House Passes Digital Signature Bill 116
DrewMIT writes "Finally," electronic signatures" will have the same validity legislatively as ink signatures." It still needs to go through the senate, and the White House has said it will veto it. The article is quite negative, it talks about how this will violate consumer rights, but all I can think is "Its about time." What do you think?
Opponents? (Score:1)
It seems like if the politicians don't have a backwards stance on something, they don't think they're doing their job.
Ugh...more e-mail (Score:4)
This is absolutely what I *do* *not* want. I have a hard enough time as it is getting my CC company to follow the disclosure laws, and now they can just say "well, we sent it. your computer must've eaten the e-mail." As I read the bill, this would strengthen the corporation's rights of notification even beyond the standard you're-considered-notified-3-days-after-we-mail-th is provision. I also note that me notifying them electronically is not addressed.
This will suck, I believe. Just think, you get an electronic notification in a lovely HTML message (that you can't read on text readers), with a note up top in 5pt type "please see below for account information." If you do take the time to read it, you find that in 15 days, your interest rate skyrockets from 13 to 23%, your payments are due in 10 days after the bill, oh and we're going to sell every bit of data we have about you. You may cancel your card under the original terms by sending written notice, in triplicate, to the following address that is written in off-white/grey text on a white background.
Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?
--------------------
I think it's a good idea, but.... (Score:1)
Consumer advocates (Score:1)
The bill doesn't simply say that electronic signatures are valid. THEY ALWAYS HAVE BEEN!
A bad thing, or merely ignorance? (Score:3)
Note that it is quite possible that a particular bill might have wording that would make it downright harmful even though it may provide legal support for our favorite technology.
On the one hand, the US President has consistently opposed legislation to promote the public use of stronger cryptographic tools. Based on that, one might be led to assume that opposition to digital signatures might be based on that opposition to public access to cryptography.
On the other hand, there may be something about the bill in question that actually is bad.
On the gripping hand, it could be worthwhile to have validation of the legality of signatures "set" cryptographically, even if this has some intermediate side-effect that is "bad for consumers."
Does anybody have the actual text of the bill? It's rather difficult to evaluate the merits of completely-pre-digested press releases...
Am I missing something? (Score:2)
What I really don't get is how do you return something using this "system"? If everything is electronically generated, will we need to send an electronic receipt back before the return would be allowed. What will happen to paper receipts? Won't electronic receipts be fairly easy to doctor up?
_________________________
Mello like the Yello, but without the fizz.
A few things... (Score:2)
2) The article talks about sending things in formats that people might not be able to read. That's what ASCII text is for. Warranties and such generally don't need anything in the way of special formatting. Perhaps that format should be required in the bill; it appears not to be.
3) What the hell is wrong with the colors on this message? No offense to whosever idea this was, but the usual green and white looks much better.
Or is this a sign of user-configurable colors to come?
yet again politicians fail to add 2 + 2 (Score:1)
Correct me if I'm wrong here....If you were going to purchase something online, and agree to sign a contract digitally, then wouldn't you already be able to access all the fine print (via secured web sight, physically printing the contract, secure e-mail, etc.)?
How and why some of these people get elected to any office is absolutely flaberghasting!
Uh, oh (Score:2)
1. The general public does not understand the implications of sharing a password with a friend.
2. Without forcing restrictions on the rights of the internet citizens as a whole (bad idea), it becomes extreemely difficult to enforce violations of this (i.e. someone from some other country impersonates you).
3. Script-kiddies ('nuff said)
4. In reference to warranties: (I'm going out on a limb) The ability to alter/change electronic information after the fact, a-la "Rising Sun" (maybe a 1 1/2 star movie) may be easier for companies rather than deal with "problems".
5. Sending things to people via a digital signature (as opposed to ceritfied mail) relies on the receiver being able to keep a copy of in case of a hard drive crash.
5b. Windows (controlling over 80% of the market - mac included) Crashes - lots.
Well, try not to tear it completely apart... but thats some of the flaws I see.
Re:Ugh...more e-mail (Score:2)
Even as a 17 year old (with no credit card) I can see the downside to this. Nobody takes the time to read the gnat tracks at the bottom of any contract anyway....
I like having a dead tree version, signed by a human (preferably, or one of those autopen thingies). Then again, with about $5 (US) in my checking account....
As a side note, can we do SOMETHING about this color scheme? Brown and pea-soup green? Ugh... I think I'm gonna hurl.
I'm confused and I don't think I am the only one (Score:2)
Yes, I think digital signatures rule also - but before I run and call my congressman, I want to know what reasons the opponents are giving - just having sound bytes is not enough.
In other words, this news story absolutely blows chunks...
Is the technology defined? (Score:3)
Good digital signatures would be good. Bad digital signatures would be bad. This seems like common sense, but there are vendors out there claiming they have digital signaturing without even having some basic features, like non-repudiation.
I use PGP for signing, but you've got no guarantee that I own the key with my name on it. Anyone can submit a key with any name to the public servers.
I don't see this being feasible without a big agency to certify algorithms and issue keys reliably. Big agencies are bad, and artifically impose geographic limitations on the 'net.
Otherwise you have to implicitly trust everybody, and then who cares about signatures?
Someone needs to think of a better private solution.
Wake up Billy-Boy, it's 1999! (Score:3)
When someone forges your pen and ink signature, the solution is to swear under oath before witnesses, that the forgery in question is indeed a false signature. The solution to a forged electronic signature would be the same.
I really don't see a significant difference security or privacy-wise.
For all the lip service that the White House plays to being pro-technology, it is so often obvious that they really don't have much of a clue.
Remember, Al Gore invented the Internet!
