Forgot your password?
typodupeerror
United States Your Rights Online

House Passes Digital Signature Bill 116

Posted by CmdrTaco
from the its-almost-as-good-as-ink dept.
DrewMIT writes "Finally," electronic signatures" will have the same validity legislatively as ink signatures." It still needs to go through the senate, and the White House has said it will veto it. The article is quite negative, it talks about how this will violate consumer rights, but all I can think is "Its about time." What do you think?
This discussion has been archived. No new comments can be posted.

House Passes Digital Signature Bill

Comments Filter:
  • After reading the article, I still don't understand why anyone would oppose this.
    It seems like if the politicians don't have a backwards stance on something, they don't think they're doing their job.

  • by wesmills (18791) on Wednesday November 10, 1999 @04:20AM (#1546114) Homepage
    The bill would also allow companies -- when consumers agree -- to deliver warranties, notices and other required disclosures in electronic form.

    This is absolutely what I *do* *not* want. I have a hard enough time as it is getting my CC company to follow the disclosure laws, and now they can just say "well, we sent it. your computer must've eaten the e-mail." As I read the bill, this would strengthen the corporation's rights of notification even beyond the standard you're-considered-notified-3-days-after-we-mail-th is provision. I also note that me notifying them electronically is not addressed.

    This will suck, I believe. Just think, you get an electronic notification in a lovely HTML message (that you can't read on text readers), with a note up top in 5pt type "please see below for account information." If you do take the time to read it, you find that in 15 days, your interest rate skyrockets from 13 to 23%, your payments are due in 10 days after the bill, oh and we're going to sell every bit of data we have about you. You may cancel your card under the original terms by sending written notice, in triplicate, to the following address that is written in off-white/grey text on a white background.

    Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?

    --------------------

  • Here's what I'm wondering. Not having much to do with the digital signature software & hardware, I'm curious as to a couple of things. First off, I'm wondering what the possibility of forgery is, and to what degree security is involved in the devices/software that implement the signature. Secondly (and possibly a branch from the first question), I'd be interested to know what prevents someone from copying this signature and using it themselves. I'm obviously not well versed on the subject, buy these are the kinds of concerns I would expect a businessman to raise. Also, does anyone know if the bill would allow for businesses to refuse to allow the use of the signature? The difference between genius and stupidity is that genius has limits.
  • Some consumer advocates oppose the relaxation of notification and information laws put in place by the states. For example, the bill would eliminate in many cases the requirement that banks notify their customers of agreements via snail mail. Email addresses are not as reliable as the USPS, they argue.

    The bill doesn't simply say that electronic signatures are valid. THEY ALWAYS HAVE BEEN!
  • Note that it is quite possible that a particular bill might have wording that would make it downright harmful even though it may provide legal support for our favorite technology.

    On the one hand, the US President has consistently opposed legislation to promote the public use of stronger cryptographic tools. Based on that, one might be led to assume that opposition to digital signatures might be based on that opposition to public access to cryptography.

    On the other hand, there may be something about the bill in question that actually is bad.

    On the gripping hand, it could be worthwhile to have validation of the legality of signatures "set" cryptographically, even if this has some intermediate side-effect that is "bad for consumers."

    Does anybody have the actual text of the bill? It's rather difficult to evaluate the merits of completely-pre-digested press releases...

  • According to the article, their concerned that businesses will do such things as "end warranties" through e-mail I guess. Then, according to others, that isn't allowed. If that's the case, why not pass the legislation?

    What I really don't get is how do you return something using this "system"? If everything is electronically generated, will we need to send an electronic receipt back before the return would be allowed. What will happen to paper receipts? Won't electronic receipts be fairly easy to doctor up?

    _________________________

    Mello like the Yello, but without the fizz.

  • 1) The bill appears to "exempt" some things from electronic delivery. Does this mean that companies don't have to send these things over E-mail, or that they must not (meaning, therefore, that they must continue to send them using more conventional means)? If it's the latter, then I don't see why this is so bad.

    2) The article talks about sending things in formats that people might not be able to read. That's what ASCII text is for. Warranties and such generally don't need anything in the way of special formatting. Perhaps that format should be required in the bill; it appears not to be.

    3) What the hell is wrong with the colors on this message? No offense to whosever idea this was, but the usual green and white looks much better.

    Or is this a sign of user-configurable colors to come?
  • From what I gather from the 'con' arguments presented in the article, some politicians fear that companies will ONLY start using digital signatures and that some won't be able to "read the fine print" since they don't have internet access.

    Correct me if I'm wrong here....If you were going to purchase something online, and agree to sign a contract digitally, then wouldn't you already be able to access all the fine print (via secured web sight, physically printing the contract, secure e-mail, etc.)?

    How and why some of these people get elected to any office is absolutely flaberghasting!
  • by walnut (78312)
    While this is progress, I'm not sure if this is progress forward (at least at this time). IMHO, this is this suffers from the same fundemental flaws as online voting:

    1. The general public does not understand the implications of sharing a password with a friend.
    2. Without forcing restrictions on the rights of the internet citizens as a whole (bad idea), it becomes extreemely difficult to enforce violations of this (i.e. someone from some other country impersonates you).
    3. Script-kiddies ('nuff said)
    4. In reference to warranties: (I'm going out on a limb) The ability to alter/change electronic information after the fact, a-la "Rising Sun" (maybe a 1 1/2 star movie) may be easier for companies rather than deal with "problems".
    5. Sending things to people via a digital signature (as opposed to ceritfied mail) relies on the receiver being able to keep a copy of in case of a hard drive crash.
    5b. Windows (controlling over 80% of the market - mac included) Crashes - lots.

    Well, try not to tear it completely apart... but thats some of the flaws I see.
  • I agree.

    Even as a 17 year old (with no credit card) I can see the downside to this. Nobody takes the time to read the gnat tracks at the bottom of any contract anyway....

    I like having a dead tree version, signed by a human (preferably, or one of those autopen thingies). Then again, with about $5 (US) in my checking account....

    As a side note, can we do SOMETHING about this color scheme? Brown and pea-soup green? Ugh... I think I'm gonna hurl.
  • Now, this thing says all these politicos and corp types are all fired up in supporting this, and they give a lot of reasons why - but where are the reasons from the consumer groups and the White House?

    Yes, I think digital signatures rule also - but before I run and call my congressman, I want to know what reasons the opponents are giving - just having sound bytes is not enough.

    In other words, this news story absolutely blows chunks...

  • by bill_mcgonigle (4333) on Wednesday November 10, 1999 @04:34AM (#1546125) Homepage Journal

    Good digital signatures would be good. Bad digital signatures would be bad. This seems like common sense, but there are vendors out there claiming they have digital signaturing without even having some basic features, like non-repudiation.

    I use PGP for signing, but you've got no guarantee that I own the key with my name on it. Anyone can submit a key with any name to the public servers.

    I don't see this being feasible without a big agency to certify algorithms and issue keys reliably. Big agencies are bad, and artifically impose geographic limitations on the 'net.

    Otherwise you have to implicitly trust everybody, and then who cares about signatures?

    Someone needs to think of a better private solution.
  • by Fish Man (20098) on Wednesday November 10, 1999 @04:36AM (#1546126) Homepage
    Everyone knows that pen and ink signatures are easily forged. It isn't conceivable that electronic signatures would be any less secure or certian in this respect.

