Kuro5hin.org: technology and culture, from the trenches
Electronic Signatures Act open to abuses, forgery?

By marlowe in News
Fri Jul 14, 2000 at 12:45:42 PM EST

According to this story, that Electronic Signatures Act (S.761) that Clinton recently signed is wide open to abuses, because it doesn't require encryption.

In fact, the article suggests that all sorts of easily forged user actions, such as e-mails or even keypresses on a telephone pad, will be legally binding. As Clinton might say, it depends on what the definition of "signature" is.

Lots of fancy names are quoted as being concerned: National Consumer Law Center, Consumer Project on Technology, even an IPsec co-author.

Just sensationalism? Let's hope. This doesn't exactly give me the warm fuzzies. But then I could be biased. I simply don't trust anything that has a grandstanding politician involved in its promotion. Or any man with too much power and too little regard for the truth, especially if his name is Bill.


Electronic Signatures Act open to abuses, forgery? | 19 comments (15 topical, 4 editorial, 0 hidden)
Sign this! (2.61 / 13) (#2)
by orthox on Fri Jul 14, 2000 at 11:30:44 AM EST

By clicking on the "Rate" button below I agree to have selected a value of "5" in the "drop-down" list to the left of the "Rate" button...

Re: Sign this! (1.00 / 1) (#5)
by Anonymous Hero on Fri Jul 14, 2000 at 11:43:24 AM EST

Doh! I didn't mean to mod this to a 5!!!
I want my money back.

[ Parent ]
Whoops! (1.00 / 1) (#7)
by Notromda on Fri Jul 14, 2000 at 01:11:11 PM EST

Ok, let's see you prove how I rated this comment. Of course, besides all the usual court costs, you'd have to supenae (sp?) k5 logs, and issue a warrant to freeze the current database (I might change my vote, after all), and then, trickiest of all, you'd have to prove that it was me sitting at my keyboard. :P

Ack, this law is shaky at best.. a good try, but it's gonna get shot down.

[ Parent ]

Re: Whoops! (3.00 / 1) (#13)
by orthox on Fri Jul 14, 2000 at 07:12:25 PM EST

I know. The whole law is a joke. It was probably just a publicity stunt on Clinton's part to be the first president to electronically sign a piece of legislation.

But it does give a "EULA" some large teeth. (read: a great tool for companies to slap around people with)

[ Parent ]

Re: Sign this! (2.00 / 1) (#12)
by Anonymous Hero on Fri Jul 14, 2000 at 05:29:53 PM EST

By clicking on the reply link to this comment, you agree to donate $20 to the Electronic Frontier Foundation.

[ Parent ]
Why is Encryption bad? (3.33 / 3) (#8)
by argent on Fri Jul 14, 2000 at 01:15:37 PM EST

One thing I cannot understand is why the govt. is so dead set against encryption of any kind? It's not like the NSA couldn't crack anything put in front of it anyways. And I do include PGP in that sweeping generalization as well. And allowing "press 1 on your keypad to accept" as a legally binding contract is outrageous. Grrr.....Just when you think that the house and senate are starting to "get it"...
cd /pub more Beer
Re: Why is Encryption bad? (none / 0) (#11)
by Anonymous Hero on Fri Jul 14, 2000 at 05:27:26 PM EST

It's really not that likely that the NSA can break strong encryption. The best cryptographers in the world don't all work for the NSA any more, because they don't get to publish their research if they do. So if you go by the extensive academic literature, the amount of compute time required to break large keys is far more than what's available on the entire planet. What the NSA can do, however, quite well, is come up with clever workarounds that attack implementation details. Judging by some comments by Schneier, anything by Microsoft is probably toast, and IPSec is probably toast. PGP seems pretty strong though--it keeps things simple and never stores plaintext.

[ Parent ]
Re: Why is Encryption bad? (none / 0) (#15)
by argent on Fri Jul 14, 2000 at 11:07:09 PM EST

I agree, PGP is pretty damn good. I use it, both at home and at work. But the paranoid in me (damn drugs supposed to fix that! :-)) says that THEY wouldn't allow an encryption scheme THEY couldn't break. If THEY could, would it be allowed to exist?? Just some late night beer-induced rantings....

argent
cd /pub more Beer
[ Parent ]
Re: Why is Encryption bad? (none / 0) (#19)
by Anonymous Hero on Mon Jul 17, 2000 at 09:52:45 AM EST

I'm pretty paranoid too, but the question to ask is, how can they suppress it? They certainly have tried. But when the basic algorithm is published by an academic, the secret's out. When Phil Zimmermann writes and releases free code implementing it, they can throw him in jail (and nearly did), but the code is out. PGP is available to anyone from overseas, and there's nothing the U.S. government can do about it. All this latest decision does is recognize reality.

