Interesting People mailing list archives

IP: PFIR Statement on Electronic Signatures and Documents


From: Dave Farber <farber () cis upenn edu>
Date: Sun, 18 Jun 2000 07:29:20 -0400



Date:    Sat, 17 Jun 2000 13:18 PDT
From:    lauren () vortex com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PFIR Statement on Electronic Signatures and Documents


             PFIR Statement on Electronic Signatures and Documents

                    (http://www.pfir.org/statements/2000-06-17)

        PFIR - People For Internet Responsibility - http://www.pfir.org

         [ To subscribe or unsubscribe to/from this list, please send the
           command "subscribe" or "unsubscribe" respectively (without the
          quotes) in the body of an e-mail to "pfir-request () pfir org". ]


2000-06-17

Greetings.  Laws usually tend to lag far behind technology, often allowing
problems--like spam e-mail for example--to fester until they're impossible
to ignore.  Then we tend to see some action, with varying degrees of
positive or negative results.  When it comes to electronic signatures and
digital documents, Congress' preemptive attempt at creating an e-commerce
utopia, bereft of adequate consumer protections, may instead have laid the
foundation for a range of very serious new problems.

Both houses of the U.S. Congress have now passed the Millennium Digital
Commerce Act.  They acted nearly unanimously, and President Clinton is
expected to sign the legislation (perhaps by the time you read this).  The
Act validates the use of "electronic" signatures and documents in place of
the written signatures and paper records with which we are all familiar.

Such a change has immense, complex, and far-reaching ramifications.  A
popular adage suggests that "the devil is in the details."  This is
especially true in this case.  In their determination to jump onto the
e-commerce bandwagon, Congress has found a convenient method to handle most of
those pesky details--just ignore them completely!  As a result, we may have
just seen the creation of a new array of risks for businesses and consumers
alike, but a true bonanza for the lawyers who will handle the inevitable
litigation to follow.

Just about *anything* that two parties care to call an "electronic"
signature will be treated as valid.  Online documents will have the same
force of law as paper contracts and records.  Remarkably though, the
legislation makes no attempt to set any standards for how, or even if, such
documents would need to be protected to prevent them from being easily
modified by error or criminal design.  E-mail, the reception of which is
difficult to verify without introducing privacy problems, and which can be
accidentally or purposely misrouted, could replace most conventionally
mailed notices and other similar materials.

The Act fails to set minimum security or other technical standards of any
kind.  It doesn't even specify how it could be determined that someone had
authorized the use of electronic signatures or digital contracts in the
first place.  Nor is there even a requirement such as the *minimal* levels
of communications security, e.g. Secure Sockets Layer (SSL), that most people
have come to expect from their "routine" Internet credit card transactions.
The legislation even requires the U.S. Department of Commerce to become a
promoter of this standard-less view of electronic transactions and records
around the world.

On top of this, the Act appears to effectively prohibit individual states
from establishing their own laws to specify meaningful technical standards
in these areas.  And while you're not supposed to be forced to use these
hi-tech paper replacements, how long will it be before you find yourself
paying more, perhaps much more, if you choose not to do so?  The pattern is
all too familiar--first there will be offers of discounts if you'll give up
paper, but all too soon the fees for insisting on paper records and physical
signatures will become so exorbitant that most of us will give in, whether
we really want to or not.

Congress did include some exceptions in their legislation where paper will
still be required, including eviction notices, wills, court orders, and some
others.  Of course, by the time you receive, for example, an eviction
notice, a tremendous amount of damage could have already been done.  The
legislation does not establish any protections, like the existing $50
exposure limit in the U.S. on fraudulent credit card purchases, for these
electronic transactions.  The Act allows you to dispute the authenticity of
particular electronic signatures or digital documents, but this means you
have to prove an electronic signature or document isn't yours or is not
otherwise authentic.  Given the lack of even minimal a priori standards for
such materials, this ensures that our courts will have plenty of such cases
to handle in their anything but copious free time.

We can certainly be sure of one other thing though--no doubt there are
already crooks rubbing their hands together in glee at the prospect of
these newly-enabled e-frauds!

There are of course technical methods that can be employed to make such
electronic transactions and digital documents safer and more secure, most of
them involving various cryptographic techniques.  As a practical matter, one
of the firms most likely to benefit from the use of such systems would seem
to be VeriSign, Inc., which after their purchase of former competitor
Thawte, has a virtual monopoly on the issuing of the widely-accepted
digital certificates crucial to most existing such technologies.

Yet even the most advanced of these systems have major problems in some
extremely critical areas.  How do you verify the actual consent and
authority of a *person* relating to these new electronically-signed
transactions, or know that the electronic signature wasn't stolen from a PC
by some inside or outside entity?  Even knowing that the authorization comes
from a particular computer isn't good enough.  As we've seen, most PC and
many other systems are easily compromised.  Many passwords are trivially
guessed or otherwise determined, even assuming that they haven't been left
in an unencrypted disk file or stuck to a monitor on a Post-it note!

We know all too well that in the case of distributed denial of service and
other attacks, viruses and trojans can embed software into systems to perform
other insidious functions at some later time.  This same technique could be
used to "take over" a PC to perform seemingly authorized electronic
signature transactions.  Biometrics (fingerprints, iris scans) could provide
better identification, but their implementation in a manner that cannot be
easily subverted to cause additional problems, and that does not introduce
serious privacy concerns, is a non-trivial task.

Nearly every day we see new reports of computer-related attacks on the
Internet or other network environments.  Poorly-designed systems and
misconfigured servers result in continuing episodes of Internet credit card
fraud--now a major proportion of all fraudulent credit card activity--even
when communications are protected by SSL.  We constantly learn of Web sites
and databases which find themselves hacked and their contents altered, and
those are just the ones that are discovered, and that we actually find out
about!  Identity fraud is already a major and growing problem, even without
the boost that this legislation is likely to provide to its perpetrators.

Each time these sorts of events are publicized, we hear politicians
pontificating about how "something needs to be done"--usually a suggestion
for harsher "after the fact" criminal penalties, not proactive technical
actions or standards which could have helped to avoid the problems in the
first place.  In the case of this new electronic commerce legislation, we've
even heard various Congressmen express concern about its lack of
establishing any standards for the electronic transactions and digital
documents that it is widely validating.  Congress still plowed ahead anyway,
and passed the legislation with enthusiastic gusto.

While it would not have been appropriate for the Act to have mandated the
use of particular products or technologies, it would have been completely
appropriate, indeed expected, for it to specify minimum requirements for
the authentication, protection, security, and related aspects of such
electronic transactions and documents.  Though it might be assumed that
reputable businesses would attempt to provide the best security that they
could, without such requirements there is nothing to prevent them from not
doing so, and this could be an invitation to poor decisions, flawed
implementations, confusion, and errors that could have serious repercussions
for both themselves and their customers.  When it comes to less-scrupulous
"businesses" it could be a direct invitation to fraud.

The temptation for businesses and consumers alike to participate in this new
but totally nebulous world of electronic transactions and virtual documents
will be significant.  All manner of pie-in-the-sky cost reductions and
wonderful benefits are being promised.  Unfortunately, it seems probable
that the real costs are likely to be the problems that such systems,
implemented in a standards and security vacuum of truly staggering
proportions, could bring to us all.

--Lauren--
Lauren Weinstein
lauren () pfir org or lauren () vortex com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

