Beware: E-signatures can be easily forged

Consumer groups say the electronic signatures recently authorized by President Clinton are easy to forge.

You may need to be more careful about whom you do business with from now on.

"This law has very, very lax standards as to what constitutes your electronic signature," says Vergil Bushnell, e-commerce policy analyst for the Consumer Project on Technology in Washington.

Many people believe that the Electronic Signatures Act (ESA) requires "digital signatures." Digital signatures, which are a type of e-signature, make it practically impossible to alter a document without the changes being detectable.

Digital signatures rely on encryption algorithms that must be used with a single password, the private key, to identify an individual. Special software uses that password to lock, or encrypt, the signature, which a freely given public key--or second password--can open.

But the ESA does not require digital signatures--or any form of verification. In fact, the term "digital signature" does not appear anywhere in the ESA.

As a result, businesses and consumers face uncharted waters. Many familiar legal protections may or may not apply. The ESA gives legal force to things that are not electronic and are not signatures.

"The problem with not having a digital signature is that you're open to forgery," says William Allen Simpson, a co-author of the Internet security protocol IPSec.

The House version of the ESA, which included some minimum privacy and security standards, was rewritten in the Senate. The final bill defined an e-signature merely as any "electronic sound, symbol or process."

Technology experts say the following are now legally binding "signatures" under the "sound, symbol or process" rule:

 Pressing a touch-tone key. As Simpson puts it, "Telemarketers can now call people and execute electronic contracts by saying, 'Press 1 to agree.'" The touch-tone beep is considered an "electronic sound."

 Sending fraudulent email. A malicious novice could forge the sender's identity on an email to make it look like part of a legitimate purchase order process. "Someone sending email with your name on it to a company would constitute an electronic signature under this law," Bushnell says.

 Clicking "OK" on a salesperson's computer. An auto salesperson might inform a buyer that a sales contract must be signed electronically on his or her laptop computer. When the buyer clicks "OK" (an electronic symbol), a legally binding contract has been signed.

In none of these three examples does the ESA require a copy of the contract to be made available to both parties immediately. A copy can be sent by email. One party might accidentally or deliberately change text in the contract. Lacking a digital signature, it's hard to prove which of two versions is genuine.
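The difference a digital signature makes when two versions of a contract surface can be shown in a few lines. This is an added example, not part of the original column: it uses Node.js's built-in crypto module with Ed25519 keys, and the contract text, function names and parties are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// The private key stays with the signer; the public key is handed out freely.
function makeSigner() {
  return crypto.generateKeyPairSync("ed25519");
}

// Sign the exact bytes of the contract. Ed25519 takes no separate digest
// algorithm, so the first argument to crypto.sign/verify is null.
function signContract(text, privateKey) {
  return crypto.sign(null, Buffer.from(text, "utf8"), privateKey);
}

function verifyContract(text, signature, publicKey) {
  return crypto.verify(null, Buffer.from(text, "utf8"), publicKey, signature);
}

// Given several candidate versions, return only those the signature vouches for.
function genuineVersions(versions, signature, publicKey) {
  return versions.filter((v) => verifyContract(v, signature, publicKey));
}

// Constructed sample: two copies of one contract that differ in a single figure.
const buyerCopy = "Buyer agrees to pay $18,500 for the vehicle in 36 monthly payments.";
const sellerCopy = "Buyer agrees to pay $19,500 for the vehicle in 36 monthly payments.";

function demo() {
  const buyer = makeSigner();
  const someoneElse = makeSigner(); // a party who does not hold the buyer's private key
  const signature = signContract(buyerCopy, buyer.privateKey);
  const forged = signContract(sellerCopy, someoneElse.privateKey);
  return {
    // The text the buyer actually signed verifies under the buyer's public key.
    buyerCopyValid: verifyContract(buyerCopy, signature, buyer.publicKey),
    // A one-character change to the text is detected.
    sellerCopyValid: verifyContract(sellerCopy, signature, buyer.publicKey),
    // A signature made with any other key does not pass as the buyer's.
    forgedValid: verifyContract(sellerCopy, forged, buyer.publicKey),
    genuine: genuineVersions([sellerCopy, buyerCopy], signature, buyer.publicKey),
  };
}

console.log(demo());
```

A bare "OK" click or touch-tone beep carries no such binding to the contract text, which is why neither copy could be singled out as genuine without the signature.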

Of course, no responsible business is going to deliberately falsify contracts. But it might take only two or three widely publicized frauds to frighten consumers away from all kinds of e-commerce.

Legal rights groups such as the National Consumer Law Center say the ESA wipes out many common-sense protections.

Take the all-too-familiar case of the elderly woman who is convinced by a door-to-door salesman to sign a loan contract for overpriced repairs on her home.

"Today, consumer laws give the woman a chance to review the documents, or get help to review them, and cancel the loan within a certain period of time," the center said in a statement. But if she clicked "OK" on a salesman's portable computer under the new law, "the woman would be effectively deprived of these rights."

Consumer groups say existing credit card laws should have been used as a model. Under the Fair Credit Billing Act of 1975, Congress gave consumers protection such as defense against fraud over $50, the right to dispute the quality of goods purchased within 100 miles of their home, and so forth. These protections made credit cards (which were rare in 1975) popular with consumers and profitable for business.

Because the ESA now prohibits states from requiring digital signatures or credit card-like protections, only Congress can fix the insecure environment it has created.

For a copy of the ESA, go to the Thomas site. Search for bill number S.761. Then click S.761.ENR and select "Full Display" or "PDF."

Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.