Electronic Signatures
Sheryl Canter

12/18/2000

PC Magazine from ZDWire

Copyright (c) 2000 ZD Inc. All Rights Reserved.

The Electronic Signatures Act (E-Sign), signed into law by President Clinton on June 30 and effective as of October 1, has received much fanfare but little clear and accurate explanation. Most people know they can now sign a mortgage agreement and other contracts online but don't know what this means in practical terms. Are electronic signatures safe? How do they work?

E-Sign says nothing at all about how electronic signatures should work on a technical level; the law just says that a signature's legal effectiveness cannot be denied solely because it is electronic. The act does not say how to implement the technology, just that you can.

The law's technological neutrality is deliberate, not an omission to be filled in at a later time. In fact, E-Sign bars states from passing laws that require or favor the use of specific technologies, and neither federal nor state governments may issue regulations requiring specific technologies. Working out the implementation details is left to the marketplace. This approach allows for the use of future developments that may fill the need even better than existing technologies.

The law does have some serious weaknesses, however. Electronic signatures aren't required to accomplish the same functional goals as wet ink signatures. No standards were set for the technology to be used. And with the exception of transferable records--loans secured by real property--E-Sign also fails to require that an electronic signature be unique to the signer, demonstrably executed by the signer, and logically connected to a document in such a way that changes after signing can be detected. These gaps can be filled in at the state level, but one can argue that the basic requirements should have been written into the federal law. There are also some gaps in consumer protection provisions. The full text of the law is available on the Web at www.ecommerce.gov/ecomnews/ElectronicSignatures_s761.pdf.

Consumer Protections

The definitions section of E-Sign states that an electronic signature is "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." Some commentators have taken this definition out of context, saying that you can interpret virtually any electronic sound, symbol, or process as an electronic signature, regardless of context. This is not true. The law does not specify the technology to be used but does detail the terms and circumstances governing the use of electronic signatures.

The electronic signing of documents implies that the documents themselves are in an electronic form. Much of the law concerns the electronic records (contracts and notifications) and when they are legal to use. There are extensive consumer disclosure requirements. Consumers must explicitly consent to the use of electronic records, and have the right to withdraw this consent. If there are penalties for the withdrawal of consent (for example, to cover the higher cost of paper records), these must be specified in advance. Furthermore, a company cannot use electronic means to satisfy a legal requirement to provide information in writing if the consumer does not have access to the requisite hardware and software, or does not know how to use a computer. The company (or other legal entity) providing the electronic record must obtain demonstrative proof that the consumer can access information in the electronic form that will be used in the agreement.

Unfortunately, this requirement is weakened in other parts of the legislation. Legal effectiveness cannot be denied solely because of a company's failure to obtain proof of consumer access. Also, the federal government reserves the right to grant exemptions from the consumer disclosure requirements if this will "eliminate a substantial burden on electronic commerce and will not increase the material risk of harm to consumers." So the possibility of a consumer entering into a legally binding electronic agreement without having the means to read the agreement does exist.

Electronic notifications are prohibited in certain critical areas, including those involving wills, adoption, divorce, court orders, documents accompanying the transportation of hazardous materials, product recalls, cancellation of utilities such as water, heat, or power, and cancellation of health or life insurance. Legislators will evaluate these exceptions during the first three years the law is in effect to determine if they are necessary.

Also, E-Sign specifically excludes recorded oral communication as an electronic record. Pushing a button on your phone keypad to indicate agreement with a telemarketer's spiel is not considered a contract.

Signature Standards

The most serious deficiency in E-Sign is the failure to require that electronic signatures match wet ink signatures in functional characteristics. Back in 1996, the American Bar Association published a detailed analysis of the legal ramifications of electronic signatures, with some specific recommendations for implementation. The document, titled Digital Signature Guidelines, is available at www.abanet.org/scitech/ec/isc/dsgfree.html. The treatise starts with an analysis of the functional characteristics of a traditional signature, and then looks at how to implement these same characteristics electronically.

In legal terms, a signature serves four general purposes: evidence, ceremony, approval, and efficiency. A signature's uniqueness is evidence that a particular individual was the signer. The act of signing a document--the ceremony--calls the signer's attention to the legal significance of the act; you can't sign something by accident or by default (by not taking an action). The signature itself indicates the signer's endorsement or approval of the information in the document--a contract or a check, for example. Finally, a signature indicates that the signer has fully reviewed and accepted the facts, and they can be taken at face value. This allows efficient handling and transfer of the document.

Electronic signatures should accomplish these same goals. In fact, electronic signatures have the capacity to surpass wet ink signatures. With biometric techniques such as dynamic signature recognition, forgeries become virtually impossible. The use of a digest--a value that works like a checksum and is calculated from the contents of an entire document--can ensure that a legal paper remains unaltered, once signed. The digest takes up much less space than the complete document, but even the smallest change in the document will result in a change in the digest.

E-Sign does not, however, require that electronic signatures meet these standards except in the case of transferable records--loans secured by real property. If you are obtaining a mortgage electronically, the signature must be demonstrably unique to the signer, in the control of the signer, and attached to the document in such a way that changes to the document after signing are clearly evident. For electronic records that don't involve transferable real property, there are no such requirements.

The law also fails to require electronic signatures to protect against fraud. Virtually all the products available today do use technologies that provide security and safety, but companies doing business electronically may choose not to use such precautions. A consumer has no assurance that the electronic signature system used by a company meets even minimal standards for protection against fraud.

Should fraud occur, the consumer will find no protection under the law. The burden to prove the deception lies with the customer, and there are no limits on liability. Contrast this with the law governing credit cards. Disputed charges are immediately removed from the purchaser's bill pending investigation by the credit card issuer. And the cap on consumer liability for charges to a stolen card is $50 if the cardholder reports the theft.

Digital Signatures

E-Sign was not the first law passed that allowed electronic signatures. At the time E-Sign was enacted, 46 states and numerous foreign countries already had similar laws. Because of this, the industry was ready to hit the ground running.

The most common technology used for electronic signatures is the digital signature. Many vendors use this approach. E-Lock Technologies (www.elock.com) is one example. To create a digital signature, the document content is condensed into a unique digest, which is then encrypted. The digital signature--this encrypted digest--is then permanently attached to the document. As noted earlier, because even tiny changes will result in a different digest, the digest allows you to verify that the document has remained unaltered. The special key used for encryption can authenticate the identity of the signer.

To provide verification you must decrypt the signature. Transmission of an encryption key is inherently insecure, so digital signatures use dual-key encryption, also called public key infrastructure (PKI) technology. PKI uses two keys--one public, one private. The public key is stored in a widely accessible database similar to an electronic telephone directory. The private key is stored on the signer's computer, and can only be accessed with a password. The public key can decrypt any document encrypted with the private key, and vice versa. The two keys are mathematically related, but you cannot derive the private key from the public key.

The private key uniquely identifies the signer and is in that person's sole control, as long as the media isn't stolen and the password remains private. The danger that password and private key file theft presents is the weakest element with digital signatures. If a password or private key is stolen, the "forgery" is perfect. A consumer whose identity is appropriated in this way will have a hard time proving any unauthorized use.

Using dual-key encryption, you can also create a document that only the specified recipient can read. The sender encrypts the message with the public key of the recipient, who uses the appropriate private key to decrypt the contents. (PKI technology is also used in S/MIME, a secure e-mail standard.) The technology works but has not received broad consumer acceptance because people tend to find the process confusing and difficult to use.
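The digest-then-sign scheme described in the two preceding sections, plus the encrypt-to-recipient use of the same key pair, as an added example that is not from the article or from any vendor it names. It assumes SHA-256 for the digest and RSA PKCS#1 v1.5 for signing and RSA-OAEP for sealing (the article names no specific algorithms), and the contract text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Digest condenses the whole document into a fixed-size value (SHA-256 here,
// an assumption); even a one-character change gives a different digest.
func Digest(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// Sign turns the digest into the digital signature with the signer's private
// key (RSA PKCS#1 v1.5, an assumption about the scheme).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(doc))
}

// Verify recomputes the digest from the document as received and checks the
// signature with only the public key; any alteration or a different signer fails.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(doc), sig) == nil
}

// Seal is the other direction the article describes: encrypt to the recipient's
// public key so only the matching private key can read it (RSA-OAEP, an assumption).
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Open(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	signer, _ := rsa.GenerateKey(rand.Reader, 2048)
	contract := []byte("Borrower repays $200,000 at 7.5% over 30 years.") // constructed sample
	sig, _ := Sign(signer, contract)
	altered := []byte("Borrower repays $200,000 at 9.5% over 30 years.") // one digit changed
	fmt.Println("original verifies:", Verify(&signer.PublicKey, contract, sig)) // true
	fmt.Println("altered verifies: ", Verify(&signer.PublicKey, altered, sig))  // false
	ct, _ := Seal(&signer.PublicKey, []byte("for the signer's eyes only"))
	pt, _ := Open(signer, ct)
	fmt.Println("sealed note opens as:", string(pt))
}
```

Note that Verify rejects a signature made with a different private key just as it rejects an altered document, which is what lets the public key authenticate the signer.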

To make digital signatures more familiar and appealing, one company has added a signature bitmap to the mixture. OnSign.com, an internal start-up company owned by Silanis Technology, is distributing OnSign software for free, online. There are two versions: one for Microsoft Word 97 and 2000, and one for Outlook 98, Outlook 2000, and Outlook Express 5 or later. The underlying technology uses digital signatures, but a bitmap of a traditional signature is also affixed to the document. If the document changes after signing, a red circle enclosing a diagonal line appears over the signature to indicate tampering.

Other Technologies

A number of E-Sign critics complain that the law not only fails to require digital signature technology, which many consider the preferred technology, but also prohibits states from enacting laws that require digital signature technology. But digital signatures are not the only approach to personal authentication--and may not be the most reliable.

Two other personal authentication technologies are in use today. One, the smart card, looks like a credit card and contains circuitry that encodes personal information and handles password protection. When inserted into a specially equipped computer, a smart card can establish the user's identity. One company offering the technology is CyberSafe (www.cybersafe.com). The main problem with smart cards is that, as with private encryption keys, they're subject to theft.

Biometrics--electronic recognition of personal characteristics--provides another approach to authentication. You can forget or lose a password, encryption key, or smart card, but no one can steal your signature, voice, fingerprints, or face. Dynamic signature recognition is one biometric strategy. The technique is far more sophisticated than a simple analysis of a finished signature. As a person signs on a pressure-sensitive tablet, the software records character shape, writing speed, stroke order, off-tablet motion, pen pressure, and timing. These characteristics uniquely identify a person and cannot be mimicked or stolen. Two companies offering dynamic signature verification are Communication Intelligence Corp. (www.cic.com) and Cyber-Sign (www.cybersign.com).

Prospects

The early adopters of electronic signature technology are expected to be banks and other financial institutions. Because banks deal with transferable records, for which the requirements are more stringent, these institutions will tend to use secure technologies that protect against fraud. As the use of electronic signatures becomes more widespread, however, the risk of fraud will increase. Consumers should routinely ask for information about the technology they're asked to use and the fraud protection provided. One hopes that Congress will enhance the law governing electronic signatures to include standards for electronic signature technology. As things stand, though, the burden of determining whether an electronic transaction is safe falls on the consumer.