Laws on E-Sigs
Competing technologies test states' definitions of an electronic signature.
A DRUNK DRIVING case is not the likeliest candidate to be the first challenge to the validity of an electronic signature.
But last spring, Massachusetts State Police Trooper Thomas Kelley arrested Michael F. Doherty in Boston and charged him with driving under the influence of alcohol. Mr. Doherty's license was suspended.
He appealed, alleging that the trooper's report, which bore a notation typed into a computer--"This is the report of Trooper Thomas Kelley and was made...under the penalties of perjury"--was not signed, and thus did not satisfy the perjury statute's signature requirement. Justice Peter W. Agnes held that a handwritten signature was not required. Doherty v. Registry of Motor Vehicles, 97CV0050 (Dist. Ct., Suffolk Co., 1997). The opinion is at www.magnet.state.ma.us/itd/legal/case.htm.
From the days when many people signed documents with an "X," through the age of the telegram, the fax machine, and now the electronic era, debates have raged over the validity and verifiability of signatures. Signatures are required on many contracts to satisfy the Statute of Frauds. But electronic signatures raise new issues because of the novelty and complexity of the technologies, the anonymity of e-mail and the ease with which electronic documents can be altered. [NLJ, 12-18-95.]
Everyone can see how convenient it would be to conduct a real estate closing electronically rather than have all parties gather at the same time in the same place. How far away are we, legally and technologically, from that?
The technology is here. In fact, many existing technologies allow an electronic document to be "signed" in a variety of ways--and the law is rushing to catch up. As of late October, all but five states had bills pending or laws on the books dealing with electronic signatures. (The five laggards are Alaska, Arkansas, South Carolina, South Dakota and West Virginia.)
Legally the barriers are not great, say some experts. "The [U.S.] common law says a signature is any symbol affixed to a document with the intent to take responsibility for its contents," says Benjamin Wright, a sole practitioner in Dallas who writes and lectures on electronic signatures and represents electronic signature companies.
The simplicity of the common law's requirements is reflected in California's law, adopted in January 1997, allowing any technology to be used that satisfies existing signature requirements governing the filing of documents with the state. Insurance companies file state claims using "signature dynamics," a technology that captures and encrypts a handwritten signature drafted with a special pen attached to a computer.
But proponents of a subset of electronic signatures--digital signatures--scoff at the security of anything but the use of public key, or asymmetric, cryptography. A digital signature guarantees both that the signature belongs to the signer and that the document was not altered since it was signed. "I don't think, in the absence of public key cryptography, you get beyond a signature on a piece of paper," says Theodore S. Barassi, vice president and counsel of CertCo., a Cambridge, Mass., digital signature company. "Digital signatures are much more secure."
Digital signatures involve generating two mathematically related keys, one of which is used to sign a document and must be kept private, and one of which is public and used to verify the signature. But to be truly secure, digital signatures require a legally recognized certification authority, or CA, to issue the key pair, identify the owner of the keys, certify the validity of the public key and serve as a repository for public keys.
These private, for-profit entities are operating today without, in many places, a legal framework for determining basic issues. If a private key is stored on a laptop's hard drive, and the laptop is stolen and used without authorization, who is liable for the unauthorized transaction?
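The mechanism described above, and the reason the stolen-laptop question is hard, can be seen in a short added example (not part of the original article). It uses a toy textbook-RSA scheme with constructed keys, names and documents; the revocation set stands in for a CA's revocation records, and the key sizes and lack of padding make it unsuitable for real use.

```python
import hashlib

E = 65537  # public exponent shared by both toy key pairs

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as (n, exponent)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(message, n):
    # Hash the bytes, then reduce into the modulus range (toy scheme, no padding).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def _cert_body(owner, public_key):
    return f"{owner}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(ca_private, owner, owner_public):
    """The CA vouches for the owner/key binding by signing it."""
    return {"owner": owner, "public_key": owner_public,
            "ca_sig": sign(ca_private, _cert_body(owner, owner_public))}

def check_document(ca_public, cert, document, signature, revoked=frozenset()):
    """Relying-party checks, in order: CA binding, revocation, document signature."""
    body = _cert_body(cert["owner"], cert["public_key"])
    if not verify(ca_public, body, cert["ca_sig"]):
        return "untrusted certificate"
    if cert["public_key"] in revoked:
        return "certificate revoked"
    if not verify(cert["public_key"], document, signature):
        return "bad signature"
    return "valid"

# Constructed sample data: Mersenne primes keep the toy keys short and reproducible.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ALICE_CERT = issue_certificate(CA_PRIV, "Alice Example", ALICE_PUB)
DEED = b"I, Alice Example, convey Lot 7 to Bob Example."
DEED_SIG = sign(ALICE_PRIV, DEED)
```

A signature made by whoever holds the private key verifies exactly like the owner's, so the arithmetic cannot tell a thief from the signer; only the revocation check, which depends on the CA having been told, changes the outcome.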
Some feel that consumers need protection. "There has to be a recognition that consumers don't have the sophistication with regard to the technology, or the wherewithal, to put in protections that might be needed [to safeguard their private key]," says Thomas J. Smedinghoff, a partner at Chicago's McBride Baker & Coles who co-chairs the firm's information technology and electronic commerce law department. "The use of the technology in many settings is imposed on the consumer," says Mr. Smedinghoff, adding that consumers can't choose the technology of their digital signature any more than they can choose what technology their bank uses for its ATMs.
But the CAs want protection from unlimited liability. "It's important to have a system in place that supports digital signatures and CAs," says Mark Silvern, an attorney at Verisign Inc., a CA in Cambridge, Mass. Mr. Silvern asserts that Verisign has issued 35,000 digital certificates enabling businesses to secure transmission of personal information or credit card numbers at such Web sites as Virtual Vineyards (www.virtualvin.com), a food and wine shop that takes credit cards over the Internet.
Do such transactions enjoy the protection of credit card transactions--a $50 limit on losses? Probably not, says Stephen Wu, another attorney at Verisign. The company has an insurance program to protect consumers and merchants from loss or misuse of a private key. But, says Mr. Wu, "there does come a point where you have to have an incentive for people to exercise reasonable care."
Some proponents of digital signatures do not want to replicate the credit card cap on liability. Banks swallow $5 billion to $10 billion a year in bad credit card charges, says Charles R. Merrill, the partner in the computer law group of Newark, N.J.'s McCarter & English who co-authored the American Bar Association's August 1996 book on digital signature guidelines. The charges are passed on to consumers, he says.
But the status quo is not necessarily fair to the credit card companies or to CAs, says Prof. A. Michael Froomkin, who teaches cyberspace law at the University of Miami School of Law. On the other hand, he says, a system that requires the consumer to safeguard a private key or creates liability for any use of it is not appealing. "I'd never want to have one of these things," says Professor Froomkin. "Or I'd get a key with a lifespan of 5 milliseconds," use it for one purchase and notify the CA that the key was no longer valid.
The Illinois Legislature's digital signature drafting committee is grappling with the liability issue now. "Consumers should not lose the ordinary protection of the law simply because they use digital signatures," says Mr. Smedinghoff, who chairs the Illinois Legislature's Commission on Electronic Commerce and Crime. He says the commission agreed that "if [dual key] technology is imposed, the consumer should not bear the risk of the lost key."
In May 1995, Utah became the first state to provide a detailed framework for digital signatures; 36 states now have digital signature laws on the books.
But no two bills are the same. Utah and the state of Washington impose strict requirements on certification authorities, specifying what constitutes adequate record-keeping and detailing the procedures CAs must follow when they issue, revoke or suspend a digital signature certificate. "The Utah Act is too complex," says Mr. Wright, who calls himself a supporter of "common-sense alternatives" to public key cryptography, such as signature dynamics. "It's been 2 1/2 years since Utah's bill was enacted, and no one has registered" as a CA there, he notes.
A bill similar to Utah's was introduced in California in 1995 but met with opposition from those who thought that the technology might become obsolete or that a detailed bill would lock the state into one particular type of technology. California's final bill simply authorizes the use of digital signatures or any technology that satisfies the existing requirements for a legal signature.
"It's become clear there are difficult policy choices," says Stuart A. Baker, a partner at Washington, D.C.'s Steptoe & Johnson L.L.P., who testified in late October in the House of Representatives' Science Committee on electronic signature issues. "The [digital signature] people...imagine a world of heavily regulated, highly structured entities issuing identity cards. This turns out to be not the way things are going," he says, noting that biometric technologies, allowing hand shapes or retinal scans to qualify as signatures, will soon become commercially available. "Public key/private key technology requires more in the rules....Other technologies want less."
The state-by-state approach ignores the fact that the Internet is oblivious to state boundaries, says Sen. Bob Bennett, R-Utah. Federal legislation is needed, says the senator, who plans to introduce legislation early in 1998 to standardize electronic signature requirements, including digital signatures, mainly to facilitate online banking.
The true value of the Internet is in international commerce, says Patricia Brumfield Fry, a professor at the University of North Dakota's law school, who chairs the Drafting Committee on the Uniform Electronic Transactions Act. Germany has a digital signature statute on the books that uses a private key almost like a national identity card, says Professor Fry. Malaysia and Japan may soon follow. Argentina is using digital signatures to file documents with its equivalent of the Securities and Exchange Commission, says CertCo's Mr. Barassi.
But uniform standards are not central to international law. "Germany is quite proud of its statute," Professor Fry jokes, "because the only company that meets all the stringent requirements to be a CA is Siemens," a German electronics company.
As bills are introduced, a proponent of digital signatures who requested anonymity says he despairs of what he calls the "technological handicaps" that afflict those drafting, proposing and voting on the legislation.
But Professor Fry is more sanguine. "Experience tells us that it's quite wise to filter what the experts tell us through good old-fashioned common sense. No doubt some legislators might not understand all the nuances. That is not unique to technology or to this issue."
Commerce Department General Counsel Andrew Pincus asked the Science Committee's technology subcommittee not to draft federal standards, testifying that not enough about them is understood. But McCarter & English's Mr. Merrill is pressing ahead with a draft of the ABA guidelines for certifying CAs. "Many people are ready for this," he says, and besides, "it's a voluntary thing" between the contracting parties.
This article is reprinted with permission from the November 17, 1997 edition of The National Law Journal. © 1997 NLP IP Company.