Demonstrating that you "are who you
say you are" is generally known as "authentication". The most common form of
authentication, of course, is the signature. Its counterpart
in the online context is -- happily -- the "digital signature".
What is a digital signature?
A digital signature functions
for electronic documents like a handwritten signature does for printed
documents. The signature is an unforgeable piece of data that asserts
that a named person wrote or otherwise agreed to the document to
which the signature is attached.
A digital signature actually
provides a greater degree of security than a handwritten signature.
The recipient of a digitally signed message can verify both that
the message originated from the person whose signature is attached
and that the message has not been altered either intentionally or
accidentally since it was signed. Furthermore, secure digital signatures
cannot be repudiated; the signer of a document cannot later disown
it by claiming the signature was forged.
In other words, digital signatures
enable "authentication" of digital messages, assuring the recipient
of a digital message of both the identity of the sender and the
integrity of the message.
How is a digital signature used for authentication?
Suppose Alice wants to send
a signed message to Bob. She creates a message digest by using a
hash function on the message. The message digest serves as a "digital
fingerprint" of the message; if any part of the message is modified,
the hash function returns a different result. Alice then encrypts
the message digest [ ]. This encrypted message digest is the digital
signature for the message.
Alice sends both the message
and the digital signature to Bob. When Bob receives them, he decrypts
the signature [ ], thus revealing the message digest. To verify
the message, he then hashes the message with the same hash function
Alice used and compares the result to the message digest he received
from Alice. If they are exactly equal, Bob can be confident that
the message did indeed come from Alice and has not changed since
she signed it. If the message digests are not equal, the message
either originated elsewhere or was altered after it was signed.
Note that using a digital
signature does not encrypt the message itself. If Alice wants to
ensure the privacy of the message, she must also encrypt it [ ].
Then only Bob can read the message by decrypting it [ ].
For a suitable hash function it is not feasible for anyone
either to find a message that hashes to a given value or to find
two messages that hash to the same value. If either were feasible,
an intruder could attach Alice's signature to a false message.
Specific hash functions have been designed so that finding such
a match is not feasible, and they are therefore considered
suitable for use in cryptography.
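The sign-and-verify flow described above, written out as an added example (not code from the original page). It uses Go's standard-library RSA-PSS, which pads the digest rather than "encrypting" it raw, and a key pair and message constructed for the example; note that the message itself travels in the clear, exactly as the text warns.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Alice's side: hash the message, then sign the digest with her private key.
// RSA-PSS is used here in place of raw "encryption" of the digest.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Bob's side: recompute the digest with the same hash function and let the
// public key check that it matches the digest bound into the signature.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// runDemo generates a fresh key pair for Alice (constructed for this example),
// signs a message, and reports whether the genuine message verifies and
// whether a message altered after signing is rejected.
func runDemo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	msg := []byte("Alice agrees to pay Bob 100 dollars.") // constructed sample
	sig, err := signMessage(priv, msg)
	if err != nil {
		return false, false, err
	}
	genuineOK := verifyMessage(&priv.PublicKey, msg, sig)
	tampered := []byte("Alice agrees to pay Bob 900 dollars.") // altered later
	tamperedRejected := !verifyMessage(&priv.PublicKey, tampered, sig)
	return genuineOK, tamperedRejected, nil
}

func main() {
	ok, rejected, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine message verifies: %v\n", ok)
	fmt.Printf("altered message rejected:  %v\n", rejected)
}
```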
On June 30, 2000, President Clinton
signed the "Electronic Signatures in Global and National Commerce
Act," the terms of which can be seen below:
ELECTRONIC SIGNATURES IN GLOBAL AND
NATIONAL COMMERCE ACT
June 30, 2000.
[edited version]
[effective date: October 1, 2000]
SECTION 1. SHORT
TITLE.
This Act may be cited as the ``Electronic Signatures in Global and
National Commerce Act''.
TITLE I--ELECTRONIC RECORDS AND SIGNATURES IN COMMERCE
SEC. 101. GENERAL RULE OF VALIDITY.
(a) In General.--Notwithstanding any
statute, regulation, or other rule of law (other than this title
and title II), with respect to any transaction in or affecting interstate
or foreign commerce-- (1) a signature, contract, or other record
relating to such transaction may not be denied legal effect, validity,
or enforceability solely because it is in electronic form; and
(2)
a contract relating to such transaction may not be denied legal
effect, validity, or enforceability solely because an electronic
signature or electronic record was used in its formation.
(b)
Preservation of Rights and Obligations.--This title does not--
(1)
limit, alter, or otherwise affect any requirement imposed by a statute,
regulation, or rule of law relating to the rights and obligations
of persons under such statute, regulation, or rule of law other
than a requirement that contracts or other records be written, signed,
or in nonelectronic form; or
(2)
require any person to agree to use or accept electronic records
or electronic signatures, other than a governmental agency with
respect to a record other than a contract to which it is a party.
(c)
Consumer Disclosures.--
(1)
Consent to electronic records.--Notwithstanding subsection (a),
if a statute, regulation, or other rule of law requires that information
relating to a transaction or transactions in or affecting interstate
or foreign commerce be provided or made available to a consumer
in writing, the use of an electronic record to provide or make available
(whichever is required) such information satisfies the requirement
that such information be in writing if--
(A)
the consumer has affirmatively consented to such use and has not
withdrawn such consent;
(B)
the consumer, prior to consenting, is provided with a clear and
conspicuous statement
(i)
informing the consumer of
(I)
any right or option of the consumer to have the record provided
or made available on paper or in nonelectronic form, and (II) the
right of the consumer to withdraw the consent to have the record
provided or made available in an electronic form and of any conditions,
consequences (which may include termination of the parties' relationship),
or fees in the event of such withdrawal; (ii) informing the consumer
of whether the consent applies
(I)
only to the particular transaction which gave rise to the obligation
to provide the record, or
(II)
to identified categories of records that may be provided or made
available during the course of the parties' relationship; (iii)
describing the procedures the consumer must use to withdraw consent
as provided in clause (i) and to update information needed to contact
the consumer electronically; and (iv) informing the consumer (I)
how, after the consent, the consumer may, upon request, obtain a
paper copy of an electronic record, and
(II)
whether any fee will be charged for such copy;
(C)
the consumer-- (i) prior to consenting, is provided with a statement
of the hardware and software requirements for access to and retention
of the electronic records; and (ii) consents electronically, or
confirms his or her consent electronically, in a manner that reasonably
demonstrates that the consumer can access information in the electronic
form that will be used to provide the information that is the subject
of the consent; and
(D)
after the consent of a consumer in accordance with subparagraph
(A), if a change in the hardware or software requirements needed
to access or retain electronic records creates a material risk that
the consumer will not be able to access or retain a subsequent electronic
record that was the subject of the consent, the person providing
the electronic record-- (i) provides the consumer with a statement
of
(I)
the revised hardware and software requirements for access to and
retention of the electronic records, and
(II)
the right to withdraw consent without the imposition of any fees
for such withdrawal and without the imposition of any condition
or consequence that was not disclosed under subparagraph (B)(i);
and (ii) again complies with subparagraph (C).
rights.--
(A) Preservation of consumer protections.--Nothing in this title
affects the content or timing of any disclosure or other record
required to be provided or made available to any consumer under
any statute, regulation, or other rule of law. (B) Verification
or acknowledgement.--If a law that was enacted prior to this Act
expressly requires a record to be provided or made available by
a specified method that requires verification or acknowledgment
of receipt, the record may be provided or made available electronically
only if the method used provides verification or acknowledgment
of receipt (whichever is required).
(3)
Effect of failure to obtain electronic consent or confirmation of
consent.--The legal effectiveness, validity, or enforceability of
any contract executed by a consumer shall not be denied solely because
of the failure to obtain electronic consent or confirmation of consent
by that consumer in accordance with paragraph (1)(C)(ii).
(4)
Prospective effect.--Withdrawal of consent by a consumer shall not
affect the legal effectiveness, validity, or enforceability of electronic
records provided or made available to that consumer in accordance
with paragraph (1) prior to implementation of the consumer's withdrawal
of consent. A consumer's withdrawal of consent shall be effective
within a reasonable period of time after receipt of the withdrawal
by the provider of the record. Failure to comply with paragraph
(1)(D) may, at the election of the consumer, be treated as a withdrawal
of consent for purposes of this paragraph.
(5)
Prior consent.--This subsection does not apply to any records that
are provided or made available to a consumer who has consented prior
to the effective date of this title to receive such records in electronic
form as permitted by any statute, regulation, or other rule of law.
(6)
Oral communications.--An oral communication or a recording of an
oral communication shall not qualify as an electronic record for
purposes of this subsection except as otherwise provided under applicable
law.
(d)
Retention of Contracts and Records.--
(1)
Accuracy and accessibility.--If a statute, regulation, or other
rule of law requires that a contract or other record relating to
a transaction in or affecting interstate or foreign commerce be
retained, that requirement is met by retaining an electronic record
of the information in the contract or other record that--
(A)
accurately reflects the information set forth in the contract or
other record; and (B) remains accessible to all persons who are
entitled to access by statute, regulation, or rule of law, for the
period required by such statute, regulation, or rule of law, in
a form that is capable of being accurately reproduced for later
reference, whether by transmission, printing, or otherwise.
(2)
Exception.--A requirement to retain a contract or other record in
accordance with paragraph (1) does not apply to any information
whose sole purpose is to enable the contract or other record to
be sent, communicated, or received.
(3)
Originals.--If a statute, regulation, or other rule of law requires
a contract or other record relating to a transaction in or affecting
interstate or foreign commerce to be provided, available, or retained
in its original form, or provides consequences if the contract or
other record is not provided, available, or retained in its original
form, that statute, regulation, or rule of law is satisfied by an
electronic record that complies with paragraph (1).
(4)
Checks.--If a statute, regulation, or other rule of law requires
the retention of a check, that requirement is satisfied by retention
of an electronic record of the information on the front and back
of the check in accordance with paragraph (1).
(e)
Accuracy and Ability To Retain Contracts and Other Records.--Notwithstanding
subsection (a), if a statute, regulation, or other rule of law requires
that a contract or other record relating to a transaction in or
affecting interstate or foreign commerce be in writing, the legal
effect, validity, or enforceability of an electronic record of such
contract or other record may be denied if such electronic record
is not in a form that is capable of being retained and accurately
reproduced for later reference by all parties or persons who are
entitled to retain the contract or other record.
(f)
Proximity.--Nothing in this title affects the proximity required
by any statute, regulation, or other rule of law with respect to
any warning, notice, disclosure, or other record required to be
posted, displayed, or publicly affixed.
(g)
Notarization and Acknowledgment.--If
a statute, regulation, or other rule of law requires a signature
or record relating to a transaction in or affecting interstate or
foreign commerce to be notarized, acknowledged, verified, or made
under oath, that requirement is satisfied if the electronic signature
of the person authorized to perform those acts, together with all
other information required to be included by other applicable statute,
regulation, or rule of law, is attached to or logically associated
with the signature or record.
(h)
Electronic Agents.--A contract or other record relating to a transaction
in or affecting interstate or foreign commerce may not be denied
legal effect, validity, or enforceability solely because its formation,
creation, or delivery involved the action of one or more electronic
agents so long as the action of any such electronic agent is legally
attributable to the person to be bound.
(i)
Insurance.--It is the specific intent of the Congress that this
title and title II apply to the business of insurance.
(j)
Insurance Agents and Brokers.--An insurance agent or broker acting
under the direction of a party that enters into a contract by means
of an electronic record or electronic signature may not be held
liable for any deficiency in the electronic procedures agreed to
by the parties under that contract if-- (1) the agent or broker
has not engaged in negligent, reckless, or intentional tortious
conduct; (2) the agent or broker was not involved in the development
or establishment of such electronic procedures; and (3) the agent
or broker did not deviate from such procedures.
Many, though not all, states have
passed legislation authorizing digital signatures.
While digital signatures seem like
an easy issue to support, it is worth noting that there remains at
least some opposition.
One commentator has noted that digital
signature legislation doesn't solve the current mess of standards
relating to digital signatures, and that digital signatures may leave
the "unconnected" (those without access to the net) behind.
The Consumer Project on Technology,
a group affiliated with Ralph Nader, has issued the following statement
about the Federal "E-Sign" Act:
People should understand
that this bill is about legal issues. It does not create any new
technology. The bill was pushed to solve the problems of businesses,
and not to protect consumers. The legislation will increase the
risks of identity theft. According to the National Consumer Law
Center, the bill places new burdens on consumers to provide evidence
in disputes over electronic transactions.
The E-sign Act increases
the legal obligations on consumers who interact with businesses
on the Internet and through other digital media.
The E-sign Act raises the
legal status of agreements that are 'signed' using electronic technologies,
including such authorizations as click-on buttons on web pages,
as well as many other electronic authorizations, of varying degrees
of security. On the one hand, it overrides other statutes and regulations,
and declares as a general rule, that no contract or signature can
be denied legal effect, solely on the grounds that it was in electronic
form. On the other hand, it fails in important ways to guarantee
that consumers will be protected from fraud or unfair business practices
in a wide range of matters.
In general, electronic transactions
may leave consumers more vulnerable to unauthorized use, compared
to conventional transactions. Technology residing on a consumer's
personal computer can hardly be expected to be shielded from malicious
intrusions. Unlike a handwritten signature, if an electronic authorization
is stolen or forged, the legitimate owner will be hard-pressed to
prove that it was used fraudulently. The E-sign Act contains no
provision to limit the liability of consumers victimized by fraudulent
spending.
Congress rejected pleas from
consumer groups that the e-sign bill include a provision to ensure
that a contract cannot be altered once a consumer's digital signature
is affixed. The Senate language on this was dropped from the bill
that was signed by the President today. The risk is that consumers
will be victimized by changes in contractual text, inadvertent or
otherwise, eroding the consumer's ability to reproduce copies of
digital contracts at a later date, or admit such documents as evidence.
The digital signature bill
is likely to hurt consumers lacking access to the Internet, especially
low-income consumers and minorities. The E-sign Act does allow the
consumer the choice of receiving a contract in electronic or paper
form. However, given the prevalence of adhesion contracts in business-to-consumer
transactions, this 'choice' may very well be "take-it-or-leave it,"
or constrained by penalty fees for paper-based contracting, a practice
not prohibited by the legislation.