ASI Communications and Information Policy Committee

For electronic communications to be viable, from both a legal and a business perspective, the messages that are exchanged and the records that are preserved of these communications must satisfy certain legal requirements. While not all of these requirements will apply in every situation, they generally include the following:

• Authenticity
• Integrity
• Nonrepudiation
• Writing and signature

A. Authenticity

Authenticity is concerned with the source or origin of a communication. Who is the message from? Is it genuine or a forgery?

A party entering into an online contract must be confident of the authenticity of the communications it receives. For example, when a bank receives an electronic payment order from a customer directing that money be paid to a third party, the bank needs to be able to verify the source of the request. The bank is faced with the problem of ensuring that it is not dealing with an impostor.

Likewise, a party must also be able to establish the authenticity of its electronic transactions should there ever be a dispute. To accomplish this, that party must retain a record of all relevant communications pertaining to the transaction, and keep those records in such a way that it can show that the records are authentic. For example, if one party to a contract later disputes the nature of its obligations, the other party may need to prove the terms of the contact to a court. A court, however, will first require that the party establish the authenticity of the record it retained of that communication before the court will consider it as evidence in the case.

Integrity is concerned with the accuracy and completeness of the communication. Is the document the recipient received the same as the document that the sender sent? Is it complete? Has the document been altered either in transmission or storage?

The recipient of an electronic message needs to be confident of a communication's integrity before he will rely and act on it. Integrity is critical to electronic commerce when it comes to the negotiation and formation of contracts online, the licensing of digital content, and the making of electronic payments, as well as to proving up these transactions using electronic records of them at a later date. For example, consider the case of a building contractor who wants to be able to solicit bids from subcontractors and submit its proposal to the government online. The building contractor needs to be able to verify the accuracy of the bids upon which it will rely in formulating its proposal. The building contractor is faced with the problem of how to confirm that the bids as received are accurate.

Likewise, if the contractor ever needs to prove the amount of the subcontractor's bid, a court will first require that the contractor establish the integrity of the record he retained of that communication before the court will consider it as evidence in the case. Even a communication that has been transmitted and received with its integrity intact may be accidentally or intentionally altered while in storage.

C. Nonrepudiation

Nonrepudiation is concerned with holding the sender to his communication. The sender should not be able to deny having sent the communication if he did, in fact, send it, or claim that the contents of the communication as received are not the same as what the sender sent if, in fact, they are what was sent. Nonrepudiation is essential to electronic commerce when it comes to a trading partner's willingness to rely on a communication, electronic contract, or funds transfer request. For example, a stockbroker who accepts buy/sell orders over the Internet would not want his client to be able to place an order for a volatile commodity, such as a pork bellies futures contract, and then be able to confirm the order if the market goes up and repudiate it if the market goes south.

Nonrepudiation becomes a legal requirement when the relying party seeks to hold the other party to the deal. The relying party must be able to establish the fact that the other party agreed to the contract and the terms of their agreement.

D. Writing and Signature

In many cases, the law requires that an agreement be both (1) documented in "writing" and (2) "signed" by the person who is sought to be held bound in order for that agreement to be enforceable. Contract law provides that contracts for the sale of goods for the price of $500 or more, and contracts that will not be fully performed within a year, are not enforceable unless there is both a writing sufficient to indicate that a contract has been made between the parties, and that it is signed by the party against whom enforcement is sought.

Numerous other federal, state, and local statutes and regulations also require that a transaction be documented by a writing and a signature. For example, federal government contracts must be in writing and executed, or signed, before the government will consider itself bound. Similarly, many municipal governments have adopted the Model Procurement Code which mandates that the purchase of supplies and services in excess of $5,000 be by formal, written contract.

For contracts formed online, the traditional form of a writing (paper), and the traditional handwritten signature, do not exist. So how can online contracts meet these legal requirements?

(1) The Writing Requirement

When the statute of frauds applies, there must be a writing sufficient to indicate that a contract has been made between the parties. As discussed below, electronic transmissions recorded in a tangible form should meet the writing requirement, although the law is not entirely clear.

The traditional definition of a "writing" is not limited to ink on paper. Rather, the essence of the requirement is that the communication be reduced to a tangible form. As early as 1869, a New Hampshire court found a telegraphed contract to be a sufficient writing under the statute of frauds, stating:

The courts have also found telexes, Western Union Mailgrams, and even tape recordings to be writings under the statute of frauds. Faxes have been assumed (without express decision) to be writings under the statute of frauds. Magnetic recordings of data on computer disks have been held to constitute "writings" for purposes other than the statute of frauds, including under forgery statutes and copyright law.

