of a better private solution.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Everyone knows that pen and ink signatures are easily forged. It isn't conceivable that electronic signatures would be any less secure or certian in this respect.
:-P
When someone forges your pen and ink signature, the solution is to swear under oath before witnesses, that the forgery in question is indeed a false signature. The solution to a forged electronic signature would be the same.
I really don't see a significant difference security or privacy-wise.
For all the lip service that the White House plays to being pro-technology, it is so often obvious that they really don't have much of a clue.
Remember, Al Gore invented the Internet!
Furthermore, anyone who was leary of electronic signature has no obligation to use them. They can just use pen and ink signatures instead!
This is an idea who's time has come. We're about to enter a new millennium for cryin' out loud! Bill Clinton endlessly reminds us of this fact. He needs to actually live it!
On a little side note, in August it became legal to digitally sign some legal documents in Texas. Digital signatures were not defined in detail in the law, but it's there.
How does the bill handle the problem of authentication? I am not keen on the idea that I might be legally bound by a spoofed signature, so how does the law ensure that signatures belong to who they say they do? It seems to me that in the case of notification this might be a real problem: I might be legally bound by a message that was not preceded by any communication from myself to the issuing company.
moderate this down please - I accidentally deleted some words (the comment is reposted elsewhere)
In other news *cough* unrelated news, a friend of mine has a program that uses a genetic algo to reverse-engineer formulas... which will be released under GPL once we get the client/server protocol stuff done (that's my job!) ala distributed.net. I'm rather hopeful that we'll be able to extract a factoring algo from it within several months' time. No, I don't have a link, no I won't release any info on it, and no, you can't have the source until the bloody thing works and we get a patent on it. =)
--
How, exactly?
For instance, if an "end of warrantee" notice is made legally binding merely because the company sending it used digital signatures, this is tremendously wrong, as it provides no mandate that said signature actually come to me, the one holding the product they're trying to end-of-life.
In order for this to work, there needs to be some equivalent to a "two phase commit;" the signature is not valid until I respond back, indicating by sending a digitally signed response that signs their signature that I have received it.
This sort of protocol is something banks doing transfers will doubtless be willing enough to set up; in order for it to be usable with consumers, some proxy that is able to manage the "sign-and-send-back" part is needed. The Post Office might be a good candidate; they have the infrastructure for not-dissimilar verification of receipt of mail that comes when you send something "registered."
If the legislation doesn't offer such "secure protocols," then I would agree that it is a real bad idea. Of course, I don't know this; all that we are seeing is highly-predigested evaluations...
If you're not part of the solution, you're part of the precipitate.
Just as you've said.. it'd be horrible if weakly encrypted signatures are allowed, giving ample opportunity for forging.
:P
But then, do I really expect the government to require strong encryption on something?
This color is horrible but it fits the recent spat of pointless aritcles that have nothing to do with tech...UGLY... I will still REQUIRE all my notices in print...you can do what u want but as far as I am concerned no printed signature no sale...AND I still win with VISA...no signature no sale...The contract I signed with VISA requires a signature...even electronic purchases truly violate the conract and I have gotten several items for free that way :) Too many times VISA has called me and asked did you take a trip to CAIRO, as $2000 worth of charges just surfaced there, or a book store in Scottland...it is easy to fake this stuff and leaves consumers with little or no recourse...NOT this KID :)
I believe we were the first place in the world to allow digital signatures. Our governor has an amazingly high emphasis on anything computer-related (especially surprising considering the fact that he reminds me of Dan Quayle ;-).
With no means of carrying out strong authentication on a signature, or strongly binding the signature to whatever is being transmitted, it would be impossible to verify if the signature is genuine.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
A copy of the House Bill is available on-line.
/S/ Alice
Electronic signatures are almost certainly "valid" (that is, legally enforceable as signatures) under the common law of every state (except perhaps, Georgia, which has some renegade case law regarding facsimile transmissions), just as signatures using other non-pen-to-paper technologies have been for centuries. The Statute of Frauds has not, for example, excluded, typewritten or telex printing of names, shaved initials on the hide of a cow, impressions of a footprint cast in sand, and so forth. This legislation is not necessary, but it is helpful for a conservative lawyer to be able to rely on statutory law rather than inviting their client to be the first one to litigate these new fact patterns.