Furthermore, anyone who was leary of electronic signature has no obligation to use them. They can just use pen and ink signatures instead!
This is an idea who's time has come. We're about to enter a new millennium for cryin' out loud! Bill Clinton endlessly reminds us of this fact. He needs to actually live it!
Texas (Score:1)
Authentication (Score:1)
Re: Opponents? (Score:2)
It seems to me that (according to the article) the problem with this bill is that it actually does two things;
1) Allows digital signatures as a substitute for written signatures if the consumer agrees.
This is a positive step and is in line with the common sense expansion of the internet as digital signatures are much more reliable than written signatures if sufficient security is implemented.
(See for example the Georgia Electronic Records and Signature Act 1997); and
2) Allows electronic notification in certain circumstances when originally written notification was required.
This is where difficulties arise as although (according to the article) some types of transactions are exempted, the worry is that Mr and Mrs Everybody will sign documents ("just sign here sir - no don't worry about the fine print") which allow them to be notified electronically instead of in writing or even overriding present protective legislation.
It seems to me that according to the article, there was an attempt to remove 2) while keeping 1).
This seems logical to me as no-one seems to have problems with the former, while the latter has some kinks (to say the least) that need to be ironed out.---
Re:I think it's a good idea, but.... (Score:1)
``Electronic signatures provide a level of authentication that far surpasses the ink signature that has
come to be the accepted standard,'' said Virginia Republican Thomas Bliley, chairman of the
House Commerce Committee. ``Electronic transactions have much less of a chance for human
error and provide for more reliable retention after the initial transaction takes place.''
The implication that digital signatures magically sprinkle improved security on stuff is utterly bogus. While the signature algorithms themselves might be quite secure, there exists *no* acceptable (or even legally recognized) public key infrastructure that provides secure and reliable identification of public keys.
That is, if I give you my public key in person, then you can verify my signatures with confidence. If you just look it up in a directory somewhere, you are really trusting the maintainer of the directory. Who do you trust to link your name with your public key? If that entity turns out to be untrustworthy, you are the potential victim of e.g. man-in-the-middle attacks.
I think that digital signatures are a good thing that should gain legal standing. However, I think that there are significant infrastructure issues that should be resolved first. I did my master's work on electronic voting, which essentially requires little more than electronic signatures. I feel the same way on that subject: someday we should have it, but we need to iron out a *lot* of details.
The number one issue to address is that of educating the public about basic public key cryptography. As far as I'm concerned, it should be taught in grade school. The basics aren't that difficult to grasp, and a public aware of the issues would contain far fewer potential victims than an ignorant one.
Re:I think it's a good idea, but.... (Score:1)
As I understand it, just typing your name in the "Sign Here" portion of a document, or clicking the "I agree" button on a web page is enough to represent your digital signature.
Re:Ugh...more e-mail (Score:1)
Re:Offtopic..... (Score:1)
Re:Ugh...more e-mail (Score:2)
What do I think? (Score:2)
In other news *cough* unrelated news, a friend of mine has a program that uses a genetic algo to reverse-engineer formulas... which will be released under GPL once we get the client/server protocol stuff done (that's my job!) ala distributed.net. I'm rather hopeful that we'll be able to extract a factoring algo from it within several months' time. No, I don't have a link, no I won't release any info on it, and no, you can't have the source until the bloody thing works and we get a patent on it. =)
--
Re:yet again politicians fail to add 2 + 2 (Score:1)
Okay, you're wrong.
Here's what I'd do if I was a company. I'd say "gee, here's a way to avoid notification costs, and also to screw people by not notifying them!" I'd have the legal department add a notice in the standard contract agreeing to digital notification. Most customers would just sign it without question, because no one reads those contracts anyway (at least people are always amazed when I do). The one percent that complained would be told that "it's just a formality--they don't notify anyone by email." I'd then provide a really inconvenient method for customers to receive email (i.e., an email-only Decwriter in one location in the metro area). Whatever would just barely meet whatever standard is mentioned in the law. And finally, I could do whatever I wanted so long as I sent email to myself first that would never be read.
Of course, I'm sure no business would ever try to screw their customers....
Re:Ugh...more e-mail (Score:1)
Which could lead to tricky wording on their part such as "The rent charged for borrowed money will be doubling in 15 days."
But really, I don't think any large well-known companies would try to pull something like this. It's the same way with credit cards on the 'net: Don't deal with small untrustworthy companies.
Re:Am I missing something? (Score:1)
As easy as doctoring up someone else's digital signature...
I assume the receipts would be signed with the company's private key so you could view it but not change it.
Possible Problem: Protocols (Score:3)
For instance, if an "end of warrantee" notice is made legally binding merely because the company sending it used digital signatures, this is tremendously wrong, as it provides no mandate that said signature actually come to me, the one holding the product they're trying to end-of-life.
In order for this to work, there needs to be some equivalent to a "two phase commit;" the signature is not valid until I respond back, indicating by sending a digitally signed response that signs their signature that I have received it.
This sort of protocol is something banks doing transfers will doubtless be willing enough to set up; in order for it to be usable with consumers, some proxy that is able to manage the "sign-and-send-back" part is needed. The Post Office might be a good candidate; they have the infrastructure for not-dissimilar verification of receipt of mail that comes when you send something "registered."
If the legislation doesn't offer such "secure protocols," then I would agree that it is a real bad idea. Of course, I don't know this; all that we are seeing is highly-predigested evaluations...
Exactly; Is Strong Encryption Required? (Score:1)
But then, do I really expect the government to require strong encryption on something?
Re: Opponents? (Score:1)
They can cause a bill to not be passed by appending an issue that is worse than if the bill is not passed, in order to keep the bill from passing.
