The Electronic Signatures in Global and National Commerce Act that President Clinton signed into law on June 30 (most of its provisions take effect on October 1, 2000, with the record-retention provisions following on March 1, 2001) has received a lot of attention. The new law, known as E-SIGN, is part of Capitol Hill's "eContract 2000," a program aimed at modernizing the nation's laws to keep step with advancing technologies. The House of Representatives and the Senate approved the bill earlier in June. It was created to pave the way for a new era of e-commerce. The measure requires that consumers consent to doing business online and that they be assured consumer protections equivalent to those in the paper world. For an in-depth analysis of what it means both to consumers and to merchants, I spoke with Richard Bondi, an expert on computer cryptography and author of Cryptography for Visual Basic: A Programmer's Guide to the Microsoft CryptoAPI.
"It's a first step wading into the digital waters, but they got into completely the wrong end of the pool," explained Mr. Bondi about Congress' attempts to make digital agreements binding on both parties. "The law is very broad. Instead of legalizing the signature, they've legalized the digital part: the method of signing. It's as if 200 years ago the use of ink in signatures was legalized, but the law forgot to add that a signature written in ink and purporting to be yours actually has to look like your signature, too.
"The new law seems to allow saying 'okay' in any old way. It accepts pressing a touch-tone on the phone, clicking on 'I agree' at the bottom of an agreement, or clicking on a hyperlink as legally binding."
"When a merchant and a customer sign a contract, the merchant is interested in the identity of the customer and the identity of the document. She doesn't want the customer saying 'I never signed that! That's someone else's signature!' in order to back out of the contract. She also doesn't want the customer to be able to alter the contract and say 'The contract I signed said I could have your Exercycle for $10, not $1000! So that's all I'm sending you!' When cryptographers talk about a digital signature, they are talking about something that is capable of guaranteeing both these things (among others)."
"This new law finally makes such digital signatures as legal as pen and ink signatures, but it also makes ways of signing things legal that ought not to be. Among other things, a digital signature should be very difficult to forge, and make the signed document tamper-proof. Pressing a button on your phone doesn't even come close. But then again, neither does signing your name in ink on a document. In terms of security, pen and ink signatures fall somewhere in the middle of the broad spectrum this new law defines. One commentator has said that the law legalizes electronic signatures but not digital ones, but that's a subtlety only cryptographers will pick up on. If I had to summarize, I'd say it legalizes both very secure and very insecure ways of electronically signing things."
Even more startling is that nothing in the law requires proof that the person doing the clicking is really who he says he is, which is the authentication question underlying non-repudiation. How can it possibly save merchants and businesses all this money if they still don't know whether the person agreeing is really who he says he is? Mr. Bondi opines, "It doesn't really seem like a good thing. It does not require client-side authentication." Client-side authentication generally means a digital credential (a client certificate) issued by a trusted third party, which binds the consumer's identity to a public key; the consumer sends it along with a signed document so the merchant can check both that the signature verifies and that the key belongs to the named person. It is the rough equivalent of a driver's license.
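The two guarantees Mr. Bondi describes (the signer's identity and the integrity of the signed document) and the third-party credential described above can be shown concretely. The following Go program is an added illustration written for this article, not code from Mr. Bondi's book or from any product; it uses Ed25519 from Go's standard library (an algorithm that postdates the article; a Visual Basic programmer in 2000 would have reached for RSA through CryptoAPI), and the customer name, contract text, and the minimal "credential" structure are constructed stand-ins for a real X.509 certificate.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedContract is what the merchant receives: the contract bytes, the
// customer's signature over exactly those bytes, and the key the customer
// claims to have signed with.
type SignedContract struct {
	Text      []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// Sign produces a signature over the contract with the signer's private key.
func Sign(priv ed25519.PrivateKey, text []byte) SignedContract {
	return SignedContract{
		Text:      text,
		Signature: ed25519.Sign(priv, text),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}
}

// VerifyContract is true only if the signature was made over exactly c.Text
// by the holder of the private key matching pub: one changed byte in the
// contract, or a signature made with any other key, fails the check.
func VerifyContract(pub ed25519.PublicKey, c SignedContract) bool {
	return ed25519.Verify(pub, c.Text, c.Signature)
}

// Credential is the "driver's license": a third party (the CA) signs the
// binding between a name and a public key. A constructed, minimal stand-in
// for a real certificate, which carries far more (validity, issuer, usage).
type Credential struct {
	Name   string
	PubKey ed25519.PublicKey
	CASig  []byte
}

// credentialBytes is the exact byte string the CA vouches for.
func credentialBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueCredential is what the CA does once, after checking the person's identity offline.
func IssueCredential(caPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Credential {
	return Credential{Name: name, PubKey: pub, CASig: ed25519.Sign(caPriv, credentialBytes(name, pub))}
}

// VerifyCredential checks that a CA the merchant trusts really vouched for this name/key pair.
func VerifyCredential(caPub ed25519.PublicKey, cred Credential) bool {
	return ed25519.Verify(caPub, credentialBytes(cred.Name, cred.PubKey), cred.CASig)
}

// MerchantAccepts is the whole check: the key is vouched for by the trusted CA,
// the vouched-for name is the party the merchant expects, the contract was signed
// with that same key, and the contract bytes are unaltered.
func MerchantAccepts(caPub ed25519.PublicKey, cred Credential, expectedName string, c SignedContract) bool {
	return VerifyCredential(caPub, cred) &&
		cred.Name == expectedName &&
		bytes.Equal(cred.PubKey, c.PubKey) &&
		VerifyContract(cred.PubKey, c)
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs the scenarios from the interview and reports whether the merchant accepts each.
func Demo() map[string]bool {
	caPub, caPriv := mustKey()
	custPub, custPriv := mustKey()
	impostorPub, impostorPriv := mustKey()

	contract := []byte("Customer buys merchant's Exercycle for $1000.") // constructed sample
	cred := IssueCredential(caPriv, "Pat Customer", custPub)          // constructed name
	signed := Sign(custPriv, contract)

	results := map[string]bool{}
	results["genuine"] = MerchantAccepts(caPub, cred, "Pat Customer", signed)

	// Tampering: the price is edited after signing; the signature no longer matches the bytes.
	tampered := signed
	tampered.Text = bytes.Replace(contract, []byte("$1000"), []byte("$10"), 1)
	results["tampered"] = MerchantAccepts(caPub, cred, "Pat Customer", tampered)

	// Forgery: an impostor signs with a key the CA never tied to Pat.
	forged := Sign(impostorPriv, contract)
	results["forged"] = MerchantAccepts(caPub, cred, "Pat Customer", forged)

	// Self-vouching: the impostor writes a credential naming Pat but signed with his own key, not the CA's.
	selfMade := Credential{Name: "Pat Customer", PubKey: impostorPub,
		CASig: ed25519.Sign(impostorPriv, credentialBytes("Pat Customer", impostorPub))}
	results["self_vouched"] = MerchantAccepts(caPub, selfMade, "Pat Customer", forged)
	return results
}

func main() {
	for scenario, ok := range Demo() {
		fmt.Printf("%-13s accepted=%v\n", scenario, ok)
	}
}
```

Only the genuine case passes. The "tampered" and "forged" cases are what the signature alone rules out; the "self_vouched" case is what the third-party credential rules out, and it is exactly the gap the law leaves open: a touch-tone or an "I agree" click produces no signature and no credential, so there is nothing for the merchant to run these checks against.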
The problem remains that of repudiation. If you've been following any of the columns Mark Merkow or I have written recently about alternate payment methods, you've read about the issue of non-repudiation, and how non-repudiation will ultimately be the lynchpin that successful payment mechanisms must guarantee. Without non-repudiation, it's as if a merchant had to accept checks from customers without asking for a photo ID, or had to accept credit cards without matching the purchaser's signature against the one on the back of the card. Merchants use techniques like these to try to assure non-repudiation in brick-and-mortar stores, but nothing comparable has caught on online. Without non-repudiation, all the risk rests on the merchant, who must prove that the purchaser was authorized to use that credit card and that the purchaser in fact made the purchase from that merchant. If the customer denies having authorized the purchase, the merchant is out the money plus some fees.
"It's hard to say what's going to happen. It's not clear how this law is going to hasten the use of digital certificates. This solves the legally binding issue but it's not clear about the repudiation issue. What you have is a legally binding document between you and you're-not-sure-whom. Businesses do have to ask in the contract whether the consumer wants this to be the digital signature or whether he wants to require a paper one. The law should have only legalized non-repudiable signatures."
Congress was clearly trying not to favor one technology for assuring digital identity over another one, but the result was probably a loss for both consumers and businesses.
Alexis D. Gutzman is an E-commerce Technology Author and Consultant and author of The HTML 4 Bible, FrontPage 2000 Answers!, and ColdFusion 4 for Dummies. Her newest book, The E-commerce Arsenal: 12 Technologies You Need to Prevail in the Digital Arena will be out in October. She can be reached at agutzman@internet.com