[ Home | What We Do | Our Clients | Press & Events | Library | Contact Us ]

Electronic Signatures

Commentary on the Electronic Signatures in Global and National Commerce Act

By Bill Zoellick[1]

Summary

The Electronic Signatures in Global and National Commerce Act (E-SIGN Act) is an important piece of legislation, but not for the reasons portrayed in most of the press coverage of the bill. The Act is not revolutionary, as some claim, but is in fact cautious and conservative in that it lets the market make the important decisions about electronic signatures and about the infrastructure required to use and trust them.

The focus on the market rather than legislation as the primary force to shape the use of electronic signatures has important implications for managers of businesses that might use such signatures. Rather than simply understanding the law, business managers also need to understand the risks and benefits associated with electronic signatures. They need to be able to identify the key capabilities that they need to put in place in order to prevent fraud and to reduce the potentially significant liabilities associated with uninformed use of electronic signatures. Most important, they need to be able to make judgments about when the use of electronic signatures makes business sense.

This article begins with a brief summary of the E-SIGN Act, explaining what it does and what it leaves to the market. The review of the legislation leads naturally to the broader question of what needs to be in place before the parties to a transaction can trust and use electronic signatures. Next, the article looks at the most important problems and risks that companies wishing to use electronic signatures must address. It closes with suggestions about how business managers involved with electronic transactions should evaluate and address opportunities to use electronic signatures.

The hype surrounding the passage of the E-SIGN Act gives the impression that a consumer can now replace his or her written signature with an electronic one, and that this suddenly opens up a new era of e-commerce in which people will be able to use this personal electronic signature to buy cars, acquire homes and mortgages, and execute dozens of other important transactions. The reality is more complicated than that. Electronic signatures will be important, but will also require substantial judgment on the part of business managers to determine when their use makes sense. Managers must also match the selection of electronic signature technology and infrastructure with the costs, risks, and benefits unique to each particular signature application. This article provides an introduction to the issues.

On June 30, 2000 President Clinton signed the "Electronic Signatures in Global and National Commerce Act" (E-SIGN Act) establishing the validity of electronic signatures for interstate and international commerce.[2] After signing the bill with pen and ink (still required for legislation, interestingly enough), he also signed it electronically.

President Clinton's use of an electronic signature for the E-SIGN Act contained symbolic messages other than the obvious one. One side effect of the publicity surrounding this event is that we all now know the password associated with Clinton's digital ID: it is "Buddy," the name of the his dog. In his choice of a weak password and in his more revealing willingness to publicize his password, President Clinton was telling us that he was certainly not going to be using electronic signatures himself. That's not surprising, of course. But, good communicator that he is, he was also demonstrating that there are still educational and infrastructure barriers in the way of broad, routine use of electronic signatures.

The hype surrounding the signing of the E-SIGN Act would have us believe that we will soon be using electronic signatures to buy homes and cars on the Internet, all without paper. Turning once again to the Internet as highway metaphor (could we legislate against that, perhaps?), Senator Spencer Abraham, a chief sponsor for the legislation, announced that "This bill literally supplies the pavement for the e-commerce lane of the information superhighway." (This is enough to make one wonder about the literal meaning of "literally.") In this article we take a closer look at what we really need to have in place before we can trust electronic signatures enough to commit to important agreements and transactions solely on the basis of a electronic signature. We are still a ways from having the whole road paved. On the other hand, there are sections of the road that are ready for use today.

Managers involved in any kind of electronic transactions need to understand what the E-SIGN Act does and doesn't do. What's changed? What problems remain? How are companies likely to make use of this legislation and of electronic signature technology? Does it make sense to start making more use of electronic signatures today?

