Electronic/digital signatures accomplish three goals: protection from data tampering; signature authentication; and nonrepudiation, which means all parties are legally bound by digitally signed agreements. To endow transactional parties with the ability to establish digital signature mechanisms to make online contracts and transactions legally binding, President Clinton, on June 30, 2000, signed into law the Electronic Signatures in Global and National Commerce (E-Sign) Act. The electronic signature provisions took effect on Oct. 1, 2000. Electronic record-keeping requirements will take effect on March 1, 2001.
Motivated by the wide disparity in state electronic signature and commerce statutes passed in the past five years, the E-Sign Act supports added corporate protection in the process of building more efficient business-to-business (B2B) and business-to-consumer (B2C) e-commerce systems. With E-Sign's passage, electronic signatures essentially gained equal legal status with those created by using pen and paper. Businesses can now accept electronic signatures in the transaction process, thereby enabling faster, easier, more efficient, and less expensive ways to conduct online trade.
Considering that electronic signature products impact online privacy and fraud as well as transaction efficiencies, there is little doubt signature-related technology will get a boost from the E-Sign Act. In fact, thanks to E-Sign's passage, several vendors have developed or expanded signature products and services to take advantage of what will ultimately be a significant revenue increase for the security market (see text box, Signature Alternatives). However, corporate security professionals and individual consumers must look out for operational inconsistencies, such as software conflicts, that vendors won't disclose when rolling out their new signature products and services.
Benefits That May Bite
By embracing electronic/digital signatures, companies involved in high-volume, online B2B transaction activity may benefit from several advantages. Digital signatures offer a greater degree of security than handwritten signatures because recipients of digitally signed messages can confirm message origination and can also verify that messages were not altered. In addition:
Unfortunately, the wide variation of acceptable signatures enabled by law places further pressure on corporate security professionals to closely oversee signature conveyance to ensure transactions cannot be repudiated or later disowned with signature forgery claims.
Here lies a conundrum. Given the broad range of signature alternatives available, the wide range of related state laws previously passed, and the lack of standardized technology for message authentication and validation, can corporations moving high volumes of electronic transactions and communications find a seamless, straightforward, inexpensive, and robust signature solution?
Among those vendors demonstrating the variety of signature alternatives currently available are:
Cyber-SIGN Inc., San Jose, Calif. Offers a biometric signature authentication system.
Cylink Corp., Santa Clara, Calif. Offers PKI software for signature certification.
Entrust Technologies Inc.,
onSign Inc., St. Laurent, Quebec. Combines personal signatures with accompanying documents using RSA and SHA-1 algorithms to create unique codes that identify and protect messages.
VeriSign Inc., Mountain View, Calif. Provides managed digital certification services.
Will corporations selling consumer products and services online ultimately mandate e-signature conventions to their customers? Will consumers embrace unique retailer signature protections and expect other organizations to accept the same signature techniques? Or will customers obtain signature products offered by seemingly independent and trusted consumer security vendors so that online retailers must flexibly anticipate and accept these signatures?
My bet is that both will occur on the B2C side until a robust, standard, and inexpensive signature technology becomes an online convention. Remember the golden rule--those who have the gold make the rules. Some good news for B2C: Substantial decreases in fraud losses should occur as a result of consumer electronic signature acceptance.
Bottom line: Large to enterprise-level corporations will integrate electronic signature technologies developed by the leading e-commerce infrastructure vendors that already handle much of their transaction activity. Mid- to small-sized firms will likely adopt more best-of-breed software tools from innovative vendors offering greater operational savings for lower transactional volume.
Dr. Goslar is principal security analyst of E-PHD LLC, a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.