PFIR - People For Internet Responsibility
PFIR Statement on Electronic Signatures and Documents

June 17, 2000
(updated July 1, 2000)

Greetings. Laws usually tend to lag far behind technology, often allowing problems--like spam e-mail for example--to fester until they're impossible to ignore. Then we tend to see some action, with varying degrees of positive or negative results. When it comes to electronic signatures and digital documents, Congress' preemptive attempt at creating an e-commerce utopia, bereft of adequate consumer protections, may instead have laid the foundation for a range of very serious new problems.

Both houses of the U.S. Congress have now passed the "Electronic Signatures in Global and National Commerce Act" legislation. They acted nearly unanimously. President Clinton signed the bill (S. 761) on June 30, first using pen and paper, and then "symbolically" via a digital signature system (the Act is directed specifically towards commerce, and does not authorize official electronic signing of legislation in any case). This new law validates the use of "electronic" signatures and documents in business transactions, replacing the written signatures and paper records with which we are all familiar.

Such a change has immense, complex, and far-reaching ramifications. A popular adage suggests that "the devil is in the details." This is especially true in this case. In their determination to jump onto the e-commerce bandwagon, Congress has found a convenient method to handle most of those pesky details--just ignore them completely! As a result, we may have just seen the creation of a new array of risks for businesses and consumers alike, but a true bonanza for the lawyers who will handle the inevitable litigation to follow.

Just about anything that two parties care to call an "electronic" signature will be treated as valid. Online documents will have the same force of law as paper contracts and records. Remarkably though, the legislation makes no attempt to set any standards for how, or even if, such documents would need to be protected to prevent them from being easily modified by error or criminal design. E-mail, the reception of which is difficult to verify without introducing privacy problems, and which can be accidentally or purposely misrouted, could replace most conventionally mailed notices and other similar materials.

The Act fails to set minimum security or other technical standards of any kind. It doesn't even specify how it could be determined that someone had authorized the use of electronic signatures or digital contracts in the first place. Nor is there even a requirement such as the minimal levels of communications security, e.g. Secure Sockets Layer (SSL), that most people have come to expect from their "routine" Internet credit card transactions. The legislation even requires the U.S. Department of Commerce to become a promoter of this standard-less view of electronic transactions and records around the world. On top of this, the Act appears to effectively prohibit individual states from establishing their own laws to specify meaningful technical standards in these areas.

While you're not supposed to be forced to use these hi-tech paper replacements, how long will it be before you find yourself paying more, perhaps much more, if you choose not to do so? The pattern is all too familiar--first there will be offers of discounts if you'll give up paper, but all too soon the fees for insisting on paper records and physical signatures will become so exorbitant that most of us will give in, whether we really want to or not.

Congress did include some exceptions in their legislation where paper will still be required, including eviction notices, wills, court orders, and some others. Of course, by the time you receive, for example, an eviction notice, a tremendous amount of damage could have already been done. The legislation does not establish any protections, like the existing $50 exposure limit in the U.S. on fraudulent credit card purchases, for these electronic transactions. The Act allows you to dispute the authenticity of particular electronic signatures or digital documents, but this means you have to prove an electronic signature or document isn't yours or is not otherwise authentic. Given the lack of even minimal a priori standards for such materials, this ensures that our courts will have plenty of such cases to handle in their anything but copious free time.

We can certainly be sure of one other thing though--no doubt there are already crooks rubbing their hands together in glee at the prospect of these newly-enabled e-frauds!

There are of course technical methods that can be employed to make such electronic transactions and digital documents safer and more secure, most of them involving various cryptographic techniques. As a practical matter, one of the firms most likely to benefit from the use of such systems would seem to be VeriSign, Inc., which after their purchase of former competitor Thawte, has a virtual monopoly on the issuing of the widely-accepted digital certificates crucial to most existing such technologies.

Yet even the most advanced of these systems have major problems in some extremely critical areas. How do you verify the actual consent and authority of a person relating to these new electronically-signed transactions, or know that the electronic signature wasn't stolen from a PC by some inside or outside entity? Even knowing that the authorization comes from a particular computer isn't good enough. As we've seen, most PCs and many other systems are easily compromised. Many passwords are trivially guessed or otherwise determined, even assuming that they haven't been left in an unencrypted disk file or stuck to a monitor on a Post-it note!

We know all too well that in the case of distributed denial of service and other attacks, viruses and trojans can embed software into systems to perform other insidious functions at some later time. This same technique could be used to "take over" a PC to perform seemingly authorized electronic signature transactions. Biometrics (fingerprints, iris scans) could provide better identification, but their implementation in a manner that cannot be easily subverted to cause additional problems, and that does not introduce serious privacy concerns, is a non-trivial task.

Nearly every day we see new reports of computer-related attacks on the Internet or other network environments. Poorly-designed systems and misconfigured servers result in continuing episodes of Internet credit card fraud--now a major proportion of all fraudulent credit card activity--even when communications are protected by SSL. We constantly learn of Web sites and databases which find themselves hacked and their contents altered, and those are just the ones that are discovered, and that we actually find out about! Identity fraud is already a major and growing problem, even without the boost that this legislation is likely to provide to its perpetrators.

Each time these sorts of events are publicized, we hear politicians pontificating about how "something needs to be done"--usually a suggestion for harsher "after the fact" criminal penalties, not proactive technical actions or standards which could have helped to avoid the problems in the first place. In the case of this new electronic commerce legislation, we've even heard various Congressmen express concern about its lack of establishing any standards for the electronic transactions and digital documents that it is widely validating. Congress still plowed ahead anyway, and passed the legislation with enthusiastic gusto.

While it would not have been appropriate for the Act to have mandated the use of particular products or technologies, it would have been completely appropriate, indeed expected, for it to specify minimum requirements for the authentication, protection, security, and related aspects of such electronic transactions and documents. Though it might be assumed that reputable businesses would attempt to provide the best security that they could, without such requirements there is nothing to prevent them from not doing so, and this could be an invitation to poor decisions, flawed implementations, confusion, and errors that could have serious repercussions for both themselves and their customers. When it comes to less-scrupulous "businesses" it could be a direct invitation to fraud.

The temptation for businesses and consumers alike to participate in this new but totally nebulous world of electronic transactions and virtual documents will be significant. All manner of pie-in-the-sky cost reductions and wonderful benefits are being promised. Unfortunately, it seems probable that the real costs are likely to be the problems that such systems, implemented in a standards and security vacuum of truly staggering proportions, could bring to us all.

--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy