Slashdot: News for Nerds

House Passes Digital Signature Bill

CmdrTaco posted more than 14 years ago | from the its-almost-as-good-as-ink dept.

United States 116

DrewMIT writes "Finally, "electronic signatures" will have the same validity legislatively as ink signatures." It still needs to go through the Senate, and the White House has said it will veto it. The article is quite negative; it talks about how this will violate consumer rights, but all I can think is "It's about time." What do you think?

116 comments

Opponents? (1)

RobNich (85522) | more than 14 years ago | (#1546112)

After reading the article, I still don't understand why anyone would oppose this.
It seems like if the politicians don't have a backwards stance on something, they don't think they're doing their job.

Offtopic..... (0)

karnal (22275) | more than 14 years ago | (#1546113)

BROWN? ick.

Ugh...more e-mail (4)

wesmills (18791) | more than 14 years ago | (#1546114)

The bill would also allow companies -- when consumers agree -- to deliver warranties, notices and other required disclosures in electronic form.

This is absolutely what I *do* *not* want. I have a hard enough time as it is getting my CC company to follow the disclosure laws, and now they can just say "well, we sent it. your computer must've eaten the e-mail." As I read the bill, this would strengthen the corporation's rights of notification even beyond the standard you're-considered-notified-3-days-after-we-mail-this provision. I also note that me notifying them electronically is not addressed.

This will suck, I believe. Just think, you get an electronic notification in a lovely HTML message (that you can't read on text readers), with a note up top in 5pt type "please see below for account information." If you do take the time to read it, you find that in 15 days, your interest rate skyrockets from 13 to 23%, your payments are due in 10 days after the bill, oh and we're going to sell every bit of data we have about you. You may cancel your card under the original terms by sending written notice, in triplicate, to the following address that is written in off-white/grey text on a white background.

Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?

--------------------

I think it's a good idea, but.... (1)

choctaw (102631) | more than 14 years ago | (#1546115)

Here's what I'm wondering. Not having much to do with the digital signature software & hardware, I'm curious as to a couple of things. First off, I'm wondering what the possibility of forgery is, and to what degree security is involved in the devices/software that implement the signature. Secondly (and possibly a branch from the first question), I'd be interested to know what prevents someone from copying this signature and using it themselves. I'm obviously not well versed on the subject, but these are the kinds of concerns I would expect a businessman to raise. Also, does anyone know if the bill would allow for businesses to refuse to allow the use of the signature?

The difference between genius and stupidity is that genius has limits.

Consumer advocates (1)

troyboy (9890) | more than 14 years ago | (#1546116)

Some consumer advocates oppose the relaxation of notification and information laws put in place by the states. For example, the bill would eliminate in many cases the requirement that banks notify their customers of agreements via snail mail. Email addresses are not as reliable as the USPS, they argue.

The bill doesn't simply say that electronic signatures are valid. THEY ALWAYS HAVE BEEN!

A bad thing, or merely ignorance? (3)

Christopher B. Brown (1267) | more than 14 years ago | (#1546117)

Note that it is quite possible that a particular bill might have wording that would make it downright harmful even though it may provide legal support for our favorite technology.

On the one hand, the US President has consistently opposed legislation to promote the public use of stronger cryptographic tools. Based on that, one might be led to assume that opposition to digital signatures might be based on that opposition to public access to cryptography.

On the other hand, there may be something about the bill in question that actually is bad.

On the gripping hand, it could be worthwhile to have validation of the legality of signatures "set" cryptographically, even if this has some intermediate side-effect that is "bad for consumers."

Does anybody have the actual text of the bill? It's rather difficult to evaluate the merits of completely-pre-digested press releases...

I don't know about you but... (0)

Anonymous Coward | more than 14 years ago | (#1546118)

Unless this bill has provisions (no I didn't read the fine print) that are at least as good as those for consumer protection like credit cards have I ain't buying it.

Call me a Luddite but: I don't *ever* send my credit card number over the net. I don't enter any personal information into any computer until I have seen and/or personally signed the paperwork and received a copy or the original myself.

I won't be buying stuff over the net. Mostly because I can get as good a deal locally as *anywhere* on the net (shipping and handling costs bux boys).

Privacy and security will *never* be guaranteed on the net, get used to it.

Am I missing something? (2)

jued0001 (95852) | more than 14 years ago | (#1546119)

According to the article, they're concerned that businesses will do such things as "end warranties" through e-mail I guess. Then, according to others, that isn't allowed. If that's the case, why not pass the legislation?

What I really don't get is how do you return something using this "system"? If everything is electronically generated, will we need to send an electronic receipt back before the return would be allowed? What will happen to paper receipts? Won't electronic receipts be fairly easy to doctor up?

_________________________

Mello like the Yello, but without the fizz.

A few things... (2)

Millennium (2451) | more than 14 years ago | (#1546120)

1) The bill appears to "exempt" some things from electronic delivery. Does this mean that companies don't have to send these things over E-mail, or that they must not (meaning, therefore, that they must continue to send them using more conventional means)? If it's the latter, then I don't see why this is so bad.

2) The article talks about sending things in formats that people might not be able to read. That's what ASCII text is for. Warranties and such generally don't need anything in the way of special formatting. Perhaps that format should be required in the bill; it appears not to be.

3) What the hell is wrong with the colors on this message? No offense to whosever idea this was, but the usual green and white looks much better.

Or is this a sign of user-configurable colors to come?

yet again politicians fail to add 2 + 2 (1)

ravage (17762) | more than 14 years ago | (#1546121)

From what I gather from the 'con' arguments presented in the article, some politicians fear that companies will ONLY start using digital signatures and that some won't be able to "read the fine print" since they don't have internet access.

Correct me if I'm wrong here....If you were going to purchase something online, and agree to sign a contract digitally, then wouldn't you already be able to access all the fine print (via secured web site, physically printing the contract, secure e-mail, etc.)?

How and why some of these people get elected to any office is absolutely flabbergasting!

Uh, oh (2)

walnut (78312) | more than 14 years ago | (#1546122)

While this is progress, I'm not sure if this is progress forward (at least at this time). IMHO, this suffers from the same fundamental flaws as online voting:

1. The general public does not understand the implications of sharing a password with a friend.
2. Without forcing restrictions on the rights of the internet citizens as a whole (bad idea), it becomes extremely difficult to enforce violations of this (i.e. someone from some other country impersonates you).
3. Script-kiddies ('nuff said)
4. In reference to warranties: (I'm going out on a limb) The ability to alter/change electronic information after the fact, a-la "Rising Sun" (maybe a 1 1/2 star movie) may be easier for companies rather than deal with "problems".
5. Sending things to people via a digital signature (as opposed to certified mail) relies on the receiver being able to keep a copy of it in case of a hard drive crash.
5b. Windows (controlling over 80% of the market - mac included) Crashes - lots.

Well, try not to tear it completely apart... but that's some of the flaws I see.

Re:Ugh...more e-mail (2)

bgeiger (42769) | more than 14 years ago | (#1546123)

I agree.

Even as a 17 year old (with no credit card) I can see the downside to this. Nobody takes the time to read the gnat tracks at the bottom of any contract anyway....

I like having a dead tree version, signed by a human (preferably, or one of those autopen thingies). Then again, with about $5 (US) in my checking account....

As a side note, can we do SOMETHING about this color scheme? Brown and pea-soup green? Ugh... I think I'm gonna hurl.

I'm confused and I don't think I am the only one (2)

Randy Rathbun (18851) | more than 14 years ago | (#1546124)

Now, this thing says all these politicos and corp types are all fired up in supporting this, and they give a lot of reasons why - but where are the reasons from the consumer groups and the White House?

Yes, I think digital signatures rule also - but before I run and call my congressman, I want to know what reasons the opponents are giving - just having sound bytes is not enough.

In other words, this news story absolutely blows chunks...

Is the technology defined? (3)

bill_mcgonigle (4333) | more than 14 years ago | (#1546125)


Good digital signatures would be good. Bad digital signatures would be bad. This seems like common sense, but there are vendors out there claiming they have digital signaturing without even having some basic features, like non-repudiation.

I use PGP for signing, but you've got no guarantee that I own the key with my name on it. Anyone can submit a key with any name to the public servers.

I don't see this being feasible without a big agency to certify algorithms and issue keys reliably. Big agencies are bad, and artificially impose geographic limitations on the 'net.

Otherwise you have to implicitly trust everybody, and then who cares about signatures?

Someone needs to think of a better private solution.

Wake up Billy-Boy, it's 1999! (3)

Fish Man (20098) | more than 14 years ago | (#1546126)

Everyone knows that pen and ink signatures are easily forged. It isn't conceivable that electronic signatures would be any less secure or certain in this respect.

When someone forges your pen and ink signature, the solution is to swear under oath before witnesses, that the forgery in question is indeed a false signature. The solution to a forged electronic signature would be the same.

I really don't see a significant difference security or privacy-wise.

For all the lip service that the White House pays to being pro-technology, it is so often obvious that they really don't have much of a clue.

Remember, Al Gore invented the Internet! :-P

Furthermore, anyone who was leery of electronic signatures has no obligation to use them. They can just use pen and ink signatures instead!

This is an idea whose time has come. We're about to enter a new millennium for cryin' out loud! Bill Clinton endlessly reminds us of this fact. He needs to actually live it!

Texas (1)

parc (25467) | more than 14 years ago | (#1546127)

On a little side note, in August it became legal to digitally sign some legal documents in Texas. Digital signatures were not defined in detail in the law, but it's there.

Authentication (1)

Chalst (57653) | more than 14 years ago | (#1546128)

How does the bill handle the problem of authentication? I am not keen on the idea that I might be legally bound by a spoofed signature, so how does the law ensure that signatures belong to who they say they do? It seems to me that in the case of notification this might be a real problem: I might be legally bound by a message that was not preceded by any communication from myself to the issuing company.

Re:appaling! (0)

Anonymous Coward | more than 14 years ago | (#1546129)

moderate this down please - I accidentally deleted some words (the comment is reposted elsewhere)

Re: Opponents? (2)

nero76 (112793) | more than 14 years ago | (#1546130)

It seems to me that (according to the article) the problem with this bill is that it actually does two things;

1) Allows digital signatures as a substitute for written signatures if the consumer agrees.

This is a positive step and is in line with the common sense expansion of the internet as digital signatures are much more reliable than written signatures if sufficient security is implemented.

(See for example the Georgia Electronic Records and Signature Act 1997); and

2) Allows electronic notification in certain circumstances when originally written notification was required.

This is where difficulties arise as although (according to the article) some types of transactions are exempted, the worry is that Mr and Mrs Everybody will sign documents ("just sign here sir - no don't worry about the fine print") which allow them to be notified electronically instead of in writing or even overriding present protective legislation.

It seems to me that according to the article, there was an attempt to remove 2) while keeping 1).

This seems logical to me as no-one seems to have problems with the former, while the latter has some kinks (to say the least) that need to be ironed out.

---

Re:I think it's a good idea, but.... (1)

[Zappo] (68222) | more than 14 years ago | (#1546131)

Here is the part that really ought to make you nervous (the rest is just policy, really):

``Electronic signatures provide a level of authentication that far surpasses the ink signature that has
come to be the accepted standard,'' said Virginia Republican Thomas Bliley, chairman of the
House Commerce Committee. ``Electronic transactions have much less of a chance for human
error and provide for more reliable retention after the initial transaction takes place.''

The implication that digital signatures magically sprinkle improved security on stuff is utterly bogus. While the signature algorithms themselves might be quite secure, there exists *no* acceptable (or even legally recognized) public key infrastructure that provides secure and reliable identification of public keys.

That is, if I give you my public key in person, then you can verify my signatures with confidence. If you just look it up in a directory somewhere, you are really trusting the maintainer of the directory. Who do you trust to link your name with your public key? If that entity turns out to be untrustworthy, you are the potential victim of e.g. man-in-the-middle attacks.

I think that digital signatures are a good thing that should gain legal standing. However, I think that there are significant infrastructure issues that should be resolved first. I did my master's work on electronic voting, which essentially requires little more than electronic signatures. I feel the same way on that subject: someday we should have it, but we need to iron out a *lot* of details.

The number one issue to address is that of educating the public about basic public key cryptography. As far as I'm concerned, it should be taught in grade school. The basics aren't that difficult to grasp, and a public aware of the issues would contain far fewer potential victims than an ignorant one.

Re:I think it's a good idea, but.... (1)

cruise (111380) | more than 14 years ago | (#1546132)

Here's what I'm wondering. Not having much to do with the digital signature software & hardware

As I understand it, just typing your name in the "Sign Here" portion of a document, or clicking the "I agree" button on a web page is enough to represent your digital signature.

Re:Ugh...more e-mail (1)

particle77 (24860) | more than 14 years ago | (#1546133)

Actually if a clause in a contract really bothers you it's almost always possible to find someone else who offers the same service with a different contract. However if you don't bother to read contracts thoroughly before signing them, then you deserve whatever you get.

Re:Offtopic..... (1)

FreeUser (11483) | more than 14 years ago | (#1546134)

It's not the brown that's icky, it's the pea green. Brown and YellowChiffon might have been nice, though ...

Re:Ugh...more e-mail (2)

mattsouthworth (24953) | more than 14 years ago | (#1546135)

Additionally, email addresses aren't as static as postal. Sure, people move, but short of that you're not going to stop getting snailmail because of nonpayment to an ISP. I've had the same email address for 5 years, but if the ISP tanks what can I do? Unless the guvm'nt wants to gaa-run-tee us an address...

What do I think? (2)

Signal 11 (7608) | more than 14 years ago | (#1546136)

I think that our government just made finding a way to easily factor primes a lot more important.

In other news *cough* unrelated news, a friend of mine has a program that uses a genetic algo to reverse-engineer formulas... which will be released under GPL once we get the client/server protocol stuff done (that's my job!) ala distributed.net. I'm rather hopeful that we'll be able to extract a factoring algo from it within several months' time. No, I don't have a link, no I won't release any info on it, and no, you can't have the source until the bloody thing works and we get a patent on it. =)



--

Re:yet again politicians fail to add 2 + 2 (1)

Beede (105094) | more than 14 years ago | (#1546137)

Correct me if I'm wrong here....If you were going to purchase something online, and agree to sign a contract digitally, then wouldn't you already be able to access all the fine print (via secured web site, physically printing the contract, secure e-mail, etc.)?

Okay, you're wrong.

Here's what I'd do if I was a company. I'd say "gee, here's a way to avoid notification costs, and also to screw people by not notifying them!" I'd have the legal department add a notice in the standard contract agreeing to digital notification. Most customers would just sign it without question, because no one reads those contracts anyway (at least people are always amazed when I do). The one percent that complained would be told that "it's just a formality--they don't notify anyone by email." I'd then provide a really inconvenient method for customers to receive email (i.e., an email-only Decwriter in one location in the metro area). Whatever would just barely meet whatever standard is mentioned in the law. And finally, I could do whatever I wanted so long as I sent email to myself first that would never be read.

Of course, I'm sure no business would ever try to screw their customers....

Re:I dunno (0)

Anonymous Coward | more than 14 years ago | (#1546138)

How, exactly?

Re:Ugh...more e-mail (1)

interiot (50685) | more than 14 years ago | (#1546139)

On the other hand, electronic fine print lends itself more to grepping.

Which could lead to tricky wording on their part such as "The rent charged for borrowed money will be doubling in 15 days."

But really, I don't think any large well-known companies would try to pull something like this. It's the same way with credit cards on the 'net: Don't deal with small untrustworthy companies.

Re:Am I missing something? (1)

interiot (50685) | more than 14 years ago | (#1546140)

Won't electronic receipts be fairly easy to doctor up?

As easy as doctoring up someone else's digital signature...

I assume the receipts would be signed with the company's private key so you could view it but not change it.

Possible Problem: Protocols (3)

Christopher B. Brown (1267) | more than 14 years ago | (#1546141)

The problem that may be a quite legitimate cause to reject the bill is if the bill merely requires using "hopefully secure signatures," but does not require that secure protocols be used for transmission.

For instance, if an "end of warrantee" notice is made legally binding merely because the company sending it used digital signatures, this is tremendously wrong, as it provides no mandate that said signature actually come to me, the one holding the product they're trying to end-of-life.

In order for this to work, there needs to be some equivalent to a "two phase commit;" the signature is not valid until I respond back, indicating by sending a digitally signed response that signs their signature that I have received it.

This sort of protocol is something banks doing transfers will doubtless be willing enough to set up; in order for it to be usable with consumers, some proxy that is able to manage the "sign-and-send-back" part is needed. The Post Office might be a good candidate; they have the infrastructure for not-dissimilar verification of receipt of mail that comes when you send something "registered."

If the legislation doesn't offer such "secure protocols," then I would agree that it is a real bad idea. Of course, I don't know this; all that we are seeing is highly-predigested evaluations...

Exactly; Is Strong Encryption Required? (1)

ToastyKen (10169) | more than 14 years ago | (#1546142)

Just as you've said.. it'd be horrible if weakly encrypted signatures are allowed, giving ample opportunity for forging.

But then, do I really expect the government to require strong encryption on something? :P

colors and such (0)

Anonymous Coward | more than 14 years ago | (#1546143)

This color is horrible but it fits the recent spate of pointless articles that have nothing to do with tech...UGLY... I will still REQUIRE all my notices in print...you can do what u want but as far as I am concerned no printed signature no sale...AND I still win with VISA...no signature no sale...The contract I signed with VISA requires a signature...even electronic purchases truly violate the contract and I have gotten several items for free that way :) Too many times VISA has called me and asked did you take a trip to CAIRO, as $2000 worth of charges just surfaced there, or a book store in Scotland...it is easy to fake this stuff and leaves consumers with little or no recourse...NOT this KID :)

Re: Opponents? (1)

RobNich (85522) | more than 14 years ago | (#1546144)

They seem to like to bundle in multiple issues that may be somehow related. I seem to remember a few other bills that were opposed because of one particular issue on it, while the rest of it was good. Other issues have passed, but had an item appended to them that caused problems down the road. My thought is this:

They can cause a bill to not be passed by appending an issue that is worse than if the bill is not passed, in order to keep the bill from passing.

They can append issues that otherwise would not be passed, to a bill that will pass, thereby making law something that no one wants.

By 'they' I wonder who I'm speaking of. "The man?" Hmmm.

Re:Ugh...more e-mail (1)

Anonymous Coward | more than 14 years ago | (#1546145)

It looks like they're allowing companies (not human persons) to substitute "proof of transmission" for "proof of reception".

That's hardly a good thing for the humans.

What if your virus checker discards their notice because it's infected?

I think that trees should be converted into boats, not junk mail, but legal notices are not junk mail.

-----

Brown? !

Re:I think it's a good idea, but.... (1)

interiot (50685) | more than 14 years ago | (#1546146)

I'm wondering what the possibility of forgery is

Check out this page about public key stuff [isoc.org] .

It uses public and private keys (like PGP does)...

You encrypt a one-way hash of the confirmation message with your private key. The one-way hash results in a number that's a couple bytes long that represents the message you're sending. If you put your name and date in the confirmation message, someone can't just copy the letter and put their name in (or just alter the date) because that'd make the message result in a different hash. They can't correct the hash because it's encrypted with your private key, which (hopefully) nobody but you knows. Everyone can read the message by decrypting it with your public key, which proves again that you signed it.
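Added example, not part of any comment in this thread: a Python sketch of the hash-then-sign scheme interiot describes above, extended with the signed acknowledgement Christopher B. Brown proposes under "Possible Problem: Protocols", where a notice only takes effect once the recipient has signed the sender's signature. It uses unpadded textbook RSA with toy keys built from publicly known Mersenne primes and SHA-256 as the one-way hash, so it shows the mechanics only; every function name and the sample notice are constructed for illustration.

```python
import hashlib

E = 65537  # conventional RSA public exponent


def toy_keypair(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes 2**k - 1.

    These primes are public knowledge, so the key is trivially breakable;
    it exists only to make the arithmetic runnable without a crypto library.
    """
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)              # (public key, private key)


def digest(message: bytes) -> int:
    """One-way hash of the message, as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message: bytes) -> int:
    """'Encrypt the hash with the private key' (textbook RSA, no padding)."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Recover the hash with the public key and compare it to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def issue_notice(company_priv, text: bytes) -> dict:
    return {"text": text, "sig": sign(company_priv, text)}


def receipt_payload(notice: dict) -> bytes:
    # The receipt covers the notice text AND the company's signature over it,
    # so it cannot be detached and reused for a different notice.
    return notice["text"] + b"\n--company-sig--\n" + format(notice["sig"], "x").encode()


def acknowledge(consumer_priv, company_pub, notice: dict):
    """Recipient's half of the exchange: sign only a notice that verifies."""
    if not verify(company_pub, notice["text"], notice["sig"]):
        return None
    return sign(consumer_priv, receipt_payload(notice))


def notice_takes_effect(company_pub, consumer_pub, notice: dict, receipt) -> bool:
    """Proof of reception, not just proof of transmission: both signatures must verify."""
    if receipt is None:
        return False
    return (verify(company_pub, notice["text"], notice["sig"])
            and verify(consumer_pub, receipt_payload(notice), receipt))


# Constructed sample data (hypothetical parties and notice text).
COMPANY_PUB, COMPANY_PRIV = toy_keypair(521, 607)
CONSUMER_PUB, CONSUMER_PRIV = toy_keypair(1279, 2203)
NOTICE_TEXT = b"Warranty on unit #0000 ends 1999-12-31. Signed: Example Corp, 1999-11-10"


def demo() -> dict:
    notice = issue_notice(COMPANY_PRIV, NOTICE_TEXT)
    # Someone edits the date but can only reuse the old signature.
    altered = dict(notice, text=NOTICE_TEXT.replace(b"1999-12-31", b"1999-11-15"))
    receipt = acknowledge(CONSUMER_PRIV, COMPANY_PUB, notice)
    return {
        "genuine_verifies": verify(COMPANY_PUB, notice["text"], notice["sig"]),
        "altered_verifies": verify(COMPANY_PUB, altered["text"], altered["sig"]),
        "effective_without_receipt": notice_takes_effect(COMPANY_PUB, CONSUMER_PUB, notice, None),
        "effective_with_receipt": notice_takes_effect(COMPANY_PUB, CONSUMER_PUB, notice, receipt),
        "receipt_reused_on_altered": notice_takes_effect(COMPANY_PUB, CONSUMER_PUB, altered, receipt),
        "consumer_acks_altered": acknowledge(CONSUMER_PRIV, COMPANY_PUB, altered) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Verification here only proves the holder of a given key signed; whether that key really belongs to the named company or consumer is the separate key-distribution problem raised elsewhere in the thread.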

Re:Ugh...more e-mail (0)

Anonymous Coward | more than 14 years ago | (#1546147)

>But really, I don't think any large well-known companies would try to pull something like this.

Thanks, I really needed a good, hard laugh to start my day off.

Old news in Utah (1)

RickyRay (73033) | more than 14 years ago | (#1546148)

I believe we were the first place in the world to allow digital signatures. Our governor has an amazingly high emphasis on anything computer-related (especially surprising considering the fact that he reminds me of Dan Quayle ;-).

Re:Ugh...more e-mail (1)

ToastyKen (10169) | more than 14 years ago | (#1546149)

However if you don't bother to read contracts thoroughly before signing them, then you deserve whatever you get.

Really.. I think it's completely reasonable that most people do not want to read every last paragraph in every one of the agreements we see every day.

This concerns me... (2)

jd (1658) | more than 14 years ago | (#1546150)

Strong cryptography is being cracked down on, and may even become illegal for residents IN the US. At the same time, "digital signatures" are now legally recognised.

With no means of carrying out strong authentication on a signature, or strongly binding the signature to whatever is being transmitted, it would be impossible to verify if the signature is genuine.

Neither Novel, Good Nor Bad (2)

werdna (39029) | more than 14 years ago | (#1546151)

A copy of the House Bill [loc.gov] is available on-line.

Electronic signatures are almost certainly "valid" (that is, legally enforceable as signatures) under the common law of every state (except perhaps, Georgia, which has some renegade case law regarding facsimile transmissions), just as signatures using other non-pen-to-paper technologies have been for centuries. The Statute of Frauds has not, for example, excluded typewritten or telex printing of names, shaved initials on the hide of a cow, impressions of a footprint cast in sand, and so forth. This legislation is not necessary, but it is helpful for a conservative lawyer to be able to rely on statutory law rather than inviting their client to be the first one to litigate these new fact patterns.

In short, the law does not require more than a physical fixation of an intent to authenticate -- a ceremony if you will. A signature does not need to be non-repudiable to be valid -- I could mark "Mickey Mouse" or "X" at the end of a document and be bound, if it can be shown that I intended to authenticate the document when I made the markings.

On the other hand, good commercial sense ordinarily precludes the use of or the accepting of such "alternative" signatures, even if they are legal, for the simple reasons that they create tremendous difficulties in proving authentication when push comes to shove.

The decision to accept an "X" from a literate contractor when closing a deal involving zillions of dollars would be foolish, and we would ordinarily ask them, politely, to sign the document by writing their name. When a shaved cow is offered, in anticipation of the difficulties of getting the critter into the courthouse -- we smile, thank them, and offer them our pen instead.

It's all about choice. The question is, who shall make the choice whether we use ink, pen-on-paper, crypto or typewriters: the individuals using the signatures, or the government?

Two distinct views are prevalent in state electronic signature legislation: a minimalist statute that simply says that electronic writings are writings and manifestations of authentication of the writings are signed writings, leaving it to the market to decide (such as Florida's Electronic Signature Act [gate.net] ); and more protective bills, which only validate signatures using certain technologies, such as asymmetric encryption (Utah).

The bill passed by Congress is a minimalist bill, like Florida's (apparently patterned after the present draft of the Uniform Electronic Transactions Act). It is neither good nor evil, IMHO, but can be very helpful for encouraging certain types of transactions.

TRUE, it makes an e-mail of the form:

Bob, I agree to buy 100 widgets at $500/widget, FOB TAMPA -- ship immediately. /S/ Alice

a valid memorandum for statute of frauds purposes (the statute of frauds requires signed writings memorializing certain kinds of contracts as a precondition to their enforceability). But so what? That is almost certainly already the law anyway!

Whether Bob or Alice would agree to do business in that manner should be up to Bob and Alice. Of course Bob should be concerned that Alice might later repudiate the transmission, and must be concerned about how he can "prove up" (should it be necessary) the signature in court. On the other hand, who should make the choice as to what technology, if any, Bob should accept, Bob or the government?

Either Way (1)

Anonymous Coward | more than 14 years ago | (#1546152)

I have two concerns with digital signatures.

First is that I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.

The second reason is the boiler-plate issue. I am concerned that there is no way to verify digital boiler-plate contracts. Many consumer contracts have been scrutinized by the consumer-rights folks, so I feel confident that I can sign without having my lawyer review it. It can be fraud to represent a contract as boilerplate when it is not, but who wants to go through that?

Re:Ugh...more e-mail (0)

Anonymous Coward | more than 14 years ago | (#1546153)

Yeah, and what if your e-mail server thing is using the RBL and they have blacklisted the relay agent that the company has used to send the mail to you? --fish.

Here's the difference: (1)

walnut (78312) | more than 14 years ago | (#1546154)

- Forge a check and I lose $50 bucks
- Forge a letter and more than likely, a notary will get you off.
- Forge a document and more than likely it will be caught (lengthy court possible, but usually a notary can tell)

Now:
- Forge a digital signature and:
Have my credit card statements ( anyone been to www.discover.com, or www.visa.com, or www.....)
Have my credit card numbers
Purchase a 35'ft replica of a viking ship on E-Bay
(as the thief) Claim that someone has stolen your identity and may try to get back in touch with (whomever) doles out the digital sig... thus making things long and hard

Yes, you have no obligation to sign all of your documents with your digital signature, but tell that to the people who send you stuff regardless. Remember: whether you choose to use something or turn a blind eye to it doesn't mean it exists...

It's like wrapping a towel around your head so the alien won't eat you... funny, good in a kids story, but not practical.

Re:I dont know about you but... (1)

interiot (50685) | more than 14 years ago | (#1546155)

Privacy and security will *never* be guaranteed on the net, get used to it.

Nor will they *ever* be guaranteed in real life. Someone could tap your phone... or use a tempest device to read your monitor. As far as security goes, a nuclear bomb could drop on you at any time (no physical security could prevent this (unless you own an EKV? But that won't stop hundreds of nukes that are coming for you...)).

There are certain inherent risks in everything that you do. Using a long enough key can lower those risks, it's up to you to decide if it's worth it compared to what you gain.

Bits/Strength/Collisions (0)

Anonymous Coward | more than 14 years ago | (#1546156)

On the one hand, the US President has consistently opposed legislation to promote the public use of stronger cryptographic tools.

Excuse me for my ignorance, but if someone signs a message with a small-bit-size private key, how easy would it be to decrypt? And how does this relate to the birthday effect with hashes, does this have any impact?

Cheers.

Let's educate ourselves on this. (3)

kickahaota (112048) | more than 14 years ago | (#1546157)

Rather than speculate about what this bill will or won't do, let's take the time to read it for ourselves. Like all the other bills working their way through Congress, the text of this bill is available at the Library of Congress' THOMAS server [loc.gov] . Here's the full text of the bill [loc.gov] ; that link may or may not work when you read this, since the URLs on THOMAS do have a habit of changing occasionally. If the link fails, then go to THOMAS' home page [loc.gov] , type "HR 1714" in the 'Search by Bill Number' box at the top of the page, and do the search. In the list of bills that appears, choose 'HR 1714 EH'; that's the current version, at least as I'm writing this.

A few personal comments after reading the bill:

  • Like many other Congressional bills, this one contains lots of contradictory paragraphs and "Notwithstanding paragraph b..."; it takes a very careful reading to figure out what it does and doesn't do, and I'm personally still not sure I've got it figured out. This alone gives me reason to distrust it.
  • In order for an electronic document to satisfy a requirement that a consumer be informed of something in writing, the consumer must first be informed that electronic notification may be used, and the consumer must agree to that "by means of a consent that is conspicuous and visually separate from other terms". Furthermore, the consumer can withdraw consent at any time. This doesn't seem bad to me.
  • A consumer is still allowed to claim that notification was never given or that an electronic signature isn't the consumer's, just as a consumer can claim that a document was never mailed or that a physical signature is a forgery.
  • States are allowed to pass laws modifying the use of electronic signatures within their states; however, there are restrictions on their ability to do that, and those restrictions seem extremely muddy to me. Lots of potential for arguments and Supreme Court action here.
  • If a notification is "necessary for the protection of the public health or safety of consumers", then the notification cannot be only electronic, even if the consumer has consented.
  • A will still cannot be electronic. Those probate lawyers are a conservative bunch, I guess.
  • Court orders and notices still can't be electronic. All those lawyers are a conservative bunch.
  • Notices about the cancellation of utility service, foreclosure of a home, or cancellation of health or life insurance can't be electronic-only.

Overall, I wish that it were written more clearly, but it doesn't seem onerous to me.

Re:Ugh...more e-mail (0)

Anonymous Coward | more than 14 years ago | (#1546158)

This is a purely unfounded concern.

It looks like they're allowing companies (not human persons) to substitute "proof of transmission" for "proof of reception".

Actually, unless the consumer protection laws themselves are being re-written, which is not mentioned in the article, it would be far easier to prove receipt in court for an email: ISP server logs.

OT: colors (2)

Brian Knotts (855) | more than 14 years ago | (#1546159)

3) What the hell is wrong with the colors on this message? No offense to whosever idea this was, but the usual green and white looks much better.

I think this is the color scheme for the "Your Rights Online" subsection that this article belongs to. It has its own color scheme, like "Ask Slashdot" does.

I agree; the colors don't fit. Especially with the green/white Slashdot logo at the top.

--
Interested in XFMail? New XFMail home page [slappy.org]

The article was negative? (1)

The Wing Lover (106357) | more than 14 years ago | (#1546160)

I must have missed something... As far as I could tell, the article was fairly balanced and presented both sides of the issue.

Or were you expecting any article written about digital signatures to be gushing and adoring without presenting any of the negative aspects?


- Drew

Re:I'm confused and I don't think I am the only on (1)

substrate (2628) | more than 14 years ago | (#1546161)

In other articles (sorry, no references right now) it mentioned that the danger was that consumers could be tricked into accepting electronic documents because the acceptance could be buried in a contract the same way other things are buried in the fine print. In other words the bill was two parts 1) digital signatures are valid 2) digital contracts and amendments from companies are valid.

The original alternative only covered 1) digital signatures are valid but was squashed mightily. A democratic provision 3) any agreement that the consumer will accept digital documents must be highly visible and separate was also killed.

Re:Ugh...more e-mail (1)

CPol (112725) | more than 14 years ago | (#1546162)

Really.. I think it's completely reasonable that most people do not want to read every last paragraph in every one of the agreements we see every day.

If you live in the US you have to read the fine print on every piece of paper that you sign otherwise you're just inviting anyone to mess you up royally. Just check the case with the Danish student who got mugged and the hospital decided to pull the plug on him and take all his organs for donation, just because he didn't read the fine print on the insurance agreement. Apparently his parents tried to sue the hospital but failed because the insurance agreement said the decision to pull the plug was up to the hospital.

Re: Opponents? (1)

MikeFM (12491) | more than 14 years ago | (#1546163)

USPS is more reliable than email? In what universe do they live?! Why kill trees just to send somebody junk mail they won't read anyway. It'd seem to me the easiest way to handle this would be just a requirement of notification within 30 days of the fact but not within 24 hours and require the person being notified to verify they received the item. That way they could use any means they wanted as long as they got a reply or made a reasonable effort at doing so. Still who really needs idiot proofing as law? Let idiots hang themselves if they like. I vote for an object oriented replacement for bills. Why don't we require each little bit be in its own section that can be selected or deselected on its own. Or even provide several options that could be voted for on given sections. Polymorphisms kind of. Woo!

Choice, Security, & the Other Part of the Bill (2)

Valdrax (32670) | more than 14 years ago | (#1546164)

I disagree with your assertion that we will have the choice not to use them. In five or so years, it is easily conceivable that some businesses will only take digital signatures since, as you say, they are supposedly harder to forge than pen & paper signatures. I can see certain credit card companies, insurance companies, and e-commerce companies doing this.

You say that digital signatures are harder to forge, but we have all seen article after article on Slashdot talking about breaking crypto. How long until your digital signature is cracked? Someone can simply keep a bunch of signatures that they've snooped on file until such time as they can crack them and then use them freely. Remember, digital data can be perfectly copied without errors. Your signature may be "forged" perfectly without any evidence that it is not genuinely your signature. There will be no more court experts in forgery to save you.

What the President and consumer advocates object to, however, is not this whole issue about the signatures themselves. It's the provisions that certain kinds of notification which must currently be delivered to you in writing will be able to be delivered to you electronically. This means that some people will not be able to get that notification and are no longer protected by getting it in writing. This is what some parts of the industry want and what consumer advocates are all against.

There's a quick little sanity check I do on any of these articles when I hear about them. When businesses are all over a bill and consumer advocates are against it, it usually means that we're about to get screwed if it passes. Always find out why. Bills in Congress almost never involve just one thing. They always let a law that only certain special interests want ride on the back of a law everyone wants to get it passed since it wouldn't be passed normally. It's an attempt to get another law in favor of big business passed with a law that helps everybody.

Using the proposed amended bill would be smarter? (1)

nero76 (112793) | more than 14 years ago | (#1546165)

If the bill (I haven't seen it - anyone have a URL?) was designed simply to recognise digital signatures then this would be a positive step - the idea is the same as past legal recognition of photos, photocopies, faxes, phone communications, audio and video recording devices etc.

Of course these forms of technology can also be forged, but they are still useful as evidence of legal transactions.

The problem seems to be that (according to the article) the bill goes further and allows digital signatures to replace written signatures in some circumstances causing possible consumer protection problems.

It seems that the first bit is good and the second bit is bad. The proposed amended bill seems to split these up and just have the first (good) bit without the second (questionable) one.

---

Re:Ugh...more e-mail (2)

kickahaota (112048) | more than 14 years ago | (#1546166)

"Oh, but wait, you say! The consumer has to agree to this! So, now when you sign up for something like this, Agreement 2, Section 9, Paragraph 12, Sentence 48 specifically says that you agree to electronic notifications. Come on...since when have you gotten to negotiate the fine print on a contract with a big corporation?

That's an excellent point, but there's a couple of things that should be mentioned here:

  • Under the terms of the bill, the consent to electronic notice has to be "conspicuous and visually separate from other terms"; it can't be something that's slipped into the middle of a paragraph somewhere.
  • "Stealth changes" like the ones you're describing are nothing new; a number of credit card companies are particularly fond of stuffing things in their bills that look like advertisements but that are actually changes to the agreement. Of course, there are some unique consumer threats to the electronic approach; instead of hiding the changes in a larger message like you're describing, a company could send a notification in a way that made it look like spam (complete with the email header format that spam-mailer software usually uses), hoping that the consumer's spam-filtering software would filter it out and that the user would never even see it.

Re:Ugh...more e-mail (1)

hadron (139) | more than 14 years ago | (#1546167)

Wow, that sounds remarkably like corporate murder. Do you have a link for that?

Where I think the system breaks down (3)

Just Some Guy (3352) | more than 14 years ago | (#1546168)

There's at least one critical point where esignatures are different from their real-life counterpart:

Everyone over the age of five has a real-life signature.

Let me explain why this is a problem by providing a true analogy.

A certain bank (who shall remain nameless) [bankofamerica.com] has a pretty nice online banking setup. The hole, though, is in their online signup procedure. How do you prove that you are indeed you? You simply provide your social security number, one of your account numbers (it doesn't matter which one), and your bank card number. For those of you less paranoid than myself:

  • A lot of people have their SSN printed on their checks for convenience, so if someone writes you a check, then you have two of the three required identifiers.
  • If they happen to also pay you with a bank card, then voila, you're three-for-three.

Think of all the places where people are likely to have used both checks and check cards, such as grocery stores they frequent, motels they're staying at, etc. Now, think of how much the employees who handle your financial information actually get paid. Nervous yet? Good!

Here's the fun part: once J. Random Minimum-Wage has all three of your identifiers, they can do you the additional service of setting up your online banking for you. Keen, huh?

Until the day you decide to take the leap and start using the service yourself, your accounts are compromised, and you've never noticed.

To tie this in to the topic at hand, I wonder what sort of proof you'll have to offer to establish an esignature? If I decide that it's pretty likely that you'll never use yours, what's going to stop me from setting it up for you?

Now, multiply this scenario by the number of people who don't have the slightest contact with computers, and I think we might have a problem.

Did you think that "The Net" was creepy? Wait until I create the esignature you never bothered with and use it to sign for a few credit cards.

Re:Ugh...more e-mail (1)

Priestess (30745) | more than 14 years ago | (#1546169)

email addresses aren't as static as postal.

Really? I've had two Email addresses in the last, erm, six years or so since I first got online and during that time I've moved house about 10 times. I think it probably depends on things like whether you buy or rent and if you're prepared to switch cities for the sake of a job. I haven't lived anywhere longer than 2 years since I left my folks' house and most places I've only stayed at for six months.

not going to stop getting snailmail because of nonpayment to an ISP

Whereas if you stop paying your rent they don't throw you out?

Pre.....

Re:Georgia (1)

nero76 (112793) | more than 14 years ago | (#1546170)

Georgia (as of last time I checked - sorry if I'm wrong) has specific digital signature legislation - one of the first pieces of digital signature legislation created.

The Georgia Electronic Records and Signature Act 1997 recognises digital signatures (s.5) and sets out actions for unauthorised use of a digital signature.

This seems to me to be a good example of how this sort of legislation should be created (ie keep the recognition of signatures but discard the problematic notification/consumer protection problems)

---

THE TRUTH! (3)

MindStalker (22827) | more than 14 years ago | (#1546171)

http://thomas.loc.gov/cgi-bin/query/D?c106:1:./tem p/~c106rV3Xiy::

Text of the bill that deals with private transactions (the rest of it deals with federal government accepting digital signatures, which is exactly the same wording .. read it for yourself anyways)


SEC. 7. NATIONAL POLICY PANEL FOR DIGITAL SIGNATURES.

(a) ESTABLISHMENT- Not later than 90 days after the date of the enactment of this Act, the Under Secretary shall establish a National Policy Panel for Digital Signatures. The Panel shall be composed of government, academic, and industry technical and legal experts on the implementation of digital signature technologies, State officials, including officials from States which have enacted laws establishing digital signature infrastructures, and representative individuals from the interested public.
(b) RESPONSIBILITIES- The Panel shall serve as a forum for exploring all relevant factors associated with the development of a national digital signature infrastructure based on uniform standards to enable the widespread availability and use of digital signature systems. The Panel shall develop--
(1) model practices and procedures for certification authorities to ensure the accuracy, reliability, and security of operations associated with issuing and managing digital certificates;
(2) standards to ensure consistency among jurisdictions that license certification authorities; and
(3) audit standards for certification authorities.
(c) COORDINATION- The Panel shall coordinate its efforts with those of the Director under section 3.
(d) ADMINISTRATIVE SUPPORT- The Under Secretary shall provide administrative support to enable the Panel to carry out its responsibilities.
(e) REPORT- Not later than 1 year after the date of the enactment of this Act, the Under Secretary shall transmit to the Congress a report containing the recommendations of the Panel.


All this does is create a panel to investigate, and start their recommendations within a year. Sounds like the opposition just sees that there is a potential for problems as described and wants to specifically make it illegal for those provisions to happen. But the whole thing isn't even formed yet!!

Re:I dont know about you but... (2)

Zoltar (24850) | more than 14 years ago | (#1546172)

Well.. there is nothing wrong with being careful, but you are at a bigger risk when you give your credit card to a waiter/waitress at your favorite restaurant than when you send it encrypted over the net.

Has everyone forgotten? (2)

Anonymous Coward | more than 14 years ago | (#1546173)

That it has NOT been proven that current methods of cryptography cannot be 'cracked' in less than exponential time? What happens when our entire infrastructure is based on this mathematical ignorance and we finally figure out how to factor large numbers in linear or even constant time? The fact that almost no one knows this (I've never seen it mentioned anywhere except number theory books) means that society is absolutely not prepared to be 'wired.' I'm worried.

Re:Ugh...more e-mail (3)

MikeBabcock (65886) | more than 14 years ago | (#1546174)

I don't know where you come from, but I've been begging companies to send me my information by E-mail instead of paper form for a long time now. Why should we live in an "almost paperless" society working with computers and generate paper to communicate all the time?

I use electronic banking on the Internet to pay my bills and I shop online for books and movies as well. I don't like getting spam in my mail (physical) or in my E-mail, but the E-mail stuff is easier to delete ... and I don't have to take out the garbage afterward.

And why, pray tell, do you think that the fine print will change on contracts just because they're sent electronically? Most people don't read the Xerox contract when they buy a new fax machine that states "New shall be defined as any new or used or remanufactured part that Xerox deems suitable for sale" ... I'd just rather have an electronic version of my warranties to file on floppy (or ZIP) than paper versions lying around somewhere.

I hope other Slashdotters are with me on this one, or we're a bunch of digital hypocrites.

- Michael T. Babcock <homepage [linuxsupportline.com] >

Re:Offtopic..... (1)

Dman33 (110217) | more than 14 years ago | (#1546175)

All I can say is "Hey! I just got wall-to-wall carpet, man! Yeah, like, it is pea green shag!"
On a serious note; I do like the color schemes, but I think that the Slashdot logo in the upper-right of the screen should match with the scheme for that page. Tealish blue-green clashes very badly with browns and yellows.

Re:Ugh...more e-mail (1)

CPol (112725) | more than 14 years ago | (#1546176)

Sorry, saw a documentary about it on Swedish television about 2 months ago.

just curious... (0)

Anonymous Coward | more than 14 years ago | (#1546177)

Would this also apply to those porn sites that say, "Under penalty of by clicking "Enter" I agree that blah, blah, blah..."

Or did I misunderstand the bill completely?

Re:Where I think the system breaks down (1)

Overt Coward (19347) | more than 14 years ago | (#1546178)

I've used electronic/online banking with two banks and they both did it the same (correct) way. After applying for access, I received a temporary PIN code via snail mail to use on first connection (along with account number, etc.).

Sure it's a bit slower, but it's a lot safer. I would imagine that to get a valid digital signature, one would have to go through a notary-type service where you show proof of ID to a licensed individual, who then signs the key you provide and submits the signed public key to the centralized registry.


--

Re:Ugh...more e-mail (1)

wesmills (18791) | more than 14 years ago | (#1546179)

I don't know where you come from, but I've been begging companies to send me my information by E-mail instead of paper form for a long time now.

I like getting information electronically as well. My CC provider (Aria [aria.com] ) is good at this, and it's a handy feature. However, I do worry greatly about the potential for abuse. Warranties generally do not change, neither do home loan documents generally change. But credit card notices, bank notices, etc, are things that I receive on almost a bi-monthly basis. I do not want them to have the out to (whether the law says it's legal to or not) hide stuff or send it in a fashion that is as unreliable as electronic notification is.

Unreliable? Yep, it is. My mailbox out front, or my PO box, is not prone to flatly refusing to receive anything for long periods of time. My computer, after my wonderful kid pours coke down the insides, is. Say I receive perfectly valid notice that, unless I do A-B-C, my card will be cancelled. How am I supposed to respond to this if my electronic receiving device is unavailable? Yes, the postal service loses letters, but not nearly as often as I've lost e-mail due to freak occurrences of Operating System Nature. (FWIW: Yes, I run Linux.)

--------------------

Re:Ugh...more e-mail (1)

wesmills (18791) | more than 14 years ago | (#1546180)

Under the terms of the bill, the consent to electronic notice has to be "conspicuous and visually separate from other terms"; it can't be something that's slipped into the middle of a paragraph somewhere.

Oops, you're right. However, where is the protection that says, unless I initial RIGHT HERE, they can't send my notices electronically? My point is, where is the "opt-in," the choice to receive electronic notices or not. Sure, they are required to tell me that I'll be receiving them this way, same as they are required to tell me that my late fee is now $400, if they so choose, but either way, there is no method for me to say "No, I don't want this."

I wouldn't have such a big problem with this if they (Congress) were able to structure the notification requirement in such a way that it couldn't be made a fundamental part of the contract. Instead, it would have to be a separate choice made after you agreed to the "primary" contract and wouldn't adversely affect you either way. (i.e. CC can't tell you the next time you send in a payment, "sign here to receive electronic notices or your card gets cancelled.") That's probably not going to happen because it gets into the murky waters of affecting a company and/or individual's right to do business the way they choose.

/me thinks it'd probably be better to leave this out until we either a) work out a more equitable solution or b) corporations become more trustworthy. :)

--------------------

Re:Either Way (3)

Overt Coward (19347) | more than 14 years ago | (#1546181)

I don't trust the infrastructure enough to assure me that the document can't be modified after the fact.

A "digital signature" in a PKI system is actually an encrypted hash of the message, along with timestamp info. With a good PKI system, such as PGP, it is improbable enough to be considered impossible to create a substitute message that will generate a duplicate hash result. Therefore, if the message is altered in any way (intentionally or not), the signature check will fail due to the modified hash result.

The PGP manuals are an excellent source of information not just on PGP, but on cryptography in general and PKI systems in particular.
--
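The tamper check described in the comment above, as an added example that is not part of the original post: a hash-then-sign sketch in which the signature binds a timestamp and the message, so altering either one, or copying the signature onto another document, makes verification fail. The key is a deliberately insecure toy built from two publicly known Mersenne primes with no padding; the function names, contract text and timestamps are constructed for illustration.

```python
import hashlib

# Toy RSA key (assumption for illustration only). Both primes are well-known
# Mersenne primes, so anyone can factor N; real systems use random secret
# primes and a padding scheme such as PSS.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                              # public modulus (about 648 bits)
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def _payload(message: bytes, timestamp: str) -> bytes:
    """Bind the timestamp to the message with a length prefix so the two
    fields cannot be shifted into each other."""
    ts = timestamp.encode("utf-8")
    return len(ts).to_bytes(2, "big") + ts + message


def _digest_int(message: bytes, timestamp: str) -> int:
    """SHA-256 of the bound payload, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(_payload(message, timestamp)).digest(), "big")


def sign(message: bytes, timestamp: str) -> int:
    """'Encrypt' the hash with the private exponent: this is the signature."""
    return pow(_digest_int(message, timestamp), D, N)


def verify(message: bytes, timestamp: str, signature: int) -> bool:
    """Recover the signed hash with the public exponent and compare it with
    a fresh hash of what was actually received."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == _digest_int(message, timestamp)


def demo() -> dict:
    # Constructed sample data.
    contract = b"Alice agrees to pay Bob $100 on delivery."
    stamp = "1999-11-10T12:00:00Z"
    sig = sign(contract, stamp)

    return {
        # Untouched document and timestamp: check passes.
        "original": verify(contract, stamp, sig),
        # One character of the amount changed after signing.
        "altered_text": verify(b"Alice agrees to pay Bob $900 on delivery.", stamp, sig),
        # Same text, different claimed signing time.
        "altered_timestamp": verify(contract, "2000-01-01T00:00:00Z", sig),
        # A perfect bit-for-bit copy of the signature attached to another document.
        "copied_to_other_doc": verify(b"Alice agrees to buy a viking ship.", stamp, sig),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> {'valid' if ok else 'REJECTED'}")
```

A copied signature still verifies against the exact document it was made for, which is why replay protection depends on what the signed payload contains (here, the timestamp) rather than on the signature being uncopyable.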

If DVD's can be copied... (1)

Squeeze Truck (2971) | more than 14 years ago | (#1546182)

Why couldn't a "digital signature"?


We all know this, anything that's digital can be duplicated perfectly, it's just a matter of time. Digital Signature Piracy (DSP) anyone?


My pen and wet ink signature is still far superior in this respect.

This is just the first step. (1)

Ky'dishar (104865) | more than 14 years ago | (#1546183)

It doesn't specify what the "digital signature" is. It just says they can be used. Basically it says that digital contracts using digital signatures can be made legally binding if all the parties involved mutually agree on the exact form of those signatures.

Actually there are a whole bunch of other details as well, but that's one of the important points. Have a look at the bill itself. [loc.gov]

Re:Opponents? (1)

DustStorm (112660) | more than 14 years ago | (#1546184)

How can you support this? Think of the implications!

There are already people out there that don't leave their house if they really don't need to. And do you think this is going to make things better? People need social contact, sun light, etc. and they aren't going to get it sitting in front of a computer all day.

Besides that, what do you think is protecting those signatures? Probably the most popular is going to be PGP for the layman. Is this enough? Don't think so with a max of a 40-bit key for a layman with a buddy that thinks he knows what he is doing.

How about M$s' PPTP. It's one of the weakest protocols I've ever seen.

Some talk of making the internet more secure and then things like this get done. And we wonder why systems get cracked.

With such poor security, how easy is it going to be to hijack a signal?

Re:Where I think the system breaks down (2)

Just Some Guy (3352) | more than 14 years ago | (#1546185)

After applying for access, I received a temporary PIN code via snail mail to use on first connection (along with account number, etc.).

I wouldn't have any problems with that, aside from the possibility of someone watching my mailbox for the letter (and that's a little too paranoid even for me). However, this bank doesn't work like that. After you submit the information, you're asked to create an 8-digit numeric ID, and then a password. After that there is no additional authentication.

Silly ... Internet FUD (1)

john187 (32291) | more than 14 years ago | (#1546186)

It amazes me how two things that are so similar that they are almost equivalent, can be seen as not only different but helpful in one case, and harmful in another.

If I read a disclosure over E-mail, it's exactly the same as snail mail, and the failure rate for snail is, I would guess, higher than the failure rate for delivery of E-mail, but even if it wasn't that's my choice...

This bill is so you can sign up for something, and receive disclosure information online, it doesn't mandate it.

If you are afraid of the Internet and what will happen to your disclosure CHOOSE snail instead.

*sigh* progress is overwhelming, people are underwhelming.

John

Re:Or... (1)

Danse (1026) | more than 14 years ago | (#1546187)

Maybe spammers learn to disguise their crap as electronic legal notices from various vendors.

Re:What do I think? (1)

Simon Tatham (66941) | more than 14 years ago | (#1546188)

I think that our government just made finding a way to easily factor primes a lot more important.

Err, factor primes?

I do not think that means what you think it means...

yeah, but how safe is your squiggle? (2)

Hobbex (41473) | more than 14 years ago | (#1546189)


In general I think that opposition to digital signatures is the harmful kind of technophobia. It seems that people are ready to read a million problems into the system of signature when computers are involved, but at the same time they are completely comfortable with a system where you authenticate yourself by drawing a squiggle?

From a security engineer's perspective, conventional signatures are insane. They are easy to fake, even easier to get around (how many cashiers even check for a signature on your ID? how many are trained in handwriting recognition? how hard is it to fake an ID? How hard is it to leave a space open on a contract and then print another clause onto it?) The fact that I can be accused of having signed something just because somebody could draw a squiggle like mine: now that is a rights violation if you ask me.

Yes, there is reason for healthy skepticism on any system like this, after all the American government has a bad track record with both crypto and consumer rights. But DSA signatures have stood up until now, and there is little reason to believe they will be broken (they work a lot like other asymmetric cryptos). As a whole however, a truly functional system for digital signatures is an amazing blessing: a way to be truly, mathematically, sure that nobody can fake your signature.

I think that in the foreseeable future, people will think we were insane in basing our entire legal system on a bunch of squiggles...

-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.

Re:What do I think? (1)

Signal 11 (7608) | more than 14 years ago | (#1546190)

Yes, but you know what I mean - two primes, multiply them together, it's hard to factor the result.

--

using a ga for prime factoring (1)

tree_frog (113005) | more than 14 years ago | (#1546191)

I'm not convinced that this is possible; or at least I think it would be extremely hard and dependent upon a really trick GA coding. A GA is basically a parallel search technique that exploits regularities in a fitness landscape. 2 points: 1. In a fitness landscape based upon prime factoring, do such regularities exist. 2. If they do, is the resulting function generalisable (ie will it work with data other than the training/validation data) I think that (1) is quite possibly true, but I'd be extremely surprised if (2) is.

Rising Sun was a 4 star book before it was a movie (0)

Anonymous Coward | more than 14 years ago | (#1546192)

Yeah i know, offtopic, so what =P

Crichton is arguably the best fiction writer of our time =]

Looking At Real Legislation- YES! (2)

Christopher B. Brown (1267) | more than 14 years ago | (#1546193)

Aside: The URL that you gave to the legislation has indeed already expired; someone ought to determine something more precise that invokes the CGI query mechanism. My first draft [loc.gov] doesn't quite work; perhaps someone else can suggest better...

Thank you very much for referencing the real legislation; this is a vastly superior thing to discuss than mere commentaries on journalistic commentaries.

It appears to me that there may need to be a clearer "Opt Out" mechanism; aside from that, the fact that the bill expects that parties

should be permitted to determine the appropriate authentication technologies and implementation models for their transactions
implies (as does other parts of the wording) that both parties to a transaction need to be involved in this determination.

There perhaps needs to be some allowance for there being a period of time during which people don't fully understand the implications of this, and some coherent method for repudiation of such agreement, perhaps modelled after the manner in which consumers are permitted to reject certain sorts of transactions from door-to-door salescritters if cancellation is done in some specified period of time...

Re:Is the technology defined? (1)

mcelrath (8027) | more than 14 years ago | (#1546194)

All you can do with the key system is verify that a person that sent you a message twice has the same private key. As you say, you cannot verify the physical identity of a person without going through some central agency (government or not), which opens a hole for abuses.

In order to implement a digital signature system without a central agency would require a shift in what we think of as a "signature". A secure digital signature could not verify that I am anyone in particular, but only that I am the person (or entity) that opened the account. Of course, this could easily subvert income tracking for individuals and corporations, and could be easily used to subvert tax laws. But then, this will probably happen eventually anyway, as soon as overseas tax-haven banks get a clue and start allowing anonymous accounts accessible electronically.

--Bob

Re:Opponents? (1)

seanb (27295) | more than 14 years ago | (#1546195)

There are already people out there that don't leave their house if they really don't need to. And do you think this is going to make things better? People need social contact, sun light, etc. and they aren't going to get it sitting in front of a computer all day.

People may need these things, but that should be their choice. I don't see why electronic signatures/notifications should be hindered on the excuse that "people should get out more."

Besides that, what do you think is protecting those signatures? Probably the most popular is going to be PGP for the layman. Is this enough? Don't think so with a max of a 40-bit key for a layman with a buddy that thinks he knows what he is doing.

There are good systems and bad systems. The biggest limitation of key-based cryptography today is the simple fact that use is not widespread. This kind of legislation would encourage more widespread use of strong encryption in modern business. This will happen eventually, at some pace. There will be mistakes, and systems will be broken. Overall, however, digital signatures will be effective and convenient.

I believe the best thing about digital signatures is that they are easy to check! While I'm sure a professional could compare handwritten signatures and (with reasonable accuracy) detect a forgery, I'm pretty certain that this has NEVER happened with my signature! I have been able to take a paycheck made out to "Shawn Blakeley" to the bank, sign my nearly illegible "Sean Blakey" on the back, and deposit it into my account!

Digital signatures, in sharp contrast, are EASY to check. Any operation set up to handle digital signatures could take the time and effort to verify EVERY signature they encounter. If this legislation passes, I wouldn't be surprised if, a few years down the road, we see a push for digital signatures accompanying EVERY online transaction, just because it is a cheap, effective verification measure.

Re:Where the system breaks down (0)

Anonymous Coward | more than 14 years ago | (#1546196)

This minute, as we speak, there is a scumbag somewhere cracking a bank's online computer system and stealing account information to sell. (There was a large bust in my town recently of just such a ring, which mostly used modified script kiddie technology to break in more discreetly than your usual script sociopath). With digital signatures, your life is gone--totally and completely ruined--if somebody breaks into a bank (and they are all online) and grabs your personal info. At present, the banks are very hush-hush about this and eat the expense. With a digital signature, IP masquerading, etc., you are going to have a hell of a fight to say that's not my signature and I'm not liable for the acts of the thief who emptied my bank account and maxed out my credit cards--no $50 liability limit, no limits of any kind.

This is like the old "holder in due course" doctrine that was abolished in consumer transactions (largely because of the Bank of America's practices of buying and enforcing the paper California bunko artists got the victims of their home improvement or whatever scam to sign). They used to be able to buy a note from a *known* bunco artist and enforce it with a straight face because they didn't know he was conning this particular person, never mind that he had ripped off 10,000 others in exactly the same kind of scheme. Digital signatures have a lot of implications which very few of the slashdot responses show any awareness of: if you are debating in court over a forged check you maybe have a document authentication expert who will look at the signature (and you may get lucky and find an honest one--they generally work for banks and know how they will get their next paycheck if it comes to that); now imagine you are debating whether a digital impersonator is really you, and how you need experts on cracking, cryptology, IP masquerading and other net trickery, etc., etc. Do you really want to spend $60,000 in attorney and expert witness fees trying to prove that you really didn't run up those $4000 in credit charges which were digitally signed for and really didn't authorize that $40,000 second mortgage on the house (the proceeds of which were electronically transferred to the Bahamas, along with your life savings plus the proceeds of the sale of the 401K you had maintained through the now legal brokerage office at your bank)? The goddamn bank is going to have your life stored up in a computer connected to the net (so you can bank at home, and just because you have an atm card with a four digit password--that's all I get at my bank, thank you--and/or signed a piece of paper to set up an account).

As the saying goes: Thimk! (No, that is not a misspelling.)

Re:If DVD's can be copied... (0)

Anonymous Coward | more than 14 years ago | (#1546197)

A digital signature cannot be copied. It is not like a pen signature that is the same every time it appears. A digital signature is based on the document you are signing; each different document will have a different signature. (Any changes to either the document, or the signature, will be noticed)
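Added example, not part of any comment in this thread: a sketch of the behaviour described above (a different signature for each document, and any change to the document or the signature being noticed). It uses unpadded hash-then-sign textbook RSA with a toy key built from two publicly known Mersenne primes, so it is insecure by construction; the sample documents and all names are constructed for illustration.

```python
import hashlib

# Toy RSA key from two publicly known Mersenne primes (assumption made for
# this example only). Anyone can factor N, so this key protects nothing.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Hash the document to an integer (256 bits, so always below N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Needs the private exponent D: signature = hash(document)^D mod N."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Needs only the public pair (N, E), so any recipient can run it."""
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    # Constructed sample documents.
    lease = b"I agree to rent unit 4 for $900 per month."
    loan = b"I authorize a $40,000 second mortgage."
    sig_lease = sign(lease)
    return {
        # The genuine pair checks out.
        "valid": verify(lease, sig_lease),
        # Signing a different document yields a different signature value.
        "differs_per_document": sig_lease != sign(loan),
        # Lifting the lease signature onto the loan document fails.
        "copied_onto_other_document": verify(loan, sig_lease),
        # Changing one figure in the signed text is detected.
        "document_altered": verify(lease.replace(b"900", b"100"), sig_lease),
        # Flipping one bit of the signature is detected.
        "signature_altered": verify(lease, sig_lease ^ 1),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check says nothing about who holds the private key or whether it was stolen, which is the separate concern raised elsewhere in the thread.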

"what universe" indeed (1)

bumppo (15745) | more than 14 years ago | (#1546198)

USPS is more reliable than email? In what universe do they live?!

... a universe where fewer than half of American homes have computers -- to say nothing about the rest of the world. Don't get out much, do you?

bumppo

Re:What do I think? (1)

Azog (20907) | more than 14 years ago | (#1546199)

... factor primes ...

You know, of course, that factoring primes is really easy. Yeah, yeah, everyone knows you meant factor INTO primes - the hard problem.

So I'm being pedantic today.

Torrey Hoffman (Azog).

Re:Looking At Real Legislation- YES! (1)

kickahaota (112048) | more than 14 years ago | (#1546200)

Excellent comments. For the benefit of those who want to look up the legislation for themselves, here's a link that almost leads to just the right place, and that should be durable: http://thomas.loc.gov/cgi-bin/query/z?c106:H.R.1714: [loc.gov]. That link will display a list of all the versions of the bill; just click on the "H.R.1714.EH" link to get the version that's currently in the House.

Re:Ugh...more e-mail (2)

jilles (20976) | more than 14 years ago | (#1546201)

I have a few problems with your post:

1) you seem to have a double standard: on one side you want people to recognize your electronic signature but on the other side you are not prepared to receive electronic confirmations of stuff you signed. Odd.

2) You use a very primitive email reader (one that only displays ASCII), while this is probably good enough for most applications, the majority of users uses a more advanced mail client (one that allows HTML layout). So from my point of view you're blocking progress by demanding that everything sent to you is in ancient ascii. Really if HTML is such a big problem to you, use an email client with lynx embedded (if it doesn't exist you may develop it yourself) or something but don't bother the rest of the world with whining that you can't read HTML.

That's the part I disagreed with. I do agree with you that this way of notifying leaves too much room for abuse by bigger companies. Email is rather popular these days but many people still don't check their email on a daily or even weekly basis.

Also I have a big doubt about the type of encryption used for the signatures. I don't like the idea that somebody can crack the encrypted signature and can start using my signature. And that is something that is going to happen if they use 56 bit encryption.

Can people "opt out" of the program? (0)

Anonymous Coward | more than 14 years ago | (#1546202)

IMO digital signatures are insecure. I no longer care to hear arguments on this. The point is moot as far as I care, and you'll be wasting your breath. Just give me the power to "opt out" and have it decreed on public file somewhere that all digital signatures are invalid for my name. Then, I will not have to worry about fraud. Just like I can "opt out" of having a credit card. Then, I do not have to worry about my number being stolen by 31337 h4x0rZ because... I never had one to steal.

Remember these reps on election day. (1)

chandoni (28843) | more than 14 years ago | (#1546203)

According to the yahoo article, the bill (with digital signatures and electronic notification of consumers) passed 356-66. As others have pointed out, the latter section would seriously erode consumers' rights. A move to drop the electronic notification section failed 278-126. That's over 200 reps solidly sold out to banks and other large corporations on this issue (among others).

The Christian Coalition [christian-coalition.org] has a great site to keep track of each rep's voting record on issues that concern them, and has many links enabling interested people to contact their reps. Why not the EFF or Slashdot? Before the 2000 (USA) elections, I hope to see Slashdot/ANDN invest some of their upcoming IPO cash in a "Slashdot slate".

JMC

Supporters=Microsoft! EULA is now legally binding! (0)

Anonymous Coward | more than 14 years ago | (#1546204)

Just imagine. Install windows. Before it "activates", it now asks you to "digitally sign" the EULA agreement. No longer can "click yes to agree" remain legally murky, you are now signing a real contract. Make no mistake about it, it's the software publishers (MS in particular) that reeeally want this bad. And MS doesn't care about h4x0rz abusing this system so long as the system works for them. They'll let legislators tweak things later. They just want our souls right now and consumer interests and protections be damned.

I "line item veto" stuf in contracts w Big Co's. (1)

Anonymous Coward | more than 14 years ago | (#1546205)

Credit card apps. Healthcare forms. Asterisks with conditions on checks to be cashed. And I keep copies of everything before mailing it off to whomever. If they issue the credit card, health insurance, or cash the check. I've got them on MY terms. They often process these "standard" forms they mail out to loads of people so fast that they often FAIL to treat them like the real contracts they are and just approve and process them. Oops! But the oops is in my favor this time. If they notice the items crossed out or added on and bitch... fuck 'em... There's only 6.02e23 different other credit cards I can apply for. Heh heh.

not that close to first post!!!! (0)

metawronka (90656) | more than 14 years ago | (#1546206)

not that close to first post!!!!

Re:Where I think the system breaks down (1)

Overt Coward (19347) | more than 14 years ago | (#1546207)

Yeah, US Mail is generally considered "safe". The safest way to do it would probably be to physically go to the bank and provide positive identification. The bank you're describing is just asking for a lawsuit for failing to protect its customers and itself from fraud here.

For a digital signature system, as I've said in another post, you'd want to use a notary system (and I'm sure banks would be a good place to do this) where you have to have your key signed by a certified agent, who then uploads your public key into a public, central repository.
--

If this were 1776 (2)

gad_zuki! (70830) | more than 14 years ago | (#1546208)

John Hancock's digital sig would be 8 megabytes big...

Couldn't resist.

Re:Ugh...more e-mail (1)

wesmills (18791) | more than 14 years ago | (#1546209)

1) you seem to have a double standard: on one side you want people to recognize your electronic signature but on the other side you are not prepared to receive electronic confirmations of stuff you signed. Odd.

Actually, I'd prefer to stick with the pen and paper route, if I so choose. My belief is this: If I sign something in pen and paper, you will communicate with me via paper. If I sign it electronically, you will communicate with me digitally. The problem I have with this bill is it doesn't allow the choice. It says that they have to notify you that you will receive electronic notices, but they don't have to give you the chance to say no unless they want to (and if electronically reduces their costs, they won't want to).

2) You use a very primitive email reader (one that only displays ASCII), while this is probably good enough for most applications, the majority of users uses a more advanced mail client (one that allows HTML layout).

I suspect that users of pine, mutt, Eudora Lite, Pegasus (which may now support HTML) and people with low speed connections heartily disagree with you. I use Outlook Express 5, and can receive HTML messages. However, I also use a cellular modem to download the same messages, and do not want to suck a huge HTML message down a 9.6k straw. My original intent was to point out that not everyone who is "electronic" uses, or even likes, HTML messages, and may not even be capable of receiving them. (Outlook is set to convert everything to text for me)

Email is rather popular these days but many people still don't check their email on a daily or even weekly basis.

And, as I stated earlier, what happens if your computer is down when that all-important notice arrives? I've never had my outside mailbox self-destruct, but I have had my computer lose all traces of my e-mail (which may have arrived before my latest backup).

--------------------

Re:Ugh...more e-mail (0)

Anonymous Coward | more than 14 years ago | (#1546210)

However, where is the protection that says, unless I initial RIGHT HERE, they can't send my notices electronically?

Well, for me anyway, none of my creditors have my email address. I don't see how they can require me to give it to them. And further, I don't see how they could require me to keep that email address if I subsequently chose to close the account.

Or am I missing something here. Is the government soon going to assign us email addresses that we'll keep permanently?


I've had my Freenet address about four years now. The account provides forwarding, so I generally use it as my address for all 'e' communications (I key it in as the return address no matter what ISP I am really receiving my email through). I could never deal with not having an address like that, but I wouldn't want it to be permanently assigned like a Social Security number. My Freenet account is always one telnet session away. It gives me Lynx access to the web if I dial up the local number, too. The Information Superhighway can indeed be accessed through a VT-100 interface...

"It's computerised, so it couldn't be forged!" (2)

Chris Johnson (580) | more than 14 years ago | (#1546211)

"...so forget about swearing that it's a false signature- there's no such thing as a false digital signature!"
"...or email viruses, and anyway as long as you don't open attachments and are sure to use the latest software, you're absolutely safe..."

Sorry man: I don't trust you or your argument. You're drunk on technology, which is great, but it's blinding you, and that's not great. I'm still stubbornly in favor of keeping as many sanity checks and old technologies effective as I can. I use plaintext email and news. I write receipts for computer repair I do on carbon paper receipt pads and have a set of file folders with all my papers organised by year and quarter. I write checks on paper, and sign them with my laborious signature. I _hate_ writing with a pen, always did, but I'm not gonna give it up for you. My checks, for instance, have certain common features all my own- if I draw a slash there is _never_ a 35/100 on it as if it were a fraction, and my signature uses some print characters rather than cursive characters. If I was to use digital signatures I'd be buying them pre-made- probably from Microsoft, as they'd try to kill everyone else in the area. Sorry, no way. I may be a programmer, I may be a geek, I may be totally 'wired' but that doesn't make me a _fscking_ _idiot_.