Digital Signatures Create New Opportunities For Electronic Commerce
by Tom Melling*
Laws rarely affect the development of new technology. Although the U.S. Justice Department’s antitrust lawsuit against Microsoft may become a high-profile exception, a less well-known example is the enactment of laws recognizing the use of digital signatures. Not surprisingly, Washington state is leading the development of these new laws. On January 1, 1998, the Washington Electronic Authentication Act became effective, making Washington the first state to legally recognize digital signatures.
Digital signature laws such as the Washington Act have the potential of dramatically increasing electronic commerce. Although the Internet has grown at a phenomenal pace, electronic commerce has been slower to develop. The question everyone would like to answer is what are the barriers to electronic commerce, and how can we overcome these barriers. There is not a simple answer because a variety of factors are affecting its development. For example, one barrier may be simply psychological -- it takes time for individuals and businesses to feel comfortable conducting business over the Internet. Fundamentally, however, the barriers to electronic commerce are both technical and legal. Digital signature technology and recently enacted legislation establishing rules governing the use of digital signatures may help overcome these barriers.
Overcoming the Barriers to Electronic Commerce
The challenge posed by an public communication system such as the Internet is the establishment of trust. For example, if you receive an e-mail from someone claiming to be John Smith, how do you know that the person sending the e-mail is in fact John Smith? The truth is that you cannot know for sure. Maybe you know John Smith and he has told you that his e-mail address is "johnsmith@abc.com." Even if you receive an e-mail from that address, it is possible that someone else accessed John Smith’s account, and sent an e-mail claiming to be John Smith. Although this example is rare, it has occurred causing significant problems for the persons involved. Trust is more problematic if you have never met John Smith. Although trust may not be important for using e-mail to chat, it is critical for individuals and companies who want to use the Internet to conduct business.
Existing laws also create problems. Assume you are a business and you receive an order for a variety of parts via e-mail. At the bottom of the order is typed "John Smith". You then ship the parts to John Smith and demand payment. John Smith, however, denies having sent the e-mail. Under our laws, a person relying on a signature has the burden of proving the validity of the signature. This would be relatively simple in a paper-based transaction, because you could show that John Smith actually signed the order (unless his signature was forged). In a paperless transaction, however, the task is much more difficult. It is not clear how you could prove that John Smith typed "John Smith" on the order. You could argue that the e-mail came from John Smith’s account and that evidence is sufficient to satisfy your burden of proving John Smith actually signed the e-mail, but it is unclear how a court would rule in such a case. In any event, few businesses want to take the risk. This issue is legally known as nonrepudiation.
Digital signatures can solve both problems of trust and nonrepudiation. Digital signatures create a means by which a person may verify that John Smith actually signed the e-mail. What is more significant, however, is that digital signature legislation like the Washington Act shifts the burden of proof regarding the validity of the signature. A person relying on John Smith’s digital signature is not obligated to prove that John Smith actually digitally signed the e-mail to be able to legally enforce the offer contained in the e-mail. Instead, the Washington Act provides that John Smith has the burden of demonstrating that in fact he did not sign the e-mail. By shifting the burden of proof, businesses are much more likely to be willing rely on digital signatures to conduct business over the Internet. To better understand how digital signatures can solve the problems of trust and nonrepudiation, it is helpful to describe how digital signatures work.
Understanding How Digital Signatures Work
Many people have the misconception that a "digital signature" is a handwritten signature that is electronically scanned or digitized, and then copied into an electronic document. Although it may be a digitized signature, it is different than the type of digital signature contemplated by the Washington Act. In fact, a digital signature is simply a unique series of characters that is generated for an electronic document.
Here’s how digital signatures work. A person wishing to "sign" an electronic document must first have software capable of creating a digital signature. Companies such as Certco and Entrust produce digital signature software. For electronic mail, Microsoft’s Outlook Express and Netscape Messenger also have digital signature capabilities. The software uses a mathematical function known as a hash function to create a unique identifier for the document. For example, the unique identifier for this article might look something like "3ojf93je8uvnme09u$fed&rdOJjifwDoi." This unique identifier is known as the hash result. Although it is theoretically possible that two different documents could have the same hash result, for practical purposes it is safe to say that each document has a unique hash result.
Although the hash result is a unique identifier of the document, it does not identify the "signer" of the document. Here’s where encryption technology comes into play. A person wishing to digitally sign a document must also have a pair of "keys" known as a "private key" and a "public key." These keys are related to each other through the mathematical principle known as asymmetric cryptography. As stated in the Digital Signature Guidelines published by the American Bar Association, an asymmetric cryptosystem is "a system which generates and employs a secure key pair consisting of a private key for creating a digital signature and a public key to verify a digital signature." The principle feature of this key pair is that although the public key can be used to verify a digital signature created by the private key, it is nevertheless not feasible to determine the private key.
