Secure e-Signature Law

Electronic Signatures in Global and National Commerce Act (E-SIGN)

In some countries electronic signature law wrestles with whether a signature must be secure to be legally effective. An outstanding work in this field is Electronic Signatures in Law by Stephen Mason. Mr. Mason analyzes e-signature legislation and case law from around the world.

The History of Secure e-Signature Law

In the mid-1990s, an influential school of thought held that e-commerce needed reliable digital signatures (based on public key infrastructure, or PKI), and reliability required government licensure and regulation. This school of thought led to adoption of the pioneering Utah Digital Signature Act of 1995, which unabashedly aimed to promote PKI digital signatures. At the time the Utah Act attracted much attention and inspired similar legislation in other states such as Washington and in other countries such as Malaysia.

A related school of thought said law should favor secure or advanced forms of e-signatures over other kinds of e-signatures, such as voice signatures. For this school of thought, "secure" or "advanced" e-signatures was code language intended for PKI digital signatures (although the school champions stuggled to develop definitions for "secure" or "advanced" that achieved their goal of advancing PKI while locking out its competitors). This school of thought led to adoption of influential regulations by the California Secretary of State and strange legislation in Illinois.

These two schools of thought -- I'll call them the secure-signature movement – were vocal in the US through the end of the 1990s.

Secure e-Signature Law Died in US

As US legal experts drafted national legislation for e-commerce –- the E-SIGN for federal law and the UETA for state law –- the secure-signature movement advocated special favor for digital signatures, or at least special favor for secure or advanced signatures. The debate was intense, but the secure-signature movement lost. Fortunately, E-SIGN and UETA became the law in the US. E-SIGN and UETA are technology neutral and do not favor digital signatures or secure/advanced signatures. For this reason, we in the US have largely liberated ourselves from the distractions caused by the secure-signature movement.

And, as Mr. Mason indicates on page 586 of his book, Utah formally repealed its Digital Signature Act in 2006. Utah's repeal was the coup de grâce for the secure-signature movement in the US.

Secure e-Signature Law Lives in Europe and Causes Confusion

In Europe, however, the secure-signature movement was more influential. The European Union’s Directive on electronic signatures elevates “advanced” (or more secure) electronic signatures over other kinds of signatures. See Mr. Mason’s Chapter 4.

It has been eight years since the EU’s Directive went into effect, and its elevation of advanced signatures has come to nothing but trouble. As Mr. Mason explains on page 144, a Finnish court denied effect to an e-mail because it was not authenticated with an advanced e-signature. But as Mr. Mason says on page 161 advanced e-signatures (digital signatures) have been a commercial failure in Europe. PKI vendors have not been able to offer digital signatures in a way that appeals to users. What does this mean? It means the EU adopted a directive that lends special emphasis and support to a technology that exists more in theory than practice. Such lawmaking confuses both courts (like the one in Finland) and the public, and retards the adoption of e-commerce.

Mr. Mason astutely observes: "[I]t is to be wondered why the digital signature (which is, arguably, a flawed concept looking for a problem to solve) is considered to be so important by some legislators."

For More Information

Electronic Signatures in Law (Second Edition) is published by Tottel Publishing.

For more on electronic signatures, see demonstration of webcam signature to preserve evidence in a cyber investigation.

Update: A new case, Kerr v Dillard Store Services, Inc, ___F.Supp. 2d___(D. Kans. February 17, 2009), invalidated an employee's so-called electronic signature on an online arbitration agreement. The employer was not able to produce enough evidence of password reliability and e-mail accountability to support its contention that the employee had approved the agreement. My analysis: The same outcome could be possible had the alleged signature been a PKI digital signature. Just as the signature in this Kerr case was unprovable because there was inadequate evidence of password reliability, a PKI digital signature can be unprovable if there is inadequate evidence that the password protecting the PKI private key is reliable.

Update 2014: A problem with legislation that holds PKI digital signatures to be powerful legal signatures is that it invests great authority in the signer's private key. But when so much authority is invested in a single bit of code (the private key), hackers have much incentive to steal it. See stories about hackers stealing private keys from entities like Sony Pictures. Similarly, hackers have stolen the private keys that control valuable Bitcoin. For that reason Bitcoin is evolving to a multi-signature model, so that less power resides in any given private key.

--Benjamin Wright

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

InfoSec & Forensics Law

Secure e-Signature Law

Electronic Signatures in Global and National Commerce Act (E-SIGN)

No comments:

Post a Comment

SANS Quote

How to Get Electronic Evidence

Government Agency & School Records