    When someone forges your pen and ink signature, the solution is to swear under oath before witnesses, that the forgery in question is indeed a false signature. The solution to a forged electronic signature would be the same.

    I really don't see a significant difference security or privacy-wise.

    For all the lip service that the White House plays to being pro-technology, it is so often obvious that they really don't have much of a clue.

    Remember, Al Gore invented the Internet! :-P

    Furthermore, anyone who was leary of electronic signature has no obligation to use them. They can just use pen and ink signatures instead!

    This is an idea who's time has come. We're about to enter a new millennium for cryin' out loud! Bill Clinton endlessly reminds us of this fact. He needs to actually live it!
  • by parc (25467)
    On a little side note, in August it became legal to digitally sign some legal documents in Texas. Digital signatures were not defined in detail in the law, but it's there.
  • How does the bill handle the problem of authentication? I am not keen on the idea that I might be legally bound by a spoofed signature, so how does the law ensure that signatures belong to who they say they do? It seems to me that in the case of notification this might be a real problem: I might be legally bound by a message that was not preceded by any communication from myself to the issuing company.
  • It seems to me that (according to the article) the problem with this bill is that it actually does two things;

    1) Allows digital signatures as a substitute for written signatures if the consumer agrees.

    This is a positive step and is in line with the common sense expansion of the internet as digital signatures are much more reliable than written signatures if sufficient security is implemented.

    (See for example the Georgia Electronic Records and Signature Act 1997); and

    2) Allows electronic notification in certain circumstances when originally written notification was required.

    This is where difficulties arise as although (according to the article) some types of transactions are exempted, the worry is that Mr and Mrs Everybody will sign documents ("just sign here sir - no don't worry about the fine print") which allow them to be notified electronically instead of in writing or even overriding present protective legislation.

    It seems to me that according to the article, there was an attempt to remove 2) while keeping 1).

    This seems logical to me as no-one seems to have problems with the former, while the latter has some kinks (to say the least) that need to be ironed out.

    ---

  • Here is the part that really ought to make you nervous (the rest is just policy, really):

    ``Electronic signatures provide a level of authentication that far surpasses the ink signature that has
    come to be the accepted standard,'' said Virginia Republican Thomas Bliley, chairman of the
    House Commerce Committee. ``Electronic transactions have much less of a chance for human
    error and provide for more reliable retention after the initial transaction takes place.''

    The implication that digital signatures magically sprinkle improved security on stuff is utterly bogus. While the signature algorithms themselves might be quite secure, there exists *no* acceptable (or even legally recognized) public key infrastructure that provides secure and reliable identification of public keys.

    That is, if I give you my public key in person, then you can verify my signatures with confidence. If you just look it up in a directory somewhere, you are really trusting the maintainer of the directory. Who do you trust to link your name with your public key? If that entity turns out to be untrustworthy, you are the potential victim of e.g. man-in-the-middle attacks.

    I think that digital signatures are a good thing that should gain legal standing. However, I think that there are significant infrastructure issues that should be resolved first. I did my master's work on electronic voting, which essentially requires little more than electronic signatures. I feel the same way on that subject: someday we should have it, but we need to iron out a *lot* of details.

    The number one issue to address is that of educating the public about basic public key cryptography. As far as I'm concerned, it should be taught in grade school. The basics aren't that difficult to grasp, and a public aware of the issues would contain far fewer potential victims than an ignorant one.
  • Here's what I'm wondering. Not having much to do with the digital signature software & hardware

    As I understand it, just typing your name in the "Sign Here" portion of a document, or clicking the "I agree" button on a web page is enough to represent your digital signature.

  • Actually if a clause in a contract really bothers you its almost always possible to find someone else who offers the same service with a different contract. However if you don't bother to read contracts thoroughly before signing them, then you deserve whatever you get.
  • It's not the brown that's icky, its the pea green. Brown and YellowChiffon might have been nice, though ...
  • Additionally, email address aren't as static as postal. Sure, people move, but short of that you're not going to stop getting snailmail because of nonpayment to an ISP. I've had the same email address for 5 years, but if the ISP tanks what can i do? Unless the guvm'nt wants to gaa-run-tee us an address...
  • I think that our government just made finding a way to easily factor primes alot more important.

    In other news *cough* unrelated news, a friend of mine has a program that uses a genetic algo to reverse-engineer formulas... which will be released under GPL once we get the client/server protocol stuff done (that's my job!) ala distributed.net. I'm rather hopeful that we'll be able to extract a factoring algo from it within several months' time. No, I don't have a link, no I won't release any info on it, and no, you can't have the source until the bloody thing works and we get a patent on it. =)



    --
  • Correct me if I'm wrong here....If you were going to purchase something online, and agree to sign a contract digitally, then wouldn't you already be able to access all the fine print (via secured web sight, physically printing the contract, secure e-mail, etc.)?

    Okay, you're wrong.

    Here's what I'd do if I was a company. I'd say "gee, here's a way to avoid notification costs, and also to screw people by not notifying them!" I'd have the legal department add a notice in the standard contract agreeing to digital notification. Most customers would just sign it without question, because no one reads those contracts anyway (at least people are always amazed when I do). The one percent that complained would be told that "it's just a formality--they don't notify anyone by email." I'd then provide a really inconvenient method for customers to receive email (i.e., an email-only Decwriter in one location in the metro area). Whatever would just barely meet whatever standard is mentioned in the law. And finally, I could do whatever I wanted so long as I sent email to myself first that would never be read.

    Of course, I'm sure no business would ever try to screw their customers....

  • On the other hand, electronic fine print lends itself more to greping.

    Which could lead to tricky wording on their part such as "The rent charged for borrowed money will be doubling in 15 days."

    But really, I don't think any large well-known companies would try to pull something like this. It's the same way with credit cards on the 'net: Don't deal with small untrustworthy companies.

  • Won't electronic receipts be fairly easy to doctor up?

    As easy as doctoring up someone else's digital signature...

    I assume the receipts would be signed with the company's private key so you could view it but not change it.

  • by Christopher B. Brown (1267) <cbbrowne@gmail.com> on Wednesday November 10, 1999 @04:57AM (#1546141) Homepage
    The problem that may be a quite legitimate cause to reject the bill is if the bill merely requires using "hopefully secure signatures," but does not require that secure protocols be used for transmission.

    For instance, if an "end of warrantee" notice is made legally binding merely because the company sending it used digital signatures, this is tremendously wrong, as it provides no mandate that said signature actually come to me, the one holding the product they're trying to end-of-life.

    In order for this to work, there needs to be some equivalent to a "two phase commit;" the signature is not valid until I respond back, indicating by sending a digitally signed response that signs their signature that I have received it.

    This sort of protocol is something banks doing transfers will doubtless be willing enough to set up; in order for it to be usable with consumers, some proxy that is able to manage the "sign-and-send-back" part is needed. The Post Office might be a good candidate; they have the infrastructure for not-dissimilar verification of receipt of mail that comes when you send something "registered."

    If the legislation doesn't offer such "secure protocols," then I would agree that it is a real bad idea. Of course, I don't know this; all that we are seeing is highly-predigested evaluations...

  • Just as you've said.. it'd be horrible if weakly encrypted signatures are allowed, giving ample opportunity for forging.

    But then, do I really expect the government to require strong encryption on something? :P
  • They seem to like to bundle in multiple issues that may be somehow related. I seem to remember a few other bills that were opposed because of one particular issue on it, while the rest of it was good. Other issues have passed, but had an item appended to them that caused problems down the road. My thought it this:

    They can cause a bill to not be passed by appending an issue that is worse than if the bill is not passed, in order to keep the bill from passing.

    They can append issues that otherwise would not be passed, to a bill that will pass, thereby making law something that noone wants.

    By 'they' I wonder who I'm speaking of. "The man?" Hmmm.

  • by Anonymous Coward
    It looks like they're allowing companies (not human persons) to substitute "proof of transmission" for "proof of reception".

    That's hardly a good thing for the humans.

    What if your virus checker discards their notice because it's infected?

    I think that trees should be converted into boats, not junk mail, but legal notices are not junk mail.

    -----

    Brown? !

  • I'm wondering what the possibility of forgery is

    Check out this page about public key stuff [isoc.org].

    It uses public and private keys (like PGP does)...

    You encrypt a one-way hash of the confirmation message with your private key. The one-way hash results in a number that's a couple bytes long that represents the message you're sending. If you put your name and date in the confirmation message, someone can't just copy the letter and put their name in (or just alter the date) because that'd make the message result in a different hash. They can't correct the hash because it's encrypted with your private key, which (hopefully) nobody but you knows. Everyone can read the message by decrypting it with your public key, which proves again that you signed it.

  • I believe we were the first place in the world to allow digital signatures. Our governor has an amazingly high emphasis on anything computer-related (especially surprising considering the fact that he reminds me of Dan Quayle ;-).
  • However if you don't bother to read contracts thoroughly before signing them, then you deserve whatever you get.

    Really.. I think it's completely reasonable that most people do not want to read every last paragraph in every one of the agreements we see every day.
  • Strong cryptography is being cracked down on, and may even become illegal for residents IN the US. At the same time, "digital signatures" are now legally recognised.

    With no means of carrying out strong authentication on a signature, or strongly binding the signature to whatever is being transmitted, it would be impossible to verify if the signature is genuine.

  • A copy of the House Bill [loc.gov] is available on-line.

    Electronic signatures are almost certainly "valid" (that is, legally enforceable as signatures) under the common law of every state (except perhaps, Georgia, which has some renegade case law regarding facsimile transmissions), just as signatures using other non-pen-to-paper technologies have been for centuries. The Statute of Frauds has not, for example, excluded, typewritten or telex printing of names, shaved initials on the hide of a cow, impressions of a footprint cast in sand, and so forth. This legislation is not necessary, but it is helpful for a conservative lawyer to be able to rely on statutory law rather than inviting their client to be the first one to litigate these new fact patterns.

    In short, the law does not require more than a physical fixation of an intent to authenticate -- a ceremony if you will. A signature does not need to be non-repudiable to be valid -- I could mark "Micky Mouse" or "X" at the end of a document and be bound, if it can be shown that I intended to authenticate the document when I made the markings.

    On the other, hand, good commercial sense ordinarily precludes the use of or the accepting of such "alternative" signatures, even if they are legal, for the simple reasons that they create tremendous difficulties in proving authentication when push comes to shove.

    The decision to accept an "X" from a literate contractor when closing a deal involving zillions of dollars would be foolish, and we would ordinarily ask them, politely, to sign the document by writing their name. When a shaved cow is offered, in anticipation of the difficulties of getting the critter into the courthouse -- we smile, thank them, and offer them our pen instead.

    Its all about choice. The question is, who shall make the choice whether we use ink, pen-on-paper, crypto or typewritters: the individuals using the signatures, or the government?

    Two distinct views are prevalent in state electronic signature legislation: a minimalist statute that simply says that electronic writings are writings and manifestations of authentication of the writings are signed writings, leaving it to the market to decide (such as Florida's Electronic Signature Act [gate.net]); and more protective bills, which only validate signatures using certain technologies, such as assymetric encryption (Utah).

    The bill passed by Congress is a minimalist bill, like Florida's (apparently patterned after the present draft of the Uniform Electronic Transactions Act). It is neither good nor evil, IMHO, but can be very helfpul for encouraging certain types of transactions.

    TRUE, it makes an e-mail of the form:

    Bob, I agree to buy 100 widgets at $500/widget, FOB TAMPA -- ship immediately. /S/ Alice

    a valid memorandum for statute of frauds purposes (the statute of frauds requires signed writings memorializing certain kinds of contracts as a precondition to their enforceability). But so what? That is almost certainly already the law anyway!

    Whether Bob or Alice would agree to do business in that manner should be up to Bob and Alice. Of course Bob should be concerned that Alice might later repudiate the transmission, and must be concerned about how he can "prove up" (should it be necessary) the signature in court. On the other hand, who should make the choice as to what technology, if any, Bob should accept, Bob or the government?
  • by Anonymous Coward

    I have two concerns with digital signatures.

    First is that I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.

    The second reason is the boiler-plate issue. I am concerned that there is no way to verify digital boiler-plate contracts. Many consumer contracts have be scrutinized by the consumer-rights folks, so I feel confident that I can sign without having my lawyer review it. It can be fraud to represent a contract as boilerplate when it is not, but who wants to go through that?

  • - Forge a check and I loose $50 bucks
    - Forge a letter and more than likely, a notery will get you off.
    - Forge a document and more than liklely it will be caught (lengthy court possible, but usually a notery can tell)

    Now:
    - Forge a digital signature and:
    Have my credit card statements ( anyone been to www.discover.com, or www.visa.com, or www.....)
    Have my credit card numbers
    Purchase a 35'ft replica of a viking ship on E-Bay
    (as the theif) Claim that someone has stolen your identy and may try to get back in touch with (whomever) doles out the digital sig... thus making things long and hard

    Yes, you have no obiligation to sign all of your documents with your digital signature, but tell that to the people who send you stuff regardless. Remeber: whether you choose to use something or turn a blind eye to it doesn't mean it exists...

    Its like rapping a towel around your head so the alien won't eat you... funny, good in a kids story, but not practical.
  • Privacy and security will *never* be guarenteed on the net, get used to it.

    Nor will they *ever* be guaranteed in real life. Someone could tap your phone... or use a tempest device to read your monitor. As far as security goes, a nuclear bomb could drop on you at any time (no physical security could prevent this (unless you own an EKV? But that won't stop hundreds of nukes that are coming for you...)).

    There are certain inherent risks in everything that you do. Using a long enough key can lower those risks, it's up to you to decide if it's worth it compared to what you gain.

  • by kickahaota (112048) on Wednesday November 10, 1999 @05:24AM (#1546157) Homepage

    Rather than speculate about what this bill will or won't do, let's take the time to read it for ourselves. Like all the other bills working their way through Congress, the text of this bill is available at the Library of Congress' THOMAS server [loc.gov]. Here's the full text of the bill [loc.gov]; that link may or may not work when you read this, since the URLs on THOMAS do have a habit of changing occasionally. If the link fails, then go to THOMAS' home page [loc.gov], type "HR 1714" in the 'Search by Bill Number' box at the top of the page, and do the search. In the list of bills that appears, choose 'HR 1714 EH'; that's the current version, at least as I'm writing this.

    A few personal comments after reading the bill:

    • Like many other Congressional bills, this one contains lots of contradictory paragraphs and "Notwithstanding paragraph b..."; it takes a very careful reading to figure out what it does and doesn't do, and I'm personally still not sure I've got it figured out. This alone gives me reason to distrust it.
    • In order for an electronic document to satisfy a requirement that a consumer be informed of something in writing, the consumer must first be informed that electronic notification may be used, and the consumer must agree to that "by means of a consent that is conspicuous and visually separate from other terms". Furthermore, the consumer can withdraw consent at any time. This doesn't seem bad to me.
    • A consumer is still allowed to claim that notification was never given or that an electronic signature isn't the consumer's, just as a consumer can claim that a document was never mailed or that a physical signature is a forgery.
    • States are allowed to pass laws modifying the use of electronic signatures within their states; however, there are restrictions on their ability to do that, and those restrictions seem extremely muddy to me. Lots of potential for arguments and Supreme Court action here.
    • If a notification is "necessary for the protection of the public health or safety of consumers", then the notification cannot be only electronic, even if the consumer has consented.
    • A will still cannot be electronic. Those probate lawyers are a conservative bunch, I guess.
    • Court orders and notices still can't be electronic. All those lawyers are a conservative bunch.
    • Notices about the cancellation of utility service, foreclosure of a home, or cancellation of health or life insurance can't be electronic-only.

    Overall, I wish that it were written more clearly, but it doesn't seem onerous to me.

  • 3) What the hell is wrong with the colors on this message? No offense to whosever idea this was, but the usual green and white looks much better.

    I think this is the color scheme for the "Your Rights Online" subsection that this article belongs to. It has its own color scheme, like "Ask Slashdot" does.

    I agree; the colors don't fit. Especially with the green/white Slashdot logo at the top.

    --
    Interested in XFMail? New XFMail home page [slappy.org]

  • I must have missed something... As far as I could tell, the article was fairly balanced and presented both sides of the issue.

    Or were you expecting any article written about digital signatures to be gushing and adoring without presenting any of the negative aspects?


    - Drew

  • In other articles (sorry, no references right now) it mentioned that the danger was that consumers could be tricked into accepting electronic documents because the acceptance could be buried in a contract the same way other things are buried in the fine print. In other words the bill was two parts 1) digital signatures are valid 2) digital contracts and amendmants from companies are valid.

    The original alternative only covered 1) digital signatures are valid but was squashed mightily. A democratic provision 3) any agreement that the consumer will accept digital documents must be highly visible and seperate was also killed.

  • Really.. I think it's completely reasonable that most people do not want to read every last paragraph in every one of the agreements we see every day.

    If you live in the US you have to read the fine print on every piece of paper that you sign otherwise you're just inviting anyone to mess you up royaly. Just check the case with the Danish student who got mugged and the hospital decided to pull the plug on him and take all his organs for donation, just because he didn't read the fine print on the insurance agreement. Apparently his parents tried to sue the hospital but failed because of the insurance agreement said the decision to pull the plug was up to the hospital.
  • USPS is more reliable than email? In what universe do they live?! Why kill trees just to send somebody junk mail they won't read anyway. It'd seem to me the easiest way to handle this would be just a requirement of notification within 30 days of the fact but not within 24 hours and require the person being notified to verify they recieved the item. That way they could use any means they wanted as long as they got a reply or made a resonable effort at doing so. Still who really needs idiot proofing as law? Let idiots hang themselfs if they like. I vote for an object oriented replacement for bills. Why don't we require each little bit be in it's own section that can be selected or deselected on it's own. Or even provide several options that could be voted for on given sections. Polymorphisms kind of. Woo!
  • I disagree with your assertion that we will have the choice not to use them. In five or so years, it is easily conceivable that some businesses will only take digital signatures since, as you say, they are supposedly harder to forge than pen & paper signatures. I can see certain credit card companies, insurance companies, and e-commerce companies doing this.

    You say that digital signatures are harder to forge, but we have all seen article after article on Slashdot talking about breaking crypto. How long until you digital signature is cracked? Someone can simply keep a bunch of signatures that they've snooped on file until such time as they can crack them and then use them freely. Remember, digital data can be perfectly copied without errors. Your signature may be "forged" perfectly without any evidence that it is not genuinely your signature. There will be no more court experts in forgery to save you.

    What the President and consumer advocates object to, however, is not this whole issue about the signatures themselves. It's the provisions that certain kinds of notification which must currently be delivered to you in writing will be able to be delivered to you electronically. This means that some people will not be able to get that notification and are no longer protected by getting it in writing. This is what some parts of the industry want and what consumer advocates are all against.

    There's a quick little sanity check I do on any of these articles when I hear about them. When businesses are all over a bill and consumer advocates are against it, it usually means that we're about to get screwed if it passes. Always find out why. Bills in Congress almost never involve just one thing. They always let a law that only certain special interests want ride on the back of a law everyone wants so get it passed since it wouldn't be passed normally. It's an attempt to get another law in favor of big business passed with a law that helps everybody.

  • If the bill (I haven't seen it - anyone have a URL?) was designed simply to recognise digital signatures then this would be positive step - the idea is the same as past legal recognition of photoes, photocopies, faxes, phone communications, audio and video recording devices etc.

    Of course these forms of technology can also be forged, but they are still useful as evidence of legal transactions.

    The problem seems to be that (according to the article) the bill goes further and allows digital signatures to replace written signatures in some circumstances causing possible consumer protection problems.

    It seems that the first bit is good and the second bit is bad. The proposed ammended bill seems to split these up and just have the first (good) bit without the second (questionable) one.

    ---

  • "Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?

    That's an excellent point, but there's a couple of things that should be mentioned here:

    • Under the terms of the bill, the consent to electronic notice has to be "conspicuous and visually separate from other terms"; it can't be something that's slipped into the middle of a paragraph somewhere.
    • "Stealth changes" like the ones you're subscribing are nothing new; a number of credit card companies are particularly fond of stuffing things in their bills that look like advertisements but that are actually changes to the agreement. Of course, there are some unique consumer threats to the electronic approach; instead of hiding the changes in a larger message like you're describing, a company could send a notification in a way that made it look like spam (complete with the email header format that spam-mailer software usually uses), hoping that the consumer's spam-filtering software would filter it out and that the user would never even see it.
  • Wow, that sounds remarkably like corporate murder. Do you have a link for that?
  • There's at least one critical point where esignatures are different from their real-life counterpart:

    Everyone over the age of five has a real-life signature.

    Let me explain why this is a problem by providing a true analogy.

    A certain bank (who shall remain nameless) [bankofamerica.com] has a pretty nice online banking setup. The hole, though, is in their online signup procedure. How do you prove that you are indeed you? You simply provide your social security number, one of your account numbers (it doesn't matter which one), and your bank card number. For those of you less paranoid than myself:

    • A lot of people have their SSN printed on their checks for convenience, so if someone writes you a check, then you have two of the three required identifiers.
    • If they happen to also pay you with a bank card, then voila, you're three-for-three.

    Think of all the places where people are likely to have used both checks and check cards, such as grocery stores they frequent, motels they're staying at, etc. Now, think of how much the employees who handle your financial information actually get paid. Nervous yet? Good!

    Here's the fun part: once J. Random Minimum-Wage has all three of your identifiers, they can do you the additional service of setting up your online banking for you. Keen, huh?