The software uses the signer’s private key to encrypt the hash result for the document. The encrypted hash result for this article would look something like "dljme_E&ioj@sejoecUksfjFD#fgM&@klj." This encrypted hash result is appended to the end of the document, and it is the signer’s digital signature for the document. In summary, it is an identifier that is unique to both the document and the person signing the document.
To verify the authenticity of a digital signature, the recipient’s software also calculates the hash result for the document. Then, using the public key of the signer, the software confirms that the hash result was encrypted (or "signed") by the person holding the private key. If the encrypted hash result can be confirmed, the recipient of the digital signature knows that the document has not been altered, and that John Smith signed the document.
Although digital signature technology makes this process possible, it assumes that the recipient knows the public key actually belongs to John Smith. This is where the Washington Electronic Authentication Act is important. Entities known as "certification authorities" issue certificates that confirm the public key belongs to the person signing the document (in this case John Smith). Thus, these certification authorities act as independent third-parties who certify the identity of the signer.
Washington Electronic Authentication Act
The Washington Act establishes standards for licensing certification authorities. The certification authority must (i) use a trustworthy system in the issuance of keys and certificates, (ii) obtain a bond or other suitable guaranty, (iii) show that its employees have a minimum level of competence and have not been convicted of fraud or a recent felony, and (iv) satisfy annual auditing requirements. Although the licensing requirements attempt to provide some assurances to a relying party that the certification authority is trustworthy, the reputation and financial stability of the certification authority should also be considered before obtaining or relying on a certificate.
Although certification authorities are not required to obtain a license to conduct business in Washington, the Act creates special rules for licensed certification authorities that affects all parties. For example, licensed certification authorities enjoy limited liability under the Act. A person who uses a private key to digitally sign documents is liable for any loss if the person negligently loses control of his or her private key. This is significantly different than federal laws governing the loss of credit cards, which limits liability at $50.
Finally, as discussed above the Act establishes a presumption that a digital signature verifiable to a public key listed in a certificate issued by a licensed certification authority is presumed valid. This presumption is not applicable, however, if reliance on the certificate was not reasonable. For example, relying parties have a duty under the Act to check the certification authority’s repository to confirm that the certificate has not been revoked. There are other factors that may affect the validity of a digital signature or the liability of parties, so all parties should know and understand the provisions of the Washington Act before using or relying on a digital signature. (The Act is codified in Chapter 19.34 of the Revised Code of Washington, and can be found at http://leginfo.leg.wa.gov/www/rcw.htm.)
The Washington Secretary of State is the governmental authority that is issuing licenses to certification authorities. This February, it issued the first license to Integrated Electronic Authorization, Inc., a Washington corporation. Other national certification authorities such as Verisign are reportedly working to obtain a license as well. Although other states have enacted digital signature legislation, Washington is the first to broadly implement digital signature legislation.
Future of Digital Signatures
For electronic commerce to flourish, the transfer of electronic information must be trustworthy and cost effective. The Washington Act opens the door for the widespread use of digital signatures. Initially, the biggest user of digital signatures may be state and local governments. In the near future it will be possible to electronically file documents with Washington state or local government. For example, individuals will be able to file corporate documents, real estate deeds, and court pleadings electronically.
As the use of digital signatures become more widespread, private businesses will also discover the benefits of digital signatures. Some industries may be radically transformed by the ability to simultaneously and reliably transfer information. For example, transaction costs will be significantly reduced for international deals, which will be able to close with the click of a keystroke even though the parties are thousands of miles apart. Because of the opportunities created by digital signatures, Pacific Rim countries are working with Washington state to develop uniform standards for the use of digital signatures.
In this dawn of electronic commerce, Washington state is trying to create new opportunities for electronic commerce by enacting legislation to remove barriers. Ultimately national legislation may be required before digital signatures become widely used, although Washington’s Act may become the model for those national standards.
(NOTE: "Digital Signatures Create New Opportunities For Electronic Commerce" first appeared in the PUGET SOND COMPUTER USER.)
*Attorney, Hillis Clark Martin & Peterson, P.S. Mr. Melling is a member of the Washington Digital Signature Implementation Task Force and is the Vice Chair of the Washington State Bar Committee of the Law of Commerce in Cyberspace. He is also a member of the Information Security Committee of the American Bar Association.