In short, the law does not require more than a physical fixation of an intent to authenticate -- a ceremony if you will. A signature does not need to be non-repudiable to be valid -- I could mark "Micky Mouse" or "X" at the end of a document and be bound, if it can be shown that I intended to authenticate the document when I made the markings.
On the other, hand, good commercial sense ordinarily precludes the use of or the accepting of such "alternative" signatures, even if they are legal, for the simple reasons that they create tremendous difficulties in proving authentication when push comes to shove.
The decision to accept an "X" from a literate contractor when closing a deal involving zillions of dollars would be foolish, and we would ordinarily ask them, politely, to sign the document by writing their name. When a shaved cow is offered, in anticipation of the difficulties of getting the critter into the courthouse -- we smile, thank them, and offer them our pen instead.
Its all about choice. The question is, who shall make the choice whether we use ink, pen-on-paper, crypto or typewritters: the individuals using the signatures, or the government?
Two distinct views are prevalent in state electronic signature legislation: a minimalist statute that simply says that electronic writings are writings and manifestations of authentication of the writings are signed writings, leaving it to the market to decide (such as Florida's Electronic Signature Act); and more protective bills, which only validate signatures using certain technologies, such as assymetric encryption (Utah).
The bill passed by Congress is a minimalist bill, like Florida's (apparently patterned after the present draft of the Uniform Electronic Transactions Act). It is neither good nor evil, IMHO, but can be very helfpul for encouraging certain types of transactions.
TRUE, it makes an e-mail of the form:
Bob, I agree to buy 100 widgets at $500/widget, FOB TAMPA -- ship immediately.
a valid memorandum for statute of frauds purposes (the statute of frauds requires signed writings memorializing certain kinds of contracts as a precondition to their enforceability). But so what? That is almost certainly already the law anyway!
Whether Bob or Alice would agree to do business in that manner should be up to Bob and Alice. Of course Bob should be concerned that Alice might later repudiate the transmission, and must be concerned about how he can "prove up" (should it be necessary) the signature in court. On the other hand, who should make the choice as to what technology, if any, Bob should accept, Bob or the government?
I have two concerns with digital signatures.
First is that I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.
The second reason is the boiler-plate issue. I am concerned that there is no way to verify digital boiler-plate contracts. Many consumer contracts have be scrutinized by the consumer-rights folks, so I feel confident that I can sign without having my lawyer review it. It can be fraud to represent a contract as boilerplate when it is not, but who wants to go through that?
- Forge a check and I loose $50 bucks
- Forge a letter and more than likely, a notery will get you off.
- Forge a document and more than liklely it will be caught (lengthy court possible, but usually a notery can tell)
Now:
- Forge a digital signature and:
Have my credit card statements ( anyone been to www.discover.com, or www.visa.com, or www.....)
Have my credit card numbers
Purchase a 35'ft replica of a viking ship on E-Bay
(as the theif) Claim that someone has stolen your identy and may try to get back in touch with (whomever) doles out the digital sig... thus making things long and hard
Yes, you have no obiligation to sign all of your documents with your digital signature, but tell that to the people who send you stuff regardless. Remeber: whether you choose to use something or turn a blind eye to it doesn't mean it exists...
Its like rapping a towel around your head so the alien won't eat you... funny, good in a kids story, but not practical.
You say you want a revolution?
Excuse me for my ignorance, but if the someone signs a message with a small-bit-size private key, how easy would it be to decrypt? And how does this relate to the birthday effect with hashes, does this have any impact?
Cheers.
Rather than speculate about what this bill will or won't do, let's take the time to read it for ourselves. Like all the other bills working their way through Congress, the text of this bill is available at the Library of Congress' THOMAS server. Here's the full text of the bill; that link may or may not work when you read this, since the URLs on THOMAS do have a habit of changing occasionally. If the link fails, then go to THOMAS' home page, type "HR 1714" in the 'Search by Bill Number' box at the top of the page, and do the search. In the list of bills that appears, choose 'HR 1714 EH'; that's the current version, at least as I'm writing this.
