Interesting People mailing list archives

US Centrix -- THE VERDICT ON PLAINTEXT SIGNATURES: THEY'RE LEGAL


From: David Farber <farber () central cis upenn edu>
Date: Thu, 7 Jul 1994 18:38:41 -0400

Date: Wed, 6 Jul 1994 09:03:50 -0400 (EDT)
Date: 05 Jul 94 23:26:34 EDT
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232 () compuserve com>
Subject: Signatures in electronic commerce


[Ben Wright, an attorney teaching the online seminar on The Law of Electronic
Commerce in the NCSAFORUM of CompuServe, has granted permission to post the
following article on signatures.  I recommend that it be posted in RISKS
because it addresses assumptions about the need for non-repudiation of
contracts--an area which has been fuzzy for many of us.  I hope it will be as
useful for others as it has been for me.  --MK]


<<begin article>>


       THE VERDICT ON PLAINTEXT SIGNATURES:  THEY'RE LEGAL


Summary: Contrary to conventional wisdom, commercial law generally does not
require that a signature be "secure" to be legally effective.  That is good
news for e-mail, and electronic commerce in general.




By Benjamin Wright


According to the digital cognoscenti, the only legally effective way to sign
an e-mail message is to run it through a cryptographic algorithm (such as that
for DES or RSA), compute a mathematically unique authentication code,<1> and
append it to the message.  But if that's true, it will be many years before
real (legal) electronic commerce comes to e-mail users because very few people
authenticate their e-mail with cryptography.


But fortunately, that reading of the law is not true.  Many business e-mail
users already practice electronic commerce.  What's more, the law should
generally recognize and enforce it.




Forming Contracts


In commerce the central transaction is the contract.  Classically speaking, a
contract is born any time an offer (e-mail from Joe Nightclub owner: "Will you
make me three custom discs for $1000 and deliver next week?") meets acceptance
(e-mail from Artist: "Yes!").  Once a contract is formed, the law gives one
party a remedy if the other backs out.


The orthodox view is that a simple, wholly plaintext e-mail contract cannot be
enforced because it is not signed in a secure way and it will be impossible to
prove in court.  This excerpt from a popular magazine exemplifies the
orthodoxy:


     [C]onsider an attempt to create an enforceable contract by
     exchanging an E-mail offer and acceptance.  In the real world,
     exchanging letters of offer and acceptance does create an
     enforceable contract (assuming something of value is also
     eventually exchanged).  Unfortunately, without authentication
     techniques (e.g., digital signatures), E-mail agreements are
     probably unenforceable in court.  Under legal rules governing
     evidence and contracts, it's hard to prove the existence of a
     contract based on E-mail; fabricating an E-mail message is
     just too easy.<2>


With all professional respect to the author of this passage, I disagree.  The
orthodoxy is wrong.


Many types of contracts do have to be signed, says a law called the Statute of
Frauds (which dates back to Seventeenth Century England),<3> but that law is
admirably liberal in its use of the term _signed_.  One signs a document when
he adopts a symbol (any symbol) on the document as his signature.  A signature
need not be in ink; it need not be an autograph; and it need not be the least
bit secure against forgery.  Remember the illiterate geezer in the western
movies who couldn't write his name?  He just marked an X on the document.  The
law recognizes that X as his signature.


A signature can be the ASCII characters "Joe Nightclub" appearing in plaintext
in the From line of an e-mail message.  "Joe Nightclub" need not even be the
sender's real name.  What is important is not the nature of the symbol Joe
uses to identify himself, but rather the intent behind the symbol.  If Joe
intends the characters to be a token of his responsibility, then they are his
signature.  When Joe sends e-mail offering to buy discs, he intends the
characters in the From line to show he is responsible for the message and the
consequences that flow from it.  If that's not his intent, what is it?


Along with Canada, Australia and many other countries, the United States
inherits the common law tradition of ancient England -- a set of living,
breathing principles that are more limber than you might think.  The common
law, being the law of the leading industrial civilization over the past
several centuries, has ample experience negotiating waves of new technology --
handwriting, printing press, typewriter, telegraph, telephone, telex, fax --
and it is today suffering no particular problems digesting e-mail as a medium
for transacting commerce.


Given how many thousands of courts and judges there are, it is possible that
the odd one will disagree with my reading of the law.  If this worries you
(and those conducting more valuable transactions might be worried), you can
minimize the risk by insisting that the e-mail sender include a statement that
his name in the e-mail is his signature.  This makes it very difficult for him
later to claim in court that his name, written in plaintext, is not his
signature.




Proving It


"But wait!" cry the advocates of cryptographic authentication.  You can't
prove that e-mail came from Joe Nightclub.  Anyone could have sent it.  The
Artist herself could have fabricated it.


True.  You can write e-mail and make it appear to come from someone
else.  You can easily send e-mail from an address opened under a
false name.  But just as you can send fake e-mail, so you can send
fake letters, telegrams, telexes, and faxes.


Nonetheless, regardless of the medium through which a business
message is carried, the origin and genuineness of the message can
usually be proven in court.  Rarely are they proven from the
signature that happens to be attached to the message (or document),
despite what you may think from watching _Perry Mason_.  Much more
often, origin and genuineness are determined in court from all the
facts and circumstances that surround the message -- the full
relationship of the people involved.


We don't do business in vacuums.  We do business based on
relationships.  When the Artist receives e-mail from Joe Nightclub,
she wants to learn more before she parts with her precious discs.
If she's never dealt with this customer before, she's going to
check the guy out:  call him on the phone, go meet him, ask for
references, or ask for advance payment.  Lest she be a fool, the
Artist wants to collect evidence that this is a bona fide customer
who is very likely to pay as promised.


All the mundane facts and circumstances she collects can be,
through testimony and otherwise, used in court to lend credence to
Joe's e-mail.  Sure, there will be disputed evidence.  And under no
circumstances are the judge and jury guaranteed to believe that any
given message is genuine.  But that is just the way commercial law
works.  Proving things in law is much more sloppy than proving
things in science.




Forgeries


A supposed virtue of paper over e-mail as a legal medium is that it
is hard to make inconspicuous changes to paper, whereas plaintext
ASCII can easily be changed.  Upon receipt of Joe's e-mail offering
$1000, the Artist could change it to say the offer is for $2000.
If she took this e-mail to court, there would be no way to tell
from the face of the message whether it originally said $1000 or
$2000.


Yet paper suffers the same infirmity.  If the Artist receives a
letter from Joe offering $1000, she could rip it up and write a
replacement, offering $2000, on a sheet of cheap, fake letterhead.
She could then scribble something that purports to be Joe's
handwritten signature.  Later, a court could not tell from the face
of the document whether Joe did or did not send it.  Although Joe
would repudiate it, sternly declaring that neither the letterhead
nor the signature is his, the Artist would swear that this is
indeed the letter she received.  If this is not Joe's normal
letterhead and signature, she'd contend, then Joe must have sought
to deceive her, and the court, by sending an offer using unusual
letterhead and signature.  Although the Artist would be lying, the
court would not know it just from inspecting the letter.


Indeed, we can play the same authentication games with paper that
we can with plaintext e-mail.  When you receive a paper letter in
the mail, bearing what looks to be an original autograph, you have
no technical proof of its origin.  Neither do you have technical
proof of origin when you get a telegram or telex (unless you
require it be authenticated with a cipher code, which is rarely
done).  So the reality is that routine business communications are,
and have always been, risky.  Still, business traders seem to have
compensated for this risk.




Cryptography's Role


Don't misunderstand.  I'm not denigrating cryptography as a means
for ensuring the authenticity of messages or denying its rightful
role in electronic commerce.  Just as the engraved and magnetized
paper used for currency is necessary for financial transactions in
the world of paper, so cryptographic authentication is needed for
electronic funds transfers.  But just as we don't securely engrave
and magnetize the pulp on which we write business letters and
contracts, so we don't need to cryptographically authenticate most
of our business e-mail.


Sure, if you use e-mail for business you should keep complete
records, and the more secure the records, the better.  Consult your
own lawyer.  If you work for a large organization, records can be
secured by placing them under the control of an independent
department (e.g., internal audit).<4>  But if you work solo, you
can just establish a routine for making a log of business messages
on your PC.  Yes, someone could claim you falsified your log.  But
if you faithfully keep the log as a regular business practice, you
can, if ever called to court, confidently vouch for the integrity
of your records, and your story will more likely jibe with the
ambient facts and circumstances.


It is ironic that some of the most ardent champions of e-mail are
so quick to assume that plaintext e-mail is somehow deficient.  If,
as they suggest, it is necessary to use fancy cryptographic methods
to make e-mail legal, then they ask much more of digital media than
we do of its predecessors.


=========
NOTES:


<1>  The proponents of cryptography often refer to unique
authentication codes as "message authentication codes" or "digital
signatures."  These are streams of scrambled numbers that, when
unscrambled using the necessary cryptographic keys, give
mathematically supportable evidence as to who created a message and
whether the message has changed.  See Larry Oyama, "Using
Encryption and Authentication for Securing Data," EDI Forum,
Special Edition on EDI Legal and Audit Issues (1992) p. 111.


<2>  Victor J. Cosentino, Virtual Legality, BYTE (March 1994) p.
278.


<3>  For example, the statute of frauds, as rendered in Section
2-201 of the Uniform Commercial Code, says that a contract for the
sale of goods worth $500 or more is generally not enforceable
unless it is supported by a "writing" that is "signed."


<4>  See, Benjamin Wright, The Law of Electronic Commerce (Boston:
Little, Brown and Company) Section 6.4.


============


Benjamin Wright (bwrigh01 () reach com) is a Dallas-based attorney and
author of _The Law of Electronic Commerce:  EDI, Fax and E-mail_.
He is the instructor for a series of "virtual" seminars on the law
of electronic commerce, sponsored by the National Computer Security
Association (75300.2557 () compuserve com or (800) 488-4595).  These
seminars will be delivered via online computer conference.


This article provides general information and is not legal advice
for any specific situation.  The formation of contracts is
inherently risky, and this article does not advise which level of
risk is appropriate for you.  If you plan to conduct legal
transactions, you should consult your own attorney.


Copyright (c) 1994 by Benjamin Wright.  All Rights Reserved.  This
article may be reprinted or redistributed as a whole, but only with
the above information.


<<end article>>


Michel E. Kabay, Ph.D. / Dir Education / Natl Computer Security Assn
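
Note <1> of the article groups "message authentication codes" and "digital signatures" together, but the two behave differently in the article's Forgeries scenario. The following is an added example, not part of Wright's article or Kabay's post; it assumes HMAC-SHA256 from the Python standard library (not the DES-era codes of 1994) and a constructed key and message, and shows that a shared-key code detects an outsider's $1000-to-$2000 alteration while still letting the recipient produce a valid code for the altered offer.

```python
import hashlib
import hmac

# Constructed sample values: the key and the message are illustrative only.
SHARED_KEY = b"constructed-demo-key-held-by-joe-and-the-artist"
OFFER = (b"From: Joe Nightclub\n\n"
         b"Will you make me three custom discs for $1000 and deliver next week?")


def mac_tag(key: bytes, message: bytes) -> str:
    """Compute an HMAC-SHA256 authentication code over the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time check that the tag matches the message under the key."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def outsider_alteration_detected() -> bool:
    """A party without the key changes the price and reuses Joe's tag."""
    joes_tag = mac_tag(SHARED_KEY, OFFER)
    altered = OFFER.replace(b"$1000", b"$2000")
    return not verify(SHARED_KEY, altered, joes_tag)


def recipient_can_forge() -> bool:
    """The Artist holds the same key, so she can tag the altered offer herself."""
    altered = OFFER.replace(b"$1000", b"$2000")
    forged_tag = mac_tag(SHARED_KEY, altered)  # computed by the Artist, not Joe
    return verify(SHARED_KEY, altered, forged_tag)


if __name__ == "__main__":
    print("outsider alteration detected:", outsider_alteration_detected())
    print("recipient can forge a valid tag:", recipient_can_forge())
```

A shared-key code therefore gives a court no more evidence of origin than the plaintext does when the dispute is between the two key holders; a digital signature differs because only the signer holds the private key.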