They can append issues that otherwise would not be passed, to a bill that will pass, thereby making law something that noone wants.
By 'they' I wonder who I'm speaking of. "The man?" Hmmm.
Re:Ugh...more e-mail (Score:1)
That's hardly a good thing for the humans.
What if your virus checker discards their notice because it's infected?
I think that trees should be converted into boats, not junk mail, but legal notices are not junk mail.
-----
Brown? !
Re:I think it's a good idea, but.... (Score:1)
Check out this page about public key stuff [isoc.org].
It uses public and private keys (like PGP does)...
You encrypt a one-way hash of the confirmation message with your private key. The one-way hash results in a number that's a couple bytes long that represents the message you're sending. If you put your name and date in the confirmation message, someone can't just copy the letter and put their name in (or just alter the date) because that'd make the message result in a different hash. They can't correct the hash because it's encrypted with your private key, which (hopefully) nobody but you knows. Everyone can read the message by decrypting it with your public key, which proves again that you signed it.
Old news in Utah (Score:1)
Re:Ugh...more e-mail (Score:1)
Really.. I think it's completely reasonable that most people do not want to read every last paragraph in every one of the agreements we see every day.
This concerns me... (Score:2)
With no means of carrying out strong authentication on a signature, or strongly binding the signature to whatever is being transmitted, it would be impossible to verify if the signature is genuine.
Neither Novel, Good Nor Bad (Score:2)
Electronic signatures are almost certainly "valid" (that is, legally enforceable as signatures) under the common law of every state (except perhaps, Georgia, which has some renegade case law regarding facsimile transmissions), just as signatures using other non-pen-to-paper technologies have been for centuries. The Statute of Frauds has not, for example, excluded, typewritten or telex printing of names, shaved initials on the hide of a cow, impressions of a footprint cast in sand, and so forth. This legislation is not necessary, but it is helpful for a conservative lawyer to be able to rely on statutory law rather than inviting their client to be the first one to litigate these new fact patterns.
In short, the law does not require more than a physical fixation of an intent to authenticate -- a ceremony if you will. A signature does not need to be non-repudiable to be valid -- I could mark "Micky Mouse" or "X" at the end of a document and be bound, if it can be shown that I intended to authenticate the document when I made the markings.
On the other, hand, good commercial sense ordinarily precludes the use of or the accepting of such "alternative" signatures, even if they are legal, for the simple reasons that they create tremendous difficulties in proving authentication when push comes to shove.
The decision to accept an "X" from a literate contractor when closing a deal involving zillions of dollars would be foolish, and we would ordinarily ask them, politely, to sign the document by writing their name. When a shaved cow is offered, in anticipation of the difficulties of getting the critter into the courthouse -- we smile, thank them, and offer them our pen instead.
Its all about choice. The question is, who shall make the choice whether we use ink, pen-on-paper, crypto or typewritters: the individuals using the signatures, or the government?
Two distinct views are prevalent in state electronic signature legislation: a minimalist statute that simply says that electronic writings are writings and manifestations of authentication of the writings are signed writings, leaving it to the market to decide (such as Florida's Electronic Signature Act [gate.net]); and more protective bills, which only validate signatures using certain technologies, such as assymetric encryption (Utah).
The bill passed by Congress is a minimalist bill, like Florida's (apparently patterned after the present draft of the Uniform Electronic Transactions Act). It is neither good nor evil, IMHO, but can be very helfpul for encouraging certain types of transactions.
TRUE, it makes an e-mail of the form:
Bob, I agree to buy 100 widgets at $500/widget, FOB TAMPA -- ship immediately.
a valid memorandum for statute of frauds purposes (the statute of frauds requires signed writings memorializing certain kinds of contracts as a precondition to their enforceability). But so what? That is almost certainly already the law anyway!
Whether Bob or Alice would agree to do business in that manner should be up to Bob and Alice. Of course Bob should be concerned that Alice might later repudiate the transmission, and must be concerned about how he can "prove up" (should it be necessary) the signature in court. On the other hand, who should make the choice as to what technology, if any, Bob should accept, Bob or the government?
Either Way (Score:1)
I have two concerns with digital signatures.
First is that I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.
The second reason is the boiler-plate issue. I am concerned that there is no way to verify digital boiler-plate contracts. Many consumer contracts have be scrutinized by the consumer-rights folks, so I feel confident that I can sign without having my lawyer review it. It can be fraud to represent a contract as boilerplate when it is not, but who wants to go through that?
Here's the difference: (Score:1)
- Forge a letter and more than likely, a notery will get you off.
- Forge a document and more than liklely it will be caught (lengthy court possible, but usually a notery can tell)
Now:
- Forge a digital signature and:
Have my credit card statements ( anyone been to www.discover.com, or www.visa.com, or www.....)
Have my credit card numbers
Purchase a 35'ft replica of a viking ship on E-Bay
(as the theif) Claim that someone has stolen your identy and may try to get back in touch with (whomever) doles out the digital sig... thus making things long and hard
Yes, you have no obiligation to sign all of your documents with your digital signature, but tell that to the people who send you stuff regardless. Remeber: whether you choose to use something or turn a blind eye to it doesn't mean it exists...
Its like rapping a towel around your head so the alien won't eat you... funny, good in a kids story, but not practical.
Re:I dont know about you but... (Score:1)
Nor will they *ever* be guaranteed in real life. Someone could tap your phone... or use a tempest device to read your monitor. As far as security goes, a nuclear bomb could drop on you at any time (no physical security could prevent this (unless you own an EKV? But that won't stop hundreds of nukes that are coming for you...)).
There are certain inherent risks in everything that you do. Using a long enough key can lower those risks, it's up to you to decide if it's worth it compared to what you gain.