    Until the day you decide to take the leap and start using the service yourself, your accounts are compromised, and you've never noticed.

    To tie this in to the topic at hand, I wonder what sort of proof you'll have to offer to establish an esignature? If I decide that it's pretty likely that you'll never use yours, what's going to stop me from setting it up for you?

    Now, multiply this scenario by the number of people who don't have the slightest contact with computers, and I think we might have a problem.

    Did you think that "The Net" was creepy? Wait until I create the esignature you never bothered with and use it to sign for a few credit cards.

  • email address aren't as static as postal.

    Really? I've had two Email addresses in the last, erm, six years or so since I first got online and during that time I've moved house about 10 times. I think it probably depends on things like whether you buy or rent and if you're prepared to switch cities for the sake of a job. I haven't lived anywhere longer than 2 years since I left my folks house and most places I've only stayed at for six months.
    not going to stop getting snailmail because of nonpayment to an ISP

    Whereas if you stop paying your rent they don't throw you out?

    Pre.....
  • Georgia (as of last time I checked - sorry if I'm wrong) has specific digital signature legislation - one of the first pieces of digital signature legislation created.

    The Georgia Electronic Records and Signature Act 1997 recognises digital signatures (s.5) and sets out actions for unauthorised use of a digital signature.

    This seems to me to be a good example of how this sort of legislation should be created (ie keep the recognition of signatures but discard the problematic notification/consumer protection problems)

    ---

  • by MindStalker (22827) <mindstalker@NOSPAM.gmail.com> on Wednesday November 10, 1999 @06:09AM (#1546171) Journal
    http://thomas.loc.gov/cgi-bin/query/D?c106:1:./tem p/~c106rV3Xiy::

    Text of the bill that deals with private transations (the rest of it deal with federal government accepting digital signatures, which is exactly the same wording .. read it for yourself anyways


    SEC. 7. NATIONAL POLICY PANEL FOR DIGITAL SIGNATURES.

    (a) ESTABLISHMENT- Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws establishing digital signature infrastructures, and representative individuals from the interested public.
    (b) RESPONSIBILITIES- The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards to enable the widespread availability and use of digital signature systems. The Panel shall develop--
    (1) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates;
    (2) standards to ensure consistency among jurisdictions that license certification authorities; and
    (3) audit standards for certification authorities.
    (c) COORDINATION- The Panel shall coordinate its efforts with those of the Director under section 3.
    (d) ADMINISTRATIVE SUPPORT- The Under Secretary shall provide administrative support to enable the
    Panel to carry out its responsibilities.
    (e) REPORT- Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel.


    All this does it create a panel to investigate, and start their recommendations within a year. Sounds like the oppositions just sees that there is a potential for problems as desribes and whats to specifically made it illigal for those provisions to happen. But the whole thing isn't even formed yet!!

  • Well.. there is nothing wrong with being carefull, but you are at a bigger risk when you give your credit card to a waiter/waitress at your favorite restaurnt then when you send it encrytped over the net.

  • by Anonymous Coward
    That it has NOT been proven that current methods of cryptography cannot be 'cracked' in less than exponential time? What happens when our entire ifrastructure is based on this mathmatical ignorance and we finally figure out how to factor large numbers in linear or even constant time? The fact that almost no one knows this (I've never seen in mentioned anywhere except number theory books) means that society is absolutely not prepared to be 'wired.' I'm worried.
  • by MikeBabcock (65886) <mtb-slashdot@mikebabcock.ca> on Wednesday November 10, 1999 @06:13AM (#1546174) Homepage Journal
    I don't know where you come from, but I've been begging companies to send me my information by E-mail instead of paper form for a long time now. Why should we live in an "almost paperless" society working with computers and generate paper to communicate all the time?

    I use electronic banking on the Internet to pay my bills and I shop online for books and movies as well. I don't like getting spam in my mail (physical) or in my E-mail, but the E-mail stuff is easier to delete ... and I don't have to take out the garbage afterward.

    And why, pray tell, do you think that the fine print will change on contracts just because they're sent electronically? Most people don't read the Xerox contract when they buy a new fax machine that states "New shall be defined as any new or used or remanufactured part that Xerox deems suitable for sale" ... I'd just rather have an electronic version of my warrantees to file on floppy (or ZIP) than paper versions lying around somewhere.

    I hope other Slashdotters are with me on this one, or we're a bunch of digital hypocrites.

    - Michael T. Babcock <homepage [linuxsupportline.com]>
  • All I can say is "Hey! I just got wall-to-wall carpet, man! Yeah, like, it is pea green shag!"
    On a serious note; I do like the color schemes, but I think that the Slashdot logo in the upper-right of the screen should match with the scheme for that page. Tealish blue-green clashes very badly with browns and yellows.
  • Sorry, saw a documentary about it on Swedish television about 2 months ago.
  • I've used electronic/online banking with two banks and they both did it the same (correct) way. After applying for access, I received a temporary PIN code via snail mail to use on first connection (along with account number, etc.).

    Sure it's a bit slower, but it's a lot safer. I would imagine that to get a valid digital signature, one would have to go through a notary-type service where you show proof of ID to a licensed individual, who then signs the key you provide and submits the signed public key to the centralized registry.


    --

  • I don't know where you come from, but I've been begging companies to send me my information by E-mail instead of paper form for a long time now.

    I like getting information electronically as well. My CC provider (Aria [aria.com]) is good at this, and its a handy feature. However, I do worry greatly about the potential for abuse. Warranties generally do not change, neither do home loan documents generally change. But credit card notices, bank notices, etc, are things that I receive on almost a bi-monthly basis. I do not want them to have the out to (whether the law says its legal to or not) hide stuff or send it in a fashion that is as unreliable as electronic notification is.

    Unreliable? Yep, it is. My mailbox out front, or my PO box, is not prone to flatly refusing to receive anything for long periods of time. My computer, after my wonderful kid pours coke down the insides, is. Say I receive perfectly valid notice that, unless I do A-B-C, my card will be cancelled. How am I supposed to respond to this if my electronic receiving device is unavailable? Yes, the postal service loses letters, but not nearly as often as I've lost e-mail due to freak occurances of Operating System Nature. (FWIW: Yes, I run Linux.)

    --------------------

  • Under the terms of the bill, the consent to electronic notice has to be "conspicuous and visually separate from other terms"; it can't be something that's slipped into the middle of a paragraph somewhere.

    Oops, you're right. However, where is the protection that says, unless I initial RIGHT HERE, they can't send my notices electronically? My point is, where is the "opt-in," the choice to receive electronic notices or not. Sure, they are required to tell me that I'll be receiving them this way, same as they are required to tell me that my late fee is now $400, if they so choose, but either way, there is no method for me to say "No, I don't want this."

    I wouldn't have such a big problem with this if they (Congress) were able to structure the notification requirement in such a way that it couldn't be made a fundamental part of the contract. Instead, it would have to be a seperate choice made after you agreed to the "primary" contract and wouldn't adversely affect you either way. (i.e. CC can't tell you the next time you send in a payment, "sign here to receive electronic notices or your card gets cancelled.") That's probably not going to happen because it gets into the murky waters of affecting a company and/or individual's right to do business the way they choose.