What the Legislation Does

There are already 46 states with some kind of legislation that establishes the validity of electronic signatures. In some states, such as Utah, the legislation even specifies particular approaches to encryption, sets liability limits, and takes other steps toward constructing the infrastructure to support electronic signatures. But different states have passed different laws, and states cannot regulate interstate commerce or international transactions. The federal law provides a way to harmonize the different state regulations and a framework for interstate commerce. The primary purpose of the law is to ensure that no signature or contract will be ruled as invalid simply because it is in electronic form. In other words, electronic signatures and records are as good as paper ones, subject to the same general questions of authenticity that apply to paper documents.

The E-SIGN Act does not, of course, require that people use electronic signatures. In fact, it makes the use of electronic records and signatures in place of paper contingent upon the active consent of all parties involved in the transaction. Moreover, the consent must be provided electronically, in order to demonstrate that each person can actually access records electronically. Congress is attempting to ensure that people without access to the hardware to sign or access documents electronically are not excluded from doing business and contracting for services. On the other hand, the E-SIGN Act does give businesses the right to charge an extra fee for having to deal with paper rather than electronic signatures and records -- choosing to use paper can end up costing the customer more. Businesses also have the right to terminate a relationship with a customer who withdraws consent to receive electronic records. As use of electronic signatures and records matures and as market tolerance for "electronic only" operations increases, these provisions will allow businesses to accelerate movement away from paper.

Although the focus of most news coverage of the E-SIGN Act focused on electronic signatures, the legislation is also important because of its treatment of electronic records (to which the electronic signatures would be attached). Given the active consent of a party to receive electronic information, the E-SIGN Act establishes electronic records and electronic notice as satisfying requirements for notice in writing. Further, it makes it acceptable to use an electronic record in place of paper record in a broad class of instances where record retention is a requirement. Overall, the purpose of the E-SIGN Act is to establish that electronic records and signatures can replace paper for most transactions.

Another important feature of the E-SIGN Act is that it creates a class of transactions and contracts for which electronic records, notice, and signatures cannot be substituted for paper. This set of exceptions includes wills, divorce and adoption documents, court orders and other court documents, eviction or foreclosure notices, notice of cancellation of life insurance or health insurance, cancellation of utility services, and product recall notices that impact health or safety.

Finally, the E-SIGN Act preempts state legislation that contradicts the federal law or that requires use of specific technologies or methods of signing or encoding electronic documents. It does allow the states to specify alternative procedures or requirements for establishing the acceptability or validity of electronic signatures or documents.

What the Legislation Does Not Do

The E-SIGN Act does not say what an electronic signature is, other than to provide the very general definition that it is an "electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." An electronic signature could be my name, spelled in ASCII characters, at the bottom of a document. It could be a digitized image of my handwritten signature. It could be a digital signature using a public key architecture and a certification authority. It could be a biometric signature such as an electronically recorded thumbprint or a retina scan. It could be a voiceprint of me saying my name or it could be the digital encoding of the biometric factors (pressure, speed, direction) that I use in creating my handwritten signature as detected on a digital pad. Clearly, some of these signature technologies will be more secure or easier to authenticate than others. The E-SIGN Act lets the market sort out the winners from the losers.[3]

Consistent with the refusal to evaluate and choose technologies, the E-SIGN Act does not deal with any of the infrastructure needed to establish the validity of signatures, other than to state that when a notary public is required to verify identity, the notary can use an electronic signature in performance of the notarization function. Similarly, the Act does not deal with liability issues associated with certification authorities or falsification of signatures or documents. These issues are, as they are with paper documents, left to the states or to the Uniform Commercial Code.

What Signatures Need to Do

Before attempting to assess the probable impact of the E-SIGN Act on business, let's step back and look at the broader question of what we need in order to have confidence in a signed document. Understanding the "big picture" issues will help us see how close we are to actually being able to use electronic signatures.

