Secure e-Signature Law

Electronic Signatures in Global and National Commerce Act (E-SIGN)

In some countries electronic signature law wrestles with whether a signature must be secure to be legally effective. An outstanding work in this field is Electronic Signatures in Law by Stephen Mason. Mr. Mason analyzes e-signature legislation and case law from around the world.

The History of Secure e-Signature Law

In the mid-1990s, an influential school of thought held that e-commerce needed reliable digital signatures (based on public key infrastructure, or PKI), and reliability required government licensure and regulation. This school of thought led to adoption of the pioneering Utah Digital Signature Act of 1995, which unabashedly aimed to promote PKI digital signatures. At the time the Utah Act attracted much attention and inspired similar legislation in other states such as Washington and in other countries such as Malaysia.

A related school of thought said law should favor secure or advanced forms of e-signatures over other kinds of e-signatures, such as voice signatures. For this school of thought, "secure" or "advanced" e-signatures was code language intended for PKI digital signatures (although the school champions stuggled to develop definitions for "secure" or "advanced" that achieved their goal of advancing PKI while locking out its competitors). This school of thought led to adoption of influential regulations by the California Secretary of State and strange legislation in Illinois.

These two schools of thought -- I'll call them the secure-signature movement – were vocal in the US through the end of the 1990s.

Secure e-Signature Law Died in US

As US legal experts drafted national legislation for e-commerce –- the E-SIGN for federal law and the UETA for state law –- the secure-signature movement advocated special favor for digital signatures, or at least special favor for secure or advanced signatures. The debate was intense, but the secure-signature movement lost. Fortunately, E-SIGN and UETA became the law in the US.  E-SIGN and UETA are technology neutral and do not favor digital signatures or secure/advanced signatures. For this reason, we in the US have largely liberated ourselves from the distractions caused by the secure-signature movement.

And, as Mr. Mason indicates on page 586 of his book, Utah formally repealed its Digital Signature Act in 2006. Utah's repeal was the coup de grĂ¢ce for the secure-signature movement in the US.

Secure e-Signature Law Lives in Europe and Causes Confusion

In Europe, however, the secure-signature movement was more influential. The European Union’s Directive on electronic signatures elevates “advanced” (or more secure) electronic signatures over other kinds of signatures. See Mr. Mason’s Chapter 4.

It has been eight years since the EU’s Directive went into effect, and its elevation of advanced signatures has come to nothing but trouble. As Mr. Mason explains on page 144, a Finnish court denied effect to an e-mail because it was not authenticated with an advanced e-signature. But as Mr. Mason says on page 161 advanced e-signatures (digital signatures) have been a commercial failure in Europe. PKI vendors have not been able to offer digital signatures in a way that appeals to users. What does this mean? It means the EU adopted a directive that lends special emphasis and support to a technology that exists more in theory than practice. Such lawmaking confuses both courts (like the one in Finland) and the public, and retards the adoption of e-commerce.

Mr. Mason astutely observes: "[I]t is to be wondered why the digital signature (which is, arguably, a flawed concept looking for a problem to solve) is considered to be so important by some legislators."

For More Information

Electronic Signatures in Law (Second Edition) is published by Tottel Publishing.

For more on electronic signatures, see demonstration of webcam signature to preserve evidence in a cyber investigation.

Update: A new case, Kerr v Dillard Store Services, Inc, ___F.Supp. 2d___(D. Kans. February 17, 2009), invalidated an employee's so-called electronic signature on an online arbitration agreement. The employer was not able to produce enough evidence of password reliability and e-mail accountability to support its contention that the employee had approved the agreement. My analysis:  The same outcome could be possible had the alleged signature been a PKI digital signature.  Just as the signature in this Kerr case was unprovable because there was inadequate evidence of password reliability, a PKI digital signature can be unprovable if there is inadequate evidence that the password protecting the PKI private key is reliable.

Update 2014:  A problem with legislation that holds PKI digital signatures to be powerful legal signatures is that it invests great authority in the signer's private key. But when so much authority is invested in a single bit of code (the private key), hackers have much incentive to steal it. See stories about hackers stealing private keys from entities like Sony Pictures. Similarly, hackers have stolen the private keys that control valuable Bitcoin. For that reason Bitcoin is evolving to a multi-signature model, so that less power resides in any given private key.


No comments:

Post a Comment