    /me thinks it'd probably be better to leave this out until we either a) work out a more equitable solution or b) corporations become more trustworthy. :)

    --------------------

  • by Overt Coward (19347) on Wednesday November 10, 1999 @06:32AM (#1546181) Homepage
    I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.

    A "digital signuture" in a PKI system is actually an encrypted hash of the message, along with timestamp info. With a good PKI system, such as PGP, it is improbable enough to be considered impossible to create a substitute message that will generate a duplicate hash result. Therefore, if the message is altered in any way (intentionally or not), the signature check will fail due to the modified hash result.

    The PGP manuals are an excellent source of information not just on PGP, but on cryptography in general and PKI systems in particular.
    --

  • Why couldn't a "digital signature"?


    We all know this, anything that's digital can be duplicated perfectly, it's just a matter of time. Digital Signature Piracy (DSP) anyone?


    My pen and wet ink signature is still far superior in this respect.

  • It doesn't specify what the "digital signature" is. It just says they can be used. Basically it says that digital contracts using digital signatures can be made legally binding if all the parties involved mutually agree on the exact form of those signatures.

    Actually there are a whole bunch of other details as well, but that's one of the important points. Have a look at the bill itself. [loc.gov]
  • How can you support this? Think of the implications!

    There are already people out there that don't leave there house if there really don't need to. And do you think this is going to make things better? People need social contact, sun light, etc. and they aren't going to get it sitting infront of a computer all day.

    Besides that, what do think is protecting those signatures? Probably the most popular is going to be PGP for the layman. Is this enough? Don't think so with a max of a 40-bit key for a layman with a buddy that thinks he knows what he is doing.

    How about M$s' PPTP. It's one of the weakest
    protocols I've ever seen.

    Some talk of making the internet more secure and then things like this get done. And we wonder why systems get cracked.

    With such poor security, how easy is it going to be to hijack a signal?
  • After applying for access, I received a temporary PIN code via snail mail to use on first connection (along with account number, etc.).

    I wouldn't have any problems with that, aside from the possibility of someone watching my mailbox for the letter (and that's a little too paranoid even for me). However, this bank doesn't work like that. After submit the information, you're asked to create an 8-digit numeric ID, and then a password. After that there is no additional authentication.

  • IT amazes me how two things that are so simalar that they are almost equivalent, can be seen as not only different but helpful in one case, and harmful in another.

    If I read a disclosure over E-mail, its exactly the same as snail mail, and the failure rate for snail is, I would guess, higher than the failure rate for delivery of E-mail, but even if it wasn't thats my choice...

    This bill is so you can sign up for something, and recieve disclosure information online, it doesn't mandate it.

    If you are afraid of the Internet and what will happen to your discloser CHOOSE snail instead.

    *sigh* progress is overwhelming, people are underwhelming.

    John
  • by Danse (1026)

    Maybe spammers learn to disguise their crap as electronic legal notices from various vendors.

  • I think that our government just made finding a way to easily factor primes a lot more important.

    Err, factor primes?

    I do not think that means what you think it means...


  • In general I think that opposition to digital signatures is the harmful kind of technophobia. It seems that people are ready to read a million problems into the system of signature when computers are involved, but at the same time they are completely comfortable with a system where you authenticate yourself by drawing a squiggle?

    From a security engineers perspective, conventional signatures are insane. They are easy to fake, even easier to get around (how many cashiers even check for a signature on your ID? how many are trained in handwriting recognition? how hard is it to fake an ID? How hard is it to leave a space open on a contract and then print another clause onto it?) The fact that I can be accused of having signed something just because somebody could draw a squiggle like mine: now that is a rights violation if you ask me.

    Yes, there is reason for healthy skeptisism on any system like this, after all the American government has a bad track record with both crypto and consumer rights. But DSA signatures have stood up until now, and there is little reason to believe they will be broken (they work a lot like other asymmetric cryptos). As a whole however, a truely functional system for digital signatures is an amazing blessing: a way to be truly, mathematically, sure that nobody can fake your signature.

    I think that in the foreseeable future, people will think we were insane in basing our entire legal system on a bunch of squiggles...

    -
    We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
  • Yes, but you know what I mean - two primes, multiply them together, it's hard to factor the result.

    --
  • I'm not convinced that this is possible; or at least I think it would be extremely hard and dependent upon a really trick GA coding. A GA is basically a parallel search technique that exploits regularities in a fitness landscape. 2 points: 1. In a fitness landscape based upon prime factoring, do such regularities exist. 2. If they do, is the resulting function generalisable (ie will it work with data other than the training/validation data) I think that (1) is quite possibly true, but I'd be extremely surprised if (2) is.
  • Aside: The URL that you gave to the legislation has indeed already expired; someone ought to determine something more precise that invokes the CGI query mechanism. My first draft [loc.gov] doesn't quite work; perhaps someone else can suggest better...

    Thank you very much for referencing the real legislation; this is a vastly superior thing to discuss than mere commentaries on journalistic commentaries.

    It appears to me that there may need to be a clearer "Opt Out" mechanism; aside from that, the fact that the bill expects that parties

    should be permitted to determine the appropriate authentication technologies and implementation models for their transactions
    implies (as does other parts of the wording) that both parties to a transaction need to be involved in this determination.

    There perhaps needs to be some allowance for there being a period of time during which people don't fully understand the implications of this, and some coherent method for repudiation of such agreement, perhaps modelled after the manner in which consumers are permitted to reject certain sorts of transactions from door-to-door salescritters if cancellation is done in some specified period of time...

  • All you can do with the key system is verify that a person that sent you a message twice has the same private key. As you say, you cannot verify the physical identity of a person without going through some central agency (government or not), which opens a hole for abuses.

    In order to implement a digital signature system without a central agency would require a shift in what we think of as a "signature". A secure digital signature could not verify that I am anyone in particular, but only that I am the person (or entity) that opened the account. Of course, this could easily subvert income tracking for individuals and corporations, and could be easily used to subvert tax laws. But then, this will probably happen eventually anyway, as soon as overseas tax-haven banks get a clue and start allowing anonymous accounts accessable electronically.

    --Bob

  • There are already people out there that don't leave there house if there really don't need to. And do you think this is going to make things better? People need social contact, sun light, etc. and they aren't going to get it sitting infront of a computer all day.

    People may need these thing's, butn that should be their choice. I don't see why electronic signatures/notifications should be hindered on the excues that "people should get out more."

    Besides that, what do think is protecting those signatures? Probably the most popular is going to be PGP for the layman. Is this enough? Don't think so with a max of a 40-bit key for a layman with a buddy that thinks he knows what he is doing.

    There are good systemas and bad systems. The buggest limitation of key-based cryptography today is the simple fact that use is not widespread. This kind of legislation would encourage more widespread use of strong encryption in modern business. This will happen eventually, at some pace. There will be msitakes, and systems will be broken. Overall, however,digital signatures will be effective and convenient.

    I believe the best thing about digital signatures is that they are easy to check! While I'm sure a professional could compare handwritten signatures and (with reasonable accuracy) detect a forgery, I'm pretty certain that this has NEVER happened with my signature! I have been able to take a paycheck made out to "Shawn Blakeley" to the bank, sign my nearly illegible "Sean Blakey" on the back, and deposit it into my account!

    Digital signatures, in sharp contrast, are EASY to check. Any operation set up to handle digital signatures could take the time and effort to verify EVERY signature they encounter. If this legislation passes, I wouldn't be suprised if, a few years down the road, we see a push for digital signatures accompanying EVERY online transaction, just because it is a cheap, effective verification measure.