Electronic messages recorded in a tangible medium should therefore be deemed to satisfy the writing requirement.

(2) The Signature Requirement

Generally, a signature is "any symbol executed or adopted by a party with present intention to authenticate a writing." Thus, a signature need not be ink on paper -- rather, the issue is what the signer intended.

The courts have found many symbols to be signatures under the statute of frauds: names on telegrams, names on telexes, typewritten names, names on Western Union Mailgrams, and even names on letterhead. Faxed signatures have been assumed to constitute effective signatures, under non-statute of frauds cases.

Any symbol or code on an electronic record, intended as a signature, should also meet the statute of frauds requirement. Thus, even a name typed at the end of an e-mail can be a signature, so long as it was made with the proper intent. Digital signatures should also qualify. Both the ABA Digital Signature Guidelines and the digital signature statutes enacted in several states provide that a digital signature will meet any legal requirement for a signature.

Our comfort with traditional commerce can be attributed to the sense (sometimes misplaced) of security that dealing with paper gives us. Although admittedly imperfect, paper-based communications have certain attributes that help them satisfy the legal requirements of authenticity, integrity, nonrepudiation, writing and signature.

For example, the letterhead appearing at the top of correspondence, a company's name and logo appearing on a purchase order or invoice, and a handwritten signature are all examples of ways in which the authenticity, nonrepudiation, and writing requirements can be satisfied for traditional paper-based communications. Similarly, the use of watermarks, chemically-treated or patterned paper or special inks, and unique printing styles or processes also provide assurance that the paper-based communication is genuine and make erasures and alterations easy to detect.

However, we lose these attributes in moving to electronic communications. Electronic records are simply patterns of volts, "ons and offs", that are represented as "ones and zeros". There is nothing inherently distinctive about the ones and zeros that make up an authentic electronic communication that would distinguish them from the ones and zeros that make up a copy, a forgery, or an altered version of that electronic communication. Consequently, changes and forgeries are easy to make, but hard to detect.

Another problem with electronic communications is that it is relatively easy to "spoof" a network into sending a communication with a return "address" of someone other than the actual sender. Messages can be sent anonymously or may bear several forwarding headers with abbreviated or pseudonymous user names making it difficult to determine who sent the message. Even if the authenticity of the communication can be established at the time the communication is received, the ease with which it could be replaced by a convincing forgery makes authenticity a continuing issue with electronic records.

Moreover, paper-based communications are unitary. That is, the message and the medium are transmitted together in a tangible, physical object. Normally, a recipient can be reasonably assured that he received what the sender sent. Electronic communications, by contract, are "disembodied" from a tangible object. This makes them easy to alter.

Compounding this problem is that the opportunity to access electronic communications is great. Communications sent over the Internet pass through potentially dozens of forwarders and packet-switching nodes. Anyone with privileged access at any one of these transfer points can intercept, tamper with, and forward electronic information. Transmission errors can also corrupt the integrity of an electronic communication. Furthermore, a record of that communication could be easily altered while being stored on the recipient's computer system.

The ease with which electronic documents can be altered or forged and the opportunities for unauthorized access to these communications create the related problem of repudiation. A sender, asserting that the document the recipient received is a forgery, could deny having sent a communication and thus having assented to anything. A sender, claiming that a hacker intercepted and altered the communication, could deny that its contents are accurate.

The lack of paper-based indicia of trustworthiness, the immediacy of electronic commerce, and the uncontrolled access to open systems raise a number of practical and legal problems in switching from paper-based to electronic commerce. Information security offers a solution to these problems.

A. Defining Security

Security is both an end and the means to get there. The end is security -- a document that meets the business and legal requirements of authenticity, integrity, nonrepudiation, writing and signature. The means are security measures. For paper documents, these include handwritten signatures, inks, reducing communications to writing, sealed envelopes, and couriers. For electronic documents, security procedures include digital signatures, encryption, acknowledgment procedures, and access controls. Like their more traditional counterparts, these new security procedures will provide significant legal benefits and consequences if properly implemented.

Security measures can be implemented at two levels in an open computing environment: (1) system security and (2) information security.

(1) System Security.

System security refers to the measures that a company itself can take to protect its own computer systems and the records and other information they contain from attack from outside (such as damage that can be caused by hackers, viruses, and natural disasters) and inside (such as damage that can be caused by disgruntled, dishonest, or snooping employees). System security measures include access controls designed to identify and authenticate the user to the system, usage controls designed to limit users' access to systems, databases, and files, and audit controls designed to monitor activity on the system.

Passwords and biometric tokens, such as a retinal or hand scans, are system security controls traditionally used to prevent unauthorized access. As systems are increasingly being connected to open networks, additional access controls may be needed that are specially designed to protect systems from outside attack. One such control is the firewall.

