Digital Signatures Offer Potential, if not Protection

By - cin.earthweb.com Staff

By Martin Goslar, Ph.D.

Electronic/digital signatures accomplish three goals: protection from data tampering; signature authentication; and nonrepudiation, which means all parties are legally bound by digitally signed agreements. To endow transactional parties with the ability to establish digital signature mechanisms to make online contracts and transactions legally binding, President Clinton, on June 30, 2000, signed into law the Electronic Signatures in Global and National Commerce (E-Sign) Act. The electronic signature provisions took effect on Oct. 1, 2000. Electronic record-keeping requirements will take effect on March 1, 2001.

Motivated by the wide disparity in state electronic signature and commerce statutes passed in the past five years, the E-Sign Act supports added corporate protection in the process of building more efficient business-to-business (B2B) and business-to-consumer (B2C) e-commerce systems. With E-Sign's passage, electronic signatures essentially gained equal legal status with those created by using pen and paper. Businesses can now accept electronic signatures in the transaction process, thereby enabling faster, easier, more efficient, and less expensive alternatives to conduct online trade.

However, the E-Sign Act's approach is both endorsing and damning due to the open-ended definition of electronic signatures. As stated in the E-Sign Act, electronic signatures can be an "electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." It's up to the sender and receiver to agree upon the form of signature acceptable to both.

Considering that electronic signature products impact online privacy and fraud as well as transaction efficiencies, there is little doubt signature-related technology will get a boost from the E-Sign Act. In fact, thanks to E-Sign's passage, several vendors have developed or expanded signature products and services to take advantage of what will ultimately be a significant revenue increase for the security market (see text box, "Signature Alternatives"). However, corporate security professionals and individual consumers must look out for operational inconsistencies, such as software conflicts, that vendors won't disclose when rolling out their new signature products and services.

Benefits That May Bite

By embracing electronic/digital signatures, companies involved in high-volume, online B2B transaction activity may benefit from several advantages. Digital signatures offer a greater degree of security than handwritten signatures because recipients of digitally signed messages can confirm message origination and can also verify that messages were not altered. In addition:

Unfortunately, the wide variation of acceptable signatures enabled by law places further pressure on corporate security professionals to closely oversee signature conveyance to ensure transactions cannot be repudiated or later disowned with signature forgery claims.

Here lies a conundrum. Given the broad range of signature alternatives available, the wide range of related state laws previously passed, and the lack of standardized technology for message authentication and validation, can corporations moving high volumes of electronic transactions and communications find a seamless, straightforward, inexpensive, and robust signature solution?

Since the E-Sign Act impacts B2C as well as B2B e-commerce, consumers buying and selling online can feel more confident that their financial identities are less likely to be counterfeited. But consumers must be as diligent as corporate security professionals because consumer e-signature options are not defined.

Will corporations selling consumer products and services online ultimately mandate e-signature conventions to their customers? Will consumers embrace unique retailer signature "protections" and expect other organizations to accept the same signature techniques? Or will customers obtain signature products offered by seemingly independent and trusted consumer security vendors so that online retailers must flexibly anticipate and accept these signatures?

My bet is that both will occur on the B2C side until a robust, standard, and inexpensive signature technology becomes an online convention. Remember the "other golden rule"--those who have the gold make the rules. Some good news for B2C: Substantial decreases in fraud losses should occur as a result of consumer electronic signature acceptance.

Bottom line: Large to enterprise-level corporations will integrate electronic signature technologies developed by the leading e-commerce infrastructure vendors that already handle much of their transaction activity. Mid- to small-sized firms will likely adopt more best-of-breed software tools from innovative vendors offering greater operational savings for lower transactional volume.

Dr. Goslar is principal security analyst of E-PHD LLC, a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.