PC Magazine from ZDWire
Copyright (c) 2000 ZD Inc. All Rights Reserved.
The Electronic Signatures Act (E-Sign), signed into law by President
Clinton on June 30 and effective as of October 1, has received much
fanfare but little clear and accurate explanation. Most people know they
can now sign a mortgage agreement and other contracts online but don't
know what this means in practical terms. Are electronic signatures safe?
How do they work?
E-Sign says nothing at all about how electronic signatures should
work on a technical level; the law just says that the legal
effectiveness cannot be denied solely because a signature is electronic.
The act does not say how to implement the technology, just that you can.
The law's technological neutrality is deliberate, not an omission to
be filled in at a later time. In fact, E-Sign bars states from passing
laws that require or favor the use of specific technologies, and neither
federal nor state governments may issue regulations requiring specific
technologies. Working out the implementation details is left to the
marketplace. This approach allows for the use of future developments
that may fill the need even better than existing technologies.
The law does have some serious weaknesses, however. Electronic
signatures aren't required to accomplish the same functional goals as
wet ink signatures. No standards were set for the technology to be used.
And with the exception of transferable records--loans secured by real
property--E-Sign also fails to require that an electronic signature be
unique to the signer, demonstrably executed by the signer, and logically
connected to a document in such a way that changes after signing can be
detected. These gaps can be filled in at the state level, but one can
argue that the basic requirements should have been written into the
federal law. There are also some gaps in consumer protection provisions.
The full text of the law is available on the Web at
The definitions section of E-Sign states that an electronic signature
is "an electronic sound, symbol, or process, attached to or logically
associated with a contract or other record and executed or adopted by a
person with the intent to sign the record." Some commentators have taken
this definition out of context, saying that you can interpret virtually
any electronic sound, symbol, or process as an electronic signature,
regardless of context. This is not true. The law does not specify the
technology to be used but does detail the terms and circumstances
governing the use of electronic signatures.
The electronic signing of documents implies that the documents
themselves are in an electronic form. Much of the law concerns the
electronic records (contracts and notifications) and when they are legal
to use. There are extensive consumer disclosure requirements. Consumers
must explicitly consent to the use of electronic records, and have the
right to withdraw this consent. If there are penalties for the
withdrawal of consent (for example, to cover the higher cost of paper
records), these must be specified in advance. Furthermore, a company
cannot use electronic means to satisfy a legal requirement to provide
information in writing if the consumer does not have access to the
requisite hardware and software, or does not know how to use a computer.
The company (or other legal entity) providing the electronic record must
obtain demonstrative proof that the consumer can access information in
the electronic form that will be used in the agreement.
Unfortunately, this requirement is weakened in other parts of the
legislation. Legal effectiveness cannot be denied solely because of a
company's failure to obtain proof of consumer access. Also, the federal
government reserves the right to grant exemptions from the consumer
disclosure requirements if this will "eliminate a substantial burden on
electronic commerce and will not increase the material risk of harm to
consumers." So the possibility of a consumer entering into a legally
binding electronic agreement without having the means to read the
agreement does exist.
Electronic notifications are prohibited in certain critical areas,
including those involving wills, adoption, divorce, court orders,
documents accompanying the transportation of hazardous materials,
product recalls, cancellation of utilities such as water, heat, or
power, and cancellation of health or life insurance. Legislators will
evaluate these exceptions during the first three years the law is in
effect to determine if they are necessary.
Also, E-Sign specifically excludes recorded oral communication as an
electronic record. Pushing a button on your phone keypad to indicate
agreement with a telemarketer's spiel is not considered a contract.
The most serious deficiency in E-Sign is the failure to require that
electronic signatures match wet ink signatures in functional
characteristics. Back in 1996, the American Bar Association published a
detailed analysis of the legal ramifications of electronic signatures,
with some specific recommendations for implementation. The document,
titled Digital Signature Guidelines, is available at
www.abanet.org/scitech/ec/isc/dsgfree.html. The treatise starts with an
analysis of the functional characteristics of a traditional signature,
and then looks at how to implement these same characteristics
In legal terms, a signature serves four general purposes: evidence,
ceremony, approval, and efficiency. A signature's uniqueness is evidence
that a particular individual was the signer. The act of signing a
document--the ceremony--calls the signer's attention to the legal
significance of the act; you can't sign something by accident or by
default (by not taking an action). The signature itself indicates the
signer's endorsement or approval of the information in the document--a
contract or a check, for example. Finally, a signature indicates that
the signer has fully reviewed and accepted the facts, and they can be
taken at face value. This allows efficient handling and transfer of the
Electronic signatures should accomplish these same goals. In fact,
electronic signatures have the capacity to surpass wet ink signatures.
With biometric techniques such as dynamic signature recognition,
forgeries become virtually impossible. The use of a digest--a value that
works like a checksum and is calculated from the contents of an entire
document--can ensure that a legal paper remains unaltered, once signed.
The digest takes up much less space than the complete document, but even
the smallest change in the document will result in a change in the
E-Sign does not, however, require that electronic signatures meet
these standards except in the case of transferable records--loans
secured by real property. If you are obtaining a mortgage
electronically, the signature must be demonstrably unique to the signer,
in the control of the signer, and attached to the document in such a way
that changes to the document after signing are clearly evident. For
electronic records that don't involve transferable real property, there
are no such requirements.
The law also fails to require electronic signatures to protect
against fraud. Virtually all the products available today do use
technologies that provide security and safety, but companies doing
business electronically may choose not to use such precautions. A
consumer has no assurance that the electronic signature system used by a
company meets even minimal standards for protection against fraud.
Should fraud occur, the consumer will find no protection under the
law. The burden to prove the deception lies with the customer, and there
are no limits on liability. Contrast this with the law governing credit
cards. Disputed charges are immediately removed from the purchaser's
bill pending investigation by the credit card issuer. And the cap on
consumer liability for charges to a stolen card is $50 if the cardholder
reports the theft.
E-Sign was not the first law passed that allowed electronic
signatures. At the time E-Sign was enacted, 46 states and numerous
foreign countries already had similar laws. Because of this, the
industry was ready to hit the ground running.
The most common technology used for electronic signatures is the
digital signature. Many vendors use this approach. E-Lock Technologies
(www.elock.com) is one example. To create a digital signature, the
document content is condensed into a unique digest, which is then
encrypted. The digital signature--this encrypted digest--is then
permanently attached to the document. As noted earlier, because even
tiny changes will result in a different digest, the digest allows you to
verify that the document has remained unaltered. The special key used
for encryption can authenticate the identity of the signer.
To provide verification you must decrypt the signature. Transmission
of an encryption key is inherently insecure, so digital signatures use
dual-key encryption, also called public key infrastructure (PKI)
technology. PKI uses two keys--one public, one private. The public key
is stored in a widely accessible database similar to an electronic
telephone directory. The private key is stored on the signer's computer,
and can only be accessed with a password. The public key can decrypt any
document encrypted with the private key, and vice versa. The two keys
are mathematically related, but you cannot derive the private key from
the public key.
The private key uniquely identifies the signer and is in that
person's sole control, as long as the media isn't stolen and the
password remains private. The danger that password and private key file
theft presents is the weakest element with digital signatures. If a
password or private key is stolen, the "forgery" is perfect. A consumer
whose identity is appropriated in this way will have a hard time proving
any unauthorized use.
Using dual-key encryption, you can also create a document that only
the specified recipient can read. The sender encrypts the message with
the public key of the recipient, who uses the appropriate private key to
decrypt the contents. (PKI technology is also used in S/MIME, a secure
e-mail standard.) The technology works but has not received broad
consumer acceptance because people tend to find the process confusing
and difficult to use.
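The digest, signing, verification and recipient-only encryption steps described above can be carried out end to end with nothing but Go's standard library. The following program is an added example written for this article; it is not code from the article, from E-Lock Technologies, or from any other vendor named here. The sample contract text is constructed, the keys are generated in memory for the run, and RSA with SHA-256 is assumed as the signature scheme (the article does not name one). It shows that a one-word change to the signed document makes verification fail, which is exactly the tamper indication the article describes, and that a message sealed with the recipient's public key opens only with the matching private key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Document is a constructed sample contract, not a real agreement.
var Document = []byte("Mortgage agreement: borrower agrees to repay $250,000 over 30 years.")

// NewKeyPair generates an RSA key pair. The private half corresponds to the
// key the article says lives on the signer's computer; the public half is the
// one that would be published in a directory.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Digest condenses the whole document into a fixed-size SHA-256 value, the
// "checksum-like" digest the article describes.
func Digest(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// Sign produces the digital signature: the digest processed with the signer's
// private key (RSA PKCS#1 v1.5 is assumed here).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(doc))
}

// Verify recomputes the digest from the document as received and checks it
// against the signature with the signer's public key. Any change to the
// document after signing, or a signature made under a different key, fails.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(doc), sig) == nil
}

// Seal encrypts a short message so that only the holder of the matching
// private key can read it (RSA-OAEP). Messages longer than the key allows
// would be handled by sealing a symmetric key instead.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Open decrypts a sealed message with the recipient's private key.
func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Demo runs the full exchange and reports three results: the untouched
// document verifies, the tampered document is detected, and a sealed
// message round-trips only through the recipient's private key.
func Demo() (signatureValid, tamperDetected, confidentialityOK bool, err error) {
	signer, err := NewKeyPair()
	if err != nil {
		return false, false, false, err
	}
	sig, err := Sign(signer, Document)
	if err != nil {
		return false, false, false, err
	}
	signatureValid = Verify(&signer.PublicKey, Document, sig)

	// A single altered term after signing must be caught.
	tampered := bytes.Replace(Document, []byte("30 years"), []byte("40 years"), 1)
	tamperDetected = !Verify(&signer.PublicKey, tampered, sig)

	// Recipient-only readability: seal with the public key, open with the private.
	recipient, err := NewKeyPair()
	if err != nil {
		return false, false, false, err
	}
	ct, err := Seal(&recipient.PublicKey, Document)
	if err != nil {
		return false, false, false, err
	}
	pt, err := Open(recipient, ct)
	if err != nil {
		return false, false, false, err
	}
	confidentialityOK = bytes.Equal(pt, Document) && !bytes.Equal(ct, Document)
	return signatureValid, tamperDetected, confidentialityOK, nil
}

func main() {
	valid, tamper, conf, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampering detected: %v, sealed message round-trips: %v\n",
		valid, tamper, conf)
}
```

The verification step never needs the private key, which is why the signer can keep it under password on one machine while anyone holding the directory copy of the public key can check the signature; the flip side, as the article notes next, is that whoever obtains that private key can produce signatures indistinguishable from the owner's.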
To make digital signatures more familiar and appealing, one company
has added a signature bitmap to the mixture. OnSign.com, an internal
start-up company owned by Silanis Technology, is distributing OnSign
software for free, online. There are two versions: one for Microsoft
Word 97 and 2000, and one for Outlook 98, Outlook 2000, and Outlook
Express 5 or later. The underlying technology uses digital signatures,
but a bitmap of a traditional signature is also affixed to the document.
If the document changes after signing, a red circle enclosing a diagonal
line appears over the signature to indicate tampering.
A number of E-Sign critics complain that the law not only fails to
require digital signature technology, which many consider the preferred
technology, but also prohibits states from enacting laws that require
digital signature technology. But digital signatures are not the only
approach to personal authentication--and may not be the most reliable.
Two other personal authentication technologies are in use today. One,
the smart card, looks like a credit card and contains circuitry that
encodes personal information and handles password protection. When
inserted into a specially equipped computer, a smart card can establish
the user's identity. One company offering the technology is CyberSafe
(www.cybersafe.com). The main problem with smart cards is that, as with
private encryption keys, they're subject to theft.
Biometrics--electronic recognition of personal
characteristics--provides another approach to authentication. You can
forget or lose a password, encryption key, or smart card, but no one can
steal your signature, voice, fingerprints, or face. Dynamic signature
recognition is one biometric strategy. The technique is far more
sophisticated than a simple analysis of a finished signature. As a
person signs on a pressure-sensitive tablet, the software records
character shape, writing speed, stroke order, off-tablet motion, pen
pressure, and timing. These characteristics uniquely identify a person
and cannot be mimicked or stolen. Two companies offering dynamic
signature verification are Communication Intelligence Corp. (www.cic.com)
and Cyber-Sign (www.cybersign.com).
The early adopters of electronic signature technology are expected to
be banks and other financial institutions. Because banks deal with
transferable records, for which the requirements are more stringent,
these institutions will tend to use secure technologies that protect
against fraud. As the use of electronic signatures becomes more
widespread, however, the risk of fraud will increase. Consumers should
routinely ask for information about the technology they're asked to use
and the fraud protection provided. One hopes that Congress will enhance
the law governing electronic signatures to include standards for
electronic signature technology. As things stand, though, the burden of
determining whether an electronic transaction is safe falls on the