Electronic Signatures Now Legal? 164

xpird writes "CNN is reporting this. -- A new federal law taking effect Sunday gives e-signatures the same legal standing as their handwritten counterparts, a significant change that promises new opportunities and risks on the Internet." Considering the amount of forged e-mail I get, this is gonna get interesting.
  • by Jerf ( 17166 ) on Monday October 02, 2000 @04:39AM (#739661) Journal
    I've been tracking this on my site for a while now (see URL in header above), and Slashdot has unfortunately picked one of the crappier online articles on the topic to post a link to.

    The linked article talks about the potential dangers but tries to reassure us that "the experts" are saying it's OK. The problem is, the critics are right about the dangers of your signature being stolen. (Cryptographic-type people may note that reasonably safe systems can be created, but you can still hack a computer and snarf the signature key itself, which is pretty darned hard to protect against and still have a system usable by normal people in the real world.) What this article doesn't mention is the total lack of online fraud protection.

    Under the terms of this law, if your electronic signature gets stolen and used, there are no provisions to make you not liable for any charges that are racked up, meaning at the very least that if a signature is stolen, you could be looking at a total destruction of your credit rating, should you choose not to pay for the thief's actions, or arbitrarily large bills, if you choose to.

    This is in stark contrast to credit cards, where, subject to certain rules involving speed of notification of fraud upon discovery, your liability is limited to $50, no matter how much your stolen credit card number is used against your will.

    Despite my excitement at seeing the idea of digital signatures accepted, I must strongly recommend against using them in their current form. I'm hoping "That couldn't possibly have been my signature because I've never used a digital signature before" will be an adequate defense...

  • Have you ever posted something other than "Bababooey to you all"?
  • Anyone wanting to really use digital sigs for authentication purposes had better keep hard evidence of all changes to their key pairs - store them on read-only media along with the revocation notices for previously used keys and then get the government to timestamp 'em for you by posting them to yourself via registered mail and never opening the envelope when it arrives.

    Guess we'd all better start including disclaimers in our standard email .sig saying "Unless I cryptosigned this document it does not constitute a binding digital signature" or something to that effect too.

    Paranoid? Me? Surely not...

    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

  • Would I trust the dutch government (you guessed it, I'm dutch) to manage my signatures? Maybe, provided that they have some process in place that maintains a certain level of quality.

    It's all a matter of trust. Trust no one is not an option and will hurt you economically if others do take the risk, nor is trust anyone. The truth is in the middle. I live in a country where I think I can trust the government to provide me this kind of services.

    While you may trust a government agency to do the right thing, you must remember that it is made up of individual people... some of whom may be likely to tamper with or steal your signature, validation key, or whatever they end up storing for their own personal gain, revenge or other motives. I don't trust government agencies any more than I trust a corporation to maintain and secure my privacy. Echelon, Carnivore, states selling their databases to advertisers (drivers licenses, etc are public data and in some US states the databases are sold just like the list marketing assholes do), etc should go to show what happens when an agency at large gets too big for its britches/has too much power. Now, imagine each of those agencies with 1% of their employees being unscrupulous and the damage that those individuals could do to someone...

  • I personally hate the idea of digital signatures for the reason illustrated (and yes, oversimplified) in the Subject of this post. For digital signatures to have value means that, like credit-card numbers, there will be steady and skilled attempts to steal and use them.

    I think we'll get spanked on this one.

  • The subject references the fact that even if expressing his honest opinion, AFCArchvile is at heart, a troll.

    But I thought I'd just relate a little international e-shopping experience I had the other day. I was sitting at home in Connecticut, instant messaging my friend in Colombia (you know, the place where cocaine comes from.) At the time, she was busy making hotel and car reservations online for her next vacation, while I was busy ordering some bicycle accessories and exercise equipment. Neither of us had to spend any time on hold, talking to an undertrained operator who's not familiar with their product line. Or worse, sitting in traffic. Instead, we chatted with each other in between filling out HTML forms.

    Sure, the e-industry is filled with marketdroid buzzwords and hype. But that shouldn't bother you any more than the next Jon Katz story about killer high school students whose Luddite tendencies have erotic undertones; just ignore it and go about your life.

  • This happened to me a few years ago:

    I was paying bills and it was getting late, and I mixed up a couple of checks. The county got my dental payment (made out to my dentist for, say $80), while my dentist got my taxes, made out to the county for about $1000.

    Result: The dentist cashed the check for the face value, and the county cashed the check as if it were for the money owed them. The bank ended up paying out $2000 instead of the $1080. Yes, and I got the overdraft fees. (The dentist refunded the money quickly once they figured out what happened.)

    I'm less dismayed that the dentist was able to cash the check made to the county than the fact that the county was able to take an $80 check and cash it for $1000.
  • They will certainly work, if the problem of authentication can be convincingly solved. Having circulated a popular initiative petition in California, I am convinced that given the opportunity people would gladly sign a petition online.

    The problem with e-petitions is not response rate; it's the integrity of the signature. People handwrite passphrases on Post-Its and keep them in "passphrase.txt" files; as long as this happens, forgery will be very easy.

    Now forgery of an electronic signature on an initiative petition would be election fraud, punishable by severe fines, but would this be an effective deterrent? Unclear at best.

  • "The subject references the fact that even if expressing his honest opinion, AFCArchvile is at heart, a troll."

    A troll with a 33 karma, I might add!

  • what e-signatures will do is make signature fraud substantially more difficult to accomplish

    This is a nice post, but like many people here, you're confusing e-signatures (zero security) with digital signatures (cryptographic mechanism). Unfortunately, Congress picked the wrong one to make legally binding as well. :(

  • Perhaps I'm being stupid, but I don't really see how this is any worse than the situation with non-e-signatures

    Suppose someone shows up in court with a document with what looks like my signature on it. This is evidence that I signed it. But I can introduce evidence that I didn't (e.g. by saying I didn't). It's then up to the other person to show that I really did - e.g. by comparing it to real examples of my signature, or getting a handwriting effect in. And ultimately the court/judge/jury will have to decide whether on the evidence I did or did not sign the document.

    Similarly, someone may claim they have my electronic signature, but they still need to be able to prove to a court's satisfaction that I actually signed what they're holding. Depending on the sophistication of the technology used that may be more or less difficult.

    If one forgets normal Slashdot paranoia and accepts that the courts have a certain amount of common sense, where's the problem?

    Don't forget that we've had technology around for 20 years that allows easy, undetectable duplication of signatures - fax machines. And yet the sky hasn't fallen.

    There may easily be something I've missed - for a start I haven't seen the text of the act itself (URL anybody?). But I haven't seen anything here on Slashdot that points out any actual problems.
  • This was asked a while ago, but I guess it's useful to ask it again (sorry, I'm too lazy to dig up the URL):

    Q: Why sign something? In real life, when you sign something it means you said it and mean it. If you don't sign it, it's just chatter. So why sign stuff on the Internet?

    The answer previously was that digital signatures aren't valid "signatures" and the value of them only is in that the recipient can know for certain who sent it.

    How does this bill change this situation? Can a signature you meant to be only assurance that you have sent it be used law-bindingly? Where's the difference?
  • by Palin Majere ( 4000 ) on Monday October 02, 2000 @04:40AM (#739673)
    You know that 'Accept' button you clicked on as part of the Microsoft installation process? You know, the one about the EULA?

    Start reading it. Really carefully.
    To quote the CNN article:
    But the expanded definition of legal signatures and flaws in the technology could contribute to fraud. The law does not specify a type of technology for e-signatures. They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page.
    (emphasis mine)
    This means that the EULA you're clicking 'Accept' for can now be as legally binding as, oh, say, a loan from a bank. Or a bill of sale.

    Watch for Microsoft's next version of its EULA, where you agree not to compete with the company for the next 5 years. Or watch for the inevitable rash of popup boxes that require you to hit 'okay' to get rid of. Never mind the fact that when you hit okay, you're legally signing away all your worldly possessions.

    Who needs the DMCA to trample our software rights? This law will do it all for us by itself...
  • "They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page."
    How about a new virus that automatically transfers $1000 from every MS Outlook (C) user's bank account to some Swiss account?

    LastWOLF
    "Take your wings, go out and fly.
    Learn, read and soar the sky."

  • It's actually been legal since July this year. However, you wouldn't know it. We still send all of our contracts out from here FedEx around the world even though all of our authors have e-mail. And most companies won't allow digital signing of things (except of course for credit card transactions). However, the Royal Mail is supposedly going to be sending out digital signatures to everyone (or nearly everyone) so that we can use that to prove it is us and obviously the Royal Mail will vouch for its authenticity.

    So far, there haven't been any high profile court battles over this - or none that I have heard of anyway.

  • Think an unsigned check is "worthless"? Think again, simply writing a check and giving it to someone as a payment makes that check a legal instrument and it CAN be cashed sans signature (although quite often the bank may try REALLY REALLY REALLY hard to get a signature before they will honor it).

    Not really related to the topic, but can you point me somewhere that states this assumption? Somewhere besides /. I mean..

    Thanks!
  • So what do you do nowadays when you're worried about the validity of an ink signature being disputed? Right -- you get the document notarized.

    I don't see how things would be much different with e-signatures.

    Hey, how do I get licensed as an e-Notary-Public?

  • Postscript: Current fraud laws may provide some level of protection, which is why I hope claiming that you've never ever used one might help somehow, but as our society found them unacceptable when credit cards were developed, I think what protections may exist are just as unacceptable now.
  • I imagine that much of this was discussed back in June [slashdot.org] when Congress was still thinking about it, but we're all going to rehash it anyway, so I'll put in my two cents.

    The "E-signatures" referred to in this bill are not synonymous with digital signatures. As the article itself states:
    • They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page.

    In other words, the law actually makes really stupid things legally binding. A signature in the real world sense is a mark of authenticity. Yes, this check is really mine, yes it's really me taking 20 dollars out of my bank account, etc. How can clicking an acceptance button compare to these things? Yes, I realize that real signatures can be faked, but there's a law to handle that. I have a hard time comparing falsely clicking a button to forging someone's signature.

    Furthermore, this bill in no way applies to forged mail headers, and it isn't going to cut down on your spam. It doesn't require people to use E-signatures, it just makes them more legally binding.
  • This bill was signed into law three months ago, and was discussed quite a bit in the weeks/months preceding. It's even been discussed here on Slashdot [slashdot.org].

    Too late now, it's law. Everyone had their chance over the last year to get this thing knocked down, or looked at critically by technical folks. Best you can hope for now is an amendment or that something will come along to strike it down.

  • How is this "easier to break" than existing forgery methods? I mean, if you ask me, pen and paper forgery has got to be one of the simplest methods of committing fraud. Or how about the telephone or the mail or fabricated ID cards? As long as identification technology is hindered by those who fear progress based on the supposition that the crime of identity theft is somehow rampant and pernicious, we will be stuck with the simple tools (like photo cards, signatures, etc etc) which will always be easy to forge. The next step is ensuring that digital signatures are unique and tied to an individual in an inseparable way, like with a biometric method of some sort. Then security will be LESS of a concern as far as fear of criminals goes. Then we can get back to worrying about the government and corporations, like normal.
  • So I should no longer need to use my credit card to verify my age (Yahoo! made me do that to use my spam-trap email account). Now I can just digitally "sign" an affirmation of my age, right?

    Everyone knows that credit cards are not proof of age, but they use them anyways because it covers their ass, legal-wise. With "e-signatures" given the full force of law, they should be able to point to this law and use an "e-signature" form post button to prove your age with just as much ass-covering legality.
  • I saw the story on TV (forget which news station) and it showed some guy signing a form with a digitizing pad using a standard signature, and another guy "signing" by putting his thumb against a thumbprint reader.

    The one commentator said "If someone steals your credit card, you get a new one. What do you do if someone steals your thumbprint? Get a new thumb?"

    That's the gist of it. Once my signature is digitized, it can be reproduced and sent along with anything.

    The only way I can see this working is if it is some sort of secret that is known only to me, and it is revocable. I somehow doubt that that digitizing tablet and thumbprint reader on TV was using the data to unlock an internal secret key and using THAT to sign the data. No, I'm sure it was just digitizing the actual sig or print and sending THAT along.

    I also get very nervous signing credit card slips using digitizing tablets at stores now, even though I'm fairly sure it doesn't record stroke and weight. All you need to do is sign once some tablet that DOES do that, and then anyone can print out perfect stroke and weight sigs using a plotter and a pen. (In these cases, I alter my sig by signing the name of the store across my sig on the table...)

    I'd be more comfortable with a smart-card idea like the American Express Blue Card [americanexpress.com] than what I've seen so far. At least it's something only issued to you and it can be revoked.

    Yeah, things like PGP signatures could be used to do this, but I can't imagine the average person managing that correctly. I could easily, for example, go to someone's office at work and ask them to type in their PGP sig so I can debug their computer, then go back to my office and scarf their private key file. But I would have far less success going into their office and asking to borrow their smart-card for a while..

  • ...if you did it right.

    I had a job once doing programming and technical development of a device that allowed remote signatures.

    It used an overhead scanner and a plotter, in an electronically sealed box. Neither end could have the box opened during the transaction to prevent swapping of papers, and the stream was encrypted between 'em.

    It was legal as it met the requirements for a person actually signing a piece of paper in person.

    Remote tele-signatures!

  • The constitution doesn't allow for national ballot initiatives, but most states do. Get 5%-10% of voters signatures, and you've got a question on the ballot.

    And while collecting paper signatures requires an army of supporters at malls, airports, college campuses, etc. to collect the signatures in the allotted time, one person with a web site could do it.

    And IMO, people would be more willing to "click" their support for an on-line ballot measure, than to actually sign in person.

    I think legislators failed to think of this. Oops. More power to the people.

  • Once upon a time contracts were infrequent things. You signed a contract when you sold your house, maybe you signed a marriage license or other official documents. You could definitely say that what you signed was Important.

    Over time, the signature gets more play. Sign this W2. Sign this NDA. Fill out our Video Rental Membership Form. Don't forget your tax return... Oh, could you sign this liability release?

    Still, there was a natural barrier to presenting a contract. You had to provide the paper, get the signature, keep a copy on file, etc. Contracts for Stupid Shit didn't exist. No more.

    Now anything, no matter how stupid, can have a contract associated with it. Visit our website? First agree to our terms. Shop at our grocery store? Please touch this touch-screen first. The thing that distresses me about this, aside from the forgery aspect, is that it introduces a galaxy of new contracts into my world. Contracts I don't want to review, don't want to think about, and don't want to sign. Now I can sign them with a button.

    It would be nice to use technology to free me from this. How? For one, a proxy server that recognizes these "agreements" and "agrees" to them. Would this be legal? Right now, it's my best hope, next to Refusing to Sign.
  • This has been the case (to some extent) for some time in the UK. Indeed, an act of parliament was digitally signed recently, to show how up to date our lovely government is.
  • by spankenstein ( 35130 ) on Monday October 02, 2000 @04:19AM (#739688) Homepage

    I never filled out that signature line in the user prefs page!

  • This is a partial summary of the law. I am taking it from an "impact on application" document as we are implementing it for the hiring process in our stores. No more paper for you to sign!

    E-signatures can not be used on: wills, codicils, testamentary trusts, adoption laws, divorce laws, any matter of family court law, court orders, court notices, cancellation of utilities, repossession, foreclosure, eviction, cancellation of health or life insurance and bennies, transport of hazardous materials, and product recalls where health and safety are involved.

    Very important point to note: The signature must be bound to the document that is being signed. Which means if you sign this form, you cannot use the same sig on the next form. In our stores you must sign the little electronic pad 5 times. The very good part of this is if the binding process is not as good as it should be, the company that failed to bind correctly will be open to lawsuits from you to recover any losses through their negligence. Someone steals your sig from our db? We have to pay to fix it.

    Hope this clears up some of the fears. I have not seen the whole law but a lot of thought did go into it.
  • Here in the UK we've had electronic signatures deemed 'acceptable' by law for many years, long before the internet ever became popular enough for the law to take notice.

    Our law was specifically amended a while back to allow the 'electronic' signature of documents sent by fax to be binding.

  • This is Public Law 106-229, available in text [gpo.gov] and PDF [gpo.gov]. It is not clear to me that clicking on a web page's order icon or similar act will constitute an electronic signature. The original legislation defined an electronic signature to be something intended by the person to indicate agreement, but the final law defines it to be something executed with intent to sign a record. It seems to me an electronic signature is not created unless the person specifically intends to create a signature, not just agree to a contract.

  • All the time I spent forging my father's signature is now down the crapper...
    It's good to see the Feds are making laws that are easier to break. That's what they are there for, right? Keepin themselves in business. I think the Judicial Branch of Government has more bugs than windows....


    -- "Microsoft can never die! They make the best damn joysticks around!"
  • by dnnrly ( 120163 )
    Does anyone here actually have any confidence in signatures as they stand now? I certainly wouldn't! It's not even as if there's been some major development recently that suddenly changed everyone!

    dnnrly

  • If it were done right is the key phrase
    There are NO (zero, zip, nada) requirements for any encryption on the signature

    1) A button click (yes, that means EULA's) is a signature
    2) A press of a number on the phone is a signature (press 1 to sign...)
  • A point to remember is that the law enables eSigs--which is just about anything (X) or /S/GriffJon or whatever else. It's instructive to realize that physical signatures work the same way--a physical mark is a legally binding signature if it was made with 'the intent to sign'.

    Will there be fraud in eSigs? yes. There will be an immediate move towards digital (cryptographic) signatures, and higher security. This might even get more intelligent password use, or hell, even hardware solutions (smartcards, dongles, etc)

    The law is well-written, and in 5 years people will wonder how things got done before the ESIGN law.

    Naturally, a lot will happen in those five years, and people dealing with eSigs and certificates will have to deal with identity, accountability and such so as to get trusted eSigs.
  • Here in Europe the European Parliament passed a guideline last year (I think, or was it this year?) that would equal the electronic signature with a handwritten one. Now the EU member states have 2 years time to pass this into local law... So, this whole thing is not at all US only!!!
  • This is kinda a good idea, the problem is that we need more standardised technology for signature authentication.

    The most obvious problem is people hacking into your computer, and copying your signature. I'd suggest that storing the signature on external media (a smartcard would probably be good for this) should significantly help with that problem.

    Then there is the issue of your signature being copied, once it is sent. PGP offers a suitable service, where messages can be signed, allowing people to verify that the message came from you, without the "signature" being usable on other messages/documents.

    Perhaps an application which presents a document to be signed, and if you accept, signs it using a key stored on the smart card, before sending the signature back to the originator?

    Thoughts?
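
An added example, not part of the original thread: the difference the comment above draws between a copied "signature" and one that cannot be reused on other documents. A Lamport one-time hash-based signature stands in for PGP here so the code needs only the Python standard library (each key pair may sign one document only); all names and the sample documents are constructed for illustration.

```python
import hashlib
import secrets

BITS = 256  # length of a SHA-256 digest in bits


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(document: bytes) -> list[int]:
    """Bits of SHA-256(document), most significant bit first."""
    digest = _h(document)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(BITS)]
    public = [(_h(zero), _h(one)) for zero, one in private]
    return private, public


def sign(private, document: bytes) -> list[bytes]:
    """Reveal one secret per digest bit, so the result depends on the document."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(document))]


def verify(public, document: bytes, signature) -> bool:
    """Recompute the digest of the document actually presented and check
    every revealed secret against the public key."""
    if len(signature) != BITS:
        return False
    bits = _digest_bits(document)
    return all(_h(signature[i]) == public[i][bits[i]] for i in range(BITS))


def scan_check(reference_scan: bytes, document: bytes, attached_scan: bytes) -> bool:
    """A digitized handwritten signature: the only possible check is
    'does the attached image match the one on file'. The document is never
    consulted, which is exactly why a copied scan validates anything."""
    return attached_scan == reference_scan


def demo() -> dict:
    # Constructed sample data.
    order = b"I agree to buy one bicycle pump for $20."
    forged = b"I agree to buy one bicycle pump for $2000."
    scan = b"<bytes standing in for a scanned handwritten signature>"

    private, public = keygen()
    signature = sign(private, order)

    return {
        "scan_on_original": scan_check(scan, order, scan),
        # Anyone who saw the scan once can attach it to a different document.
        "scan_replayed": scan_check(scan, forged, scan),
        "crypto_on_original": verify(public, order, signature),
        # The same signature bytes moved onto another document fail to verify.
        "crypto_replayed": verify(public, forged, signature),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Keeping the private key off the general-purpose computer, as the comment suggests with a smartcard, addresses the separate problem of the key itself being copied; the code above only shows the binding of signature to document.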

  • As opposed to the statement that you agree to their terms when you open the CD?

    Guess what... you can still be brought to court for violating the EULA, even if you don't agree with it.

    A signature doesn't mean squat. Signatures can be forged. It's a signature, combined with a witness, id, etc. that people go by. Stop inventing a conspiracy.
  • Wow... then people would be voting solely on their conscience. What a concept.
  • A troll with a 33 karma, I might add!

    No accounting for taste!

    I had a 45-year old friend of mine express a similar sentiment to yours, in about 1995: "I really don't see the point of shopping on the web, I've never bought anything that way." Of course, in '95, options were more limited and perhaps he couldn't anticipate how things were going to change. (I noticed he still invested in tech stocks and made some money on the ride up, though.)

    But it's 2000 now, and he buys all sorts of stuff online. When I reminded him of what he had said, he laughed. The web and e-commerce is a fait accompli. In 2000, a Slashdot post saying "I hate shopping online" and "I've only bought two things online" is a troll, almost by definition.

    We all know you can't feel stuff online (well, not without a Vivid Video bodysuit [time.com], anyway.) You're not telling anybody anything new. Perhaps you don't buy things like software, CDs, CD-R disks, books, videos, electronics, and perhaps you don't book flights, hotels, or rental cars, and perhaps you don't purchase information in any form online. I, and millions of others, including many here on Slashdot, do. (Lately I've been renting DVDs online at netflix.com [netflix.com]: it rocks! No late fees or time limits; beats Blockbuster senseless.)

    So if you have something to say about why this all isn't good, or doesn't make sense, by all means, say it. But "I'm sick of this stupid "e-commerce"" isn't particularly constructive or interesting, and might just as easily be posted by a clever troll as by someone who really feels that way.

  • The way i see it, unless digital signatures are backed by cryptography, what's to stop me from "signing" something for you? How do you opt in and opt out of this thing? Do you have to show up at a government office and say "yes, i'd like my clicks to be legally binding". Or do you have to show and say "NO! I don't want to participate"? How many forms of ID do you need? Or can this be done via postal mail?

    Digital signatures are supposed to be HARDER to forge than real ones. Not just more convenient, otherwise we'll be seeing a huge rise in fraud... That means being based on public key encryption (I think), so everyone can verify you, but no one can be you.
  • by mcelrath ( 8027 ) on Monday October 02, 2000 @04:55AM (#739713) Homepage
    Guess we'd all better start including disclaimers in our standard email .sig saying "Unless I cryptosigned this document it does not constitute a binding digital signature" or something to that effect too.

    Ack, not cryptosignatures! Without a legal definition of what constitutes an electronic signature, this law is worthless at best, and extremely dangerous at worst. My GPG signature is 2 things: identity verification, and verification that the message hasn't been modified since I sent it. I DO NOT want it to constitute a legally binding order. If it always constitutes a legally binding order, how do we do identity verification and checking that a message hasn't been modified without the "signature" carrying more weight than it should?

    What's particularly dangerous is that the "--Bob" at the end of this message could be a signature. ANY SSL enabled website could have a button (that does anything in the world) that could be a signature. Anything sent electronically could be a signature!

    No. A signature should be something cryptographically verifiable, and protected from fraud. It should also be something that I have to sit down and create, with full realization that this is legally binding. How about a message containing only my name and the date, that is PGP/GPG signed. Whatever the case, this law is crap without some definitions.

    --Bob

  • by mindstrm ( 20013 ) on Monday October 02, 2000 @04:55AM (#739714)
    The purpose of the law is to make digital signatures (a purposefully vague term) have the same legal standing as written ones. This is because, BEFORE this law existed, it was very easy to dismiss most 'contracts' that didn't have a written signature.

    Now, in order to enforce something, you will *still* have to prove that a signature was that of the person who you think signed it. Just like with handwriting.
    Of course fraud can happen as well. That's what witnesses are for.
    If someone signs my name on a cheque, and buys something.. I can walk in and say 'look, this is NOT mine, I did not sign this'. Unless they can prove I did.. they are out of luck. Generally this can be done by handwriting analysis, fairly easily.
    For more serious contracts, there are *always* witnesses. Notaries even. People who actually ask you for ID as well before they notarize what's going on.

    So now, the point is, this can be done digitally, and the contracts can't be invalidated solely because the signature was digital.

  • If an e-signature were done right, adding it wouldn't make forging your signature any easier at all. Your kids will have a choice, and they will pick the written one because it's the one they have a chance in hell of faking. You're back to square one.

    Interesting that you picked your kids as the example.... I hope you're not really a parent.
  • I'm not sure.. there are rules stating what things a cheque needs to have in order to be valid.
    One of them is a signature from the issuer.

    The reason many cheques can be cashed without either party signing them, especially when deposited through ATMs and such, is that it is more economical for the banks to simply pass them all and deal with any issues that arise than it is to visually inspect each and every cheque.

    A check is not a contract per-se, it is an instrument of trade. The bank says that if you hand a document with your signature, your account number, the payee, and a few other minor details, they will honor it.
  • Neither.
    The law simply means that the signatures in and of themselves cannot be invalidated simply because they are not handwritten, and are digital.

  • Like in all legal agreements, they must first prove beyond a reasonable doubt that you did in fact agree to it.

    If this does anything, it gives you an easy way out of a contract that you do not want to honor... it does not however get you screwed by some "hacker".
  • I'm starting the process of being appointed as a Notary Public for my state[*], just because it's such a useful thing to be. Maybe we need something similar for the Internet -- volunteer witnesses who can be trusted. Possibly even professional witnesses (think the Fair Witness from Stranger In A Strange Land).

    [*] That would be the state of Ohio, not the state of confusion or state of delirium, thank you.

  • Want to NOT be nervous next time?

    REFUSE TO SIGN!

    REFUSE TO SIGN!

    REFUSE TO SIGN!

    In fact, refuse to sign, and if they hassle you, tell them why you are refusing to sign (the digitization/copying issue), and threaten to walk away and take your business "elsewhere". If they STILL refuse to cooperate - WALK AWAY - and go elsewhere (even if it means you must go out of your way, DO IT).

    YOU ARE IN CONTROL - NOT THEM!

    This works even better if you explain your reasoning when there are several people behind you. In fact, explain to the cashier and to those in line why this is a BAD thing - as well as how it can be improved - you seem to know enough about this to be effective. Explain it to the store manager as well (they are generally called when someone refuses to sign).

    Finally - don't sign in the box on the receipt. My paranoid side tells me that they probably just stuff these "manual" receipts into a bag to be digitised later. Call me paranoid, but if I were a business, or a company peddling this tech, that is what I would do (or in the case of the vendor of the tech, tout as a "feature" to prospective clients)...

    * Side note - I love to do this, every time I go to Best Buy, or Sears (don't go there much, though), or Home Base (Gah! At a hardware store now?!). I just love the look on the cashier's and manager's faces, like I was refusing to use a laser scanner for fear of radiation or something - heh, heh...

    Want to know another scary place that _may_ initiate it? The US Post Office. They have the machines needed, same as everywhere else - so far though, I haven't been asked to use it (when purchasing money orders for Ebay transactions)...

    I support the EFF [eff.org] - do you?
  • PureEdge [pureedge.com] offers a secure digital signature methodology that should be a solution to many of the questions raised here.

  • What would the most convenient device be for y'all?

    1. Magstripe card/reader
    Limited to a small key, really easy to clone. Easy to carry around.

    2. SmartCard/reader
    Slightly larger key, hard to clone. Still easy to carry around.

    3. Hardware dongle
    No key limit, hard to clone. Not so easy to carry.

    4. Trusted Software.
    No key limit, easy to exploit. No need to carry.

    Of course, the least secure (and most insidious) will be the "Click" signature, which I sincerely hope is legislated into oblivion.
  • E-Signatures are NOT cryptographically verified, and the law does not require them to be so. Digital Signatures are crypto, eSignatures include [X] and /S/Your Name and faxes and scans of your written signature (read the CNN article for a longer list).

    I agree, however, that authentication is going to be the real problem with eSigs. After a few forehead slaps, everyone will require cryptographically-verified sigs.
  • I don't know about the UK, but I would trust signatures that are unique for each transaction that would include a hash consisting of my signature serial number, my name, the other party's signature serial number (invoice number?) and the other party's name. A copy of all signatures gets sent to a third party repository. They should receive 1 copy from each of the parties that would match. All other copies would be returned as Check Fraud! After both parties receive confirmation from the repository the signature is valid. Only a system like that would work for me. A signature that does not get submitted by both parties (outstanding signature) is void in say 20 minutes. Out of serial number sequence submissions and unconfirmed signatures are rejected. It rejects duplicate signature submissions and hacked signatures. Each signature would be valid for only one transaction. All other uses would not be validated. Anybody find a security hole in this one?
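
The repository scheme proposed in the comment above, sketched in Go as an added example (not code from any poster). The names `Tx`, `Repository` and `Submit`, the choice of SHA-256 and the sample parties are assumptions; it also assumes the repository has already authenticated whoever submits a copy, which the comment leaves open and which matters because the hashed fields are not secret.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Window is how long a one-sided ("outstanding") signature stays alive.
const Window = 20 * time.Minute

var (
	ErrNotParty  = errors.New("submitter is not a party to this transaction")
	ErrDuplicate = errors.New("duplicate or already-used signature")
	ErrExpired   = errors.New("outstanding signature voided after 20 minutes")
	ErrSequence  = errors.New("serial number out of sequence")
)

// Tx holds the four fields the comment puts into the hash.
type Tx struct {
	SignerSerial   uint64
	Signer         string
	AcceptorSerial uint64 // e.g. the merchant's invoice number
	Acceptor       string
}

// Token hashes the four fields into the per-transaction signature value.
func (t Tx) Token() string {
	h := sha256.New()
	for _, f := range []string{fmt.Sprint(t.SignerSerial), t.Signer,
		fmt.Sprint(t.AcceptorSerial), t.Acceptor} {
		fmt.Fprintf(h, "%d:%s", len(f), f) // length prefix keeps field boundaries unambiguous
	}
	return hex.EncodeToString(h.Sum(nil))
}

type firstCopy struct {
	from string
	at   time.Time
}

// Repository is the third party that must receive one copy from each side.
type Repository struct {
	last    map[string]uint64    // highest serial accepted per party
	pending map[string]firstCopy // token -> the copy still waiting for its match
	used    map[string]bool      // tokens already confirmed or voided
}

func NewRepository() *Repository {
	return &Repository{last: map[string]uint64{}, pending: map[string]firstCopy{}, used: map[string]bool{}}
}

// Submit records the copy sent by `from` (assumed to be authenticated by the
// repository beforehand). It returns true once both copies have arrived in time.
func (r *Repository) Submit(from string, tx Tx, now time.Time) (bool, error) {
	var serial uint64
	switch from {
	case tx.Signer:
		serial = tx.SignerSerial
	case tx.Acceptor:
		serial = tx.AcceptorSerial
	default:
		return false, ErrNotParty
	}
	tok := tx.Token()
	p, waiting := r.pending[tok]
	if r.used[tok] || (waiting && p.from == from) {
		return false, ErrDuplicate
	}
	if waiting && now.Sub(p.at) > Window {
		delete(r.pending, tok)
		r.used[tok] = true // a voided token can never be revived
		return false, ErrExpired
	}
	if serial != r.last[from]+1 {
		return false, ErrSequence
	}
	r.last[from] = serial
	if !waiting {
		r.pending[tok] = firstCopy{from, now}
		return false, nil
	}
	delete(r.pending, tok)
	r.used[tok] = true // valid for exactly one transaction
	return true, nil
}

// T0 is a constructed timestamp for the demonstration.
var T0 = time.Date(2000, 10, 2, 12, 0, 0, 0, time.UTC)

func main() {
	r, tx := NewRepository(), Tx{1, "alice", 1, "shop"} // constructed sample parties
	fmt.Println(r.Submit("alice", tx, T0))                   // first copy, still outstanding
	fmt.Println(r.Submit("shop", tx, T0.Add(5*time.Minute))) // matching copy arrives in time
	fmt.Println(r.Submit("shop", tx, T0.Add(6*time.Minute))) // replay of a used signature
}
```
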
  • by jilles ( 20976 ) on Monday October 02, 2000 @05:40AM (#739737) Homepage
    Petitions are a way of showing a government that a large part of the electorate supports a certain issue. Knowing and dealing with these issues is essential to any democratically elected government because failing to do so will hurt them.

    However, I think that it is too early for governments to adopt this sort of technology for voting and petitions. My main objection is that only a small portion of the population can be reached this way. In my opinion having an AOL account does not actually mean you know how to use the internet in an efficient way. Seen in this light, you'd reach about 20% (guestimate, don't kill me for it) of the population, dominantly male and generally with good education. Not exactly a representative sample of the population and basing government policies on the opinion of this elite would not be a good thing for democracy. Although you might argue that this is exactly the portion of the population that comes up with good ideas frequently.

    So maybe in a few years, when most of us know how to use the internet and related technologies (i.e. past the 'wow this is cool' stage), this is a good idea, but not now.
  • Great... how many "I didn't sign that" lawsuits are going to be necessary before they realize that this whole e-commerce thing is a huge mistake.

    Don't worry. In some jurisdictions, "I didn't sign that" won't be an admissible defence. It's called non-repudiation, and is state law in some places.

  • I'm reporting you right to Pater to have your UID revoked! 224634 shall live no more! (hey, I made it rhyme!)
  • As I have noted several times before, the law of signatures has NEVER BEFORE required that any particular technology or form be used to satisfy the statute of frauds. Period. You can sign, "Minnie Mouse," shave a slash on the side of a cow, make a plaster cast with a finger-mark in it, or any other fixation manifesting an intent to authenticate -- any or all of that can be enough.

    It is up to the people engaged in a transaction to worry about deniability, forgeability and so forth. A forged signature does not bind me to an agreement, and the most casual X on a contract I didn't read does. That's the way it is, and has been for hundreds of years.

    On the other hand, if you want to enforce an agreement, you will want to be able to prove that the signature existed and was signed by the person to be bound. If you accepted a difficult-to-prove, but legal technology, you should be prepared for the consequences. Likewise, be careful about the documents you sign, whether electronic or otherwise.

    The case law has already been clear that teletyped and typewritten documents can be binding agreements, and the bits of case law that have come to date all support the proposition that this law doesn't materially change the status quo. What it does do is to give comfort to those who would engage in high-stakes commercial transactions by electronic means -- who needn't fear that the enforceability of their documents may depend upon some seminal case based upon a new technology, however likely the result.

    That's what drove this legislation. The rest is already well-inscribed in the common law.
  • It's probably important to note that what the law means by "e-signatures" is NOT the same as digital signatures (like PGP-signing your e-mail).

    "E-signatures" are things like click-through licensing. "Click here to accept the agreement." "By pressing 'Accept', you agree to...". In other words, it's a way of making legally binding the bogus licenses that companies have been forcing on users for years (e.g., the Windows EULA).

    I highly recommend the following URL for great info on e-sigs:

    http://cryptome.org/esigs-suck.htm [cryptome.org]

    ~Mr. Bad
  • You can also make it illegal to allow corporations to indirectly give to politicians. Whether through incentives or what not.

    No you can't, not unless you're willing to shred the 1st Amendment. If you make it illegal for corporations to give money to politicians, then high-ranking officers of the corporation will give money allegedly as private citizens. Try to ban that, and they will instead give money to advocacy groups that will in turn give it to politicians. Ban that, and not only will they find another loophole, but you've directly violated the rights of speech, press, assembly, and petition.

    An alternative solution is for the government to stop passing unconstitutional laws that favor certain corporations; that way there would be no incentive to lobby and corporations would have to actually focus on producing what consumers want.

  • I say cheque because that's the appropriate Canadian spelling, but I'm actually referring to US law.

    I take this from the web page http://www.goodthink.com/$$parti.html
    I realize this is not really a legal citation, however..

    Here is the excerpt:
    Then my eyes caught sight of a small, pocket-sized book titled Negotiable Instruments and Check Collection, a guide for laymen. And plain as day, it listed the nine criteria for a negotiable instrument. Read for yourself what I read, and I believe you'll yell out loud just as I did when I came to the very last word:

    "1. Must be in writing.
    2. Signed by maker or drawer.
    3. Promise or order....A check usually meets the requirement because the drawee's name is printed and encoded on the face of the instrument.
    4. Unconditional....
    5. Order to pay money.
    6. Must be a fixed amount.
    7. Payable on demand or at a definite time....
    8. Payable to order or to bearer....
    9. No other undertaking or instruction. The final requirement of negotiability is that beyond the maker's order...the instrument must not contain 'any other undertaking or instruction'....The opposite issue is whether or not the parties can use a form that is a negotiable instrument and avoid negotiability by declaring, on the instrument, that it is not negotiable. The answer is yes, except for a check."

    BTW.. it's an interesting story. Basically, it amounts to the fact that a cheque cannot be made non-negotiable simply by writing 'non-negotiable' on it.

  • faxed signatures???? Oh c'mon, I was in 4th grade when I figured out how easy it was to copy my dad's signature from his checkbook onto my detention notices. (Of course I got caught one time when I left the notice in the copying machine!)
  • You don't even need a check! In fact, you can just give your bank account number over the telephone... Most banks will require the depositor to print out an actual draft, complete with account number in the special ink that can be read by the banks computer.

    Telephone checks and all paper drafts are established as a legal method of payment as provided in the Uniform Commercial Code, Title 1, Section 1-201 (39) and Title 3, Sections 3-104, and 3-403;

    Code of Federal Regulations, Title 12 chapter II, Part 210 and Regulations J, Federal Reserve Bank, Part 2, Sections 4a-201 to 4a-212. Only verbal agreement is required for authorization.

    Also see Romani V Harris, 255Md 389.
  • You're screwed because the burden of proof is on you... and it's oh-so-easy to hit 10 stores & legal agreements with your sig; it's a lot harder to get out of 10 purchases and legal agreements.

    And there's nothing limiting it to 10.

  • I'm not sure.. there are rules stating what things a cheque needs to have in order to be valid. One of them is a signature from the issuer.

    You say "cheque", the rules may be different in your country. I know this because in the US I operate a business, and this is one of the many things that I've learned "The hard way".
  • But in practice I've found that signatures are often meaningless unless you actually dispute things.

    I once forgot to sign a whole batch of checks. Sent them out to the power company, phone company, etc, etc.

    Only discovered this a month later when I got the cancelled checks back from my bank. Every single check had been honored.

    Good for me in that case, though a little frightening, to say the least...

  • Watch for Microsoft's next version of its EULA, where you agree not to compete with the company for the next 5 years. Or watch for the inevitable rash of popup boxes that require you to hit 'okay' to get rid of. Never mind the fact that when you hit okay, you're legally signing away all your worldly possessions.


    Holy Conspiracy Theory!
    No judge will ever allow something like that to hold up in court.

    And not even Microsoft would be so bold as to try something like that.

    Here's an easy way of getting out of a legally binding contract: "I'm sorry your Honor, but someone else must've been using my computer."

    Even contracts are pretty much useless unless you can verify the persons signature via eyewitness or otherwise.
  • Here's some bits from Finnish law:

    The signature must contain:

    1)The name of the signer and an unique id other than the SSN
    ....

    The signature must be based on encryption that is sufficiently secure and use publicly available specifications. It must be based on public key crypto or something that is at least as secure.

    ...

    Then some bits about how the CA must store the keys and how the users must be able to revoke their keys if they want to.

    Then some more bits about how your identity must be verified when you get one of these id's and also that the CA is liable if someone uses your key and it was their fault.

    The way they do it is issuing smartcards (which also work as a normal id card and are valid for travel inside most of Europe)

    There's some information about the Finnish system at http://www.fineid.fi/Default.asp?todo=setlang&lang=uk

    Works pretty nicely, supposedly even with Linux...

  • I'd just use the PGP "web of trust" concept, but with some extensions (and legal changes required as well).

    I see it as absolutely essential that the keys used be issued by some trusted group. However, I don't trust the government, and I don't trust Verisign; both are too big, located outside my community (so I can't come in and yell at them) and (as they've never met me as a person) don't really care for my interests. I'd put much more trust in my local notary public.

    One way of handling this: A licensed notary public could be given a key with which they could sign clients' keys. These notary public's keys would be signed by the government office which issued them, and these signatures backed by a central key.

    As for a set of hosts to store the public keys on, the existing PGP keyserver architecture seems to be doing just fine.

    If any notary was found to be dishonest or allow their key to be stolen, a revocation would be issued; their clients would then have to have their keys resigned by someone else.

    First of all, the fee is no longer ongoing.
    Second, decentralization is encouraged.
    Third, I'm dealing with someone local I can walk over to and yell at -- and (at least until I yell at them) who thinks of me as a Real Person. Don't underestimate the value of this.

    Yes, it's more expensive for the consumer. However, I think that's a Good Thing -- binding signatures are
  • Technically, I could take a dump on a piece of toilet paper, and write "I owe you $7" on it, and the bank should honor it. However since the world has a few people with common sense left in it (they're running the banks), that'll never happen.
  • No judge will ever allow something like that to hold up in court.

    And it has to hold up in court because...?
    Do you honestly believe the "average" American consumer would go to court against Microsoft to fight, say, an additional 5 dollar licensing fee snuck into the EULA?

    Large companies like Microsoft will threaten people with Lawsuits over the most inane details. See the recent thread on MS threatening the NTFS developers. The threat of a lawsuit is often far more effective in getting things done than the actual lawsuit itself.

    And not even Microsoft would be so bold as to try something like that.

    Right. And not even Microsoft would engage in blatant violations of a consumer's rights. And it would never invade a user's privacy with its online software update service. Or its web browser. And it would never, ever violate any anti-trust laws whatsoever. Did I mention that all those "bugs" people complain about in Windows are actually features?

    Oh wait. I guess it has, hasn't it? Saying Microsoft would never be so "bold" as to try something like this is begging them to do it. If not Microsoft, then certainly another company will. Don't be naive. If there's a way to exploit a law in a legal fashion like, there are plenty of companies that will leap at the chance to.

    Here's an easy way of getting out of a legally binding contract: "I'm sorry your Honor, but someone else must've been using my computer."

    Sure, you can claim someone else was using your computer. Microsoft will just claim you're lying and trying to escape the terms of the agreement.

    Can you prove you didn't install the OS on your machine? How about proving that you didn't accept the EULA when you started using it?

    Remember, thanks to the lack of definition as to what an "electronic signature" is, _using Windows_ could be viewed as a signature.

    If I were you, I'd read those EULA's very carefully before clicking on "I Accept". Especially if they require you to register your product with your name like Microsoft does. I know I will be.
  • So then you're limited to $1000. You can also make it illegal to allow corporations to indirectly give to politicians. Whether through incentives or what not.
  • by SeanTobin ( 138474 ) <`moc.liamtoh' `ta' `rtnuhdryb'> on Monday October 02, 2000 @04:22AM (#739769)
    Now that electronic signatures are legal, is it possible to create an electronic petition? Say, for the purposes of bringing the DMCA up to general election? It would seem to me that such an action would naturally be very easy over the internet. I'm sure CNN would love it too, "DMCA to be reviewed after government receives 12 million petition e-signatures"
  • ...a whole new generation of skr1p7 k1dd13z is pondering ways to twist this around for fun and profit. I wonder who will be the first to "sign" CmdrTaco up for a lifetime subscription to MSN.

    On the other hand, the whole concept of signatures is pretty ridiculous in the first place. How does putting one's name down in ink make something more valid than anything else?

  • The only thing that an e-signature confirms (cryptographically) is that the person who signed the document is the same person who owns the secret key. The word "owns" is a source of a plethora of problems: what happens if a key becomes corrupted (gets lost or stolen)? How is the connection made between the key owner (a user account on a computer) and the real person behind it?
    The latter problem can be solved in two ways - with a web of trust (PGP approach) or via certification authorities. The first approach has the advantage that it does not need a central authority and that it is decentralized. However, if someone has to relocate, he/she first has to build up such a "web of trust" again, which is clearly impractical for many people.
    With CAs (certification authorities), the problem is that there exist too many right now, and there is no standard procedure to establish the authenticity of the keys. In order to make this technology really accessible, public authorities would have to give out certificates as well. E. g. you go to the city hall and get a certificate for your public key in the same way you obtain a passport.
    The cryptographical problems have been solved (at least for now, unless new algorithms are detected), but the "real world problem" of authenticity will always remain. It is important to establish good practices to cope with that.
  • When it comes to signatures on paper, they must be done in permanent ink. No exceptions.
    I feel that this stupid e-signature fiasco will undermine all that. Sure, perhaps some e-sigs will change by only a few bytes, but that's corruption nonetheless, akin to this [flyingbuttmonkeys.com].

  • by photozz ( 168291 ) <photozz&gmail,com> on Monday October 02, 2000 @04:25AM (#739778) Homepage
    How are they planning to avoid rampant fraud? Haven't enough people lost their domain names through forged signatures already?? Reset my bank account pin #?? OK! Register a stolen car? No problem!

  • this is like giving a ten-year-old a loaded M-16
  • by um... Lucas ( 13147 ) on Monday October 02, 2000 @04:25AM (#739782) Journal
    The law does not specify a type of technology for e-signatures. They can be obtained through secured processes, like secret passwords or digital fingerprints, as well as unsecured ones, such as faxed signatures or clicking an acceptance button on a Web page

    Oh great. I just clicked a button and sold my house. Seriously, how could anyone pass such a vague law? If that's how the wording of the actual bill really is, then we're in trouble.

    I thought the entire purpose of digital signatures was to prevent forgeries, since signatures based on encryption algorithms are very hard to crack. And then it gets convoluted to the point that clicking a button on a non-secure webpage could constitute signing a contract? What next?
  • This is why you have certification authorities on the Internet, such as Thawte, Verisign, etc. They cross sign your keys and guarantee that anything cross signed by them is authentic. So naturally, before they cross sign, they verify that the person is authentic and the key belongs to him. They take responsibility in the case of any bad identity mis-haps.

    If somebody digitally signs a new credit card application "for me", and I don't find out for several months, what is Verisign going to "guarantee"? A situation like this could make life such a pain in the ass, that just about any "guarantee" isn't going to do much for me.
  • Simple petition:

    No Vote, No donation.
    Translation:
    Corporations do not have the right to vote, therefore cannot make campaign and party donations.

    I'd say that at least 85% of the population would sign this without a second thought.
  • by jilles ( 20976 ) on Monday October 02, 2000 @05:28AM (#739789) Homepage
    There's a chicken egg problem here. Digital signatures will not be safe & secure before we use them and technical issues won't surface until we use them. Using them will have to involve legal recognition.

    People will get burned using digital signatures, companies providing the technology for these signatures will respond by improving their technology.

    Of course nobody will want to be the person to get burned. My trust in both analog and digital signatures is not very high. Yet I sign checks, contracts, etc. all the time. However, in the long term I think it will be a lot harder to forge a digital signature than it is to forge an analog signature.

    I think the main issues are not technical. Would I trust AOL to manage my signatures? Probably not. Would I trust the Dutch government (you guessed it, I'm Dutch) to manage my signatures? Maybe, provided that they have some process in place that maintains a certain level of quality.

    It's all a matter of trust. Trust no one is not an option and will hurt you economically if others do take the risk, nor is trust anyone. The truth is in the middle. I live in a country where I think I can trust the government to provide me this kind of services.

    Countries all over the world are already giving digital signatures legal status. I know of several European countries and now apparently also the US. From now on it's a matter of economics. Digital signatures make it easier to do ecommerce which leads to certain cost savings. Countries which opt out won't benefit and will suffer economically. Remember, countries tried to opt out of the internet and most of them failed. Most of them are opening up or suffering economically because they refuse to do so.

    So, whether you trust it or not is not very relevant. The major advancement here is legalization. The technology is already in place and legalization will put it to the test.
  • Yup--I mean it. Spend a little time in the business world and you'll be amazed at how often a business process depends upon there being a signature on a document--without the slightest regard for whether or not that is your signature.

    For example, consider your checking account. When you opened the account you had to sign a card, right? So the bank could compare your signature on each check to prove that it's really you? Guess what--banks do not check signatures on checks. In fact, if you ask your bank to validate the signature on each check cashed they will typically charge you for the "service." So unless you allege that a check was forged, your signature at the bottom of that check is meaningless.

    Case in point: ABC News is a client. For some reason, known only to ABC's Accounts Payable department, they pay their invoices from a bank in North Dakota--on a joke of a check form. The bank name, transit routing numbers, and the signature are all printed in place on an old-fashioned chain printer--they don't even have one of those stamps that purports to be an authorized signature. The first time we got paid we looked at the check and said, "yeah, right. No way on earth is this going to be accepted by the bank." We took it to the bank in town, the teller looked at it, said, "are you going to be on TV?" and processed the deposit. Without any "signature" beyond the words "American Broadcasting Companies, Inc."

    I have a project starting later in the month designing a new system for a U.S. sports sanctioning body. As part of the entry process for competitions a competitor has to present copies of various documents (medical forms, membership cards, etc.). The system, in theory, depends upon the validity of signatures--but the forms are typically photocopied. It is child's play to create a phony medical certificate--in essence to cheat--using any $99 graphics program. But--if we assign the competitor a digital signature (using the PGP trust method), and counter-sign with a trusted medical provider and a date, we have a substantially more trustworthy certificate. It becomes vastly harder to cheat. We really, really like the idea of digital signatures--and we really, really hope that the client (the sanctioning body) will adopt the plan.

    It will be possible to cheat with e-signatures. You will hear horror stories repeated by breathless bimbos on the 11 o'clock news. But signature fraud happens all the time today--what e-signatures will do is make signature fraud substantially more difficult to accomplish, and therefore a crime that occurs much less frequently.

    IMHO, this is a very good thing.

  • You just don't pay. If they brought me to court over $5, then I'd show up, as myself, and tell the judge "I never agreed to anything, I don't know who did... those database logs could very easily be forged, and there is no witness to this legal agreement". The judge would then drop the suit because there _IS_ no evidence.
  • by JayFlatland ( 125245 ) on Monday October 02, 2000 @05:59AM (#739795)
    would be to implement a public key algorithm. Signing a contract would entail encrypting the contract with your private key. Verifying the contract would entail using your public key to see if the cyphertext decrypts to the original contract text. The problem that then arises is protecting your private key. Perhaps a standard method would be to use a type of removable media to prevent hacking and whatnot.
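
The public-key approach from the comment above, combined with the notary-signed key chain and revocation proposed earlier in the thread, as an added Go example that is not any poster's code. It uses Ed25519 signatures from Go's standard library in place of "encrypting with your private key"; the type and function names and the sample parties are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrNotaryCert = errors.New("notary key is not signed by the root")
	ErrRevoked    = errors.New("notary key has been revoked")
	ErrClientCert = errors.New("client key is not signed by that notary")
	ErrSignature  = errors.New("contract signature does not verify")
)

// Cert is one link of the chain: Issuer vouches that Key belongs to Subject.
type Cert struct {
	Subject, Issuer string
	Key             ed25519.PublicKey
	Sig             []byte // issuer's signature over certBody(Subject, Key)
}

// SignedContract carries the text, the client's signature over it, and the
// two certificates needed to trace the client's key back to the root.
type SignedContract struct {
	Text, Sig      []byte
	Client, Notary Cert
}

// NewKey generates a fresh Ed25519 key pair.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// certBody is the byte string an issuer signs. The key has a fixed length and
// comes last, so the subject cannot be confused with key material.
func certBody(subject string, key ed25519.PublicKey) []byte {
	return append([]byte("key-cert\x00"+subject+"\x00"), key...)
}

// Issue signs (subject, key) with the issuer's private key.
func Issue(issuer string, issuerKey ed25519.PrivateKey, subject string, key ed25519.PublicKey) Cert {
	return Cert{Subject: subject, Issuer: issuer, Key: key,
		Sig: ed25519.Sign(issuerKey, certBody(subject, key))}
}

// SignContract signs the contract text itself with the client's private key.
func SignContract(text string, key ed25519.PrivateKey, client, notary Cert) SignedContract {
	return SignedContract{Text: []byte(text), Sig: ed25519.Sign(key, []byte(text)),
		Client: client, Notary: notary}
}

// check wraps ed25519.Verify, which panics on a key of the wrong length.
func check(key ed25519.PublicKey, msg, sig []byte) bool {
	return len(key) == ed25519.PublicKeySize && ed25519.Verify(key, msg, sig)
}

// Verify walks the chain from the pinned root key down to the contract text.
// revoked is the set of notary public keys withdrawn by the issuing office.
func Verify(c SignedContract, root ed25519.PublicKey, revoked map[string]bool) error {
	if !check(root, certBody(c.Notary.Subject, c.Notary.Key), c.Notary.Sig) {
		return ErrNotaryCert
	}
	if revoked[string(c.Notary.Key)] {
		return ErrRevoked // every client key signed by this notary fails here
	}
	if c.Client.Issuer != c.Notary.Subject ||
		!check(c.Notary.Key, certBody(c.Client.Subject, c.Client.Key), c.Client.Sig) {
		return ErrClientCert
	}
	if !check(c.Client.Key, c.Text, c.Sig) {
		return ErrSignature
	}
	return nil
}

func main() {
	// All names below are constructed sample values.
	rootPub, rootPriv := NewKey()
	notaryPub, notaryPriv := NewKey()
	clientPub, clientPriv := NewKey()
	notary := Issue("State office", rootPriv, "Notary 17", notaryPub)
	client := Issue("Notary 17", notaryPriv, "J. Doe", clientPub)
	c := SignContract("I agree to pay $7.", clientPriv, client, notary)

	revoked := map[string]bool{}
	fmt.Println("valid chain:", Verify(c, rootPub, revoked))
	altered := c
	altered.Text = []byte("I agree to pay $7000.")
	fmt.Println("altered text:", Verify(altered, rootPub, revoked))
	revoked[string(notaryPub)] = true
	fmt.Println("after revocation:", Verify(c, rootPub, revoked))
}
```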

  • ZDNET reported [zdnet.com] Friday that if you have a Synaptics touchpad on your notebook they will be letting you download a fully licensed copy of Silanis [silanis.com] ApproveIt [silanis.com] software.

    I think it is only available currently for Windows, but there is a developer toolkit version that supports C++ so maybe there is hope for porting at the API to other OS's.

  • err it already is illegal.
  • Electronic signatures. The article does not even state of some type of standard for the electronic signatures. USA in the race in trying to be the first they are not looking ahead too much.
  • - Bruce Schneier makes a lot of good points -

    ``But some computer security experts downplayed the online dangers.''

    "It's always a risk between the criminals and the good guys. So the better they become at hacking it, the better we'll become at making it stronger," said Stratton Sclavos, CEO of Verisign, an Internet securities firm.''

    Great... how many "I didn't sign that" lawsuits are going to be necessary before they realize that this whole e-commerce thing is a huge mistake.

    If you really want something, buy it in person. The cost of traveling will be much, much less than the court costs of trying to get yourself out of a forged deal.
  • I saw in a news article a few days ago (of course, I forgot where) that two insurance companies (one is Chubb, I forgot the other one; damn, I'm getting old) are now offering insurance against identity theft. It really sucks that this is becoming necessary, but I am afraid that it is.
  • I will MAKE it legal.
  • by MorboNixon ( 130386 ) on Monday October 02, 2000 @04:29AM (#739804)
    "It's always a risk between the criminals and the good guys. So the better they become at hacking it, the better we'll become at making it stronger," said Stratton Sclavos, CEO of Verisign, an Internet securities firm."

    Banker: Oh my god! They broke in and stole all the money!
    Bank Guard: Yep! Them rascals sure are clever!
    Banker: What?!
    Bank Guard: A few more break-ins like that and we'll have the best security system in town!
    Banker: You're fired.
    Bank Guard: Well, I guess it's time for me to start up that online encryption monopoly that I've been dreaming about....
  • And how's it working there so far?

    -

  • by BrK ( 39585 ) on Monday October 02, 2000 @04:30AM (#739807) Homepage
    On the surface this seems like a great step toward the "Digital Future" (TM)(C)(R)(etc). However, even in Real Life when it comes right down to it, signatures have little value. Think an unsigned check is "worthless"? Think again, simply writing a check and giving it to someone as a payment makes that check a legal instrument and it CAN be cashed sans signature (although quite often the bank may try REALLY REALLY REALLY hard to get a signature before they will honor it). Other documents require a signature only to minimize the possibility that you can dispute the contract terms later.

    Digital signatures introduce a HUGE problem, they will lead the Sheeple (those that follow the "herd") to believe a level of safety has been added to the WWW that isn't really there. It also seems that there is almost NO way to verify the identity of the person who is signing the digital signature. This would also lead on-line merchants to possibly relax a little bit about credit card fraud, when in reality they now have a new form of fraud to look out for.

    I don't know what the right answer is, it is probably a smart card reader coupled with a fingerprint scanner as a form of ID. This would probably require a central database of people's info, though (so that you could "sign" for things anywhere, not just at your home PC), and we all know that big databases are a Bad Thing. Perhaps there is a better solution, or perhaps this will end up being an area where Real Life is safer/better than the 'Net.

  • by flieghund ( 31725 ) on Monday October 02, 2000 @04:30AM (#739808) Homepage
    "I think there's going to be a lot of work for consumer advocates and lawyers as the new e-signature law unfolds," said Susan Grant of the National Consumers League.

    Great. So lawyers get richer while every click of my mouse becomes a legally binding contract. Pay attention to this, boys and girls, this makes all those website disclaimers ("By visiting this site, you agree to the following terms and conditions...") legally binding.

    Well, in theory anyway. Anyone wanna test that one?

  • The way I see it, unless digital signatures are backed by cryptography, what's to stop me from "signing" something for you? How do you opt in and opt out of this thing? Do you have to show up at a government office and say "yes, I'd like my clicks to be legally binding". Or do you have to show and say "NO! I don't want to participate"? How many forms of ID do you need? Or can this be done via postal mail?

    I don't know. You could try reading the text of the law [loc.gov] yourself and see if you can figure it out. (Good luck trying to understand it without a lawyer's help!)

    Digital signatures are supposed to be HARDER to forge than real ones. Not just more convenient, otherwise we'll be seeing a huge rise in fraud... That means being based on public key encryption (I think), so everyone can verify you, but no one can be you.

    The law says nothing about digital signatures. It gives legal standing to electronic signatures, an extremely vague term. (Probably deliberately so.) Yes, this is vague enough that clicking a button on a license screen or web page might constitute an "electronic signature". Forget what you know about digital signatures; this is a different beast, and a very disturbing one.

    I tried to bring attention to this bill before it was signed by the President, but Slashdot rejected my submission:
    • 2000-06-27 20:19:19 UCITA-like e-signature bill will be law soon! (articles,usa) (rejected)
    Of course, the bird's already flown the coop now...
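
The distinction drawn in the comment above, between a click-style "electronic signature" and a public-key digital signature, shown as an added example that is not part of the original thread. It uses a Lamport one-time signature (chosen here because it needs only the standard library; each key may sign one message only), and the contract text, names and `click_record` format are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(message: bytes):
    d = int.from_bytes(H(message), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, message: bytes):
    # Reveal one secret per digest bit. Never reuse the key for a second message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]

def verify(pk, message: bytes, signature) -> bool:
    # Needs only the public key: anyone can check, only the key holder can sign.
    bits = digest_bits(message)
    return len(signature) == 256 and all(
        H(s) == pk[i][bit] for i, (bit, s) in enumerate(zip(bits, signature)))

def click_record(name: str, contract: bytes) -> dict:
    # Constructed "I Agree" record: a typed name and a document hash, no secret.
    return {"signer": name, "doc_sha256": H(contract).hex()}

def demo() -> dict:
    contract = b"Constructed sample: Alice agrees to pay 5 dollars."
    altered = contract.replace(b"5 dollars", b"500,000 dollars")
    sk, pk = keygen()
    sig = sign(sk, contract)
    random_sig = [secrets.token_bytes(32) for _ in range(256)]
    by_alice = click_record("Alice", altered)
    by_someone_else = click_record("Alice", altered)  # no key needed to "be" Alice
    return {
        "genuine": verify(pk, contract, sig),
        "altered_doc": verify(pk, altered, sig),
        "forged_sig": verify(pk, contract, random_sig),
        "click_forgeable": by_alice == by_someone_else,
    }

if __name__ == "__main__":
    print(demo())
```

The click record is indistinguishable no matter who produced it, while the signature fails as soon as the document or the signer's key differs.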
  • You're missing the point.

    It's not about the amount you have to pay. They could just as easily insert a clause specifying 500,000 dollars as 5.

    The fact is that they can do this now, and have specific Federal Law addressing this eventuality and backing them up.

    Would you rather it be an agreement to transfer the entire contents of your bank account to Microsoft? Or how about a contractual agreement where you agree to work for Microsoft at minimum wage for the next 5 years?

    The potential for abuse here is simply far, far too high.
  • The bank says that if you hand a document with your signature, your account number, the payee, and a few other minor details, they will honor it.

    Actually, that used to be the case, but nowadays most banks have a clause in your agreement you signed in order to get the account stating what is acceptable, and it usually mentions pre-printed checks in some way.

    Your mileage may most assuredly vary, of course.

    -
  • While your comment is relevant to referenda and elections, petitions are all about not-necessarily-representative minorities. They are used to determine if enough people care about an issue/candidate/party to bring it to the wider population. If all the signers of a petition use the internet, or are named Jilles, it doesn't matter, as long as there are enough signatures.

    And this is exactly how it works today. By gathering signatures door-to-door, or through mailings and calls to members, all sorts of groups with limited appeal manage to get issues, candidates, and parties on ballots.
  • by Frac ( 27516 ) on Monday October 02, 2000 @04:32AM (#739819)
    Now I can finally launch my e-marraige.com and e-divorce.com website.

    Speaking of security (or lack of) - click here [slashdot.org] to marry CmdrTaco!

    I'll link those two sites to each other to make things even more convenient - how's that?

  • I fully expect to see nearly all software refuse to fully install until it can register itself with corporate HQ somehow, either via an internet connection, or a modem call to some 800 number. It will present you with its EULA and require you to digitally sign and agree to the EULA under threat of non-rendering of SERVICES PAID FOR (your purchase price of the software).

    Did anyone really think this "digital signatures as legally binding as real ones" was ever meant to help out the average citizen?

    Here's proof that it wasn't. Govt's are now scared shitless because grass roots organizations have announced plans to have ON-LINE BALLOT INITIATIVE PETITIONS to get various propositions, etc., on state, county, and municipal elections. And hey! The digital signatures collected via the web are "as legally binding as paper signatures". Holy shit! We gave power to the people? This was supposed to just help corps and the UCITA. JUDAS! We gotta do something!

    So for this, I applaud the new digital signature bill. Because now it gives ME THE POWER to start writing new state legislation myself. Watch out corps., I've got a pen in my hand and web site running from my desk.
