by J. Brown

Digital Signatures

Oct 15, 2000
Enterprise Applications

When Mark Bender, CIO of Williams Communications, first examined the tangled web of communications within the Tulsa, Okla.-based company, he hoped to find a technology to ease the confusion. But because much of the company’s correspondence consisted of sensitive documents—from employee time sheets and performance reviews to contracts and agreements with customers and other companies—a technical solution seemed impossible.

“All these items required physical signatures to ensure their accuracy, integrity and validity,” says Bender. “But gathering those signatures meant lots of paper, slow cycles and a real loss of efficiency within the company.”

Then Bender discovered electronic signatures—a technology that allows digital documents to be “signed,” keeping them valid and secure while retaining the efficiency of electronic storage and transmission. Soon after, Bender and his staff implemented two pieces of electronic signature technology—ApproveIt from Silanis Technology and a form of public-key infrastructure technology from Entrust Technologies. The technology not only helped alleviate the company’s paper-generated internal struggles; it also paved the way for faster and easier e-commerce interactions with customers and business partners.

Sign on the Line

The phrase “electronic signature technology” can generate some confusion, as the terms digital signature and electronic signature are often used interchangeably. In fact, they are not the same thing: one is a narrow subset of the other.

Electronic signatures refer to the broader, overall category of e-signature technologies, which don’t necessarily have to be based on cryptography. Instead, they may be based on biometrics (reading fingerprints or voices) or on the digitization of a regular, handwritten signature.

A subset of electronic signatures, digital signatures, uses public-key cryptography. A digital signature does not hide the document; it is a value computed over the document with the signer’s private key, which anyone holding the matching public key can check. These technologies are often considered the most secure and reliable form of electronic signature because they use public-key infrastructure to tie that public key to an identity and to detect whether the message has been altered since it was signed, whether in transmission or in storage.

Say you wanted to draft and complete a contract with a customer using a digital signature. To do so, you’d first have to acquire a digital certificate, the electronic equivalent of an ID card. Several companies, including VeriSign and Entrust Technologies, operate as certificate authorities that issue such certificates. Your software generates a pair of keys, one private and one public. The private key stays on your computer; the certificate authority checks who you are and issues a certificate that binds your public key to your name and is signed with the authority’s own key. Once you sign up, the authority sends that certificate back to your computer.

To sign a document, you enter a password or PIN to unlock your private key, and the software computes a hash of the document and signs that hash with the key. The private key itself never leaves your machine; only the signature and your certificate travel with the document. The person or company receiving the document checks that your certificate was issued by an authority they trust, takes your public key from it, and uses that key to verify that the signature matches the document as received. Any change to the document after signing, even a single character, makes the check fail. Once confirmed, they can sign the document with their own key and return it to you. Throughout the process, the software records the date and time of each signing, and because each signature covers the document exactly as it stood at that moment, either party can detect alteration anywhere along the way.
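The flow just described, carried through in code as an added example that is not from the article or from any of the vendors it names. It uses only Go’s standard library: a toy in-process certificate authority (an assumption standing in for a public authority such as VeriSign or Entrust) issues a certificate to a signer whose key pair is generated locally; the signer hashes a contract and signs the hash; the recipient verifies the certificate against the one root it trusts and only then checks the signature. It also shows the two failure cases a practitioner cares about: a document altered after signing, and a certificate in the same name from an authority the recipient does not trust. The `Signer` type, the `issue`, `Sign` and `Verify` helpers, the party names and the sample purchase order are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer is one party: a key pair generated on its own machine plus the
// certificate an authority issued for the public half. (Hypothetical type.)
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue generates a fresh key pair for subject and has issuer sign a certificate
// binding subject's name to the new public key. With issuer == nil the
// certificate is self-signed, i.e. a root standing in for a public CA.
func issue(subject string, isCA bool, issuer *Signer) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial; real CAs use random ones
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	parent, parentKey := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, parentKey = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// Sign hashes the document and signs the digest with the private key. Only the
// signature and the signer's certificate travel with the document; the key stays put.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// Verify is the recipient's side: check that the signer's certificate chains to
// a root the recipient trusts, then check the signature against the document
// as received, using the public key taken from that certificate.
func Verify(doc, sig []byte, signerCert, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := signerCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match document")
	}
	return nil
}

func main() {
	root, _ := issue("Example Root CA", true, nil) // the authority everyone trusts
	alice, _ := issue("Alice Buyer", false, root)  // "sign up": Alice gets a certificate
	contract := []byte("Purchase order: 100 units at $5.00 each") // constructed sample
	sig, _ := alice.Sign(contract)
	fmt.Println("genuine :", Verify(contract, sig, alice.Cert, root.Cert))
	// Altering the document after signing changes its hash, so the check fails.
	altered := []byte("Purchase order: 1000 units at $5.00 each")
	fmt.Println("altered :", Verify(altered, sig, alice.Cert, root.Cert))
	// A certificate in Alice's name from an authority the recipient does not
	// trust is rejected before the signature is even looked at.
	rogue, _ := issue("Rogue CA", true, nil)
	impostor, _ := issue("Alice Buyer", false, rogue)
	sig2, _ := impostor.Sign(contract)
	fmt.Println("impostor:", Verify(contract, sig2, impostor.Cert, root.Cert))
}
```

The order of checks in `Verify` is the point: trust in the certificate comes first, because a valid signature under a key nobody vouches for proves nothing about who signed. Real deployments add what this toy omits, chiefly revocation checking and a trusted timestamp, so that a signature can still be judged after the signing key has been retired or compromised.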

A Changing Landscape

It sounds like a fine solution to a significant problem, but there was an issue: Where a manually signed document carried force of law behind it, digital signatures often weren’t worth the virtual paper they were written on. That all changed this June, when Congress passed the Electronic Signatures in Global and National Commerce Act. The act, which became effective Oct. 1, makes electronically signed agreements as legally valid as hand-signed, printed documents. Proponents say the bill will mean significant increases in the number of companies employing digital-signature technology.

“It’s a tremendously important piece of legislation in that it mandates that electronic signatures can be accepted with just as much importance as paper and ink signatures,” says James Van Dyke, senior analyst with New York City-based Jupiter Communications, an Internet research and advisory company. “It will give businesses more confidence in implementing electronic signature technology.”

Though some companies have already begun using electronic signatures and 40 states had passed their own electronic signature laws, the lack of federal guidelines had, until now, served to deter the majority of businesses from implementation. But with the new law in place, companies are likely to put aside their reservations. In fact, according to an IDC (sister company to CIO’s publisher, CXO Media) report, the public-key infrastructure market will grow rapidly over the coming years, expanding from $132.2 million in 1999 to $431.2 million by 2003.

Increased use of digital signature technology is expected to generate a boom for e-commerce, particularly the B2B kind, where millions of transactions, contracts and agreements take place every day.

Ways and Means

The new federal electronic signature bill specifies the use of electronic signatures, not just digital signatures, so that companies will have a degree of flexibility with the type of technology they use. And they will have choices. Three categories currently serve the electronic signature market. The first category—which includes Entrust Technologies, Litronic and VeriSign—provides digital certificates. The second group—including eOriginal, iLumin and signOnline—sells software and other infrastructure required for electronic signature transactions to take place. The third category—which includes DataKey and OS Crypto—sells hardware such as smart cards, fingerprint scanners and retina-scanning devices designed to add a biometric element of safety to electronic signature transactions.

There are several ways a business can implement electronic signature technology. One of the most basic is within the company’s e-mail program. In this manner the massive amounts of information associated with personnel matters, such as benefits, could be posted to an intranet. Employees could then use digital certificates to direct changes to their 401(k) plans, dental or medical coverage, personnel records and so on.

Companies can also extend digital signatures outside corporate walls. Using an extranet, a company could set up electronic signatures with its business partners, suppliers or buyers, allowing those parties to order materials, goods and services securely online without the hassle of sending paper documents back and forth via fax or FedEx.

Ultimately, the concept will likely extend to business-to-consumer transactions as well, though this area looks likely to proceed more slowly. “On the business-to-consumer side, the issue of case law and precedent will be more important,” says Van Dyke. “Because businesses no longer have to send paperwork to their customers under this law, it is perceived as taking a lot of power out of consumers’ hands. Privacy groups and consumer rights groups are going to be very active when it comes to this topic, and businesses will proceed with caution.”

Potential Downfalls

Privacy issues aren’t the only hurdle. Private keys, for instance, must be kept secret in order to work: whoever holds a copy of the key can produce signatures that verify as the owner’s. A key stored on a computer’s hard drive, protected by nothing more than a password, is not that difficult for an unauthorized party to copy. “If I’m a night janitor working at your business and I see your password, I can claim to be you, making me suddenly much more effective at committing fraud,” says Van Dyke. “In the long run, this will make obvious the needs for other types of authentication down to a personal level.” Such authentication would likely include biometric identifiers like fingerprints or retina scans, which require additional infrastructure to implement.

“Things like smart cards that can be used to store your private key and essentially be as secure as your credit card are one of the missing pieces,” says John Pescatore, vice president of Internet security at Stamford, Conn.-based Gartner Group. “Portability is another issue. In the world of physical signatures, pens are very portable. A private key that’s stored on a hard drive is not.”

Another issue of concern involves the interoperability of multiple key technologies and the question of how electronic signatures will integrate with digital signatures. The language of the e-sign bill reflects a concern that government policies could bog down the development of the technology. Therefore the issue of standards was left open. The U.S. Department of Commerce, however, is charged with coming back within 180 days to give recommendations on how the harmonization of electronic signature technology might be achieved on a global basis. Until then, incompatibilities are likely to emerge.

“The passing of the bill generated a lot of interest among software vendors, several of whom are coming out with new products,” said Van Dyke. “That may mean more proprietary systems out there and more software incompatibilities.”

But to Williams’ Bender, the advantages so far have already outweighed the risks. “It’s reducing our costs and increasing our efficiencies,” he says. “What used to take days due to snail mail and paper shuffling now takes virtually minutes.”