Many people think that electronic signatures are still a thing of the future, out there with flying cars and human cloning. But most of us have already become used to performing electronic acts that serve as signatures. For example, when we withdraw money from an automatic teller machine or when we use a pay-at-the-pump gas station, we are electronically signing these transactions by punching pass codes or swiping cards. We can also sign digital transactions from our personal computers, using a variety of methods to make our mark on a transaction. Electronic signatures allow us to bypass traditional pen and ink authorization, greatly increasing the speed at which we do business. The primary purpose of a signature is nonrepudiation: linking a specific person's actions and identity in such a way that the person can't easily deny performing the action. If a person claims that he or she didn't approve an electronic transaction, the method used for signing should provide a way to prove otherwise. There are several types of electronic signatures, ranging from a simple mouse click to encryption-based digital signatures. While each type has appropriate uses, important digital transactions require a level of protection that goes beyond a mouse click or typed name. The technology behind a digital signature is foreign to most people, and the fact that it doesn't involve penmanship might cause some discomfort. A close examination of the different kinds of electronic signatures, and the purpose of signatures in general, shows that digital signatures are a safe, effective tool for ensuring nonrepudiation and preventing fraud in digital documents.
We take signatures for granted, often signing without really thinking about it. Most of our important documents require a signature to be valid. We also use signatures for seemingly insignificant transactions, like the check for the gas bill, a credit card charge at a restaurant, or renting a pair of bowling shoes. We sign our names to both business and personal correspondence and type our names at the bottom of e-mail messages. All these signatures allow us to make our mark on the world. Signatures serve four main functions:
Legislation and Electronic Signatures
Signatures have been in use for at least 4,000 years. But for most of that time, signatures were a convention rather than a legal requirement. From a historical perspective, the single most important legislation concerning signatures was the "Act for Prevention of Frauds and Perjuries," enacted in 1677 by the British parliament. This act stipulated that any contract for goods or services worth at least £500 must be executed as a "note or memorandum in writing" and that a contract must be "signed by the parties" to be valid. These basic principles have had a profound effect on the American legal system; echoes of the 1677 language can be found in the contract requirements of both U.S. federal and state legislation today. Slightly more recent signature law comes in the form of legal precedent established by the courts. After its invention in 1844, the telegraph became the first means of transmitting information using electricity. As the device became widely used, people began to telegraph entire contracts—complete with Morse-coded signatures—from one location to another. In 1869 a judge upheld a contract containing one of these electronically transmitted signatures by making the following statement: It makes no difference whether that operator writes the offer or the acceptance … with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. …Nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office. This decision comes more than 130 years before two modern laws regarding electronic signatures: the Uniform Electronic Transactions Act (UETA) and the Federal Electronic Signatures in Global and National Commerce Act (E-SIGN). Introduced in 1999 by the National Conference of Commissioners on Uniform State Laws, UETA provides states with ready-to-enact legislation to promote the use of electronic signatures in most business and government transactions. Some of UETA's more important provisions state:
A Variety of Electronic Signatures
Neither E-SIGN nor UETA specifically endorses or prohibits a particular technology for use in creating or signing an electronic document. The language in E-SIGN says that a signature in an electronic agreement can be "an electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record." An electronic signature doesn't necessarily have to involve the name (handwritten or otherwise) of the signer. Just as a stamp in sealing wax and an X on a line can function as a signature, an electronic signing action can take several different forms:
Digitally Signing and Authenticating Documents
Creating a digital signature requires a digital certificate, which is issued by an agency called a certificate authority (CA). This method of signing also requires a pair of numeric keys. The first is the private key, which is known only to the signer and must be kept absolutely secret for the entire system to work. The second key, the public key, is freely available to anyone who wants it and is part of the public information in the signer's published digital certificate. Because of the mathematical nature of these two keys, only documents that are locked by one key can be unlocked by the other. The final requirement is a digital document, ready to be signed.
1.The document's numerical content is processed using a hash function. This creates a document fingerprint.
2. The signer's private key is used to encrypt the document fingerprint, resulting in a digital signature.
3. The digital signature is embedded within the original document, creating a digitally signed document.
Anyone who receives a digitally signed document will want to authenticate it before accepting it as real. Document validation ensures that a signature was created by the specified signer and that the document has not been tampered with in any way. The validation process goes as follows (see Diagram 2):
1. After separating the document and signature, the original document is processed using the hash function. This creates a second document fingerprint.
2. The signer's public key is obtained, either from the certificate authority's online certificate repository or from within the document itself.
3. The public key is used to decrypt the digital signature,releasing the first document fingerprint.
4. The two document fingerprints are electronically compared.
5. If the two fingerprints are not absolutely identical, the document is considered invalid. If they match, then the signature—and the document to which it is attached—is proved valid, and the signed document is accepted as legitimate.
The Future of Electronic Signatures
There has been a great deal of discussion in the mortgage industry regarding electronic signatures. Some believe that public-key digital signatures require too much of the consumer for them to catch on for everyday use. Others point out that digital signatures are the most effective tool available to "lock" signed documents and enable easy, automated detection of document fraud and tampering. The fact is, digital signatures are already being used extensively in court e-filings, in electronic commerce, and in the health care industry. The digital signature has been adopted by the Mortgage Banking Association of America as an approved method of protecting electronic mortgage transactions. Powerful encryption technology makes digital signatures the ideal option for nonrepudiation and automated authentication for digital documents in any market or industry. More than a century ago our legal system began coming to terms with the changes introduced by the advent of electronic information. The federal government and most states have approved the use of electronic signatures in many everyday transactions. Since the digital signature is the only type of electronic signature that can effectively protect both the signer and receiver of a document, it makes sense to use this safe, reliable technology as an integral part of mission-critical digital document systems.
Todd Hougaard is president of Ingeo, a leader in the electronic document industry. He can be reached at firstname.lastname@example.org or 435-755-9837. This article is an elaboration on his presentation at ALTA®'s 2002 Tech Forum.