PRIVACY Forum Archive Document

PRIVACY Forum Digest      Saturday, 17 June 2000      Volume 09 : Issue 17

                (http://www.vortex.com/privacy/priv.09.17)

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------

              **********************************************
              * PRIVACY Forum Eight Year Anniversary Issue *
              **********************************************


CONTENTS 
        PFIR Statement on Electronic Signatures and Documents
           (Lauren Weinstein; PRIVACY Forum Moderator)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 09, ISSUE 17

     Quote for the day:
        
        "I'll make you two promises: a very good steak, 
         medium rare, and the truth, which is very rare."
        
                Eleanor "Ellie" Holbrook (Ava Gardner)
                "Seven Days in May" (Joel Productions; 1964)

----------------------------------------------------------------------

Date:    Sat, 17 Jun 2000 13:18 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PFIR Statement on Electronic Signatures and Documents


             PFIR Statement on Electronic Signatures and Documents

                   (http://www.pfir.org/statements/2000-06-17)

        PFIR - People For Internet Responsibility - http://www.pfir.org

        [ To subscribe or unsubscribe to/from this list, please send the
          command "subscribe" or "unsubscribe" respectively (without the 
          quotes) in the body of an e-mail to "pfir-request@pfir.org". ]


2000-06-17

Greetings.  Laws usually tend to lag far behind technology, often allowing
problems--like spam e-mail for example--to fester until they're impossible
to ignore.  Then we tend to see some action, with varying degrees of
positive or negative results.  When it comes to electronic signatures and
digital documents, Congress' preemptive attempt at creating an e-commerce
utopia, bereft of adequate consumer protections, may instead have laid the
foundation for a range of very serious new problems.

Both houses of the U.S. Congress have now passed the Millennium Digital
Commerce Act.  They acted nearly unanimously, and President Clinton is
expected to sign the legislation (perhaps by the time you read this).  The
Act validates the use of "electronic" signatures and documents in place of
the written signatures and paper records with which we are all familiar. 

Such a change has immense, complex, and far-reaching ramifications.  A
popular adage suggests that "the devil is in the details."  This is
especially true in this case.  In their determination to jump onto the
e-commerce bandwagon, Congress has found a convenient method to handle most of
those pesky details--just ignore them completely!  As a result, we may have
just seen the creation of a new array of risks for businesses and consumers
alike, but a true bonanza for the lawyers who will handle the inevitable
litigation to follow. 

Just about anything that two parties care to call an "electronic"
signature will be treated as valid.  Online documents will have the same
force of law as paper contracts and records.  Remarkably though, the
legislation makes no attempt to set any standards for how, or even if, such
documents would need to be protected to prevent them from being easily
modified by error or criminal design.  E-mail, the reception of which is
difficult to verify without introducing privacy problems, and which can be
accidentally or purposely misrouted, could replace most conventionally
mailed notices and other similar materials.

The Act fails to set minimum security or other technical standards of any
kind.  It doesn't even specify how it could be determined that someone had
authorized the use of electronic signatures or digital contracts in the
first place.  Nor is there even a requirement such as the minimal levels
of communications security, e.g. Secure Sockets Layer (SSL), that most people
have come to expect from their "routine" Internet credit card transactions.
The legislation even requires the U.S. Department of Commerce to become a
promoter of this standard-less view of electronic transactions and records
around the world.

On top of this, the Act appears to effectively prohibit individual states
from establishing their own laws to specify meaningful technical standards
in these areas.  And while you're not supposed to be forced to use these
hi-tech paper replacements, how long will it be before you find yourself
paying more, perhaps much more, if you choose not to do so?  The pattern is
all too familiar--first there will be offers of discounts if you'll give up
paper, but all too soon the fees for insisting on paper records and physical
signatures will become so exorbitant that most of us will give in, whether
we really want to or not.