A few personal comments after reading the bill:
Overall, I wish that it were written more clearly, but it doesn't seem onerous to me.
I think this is the color scheme for the "Your Rights Online" subsection that this article belongs to. It has its own color scheme, like "Ask Slashdot" does.
I agree; the colors don't fit. Especially with the green/white Slashdot logo at the top.
--
Interested in XFMail? New XFMail home page
I must have missed something... As far as I could tell, the article was fairly balanced and presented both sides of the issue.
Or were you expecting any article written about digital signatures to be gushing and adoring without presenting any of the negative aspects?
- Drew
- In Capitalist America, law violates YOU!
In other articles (sorry, no references right now) it mentioned that the danger was that consumers could be tricked into accepting electronic documents because the acceptance could be buried in a contract the same way other things are buried in the fine print. In other words the bill was two parts 1) digital signatures are valid 2) digital contracts and amendmants from companies are valid.
The original alternative only covered 1) digital signatures are valid but was squashed mightily. A democratic provision 3) any agreement that the consumer will accept digital documents must be highly visible and seperate was also killed.
I disagree with your assertion that we will have the choice not to use them. In five or so years, it is easily conceivable that some businesses will only take digital signatures since, as you say, they are supposedly harder to forge than pen & paper signatures. I can see certain credit card companies, insurance companies, and e-commerce companies doing this.
You say that digital signatures are harder to forge, but we have all seen article after article on Slashdot talking about breaking crypto. How long until you digital signature is cracked? Someone can simply keep a bunch of signatures that they've snooped on file until such time as they can crack them and then use them freely. Remember, digital data can be perfectly copied without errors. Your signature may be "forged" perfectly without any evidence that it is not genuinely your signature. There will be no more court experts in forgery to save you.
What the President and consumer advocates object to, however, is not this whole issue about the signatures themselves. It's the provisions that certain kinds of notification which must currently be delivered to you in writing will be able to be delivered to you electronically. This means that some people will not be able to get that notification and are no longer protected by getting it in writing. This is what some parts of the industry want and what consumer advocates are all against.
There's a quick little sanity check I do on any of these articles when I hear about them. When businesses are all over a bill and consumer advocates are against it, it usually means that we're about to get screwed if it passes. Always find out why. Bills in Congress almost never involve just one thing. They always let a law that only certain special interests want ride on the back of a law everyone wants so get it passed since it wouldn't be passed normally. It's an attempt to get another law in favor of big business passed with a law that helps everybody.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Of course these forms of technology can also be forged, but they are still useful as evidence of legal transactions.
The problem seems to be that (according to the article) the bill goes further and allows digital signatures to replace written signatures in some circumstances causing possible consumer protection problems.
It seems that the first bit is good and the second bit is bad. The proposed ammended bill seems to split these up and just have the first (good) bit without the second (questionable) one.
---
---
soni bo da
There's at least one critical point where esignatures are different from their real-life counterpart:
Everyone over the age of five has a real-life signature.
Let me explain why this is a problem by providing a true analogy.
A certain bank (who shall remain nameless) has a pretty nice online banking setup. The hole, though, is in their online signup procedure. How do you prove that you are indeed you? You simply provide your social security number, one of your account numbers (it doesn't matter which one), and your bank card number. For those of you less paranoid than myself:
Think of all the places where people are likely to have used both checks and check cards, such as grocery stores they frequent, motels they're staying at, etc. Now, think of how much the employees who handle your financial information actually get paid. Nervous yet? Good!
Here's the fun part: once J. Random Minimum-Wage has all three of your identifiers, they can do you the additional service of setting up your online banking for you. Keen, huh?
Until the day you decide to take the leap and start using the service yourself, your accounts are compromised, and you've never noticed.
To tie this in to the topic at hand, I wonder what sort of proof you'll have to offer to establish an esignature? If I decide that it's pretty likely that you'll never use yours, what's going to stop me from setting it up for you?
Now, multiply this scenario by the number of people who don't have the slightest contact with computers, and I think we might have a problem.