I'm sure they would make all use of strong encryption illegal if they could, but there are enough lobbyists for commercial concerns that depend on encryption, to make that unlikely.

Of course, maybe they have a giant quantum computer...I need a pizza...

[ Parent ]

telemarketing scams... (4.00 / 3) (#9)
by Anonymous Hero on Fri Jul 14, 2000 at 02:15:48 PM EST

The bill was clearly written with telemarketers (and others with legitimate interests) in mind. Today they have to record your voice agreeing for any contract to be binding, but now they can get by with a computer record indicating that you pressed the right key on your telephone keypad.

N.B., some of these uses *are* legitimate. E.g., I normally pay off my credit card balance every month and keep charges under $2000. However I allow them to keep the credit line much, much higher than that in case of an emergency. If I hit the limit one month, I *want* my credit card company to call me and confirm that I've been making these charges. Likewise, I do want a call before my insurance lapses for non-payment - I've been known to misplace invoices, payments have been lost/delayed in the mail, etc.

HOWEVER, I've also heard of some extremely blatant violations of this law - especially by telco "slammers." The worst was probably a woman who was trying to shake the telco pest when her "husband" came on the line and agreed to switch carriers. The only problem was it wasn't her husband - it was another employee of the telco attempting to impersonate the customer for the purposes of recording consent. It was totally bogus - and IIRC that company did eventually get slammed (in the historic sense) by the regulators for fraudulent activity - but it takes time and effort to disprove this type of crap. But at least it *can* be disproved - not all male voices sound alike.

But how could you ever prove that the touch tone "1" which indicated your consent to switch to DSH (Dewey Screwum & Howe) Long Distance carrier (only $0.10/minute, 480 min. minimum per call) was forged?


Re: telemarketing scams... (3.50 / 2) (#14)
by argent on Fri Jul 14, 2000 at 11:03:06 PM EST

I'm pretty sure, any phone phreaker worth his salt could generate a tone for a #1 on a phone. So, read up on $COLOR boxes, start up a business, and do pure phone solicitation, and record the conversations.

Phreaker > So Mr.Alvereze, if you would like to give me $1000 dollars for the super deluxe hyperbole slicer, press one now
Phreaker > BEEEEEP!!!
Mr.Alvereze > WHAT THE HELL WAS THAT!?!?!!
Phreaker > Thanks for your business Mr.Alvereze. Enjoy that slicer!

argent
cd /pub more Beer
[ Parent ]
Re: telemarketing scams... (3.00 / 1) (#18)
by Anonymous Hero on Sat Jul 15, 2000 at 09:12:58 AM EST

"If I hit the limit one month, I *want* my credit card company to call me and confirm that I've been making these charges."

Why? I find these calls annoying. If I buy a laptop online (and I have three) I soon get a call from some person who I don't know from Adam wanting to ask me questions about this purchase. Luckily, the answering machine usually gets them, and I never bother to call them back. I wonder why you *want* them to call you? If you didn't make those charges, they're not your responsibility. You aren't responsible for the gross lack of security in credit card charges (well documented in other forums). The most significant stories I know regarding these 'monitoring' people are disasters. A friend of mine went on a business trip recently - Europe, Asia, and Australia. The credit card company decided that his card had been stolen, and promptly cancelled it - leaving him stranded in a foreign country with a dead credit card.

NoneSuch

[ Parent ]
(3.33 / 3) (#10)
by royh on Fri Jul 14, 2000 at 03:04:35 PM EST

I'm reading the bill, and apart from the usual legal bloat (it is pretty small though), it seems remarkably sane. It is filled with "this does not apply to [insert some prior rules]" and "nothing in this [law/section] shall affect..." type language.

The National Consumer Law Center's web page linked from this article is incredibly... well... stupid. They detail three scenarios, all basically of this form: "Joe signs an electronic contract with Bill. Bill changes contract. Joe has no right to contest" (although they make it longer all three times).

I thought a signature that is known to be forgeable or compromised is invalid, and aren't courts supposed to decide all of those messy details anyways?

The law, besides defining an electronic signature in very broad terms, pretty much states "signatures are not invalid just because they are electronic". It really sounds fine to me...

Alarmist (3.00 / 2) (#16)
by PresJPolk on Sat Jul 15, 2000 at 01:12:06 AM EST

Have you actually read the thing? All the bill does, is say that a document is not to be considered less valid, solely because it is in electronic form. Signatures can still be challenged in court if the signature scheme is insecure, or if the key has been invalidated.

This bill does allow people and businesses to conduct paperless business, without fear of the other side backing out due to there being no inked signature somewhere.

Signature validation is best left to cryptographic protocols, not laws. The early signature challenges in court will be interesting, but this law will force the courts to get dirty in the math, rather than just dismissing the math as irrelevant.