Let's educate ourselves on this. (Score:3)
Rather than speculate about what this bill will or won't do, let's take the time to read it for ourselves. Like all the other bills working their way through Congress, the text of this bill is available at the Library of Congress' THOMAS server [loc.gov]. Here's the full text of the bill [loc.gov]; that link may or may not work when you read this, since the URLs on THOMAS do have a habit of changing occasionally. If the link fails, then go to THOMAS' home page [loc.gov], type "HR 1714" in the 'Search by Bill Number' box at the top of the page, and do the search. In the list of bills that appears, choose 'HR 1714 EH'; that's the current version, at least as I'm writing this.
A few personal comments after reading the bill:
Overall, I wish that it were written more clearly, but it doesn't seem onerous to me.
OT: colors (Score:2)
I think this is the color scheme for the "Your Rights Online" subsection that this article belongs to. It has its own color scheme, like "Ask Slashdot" does.
I agree; the colors don't fit. Especially with the green/white Slashdot logo at the top.
--
Interested in XFMail? New XFMail home page [slappy.org]
The article was negative? (Score:1)
I must have missed something... As far as I could tell, the article was fairly balanced and presented both sides of the issue.
Or were you expecting any article written about digital signatures to be gushing and adoring without presenting any of the negative aspects?
- Drew
Re:I'm confused and I don't think I am the only on (Score:1)
The original alternative only covered 1) digital signatures are valid but was squashed mightily. A democratic provision 3) any agreement that the consumer will accept digital documents must be highly visible and seperate was also killed.
Re:Ugh...more e-mail (Score:1)
If you live in the US you have to read the fine print on every piece of paper that you sign otherwise you're just inviting anyone to mess you up royaly. Just check the case with the Danish student who got mugged and the hospital decided to pull the plug on him and take all his organs for donation, just because he didn't read the fine print on the insurance agreement. Apparently his parents tried to sue the hospital but failed because of the insurance agreement said the decision to pull the plug was up to the hospital.
Re: Opponents? (Score:1)
Choice, Security, & the Other Part of the Bill (Score:2)
I disagree with your assertion that we will have the choice not to use them. In five or so years, it is easily conceivable that some businesses will only take digital signatures since, as you say, they are supposedly harder to forge than pen & paper signatures. I can see certain credit card companies, insurance companies, and e-commerce companies doing this.
You say that digital signatures are harder to forge, but we have all seen article after article on Slashdot talking about breaking crypto. How long until you digital signature is cracked? Someone can simply keep a bunch of signatures that they've snooped on file until such time as they can crack them and then use them freely. Remember, digital data can be perfectly copied without errors. Your signature may be "forged" perfectly without any evidence that it is not genuinely your signature. There will be no more court experts in forgery to save you.
What the President and consumer advocates object to, however, is not this whole issue about the signatures themselves. It's the provisions that certain kinds of notification which must currently be delivered to you in writing will be able to be delivered to you electronically. This means that some people will not be able to get that notification and are no longer protected by getting it in writing. This is what some parts of the industry want and what consumer advocates are all against.
There's a quick little sanity check I do on any of these articles when I hear about them. When businesses are all over a bill and consumer advocates are against it, it usually means that we're about to get screwed if it passes. Always find out why. Bills in Congress almost never involve just one thing. They always let a law that only certain special interests want ride on the back of a law everyone wants so get it passed since it wouldn't be passed normally. It's an attempt to get another law in favor of big business passed with a law that helps everybody.
Using the proposed ammended bill would be smarter? (Score:1)
Of course these forms of technology can also be forged, but they are still useful as evidence of legal transactions.
The problem seems to be that (according to the article) the bill goes further and allows digital signatures to replace written signatures in some circumstances causing possible consumer protection problems.
It seems that the first bit is good and the second bit is bad. The proposed ammended bill seems to split these up and just have the first (good) bit without the second (questionable) one.
---
Re:Ugh...more e-mail (Score:2)
"Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?
That's an excellent point, but there's a couple of things that should be mentioned here:
Re:Ugh...more e-mail (Score:1)
Where I think the system breaks down (Score:3)
There's at least one critical point where esignatures are different from their real-life counterpart:
Everyone over the age of five has a real-life signature.
Let me explain why this is a problem by providing a true analogy.
A certain bank (who shall remain nameless) [bankofamerica.com] has a pretty nice online banking setup. The hole, though, is in their online signup procedure. How do you prove that you are indeed you? You simply provide your social security number, one of your account numbers (it doesn't matter which one), and your bank card number. For those of you less paranoid than myself:
Think of all the places where people are likely to have used both checks and check cards, such as grocery stores they frequent, motels they're staying at, etc. Now, think of how much the employees who handle your financial information actually get paid. Nervous yet? Good!
Here's the fun part: once J. Random Minimum-Wage has all three of your identifiers, they can do you the additional service of setting up your online banking for you. Keen, huh?
Until the day you decide to take the leap and start using the service yourself, your accounts are compromised, and you've never noticed.
To tie this in to the topic at hand, I wonder what sort of proof you'll have to offer to establish an esignature? If I decide that it's pretty likely that you'll never use yours, what's going to stop me from setting it up for you?
Now, multiply this scenario by the number of people who don't have the slightest contact with computers, and I think we might have a problem.
Did you think that "The Net" was creepy? Wait until I create the esignature you never bothered with and use it to sign for a few credit cards.
Re:Ugh...more e-mail (Score:1)
Really? I've had two Email addresses in the last, erm, six years or so since I first got online and during that time I've moved house about 10 times. I think it probably depends on things like whether you buy or rent and if you're prepared to switch cities for the sake of a job. I haven't lived anywhere longer than 2 years since I left my folks house and most places I've only stayed at for six months.
