Electronic Signatures |
Sheryl Canter
12/18/2000 PC Magazine from ZDWire Copyright (c) 2000 ZD Inc. All Rights Reserved. The Electronic Signatures Act (E-Sign), signed into law by President Clinton on June 30 and effective as of October 1, has received much fanfare but little clear and accurate explanation. Most people know they can now sign a mortgage agreement and other contracts online but don't know what this means in practical terms. Are electronic signatures safe? How do they work? E-Sign says nothing at all about how electronic signatures should work on a technical level; the law just says that the legal effectiveness cannot be denied solely because a signature is electronic. The act does not say how to implement the technology, just that you can. The law's technological neutrality is deliberate, not an omission to be filled in at a later time. In fact, E-Sign bars states from passing laws that require or favor the use of specific technologies, and neither federal nor state governments may issue regulations requiring specific technologies. Working out the implementation details is left to the marketplace. This approach allows for the use of future developments that may fill the need even better than existing technologies. The law does have some serious weaknesses, however. Electronic signatures aren't required to accomplish the same functional goals as wet ink signatures. No standards were set for the technology to be used. And with the exception of transferable records--loans secured by real property--E-Sign also fails to require that an electronic signature be unique to the signer, demonstrably executed by the signer, and logically connected to a document in such a way that changes after signing can be detected. These gaps can be filled in at the state level, but one can argue that the basic requirements should have been written into the federal law. There are also some gaps in consumer protection provisions. The full text of the law is available on the Web at www.ecommerce.gov/ecomnews/ElectronicSignatures_s761.pdf. Consumer Protections The definitions section of E-Sign states that an electronic signature is "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." Some commentators have taken this definition out of context, saying that you can interpret virtually any electronic sound, symbol, or process as an electronic signature, regardless of context. This is not true. The law does not specify the technology to be used but does detail the terms and circumstances governing the use of electronic signatures. The electronic signing of documents implies that the documents themselves are in an electronic form. Much of the law concerns the electronic records (contracts and notifications) and when they are legal to use. There are extensive consumer disclosure requirements. Consumers must explicitly consent to the use of electronic records, and have the right to withdraw this consent. If there are penalties for the withdrawal of consent (for example, to cover the higher cost of paper records), these must be specified in advance. Furthermore, a company cannot use electronic means to satisfy a legal requirement to provide information in writing if the consumer does not have access to the requisite hardware and software, or does not know how to use a computer. The company (or other legal entity) providing the electronic record must obtain demonstrative proof that the consumer can access information in the electronic form that will be used in the agreement. Unfortunately, this requirement is weakened in other parts of the legislation. Legal effectiveness cannot be denied solely because of a company's failure to obtain proof of consumer access. Also, the federal government reserves the right to grant exemptions from the consumer disclosure requirements if this will "eliminate a substantial burden on electronic commerce and will not increase the material risk of harm to consumers." So the possibility of a consumer entering into a legally binding electronic agreement without having the means to read the agreement does exist. Electronic notifications are prohibited in certain critical areas, including those involving wills, adoption, divorce, court orders, documents accompanying the transportation of hazardous materials, product recalls, cancellation of utilities such as water, heat, or power, and cancellation of health or life insurance. Legislators will evaluate these exceptions during the first three years the law is in effect to determine if they are necessary. Also, E-Sign specifically excludes recorded oral communication as an electronic record. Pushing a button on your phone keypad to indicate agreement with a telemarketer's spiel is not considered a contract. Signature Standards The most serious deficiency in E-Sign is the failure to require that electronic signatures match wet ink signatures in functional characteristics. Back in 1996, the American Bar Association published a detailed analysis of the legal RAMifications of electronic signatures, with some specific recommendations for implementation. The document, titled Digital Signature Guidelines, is available at www.abanet.org/scitech/ec/isc/dsgfree.html. The treatise starts with an analysis of the functional characteristics of a traditional signature, and then looks at how to implement these same characteristics electronically. In legal terms, a signature serves four general purposes: evidence, ceremony, approval, and efficiency. A signature's uniqueness is evidence that a particular individual was the signer. The act of signing a document--the ceremony--calls the signer's attention to the legal significance of the act; you can't sign something by accident or by default (by not taking an action). The signature itself indicates the signer's endorsement or approval of the information in the document--a contract or a check, for example. Finally, a signature indicates that the signer has fully reviewed and accepted the facts, and they can be taken at face value. This allows efficient handling and transfer of the document. Electronic signatures should accomplish these same goals. In fact, electronic signatures have the capacity to surpass wet ink signatures. With biometric techniques such as dynamic signature recognition, forgeries become virtually impossible. The use of a Digest--a value that works like a checksum and is calculated from the contents of an entire document--can ensure that a legal paper remains unaltered, once signed. The digest takes up much less space than the complete document, but even the smallest change in the document will result in a change in the digest. E-Sign does not, however, require that