Slashdot Mirror


House Passes Digital Signature Bill

DrewMIT writes "Finally, 'electronic signatures' will have the same validity legislatively as ink signatures." It still needs to go through the Senate, and the White House has said it will veto it. The article is quite negative; it talks about how this will violate consumer rights, but all I can think is "It's about time." What do you think?

10 of 116 comments

  1. Ugh...more e-mail by wesmills · Score: 4

    The bill would also allow companies -- when consumers agree -- to deliver warranties, notices and other required disclosures in electronic form.

    This is absolutely what I *do* *not* want. I have a hard enough time as it is getting my CC company to follow the disclosure laws, and now they can just say "well, we sent it. your computer must've eaten the e-mail." As I read the bill, this would strengthen the corporation's rights of notification even beyond the standard you're-considered-notified-3-days-after-we-mail-this provision. I also note that me notifying them electronically is not addressed.

    This will suck, I believe. Just think, you get an electronic notification in a lovely HTML message (that you can't read on text readers), with a note up top in 5pt type "please see below for account information." If you do take the time to read it, you find that in 15 days, your interest rate skyrockets from 13 to 23%, your payments are due in 10 days after the bill, oh and we're going to sell every bit of data we have about you. You may cancel your card under the original terms by sending written notice, in triplicate, to the following address that is written in off-white/grey text on a white background.

    Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?

    --------------------

    1. Re:Ugh...more e-mail by MikeBabcock · Score: 3

      I don't know where you come from, but I've been begging companies to send me my information by E-mail instead of paper form for a long time now. Why should we live in an "almost paperless" society working with computers and generate paper to communicate all the time?

      I use electronic banking on the Internet to pay my bills and I shop online for books and movies as well. I don't like getting spam in my mail (physical) or in my E-mail, but the E-mail stuff is easier to delete ... and I don't have to take out the garbage afterward.

      And why, pray tell, do you think that the fine print will change on contracts just because they're sent electronically? Most people don't read the Xerox contract when they buy a new fax machine that states "New shall be defined as any new or used or remanufactured part that Xerox deems suitable for sale" ... I'd just rather have an electronic version of my warranties to file on floppy (or ZIP) than paper versions lying around somewhere.

      I hope other Slashdotters are with me on this one, or we're a bunch of digital hypocrites.

      - Michael T. Babcock <homepage>

      --
      - Michael T. Babcock (Yes, I blog)
  2. A bad thing, or merely ignorance? by Christopher B. Brown · Score: 3

    Note that it is quite possible that a particular bill might have wording that would make it downright harmful even though it may provide legal support for our favorite technology.

    On the one hand, the US President has consistently opposed legislation to promote the public use of stronger cryptographic tools. Based on that, one might be led to assume that opposition to digital signatures might be based on that opposition to public access to cryptography.

    On the other hand, there may be something about the bill in question that actually is bad.

    On the gripping hand, it could be worthwhile to have validation of the legality of signatures "set" cryptographically, even if this has some intermediate side-effect that is "bad for consumers."

    Does anybody have the actual text of the bill? It's rather difficult to evaluate the merits of completely-pre-digested press releases...

    --
    If you're not part of the solution, you're part of the precipitate.
  3. Is the technology defined? by bill_mcgonigle · Score: 3

    Good digital signatures would be good. Bad digital signatures would be bad. This seems like common sense, but there are vendors out there claiming they have digital signaturing without even having some basic features, like non-repudiation.

    I use PGP for signing, but you've got no guarantee that I own the key with my name on it. Anyone can submit a key with any name to the public servers.

    I don't see this being feasible without a big agency to certify algorithms and issue keys reliably. Big agencies are bad, and artificially impose geographic limitations on the 'net.

    Otherwise you have to implicitly trust everybody, and then who cares about signatures?

    Someone needs to think of a better private solution.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. Wake up Billy-Boy, it's 1999! by Fish Man · Score: 3

    Everyone knows that pen and ink signatures are easily forged. It isn't conceivable that electronic signatures would be any less secure or certain in this respect.

    When someone forges your pen and ink signature, the solution is to swear under oath before witnesses, that the forgery in question is indeed a false signature. The solution to a forged electronic signature would be the same.

    I really don't see a significant difference security or privacy-wise.

    For all the lip service that the White House plays to being pro-technology, it is so often obvious that they really don't have much of a clue.

    Remember, Al Gore invented the Internet! :-P

    Furthermore, anyone who was leery of electronic signatures has no obligation to use them. They can just use pen and ink signatures instead!

    This is an idea whose time has come. We're about to enter a new millennium for cryin' out loud! Bill Clinton endlessly reminds us of this fact. He needs to actually live it!

  5. Possible Problem: Protocols by Christopher B. Brown · Score: 3

    The problem that may be a quite legitimate cause to reject the bill is if the bill merely requires using "hopefully secure signatures," but does not require that secure protocols be used for transmission.

    For instance, if an "end of warranty" notice is made legally binding merely because the company sending it used digital signatures, this is tremendously wrong, as it provides no mandate that said signature actually come to me, the one holding the product they're trying to end-of-life.

    In order for this to work, there needs to be some equivalent to a "two phase commit;" the signature is not valid until I respond back, indicating by sending a digitally signed response that signs their signature that I have received it.

    This sort of protocol is something banks doing transfers will doubtless be willing enough to set up; in order for it to be usable with consumers, some proxy that is able to manage the "sign-and-send-back" part is needed. The Post Office might be a good candidate; they have the infrastructure for not-dissimilar verification of receipt of mail that comes when you send something "registered."

    If the legislation doesn't offer such "secure protocols," then I would agree that it is a real bad idea. Of course, I don't know this; all that we are seeing is highly-predigested evaluations...

    --
    If you're not part of the solution, you're part of the precipitate.
  6. Let's educate ourselves on this. by kickahaota · Score: 3

    Rather than speculate about what this bill will or won't do, let's take the time to read it for ourselves. Like all the other bills working their way through Congress, the text of this bill is available at the Library of Congress' THOMAS server. Here's the full text of the bill; that link may or may not work when you read this, since the URLs on THOMAS do have a habit of changing occasionally. If the link fails, then go to THOMAS' home page, type "HR 1714" in the 'Search by Bill Number' box at the top of the page, and do the search. In the list of bills that appears, choose 'HR 1714 EH'; that's the current version, at least as I'm writing this.

    A few personal comments after reading the bill:

    • Like many other Congressional bills, this one contains lots of contradictory paragraphs and "Notwithstanding paragraph b..."; it takes a very careful reading to figure out what it does and doesn't do, and I'm personally still not sure I've got it figured out. This alone gives me reason to distrust it.
    • In order for an electronic document to satisfy a requirement that a consumer be informed of something in writing, the consumer must first be informed that electronic notification may be used, and the consumer must agree to that "by means of a consent that is conspicuous and visually separate from other terms". Furthermore, the consumer can withdraw consent at any time. This doesn't seem bad to me.
    • A consumer is still allowed to claim that notification was never given or that an electronic signature isn't the consumer's, just as a consumer can claim that a document was never mailed or that a physical signature is a forgery.
    • States are allowed to pass laws modifying the use of electronic signatures within their states; however, there are restrictions on their ability to do that, and those restrictions seem extremely muddy to me. Lots of potential for arguments and Supreme Court action here.
    • If a notification is "necessary for the protection of the public health or safety of consumers", then the notification cannot be only electronic, even if the consumer has consented.
    • A will still cannot be electronic. Those probate lawyers are a conservative bunch, I guess.
    • Court orders and notices still can't be electronic. All those lawyers are a conservative bunch.
    • Notices about the cancellation of utility service, foreclosure of a home, or cancellation of health or life insurance can't be electronic-only.

    Overall, I wish that it were written more clearly, but it doesn't seem onerous to me.

  7. Where I think the system breaks down by Just Some Guy · Score: 3

    There's at least one critical point where esignatures are different from their real-life counterpart:

    Everyone over the age of five has a real-life signature.

    Let me explain why this is a problem by providing a true analogy.

    A certain bank (who shall remain nameless) has a pretty nice online banking setup. The hole, though, is in their online signup procedure. How do you prove that you are indeed you? You simply provide your social security number, one of your account numbers (it doesn't matter which one), and your bank card number. For those of you less paranoid than myself:

    • A lot of people have their SSN printed on their checks for convenience, so if someone writes you a check, then you have two of the three required identifiers.
    • If they happen to also pay you with a bank card, then voila, you're three-for-three.

    Think of all the places where people are likely to have used both checks and check cards, such as grocery stores they frequent, motels they're staying at, etc. Now, think of how much the employees who handle your financial information actually get paid. Nervous yet? Good!

    Here's the fun part: once J. Random Minimum-Wage has all three of your identifiers, they can do you the additional service of setting up your online banking for you. Keen, huh?

    Until the day you decide to take the leap and start using the service yourself, your accounts are compromised, and you've never noticed.

    To tie this in to the topic at hand, I wonder what sort of proof you'll have to offer to establish an esignature? If I decide that it's pretty likely that you'll never use yours, what's going to stop me from setting it up for you?

    Now, multiply this scenario by the number of people who don't have the slightest contact with computers, and I think we might have a problem.

    Did you think that "The Net" was creepy? Wait until I create the esignature you never bothered with and use it to sign for a few credit cards.

    --
    Dewey, what part of this looks like authorities should be involved?
  8. THE TRUTH! by MindStalker · Score: 3

    http://thomas.loc.gov/cgi-bin/query/D?c106:1:./temp/~c106rV3Xiy::

    Text of the bill that deals with private transactions (the rest of it deals with the federal government accepting digital signatures, which is exactly the same wording). Read it for yourself anyway.

    SEC. 7. NATIONAL POLICY PANEL FOR DIGITAL SIGNATURES.

    (a) ESTABLISHMENT- Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws establishing digital signature infrastructures, and representative individuals from the interested public.
    (b) RESPONSIBILITIES- The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards to enable the widespread availability and use of digital signature systems. The Panel shall develop--
    (1) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates;
    (2) standards to ensure consistency among jurisdictions that license certification authorities; and
    (3) audit standards for certification authorities.
    (c) COORDINATION- The Panel shall coordinate its efforts with those of the Director under section 3.
    (d) ADMINISTRATIVE SUPPORT- The Under Secretary shall provide administrative support to enable the Panel to carry out its responsibilities.
    (e) REPORT- Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel.

    All this does is create a panel to investigate and start its recommendations within a year. Sounds like the opposition just sees that there is a potential for problems as described and wants to specifically make it illegal for those provisions to happen. But the whole thing isn't even formed yet!!

  9. Re:Either Way by Overt Coward · Score: 3

    I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.

    A "digital signature" in a PKI system is actually an encrypted hash of the message, along with timestamp info. With a good PKI system, such as PGP, it is improbable enough to be considered impossible to create a substitute message that will generate a duplicate hash result. Therefore, if the message is altered in any way (intentionally or not), the signature check will fail due to the modified hash result.

    The PGP manuals are an excellent source of information not just on PGP, but on cryptography in general and PKI systems in particular.
    --
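The mechanics that comments 3, 5 and 9 argue over fit in a short program. What follows is an added example, not code from any poster and not PGP's code: it uses Ed25519 from Go's standard library to sign a SHA-256 digest of a notice, so any change to the notice makes verification fail (the "encrypted hash" point in comment 9); the recipient then countersigns the sender's signature as a receipt, the "sign-and-send-back" step proposed in comment 5; and every check is made against a pinned public key, which is exactly what a name on a public keyserver does not give you (comment 3). The key seeds, the "Acme Corp." notice text and the function names are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// KeyFromSeed derives an Ed25519 key pair from a fixed, constructed seed so
// the example is reproducible. Real keys come from ed25519.GenerateKey(nil),
// which reads crypto/rand.
func KeyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignNotice hashes the notice and signs the digest: the "signed hash" that
// comment 9 describes. (Ed25519 could equally sign the raw bytes.)
func SignNotice(priv ed25519.PrivateKey, notice []byte) []byte {
	digest := sha256.Sum256(notice)
	return ed25519.Sign(priv, digest[:])
}

// VerifyNotice recomputes the digest and checks the signature against the
// public key we trust for this sender. Any edit to the notice changes the
// digest, so the check fails; so does a signature made with any other key,
// whatever name that key's owner put on it.
func VerifyNotice(trusted ed25519.PublicKey, notice, sig []byte) bool {
	digest := sha256.Sum256(notice)
	return ed25519.Verify(trusted, digest[:], sig)
}

// Countersign is the recipient's receipt: a signature over the sender's
// signature, the second phase of the "two phase commit" in comment 5.
func Countersign(recipientPriv ed25519.PrivateKey, senderSig []byte) []byte {
	return ed25519.Sign(recipientPriv, senderSig)
}

// VerifyReceipt lets the sender confirm that this particular signed notice
// (identified by its signature) was acknowledged by the recipient's key.
func VerifyReceipt(recipientPub ed25519.PublicKey, senderSig, receipt []byte) bool {
	return ed25519.Verify(recipientPub, senderSig, receipt)
}

func main() {
	companyPub, companyPriv := KeyFromSeed("company")
	consumerPub, consumerPriv := KeyFromSeed("consumer")
	_, otherPriv := KeyFromSeed("some-other-key-named-acme") // not the pinned key

	notice := []byte("From: Acme Corp. Your warranty ends 2000-12-31.") // constructed
	sig := SignNotice(companyPriv, notice)
	fmt.Println("genuine notice verifies:        ", VerifyNotice(companyPub, notice, sig))

	tampered := []byte("From: Acme Corp. Your warranty ends 2000-01-31.")
	fmt.Println("tampered notice verifies:       ", VerifyNotice(companyPub, tampered, sig))

	otherSig := SignNotice(otherPriv, notice)
	fmt.Println("other key accepted as Acme:     ", VerifyNotice(companyPub, notice, otherSig))

	receipt := Countersign(consumerPriv, sig)
	fmt.Println("receipt matches this notice:    ", VerifyReceipt(consumerPub, sig, receipt))
	fmt.Println("receipt matches another notice: ", VerifyReceipt(consumerPub, otherSig, receipt))
}
```

Run it with `go run` and the first and fourth lines print true, the rest false. The receipt binds to the sender's signature rather than to the notice text, so the sender can prove which exact signed notice was acknowledged without the recipient having to re-sign the whole document.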