The Law Of Digital Signatures
By Benjamin Wright
Digital signatures can be legal signatures. The best implementations
will confirm the signer's legal purpose and understanding when he
applies his signature and will ensure that effective archives are
created.
Whitepaper sections include:
A New Technology For Legal Transactions
Compelling Legislation
First Objective: Symbol of Intent
Second Objective: Warning to the Signer
Third Objective: Proof and Security
Archives
Promising Outlook
A NEW TECHNOLOGY FOR LEGAL TRANSACTIONS
The day for digital signatures has come. This article explains why
under law that is so. Then, it looks beyond pure legal issues to examine
the practical challenges facing digital signatures and the methods
for overcoming them.
Digital signatures have long been popular as computer security devices.
Now their use for signing legal documents is set to begin.
A "digital signature" is a security code mathematically affixed to
an electronic document under a public-key infrastructure (PKI). A
PKI is a system for confirming the association of particular people
(subscribers) with public and private cryptographic keys. At the heart
of a PKI is a "certification authority" who issues to each subscriber
a "certificate" that attests to the association of that subscriber
to a known public key.
"Electronic signature" (or e-signature) is a more generic term than
digital signature, as it refers to any kind of electronic symbol (including
a password or voice record) intended to act as a legal signature.
A digital signature can be a type of e-signature.
Digital signatures are not a closed technology. Industry is inventing
myriad digital signature products and approaches. Digital signatures
can be used in conjunction with other signature technologies, such
as those involving biometric measurements of autographs or voiceprints.
COMPELLING LEGISLATION
A raft of favorable e-signature laws has been enacted recently. The
dominant one is the Electronic Signatures in Global and National Commerce
Act (E-SIGN), S. 761, passed by the US Congress and digitally signed
by the President in June 2000. E-SIGN preempts part of the state law
of signatures and sets uniform national policy on e-signatures. It
is inspired by the Uniform Electronic Transactions Act (UETA), recommended
by the National Conference of Commissioners for Uniform State Law
for adoption by all state legislatures (http://www.law.upenn.edu/library/ulc/ulc.htm#ueccta).
Both E-SIGN and UETA promote the use of digital signatures.
Given how supportive the law now is of digital signatures, what digital
signatures most need in order to flourish is experience on the part
of the people who might use them. Also needed are well-conceived
and well-marketed products like those from Signonline.
To be most effective at a practical level, a legal digital signature
product must reach three objectives: symbol of intent, warning to
the signer, and proof & security. Proper implementation of a digital
signature, like that provided by Signonline, can meet these objectives.
FIRST OBJECTIVE: SYMBOL OF INTENT
The first objective is to satisfy the formal demand for a signature
under a particular law, such as a statute requiring that a contract
or a tax return be "signed". In the overwhelming majority of instances,
this objective can be satisfied by any symbol (including a digital
signature) adopted by a person with the intent that the symbol be
a signature.
American common law has long held that a legal signature is a symbol
adopted by a person with the intent to sign a document. The signature
need not be any specific kind of device. It can include just an X
or a number. At least one judicial decision has even held that a legal
signature can include the characters of a typed name in an e-mail
message. Doherty v. Registry of Motor Vehicles (Mass. 1997
- Suffolk Dist. Ct. Dept. 97CV0050).
Accordingly, if an X, a number or the typed characters of a name can
be a legal signature, then so can a digital signature like that created
with the Signonline technology.
This principle is confirmed by E-SIGN, which defines an electronic
signature as a symbol adopted with intent to sign a record. E-SIGN
says a signature will not be denied legal effect solely because it
is electronic.[i]
Establishing Intent
Notice of course that the key to transforming any kind of a symbol,
including a digital signature, into a legal signature is the intent
of the signer . . . what was on her mind at the time the signature
was created. And, in a functional sense, this means the status of
a digital signature as a legally binding mark depends on the intent
that is evident -- and can be proved -- from the available records
at any time (maybe years) into the future.
Those records might come from any number of sources. One might be
the content of the signed document itself. A clause in an electronic
contract might for instance say that Frank acknowledges his digital
signature is his legal signature. And that could be effective if it
can be shown that Frank had a fair chance to read and understand this
clause thanks to the user interface available to him or thanks to
his own sophistication in the use of technology. This is one reason
for particular optimism about digital signatures among people, like
bank officers, who know what they are doing.
Alternatively, the necessary record of intent could come from a special
user interface (screens or cues presented to Frank at the time of
signing to make sure he intended to be legally bound), where details
of the steps performed by the interface are transcribed and archived
with the document, along with the digital signature.
Yet another record of intent might come from Frank's known and provable
habits. Habitual use of a digital signature in the past, in a way
that shows Frank intended it as his legal signature, is itself evidence
that the same intent applies when the signature is used in the future.
Of course, the reverse is also true. Routine use of a digital signature
as a mere guarantor of message integrity - rather than a symbol of
legal intent - is evidence that the device was never intended by Frank
to be legally binding. For
example, suppose Frank sends dozens of e-mails every day. Suppose
further that Frank's email software automatically applies a digital
signature to every transmission. These digital signatures could be
valuable toward showing Frank as the source of the e-mails and confirming
their integrity. But it is hard to say each of these signatures is
Frank's legal signature, intended to obligate him to the content of
each e-mail, because the digital signature process is too routine,
pedestrian and transparent to Frank. Rather than legal instruments,
these signatures behave more like envelopes, bearing Frank's name,
which just confirm source and integrity. An envelope with a name is
not a legal signature. Frank can place in an envelope something, like
a preliminary draft of a contract, to which he would never intend
to be legally obligated.
Accordingly, a workable digital signature product will make clear
which signatures are intended as legal signatures and keep provable
records of that intention. (See the section titled Archives below.)
SECOND OBJECTIVE: WARNING TO THE SIGNER
Closely related to the issue of intent is the second objective of
a workable signature. The signature process must give the signer,
as she is signing, good warning about what she is doing, which document
she is signing and the gravity of the event. If she can later claim
that she was confused or unaware when the signature was applied, she
can repudiate the signature by simply saying she did not intend it
as her legal signature.
A digital signature system might achieve this warning objective in
either of two ways. One, the signer might know from experience or
training that when she allows her digital signature to be affixed
to a document she is becoming legally bound. Sometimes when an organization
begins to let employees use digital signatures, it requires them to
attend seminars about PKI, methods for using digital signatures responsibly
and the legal significance they are expected to carry. That seminar
can be effective to warn signers about the binding nature of the signatures
they create.
A second way to warn signers is to provide at the time the signature
is affixed a user interface that conspicuously cautions the signer
about the significance of her signature and confirms her informed
consent to the process. For example, as a signer invokes her private
key to sign, a window could pop up on a monitor and inquire, "Are
you sure you are Mary Smith and you wish to complete this process
as your legally binding signature on your 2001 state tax return? If
so, click yes and proceed with the digital signing."
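One way to make the warning and the signer's answer provable later, as an added example that is not from the whitepaper or from Signonline's product: the transcript of the signing step (the record of intent described under Establishing Intent, and the warning dialog above) carries the document hash, and it is the transcript that gets signed and archived. The Ceremony type, its field names, the two purpose labels and the choice of Ed25519 are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Ceremony is the archived transcript of what the signer was shown and answered.
type Ceremony struct { // field names and purpose labels are assumptions
	DocSHA256 string // binds the transcript to exactly one document
	Signer    string
	Purpose   string // "legal-signature" or "integrity-only"
	Warning   string // exact text displayed at signing time
	Consented bool
}

// SignWithIntent signs the transcript; a legal signature requires recorded consent.
func SignWithIntent(priv ed25519.PrivateKey, doc []byte, c Ceremony) ([]byte, []byte, error) {
	if c.Purpose == "legal-signature" && !c.Consented {
		return nil, nil, fmt.Errorf("signer did not accept the warning")
	}
	c.DocSHA256 = fmt.Sprintf("%x", sha256.Sum256(doc))
	rec, err := json.Marshal(c)
	if err != nil {
		return nil, nil, err
	}
	return rec, ed25519.Sign(priv, rec), nil
}

// VerifyArchive checks the signature on the transcript, then the document it names.
func VerifyArchive(pub ed25519.PublicKey, doc, rec, sig []byte) (c Ceremony, err error) {
	if !ed25519.Verify(pub, rec, sig) {
		return c, fmt.Errorf("transcript altered or signed with another key")
	}
	if err = json.Unmarshal(rec, &c); err != nil || c.DocSHA256 != fmt.Sprintf("%x", sha256.Sum256(doc)) {
		return c, fmt.Errorf("archived document is not the one that was signed")
	}
	return c, nil
}

func main() { // constructed sample data and a throwaway key
	pub, priv, _ := ed25519.GenerateKey(nil)
	doc := []byte("2001 state tax return")
	c := Ceremony{Signer: "Mary Smith", Purpose: "legal-signature", Warning: "Is this your legally binding signature?", Consented: true}
	rec, sig, _ := SignWithIntent(priv, doc, c)
	fmt.Println(VerifyArchive(pub, doc, rec, sig))
}
```

Because the purpose label sits inside the signed transcript, a routine "integrity-only" signature cannot later be presented as a legal one without breaking verification.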
THIRD OBJECTIVE: PROOF AND SECURITY
The third objective of a workable legal signature is to bring an adequate
degree of proof and security. Good digital signature systems can do
that.
Realistic Expectations
Of course, different digital signature implementations will have different
degrees of proof and security. What is adequate for Sam may not be
so for Sally. Although real-world experience with the question of
adequate security is scarce, practical business people must (and will)
make decisions and move ahead with e-commerce.
A digital signature often does show association between the document
and the person assigned the private key (the subscriber). In a reasonably
competent system, the subscriber must have identified himself to a
certification authority before receiving the certificate. And the
subscriber was probably instructed (or even contractually obligated)
not to give the private key to others.
What's more, the proof carried by a digital signature may be corroborated
by separate but persuasive circumstantial evidence such as acknowledgments
of communication or timely payments from the alleged signer. For example,
if a digital signature on an insurance application purports to be
that of Sarah, the associated payment by Sarah of the first insurance
premium tends to confirm the signature is hers.
Plus, one of the big selling points of a valid digital signature is
that it provides solid evidence that a document has not changed since
the signature was affixed.
Hence, a digital signature may often meet or exceed the standard of
proof set by its noble ancestor, the handwritten ink-and-paper signature.
Furthermore, digital signatures can be provided at a low enough cost
that a world of e-business can bloom because of them.
ARCHIVES
Another component to a good digital signature system is the long-term
storage of the document to which the signature is attached, as well
as the software used to cause the attachment and other related records.
For most companies, long-term archival of legal documents can be a
big, underestimated headache. The task requires much more expertise
than the archival of paper records does. It demands careful selection
of hardware, software and archival media and the maintenance of those
things across many years.
Fortunately, Signonline addresses this task with a third party archival
service (SAFE, Secure Accessible File Environment). A key advantage
to third party archival is that the third party can amass economies
of scale to do the job more professionally and efficiently than a
user organization can.
Note also that E-SIGN Section 103(e) requires that many important
legal documents be in a form that allows each party to keep a copy.
Digital signature implementations therefore need to ensure that final
records are available for retention. A third party archivist can serve
this need by storing signed records on behalf of all parties.
PROMISING OUTLOOK
The formal principle that a digital signature can be a legal signature
is firmly rooted in American law. Digital signatures can of course
be done in many different ways, ways that have both technical and
cultural dimensions.
Niches may develop, where for example one flavor of digital signature
is embraced for a specific application (say, issuance of electronic
subpoenas by government) because it is compatible with the customs
and motivations that animate that application. But that type of digital
signature may not seem apt for other applications. People may come
to use different kinds of digital signatures for different chapters
in their lives.
It is the calling of developers like Signonline to fashion digital
signature products that people come, in emotional terms, to regard as
legal marks.
As with any revolutionary technology, the decision to start using
a digital signature requires some leap of faith. A conservative person
is tempted to seek a guarantee that the signature will meet all expectations.
But guarantees are unrealistic. Remember that paper-and-ink signatures
did not come with guarantees. Paper-and-ink signatures were never
assured to be verifiable or accepted in court. They merely performed
well enough . . . well enough that people embraced them with abandon
and gave them no further thought. The same can happen for digital
signatures.
Signonline, Inc. http://www.signonline.com
is a leader in e-commerce, devoted to the electronic replacement of
paper documents used for legal purposes, such as contracts and mortgages.
Signonline is an application service provider, supplying the B2C and
B2B arenas with technology for digital signatures, as well as the
electronic storage and retrieval of legal archives.
[i] Like much of the other mainstream
legislation in this area, E-SIGN excludes certain types of transactions,
such as those relating to probate and family law. See Section 103(a)
of E-SIGN. This exclusion does not necessarily mean that digital signatures
are ineffective on the excluded transactions; effectiveness depends
on the particular law governing the transactions.