electronic signatures meet these standards except in the case of transferable records--loans secured by real property. If you are obtaining a mortgage electronically, the signature must be demonstrably unique to the signer, in the control of the signer, and attached to the document in such a way that changes to the document after signing are clearly evident. For electronic records that don't involve transferable real property, there are no such requirements. The law also fails to require electronic signatures to protect against fraud. Virtually all the products available today do use technologies that provide security and safety, but companies doing business electronically may choose not to use such precautions. A consumer has no assurance that the electronic signature system used by a company meets even minimal standards for protection against fraud. Should fraud occur, the consumer will find no protection under the law. The burden to prove the deception lies with the customer, and there are no limits on liability. Contrast this with the law governing credit cards. Disputed charges are immediately removed from the purchaser's bill pending investigation by the credit card issuer. And the cap on consumer liability for charges to a stolen card is $50 if the cardholder reports the theft. Digital Signatures E-Sign was not the first law passed that allowed electronic signatures. At the time E-Sign was enacted, 46 states and numerous foreign countries already had similar laws. Because of this, the industry was ready to hit the ground running. The most common technology used for electronic signatures is the digital signature. Many vendors use this approach. E-Lock Technologies (www.elock.com) is one example. To create a digital signature, the document content is condensed into a unique digest, which is then encrypted. The digital signature--this encrypted digest--is then permanently attached to the document. As noted earlier, because even tiny changes will result in a different digest, the digest allows you to verify that the document has remained unaltered. The special key used for encryption can authenticate the identity of the signer. To provide verification you must decrypt the signature. Transmission of an encryption key is inherently insecure, so digital signatures use dual-key encryption, also called public key infrastructure (PKI) technology. PKI uses two keys--one public, one private. The public key is stored in a widely accessible database similar to an electronic telephone directory. The private key is stored on the signer's computer, and can only be accessed with a password. The public key can decrypt any document encrypted with the private key, and vice versa. The two keys are mathematically related, but you cannot derive the private key from the public key. The private key uniquely identifies the signer and is in that person's sole control, as long as the media isn't stolen and the password remains private. The danger that password and private key file theft presents is the weakest element with digital signatures. If a password or private key is stolen, the "forgery" is perfect. A consumer whose identity is appropriated in this way will have a hard time proving any unauthorized use. Using dual-key encryption, you can also create a document that only the specified recipient can read. The sender encrypts the message with the public key of the recipient, who uses the appropriate private key to decrypt the contents. (PKI technology is also used in s/mime, a secure e-mail standard.) The technology works but has not received broad consumer acceptance because people tend to find the process confusing and difficult to use. To make digital signatures more familiar and appealing, one company has added a signature bitmap to the mixture. OnSign.com, an internal start-up company owned by Silanis Technology, is distributing OnSign software for free, online. There are two versions: one for Microsoft Word 97 and 2000, and one for Outlook 98, Outlook 2000, and Outlook Express 5 or later. The underlying technology uses digital signatures, but a bitmap of a traditional signature is also affixed to the document. If the document changes after signing, a red circle enclosing a diagonal line appears over the signature to indicate tampering. Other Technologies A number of E-Sign critics complain that the law not only fails to require digital signature technology, which many consider the preferred technology, but also prohibits states from enacting laws that require digital signature technology. But digital signatures are not the only approach to personal authentication--and may not be the most reliable. Two other personal authentication technologies are in use today. One, the smart card, looks like a credit card and contains circuitry that encodes personal information and handles password protection. When inserted into a specially equipped computer, a smart card can establish the user's identity. One company offering the technology is CyberSafe (www .cybersafe.com). The main problem with smart cards is that, as with private encryption keys, they're subject to theft. Biometrics--electronic recognition of personal characteristics--provides another approach to authentication. You can forget or lose a password, encryption key, or smart card, but no one can steal your signature, voice, fingerprints, or face. Dynamic signature recognition is one biometric strategy. The technique is far more sophisticated than a simple analysis of a finished signature. As a person signs on a pressure-sensitive tablet, the software records character shape, writing speed, stroke order, off-tablet motion, pen pressure, and timing. These characteristics uniquely identify a person and cannot be mimicked or stolen. Two companies offering dynamic signature verification are Communication Intelligence Corp. (www .cic .com) and Cyber-Sign (www .cybersign .com). Prospects The early adopters of electronic signature technology are expected to be banks and other financial institutions. Because banks deal with transferable records, for which the requirements are more stringent, these institutions will tend to use secure technologies that protect against fraud. As the use of electronic signatures becomes more widespread, however, the risk of fraud will increase. Consumers should routinely ask for information about the technology they're asked to use and the fraud protection provided. One hopes that Congress will enhance the law governing electronic signatures to include standards for electronic signature technology. As things stand, though, the burden of determining whether an electronic transaction is safe falls on the consumer. |