Digital Signatures Offer Potential, if not Protection

By Martin Goslar, Ph.D.

Electronic/digital
signatures accomplish three goals: protection from data tampering; signature
authentication; and nonrepudiation, which means all parties are legally
bound by digitally signed agreements. To endow transactional parties with
the ability to establish digital signature mechanisms to make online contracts
and transactions legally binding, President Clinton, on June 30, 2000, signed
into law the Electronic Signatures in Global and National Commerce (E-Sign)
Act. The electronic signature provisions took effect on Oct. 1, 2000. Electronic
record-keeping requirements will take effect on March 1, 2001.

Motivated by the
wide disparity in state electronic signature and commerce statutes passed
in the past five years, the E-Sign Act supports added corporate protection
in the process of building more efficient business-to-business (B2B) and
business-to-consumer (B2C) e-commerce systems. With E-Sign’s passage,
electronic signatures essentially gained equal legal status with those
created by using pen and paper. Businesses can now accept electronic signatures
in the transaction process, thereby enabling faster, easier, more efficient,
and less expensive alternatives to conduct online trade.

However, the E-Sign
Act’s approach is both endorsing and damning due to the open-ended definition
of electronic signatures. As stated in the E-Sign Act, electronic signatures
can be an “electronic sound, symbol, or process, attached to or logically
associated with a contract or other record and executed or adopted by
a person with the intent to sign the record.” It’s up to the sender and
receiver to agree upon the form of signature acceptable to both.

Considering that
electronic signature products impact online privacy and fraud as well
as transaction efficiencies, there is little doubt signature-related technology
will get a boost from the E-Sign Act. In fact, thanks to E-Sign’s passage,
several vendors have developed or expanded signature products and services
to take advantage of what will ultimately be a significant revenue increase
for the security market (see text box, “Signature Alternatives”). However,
corporate security professionals and individual consumers must look out
for operational inconsistencies, such as software conflicts, that vendors
won’t disclose when rolling out their new signature products and services.

Benefits That May Bite

By embracing electronic/digital
signatures, companies involved in high-volume, online B2B transaction
activity may benefit from several advantages. Digital signatures offer
a greater degree of security than handwritten signatures because recipients
of digitally signed messages can confirm message origination and can also
verify that messages were not altered. In addition:

  • Paper-based transaction
    authorization inefficiencies, such as transportation, notarization,
    deterioration, and falsification are largely avoided.

  • Authenticity can
    be granular from document down to packet level.

  • Online commercial
    interaction can take place from negotiation to relationship agreement
    through operational transaction certification until ultimate mutual
    or unilateral withdrawal.

  • Ultimately, e-commerce
    can be deployed faster and information mass-marketed more rapidly. Innovative
    competition will be dynamically rewarded.

Unfortunately, the
wide variation of acceptable signatures enabled by law places further
pressure on corporate security professionals to closely oversee signature
conveyance to ensure transactions cannot be repudiated or later disowned
with signature forgery claims.

Here lies a conundrum.
Given the broad range of signature alternatives available, the wide range
of related state laws previously passed, and the lack of standardized
technology for message authentication and validation, can corporations
moving high volumes of electronic transactions and communications find
a seamless, straightforward, inexpensive, and robust signature solution?

Since the E-Sign Act
impacts B2C as well as B2B e-commerce, consumers buying and selling online
can feel more confident that their financial identities are less likely
to be counterfeited. But consumers must be as diligent as corporate security
professionals because consumer e-signature options are not defined.

Will corporations
selling consumer products and services online ultimately mandate e-signature
conventions to their customers? Will consumers embrace unique retailer
signature “protections” and expect other organizations to accept the same
signature techniques? Or will customers obtain signature products offered
by seemingly independent and trusted consumer security vendors so that
online retailers must flexibly anticipate and accept these signatures?

My bet is that both
will occur on the B2C side until a robust, standard, and inexpensive signature
technology becomes an online convention. Remember the “other golden rule”–those
who have the gold make the rules. Some good news for B2C: Substantial
decreases in fraud losses should occur as a result of consumer electronic
signature acceptance.

Bottom line: Large
to enterprise-level corporations will integrate electronic signature technologies
developed by the leading e-commerce infrastructure vendors that already
handle much of their transaction activity. Mid- to small-sized firms will
likely adopt more best-of-breed software tools from innovative vendors
offering greater operational savings for lower transactional volume.

Dr. Goslar is
principal security analyst of E-PHD LLC, a security industry research
and analysis firm. He is also on the editorial board of the International
Journal of Electronic Commerce and can be reached at [email protected].