  • USPS is more reliable than email? In what universe do they live?!

    ... a universe where fewer than half of american homes have computers -- to say nothing about the rest of the world. Don't get out much, do you?

    bumppo

  • ... factor primes ...

    You know, of course, that factoring primes is really easy. Yeah, yeah, everyone knows you meant factor INTO primes - the hard problem.

    So I'm being pedantic today.

    Torrey Hoffman (Azog).
  • Excellent comments. For the benefit of those who want to look up the legislation for themselves, here's a link that almost leads to just the right place, and that should be durable: http://thomas.loc.gov/cgi-bin/ query/z?c106:H.R.1714: [loc.gov]. That link will display a list of all the versions of the bill; just click on the "H.R.1714.EH" link to get the version that's currently in the House.

  • I have a few problems with your post:

    1) you seem to have a double standard: on one side you want people to recognize your electronic signature but on the other side you are not prepared to receive electronic confirmations of stuff you signed. Odd.

    2) You use a very primitive email reader (one that only displays ASCII), while this isprobably good enough for most applications, the majority of users uses a more advanced mail client (one that allows HTML layout). So from my point of view you're blocking progress by demanding that everything sent to you is in ancient ascii. Really if HTML is such a big problem to you, use an email client with lynx embedded (if it doesn't exist you may develop it yourself) or something but don't bother the rest of the world with whining that you can't read HTML.

    That's the part I disagreed with. I do agree with you that this way of notifying leaves to much room for abuse by bigger companies. Email is rather popular these days but many people still don't check their email on a daily or even weekly basis.

    Also I have a big doubt about the type of encryption used for the signatures. I don't like the idea that somebody can crack the encrypted signature and can start using my signature. And that is something that is going to happen if they use 56 bit encryption.

  • According to the yahoo article, the bill (with digital signatures and electronic notification of consumers) passed 356-66. As others have pointed out, the latter section would seriously erode consumers' rights. A move to drop the electronic notification section failed 278-126. That's over 200 reps solidly sold out to banks and other large corporations on this issue (among others).

    The Christian Coalition [christian-coalition.org] has a great site to keep track of each rep's voting record on issues that concern them, and has many links enabling interested people to contract their reps. Why not the EFF or Slashdot? Before the 2000 (USA) elections, I hope to see Slashdot/ANDN invest some of their upcoming IPO cash in a "Slashdot slate".

    JMC

  • Credit card apps. Healthcare forms. Asterisks with conditions on checks to be cashed. And I keep copies of everything before mailing it off to whomever. If they issue the credit card, health insurance, or cash the check. I've got them on MY terms. They often process these "standard" forms they mail out to loads of people so fast that they onten FAIL to treat them like the real contracts they are and just approve and process them. Oops! But the oops is in my favor this time. If they notice the items crossed out or added on and bitch... fuck 'em... There's only 6.02e23 different other credit cards I can apply for. Heh heh.
  • Yeah, US Mail is generally considered "safe". The safest way to do it would probably be to physically go to the bank and provide positive identification. The bank you're describing is just asking for a lawsuit for failing to protect its customers and itself from fraud here.

    For a digital signute system, as I've said in another post, you'd want to use a notary system (and I'm sure banks would be a good place to do this) where you have to have your key signed by a certified agent, who then uploads your public key into a public, central repository.
    --

  • John Hancock's digital sig would be 8 megabytes big...

    Couldn't resist.
  • 1) you seem to have a double standard: on one side you want people to recognize your electronic signature but on the other side you are not prepared to receive electronic confirmations of stuff you signed. Odd.

    Actually, I'd prefer to stick with the pen and paper route, if I so choose. My belief is this: If I sign something in pen and paper, you will communicate with me via paper. If I sign it electronically, you will communicate with me digitally. The problem I have with this bill is it doesn't allow the choice. It says that they have to notify you that you will receive electronic notices, but they don't have to give you the chance to say no unless they want to (and if electronically reduces their costs, they won't want to).

    2) You use a very primitive email reader (one that only displays ASCII), while this isprobably good enough for most applications, the majority of users uses a more advanced mail client (one that allows HTML layout).

    I suspect that users of pine, mutt, Eudora Lite, Pegasus (which may now support HTML) and people with low speed connections heartily disagree with you. I use Outlook Express 5, and can receive HTML messages. However, I also use a cellular modem to download the same messages, and do not want to suck a huge HTML message down a 9.6k straw. My original intent was to point out that not everyone who is "electronic" uses, or even likes, HTML messages, and may not even be capable of receiving them. (Outlook is set to convert everything to text for me)

    Email is rather popular these days but many people still don't check their email on a daily or even weekly basis.

    And, as I stated earlier, what happens if your computer is down when that all-important notice arrives? I've never had my outside mailbox self-destruct, but I have had my computer lose all traces of my e-mail (which may have arrived before my latest backup).

    --------------------

  • "...so forget about swearing that it's a false signature- there's no such thing as a false digital signature!"
    "...or email viruses, and anyway as long as you don't open attachments and are sure to use the latest software, you're absolutely safe..."

    Sorry man: I don't trust you or your argument. You're drunk on technology, which is great, but it's blinding you, and that's not great. I'm still stubbornly in favor of keeping as many sanity checks and old technologies effective as I can. I use plaintext email and news. I write receipts for computer repair I do on carbon paper receipt pads and have a set of file folders with all my papers organised by year and quarter. I write checks on paper, and sign them with my laborious signature. I _hate_ writing with a pen, always did, but I'm not gonna give it up for you. My checks, for instance, have certain common features all my own- if I draw a slash there is _never_ a 35/100 on it as if it were a fraction, and my signature uses some print characters rather than cursive characters. If I was to use digital signatures I'd be buying them pre-made- probably from Microsoft, as they'd try to kill everyone else in the area. Sorry, no way. I may be a programmer, I may be a geek, I may be totally 'wired' but that doesn't make me a _fscking_ _idiot_.
  • "To better serve your needs our ordering is going 100% online. To serve the needs of computerless customers we've established computer terminals in all our major service locations and most of the minor ones, which can be used for an inexpensive 20 dollars an hour. Customers with their own Internet access can log on to our site securely for only 10 dollars a transaction, where they can place orders and read any news of retroactively amended contracts or cancellations. This is much more immediate than postal mail, plus FOR FREE we will send email alerting customers of such changes, email like the following:
    Hi! We have changed one of your contracts. This email announcement is entirely free. To read the changes for the low low fee of 10$, please click on the following link-
    Tell me more about the changes in my contracts! [airwindows.com] Thank you for being one of our most valued customers!

    Thank you for being one of our most valued customers! DigSigSecurityCode: HKJGHJ77867B5BMBNBHF56786876GGFNDRFGUH5745V"
  • The reintroduction of this bill is not about doing The Right Thing and finally removing the biggest hurdle facing e-commerce, it's about electioneering. The only reason it passed the House is because the Democrats don't want to hand the Republicans the anti-technology brick that will later be hurled at their heads.

    If we want the legally recognized ability to execute binding contracts via the internet, we must keep pounding on Congress until they can come up with a decent bill and the support needed to override any presidential veto. This one will surely not make it past Clinton's desk.