Congress did include some exceptions in their legislation where paper will
still be required, including eviction notices, wills, court orders, and some
others.  Of course, by the time you receive, for example, an eviction
notice, a tremendous amount of damage could have already been done.  The
legislation does not establish any protections, like the existing $50
exposure limit in the U.S. on fraudulent credit card purchases, for these
electronic transactions.  The Act allows you to dispute the authenticity of
particular electronic signatures or digital documents, but this means you
have to prove an electronic signature or document isn't yours or is not
otherwise authentic.  Given the lack of even minimal a priori standards for
such materials, this ensures that our courts will have plenty of such cases
to handle in their anything but copious free time.

We can certainly be sure of one other thing though--no doubt there are
already crooks rubbing their hands together in glee at the prospect of
these newly-enabled e-frauds!

There are of course technical methods that can be employed to make such
electronic transactions and digital documents safer and more secure, most of
them involving various cryptographic techniques.  As a practical matter, one
of the firms most likely to benefit from the use of such systems would seem
to be VeriSign, Inc., which after their purchase of former competitor
Thawte, has a virtual monopoly on the issuing of the widely-accepted
digital certificates crucial to most existing such technologies.

Yet even the most advanced of these systems have major problems in some
extremely critical areas.  How do you verify the actual consent and
authority of a person relating to these new electronically-signed
transactions, or know that the electronic signature wasn't stolen from a PC
by some inside or outside entity?  Even knowing that the authorization comes
from a particular computer isn't good enough.  As we've seen, most PC and
many other systems are easily compromised.  Many passwords are trivially
guessed or otherwise determined, even assuming that they haven't been left
in an unencrypted disk file or stuck to a monitor on a Post-it note! 

We know all too well that in the case of distributed denial of service and
other attacks, viruses and trojans can embed software into systems to perform
other insidious functions at some later time.  This same technique could be
used to "take over" a PC to perform seemingly authorized electronic
signature transactions.  Biometrics (fingerprints, iris scans) could provide
better identification, but their implementation in a manner that cannot be
easily subverted to cause additional problems, and that does not introduce
serious privacy concerns, is a non-trivial task.

Nearly every day we see new reports of computer-related attacks on the
Internet or other network environments.  Poorly-designed systems and
misconfigured servers result in continuing episodes of Internet credit card
fraud--now a major proportion of all fraudulent credit card activity--even
when communications are protected by SSL.  We constantly learn of Web sites
and databases which find themselves hacked and their contents altered, and
those are just the ones that are discovered, and that we actually find out
about!  Identity fraud is already a major and growing problem, even without
the boost that this legislation is likely to provide to its perpetrators.

Each time these sorts of events are publicized, we hear politicians
pontificating about how "something needs to be done"--usually a suggestion
for harsher "after the fact" criminal penalties, not proactive technical
actions or standards which could have helped to avoid the problems in the
first place.  In the case of this new electronic commerce legislation, we've
even heard various Congressmen express concern about its lack of
establishing any standards for the electronic transactions and digital
documents that it is widely validating.  Congress still plowed ahead anyway,
and passed the legislation with enthusiastic gusto.  

While it would not have been appropriate for the Act to have mandated the
use of particular products or technologies, it would have been completely
appropriate, indeed expected, for it to specify minimum requirements for
the authentication, protection, security, and related aspects of such
electronic transactions and documents.  Though it might be assumed that
reputable businesses would attempt to provide the best security that they
could, without such requirements there is nothing to prevent them from not
doing so, and this could be an invitation to poor decisions, flawed
implementations, confusion, and errors that could have serious repercussions
for both themselves and their customers.  When it comes to less-scrupulous
"businesses" it could be a direct invitation to fraud.

The temptation for businesses and consumers alike to participate in this new
but totally nebulous world of electronic transactions and virtual documents
will be significant.  All manner of pie-in-the-sky cost reductions and
wonderful benefits are being promised.  Unfortunately, it seems probable
that the real costs are likely to be the problems that such systems,
implemented in a standards and security vacuum of truly staggering
proportions, could bring to us all.

--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

------------------------------

End of PRIVACY Forum Digest 09.17
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.