Sign at the Digital X: E-Sign Law Takes Effect

Businesses see huge savings in electronic documents, but standards issue looms

Eric S. Brown, special to PCWorld.com

Thursday, October 05, 2000

If you thought the paper vs. plastic decision was hard, get ready for paper vs. digital. Thanks to the E-Sign law that takes effect this week, electronic signatures can be used with the same protections and financial disclosures of paper contracts.

Replacing paper-based legal documents could save businesses millions in overnight delivery, clerical labor, document storage, and legal fees. The Internet enables instant delivery, as well as the capability to tap into existing document management and database systems. As a result, digital signatures are set to streamline business-to-business exchanges, government applications, loan and credit agreements, and more.

E-Sign, more formally known as the Electronic Signatures in Global and National Commerce Act, backs up similar legislation in effect in 46 states. (See "Clinton E-Signs Off on Digital Signatures." )

E-Sign requires that businesses offer consumers the option of a paper-only transaction, confirm that consumers have a sufficient PC setup, and use paper documents for notices of termination. The law excludes a number of documents that still must exist in paper form, including wills, adoption papers, divorce documents, court orders, utility termination notices, foreclosures and eviction notices, insurance cancellations, and warnings required for transportation of hazardous materials. (See "E-Sign on the Dotted Line." )

While E-Sign doesn't require a particular technology, the vast majority of electronic signature solutions use encrypted digital signatures based on Public Key Infrastructure technology. Major PKI firms include Baltimore Technologies, CyberSafe, Entrust Technologies, RSA Security, and VeriSign.

With a typical PKI solution, you send a digital certificate created by a set of encrypted mathematical codes that uniquely identifies you. You use a combination of public and private keys to establish that a digital document has made it over the wires unmolested and that the sender owns the signature on the document. Usually, the signature transaction involves a third-party certificate authority such as Digital Signature Trust or ValiCert, which validates the signature.

 

Smart Cards, Smart Pens

For added security and convenience, some schemes call for smart cards that include digital IDs, so you can link a signature to an individual rather than a computer. This is not the same as simply a digitized version of a signature, which can be accomplished with, say, a scanner or digital pen.

Those who prefer to work with traditional handwritten signatures can call upon smart pens that register unique signature movements. These include LCI Technology 's Smartpen and a new product from digital certificate vendor PenOp, which incorporates Wacom's Graphire Pen. For high-security applications, more exacting biometric devices such as thumbprint scanners, voice-pattern recognition, and even retinal scans are on the way.

Many Alternatives

Digital signatures are just one part of a growing content security business that is attracting everyone from business-to-business software firms to document management companies and computer-security vendors.

Companies can hire a firm such as Entrust or VeriSign to help them create a signature solution customized for their business processes. UPS, for example, is using DataCert 's technology to create UPSDocument Exchange Invoices--a hedge against the day when digital certificates threaten the overnight carrier's contract cash cow.

Other companies may prefer to experiment with an off-the-shelf solution such as Silanis Technology 's ApproveIt, which lets you easily attach digital signatures to any document.

You can also outsource the process to Internet-based services such as DataCert, ILumin, and ISignOnline.com, which provide secure, neutral virtual meeting rooms for businesses to sign contracts online. These Internet notaries facilitate the core PKI and digital certificate functions. They also often handle everything from document management to secure VPN pipelines to online electronic storage.

Lack of Standards Remains E-Sign's Obstacle

Digital certificates can provide corporate customers with major paper-related savings, says Ben Gould, senior vice president at ILumin. "In a traditional system, you're paying for real estate, filing cabinets, and clerical work," Gould says. "There are huge costs in reentry of data."

Yet PKI technology by itself isn't enough, says Gould. You need to keep documents and signatures secure while still being able to get at the data within them.

"As soon as you move data into a document format and put a signature on it, you lose its attributes," Gould says. "When you separate the data from the document, the validity of the signature is no longer enforceable."

With ILumin's XML-based document management features, data can be viewed and extracted in database format. For example, it could be used to run a credit check without infringing upon the validity of the document.

 

Wanted: Interoperability

Just as formal signing ceremonies and overnight deliveries of contracts didn't disappear when fax signatures became legal, e-signatures won't replace paper anytime soon. The most pressing obstacle is the lack of standards, something E-Sign failed to address.

"There's not enough interoperability among PKI products," says Jeff Hodge, vice president of DataCert. "The government needs to take a role in setting standards around PKI."

Beyond PKI incompatibilities, advocates of electronic signatures face a variety of certificate-validation approaches and XML flavors, and a total lack of international standards. Only a handful of countries, including Finland and Singapore, accept electronic signatures.

Then there's the simple matter of customer trust. In a world of hackers and viruses, vendors must reassure customers that their online John Hancock will be at once more difficult to copy and easier to use than their handwritten signature.

 

Biometrics May Play a Role

To some, this obstacle can be overcome only by the added security of biometric devices.

"Biometrics will be tremendously important," says James Van Dyke, an analyst with Jupiter Communications. "Once you get a few major cases of fraud, with night janitors copying down passwords at 2 a.m., you'll see greater interest."

While biometrics may fly in corporate America, individual consumers may see these devices as more of a privacy intrusion than a protection of identity. Ease of use is a greater issue in the consumer realm, and it's harder to authenticate identities.

"The retail consumer sector won't go to digital signatures anytime soon, but there should be more acceptance in B2B," says Anne Marie Earley, an analyst with Gartner Group. Even in B2B, old habits die hard, says Earley.

"I'm not sure if companies will accept not having paper copies available," she adds. She expects business use will get a jump start by business-to-government transactions, since the government has been mandated to start making government applications available over the Internet.

Meanwhile, technical details still need to be improved, such as support for the multiple signings required in large enterprises. And costs need to drop before all those heralded savings appear.

"You won't be able to get rid of a paper system until you fully implement the technology, so you have to get enough trading partners to join in," says Van Dyke. "People will pay more before they pay less."