Slashdot Mirror


House Passes Digital Signature Bill

DrewMIT writes "Finally, "electronic signatures" will have the same validity legislatively as ink signatures." It still needs to go through the Senate, and the White House has said it will veto it. The article is quite negative; it talks about how this will violate consumer rights, but all I can think is "It's about time." What do you think?

39 of 116 comments

  1. Ugh...more e-mail by wesmills · · Score: 4
    The bill would also allow companies -- when consumers agree -- to deliver warranties, notices and other required disclosures in electronic form.

    This is absolutely what I *do* *not* want. I have a hard enough time as it is getting my CC company to follow the disclosure laws, and now they can just say "well, we sent it. your computer must've eaten the e-mail." As I read the bill, this would strengthen the corporation's rights of notification even beyond the standard you're-considered-notified-3-days-after-we-mail-this provision. I also note that me notifying them electronically is not addressed.

    This will suck, I believe. Just think, you get an electronic notification in a lovely HTML message (that you can't read on text readers), with a note up top in 5pt type "please see below for account information." If you do take the time to read it, you find that in 15 days, your interest rate skyrockets from 13 to 23%, your payments are due in 10 days after the bill, oh and we're going to sell every bit of data we have about you. You may cancel your card under the original terms by sending written notice, in triplicate, to the following address that is written in off-white/grey text on a white background.

    Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?

    --------------------

    1. Re:Ugh...more e-mail by bgeiger · · Score: 2

      I agree.

      Even as a 17 year old (with no credit card) I can see the downside to this. Nobody takes the time to read the gnat tracks at the bottom of any contract anyway....

      I like having a dead tree version, signed by a human (preferably, or one of those autopen thingies). Then again, with about $5 (US) in my checking account....

      As a side note, can we do SOMETHING about this color scheme? Brown and pea-soup green? Ugh... I think I'm gonna hurl.

      --
      o/~ All God's children shall be free in Pirates of the Caribbean, when we reach that Magic Kingdom in the sky... o/~
    2. Re:Ugh...more e-mail by mattsouthworth · · Score: 2

      Additionally, email addresses aren't as static as postal ones. Sure, people move, but short of that you're not going to stop getting snailmail because of nonpayment to an ISP. I've had the same email address for 5 years, but if the ISP tanks what can I do? Unless the guvm'nt wants to gaa-run-tee us an address...

    3. Re:Ugh...more e-mail by kickahaota · · Score: 2

      "Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?

      That's an excellent point, but there's a couple of things that should be mentioned here:

      • Under the terms of the bill, the consent to electronic notice has to be "conspicuous and visually separate from other terms"; it can't be something that's slipped into the middle of a paragraph somewhere.
      • "Stealth changes" like the ones you're describing are nothing new; a number of credit card companies are particularly fond of stuffing things in their bills that look like advertisements but that are actually changes to the agreement. Of course, there are some unique consumer threats to the electronic approach; instead of hiding the changes in a larger message like you're describing, a company could send a notification in a way that made it look like spam (complete with the email header format that spam-mailer software usually uses), hoping that the consumer's spam-filtering software would filter it out and that the user would never even see it.
    4. Re:Ugh...more e-mail by MikeBabcock · · Score: 3

      I don't know where you come from, but I've been begging companies to send me my information by E-mail instead of paper form for a long time now. Why should we live in an "almost paperless" society working with computers and generate paper to communicate all the time?

      I use electronic banking on the Internet to pay my bills and I shop online for books and movies as well. I don't like getting spam in my mail (physical) or in my E-mail, but the E-mail stuff is easier to delete ... and I don't have to take out the garbage afterward.

      And why, pray tell, do you think that the fine print will change on contracts just because they're sent electronically? Most people don't read the Xerox contract when they buy a new fax machine that states "New shall be defined as any new or used or remanufactured part that Xerox deems suitable for sale" ... I'd just rather have an electronic version of my warranties to file on floppy (or ZIP) than paper versions lying around somewhere.

      I hope other Slashdotters are with me on this one, or we're a bunch of digital hypocrites.

      - Michael T. Babcock <homepage>

      --
      - Michael T. Babcock (Yes, I blog)
    5. Re:Ugh...more e-mail by jilles · · Score: 2

      I have a few problems with your post:

      1) you seem to have a double standard: on one side you want people to recognize your electronic signature but on the other side you are not prepared to receive electronic confirmations of stuff you signed. Odd.

      2) You use a very primitive email reader (one that only displays ASCII). While this is probably good enough for most applications, the majority of users use a more advanced mail client (one that allows HTML layout). So from my point of view you're blocking progress by demanding that everything sent to you is in ancient ASCII. Really, if HTML is such a big problem to you, use an email client with lynx embedded (if it doesn't exist you may develop it yourself) or something, but don't bother the rest of the world with whining that you can't read HTML.

      That's the part I disagreed with. I do agree with you that this way of notifying leaves too much room for abuse by bigger companies. Email is rather popular these days but many people still don't check their email on a daily or even weekly basis.

      Also I have a big doubt about the type of encryption used for the signatures. I don't like the idea that somebody can crack the encrypted signature and can start using my signature. And that is something that is going to happen if they use 56 bit encryption.

      --

      Jilles
  2. A bad thing, or merely ignorance? by Christopher+B.+Brown · · Score: 3

    Note that it is quite possible that a particular bill might have wording that would make it downright harmful even though it may provide legal support for our favorite technology.

    On the one hand, the US President has consistently opposed legislation to promote the public use of stronger cryptographic tools. Based on that, one might be led to assume that opposition to digital signatures might be based on that opposition to public access to cryptography.

    On the other hand, there may be something about the bill in question that actually is bad.

    On the gripping hand, it could be worthwhile to have validation of the legality of signatures "set" cryptographically, even if this has some intermediate side-effect that is "bad for consumers."

    Does anybody have the actual text of the bill? It's rather difficult to evaluate the merits of completely-pre-digested press releases...

    --
    If you're not part of the solution, you're part of the precipitate.
    1. Re:A bad thing, or merely ignorance? by werdna · · Score: 2

      This bill does not require the use of crypto.

  3. Am I missing something? by jued0001 · · Score: 2
    According to the article, they're concerned that businesses will do such things as "end warranties" through e-mail, I guess. Then, according to others, that isn't allowed. If that's the case, why not pass the legislation?

    What I really don't get is how do you return something using this "system"? If everything is electronically generated, will we need to send an electronic receipt back before the return would be allowed. What will happen to paper receipts? Won't electronic receipts be fairly easy to doctor up?

    --
    Mello like the Yello, but without the fizz.
    I just wish I could c:\format Internet

  4. A few things... by Millennium · · Score: 2

    1) The bill appears to "exempt" some things from electronic delivery. Does this mean that companies don't have to send these things over E-mail, or that they must not (meaning, therefore, that they must continue to send them using more conventional means)? If it's the latter, then I don't see why this is so bad.

    2) The article talks about sending things in formats that people might not be able to read. That's what ASCII text is for. Warranties and such generally don't need anything in the way of special formatting. Perhaps that format should be required in the bill; it appears not to be.

    3) What the hell is wrong with the colors on this message? No offense to whoever's idea this was, but the usual green and white looks much better.

    Or is this a sign of user-configurable colors to come?

  5. Uh, oh by walnut · · Score: 2

    While this is progress, I'm not sure if this is progress forward (at least at this time). IMHO, this suffers from the same fundamental flaws as online voting:

    1. The general public does not understand the implications of sharing a password with a friend.
    2. Without forcing restrictions on the rights of the internet citizens as a whole (bad idea), it becomes extremely difficult to enforce violations of this (i.e. someone from some other country impersonates you).
    3. Script-kiddies ('nuff said)
    4. In reference to warranties: (I'm going out on a limb) The ability to alter/change electronic information after the fact, a-la "Rising Sun" (maybe a 1 1/2 star movie) may be easier for companies rather than deal with "problems".
    5. Sending things to people via a digital signature (as opposed to certified mail) relies on the receiver being able to keep a copy of it in case of a hard drive crash.
    5b. Windows (controlling over 80% of the market - mac included) Crashes - lots.

    Well, try not to tear it completely apart... but thats some of the flaws I see.

    --
    You say you want a revolution?
  6. I'm confused and I don't think I am the only one by Randy+Rathbun · · Score: 2

    Now, this thing says all these politicos and corp types are all fired up in supporting this, and they give a lot of reasons why - but where are the reasons from the consumer groups and the White House?

    Yes, I think digital signatures rule also - but before I run and call my congressman, I want to know what reasons the opponents are giving - just having sound bytes is not enough.

    In other words, this news story absolutely blows chunks...

  7. Is the technology defined? by bill_mcgonigle · · Score: 3


    Good digital signatures would be good. Bad digital signatures would be bad. This seems like common sense, but there are vendors out there claiming they have digital signaturing without even having some basic features, like non-repudiation.

    I use PGP for signing, but you've got no guarantee that I own the key with my name on it. Anyone can submit a key with any name to the public servers.

    I don't see this being feasible without a big agency to certify algorithms and issue keys reliably. Big agencies are bad, and artificially impose geographic limitations on the 'net.

    Otherwise you have to implicitly trust everybody, and then who cares about signatures?

    Someone needs to think of a better private solution.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Wake up Billy-Boy, it's 1999! by Fish+Man · · Score: 3

    Everyone knows that pen and ink signatures are easily forged. It isn't conceivable that electronic signatures would be any less secure or certain in this respect.

    When someone forges your pen and ink signature, the solution is to swear under oath before witnesses, that the forgery in question is indeed a false signature. The solution to a forged electronic signature would be the same.

    I really don't see a significant difference security or privacy-wise.

    For all the lip service that the White House pays to being pro-technology, it is so often obvious that they really don't have much of a clue.

    Remember, Al Gore invented the Internet! :-P

    Furthermore, anyone who is leery of electronic signatures has no obligation to use them. They can just use pen and ink signatures instead!

    This is an idea whose time has come. We're about to enter a new millennium for cryin' out loud! Bill Clinton endlessly reminds us of this fact. He needs to actually live it!

  9. Re: Opponents? by nero76 · · Score: 2

    It seems to me that (according to the article) the problem with this bill is that it actually does two things;

    1) Allows digital signatures as a substitute for written signatures if the consumer agrees.

    This is a positive step and is in line with the common sense expansion of the internet as digital signatures are much more reliable than written signatures if sufficient security is implemented.

    (See for example the Georgia Electronic Records and Signature Act 1997); and

    2) Allows electronic notification in certain circumstances when originally written notification was required.

    This is where difficulties arise as although (according to the article) some types of transactions are exempted, the worry is that Mr and Mrs Everybody will sign documents ("just sign here sir - no don't worry about the fine print") which allow them to be notified electronically instead of in writing or even overriding present protective legislation.

    It seems to me that according to the article, there was an attempt to remove 2) while keeping 1).

    This seems logical to me as no-one seems to have problems with the former, while the latter has some kinks (to say the least) that need to be ironed out.

    --
    soni bo da

  10. What do I think? by Signal+11 · · Score: 2
    I think that our government just made finding a way to easily factor primes alot more important.

    In other news *cough* unrelated news, a friend of mine has a program that uses a genetic algo to reverse-engineer formulas... which will be released under GPL once we get the client/server protocol stuff done (that's my job!) ala distributed.net. I'm rather hopeful that we'll be able to extract a factoring algo from it within several months' time. No, I don't have a link, no I won't release any info on it, and no, you can't have the source until the bloody thing works and we get a patent on it. =)

  11. Possible Problem: Protocols by Christopher+B.+Brown · · Score: 3
    The problem that may be a quite legitimate cause to reject the bill is if the bill merely requires using "hopefully secure signatures," but does not require that secure protocols be used for transmission.

    For instance, if an "end of warranty" notice is made legally binding merely because the company sending it used digital signatures, this is tremendously wrong, as it provides no mandate that said signature actually come to me, the one holding the product they're trying to end-of-life.

    In order for this to work, there needs to be some equivalent to a "two phase commit;" the signature is not valid until I respond back, indicating by sending a digitally signed response that signs their signature that I have received it.

    This sort of protocol is something banks doing transfers will doubtless be willing enough to set up; in order for it to be usable with consumers, some proxy that is able to manage the "sign-and-send-back" part is needed. The Post Office might be a good candidate; they have the infrastructure for not-dissimilar verification of receipt of mail that comes when you send something "registered."

    If the legislation doesn't offer such "secure protocols," then I would agree that it is a real bad idea. Of course, I don't know this; all that we are seeing is highly-predigested evaluations...

    --
    If you're not part of the solution, you're part of the precipitate.
    1. Re:Possible Problem: Protocols by MindStalker · · Score: 2

      all that we are seeing is highly-predigested evaluations...

      You're exactly right. I've almost lost my faith in the whole slashdot community over this whole thing. If you read the bill
      http://thomas.loc.gov search for h. 1572.
      You will read that all this bill does is set up a panel to investigate how to properly implement digital signatures, and then to require the federal government to accept them within a year. (Only requiring feds to accept.. not private companies/citizens) And sets up another panel for giving recommendations on creating a private digital signature legal framework no later than a year from now.
      THAT'S IT!
      The reason for all the commotion is that the Democratic party decided that instead of waiting till the panel came with its conclusions and then trying to form law around that, they needed to add an amendment to this bill to force the later laws to be changed in certain ways. So they veto it.. not even knowing what the eventual law is going to be. Anyways I already posted a comment quoting parts from the bill explaining this. But was a few hours late to stop the spread of this horrific FUD implemented by the opposition to this bill, and the mass media. :(

  12. This concerns me... by jd · · Score: 2
    Strong cryptography is being cracked down on, and may even become illegal for residents IN the US. At the same time, "digital signatures" are now legally recognised.

    With no means of carrying out strong authentication on a signature, or strongly binding the signature to whatever is being transmitted, it would be impossible to verify if the signature is genuine.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  13. Neither Novel, Good Nor Bad by werdna · · Score: 2

    A copy of the House Bill is available on-line.

    Electronic signatures are almost certainly "valid" (that is, legally enforceable as signatures) under the common law of every state (except perhaps, Georgia, which has some renegade case law regarding facsimile transmissions), just as signatures using other non-pen-to-paper technologies have been for centuries. The Statute of Frauds has not, for example, excluded typewritten or telex printing of names, shaved initials on the hide of a cow, impressions of a footprint cast in sand, and so forth. This legislation is not necessary, but it is helpful for a conservative lawyer to be able to rely on statutory law rather than inviting their client to be the first one to litigate these new fact patterns.

    In short, the law does not require more than a physical fixation of an intent to authenticate -- a ceremony if you will. A signature does not need to be non-repudiable to be valid -- I could mark "Mickey Mouse" or "X" at the end of a document and be bound, if it can be shown that I intended to authenticate the document when I made the markings.

    On the other hand, good commercial sense ordinarily precludes the use of or the accepting of such "alternative" signatures, even if they are legal, for the simple reason that they create tremendous difficulties in proving authentication when push comes to shove.

    The decision to accept an "X" from a literate contractor when closing a deal involving zillions of dollars would be foolish, and we would ordinarily ask them, politely, to sign the document by writing their name. When a shaved cow is offered, in anticipation of the difficulties of getting the critter into the courthouse -- we smile, thank them, and offer them our pen instead.

    It's all about choice. The question is, who shall make the choice whether we use ink, pen-on-paper, crypto or typewriters: the individuals using the signatures, or the government?

    Two distinct views are prevalent in state electronic signature legislation: a minimalist statute that simply says that electronic writings are writings and manifestations of authentication of the writings are signed writings, leaving it to the market to decide (such as Florida's Electronic Signature Act); and more protective bills, which only validate signatures using certain technologies, such as asymmetric encryption (Utah).

    The bill passed by Congress is a minimalist bill, like Florida's (apparently patterned after the present draft of the Uniform Electronic Transactions Act). It is neither good nor evil, IMHO, but can be very helpful for encouraging certain types of transactions.

    TRUE, it makes an e-mail of the form:

    Bob, I agree to buy 100 widgets at $500/widget, FOB TAMPA -- ship immediately. /S/ Alice

    a valid memorandum for statute of frauds purposes (the statute of frauds requires signed writings memorializing certain kinds of contracts as a precondition to their enforceability). But so what? That is almost certainly already the law anyway!

    Whether Bob or Alice would agree to do business in that manner should be up to Bob and Alice. Of course Bob should be concerned that Alice might later repudiate the transmission, and must be concerned about how he can "prove up" (should it be necessary) the signature in court. On the other hand, who should make the choice as to what technology, if any, Bob should accept, Bob or the government?

  14. Let's educate ourselves on this. by kickahaota · · Score: 3

    Rather than speculate about what this bill will or won't do, let's take the time to read it for ourselves. Like all the other bills working their way through Congress, the text of this bill is available at the Library of Congress' THOMAS server. Here's the full text of the bill; that link may or may not work when you read this, since the URLs on THOMAS do have a habit of changing occasionally. If the link fails, then go to THOMAS' home page, type "HR 1714" in the 'Search by Bill Number' box at the top of the page, and do the search. In the list of bills that appears, choose 'HR 1714 EH'; that's the current version, at least as I'm writing this.

    A few personal comments after reading the bill:

    • Like many other Congressional bills, this one contains lots of contradictory paragraphs and "Notwithstanding paragraph b..."; it takes a very careful reading to figure out what it does and doesn't do, and I'm personally still not sure I've got it figured out. This alone gives me reason to distrust it.
    • In order for an electronic document to satisfy a requirement that a consumer be informed of something in writing, the consumer must first be informed that electronic notification may be used, and the consumer must agree to that "by means of a consent that is conspicuous and visually separate from other terms". Furthermore, the consumer can withdraw consent at any time. This doesn't seem bad to me.
    • A consumer is still allowed to claim that notification was never given or that an electronic signature isn't the consumer's, just as a consumer can claim that a document was never mailed or that a physical signature is a forgery.
    • States are allowed to pass laws modifying the use of electronic signatures within their states; however, there are restrictions on their ability to do that, and those restrictions seem extremely muddy to me. Lots of potential for arguments and Supreme Court action here.
    • If a notification is "necessary for the protection of the public health or safety of consumers", then the notification cannot be only electronic, even if the consumer has consented.
    • A will still cannot be electronic. Those probate lawyers are a conservative bunch, I guess.
    • Court orders and notices still can't be electronic. All those lawyers are a conservative bunch.
    • Notices about the cancellation of utility service, foreclosure of a home, or cancellation of health or life insurance can't be electronic-only.

    Overall, I wish that it were written more clearly, but it doesn't seem onerous to me.

  15. OT: colors by Brian+Knotts · · Score: 2
    3) What the hell is wrong with the colors on this message? No offense to whosever idea this was, but the usual green and white looks much better.

    I think this is the color scheme for the "Your Rights Online" subsection that this article belongs to. It has its own color scheme, like "Ask Slashdot" does.

    I agree; the colors don't fit. Especially with the green/white Slashdot logo at the top.

    --
    Interested in XFMail? New XFMail home page

  16. Choice, Security, & the Other Part of the Bill by Valdrax · · Score: 2

    I disagree with your assertion that we will have the choice not to use them. In five or so years, it is easily conceivable that some businesses will only take digital signatures since, as you say, they are supposedly harder to forge than pen & paper signatures. I can see certain credit card companies, insurance companies, and e-commerce companies doing this.

    You say that digital signatures are harder to forge, but we have all seen article after article on Slashdot talking about breaking crypto. How long until your digital signature is cracked? Someone can simply keep a bunch of signatures that they've snooped on file until such time as they can crack them and then use them freely. Remember, digital data can be perfectly copied without errors. Your signature may be "forged" perfectly without any evidence that it is not genuinely your signature. There will be no more court experts in forgery to save you.

    What the President and consumer advocates object to, however, is not this whole issue about the signatures themselves. It's the provisions that certain kinds of notification which must currently be delivered to you in writing will be able to be delivered to you electronically. This means that some people will not be able to get that notification and are no longer protected by getting it in writing. This is what some parts of the industry want and what consumer advocates are all against.

    There's a quick little sanity check I do on any of these articles when I hear about them. When businesses are all over a bill and consumer advocates are against it, it usually means that we're about to get screwed if it passes. Always find out why. Bills in Congress almost never involve just one thing. They always let a law that only certain special interests want ride on the back of a law everyone wants so get it passed since it wouldn't be passed normally. It's an attempt to get another law in favor of big business passed with a law that helps everybody.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  17. Where I think the system breaks down by Just+Some+Guy · · Score: 3

    There's at least one critical point where esignatures are different from their real-life counterpart:

    Everyone over the age of five has a real-life signature.

    Let me explain why this is a problem by providing a true analogy.

    A certain bank (who shall remain nameless) has a pretty nice online banking setup. The hole, though, is in their online signup procedure. How do you prove that you are indeed you? You simply provide your social security number, one of your account numbers (it doesn't matter which one), and your bank card number. For those of you less paranoid than myself:

    • A lot of people have their SSN printed on their checks for convenience, so if someone writes you a check, then you have two of the three required identifiers.
    • If they happen to also pay you with a bank card, then voila, you're three-for-three.

    Think of all the places where people are likely to have used both checks and check cards, such as grocery stores they frequent, motels they're staying at, etc. Now, think of how much the employees who handle your financial information actually get paid. Nervous yet? Good!

    Here's the fun part: once J. Random Minimum-Wage has all three of your identifiers, they can do you the additional service of setting up your online banking for you. Keen, huh?

    Until the day you decide to take the leap and start using the service yourself, your accounts are compromised, and you've never noticed.

    To tie this in to the topic at hand, I wonder what sort of proof you'll have to offer to establish an esignature? If I decide that it's pretty likely that you'll never use yours, what's going to stop me from setting it up for you?

    Now, multiply this scenario by the number of people who don't have the slightest contact with computers, and I think we might have a problem.

    Did you think that "The Net" was creepy? Wait until I create the esignature you never bothered with and use it to sign for a few credit cards.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:Where I think the system breaks down by Just+Some+Guy · · Score: 2

      After applying for access, I received a temporary PIN code via snail mail to use on first connection (along with account number, etc.).

      I wouldn't have any problems with that, aside from the possibility of someone watching my mailbox for the letter (and that's a little too paranoid even for me). However, this bank doesn't work like that. After submitting the information, you're asked to create an 8-digit numeric ID, and then a password. After that there is no additional authentication.

      --
      Dewey, what part of this looks like authorities should be involved?
  18. THE TRUTH! by MindStalker · · Score: 3

    http://thomas.loc.gov/cgi-bin/query/D?c106:1:./temp/~c106rV3Xiy::

    Text of the bill that deals with private transactions (the rest of it deals with the federal government accepting digital signatures, which is exactly the same wording .. read it for yourself anyway)


    SEC. 7. NATIONAL POLICY PANEL FOR DIGITAL SIGNATURES.

    (a) ESTABLISHMENT- Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws establishing digital signature infrastructures, and representative individuals from the interested public.
    (b) RESPONSIBILITIES- The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards to enable the widespread availability and use of digital signature systems. The Panel shall develop--
    (1) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates;
    (2) standards to ensure consistency among jurisdictions that license certification authorities; and
    (3) audit standards for certification authorities.
    (c) COORDINATION- The Panel shall coordinate its efforts with those of the Director under section 3.
    (d) ADMINISTRATIVE SUPPORT- The Under Secretary shall provide administrative support to enable the Panel to carry out its responsibilities.
    (e) REPORT- Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel.


    All this does is create a panel to investigate, and start their recommendations within a year. Sounds like the opposition just sees that there is a potential for problems as described and wants to specifically make it illegal for those provisions to happen. But the whole thing isn't even formed yet!!

  19. Re:I dont know about you but... by Zoltar · · Score: 2

    Well.. there is nothing wrong with being careful, but you are at a bigger risk when you give your credit card to a waiter/waitress at your favorite restaurant than when you send it encrypted over the net.

  20. Has everyone forgotten? by Anonymous Coward · · Score: 2

    That it has NOT been proven that current methods of cryptography cannot be 'cracked' in less than exponential time? What happens when our entire infrastructure is based on this mathematical ignorance and we finally figure out how to factor large numbers in linear or even constant time? The fact that almost no one knows this (I've never seen it mentioned anywhere except number theory books) means that society is absolutely not prepared to be 'wired.' I'm worried.

  21. Re:Either Way by Overt+Coward · · Score: 3
    I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.

    A "digital signature" in a PKI system is actually an encrypted hash of the message, along with timestamp info. With a good PKI system, such as PGP, it is improbable enough to be considered impossible to create a substitute message that will generate a duplicate hash result. Therefore, if the message is altered in any way (intentionally or not), the signature check will fail due to the modified hash result.

    The PGP manuals are an excellent source of information not just on PGP, but on cryptography in general and PKI systems in particular.
    --
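    The hash-then-sign flow described in the comment above, as an added example that is not part of any comment in this thread: the document and a timestamp are digested with SHA-256 and the digest is signed with an ECDSA P-256 key from Go's standard library (the key type, the sample contract text and the timestamp format are this example's own choices, not anything from the thread or the bill).

    ```go
    package main

    import (
    	"crypto/ecdsa"
    	"crypto/elliptic"
    	"crypto/rand"
    	"crypto/sha256"
    )

    // payload binds the document bytes to the signing time, so neither can change without changing the digest.
    func payload(doc []byte, signedAt string) []byte {
    	return append(append([]byte{}, doc...), []byte("\nsigned-at: "+signedAt)...)
    }

    // SignDocument digests the document plus timestamp with SHA-256 and signs
    // the digest with the signer's ECDSA (P-256) private key.
    func SignDocument(priv *ecdsa.PrivateKey, doc []byte, signedAt string) ([]byte, error) {
    	digest := sha256.Sum256(payload(doc, signedAt))
    	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
    }

    // VerifyDocument recomputes the digest over what the verifier actually
    // received and checks it against the signature with the signer's public key.
    func VerifyDocument(pub *ecdsa.PublicKey, doc []byte, signedAt string, sig []byte) bool {
    	digest := sha256.Sum256(payload(doc, signedAt))
    	return ecdsa.VerifyASN1(pub, digest[:], sig)
    }

    // TamperDemo signs a constructed contract and reports whether verification
    // holds for the untouched document, for a body altered after signing, and
    // for the original body presented with a different timestamp.
    func TamperDemo() (original, altered, retimed bool, err error) {
    	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    	if err != nil {
    		return
    	}
    	contract := []byte("Card agreement: interest rate 13%") // constructed sample
    	ts := "2000-06-14T12:00:00Z"                          // constructed sample
    	sig, err := SignDocument(priv, contract, ts)
    	if err != nil {
    		return
    	}
    	pub := &priv.PublicKey
    	original = VerifyDocument(pub, contract, ts, sig)
    	altered = VerifyDocument(pub, []byte("Card agreement: interest rate 23%"), ts, sig)
    	retimed = VerifyDocument(pub, contract, "2000-06-15T12:00:00Z", sig)
    	return
    }
    ```

    Only the untouched document verifies; a one-character change to the body or to the timestamp yields a different digest and the check fails.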

  22. yeah, but how safe is you squiggle? by Hobbex · · Score: 2


    In general I think that opposition to digital signatures is the harmful kind of technophobia. It seems that people are ready to read a million problems into the system of signature when computers are involved, but at the same time they are completely comfortable with a system where you authenticate yourself by drawing a squiggle?

    From a security engineer's perspective, conventional signatures are insane. They are easy to fake, even easier to get around (how many cashiers even check for a signature on your ID? how many are trained in handwriting recognition? how hard is it to fake an ID? How hard is it to leave a space open on a contract and then print another clause onto it?) The fact that I can be accused of having signed something just because somebody could draw a squiggle like mine: now that is a rights violation if you ask me.

    Yes, there is reason for healthy skepticism on any system like this, after all the American government has a bad track record with both crypto and consumer rights. But DSA signatures have stood up until now, and there is little reason to believe they will be broken (they work a lot like other asymmetric cryptos). As a whole however, a truly functional system for digital signatures is an amazing blessing: a way to be truly, mathematically, sure that nobody can fake your signature.

    I think that in the foreseeable future, people will think we were insane in basing our entire legal system on a bunch of squiggles...

    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

  23. Looking At Real Legislation- YES! by Christopher+B.+Brown · · Score: 2
    Aside: The URL that you gave to the legislation has indeed already expired; someone ought to determine something more precise that invokes the CGI query mechanism. My first draft doesn't quite work; perhaps someone else can suggest better...

    Thank you very much for referencing the real legislation; this is a vastly superior thing to discuss than mere commentaries on journalistic commentaries.

    It appears to me that there may need to be a clearer "Opt Out" mechanism; aside from that, the fact that the bill expects that parties

    should be permitted to determine the appropriate authentication technologies and implementation models for their transactions
    implies (as does other parts of the wording) that both parties to a transaction need to be involved in this determination.

    There perhaps needs to be some allowance for there being a period of time during which people don't fully understand the implications of this, and some coherent method for repudiation of such agreement, perhaps modelled after the manner in which consumers are permitted to reject certain sorts of transactions from door-to-door salescritters if cancellation is done in some specified period of time...

    --
    If you're not part of the solution, you're part of the precipitate.
  24. If this were 1776 by gad_zuki! · · Score: 2

    John Hancock's digital sig would be 8 megabytes big...

    Couldn't resist.

  25. "It's computerised, so it couldn't be forged!" by Chris+Johnson · · Score: 2

    "...so forget about swearing that it's a false signature- there's no such thing as a false digital signature!"
    "...or email viruses, and anyway as long as you don't open attachments and are sure to use the latest software, you're absolutely safe..."

    Sorry man: I don't trust you or your argument. You're drunk on technology, which is great, but it's blinding you, and that's not great. I'm still stubbornly in favor of keeping as many sanity checks and old technologies effective as I can. I use plaintext email and news. I write receipts for computer repair I do on carbon paper receipt pads and have a set of file folders with all my papers organised by year and quarter. I write checks on paper, and sign them with my laborious signature. I _hate_ writing with a pen, always did, but I'm not gonna give it up for you. My checks, for instance, have certain common features all my own- if I draw a slash there is _never_ a 35/100 on it as if it were a fraction, and my signature uses some print characters rather than cursive characters. If I was to use digital signatures I'd be buying them pre-made- probably from Microsoft, as they'd try to kill everyone else in the area. Sorry, no way. I may be a programmer, I may be a geek, I may be totally 'wired' but that doesn't make me a _fscking_ _idiot_.

  26. Simple. by Chris+Johnson · · Score: 2
    "To better serve your needs our ordering is going 100% online. To serve the needs of computerless customers we've established computer terminals in all our major service locations and most of the minor ones, which can be used for an inexpensive 20 dollars an hour. Customers with their own Internet access can log on to our site securely for only 10 dollars a transaction, where they can place orders and read any news of retroactively amended contracts or cancellations. This is much more immediate than postal mail, plus FOR FREE we will send email alerting customers of such changes, email like the following:
    Hi! We have changed one of your contracts. This email announcement is entirely free. To read the changes for the low low fee of 10$, please click on the following link- Tell me more about the changes in my contracts! Thank you for being one of our most valued customers!

    Thank you for being one of our most valued customers! DigSigSecurityCode: HKJGHJ77867B5BMBNBHF56786876GGFNDRFGUH5745V"
  27. Re:Here's the difference: by Wah · · Score: 2

    Agreed, the danger of a forged digital signature is much greater than a normal one. Now the forger can have Total access to everything you own and all your info, all your cash, medical records, credit reports, transcripts, etc. AND they can all be accessed and stolen remotely, so even if they are "caught" you'll never see them face to face.

    To put it in catastrophic terms: say Bob the Cracker figures out how to crack the sigs, and then loots thousands or even millions of people's life earnings from a desert island. All the while canceling insurance, selling your house, and basically making it look like somebody moving to a desert island.

    The simple hassle of settling the whole thing increases greatly when you have the absolute remote access capability that a digital signature can offer.

    --
    +&x
  28. Re:Georgia by werdna · · Score: 2

    I believe this is correct. A decision the year before last (in a case called Norton, or the like), held that a facsimile transmission was not a "writing." This largely provoked the adoption of the new bill.

    I agree that a statute providing that any electronic signature constitutes notice to a would-be recipient would be unconscionable, inviting all sorts of foul conduct. I saw little in this bill to do that -- to the contrary, all it provides is that the electronic writing wouldn't FAIL TO BE NOTICE, just because it was electronic.

    I actually think the solution is to state that notice must be accomplished in such manner as to ACTUALLY OR REASONABLY BE CALCULATED TO GIVE NOTICE, rather than quibble about the technology used to do so -- which will change over time. If an obscure means is treated as a notice, whether paper or otherwise (for example, as fine print hidden in a document purporting to be junk mail selling magazines), it is not treated as notice, notwithstanding the fact that it is most assuredly a writing.

    Why should electronic instruments be any different? If a reasonable person in the place of the consumer (or if it's consumer protection legislation, like insurance), then a reasonable idiot in the place of the consumer would consider they had notice, why does it matter if it arrived by e-mail? Likewise, if the manner used was sneaky, regardless how it was given, why does it matter whether it was in writing?

    If a person uses e-mail for every interaction in his or her life, and receives an e-mail, reads it and actually got notice, why should she be able to rely upon a technical defense of the "non-writingness" of the e-mail? Why should it matter for these purposes whether the notice used digisigs?

  29. Re:Supporters=Microsoft! EULA is now legally bindi by werdna · · Score: 2

    Clickwraps (as opposed to mere shrinkwraps) are fairly well-established as binding, but I doubt that a click would be a signature. On the other hand, typing "OK" WOULD constitute a signature.

    This is also the law in almost every jurisdiction today anyway. Further, no writing would be required for many license provisions in any case -- the statute of frauds may not apply, particularly if the package price is less than $500.00.

  30. Re:A few answers . . . by werdna · · Score: 2

    (1) unclear, it would depend upon state law and common law development for each excluded arena. Most state laws governing wills require them to be executed at a face-to-face ceremony, regardless how the document is executed, so most e-mail transactions would fail. Other laws require "writings" (as opposed to "signatures"), and local state law would determine whether an electronic instrument is a writing, even if it is "signed."

    In short, a lawyer's answer: it depends.

    (2) unlikely, and probably an unfair interpretation of the statute or its consequences.

    (3) I am on the fence on these subtle religious points.

  31. These problems are also true of written signatures by werdna · · Score: 2

    First, common law has recognized typewritten and telex signatures for years. (As well as shaven cows, for that matter).

    Pen-and-ink signatures cannot be strongly authenticated, or strongly bind the signature to whatever is being transmitted (indeed, forging and lifting paper signatures is a trivial exercise).

    While I cannot argue with the proposition that asymmetrical encryption is clearly superior, done right, to pen-and-ink signatures, this does not render electronic documents not asymmetrically encrypted inferior TO PEN-AND-INK signatures (or X-marking, cow shaving, foot casting and other bizarre but legally valid signatures).