Authentication. The first requirement for a useful signature is to be able to know that it actually belongs to the person who is believed to be buying the home, signing the contract, incurring the debt, and so on. In other words, we need to know that the signature is not a forgery. In the world outside of electronic signatures we use a number of systems to ensure against forgery. For frequent and typically relatively low value transactions we keep a record of the authentic signature on file (e.g., a bank's signature card). For more critical transactions we require that the signature be "notarized," which is to say that we trust a third party to verify that the signature is authentic. In order to make sure that the notary does his or her job, state laws make notaries liable for damages (usually limited to some fixed amount) if the signature turns out to be a forgery. For really important transactions, such as the sale of a house and the signing of a mortgage, we sometimes even require that the signatories be physically present for the signing or provide power of attorney to someone who can be physically present. For such critical deals we still want to be able to look the other party in the eye. The ceremony surrounding the signing event signifies to all parties that the deal is done.

Integrity. Once the document is signed we want to make sure that it is not altered. I want to be bound by the agreement that I sign, not by some other agreement. With paper documents we typically do this by giving each signatory a copy of the signed document. When documents are sent back and forth to be executed over distance, we trust that the mail or express delivery packages are not opened and that the documents are not tampered with in transit. One of the more famous examples illustrating the critical importance of integrity is Hamlet's opening the letter that Claudius sent with Rosencrantz and Guildenstern to the King of England, sealed with the Danish king's royal seal, giving the order for Hamlet's immediate execution. Hamlet changed the order to request the execution of the letter's bearers, affixed his father's copy of the royal seal, and sent Rosencrantz and Guildenstern to their deaths. Integrity in transit matters.

Non-repudiation. If I loan you money and you sign a note promising to repay it, I want to ensure that you cannot later "repudiate" your signature, claiming that it is not yours at all and that you made no promise to repay. Faced with such a claim, I could hire an expert in handwriting analysis who might be able to convince a court that the signature is indeed yours. I would be in a much better position if I had also required the signatures of witnesses to the act of your signing. Notaries can serve as witnesses, since they keep a record of each signature that they authenticate.

Unresolved Issues

Given this outline of what is required in order to give us the confidence necessary to act on a signed document, how close are electronic signatures to meeting the requirements?

Authentication

I have a digital signature of my own. It consists of a public key and a private key that allow me to send encrypted email to other people with digital signatures. I can assert, through use of my private key, that a signed document came from me. Should you believe me?

I obtained my digital signature by going to the website of a Certification Authority (CA) and giving them my name and email address, along with $15. That's it. Nobody looked at my driver's license, passport, or birth certificate. There is no checking mechanism that would prevent me from, say, creating a new email address for my brother, Bob, and then paying another $15 to get a digital signature for Bob. The problem (or opportunity) would be that I, not Bob, would have the private key for Bob's signature. If I started using Bob's digital signature, and if companies accepted it as Bob's, I might be able to spend a lot of my brother's money.

The issue here is not the security of the actual digital signature, but the nature of the certification that authenticates it. The kind of digital certificate that I can get for my email, and Bob's email, is a "Class 1" certificate. There are other kinds of authentication and other kinds of certificates. For example, to get a Class 3 certificate from VeriSign, one well known digital signature certification authority, one has to appear in person.[4] The point is that electronic signatures are not all alike and are not all equally worthy of your trust, even when they use the same technology for keys and encryption.

Remember what the E-SIGN Act does. It simply states that it is permissible to use an electronic signature in places where I would have used pen and ink. It does not speak to the technical merits of different signature technologies, much less to the requirements for certification. It does not augment the existing authentication infrastructure with a new one that is appropriate for e-commerce. This is a critically important fact for business people to keep in mind as they try to understand the impact of this legislation. The infrastructure does not change just because of E-SIGN Act.

Before electronic signatures are used in new ways, supporting new kinds of paperless commerce, we need to establish mechanisms for authenticating electronic signatures. As we will see in looking at liability concerns associated with authentication, the problem is more complicated than simply having everyone get a Class 3 digital ID. The complexity and the need to allocate risk in different ways for different contexts is why it is exactly right that the E-SIGN Act does not prescribe how to authenticate signatures, leaving it to the market to figure out what works best.

