There’s been a lot of hype surrounding the new “e-sign” law (officially known as the Electronic Signature in Global and National Commerce Act), which gives electronic and digital signatures the legal enforceability of handwritten signatures. Whether the law—which took effect in October 2000—ignites an explosion of worry-free online business transactions or lays a minefield of privacy and security traps, one thing is clear: By legitimizing electronic and digital signatures, the federal government has moved e-commerce a step forward and created important choices for CIOs. Perhaps the most important choice CIOs face is whether to use simple electronic signatures or the more secure but more costly digital signatures.
The act, which President Clinton signed in June 2000, gives CIOs a lot of leeway in terms of the electronic-signature technology they can use. It broadly defines an electronic signature as “an electronic sound, symbol or process” executed or adopted with the intent to sign a contract or record, and the law doesn’t give examples of specific technologies. Valid electronic signatures might include such things as text blocks at the end of an e-mail, click-through agreements, digitized images of handwritten signatures, user names and passwords, and digital signatures.
Regardless of their legal validity, not all electronic signatures are created equal. The major differentiators are security and authentication. At the low end of the safety spectrum are click-through agreements, plain-text “signatures” (such as a name typed at the end of an e-mail message) and user name/password pairs. These are a lot cheaper than higher-end solutions, but you should weigh cost against the severity of your privacy needs when deciding whether to adopt lower-end solutions or the most secure technology out there: digital signatures. For example, it may not be worth the effort to require a digital signature to download a $20 piece of shareware software, but a digital signature may be perfectly appropriate to control downloads of $500,000 ERP packages.
Why Digital Signatures?
Digital signatures are to ordinary electronic signatures what calculus is to arithmetic. They’re much more complex mechanisms that rely on encryption technology to provide a tamper-resistant method of communicating and authenticating documents and signatures. Basically, you “sign” a document by attaching a piece of text encrypted with your private key (a type of encryption password that is matched to a public key that can decrypt what the private key encrypts). The recipient can then authenticate your identity using your public key. If the public key decrypts the attachment successfully, the recipient knows that the message must have come from the holder of the matching private key. An encrypted hash (a number generated by mathematically analyzing a document; it changes if the document is changed) ensures that the document has in fact been sent without modification. This way, you can’t repudiate the document later on, and both you and the recipient face less risk of fraud.
Nonetheless, digital signatures have downsides. One is cost. Digital signatures tend to be complex, expensive and cumbersome to implement, and they often slow down the speed of the transmission. Public-key infrastructure (PKI) is particularly costly compared with other types of electronic signatures, like click-through agreements and user name/password combinations.
Another potential downside is that the technology isn’t particularly widespread. Until it begins to catch more fire, the challenges in obtaining a digital signature and learning to use its software may dissuade potential customers and business partners from engaging in e-commerce with your company. Worse, it might drive customers to other, less secure competitors that haven’t erected these barriers. Given these concerns, even the most security-conscious companies will want to limit the use of digital signatures to situations where the risk and cost of fraudulent transactions outweigh the challenges of the solution.
Obviously the biggest benefits of digital signatures are the security of the document and the ability to authenticate the sender. Because it’s so hard to tamper with an encrypted or digitally signed document, parties can rely on the document’s integrity from the time it’s sent to the time it’s received. But it’s not foolproof. For example, just because someone has a valid public/private key pair doesn’t mean you can always authenticate the sender’s identity. It could still be the proverbial “Dog on the Internet” from the now famous New Yorker cartoon—a very sophisticated dog, perhaps, but a dog nonetheless. Key pairs could also be issued in someone else’s name, allowing individuals to pose as others on the Internet. However, more certificate authorities are sprouting up and requiring various levels of authentication before they’ll issue a digital certificate to an individual. Using a digital certificate issued by a trusted third party (known in the industry as a certificate authority) can help prevent fraud and ensure the authenticity of the document. In some cases, it may even be appropriate for a company to invest in the necessary hardware and software to become its own certificate authority and issue digital certificates to customers and business partners.
But even a digital signature issued by the most trusted certificate authority won’t completely ensure the integrity or authenticity of digital documents or signatures. You still have to protect your passwords, or key pairs, from prying eyes. Because most digital signature users store their keys on their PCs and access them through a password, an unauthorized user sitting at someone else’s PC could hack into the private key and send out messages impersonating the owner. The hacker could use the stolen key pair like a rubber-stamp signature or a stolen credit card to wreak havoc in cyberspace for the rightful owner. It is therefore important to take standard security precautions against password theft. For example, lock your office doors, avoid easy-to-guess passwords, and change passwords often. You should also notify the certificate authority of any unauthorized use so that the authority can invalidate the digital signature and issue a new one.
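The three mechanisms discussed above (signing an encrypted hash with a private key and checking it with the public key, a certificate authority vouching for the binding between a name and a public key, and the authority invalidating a certificate after a key is reported stolen) can be walked through in code. The following is an added example written for this page, not code from the article or from any product it mentions: it uses a deliberately small, unpadded pure-Python RSA so the arithmetic is visible, and all names, key sizes and the purchase-order document are constructed. Real deployments use standardized padded schemes (RSA-PSS, ECDSA) and X.509 certificates with proper revocation lists; this toy is only for understanding the flow and requires Python 3.8 or later.

```python
"""Added example (not from the article): toy RSA signing, a toy certificate
authority and a revocation check. Key sizes, names and documents are
constructed; real systems use padded schemes (RSA-PSS, ECDSA) and X.509."""
import hashlib
import math
import random

_rng = random.SystemRandom()
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; trial division first to discard easy composites."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((n, e), (n, d)); toy sizes only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))  # modular inverse, Python 3.8+


def _digest_int(document):
    """SHA-256 of the document as an integer: the 'hash' the article refers to."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document, private_key):
    """'Encrypt' the hash with the private key; the result is the signature."""
    n, d = private_key
    return pow(_digest_int(document), d, n)


def verify(document, signature, public_key):
    """Recover the hash with the public key and compare it with a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(document)


def _cert_body(subject, public_key):
    return "{}|{}|{}".format(subject, *public_key).encode()


def issue_certificate(ca_private_key, subject, subject_public_key):
    """A certificate authority vouches for a name-to-key binding by signing it."""
    body = _cert_body(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key,
            "serial": hashlib.sha256(body).hexdigest()[:16],
            "ca_signature": sign(body, ca_private_key)}


def verify_signed_document(document, signature, cert, ca_public_key, revoked):
    """Recipient's checks: CA signature on the cert, revocation, then the document."""
    body = _cert_body(cert["subject"], cert["public_key"])
    if not verify(body, cert["ca_signature"], ca_public_key):
        return False, "certificate was not issued by the trusted CA"
    if cert["serial"] in revoked:
        return False, "certificate has been revoked"
    if not verify(document, signature, cert["public_key"]):
        return False, "document altered or signed with a different key"
    return True, "valid signature from " + cert["subject"]


def demo():
    """Run the scenarios from the text; returns {scenario: accepted?}."""
    ca_pub, ca_priv = generate_keypair()
    alice_pub, alice_priv = generate_keypair()
    mallory_pub, mallory_priv = generate_keypair()   # impostor's own key pair
    alice_cert = issue_certificate(ca_priv, "alice@example.test", alice_pub)
    # Impostor's certificate carries Alice's name but a key the CA never vouched for.
    fake_cert = issue_certificate(mallory_priv, "alice@example.test", mallory_pub)
    order = b"Purchase order 1001: 50 licences at 400 USD each"  # constructed document
    sig = sign(order, alice_priv)
    revoked = set()
    results = {
        "genuine": verify_signed_document(order, sig, alice_cert, ca_pub, revoked)[0],
        "tampered": verify_signed_document(order.replace(b"50 ", b"500 "), sig,
                                           alice_cert, ca_pub, revoked)[0],
        "impostor": verify_signed_document(order, sign(order, mallory_priv),
                                           fake_cert, ca_pub, revoked)[0],
    }
    revoked.add(alice_cert["serial"])   # Alice reports her key stolen; the CA revokes it
    results["after_revocation"] = verify_signed_document(order, sig, alice_cert,
                                                         ca_pub, revoked)[0]
    return results
```

Calling `demo()` returns `genuine` as True and the other three scenarios as False: the altered order no longer matches the hash recovered from the signature, the impostor's certificate fails the CA check even though the name on it is Alice's, and once the certificate's serial is on the revocation set a previously valid signature is rejected, which is the point of reporting a stolen key to the certificate authority.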
Despite their shortcomings, digital signatures will likely take a prominent place in e-commerce and other areas where privacy, confidentiality and authenticity are concerns. Banks, credit bureaus and investment brokers could turn to digital signatures given the sensitivity and value of the information exchanged. The health-care sector is already focusing on digital signatures for help in complying with the impending regulations of the Health Information Portability and Accountability Act of 1996, which addresses the confidentiality of medical records that are digitally stored and distributed. Basically, if your business handles personal or confidential information—and risks liability for exposure—you should consider digital signatures as your way of doing business online. And as software vendors make digital signatures and PKIs faster, less expensive and easier to use, your cost-benefit analysis should become more clear.