PRIVACY Forum Archive Document
PRIVACY Forum Digest      Saturday, 17 June 2000      Volume 09 : Issue 17

(http://www.vortex.com/privacy/priv.09.17)

Moderated by Lauren Weinstein (firstname.lastname@example.org)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for Computing Machinery) Committee on Computers and Public Policy, Cable & Wireless USA, Cisco Systems, Inc., and Telos Systems.
- - -
These organizations do not operate or control the PRIVACY Forum in any manner, and their support does not imply agreement on their part with nor responsibility for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

**********************************************
* PRIVACY Forum Eight Year Anniversary Issue *
**********************************************

CONTENTS

    PFIR Statement on Electronic Signatures and Documents
        (Lauren Weinstein; PRIVACY Forum Moderator)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------

The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "email@example.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing.

Subscriptions are via an automatic list server system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "firstname.lastname@example.org". Mailing list problems should be reported to "email@example.com".

All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access.

PRIVACY Forum materials may also be obtained automatically via e-mail through the list server system. Please follow the instructions above for getting the list server "help" information, which includes details regarding the "index" and "get" list server commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com/". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.

-----------------------------------------------------------------------------

VOLUME 09, ISSUE 17

Quote for the day:

    "I'll make you two promises: a very good steak, medium rare, and the truth, which is very rare."

        Eleanor "Ellie" Holbrook (Ava Gardner)
        "Seven Days in May" (Joel Productions; 1964)

----------------------------------------------------------------------

Date: Sat, 17 Jun 2000 13:18 PDT
From: firstname.lastname@example.org (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: PFIR Statement on Electronic Signatures and Documents

PFIR Statement on Electronic Signatures and Documents
(http://www.pfir.org/statements/2000-06-17)

PFIR - People For Internet Responsibility - http://www.pfir.org

[ To subscribe or unsubscribe to/from this list, please send the command "subscribe" or "unsubscribe" respectively (without the quotes) in the body of an e-mail to "email@example.com". ]

2000-06-17

Greetings. Laws usually tend to lag far behind technology, often allowing problems--like spam e-mail for example--to fester until they're impossible to ignore. Then we tend to see some action, with varying degrees of positive or negative results. When it comes to electronic signatures and digital documents, Congress' preemptive attempt at creating an e-commerce utopia, bereft of adequate consumer protections, may instead have laid the foundation for a range of very serious new problems.

Both houses of the U.S. Congress have now passed the Millennium Digital Commerce Act. They acted nearly unanimously, and President Clinton is expected to sign the legislation (perhaps by the time you read this). The Act validates the use of "electronic" signatures and documents in place of the written signatures and paper records with which we are all familiar. Such a change has immense, complex, and far-reaching ramifications.

A popular adage suggests that "the devil is in the details." This is especially true in this case. In their determination to jump onto the e-commerce bandwagon, Congress has found a convenient method to handle most of those pesky details--just ignore them completely! As a result, we may have just seen the creation of a new array of risks for businesses and consumers alike, but a true bonanza for the lawyers who will handle the inevitable litigation to follow.

Just about anything that two parties care to call an "electronic" signature will be treated as valid. Online documents will have the same force of law as paper contracts and records. Remarkably though, the legislation makes no attempt to set any standards for how, or even if, such documents would need to be protected to prevent them from being easily modified by error or criminal design. E-mail, the reception of which is difficult to verify without introducing privacy problems, and which can be accidentally or purposely misrouted, could replace most conventionally mailed notices and other similar materials.

The Act fails to set minimum security or other technical standards of any kind. It doesn't even specify how it could be determined that someone had authorized the use of electronic signatures or digital contracts in the first place. Nor is there even a requirement such as the minimal levels of communications security, e.g. Secure Sockets Layer (SSL), that most people have come to expect from their "routine" Internet credit card transactions. The legislation even requires the U.S. Department of Commerce to become a promoter of this standard-less view of electronic transactions and records around the world. On top of this, the Act appears to effectively prohibit individual states from establishing their own laws to specify meaningful technical standards in these areas.

And while you're not supposed to be forced to use these hi-tech paper replacements, how long will it be before you find yourself paying more, perhaps much more, if you choose not to do so? The pattern is all too familiar--first there will be offers of discounts if you'll give up paper, but all too soon the fees for insisting on paper records and physical signatures will become so exorbitant that most of us will give in, whether we really want to or not.