Whereas if you stop paying your rent they don't throw you out?
Re:Georgia (Score:1)
The Georgia Electronic Records and Signature Act 1997 recognises digital signatures (s.5) and sets out actions for unauthorised use of a digital signature.
This seems to me to be a good example of how this sort of legislation should be created (ie keep the recognition of signatures but discard the problematic notification/consumer protection problems)
---
THE TRUTH! (Score:3)
Text of the bill that deals with private transations (the rest of it deal with federal government accepting digital signatures, which is exactly the same wording
SEC. 7. NATIONAL POLICY PANEL FOR DIGITAL SIGNATURES.
(a) ESTABLISHMENT- Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws establishing digital signature infrastructures, and representative individuals from the interested public.
(b) RESPONSIBILITIES- The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards to enable the widespread availability and use of digital signature systems. The Panel shall develop--
(1) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates;
(2) standards to ensure consistency among jurisdictions that license certification authorities; and
(3) audit standards for certification authorities.
(c) COORDINATION- The Panel shall coordinate its efforts with those of the Director under section 3.
(d) ADMINISTRATIVE SUPPORT- The Under Secretary shall provide administrative support to enable the
Panel to carry out its responsibilities.
(e) REPORT- Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel.
All this does it create a panel to investigate, and start their recommendations within a year. Sounds like the oppositions just sees that there is a potential for problems as desribes and whats to specifically made it illigal for those provisions to happen. But the whole thing isn't even formed yet!!
Re:I dont know about you but... (Score:2)
Has everyone forgotten? (Score:2)
Re:Ugh...more e-mail (Score:3)
I use electronic banking on the Internet to pay my bills and I shop online for books and movies as well. I don't like getting spam in my mail (physical) or in my E-mail, but the E-mail stuff is easier to delete
And why, pray tell, do you think that the fine print will change on contracts just because they're sent electronically? Most people don't read the Xerox contract when they buy a new fax machine that states "New shall be defined as any new or used or remanufactured part that Xerox deems suitable for sale"
I hope other Slashdotters are with me on this one, or we're a bunch of digital hypocrites.
- Michael T. Babcock <homepage [linuxsupportline.com]>
Re:Offtopic..... (Score:1)
On a serious note; I do like the color schemes, but I think that the Slashdot logo in the upper-right of the screen should match with the scheme for that page. Tealish blue-green clashes very badly with browns and yellows.
Re:Ugh...more e-mail (Score:1)
Re:Where I think the system breaks down (Score:1)
Sure it's a bit slower, but it's a lot safer. I would imagine that to get a valid digital signature, one would have to go through a notary-type service where you show proof of ID to a licensed individual, who then signs the key you provide and submits the signed public key to the centralized registry.
--
Re:Ugh...more e-mail (Score:1)
I like getting information electronically as well. My CC provider (Aria [aria.com]) is good at this, and its a handy feature. However, I do worry greatly about the potential for abuse. Warranties generally do not change, neither do home loan documents generally change. But credit card notices, bank notices, etc, are things that I receive on almost a bi-monthly basis. I do not want them to have the out to (whether the law says its legal to or not) hide stuff or send it in a fashion that is as unreliable as electronic notification is.
Unreliable? Yep, it is. My mailbox out front, or my PO box, is not prone to flatly refusing to receive anything for long periods of time. My computer, after my wonderful kid pours coke down the insides, is. Say I receive perfectly valid notice that, unless I do A-B-C, my card will be cancelled. How am I supposed to respond to this if my electronic receiving device is unavailable? Yes, the postal service loses letters, but not nearly as often as I've lost e-mail due to freak occurances of Operating System Nature. (FWIW: Yes, I run Linux.)
--------------------
Re:Ugh...more e-mail (Score:1)
Oops, you're right. However, where is the protection that says, unless I initial RIGHT HERE, they can't send my notices electronically? My point is, where is the "opt-in," the choice to receive electronic notices or not. Sure, they are required to tell me that I'll be receiving them this way, same as they are required to tell me that my late fee is now $400, if they so choose, but either way, there is no method for me to say "No, I don't want this."
I wouldn't have such a big problem with this if they (Congress) were able to structure the notification requirement in such a way that it couldn't be made a fundamental part of the contract. Instead, it would have to be a seperate choice made after you agreed to the "primary" contract and wouldn't adversely affect you either way. (i.e. CC can't tell you the next time you send in a payment, "sign here to receive electronic notices or your card gets cancelled.") That's probably not going to happen because it gets into the murky waters of affecting a company and/or individual's right to do business the way they choose.
--------------------
Re:Either Way (Score:3)
A "digital signuture" in a PKI system is actually an encrypted hash of the message, along with timestamp info. With a good PKI system, such as PGP, it is improbable enough to be considered impossible to create a substitute message that will generate a duplicate hash result. Therefore, if the message is altered in any way (intentionally or not), the signature check will fail due to the modified hash result.
The PGP manuals are an excellent source of information not just on PGP, but on cryptography in general and PKI systems in particular.
--
If DVD's can be copied... (Score:1)
We all know this, anything that's digital can be duplicated perfectly, it's just a matter of time. Digital Signature Piracy (DSP) anyone?
My pen and wet ink signature is still far superior in this respect.
This is just the first step. (Score:1)
Actually there are a whole bunch of other details as well, but that's one of the important points. Have a look at the bill itself. [loc.gov]
Re:Opponents? (Score:1)
There are already people out there that don't leave there house if there really don't need to. And do you think this is going to make things better? People need social contact, sun light, etc. and they aren't going to get it sitting infront of a computer all day.
