, SecurityFocus 2000-06-21
A new federal law will make electronic signatures legally binding, without setting security standards. Does it favor forgers?
“
Your PC could be made to generate an electronic transaction that, under the terms of this legislation, would be considered valid and binding.
”
"You pass a number of security audits," recalls Trell Rohovit, a vice president at the competing Digital Signature Trust Co. "They did different technical attacks against our firewall and different technical attacks against our secure facility." In the end, both companies passed, and are now two of only four companies licensed by Utah to authenticate the digital certificates that underpin that state's electronic signature standard.
The annual licensing process has been de rigueur since Utah's forward-looking Digital Signature Act passed in 1995. The law made Utah the first state to sign-off on electronic signatures as a legal and enforceable substitute for the traditional John Hancock. Five years later, electronic signatures have achieved only limited use in the Beehive State. But the Utah law's well-defined technology standards and security requirements stand in sharp contrast to legislation that swept through both branches of Congress last week, and is expected to receive quick approval from President Clinton.
The Electronic Signatures in Global and National Commerce Act (E-Sign) gives electronic signatures the same legal weight as "wet" signatures, without defining exactly what an electronic signature is. Anything the parties to a contract agree to use as a signature is legally binding, whether a scanned image of a handwritten scrawl, biometrics like fingerprints or corneal scans, or a simple click on a "sign here" button at the foot of a web page.
Supporters expect E-Sign to amp up e-commerce by allow businesses and individuals to enter into legally binding contracts online, without tedious paper shuffling, shipping or faxing. Consumers can purchase cars, buy insurance or take out loans, for example, over the Internet.
But without security standards, some consumer advocates believe that E-Sign will bring the age-old crime of forgery to the Internet age. "It's remarkable that the legislation does not even generically address some minimum security requirements that obviously would be required to protect both consumers and business," says Lauren Weinstein, cofounder of People for Internet Responsibility. Weinstein points out that the bill doesn't mandate use of Secure Sockets Layer (SSL), which protects most online credit card transactions today, and it sets no standards for linking an electronic signature to its owner. "It says that anything that you declare as a signature, is one."
Supporters of the bill say the lack of security standards is one of E-Sign's greatest selling points.
"For lots of reason, most commonly human factors, standards aren't always the highest level of technology," says Allison Taylor, director of product marketing at Network Associates' PGP group. "I think the fact that they are not selecting a digital signature technology reflects a maturing."
Additionally, Taylor says, some applications of electronic signatures don't justify costly security measures, such as a company manager signing off on a contractor's timecard. "Security has to be customized," says Taylor.
"Not every digital signature needs to be authenticated at the highest levels," agrees USERTrusts's Tuscano. Perhaps surprisingly considering his company's investment in meeting Utah's vigorous standards, Tuscano supports E-Sign's silence on security. "That really is far sighted. We don't know what technologies will develop in the future in this arena, so it's better to leave that open."
In Utah, only digital signatures carry legal weight. Digital signatures are a particular type of electronic signature built on public key encryption, with the signer's public key typically lodged with a "certificate authority" which certifies the signer's identity. In Utah only licensed certificate authorities that have met the states' security standards -- a group that also includes Arcanvs, Inc., and California giant VeriSign - may certify legally binding signatures
"I'm in the business of digital certificates, so if I'm speaking from selfish viewpoint, I'd say 'yes' to standards," says Rohovit. "But from a technology standpoint, I think we should say, 'let the best technology win.' The fact that there is kind of a neutral position in the law puts the law in a position to be effective over a long period of time."
Digital signatures have grown to common use on the Internet, but a government mandated standard could just as easily have become an albatross, says Rohovit. "Utah guessed right." As for fraud concerns, handwritten signatures hardly provide strong authentication, Rohovit points out, and crimes like identity theft are already rampant. "We kid ourselves sometimes into thinking that we're much more secure in the paper world, and we're not."
Weinstein agrees that a handwritten signature is a weak security mechanism. "But it has one redeeming characteristic, which is that someone who hasn't had any dealings with you isn't likely to know what it looks like a prior. If a hacker were to get into your computer right now, he'd be unlikely to find a copy of your signature," says Weinstein.
"That PC could be made to generate an electronic transaction that, under the terms of this legislation, would be considered valid and binding," says Weinstein, who adds that the bill doesn't provide the kind of consumer protection that credit card laws do, where consumers are liable for no more than $50.00 of fraudulent use.
Once signed by the President, the law will take effect October 1st. Wills, adoptions, divorces and organ donations are excluded, and will still require pen and paper.