Congress did include some exceptions in their legislation where paper will still be required, including eviction notices, wills, court orders, and some others. Of course, by the time you receive, for example, an eviction notice, a tremendous amount of damage could have already been done. The legislation does not establish any protections, like the existing $50 exposure limit in the U.S. on fraudulent credit card purchases, for these electronic transactions.

The Act allows you to dispute the authenticity of particular electronic signatures or digital documents, but this means you have to prove an electronic signature or document isn't yours or is not otherwise authentic. Given the lack of even minimal a priori standards for such materials, this ensures that our courts will have plenty of such cases to handle in their anything but copious free time. We can certainly be sure of one other thing though--no doubt there are already crooks rubbing their hands together in glee at the prospect of these newly-enabled e-frauds!

There are of course technical methods that can be employed to make such electronic transactions and digital documents safer and more secure, most of them involving various cryptographic techniques. As a practical matter, one of the firms most likely to benefit from the use of such systems would seem to be VeriSign, Inc., which after their purchase of former competitor Thawte, has a virtual monopoly on the issuing of the widely-accepted digital certificates crucial to most existing such technologies.

Yet even the most advanced of these systems have major problems in some extremely critical areas. How do you verify the actual consent and authority of a person relating to these new electronically-signed transactions, or know that the electronic signature wasn't stolen from a PC by some inside or outside entity? Even knowing that the authorization comes from a particular computer isn't good enough. As we've seen, most PC and many other systems are easily compromised. Many passwords are trivially guessed or otherwise determined, even assuming that they haven't been left in an unencrypted disk file or stuck to a monitor on a Post-it note!

We know all too well that in the case of distributed denial of service and other attacks, viruses and trojans can embed software into systems to perform other insidious functions at some later time. This same technique could be used to "take over" a PC to perform seemingly authorized electronic signature transactions. Biometrics (fingerprints, iris scans) could provide better identification, but their implementation in a manner that cannot be easily subverted to cause additional problems, and that does not introduce serious privacy concerns, is a non-trivial task.

Nearly every day we see new reports of computer-related attacks on the Internet or other network environments. Poorly-designed systems and misconfigured servers result in continuing episodes of Internet credit card fraud--now a major proportion of all fraudulent credit card activity--even when communications are protected by SSL. We constantly learn of Web sites and databases which find themselves hacked and their contents altered, and those are just the ones that are discovered, and that we actually find out about! Identity fraud is already a major and growing problem, even without the boost that this legislation is likely to provide to its perpetrators.

Each time these sorts of events are publicized, we hear politicians pontificating about how "something needs to be done"--usually a suggestion for harsher "after the fact" criminal penalties, not proactive technical actions or standards which could have helped to avoid the problems in the first place. In the case of this new electronic commerce legislation, we've even heard various Congressmen express concern about its lack of establishing any standards for the electronic transactions and digital documents that it is widely validating. Congress still plowed ahead anyway, and passed the legislation with enthusiastic gusto.

While it would not have been appropriate for the Act to have mandated the use of particular products or technologies, it would have been completely appropriate, indeed expected, for it to specify minimum requirements for the authentication, protection, security, and related aspects of such electronic transactions and documents. Though it might be assumed that reputable businesses would attempt to provide the best security that they could, without such requirements there is nothing to prevent them from not doing so, and this could be an invitation to poor decisions, flawed implementations, confusion, and errors that could have serious repercussions for both themselves and their customers. When it comes to less-scrupulous "businesses" it could be a direct invitation to fraud.

The temptation for businesses and consumers alike to participate in this new but totally nebulous world of electronic transactions and virtual documents will be significant. All manner of pie-in-the-sky cost reductions and wonderful benefits are being promised. Unfortunately, it seems probable that the real costs are likely to be the problems that such systems, implemented in a standards and security vacuum of truly staggering proportions, could bring to us all.

--Lauren--
Lauren Weinstein
firstname.lastname@example.org or email@example.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

------------------------------

End of PRIVACY Forum Digest 09.17
************************
Copyright © 2005 Vortex Technology. All Rights Reserved.