Jon Udell: Digital Signature Laws

Tangled in the Threads
Jon Udell, December 13, 2000
Digital Signature Laws

UETA, and now E-Sign, only lay the foundation

While legal in an abstract sense, nobody yet knows the concrete implications of digital signatures. The new legislation is an invitation to start finding out.

Last summer, President Clinton signed S.761, aka "E-Sign," into law. Formally entitled the Electronic Signatures in Global and National Commerce Act, E-Sign is colloquially known as the "digital signature act" and has been widely hailed as a boon to e-commerce.

E-Sign did not spring fully-formed from the mind of Congress. It derives from, and shares much language in common with, UETA, the Uniform Electronic Transactions Act, which a majority of states have either already adopted, or are considering.

The PKI (public key infrastructure) industry has made what marketing hay it can of E-Sign. But the fact remains that, while E-Sign certainly confers a stamp of approval on PKI, this set of technologies is as complex and esoteric as anything the high-tech industry has ever created. There's a huge disconnect here. Although I'm a proponent of digital signatures, and have used and advocated them for years, PKI remains a complete mystery to most people.

Like UETA before it, E-Sign does not try to define digital signatures except in abstract and technology-neutral terms:

UETA definition of electronic signature:

(8) "Electronic signature" means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

E-Sign definition of electronic signature:

The term ``electronic signature'' means information or data in electronic form, attached to or logically associated with an electronic record, and executed or adopted by a person or an electronic agent of a person, with the intent to sign a contract, agreement, or record.

While E-Sign general seeks to avoid pre-empting states' UETA efforts, it appears to threaten at least one state -- Utah -- whose Digital Signature Act tries to spell out an explicit integration of PKI into state government.

E-Sign's technology-neutral stance initially struck me as odd. How, I asked in the newsgroup, could Congress base legislation on such a vague and general definitin? But as several folks pointed out, this was in fact exactly the right approach:

James Power:

It has nothing to do with proof of identity. Your signature on a document means something only if it is not a forgery.

I think all it is saying is that if you agree to something electronically, it can be as legally binding as by signing your name on paper. Of course, if you say you didn't sign it, it was forged, that would complicate matters, just as it would if you say your signature on a check was forged.

James was right. According to E-Sign:

Nothing in this section shall be construed to limit or otherwise affect the rights of any person to assert that an electronic signature is a forgery, is used without authority, or otherwise is invalid for reasons that would invalidate the effect of a signature in written form. The use or acceptance of an electronic record or electronic signature by a consumer shall not constitute a waiver of any substantive protections afforded consumers under the Consumer Protection Act.

Todd Boyle:

I think the wording of the bill is just right. If they encoded [specific technology] into the law, it would be obsolete in months.. and whoever owned the patents and gateways would be set for life, collecting rents, while other acceptable/superior digital signature technologies were NOT enforceable.

The financial encryption industry is characterized by healthy and independent discussion of these issues, not to worry,

I think digital signatures are the greatest thing since sliced bread. They are another step towards the free and geodesic model of commerce, between individuals and small business, outside of the control of central hubs and corporations and banks, which I hunger for.

I stand corrected. Digital signature technology is not something the government should meddle with. After all, its past interventions in cryptographic matters -- the Clipper initiative, crypto export -- have been clumsy and counterproductive. Rather, the appropriate role for government is to signal its desire for industry to develop and refine digital signatures and related technologies, and to proclaim its intention to remove obstacles to such progress.

New legal status for digital record-keeping

One of the chief obstacles swept away by this new legislation is the requirement that a signed piece of paper accompany every commercial agreement. UETA and E-Sign don't guarantee that a digital signature, or a name typed at the end of an email message, or a mouse click on a "click-wrap" agreement, will necessarily carry the same weight as a signature on a piece of paper. Rather, they guarantee that an agreement cannot be held to be invalid solely because the method used to sign it, or the medium used to represent it, is digital:

E-Sign:

(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and

(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

E-Sign, more aggressively than UETA, seeks to protect us from the risks inherent in this kind of e-commerce, by asserting that all parties must agree to use electronic records and abide by electronic signatures. How is that agreement to be expressed? If such acknowledgement is itself digital, do we fall into an infinite regress? No, quite the reverse. E-Sign in fact requires consent to be given electronically:

(C) the consumer--

(i) prior to consenting, is provided with a statement of the hardware and software requirements for access to and retention of the electronic records; and

(ii) consents electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent;

As the National Consumer Law Center notes in its analysis of UETA and E-Sign, this requirement that consent be given electronically is a key consumer protection, since merely paper-based consent "creates a risk that consumers will be offered boilerplate paper agreements to receive future electronic notices that they may or may not be able to open and read."

The challenge of document integrity

My signature on a document is worthless, obviously, if you alter the document after I sign it. E-Sign does not say anything about how electronic records can be made tamper-proof, but it does specify that the integrity must, by some means, be assured:

...the legal effect, validity, or enforceability of an electronic record of such contract or other record may be denied if such electronic record is not in a form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled to retain the contract or other record.

The challenges, as UETA acknowledges, are formidable:

2. In an electronic medium, the concept of an original document is problematic. For example, as one drafts a document on a computer the "original" is either on a disc or the hard drive to which the document has been initially saved....Indeed, it may be argued that the "original" exists solely in RAM and, in a sense, the original is destroyed when a "copy" is saved...In any event, in the context of record retention, the concern focuses on the integrity of the information, and not with its "originality."

Document integrity is, of course, closely intertwined with digital signature. When I digitally sign a digest (hash) of a document, using my private key, I prove two things at once:

That I was the signer, because it's my public key that decrypts the digest.

That the document wasn't tampered with, because your freshly-generated digest matches the one I sent.

These effects are mysterious and magical, even to those who've studied how they work. It will be a very long time before they sink into the popular consciousness. First, people will have to start using cryptographic means of assuring the integrity of electronic records. Then, courts will have to begin testing the implications of such use.

Will electronic signatures hold up as proof of assent to a contract, or as proof of the integrity of a document? Writing for the New Hampshire Bar Journal (December 2000), attorneys Paul Remus and Todd Sullivan note that such matters have never yet arisen in court. They add:

Software engineers and computer scientists must work toward designing the means of electronic contracting that protect the legal needs of consumers, business, and the government. At some point, entrepeneurs must also take the chances that will eventually result in disputes, trials, and appeals, where much of our law is crafted.

In other words, it's a bit of a Catch-22. Digital signatures are now legal, in an abstract sense. But most people, quite sensibly, will be skeptical until precendents have been established. How will you prove that you did, or didn't, have control of your private key? How can certification authorities show impartiality? What happens when keys are self-signed, and exchanged in a purely peer-to-peer manner (PGP, Groove)? Nobody knows the answers to these questions. The so-called digital signature laws are really just an invitation to begin taking steps that will lead us to ask them. And that's a good thing.

Jon Udell (http://udell.roninhouse.com/) was BYTE Magazine's executive editor for new media, the architect of the original www.byte.com, and author of BYTE's Web Project column. He's now an independent Web/Internet consultant, and is the author of Practical Internet Groupware, from O'Reilly and Associates. His recent BYTE.com columns are archived at http://www.byte.com/index/threads

This work is licensed under a Creative Commons License.