Subject: IP: RE: PFIR Statement on Electronic Signatures and Documents
>X-Server-Uuid: 47feacc6-2336-11d3-82c6-0008c7db26d1
>From: "Baker, Stewart" <SBaker@steptoe.com>
>To: farber@cis.upenn.edu
>cc: "Albertazzie, Sally" <SAlbertazzie@steptoe.com>
>Subject: RE: PFIR Statement on Electronic Signatures and Documents
>Date: Sun, 18 Jun 2000 16:35:16 -0400
>X-Mailer: Internet Mail Service (5.5.2650.21)
>X-WSS-ID: 1553ECB425042-01-01
>
>Dave,
>
>Lauren Weinstein's rant about passage of the electronic signature bill
>deserves a longer rebuttal than I can provide on a beautiful Sunday
>afternoon, but there are a number of errors that can be pointed out quickly.
>They are serious enough to cast doubt on the whole thrust of PFIR's
>statement.
>
>First, the notion that the bill allows "anything" to be an electronic
>signature and that it should have enacted security standards seems to be
>based on a romantic notion that handwritten signatures are secure in a way
>that protects us from fraud. This is just false. In fact, for most
>business transactions, typed or faxed or telegraphed names have been treated
>as meeting signature requirements for nearly 150 years. In an age of
>xerography and facsimile, requiring something that looks like a signature at
>the bottom of a document is not exactly a bulwark against fraud. So how is
>fraud prevented in such a world? By allowing the purported signer to say
>that he didn't actually put that symbol on the page or send that telegram or
>fax that document. The e-signature bill allows precisely the same
>protections.
>
>The idea that Congress should enact technology security standards is, well,
>unlikely. How long would such standards reflect current technology and
>practices? About a month would be my guess. How long would they be a
>source of politicking and standards lobbying by otherwise uncompetitive
>companies? More or less forever would be my guess. Instead, Congress
>eliminated any legal bar on accepting electronic signatures while leaving it
>to companies to work out the particular technologies they will use. In my
>experience, which includes building legal frameworks for more than a dozen
>PKI and electronic signature systems, the kind of technologies being used
>grow progressively more secure depending on the size of the transactions,
>which is pretty much what we'd expect and want. In fact, if anything, the
>signature technology is stronger than the rest of the computer system's
>security, which is pretty much in line with the more general observation
>that most computer security professionals measure themselves against the
>resources of 20-year-old hackers while the cryptographers are measuring
>themselves against the resources of NSA.
>
>Finally, the suggestion that Verisign has achieved a monopoly by buying
>Thawte is wrong, but perhaps understandably so. In fact, the only market
>where that is even arguable is for SSL certs, where Thawte was the low-cost
>alternative to Verisign. But since the merger, Entrust and Equifax,
>especially Equifax, have roared into the market. I think Equifax is now
>offering SSL certs for half the price that Thawte used to charge, and its
>market share is rising fast. Some monopoly!
>
>In short, there's a reason this bill passed almost unanimously in an age of
>bitter partisanship. At bottom, it's a good idea that both parties and
>practically all consumer groups agreed with.
>
>Stewart Baker
>Steptoe & Johnson LLP
>phone -- 202.429.6413
>email fax -- 202.261.9825
>main fax -- 202.429.3902
>sbaker@steptoe.com