Did you think that "The Net" was creepy? Wait until I create the esignature you never bothered with and use it to sign for a few credit cards.
Dewey, what part of this looks like authorities should be involved?
The Georgia Electronic Records and Signature Act 1997 recognises digital signatures (s.5) and sets out actions for unauthorised use of a digital signature.
This seems to me to be a good example of how this sort of legislation should be created (ie keep the recognition of signatures but discard the problematic notification/consumer protection problems)
---
---
soni bo da
http://thomas.loc.gov/cgi-bin/query/D?c106:1:./tem p/~c106rV3Xiy::
.. read it for yourself anyways
Text of the bill that deals with private transations (the rest of it deal with federal government accepting digital signatures, which is exactly the same wording
SEC. 7. NATIONAL POLICY PANEL FOR DIGITAL SIGNATURES.
(a) ESTABLISHMENT- Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws establishing digital signature infrastructures, and representative individuals from the interested public.
(b) RESPONSIBILITIES- The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards to enable the widespread availability and use of digital signature systems. The Panel shall develop--
(1) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates;
(2) standards to ensure consistency among jurisdictions that license certification authorities; and
(3) audit standards for certification authorities.
(c) COORDINATION- The Panel shall coordinate its efforts with those of the Director under section 3.
(d) ADMINISTRATIVE SUPPORT- The Under Secretary shall provide administrative support to enable the
Panel to carry out its responsibilities.
(e) REPORT- Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel.
All this does it create a panel to investigate, and start their recommendations within a year. Sounds like the oppositions just sees that there is a potential for problems as desribes and whats to specifically made it illigal for those provisions to happen. But the whole thing isn't even formed yet!!
That it has NOT been proven that current methods of cryptography cannot be 'cracked' in less than exponential time? What happens when our entire ifrastructure is based on this mathmatical ignorance and we finally figure out how to factor large numbers in linear or even constant time? The fact that almost no one knows this (I've never seen in mentioned anywhere except number theory books) means that society is absolutely not prepared to be 'wired.' I'm worried.
Would this also apply to those porn sites that say, "Under penalty of by clicking "Enter" I agree that blah, blah, blah..."
Or did I misunderstand the bill completely?
We all know this, anything that's digital can be duplicated perfectly, it's just a matter of time. Digital Signature Piracy (DSP) anyone?
My pen and wet ink signature is still far superior in this respect.
"Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao
It doesn't specify what the "digital signature" is. It just says they can be used. Basically it says that digital contracts using digital signatures can be made legally binding if all the parties involved mutually agree on the exact form of those signatures.
Actually there are a whole bunch of other details as well, but that's one of the important points. Have a look at the bill itself.
IT amazes me how two things that are so simalar that they are almost equivalent, can be seen as not only different but helpful in one case, and harmful in another.
If I read a disclosure over E-mail, its exactly the same as snail mail, and the failure rate for snail is, I would guess, higher than the failure rate for delivery of E-mail, but even if it wasn't thats my choice...
This bill is so you can sign up for something, and recieve disclosure information online, it doesn't mandate it.
If you are afraid of the Internet and what will happen to your discloser CHOOSE snail instead.
*sigh* progress is overwhelming, people are underwhelming.
John
Maybe spammers learn to disguise their crap as electronic legal notices from various vendors.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
In general I think that opposition to digital signatures is the harmful kind of technophobia. It seems that people are ready to read a million problems into the system of signature when computers are involved, but at the same time they are completely comfortable with a system where you authenticate yourself by drawing a squiggle?
From a security engineers perspective, conventional signatures are insane. They are easy to fake, even easier to get around (how many cashiers even check for a signature on your ID? how many are trained in handwriting recognition? how hard is it to fake an ID? How hard is it to leave a space open on a contract and then print another clause onto it?) The fact that I can be accused of having signed something just because somebody could draw a squiggle like mine: now that is a rights violation if you ask me.
Yes, there is reason for healthy skeptisism on any system like this, after all the American government has a bad track record with both crypto and consumer rights. But DSA signatures have stood up until now, and there is little reason to believe they will be broken (they work a lot like other asymmetric cryptos). As a whole however, a truely functional system for digital signatures is an amazing blessing: a way to be truly, mathematically, sure that nobody can fake your signature.