Integrity

If Claudius had ordered Hamlet's death in an email sent in clear text to the King of England, Hamlet may have still been able to change it to a request for the execution of Rosencrantz and Guildenstern, assuming he could intercept the email. Perhaps relying on the connections of his friend Horatio, he could have captured it using a filter placed on the primary Internet links leaving Denmark. In that case he wouldn't have even needed his copy of the king's seal.

But if Claudius had encrypted the message using a strong encryption algorithm and kept the key to himself, Hamlet would have been a dead prince much earlier in the play.

Electronic signatures, coupled with encryption, are currently capable of ensuring the integrity of a message. This is what my class 1 Digital ID does well. You may not be able to be sure just who the real person is who sent the message, but you can be sure that the message that you received was the message that was sent.

The biggest barrier to message integrity at the moment the fact that a surprising number of business people do not encrypt their email, even when it concerns sensitive, business critical information.

Non-repudiation

If you cannot authenticate the identity of the sender, the issue of non-repudiation is moot. We're back to the same infrastructure problem behind authenticating the identity behind a signature. However, as we will see, it is possible to solve the authentication problem for many business applications. If you can take care of the authentication, you can get non-repudiation as well. The reason for this is that certain kinds of digital signatures act like a kind of electronic fingerprint and can be uniquely associated with the signer. It is worth noting that there are also kinds of "electronic signatures" included in the broad definition of the E-SIGN Act that would not address non-repudiation (e.g., the ASCII representation of my name.) It will take a while for the market to settle on technologies that work and to weed out the ones that don't.

Liability

The E-SIGN Act simply states that legal documents will not be declared invalid solely because they are in electronic form and contain electronic signatures. It does not make other changes in law or infrastructure. So nothing else should change, right?

Unfortunately, because electronic signatures are new technology, untested in the courts, the use of electronic signatures will inevitably raise new questions about who is responsible for paying the costs if something goes wrong. For example, consider the following hypothetical situation, presented and explored by C. Bradford Biddle[5]. Biddle's scenario assumes that some company or other entity steps forward to act as a certification authority -- kind of like a super notary -- keeping track of digital certificates, or signatures, and vouching for their validity. In this scenario, the "private key" is the part of the signature that signer uses to assert authenticity.

Cedric, a licensed certification authority, duly issues a certificate to Susan, who accepts it. Cedric publishes the certificate in a recognized repository. Susan's private key, which corresponds to the public key in the certificate, is kept on a floppy disk. Irving, a malicious computer hacker, releases a computer virus on the Internet that finds its way onto Susan's computer. Subsequently when Susan uses her private key, the virus program surreptitiously sends a copy of Susan's private key to Irving. Irving immediately uses the private key to cash a $10,000 electronic check drawn upon Susan's account payable to a numbered, anonymous account in a state having rigorous bank secrecy laws. Irving disappears and cannot be found. As soon as Susan learns of the fraud she revokes her certificate.

Who covers the $10,000 loss? Susan' first hurdle if she wants to avoid the $10,000 loss is to repudiate the false signature. The new Electronic Signatures Act doesn't say what the standard for non-repudiation should be. Some states, such as Utah, have set up more specific rules to deal with such issues. Under the Utah law a document containing a person's electronic signature is presumed to have been signed by that person unless he or she can present "clear and convincing" evidence that he or she did not, in fact, sign the document. So, if she lived in Utah, Susan would need to start out by hiring an attorney and the technical expertise required to meet a high standard of proof in convincing the court that she did not sign the check.

However, even if Susan gets past that hurdle, she may still be liable for the loss. The Utah law makes the person who owns the electronic signature completely responsible for any loss due to a failure to exercise "reasonable care" in safeguarding the private key. If Utah were making the laws for the U.S., Bill Clinton would already be headed down the slippery slope for letting us all know that his password is "Buddy," among other things. Susan, too, may be in trouble. Wouldn't "reasonable care" include use of a virus protection program? The Utah law doesn't say, so Susan would be left with the task of convincing the court that her inability to detect the virus was within the bounds of "reasonable care."