Besides that, what do think is protecting those signatures? Probably the most popular is going to be PGP for the layman. Is this enough? Don't think so with a max of a 40-bit key for a layman with a buddy that thinks he knows what he is doing.
How about M$s' PPTP. It's one of the weakest
protocols I've ever seen.
Some talk of making the internet more secure and then things like this get done. And we wonder why systems get cracked.
With such poor security, how easy is it going to be to hijack a signal?
Re:Where I think the system breaks down (Score:2)
After applying for access, I received a temporary PIN code via snail mail to use on first connection (along with account number, etc.).
I wouldn't have any problems with that, aside from the possibility of someone watching my mailbox for the letter (and that's a little too paranoid even for me). However, this bank doesn't work like that. After submit the information, you're asked to create an 8-digit numeric ID, and then a password. After that there is no additional authentication.
Silly ... Internet FUD (Score:1)
If I read a disclosure over E-mail, its exactly the same as snail mail, and the failure rate for snail is, I would guess, higher than the failure rate for delivery of E-mail, but even if it wasn't thats my choice...
This bill is so you can sign up for something, and recieve disclosure information online, it doesn't mandate it.
If you are afraid of the Internet and what will happen to your discloser CHOOSE snail instead.
*sigh* progress is overwhelming, people are underwhelming.
John
Re:Or... (Score:1)
Maybe spammers learn to disguise their crap as electronic legal notices from various vendors.
Re:What do I think? (Score:1)
Err, factor primes?
I do not think that means what you think it means...
yeah, but how safe is you squiggle? (Score:2)
In general I think that opposition to digital signatures is the harmful kind of technophobia. It seems that people are ready to read a million problems into the system of signature when computers are involved, but at the same time they are completely comfortable with a system where you authenticate yourself by drawing a squiggle?
From a security engineers perspective, conventional signatures are insane. They are easy to fake, even easier to get around (how many cashiers even check for a signature on your ID? how many are trained in handwriting recognition? how hard is it to fake an ID? How hard is it to leave a space open on a contract and then print another clause onto it?) The fact that I can be accused of having signed something just because somebody could draw a squiggle like mine: now that is a rights violation if you ask me.
Yes, there is reason for healthy skeptisism on any system like this, after all the American government has a bad track record with both crypto and consumer rights. But DSA signatures have stood up until now, and there is little reason to believe they will be broken (they work a lot like other asymmetric cryptos). As a whole however, a truely functional system for digital signatures is an amazing blessing: a way to be truly, mathematically, sure that nobody can fake your signature.
I think that in the foreseeable future, people will think we were insane in basing our entire legal system on a bunch of squiggles...
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
Re:What do I think? (Score:1)
--
using a ga for prime factoring (Score:1)
Looking At Real Legislation- YES! (Score:2)
Thank you very much for referencing the real legislation; this is a vastly superior thing to discuss than mere commentaries on journalistic commentaries.
It appears to me that there may need to be a clearer "Opt Out" mechanism; aside from that, the fact that the bill expects that parties
implies (as does other parts of the wording) that both parties to a transaction need to be involved in this determination.There perhaps needs to be some allowance for there being a period of time during which people don't fully understand the implications of this, and some coherent method for repudiation of such agreement, perhaps modelled after the manner in which consumers are permitted to reject certain sorts of transactions from door-to-door salescritters if cancellation is done in some specified period of time...
Re:Is the technology defined? (Score:1)
All you can do with the key system is verify that a person that sent you a message twice has the same private key. As you say, you cannot verify the physical identity of a person without going through some central agency (government or not), which opens a hole for abuses.
In order to implement a digital signature system without a central agency would require a shift in what we think of as a "signature". A secure digital signature could not verify that I am anyone in particular, but only that I am the person (or entity) that opened the account. Of course, this could easily subvert income tracking for individuals and corporations, and could be easily used to subvert tax laws. But then, this will probably happen eventually anyway, as soon as overseas tax-haven banks get a clue and start allowing anonymous accounts accessable electronically.
--Bob
Re:Opponents? (Score:1)
There are already people out there that don't leave there house if there really don't need to. And do you think this is going to make things better? People need social contact, sun light, etc. and they aren't going to get it sitting infront of a computer all day.
People may need these thing's, butn that should be their choice. I don't see why electronic signatures/notifications should be hindered on the excues that "people should get out more."
Besides that, what do think is protecting those signatures? Probably the most popular is going to be PGP for the layman. Is this enough? Don't think so with a max of a 40-bit key for a layman with a buddy that thinks he knows what he is doing.
There are good systemas and bad systems. The buggest limitation of key-based cryptography today is the simple fact that use is not widespread. This kind of legislation would encourage more widespread use of strong encryption in modern business. This will happen eventually, at some pace. There will be msitakes, and systems will be broken. Overall, however,digital signatures will be effective and convenient.
I believe the best thing about digital signatures is that they are easy to check! While I'm sure a professional could compare handwritten signatures and (with reasonable accuracy) detect a forgery, I'm pretty certain that this has NEVER happened with my signature! I have been able to take a paycheck made out to "Shawn Blakeley" to the bank, sign my nearly illegible "Sean Blakey" on the back, and deposit it into my account!
Digital signatures, in sharp contrast, are EASY to check. Any operation set up to handle digital signatures could take the time and effort to verify EVERY signature they encounter. If this legislation passes, I wouldn't be suprised if, a few years down the road, we see a push for digital signatures accompanying EVERY online transaction, just because it is a cheap, effective verification measure.
"what universe" indeed (Score:1)
bumppo
Re:What do I think? (Score:1)
You know, of course, that factoring primes is really easy. Yeah, yeah, everyone knows you meant factor INTO primes - the hard problem.