I think that in the foreseeable future, people will think we were insane in basing our entire legal system on a bunch of squiggles...
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
I'm not convinced that this is possible; or at least I think it would be extremely hard and dependent upon a really trick GA coding. A GA is basically a parallel search technique that exploits regularities in a fitness landscape. 2 points: 1. In a fitness landscape based upon prime factoring, do such regularities exist. 2. If they do, is the resulting function generalisable (ie will it work with data other than the training/validation data) I think that (1) is quite possibly true, but I'd be extremely surprised if (2) is.
Yeah i know, offtopic, so what =P
Crichton is the arguably the best fiction writer of our time =]
Thank you very much for referencing the real legislation; this is a vastly superior thing to discuss than mere commentaries on journalistic commentaries.
It appears to me that there may need to be a clearer "Opt Out" mechanism; aside from that, the fact that the bill expects that parties
implies (as does other parts of the wording) that both parties to a transaction need to be involved in this determination.There perhaps needs to be some allowance for there being a period of time during which people don't fully understand the implications of this, and some coherent method for repudiation of such agreement, perhaps modelled after the manner in which consumers are permitted to reject certain sorts of transactions from door-to-door salescritters if cancellation is done in some specified period of time...
If you're not part of the solution, you're part of the precipitate.
This minute, as we speak, there is a scumbag somewhere cracking a banks online computer system and stealing account information to sell. (There was a large bust in my town recently of just such a ring, which mostly used modified script kiddie technology to break in more discretely than your usual script sociopath). With digital signatures, your life is gone--totally and copletely ruined--if somebody breaks into a bank (and they are all online) and grabs your personal info. At present, the banks are very hush-hush about this and eat the expense. With a digital signature, IP masquarading, etc., you are going to have a hell of a fight to say that's not my signature and I'm not liable for the acts of the thief who emptied my bank account and maxed out my credit cards--no $50 liability limit, no limits of any kind.
This is like the old "holder in due course" doctrine that was abolished in consumer transactions (largely because of the Bank of America's pracitces of buying and enforcing the paper California bunko artists got the victims of their home improvement or whatever scam to sign). They used to be able to buy a note from a *known* bunco artist and enforce it with a straight face because they didn't know he was conning this particular person, never mind that he had ripped of 10,000 others in exactly the same kind of scheme. Digital signatures have a lot of implications which very few of the slashdot responses show any awareness of: if you are debating in court over a forged check you maybe have a document authentication expert who will look at the signature (and you may get lucky and find an honest one--they generally work for banks and know how they will get their next paycheck if it comes to that); now imagine you are debating whether a digital impersonator is really you, and how you need experts on cracking, cryptology, IPmasquarading and other net trickery, etc., etc. Do you really want to spend $60,000 in attorney and expert witness fees trying to prove that you really didn't run up those $4000 in credit charges which were digitally signed for and really didn't authorize that $40,000 second mortgage on the house (the proceeds of which were electronically transferred to the Bahamas, along with your life savings plus the proceeds of the sale of the 401K you had maintained through the now legal brokerage office at your bank). The goddamn bank is going to have your life stored up in a computer connected to the net (so you can bank at home, and just because you have an atm card with a four digit password--that's all I get at my bank, thank you--and/or signed a piece pf paper to set up an account).
As the saying goes: Thimk! (No, that is not a misspelling.)
bumppo
IMO digital signatures are insecure. I no longer care to hear arguments on this. The point is moot as far as I care, and you'll be wasting your breath. Just give me the power to "opt out" and have it decreed on public file somewhere that all digital signatures are invalid for my name. Then, I will not have to worry about fraud. Just like I can "opt out" of having a credit card. Then, I do not have to worry about my number being stolen by 31337 h4x0rZ because... I never had one to steal.
The Christian Coalition has a great site to keep track of each rep's voting record on issues that concern them, and has many links enabling interested people to contract their reps. Why not the EFF or Slashdot? Before the 2000 (USA) elections, I hope to see Slashdot/ANDN invest some of their upcoming IPO cash in a "Slashdot slate".