Biddle notes that under the Utah digital signature law Susan accepts much greater risk than she does by using her credit card, where consumer liability in the case of fraud is capped at $50. If she kept using only handwritten signatures she would have no liability, since one cannot be bound by a fraudulent handwritten signature. Biddle observes that "no rational consumer would agree to accept this level of risk in a marketplace transaction. The benefits of having a certificate simply do not outweigh the very real possibility of facing extraordinarily large unreimbursed losses."[6]

But if we don't want to hold Susan responsible for the loss, who should get stuck holding the bag? The certification authority? If the CA is a third party that is not involved in the transaction, but only in validating the signature key, this could be quite a burden. Such a company would have no way of knowing whether the signature was tied to a micropayment of a few cents or tied to the purchase of a home. Unbounded liability for transactions to which you are not a party sounds like a great way to go broke.

The third alternative is to make the party who accepted the signature liable for the loss. In Susan's case, this would be the bank receiving the payment. In such a case, the bank might want to do away with the services of a third party certification authority, establishing its own records of signatures and its own rules for accepting them. The bank might, for example, set a limit on how much risk it is willing to take on the authenticity of an electronic signature, requiring additional evidence of authenticity for amounts exceeding that limit. Note that the bank, as a party to the transaction, is in a better position to assess risk than would be a third party certification authority.

My point here is not to resolve these issues or to argue for a particular solution. The examples and detailed discussion of liability is intended to drive home the idea that authentication is not a technical problem, but is sometimes a legislative problem and always a business problem. There is overhead and expense associated with authentication -- electronic signatures do not make that expense go away. The amount that you spend to reduce the probability of fraud needs to be balanced against the costs of fraud. If you are engaged in transactions where your worst case loss can be held to a few dollars, you may be willing to make signatures quick and easy, accepting some loss, in order to do more business. If you are, however, incurring substantial exposure, you will want to make the investment required to buy substantial assurance of authenticity.

Existing State Laws

The E-SIGN Act is catholic (some might even say indiscriminate) in its embrace of electronic signature technologies and infrastructures. Its approach is to let the market do the work of sorting things out. Some state laws, such as Utah's, prescribe particular approaches to electronic signatures. The federal law preempts state laws that "require, or accord greater legal status or effect to, the implementation or application of a specific technology or technical specification." How will this effect the law and the use of the digital signature infrastructures that are already in place in Utah and in other states? This is a complicated question that will take time, and perhaps additional action on the part of state legislatures, to answer.

Probable Impact

We've looked at what the E-SIGN Act does. We have also looked at what else needs to be in place before electronic signatures can be trusted. Let's summarize before moving on to a look at probable impacts.

• The E-SIGN Act deals broadly with the use of electronic documents. Its intent is to ensure that, with a few exceptions, no contract, signature, or other legal document is invalidated solely because it is in electronic form.
• The Act provides for a relatively small number of exceptions where a signature, notice, or agreement can still be required to be in paper form.
• The Act relies on the market to decide what kinds of electronic signatures are useful. The definition of "electronic signature" in the E-SIGN Act is broad enough to cover any conceivable approach to recording electronic signatures.
• Before companies will accept electronic signatures they need to know when to trust them as authentic and when not to. Just as the E-SIGN Act leaves it to the market to sort out useful electronic signature technologies from those that are not secure, convenient, or are flawed in some other way, the Act also leaves it to the market to develop useful mechanisms for validating signatures and establishing trust in electronic documents.
• There are important questions about liability associated with the use of electronic documents and signatures that are not clearly resolved by reference to existing laws and regulations concerning paper transactions. The E-SIGN Act does not touch on these. This is consistent with the decision not to prescribe details of signature technologies or authentication and trust mechanisms. But it does mean that there may be potentially large liabilities associated with the use of electronic signatures until there is more experience, legal precedent, and, possibly, legislation dealing with electronic signatures and records.
• The E-SIGN Act preempts state laws to the extent that they are not consistent with the federal law and to the extent that they exhibit preference for particular technologies. Since state laws can augment the federal law in important areas such as authentication and liability, it will take time and perhaps some testing in the courts before the lines between federal law and state law are clear.