So I'm being pedantic today.
Torrey Hoffman (Azog).
Re:Looking At Real Legislation- YES! (Score:1)
Excellent comments. For the benefit of those who want to look up the legislation for themselves, here's a link that almost leads to just the right place, and that should be durable: http://thomas.loc.gov/cgi-bin/ query/z?c106:H.R.1714: [loc.gov]. That link will display a list of all the versions of the bill; just click on the "H.R.1714.EH" link to get the version that's currently in the House.
Re:Ugh...more e-mail (Score:2)
1) you seem to have a double standard: on one side you want people to recognize your electronic signature but on the other side you are not prepared to receive electronic confirmations of stuff you signed. Odd.
2) You use a very primitive email reader (one that only displays ASCII), while this isprobably good enough for most applications, the majority of users uses a more advanced mail client (one that allows HTML layout). So from my point of view you're blocking progress by demanding that everything sent to you is in ancient ascii. Really if HTML is such a big problem to you, use an email client with lynx embedded (if it doesn't exist you may develop it yourself) or something but don't bother the rest of the world with whining that you can't read HTML.
That's the part I disagreed with. I do agree with you that this way of notifying leaves to much room for abuse by bigger companies. Email is rather popular these days but many people still don't check their email on a daily or even weekly basis.
Also I have a big doubt about the type of encryption used for the signatures. I don't like the idea that somebody can crack the encrypted signature and can start using my signature. And that is something that is going to happen if they use 56 bit encryption.
Remember these reps on election day. (Score:1)
The Christian Coalition [christian-coalition.org] has a great site to keep track of each rep's voting record on issues that concern them, and has many links enabling interested people to contract their reps. Why not the EFF or Slashdot? Before the 2000 (USA) elections, I hope to see Slashdot/ANDN invest some of their upcoming IPO cash in a "Slashdot slate".
JMC
I "line item veto" stuf in contracts w Big Co's. (Score:1)
Re:Where I think the system breaks down (Score:1)
For a digital signute system, as I've said in another post, you'd want to use a notary system (and I'm sure banks would be a good place to do this) where you have to have your key signed by a certified agent, who then uploads your public key into a public, central repository.
--
If this were 1776 (Score:2)
Couldn't resist.
Re:Ugh...more e-mail (Score:1)
Actually, I'd prefer to stick with the pen and paper route, if I so choose. My belief is this: If I sign something in pen and paper, you will communicate with me via paper. If I sign it electronically, you will communicate with me digitally. The problem I have with this bill is it doesn't allow the choice. It says that they have to notify you that you will receive electronic notices, but they don't have to give you the chance to say no unless they want to (and if electronically reduces their costs, they won't want to).
2) You use a very primitive email reader (one that only displays ASCII), while this isprobably good enough for most applications, the majority of users uses a more advanced mail client (one that allows HTML layout).
I suspect that users of pine, mutt, Eudora Lite, Pegasus (which may now support HTML) and people with low speed connections heartily disagree with you. I use Outlook Express 5, and can receive HTML messages. However, I also use a cellular modem to download the same messages, and do not want to suck a huge HTML message down a 9.6k straw. My original intent was to point out that not everyone who is "electronic" uses, or even likes, HTML messages, and may not even be capable of receiving them. (Outlook is set to convert everything to text for me)
Email is rather popular these days but many people still don't check their email on a daily or even weekly basis.
And, as I stated earlier, what happens if your computer is down when that all-important notice arrives? I've never had my outside mailbox self-destruct, but I have had my computer lose all traces of my e-mail (which may have arrived before my latest backup).
--------------------
"It's computerised, so it couldn't be forged!" (Score:2)
"...or email viruses, and anyway as long as you don't open attachments and are sure to use the latest software, you're absolutely safe..."
Sorry man: I don't trust you or your argument. You're drunk on technology, which is great, but it's blinding you, and that's not great. I'm still stubbornly in favor of keeping as many sanity checks and old technologies effective as I can. I use plaintext email and news. I write receipts for computer repair I do on carbon paper receipt pads and have a set of file folders with all my papers organised by year and quarter. I write checks on paper, and sign them with my laborious signature. I _hate_ writing with a pen, always did, but I'm not gonna give it up for you. My checks, for instance, have certain common features all my own- if I draw a slash there is _never_ a 35/100 on it as if it were a fraction, and my signature uses some print characters rather than cursive characters. If I was to use digital signatures I'd be buying them pre-made- probably from Microsoft, as they'd try to kill everyone else in the area. Sorry, no way. I may be a programmer, I may be a geek, I may be totally 'wired' but that doesn't make me a _fscking_ _idiot_.
Simple. (Score:2)
Thank you for being one of our most valued customers! DigSigSecurityCode: HKJGHJ77867B5BMBNBHF56786876GGFNDRFGUH5745V"
Smoke, mirrors, and FUD (Score:1)
If we want the legally recognized ability to execute binding contracts via the internet, we must keep pounding on Congress until they can come up with a decent bill and the support needed to override any presidential veto. This one will surely not make it past Clinton's desk.
In order to create solid digital signatures, we must first have strong encryption -- of course, privacy is a threat to our national security, because terrorists might use it to discuss their plans to build weapons of mass destruction. Yeah, yeah, that's it. There's no way that a terrorist seeking to build a thermonuclear device is going to risk being busted for exporting encryption software.
Re:Here's the difference: (Score:2)
To put it in catastrophic terms: say Bob the Cracker figures out how to crack the sigs, and then loots thousands or even millions of people's life earnings from a desert island. All the while canceling insurance, selling your house, and basically making it look like somebody moving to a desert island.
The simple hassle of settling the whole thing increases greatly when you have the absolute remote access capability that a digital signature can offer.
