IP: RE: PFIR Statement on Electronic Signatures and Documents

[Dave Farber <farber () cis upenn edu>]

> X-Server-Uuid: 47feacc6-2336-11d3-82c6-0008c7db26d1
> From: "Baker, Stewart" <SBaker () steptoe com>
> To: farber () cis upenn edu
> cc: "Albertazzie, Sally" <SAlbertazzie () steptoe com>
> Subject: RE: PFIR Statement on Electronic Signatures and Documents
> Date:  Sun, 18 Jun 2000 16:35:16 -0400
> X-Mailer: Internet Mail Service (5.5.2650.21)
> X-WSS-ID: 1553ECB425042-01-01
>
> Dave,
>
> Lauren Weinstein's rant about passage of the electronic signature bill
> deserves a longer rebuttal than I can provide on a beautiful Sunday
> afternoon, but there are a number of errors that can be pointed out quickly.
> They are serious enough to cast doubt on the whole thrust of PFIR's
> statement.
>
> First, the notion that the bill allows "anything" to be an electronic
> signature and that it should have enacted security standards seems to be
> based on a romantic notion that handwritten signatures are secure in a way
> that protects us from fraud.  This is just false.  In fact, for most
> business transactions, typed or faxed or telegraphed names have been treated
> as meeting signature requirements for nearly 150 years.  In an age of
> xerography and facsimile, requiring something that looks like a signature at
> the bottom of a document is not exactly a bulwark against fraud.  So how is
> fraud prevented in such a world?  By allowing the purported signer to say
> that he didn't actually put that symbol on the page or send that telegram or
> fax that document.  The e-signature bill allows precisely the same
> protections.
>
> The idea that Congress should enact technology security standards is, well,
> unlikely.  How long would such standards reflect current technology and
> practices?  About a month would be my guess.  How long would they be a
> source of politicking and standards lobbying by otherwise uncompetitive
> companies?  More or less forever would be my guess.  Instead, Congress
> eliminated any legal bar on accepting electronic signatures while leaving it
> to companies to work out the particular technologies they will use.  In my
> experience, which includes building legal frameworks for more than a dozen
> PKI and electronic signature systems, the kind of technologies being used
> grow progressively more secure depending on the size of the transactions,
> which is pretty much what we'd expect and want.  In fact, if anything, the
> signature technology is stronger than the rest of the computer system's
> security, which is pretty much in line with the more general observation
> that most computer security professionals measure themselves against the
> resources of 20-year-old hackers while the cryptographers are measuring
> themselves against the resources of NSA.
>
> Finally, the suggestion that Verisign has achieved a monopoly by buying
> Thawte is wrong, but perhaps understandably so.  In fact, the only market
> where that is even arguable is for SSL certs, where Thawte was the low-cost
> alternative to Verisign.  But since the merger, Entrust and Equifax,
> especially Equifax, have roared into the market.  I think Equifax is now
> offering SSL certs for half the price that Thawte used to charge, and its
> market share is rising fast.  Some monopoly!
>
> In short, there's a reason this bill passed almost unanimously in an age of
> bitter partisanship.  At bottom, it's a good idea that both parties and
> practically all consumer groups agreed with.
>
> Stewart Baker
> Steptoe & Johnson LLP
> phone -- 202.429.6413
> email fax -- 202.261.9825
> main fax -- 202.429.3902
> sbaker () steptoe com