JMC
Just imagine. Install windows. Before it "activates", it now asks you to "digitally sign" the EULA agreement. No longer can "click yes to agree" remain legally murky, you are now signing a real contract. Make no mistake about, it's the software publishers (MS in particular) that reeeally wants this bad. And MS doesn't care about h4x0rz abusing this system so long as the system works for them. They'll let legislators tewak things later. They just want our souls right now and consumer interests and protections be damned.
Credit card apps. Healthcare forms. Asterisks with conditions on checks to be cashed. And I keep copies of everything before mailing it off to whomever. If they issue the credit card, health insurance, or cash the check. I've got them on MY terms. They often process these "standard" forms they mail out to loads of people so fast that they onten FAIL to treat them like the real contracts they are and just approve and process them. Oops! But the oops is in my favor this time. If they notice the items crossed out or added on and bitch... fuck 'em... There's only 6.02e23 different other credit cards I can apply for. Heh heh.
not that close to first post!!!!
John Hancock's digital sig would be 8 megabytes big...
Couldn't resist.
"...so forget about swearing that it's a false signature- there's no such thing as a false digital signature!"
"...or email viruses, and anyway as long as you don't open attachments and are sure to use the latest software, you're absolutely safe..."
Sorry man: I don't trust you or your argument. You're drunk on technology, which is great, but it's blinding you, and that's not great. I'm still stubbornly in favor of keeping as many sanity checks and old technologies effective as I can. I use plaintext email and news. I write receipts for computer repair I do on carbon paper receipt pads and have a set of file folders with all my papers organised by year and quarter. I write checks on paper, and sign them with my laborious signature. I _hate_ writing with a pen, always did, but I'm not gonna give it up for you. My checks, for instance, have certain common features all my own- if I draw a slash there is _never_ a 35/100 on it as if it were a fraction, and my signature uses some print characters rather than cursive characters. If I was to use digital signatures I'd be buying them pre-made- probably from Microsoft, as they'd try to kill everyone else in the area. Sorry, no way. I may be a programmer, I may be a geek, I may be totally 'wired' but that doesn't make me a _fscking_ _idiot_.
Thank you for being one of our most valued customers! DigSigSecurityCode: HKJGHJ77867B5BMBNBHF56786876GGFNDRFGUH5745V"
If we want the legally recognized ability to execute binding contracts via the internet, we must keep pounding on Congress until they can come up with a decent bill and the support needed to override any presidential veto. This one will surely not make it past Clinton's desk.
In order to create solid digital signatures, we must first have strong encryption -- of course, privacy is a threat to our national security, because terrorists might use it to discuss their plans to build weapons of mass destruction. Yeah, yeah, that's it. There's no way that a terrorist seeking to build a thermonuclear device is going to risk being busted for exporting encryption software.
It's a good thing that tomorrow never comes, because most of us are stuck in yesterday.
I believe this is correct. A decision the year before last (in a case called Norton, or the like), held that a facsimile transmission was not a "writing." This largely provoked the adoption of the new bill.
I agree that a statute providing that any electronic signature constitutes notice to a would-be recipient would be unconcionable, inviting all sorts of foul conduct. I saw little in this bill to do that -- to the contrary, all it provides is that the electronic writing wouldn't FAIL TO BE NOTICE, just because it was electronic.
I actually think the solution is to state that notice must be accomplished in such manner as to ACTUALLY OR REASONABLY BE CALCULATED TO GIVE NOTICE, rather than quibble about the technoloy used to do so -- which will change over time. If an obscure means is treated as a notice, whether paper or otherwise (for example, as fine print hidden in a document purporting to be junk mail selling magazines), it is not treated as notice, notwithstanding the fact that it is most assuredly a writing.
Why should electronic instruments be any different? If a reasonable person in the place of the consumer (or if its consumer protection legislation, like insurance), then a reasonable idiot in the place of the consumer would consider they had notice, why does it matter if it arrived by e-mail? Likewise, if the manner used was sneaky, regardless how it was given, why does it matter whether it was in writing?