    In order to create solid digital signatures, we must first have strong encryption -- of course, privacy is a threat to our national security, because terrorists might use it to discuss their plans to build weapons of mass destruction. Yeah, yeah, that's it. There's no way that a terrorist seeking to build a thermonuclear device is going to risk being busted for exporting encryption software.

  • Agreed, the danger of a forged digital signature is much greater than a normal one. Now the forger can have Total access to everything you own and all your info, all your cash, medical records, credit reports, transcripts, etc. AND they can all be accessed and stolen remotely, so even if they are "caught" you'll never see them face to face.

    To put it in catastrophic terms: say Bob the Cracker figures out how to crack the sigs, and then loots thousands or even millions of people's life earnings from a desert island. All the while canceling insurance, selling your house, and basically making it look like somebody moving to a desert island.

    The simple hassle of settling the whole thing increases greatly when you have the absolute remote access capability that a digital signature can offer.
  • I believe this is correct. A decision the year before last (in a case called Norton, or the like), held that a facsimile transmission was not a "writing." This largely provoked the adoption of the new bill.

    I agree that a statute providing that any electronic signature constitutes notice to a would-be recipient would be unconcionable, inviting all sorts of foul conduct. I saw little in this bill to do that -- to the contrary, all it provides is that the electronic writing wouldn't FAIL TO BE NOTICE, just because it was electronic.

    I actually think the solution is to state that notice must be accomplished in such manner as to ACTUALLY OR REASONABLY BE CALCULATED TO GIVE NOTICE, rather than quibble about the technoloy used to do so -- which will change over time. If an obscure means is treated as a notice, whether paper or otherwise (for example, as fine print hidden in a document purporting to be junk mail selling magazines), it is not treated as notice, notwithstanding the fact that it is most assuredly a writing.

    Why should electronic instruments be any different? If a reasonable person in the place of the consumer (or if its consumer protection legislation, like insurance), then a reasonable idiot in the place of the consumer would consider they had notice, why does it matter if it arrived by e-mail? Likewise, if the manner used was sneaky, regardless how it was given, why does it matter whether it was in writing?

    If a person uses e-mail for every interaction in his or her life, and receives an e-mail, reads it and actually got notice, why should she be able to rely upon a technical defense of the "non-writingness" of the e-mail? Why should it matter for these purposes whether the notice used digisigs?
  • Clickwraps (as opposed to mere shrinkwraps) are fairly well-established as binding, but I doubt that a click would be a signature. On the other hand, type "OK" WOULD constitute a signature.

    This is also the law in almost every jurisdiction today anyway. Further, no writing would be required for many license provisions in any case -- the statute of frauds may not apply, particularly if the package price is less than $500.00.
  • This bill does not require the use of crypto.
  • (1) unclear, it would depend upon state law and common law development for each excluded arena. Most state laws governing wills require them to be executed at a face-to-face ceremony, regardless how the document is executed, so most e-mail transactions would fail. Other laws require "writings" (as opposed to "signatures"), and local state law would determine whether an electronic instrument is a writing, even if it is "signed."

    In short, a lawyer's answer: it depends.

    (2) unlikely, and probably an unfair interpretation of the statute or its consequences.

    (3) I am on the fence on these subtle religious points.
  • First, common law has recognized typewritten an telex signatures for years. (As well as shaven cows, for that matter).

    Pen-and-ink signatures cannot be strongly authenticated, or strongly bind the signature to whatever is being transmitted (indeed, forging and lifting paper signatures is a trivial exercise).

    While I cannot argue with the proposition that assymetrical encryption is clearly superior, done right, to pen-and-ink signatures, this does not render electronic documents not asymmetrically encrypted inferior TO PEN-AND-INK signatures (or X-marking, cow shaving, foot casting and other bizarre but legally valid signatures)
  • all that we are seeing is highly-predigested evaluations...

    Your exactly right, I've almost lost my faith in the whole slashdot community over this whole thing. If you read the bill
    http://thomas.loc.gov search for h. 1572.
    You will read that all this bill does is set up a panel to investigate how to properly impliment digital signatures, and then to require the federal government to accept them within a year. (Only requiring feds to accept.. not private companies/citizens) And sets up another panel for giving recommendations on creating a private digital signature legal framework no later than a year from now.
    THATS IT!.
    the reason all the commotion is that the Democratic party decided that instead of waiting till the panel came with its conclusions and then trying to form law around that. That they needed to add an ammendment to this bill to force the later laws to be changed in certain ways. So they veto it.. not even knowning what the eventual law is going to be. Anyways I already posted a comment [slashdot.org] quoting parts from the bill explaining this. But was a few hours late to stop the spread of this horrific FUD implimented by the opposition to this bill, and the mass media. :(
  • > I can get as good a deal locally as *anywhere* on the net (shipping and handeling costs bux boys).

    Not with this country's quaint laws on sales tax - I'm in Austin TX, Dell's here in town, so I pay 8.25% to the Lone Star tax collector for the privilege of doing e-commerce with them. But Red Hat's in North Carolina, so I don't pay sales tax to *either* state when buying from them. More than makes up for the postage. But does it make sense?

    Whole towns with names like like Nowhere NM and Brigadoon ID subsist on the mail order business due to this quirk in US law. (Get your combined bean slicer and back scratcher, just 19.95 + 5.95 shipping and handling...)

    I won't even get started on the fact that there are 6,500 local state tax regions all with their own concept of what should and shouldn't be taxed, and different categories and sets of rates. In Europe, they think they need to simplify the fact that each whole country has a different, single VAT rate, poor souls.

    On the security issue, apart from the fact that it is harder to judge who you're dealing with, using credit cards on the net is generally safer than using them over the phone.

    In a physical store, at least here in Texas, no-one EVER checks signatures, so if you lose a card, you're hosed. A colleague's wallet got swiped from work, and they ran up $9000 in 90 minutes before Amex's computer jangled alarm bells. Don't know if it was smart software, or it just hit the credit limit - probably just the latter.

  • Not just number theory, Computer Science too - though that's become an obscure specialism around here lately. :-)

    As a corollary to the fact that they have to work at all, which means that (a) the algorithm to perform them executes quickly and (b) the plaintext contains sufficient redundancy to verify it has been successfully decrypted, most if not all public key systems are subject to an NP exploit based on simply guessing a key and trying it.

    Roll out that quantum computer.....
  • Looking over the bill (which I finally did and should have done when you first mentioned where it was ;)) I agree with you.

    I actually think the solution is to state that notice must be accomplished in such manner as to ACTUALLY OR REASONABLY BE CALCULATED TO GIVE NOTICE

    Do you think, therefore, that the bill is designed to not exclude the use of digital signatures as evidence of transactions merely because they are digital signatures (apart from the specific exclusions) - which seems logical?

    If so, what do you think the people opposing the bill are worried about then?

    ---

  • DVD's can be copied because they use extremely weak encryption [wired.com]. Any widespread usage of legally binding digital signatures would require that the U.S. relax its export regulations -- unless, of course, we want the rest of the world to leave us behind in yet another way.

    Pen-and-paper signatures are laughably weak. I once had a boss who asked me to forge his signature at work; he was out of the office knew that any scribble that I made on the paper would count. (For the record, I flat-out refused.)

    -- Rene

Successful and fortunate crime is called virtue. - Seneca

Working...