The short summary of these points is that a signature or contract cannot be considered invalid solely because it is electronic, but there are currently many other considerations that might make an electronic signature invalid. As of the date of the E-SIGN Act's passage, there is very little in the way of legislation, accepted practice, or widely used infrastructure that makes use of electronic signature safe for use between parties that do not already have a basis for trusting each other.

All the same, the E-SIGN ACT will succeed in stimulating increased use of electronic signatures and documents. But the initial increased use will not come in the form of auto purchases, home loans, and other general consumer commerce applications featured in early stories and commentary about the Act. Instead, the initial use will come in contexts where the issues of trust and authentication are already addressed through existing relationships or mechanisms.

Consider for example the relationship between a manufacturer and a supplier where signatures are required for each order from the supplier, but where the overall relationship has been established in an existing purchase agreement. In this case each party can exercise control over the signature authority granted to employees and concerns about liability and indemnification are already covered in the separate agreement. Dealing with paper or faxed signatures is simply an added cost. If such parties are not already using electronic signatures, the E-SIGN should give them the green light to do so now.

Or consider the variety of transactions and the exchange of documents between insurance companies, insurance brokers, and customers. the E-SIGN Act states that it is the express intent of Congress that the new law apply to the business of insurance. Insurance is a good candidate for early application of electronic signatures and record delivery because the costs of moving everything back and forth in paper are high. Just as important, the insurance company is in a position to establish an agreement with each customer that establishes the specific technologies that will be used for signatures, authenticates the signature for each customer, and establishes the specific terms of the agreement between the company and the customer concerning loss or theft of digital keys, forgery, liability, and so on. In short, the insurance company can set up its own authentication infrastructure and liability agreements with its agents and customers, and so is free to make immediate use of electronic signatures.

What emerges from these examples is a picture of electronic signature use that is very different from the view presented in popular press coverage. Most people have one handwritten signature. By analogy, one might expect to have one electronic signature and that this signature would be recognized and accepted by your insurance agent, your bank, and by the general business community. But, as we have seen, there are substantial problems associated with authenticating such signatures and with assigning liability for forgery in such a general scheme. Those problems disappear, however, when the parties to a transaction can set up a separate, private agreement, as in the case of our manufacturer and supplier or our hypothetical insurance company, broker, and customer. Such case by case agreements governing electronic documents and signatures can treat the technology, authentication, and liability issues in ways that are appropriate to the scale and to the nature of the transactions being conducted. So, rather than having one electronic signature, analogous to your one handwritten signature, you will probably have a number of different electronic signatures for use in the different business contexts.

Analysis and Suggestions

Despite news stories that suggest otherwise, the E-SIGN Act is not going to be the catalyst for a sudden revolution in e-commerce. The aims of the bill are more modest than that, simply removing legal obstructions that might stand in the way of letting market do its work in sorting out electronic signature technologies and approaches to authentication. Managers could misread the impact of the legislation if they look for broad, sweeping effects or expect the E-SIGN Act to resolve matters that are still left to the market to sort out.

The real impact of the E-SIGN Act is that it removes barriers to the use of electronic signatures in business contexts where such signatures already make business sense. The challenge for the manager is to recognize those contexts. You should look for the following kinds of business situations::

1. A high volume of transactions requiring signatures, so that there are real cost savings or performance improvements from adopting electronic signatures. Frequently, electronic signatures will not make business sense for infrequent transactions between parties. The costs of establishing satisfactory authentication will often outweigh the savings from the use of the electronic signature.
    