Re:Georgia (Score:2)
I agree that a statute providing that any electronic signature constitutes notice to a would-be recipient would be unconcionable, inviting all sorts of foul conduct. I saw little in this bill to do that -- to the contrary, all it provides is that the electronic writing wouldn't FAIL TO BE NOTICE, just because it was electronic.
I actually think the solution is to state that notice must be accomplished in such manner as to ACTUALLY OR REASONABLY BE CALCULATED TO GIVE NOTICE, rather than quibble about the technoloy used to do so -- which will change over time. If an obscure means is treated as a notice, whether paper or otherwise (for example, as fine print hidden in a document purporting to be junk mail selling magazines), it is not treated as notice, notwithstanding the fact that it is most assuredly a writing.
Why should electronic instruments be any different? If a reasonable person in the place of the consumer (or if its consumer protection legislation, like insurance), then a reasonable idiot in the place of the consumer would consider they had notice, why does it matter if it arrived by e-mail? Likewise, if the manner used was sneaky, regardless how it was given, why does it matter whether it was in writing?
If a person uses e-mail for every interaction in his or her life, and receives an e-mail, reads it and actually got notice, why should she be able to rely upon a technical defense of the "non-writingness" of the e-mail? Why should it matter for these purposes whether the notice used digisigs?
Re:Supporters=Microsoft! EULA is now legally bindi (Score:2)
This is also the law in almost every jurisdiction today anyway. Further, no writing would be required for many license provisions in any case -- the statute of frauds may not apply, particularly if the package price is less than $500.00.
Re:A bad thing, or merely ignorance? (Score:2)
Re:A few answers . . . (Score:2)
In short, a lawyer's answer: it depends.
(2) unlikely, and probably an unfair interpretation of the statute or its consequences.
(3) I am on the fence on these subtle religious points.
These problems are also true of written signatures (Score:2)
Pen-and-ink signatures cannot be strongly authenticated, or strongly bind the signature to whatever is being transmitted (indeed, forging and lifting paper signatures is a trivial exercise).
While I cannot argue with the proposition that assymetrical encryption is clearly superior, done right, to pen-and-ink signatures, this does not render electronic documents not asymmetrically encrypted inferior TO PEN-AND-INK signatures (or X-marking, cow shaving, foot casting and other bizarre but legally valid signatures)
Re:Possible Problem: Protocols (Score:2)
Your exactly right, I've almost lost my faith in the whole slashdot community over this whole thing. If you read the bill
http://thomas.loc.gov search for h. 1572.
You will read that all this bill does is set up a panel to investigate how to properly impliment digital signatures, and then to require the federal government to accept them within a year. (Only requiring feds to accept.. not private companies/citizens) And sets up another panel for giving recommendations on creating a private digital signature legal framework no later than a year from now.
THATS IT!.
the reason all the commotion is that the Democratic party decided that instead of waiting till the panel came with its conclusions and then trying to form law around that. That they needed to add an ammendment to this bill to force the later laws to be changed in certain ways. So they veto it.. not even knowning what the eventual law is going to be. Anyways I already posted a comment [slashdot.org] quoting parts from the bill explaining this. But was a few hours late to stop the spread of this horrific FUD implimented by the opposition to this bill, and the mass media.
US sales tax a mess - Re:I dont know about you... (Score:1)
Not with this country's quaint laws on sales tax - I'm in Austin TX, Dell's here in town, so I pay 8.25% to the Lone Star tax collector for the privilege of doing e-commerce with them. But Red Hat's in North Carolina, so I don't pay sales tax to *either* state when buying from them. More than makes up for the postage. But does it make sense?
Whole towns with names like like Nowhere NM and Brigadoon ID subsist on the mail order business due to this quirk in US law. (Get your combined bean slicer and back scratcher, just 19.95 + 5.95 shipping and handling...)
I won't even get started on the fact that there are 6,500 local state tax regions all with their own concept of what should and shouldn't be taxed, and different categories and sets of rates. In Europe, they think they need to simplify the fact that each whole country has a different, single VAT rate, poor souls.
On the security issue, apart from the fact that it is harder to judge who you're dealing with, using credit cards on the net is generally safer than using them over the phone.
In a physical store, at least here in Texas, no-one EVER checks signatures, so if you lose a card, you're hosed. A colleague's wallet got swiped from work, and they ran up $9000 in 90 minutes before Amex's computer jangled alarm bells. Don't know if it was smart software, or it just hit the credit limit - probably just the latter.
Re:Has everyone forgotten? (Score:1)
As a corollary to the fact that they have to work at all, which means that (a) the algorithm to perform them executes quickly and (b) the plaintext contains sufficient redundancy to verify it has been successfully decrypted, most if not all public key systems are subject to an NP exploit based on simply guessing a key and trying it.
Roll out that quantum computer.....
Re:Georgia (Score:1)
I actually think the solution is to state that notice must be accomplished in such manner as to ACTUALLY OR REASONABLY BE CALCULATED TO GIVE NOTICE
Do you think, therefore, that the bill is designed to not exclude the use of digital signatures as evidence of transactions merely because they are digital signatures (apart from the specific exclusions) - which seems logical?
If so, what do you think the people opposing the bill are worried about then?
---
Talk about (Score:1)
DVD's can be copied because they use extremely weak encryption [wired.com]. Any widespread usage of legally binding digital signatures would require that the U.S. relax its export regulations -- unless, of course, we want the rest of the world to leave us behind in yet another way.
Pen-and-paper signatures are laughably weak. I once had a boss who asked me to forge his signature at work; he was out of the office knew that any scribble that I made on the paper would count. (For the record, I flat-out refused.)
-- Rene