If a person uses e-mail for every interaction in his or her life, and receives an e-mail, reads it and actually got notice, why should she be able to rely upon a technical defense of the "non-writingness" of the e-mail? Why should it matter for these purposes whether the notice used digisigs?
Clickwraps (as opposed to mere shrinkwraps) are fairly well-established as binding, but I doubt that a click would be a signature. On the other hand, type "OK" WOULD constitute a signature.
This is also the law in almost every jurisdiction today anyway. Further, no writing would be required for many license provisions in any case -- the statute of frauds may not apply, particularly if the package price is less than $500.00.
(1) unclear, it would depend upon state law and common law development for each excluded arena. Most state laws governing wills require them to be executed at a face-to-face ceremony, regardless how the document is executed, so most e-mail transactions would fail. Other laws require "writings" (as opposed to "signatures"), and local state law would determine whether an electronic instrument is a writing, even if it is "signed."
In short, a lawyer's answer: it depends.
(2) unlikely, and probably an unfair interpretation of the statute or its consequences.
(3) I am on the fence on these subtle religious points.
First, common law has recognized typewritten an telex signatures for years. (As well as shaven cows, for that matter).
Pen-and-ink signatures cannot be strongly authenticated, or strongly bind the signature to whatever is being transmitted (indeed, forging and lifting paper signatures is a trivial exercise).
While I cannot argue with the proposition that assymetrical encryption is clearly superior, done right, to pen-and-ink signatures, this does not render electronic documents not asymmetrically encrypted inferior TO PEN-AND-INK signatures (or X-marking, cow shaving, foot casting and other bizarre but legally valid signatures)
> I can get as good a deal locally as *anywhere* on the net (shipping and handeling costs bux boys).
Not with this country's quaint laws on sales tax - I'm in Austin TX, Dell's here in town, so I pay 8.25% to the Lone Star tax collector for the privilege of doing e-commerce with them. But Red Hat's in North Carolina, so I don't pay sales tax to *either* state when buying from them. More than makes up for the postage. But does it make sense?
Whole towns with names like like Nowhere NM and Brigadoon ID subsist on the mail order business due to this quirk in US law. (Get your combined bean slicer and back scratcher, just 19.95 + 5.95 shipping and handling...)
I won't even get started on the fact that there are 6,500 local state tax regions all with their own concept of what should and shouldn't be taxed, and different categories and sets of rates. In Europe, they think they need to simplify the fact that each whole country has a different, single VAT rate, poor souls.
On the security issue, apart from the fact that it is harder to judge who you're dealing with, using credit cards on the net is generally safer than using them over the phone.
In a physical store, at least here in Texas, no-one EVER checks signatures, so if you lose a card, you're hosed. A colleague's wallet got swiped from work, and they ran up $9000 in 90 minutes before Amex's computer jangled alarm bells. Don't know if it was smart software, or it just hit the credit limit - probably just the latter.
you sign an "I Agree: statement that references external caluses - which then change several days later. you may get suckered, 'cos you can't prove what you agreed to. The company may not have a valid contract with you, 'cos you didn't know what you agreed to - as with paper signatures, agreeing to misleading contracts voids the signature. So, are we any better off? Nah! Lyal
Today, PKI/digital certificates requires everyone to be their own security manager.
Guess what?
Most of us internet users are very, very bad at being security manager.
So, certificate and password abuse is as real and as simple as this message - or the Bill we are discussing
Lyal
I actually think the solution is to state that notice must be accomplished in such manner as to ACTUALLY OR REASONABLY BE CALCULATED TO GIVE NOTICE
Do you think, therefore, that the bill is designed to not exclude the use of digital signatures as evidence of transactions merely because they are digital signatures (apart from the specific exclusions) - which seems logical?
If so, what do you think the people opposing the bill are worried about then?
---
---
soni bo da
DVD's can be copied because they use extremely weak encryption. Any widespread usage of legally binding digital signatures would require that the U.S. relax its export regulations -- unless, of course, we want the rest of the world to leave us behind in yet another way.
Pen-and-paper signatures are laughably weak. I once had a boss who asked me to forge his signature at work; he was out of the office knew that any scribble that I made on the paper would count. (For the record, I flat-out refused.)
-- Rene