2. Parties that already know each other, or some other already-in-place or easy-to-establish mechanism for authenticating signatures. If authentication is cheap and easy, then it is easier to make the business case for electronic signature use.
    
3. The ability to easily create agreements (or use existing ones) covering liability and fraud. Again, existing infrastructure that can be adapted for use with electronic signatures makes the business case for electronic signatures easier by bringing down the costs.
    
4. Situations where the cost of fraud is relatively low (e.g., transactions with a low value for each transaction.) As noted above, if your risk of loss is lower, you can accept more risk of fraudulent transactions.

As the E-SIGN Act suggests directly, the insurance business is form and paper intensive and deals with a great many transactions that meet at least some of these criteria. Supply chain relationships are another area in which many transactions meet these criteria.

The E-SIGN Act will also stimulate new areas of business for software vendors and service providers. The problems associated with presenting, tracking, managing, and authenticating electronic signatures and records are opportunities for the companies that can address them. Given the complexity and critical importance of being able to authenticate signatures, there will be interesting opportunities for companies that can outsource that capability for clients or that can provide customer companies with the tools and processes to manage the authentication themselves.

One important point that software vendors and service providers should remember as they address these opportunities is that the early applications will be industry and situation specific. For example, insurance companies will need technology and perhaps services in order to set up their own electronic signature management and authentication systems. The same will be true of financial services companies, retailers managing their supply chains, manufacturers sourcing materials from suppliers, and so on. The problems associated with authentication and liability in the general case will ensure that, for a while at least, these applications will be relatively narrow and focused on the needs of individual companies in particular vertical markets. The way for a software vendor or service provider to go wrong here would be to believe the hype about sudden revolution, wish away the authentication issues, and go after an undifferentiated, horizontal market. The technologies will be applied horizontally, but the approach to the markets must be vertical.

If, as Senator Abraham said, the Electronic Signatures in Global and National Commerce Act supplies the pavement for the e-commerce lane of the information highway, it will be supplying it one stone at a time, at least for awhile. All the same, most businesses will want to begin using the road soon, since early markets are the time to build advantage. But you should also be realistic about how much of the highway is complete and about how rough the ride can be if you drive fast where the pavement is still under construction.

Notes

1.  The author would like to acknowledge the helpful criticism and discussion of an early draft of this article by Randy Kahn and Robert F. Williams of Cohasset Associates and by Scott Allison of Walker Digital.

2. A copy of the full text of the bill is available on the Library of Congress' "Thomas" service. Search for bill number S.761 within the bills for the 106th Congress at http://thomas.loc.gov/.

3. From a computer scientist's or web business person's viewpoint, anything moving on the Internet is necessarily in digital form, and so any kind of signature sent across the Internet would be a "digital signature." Attorneys and legislators, however, prefer to reserve the term "digital signature" for applications that use public encryption keys and matching private encryption keys to transmit documents securely and to "sign" them. The broader term "electronic signature," includes this more restricted class of "digital" signatures as well as other kinds of electronic signatures that do not use public key encryption.

4. For more information about Versign's classes of service, see the VeriSign OnSite 4.0 Administrator's Handbook, section 12.1.1, available on the web at http://www.verisign.com/onsite/doc/adminBook/adminBook/admin.html

5. C. Bradford Biddle, COMMENT: Misplaced Priorities: The Utah Digital Signature Act and Liability Allocation in a Public Key Infrastructure, 33 San Diego L. Rev. 1143 (1996). Draft version available on the Internet. Accessed 9 July 2000 at http://www.acusd.edu/~biddle/mp.html

6. C. Bradford Biddle, "Legislating Market Winners: Digital Signature Laws and the Electronic Commerce Marketplace." World Wide Web Journal. (Summer, 1997). Accessed 9 July 2000 at http://www.w3journal.com/7/s3.biddle.wrap.html

[ Home | What We Do | Our Clients | Press & Events | Library | Contact Us ]