St. Petersburg Times Online: Business

E-signatures face concern along with curiosity

Congress' passage of a bill giving equal weight to digital signatures heightens the debate over security.

By DAVE GUSSOW

© St. Petersburg Times, published June 29, 2000


Even in the digital age, marking an X on a dotted line can pass for a signature.

There's little doubt the X marks a proper signature if someone signs it on a document in a lawyer's office in front of witnesses. But what if someone clicks that X online? In a digital world already infamous for scams and fake IDs, how does one know that the X really came from the right person?

Such questions are gaining attention, and urgency, because of legislation Congress passed this month giving digital signatures the same legal status as those penned in ink on paper. President Clinton has said he will sign the bill, to the cheers of e-commerce companies that think it could mean a big boost to online transactions. In Florida, Gov. Jeb Bush recently signed similar legislation.

Some consumer protection advocates say the prospect of signing contracts online will only encourage scams, privacy violations and identity theft. Those who develop the technology to verify e-signatures say they have methods that work.

"There's already technology that exists that provides a solution to this electronically," said Deanna Anderson, senior director of product marketing at Xcert International Inc. (www.xcert.com) in Walnut Creek, Calif. "And that's called digital signatures."

Congress left the choice of technology open so as not to limit future choices. Among the options: a computer with a stylus so users can physically sign something and it shows up on the screen. And biometric technology that can use fingerprints or eye scans to verify the identity of the person making the electronic signature. But both of those technologies require a user to buy special hardware and plug it into a computer.

The technology likeliest to be widely used is one already developed to provide electronic authentication for digital signatures.

These essentially involve giving someone a digital ID, typically a series of numbers that serve as an individual code. Many companies offer products and services based on this technology, and they formed a consortium, the PKI Forum (www.pkiforum.org), to advocate its use and "increase confidence in deployment."

How does it work? Starting with a definition of PKI helps. It stands for public-key infrastructure. So far, it's a system without one standard, so methods of verification can differ from product to product.

Experts liken it to using a driver's license, credit card or bank ATM card for ID. As the use of PKIs increases, consumers may have a virtual wallet full of these digital IDs, just as their wallets are stuffed with various forms of plastic ID now.

The system can be so technical to explain that even experts refer people to books for explanations. (Adobe has an easy-to-follow tutorial on digital signatures at http://www.adobe.com/epaper/tips/acrsignatures/main.html.)

In a typical PKI system, users have what's known as a public and private key pair. The public key is an identity code that can be shared with other people. The private key is a code number known only to the user. Such a system usually requires the parties involved in the communication to make arrangements beforehand to exchange signed electronic documents.

A user can create this key pair through secure encryption software, or go through a third-party vendor, such as Verisign Internet Trust Services (www.verisign.com) in Mountain View, Calif., and apply for a digital certificate that creates an online ID. Many e-mail programs, including Microsoft Outlook, and Internet browsers include authentication features to set these up.

For example, using Microsoft Outlook Express, a user clicks on the "Sign" icon in the menubar at the top of the screen.

Choosing among several options to create a public-private key pair, a user might go to the Verisign Web site. It offers two months' free service, after which it charges $14.95 a year. The sign-up process includes authenticating the user's e-mail address and asks whether the user wants to be listed in a directory where anyone can look up the "public" key digital ID.

The registration requires little personal information: country, ZIP code, date of birth and gender. Once completed, an e-mail arrives with instructions on setup. The whole process takes maybe 15 minutes.

Only the user knows what his private key is. If he sends an e-mail, he can sign simply by clicking an icon. However, unless the user makes some arrangement with the recipient to let him know the public key beforehand, it might not be immediately apparent that a message has been signed. If someone were to intercept the message and make a change, the signature would no longer be valid, and the missing signature would tip off the recipient that someone other than the signer had tinkered, experts say. Entire messages and documents also can be encrypted for added security, so only the sender and recipient can see the contents.
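The tamper check described above can be reproduced with the OpenSSL command line. This is an added example, not part of the original article: the file names, helper function names and sample contract text are constructed for illustration, and it assumes the `openssl` tool is installed.

```shell
#!/bin/sh
# Added illustration: sign with a private key, verify with the public key.
# File names, helper names and the contract text are constructed.

make_keypair() {   # $1 = directory, $2 = owner name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/$2.private.pem" 2>/dev/null &&
    openssl pkey -in "$1/$2.private.pem" -pubout -out "$1/$2.public.pem"
}

sign_file() {      # $1 = private key, $2 = document, $3 = signature file
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

verify_file() {    # $1 = public key, $2 = document, $3 = signature file
    # Exit status is 0 only when the signature matches this key and these bytes.
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

check() {          # same arguments as verify_file; prints "valid" or "INVALID"
    if verify_file "$1" "$2" "$3"; then echo valid; else echo INVALID; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_keypair "$dir" signer && make_keypair "$dir" stranger || return 1

    printf 'I agree to pay $100 on July 1.\n' > "$dir/contract.txt"
    sign_file "$dir/signer.private.pem" "$dir/contract.txt" "$dir/contract.sig"

    # Someone in the middle changes the amount but cannot produce a new signature.
    sed 's/\$100/$900/' "$dir/contract.txt" > "$dir/tampered.txt"

    sig="$dir/contract.sig"
    echo "original, signer's key:   $(check "$dir/signer.public.pem" "$dir/contract.txt" "$sig")"
    echo "altered, signer's key:    $(check "$dir/signer.public.pem" "$dir/tampered.txt" "$sig")"
    echo "original, stranger's key: $(check "$dir/stranger.public.pem" "$dir/contract.txt" "$sig")"
    rm -rf "$dir"
}

demo
```

Only the first check reports `valid`: changing a single character of the document, or checking against anyone else's public key, makes verification fail.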

In the business world, where electronic signatures have been used for years, larger companies such as banks and insurance companies might set up their own systems and give employees smart cards with the authentication code embedded. In those cases, the user would need a smart card reader or scan device connected to a computer.

Those backing such technology say it's no riskier than using a credit card in a brick-and-mortar store, but they acknowledge it will take a while for consumers to get used to the idea after the new law goes into effect Oct. 1.

"We don't expect a great flash of light and everyone getting a great revelation all at once," said Bob Pratt, director of product marketing at Verisign.

Chanley Howell, a lawyer in the Jacksonville office of Foley & Lardner, predicted transactions such as signing mortgages and car sales will work slowly into the electronic routine of consumers. But some experts predict more resistance by average computer users.

"I don't think consumers are ready" to use the technology, said Jack Moskowitz, vice president of security architecture at eOriginal (www.eoriginal.com) in Baltimore, which focuses on business-to-business transactions. "Some are, techies are, but the majority aren't."

Times news researcher Kitty Bennett contributed to this report.
