
Utah may erase early but unused e-commerce law

In 1996, the state won applause for enacting a digital-signature law. Now it may go away.

Anne Broache Staff Writer, CNET News.com
Anne Broache covers Capitol Hill goings-on and technology policy from Washington, D.C.
Utah won applause a decade ago for setting rules for digital-signature technology. But the law hasn't been used and now may be repealed.

Utah State Sen. Lyle Hillyard plans to introduce a bill in January that would delete from the law books what he described to CNET News.com as "cutting-edge legislation at the time." If his proposal passes, the repeal would take effect on May 1.

Enacted in 1996, the Utah Digital Signature Act was the first of its kind and went on to receive praise from groups like the National Association of State Chief Information Officers, which granted the state its 1997 e-commerce award a year later.

The law was intended to prevent e-commerce fraud and forged digital signatures. Among other things, it required those issuing digital certificates to register with the government and adhere to certain guidelines, to be subject to third-party audits, and to follow financial guidelines and international information security standards.

But several years have passed since anyone registered with the state's corporations office as a result of the law, Hillyard acknowledged, "so the consensus is to repeal it."

The lack of registrations is due in large part to the state beginning to rely on other laws that don't require such a practice: federal legislation known as the Electronic Signatures in Global and National Commerce Act, or E-sign for short, and a state-level law known as the Uniform Electronic Transactions Act, or UETA, which is now on the books in 45 other states and the District of Columbia. Both came into the picture in Utah beginning in 2000.

Those laws set out a broad legal framework for use of "electronic signatures," which, despite the seemingly similar name, are in a different class from the "digital signatures" the Utah law concerns. Electronic signatures can mean everything from clicking a checkbox on a Web site to signify agreement with its terms of service to attaching an encrypted signature to an e-mail. That latter category--use of cryptography--is what defines a true digital signature.

"What happens is, you take the electronic file and you create a hash, which is unique to that document," said Benjamin Wilson, a Salt Lake City attorney and consultant who co-chairs the American Bar Association's information security committee. "Then you encrypt that hash with your private key, and because only you have the private key, you're the only one that can use that digital signature."

While E-sign and UETA invite encryption, they don't require it, meaning that an electronic signature "doesn't have to meet any specific standards," Wilson said.

"My personal view is that E-sign and UETA did not preempt the entire Digital Signature Act," he said. "There are some good things in the Utah legislation that are innocuous," such as a provision stipulating that those in possession of a private key should "take reasonable care" to keep it secret.

Although he acknowledged that Utah's digital-signature law can be overly restrictive, prescribing myriad steps that entities would have to follow before receiving certificates, Wilson said eradicating the law entirely would create a "vacuum" that would likely be filled over time through court decisions.

Utah representatives were quick to defend the decision. "We're not getting rid of digital signatures," said Associate General Counsel Erik Weeks, who helped draft the bill. "We're getting rid of the old version that ended up being sort of a dinosaur."

"We do it rather routinely," Weeks added. "We get a lot of criticism when we don't pull outdated stuff out."