A firewall is software that provides a barrier between an internal network and an external network, like the Internet. Firewalls control all incoming and outgoing communications. If a user on an internal network wants to communicate with another user or server outside, the user's message is actually communicated to the firewall, and the firewall relays the message to the other user or server. Similarly, all outside computers communicate with the firewall which relays the communication to the internal network.

There are many system security measures that can be used in addition to passwords and firewalls; however, a user can employ such system security measures only on the computer systems or networks under its control. It cannot control the security of any outside network that it uses to send or receive messages (such as the Internet).

(2) Information Security

Once digital information leaves a computer system, systemic level security measures do nothing to protect that information while it is passing through an open network or while it resides on a computer system beyond the sender's control. Thus, perhaps the most important security strategy is to protect the information itself. Information or message level security can provide assurances that the digital information, although it can be accessed, is authentic and has not been modified, regardless of where it resides.

Information is protected through the use of a security procedure. A security procedure is a methodology or procedure used for the purpose of (1) verifying that an electronic record is that of a specific person, or (2) detecting error or alteration in the communication, content, or storage of an electronic record since a specific point in time. A security procedure may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgement procedures, or similar security devices.

There are a number of information security measures that can be used to satisfy the legal requirements for electronic communications. The most promising security procedure today is a digital signature.

In many cases, security procedures involve the implementation of sophisticated technology. Digital signatures, for example, are based on public key cryptography. But it is important to recognize that security procedures have legal significance. The first formal recognition of the legal effect of information security procedures occurred in 1989 with the approval of a UCC Article 4A.

UCC Article 4A addresses the electronic transfer of funds by wire. A person who wishes to transfer funds electronically does so by transmitting an electronic message, called a payment order, to his bank. Because that message cannot bear a traditional handwritten signature or other paper-based security measure, information security measures must be used instead. The UCC recognized this and the reality that a bank receiving a payment order needs something objective on which it can rely in determining whether it may safely act on that order. Article 4A modernized the law by providing that a bank could rely on information security procedures as a substitute for the traditional time-tested requirement of a signature. Under Article 4A, an electronic message instructing a bank to transfer funds to a payee is considered valid, and the bank is authorized to transfer the funds in accordance with the order if (1) the bank's customer actually authorized the order or (2) if the authenticity and integrity of the order is "verified" pursuant to a "commercially reasonable" security procedure regardless whether the order was actually authorized by that person.

The bottom line is that Article 4A adopts "security procedures" rather than "signatures" as the basis for verifying transactions and apportioning liability. This establishes an important precedent. Other electronic transactions that employ appropriate security procedures are also likely to satisfy the various legal requirements for electronic communications.

Draft UCC Article 2B also recognizes the legal impact of security procedures, which it refers to as an "attribution procedure." Modeled after the concept of a security procedure used in Article 4A Section 201, an attribution procedure is a procedure that is established by law, regulation, or agreement of both parties for the purpose of authenticating the source of electronic messages and/or to detect errors in the transmission of such messages.

Under Article 2B, when an attribution procedure is used, an enhanced level of legal reliability is attributed to the message. Thus, if two parties have agreed on an attribution procedure, a message is attributable to the party identified as the sender if application of the attribution procedure by the receiving party, in good faith, results in a conclusion that it was sent by the other party. Likewise, to the extent that the attribution procedure is designed for the detection of errors in the message, the sender is not bound to errors relating to material elements if the error would have been detected had the recipient applied the agreed-upon attribution procedure.

Both UCC Article 4A and Draft UCC Article 2B give legal effect to a security procedure that has previously been agreed to by both parties to the transaction. With digital signature legislation, on the other hand, many states are going beyond this position and giving legal effect to security procedures recognized as effective by the statute, regardless of any agreement between the parties.

The first such statute was the Utah Digital Signature Act, originally passed in 1995. The Utah Act provides that an electronic document that is digitally signed satisfies legal writing and signature requirements, and that, in certain cases, its authenticity and integrity are presumed. Washington and Minnesota have also passed similar digital signature legislation.

Also having an influence on legislation are the Digital Signature Guidelines prepared by the American Bar Association Information Security Committee. The Guidelines recognize that the authentication of computer-based business information interrelates both technology and the law. The Guidelines build on the earlier work of similar groups which has supported government action to encourage the use of security techniques to assure the authenticity and integrity of information in electronic form and their acceptance to satisfy legal requirements regarding a writing or signature.

Digital signatures are one of the most promising information security measures available to satisfy the legal and business requirements of authenticity, integrity, nonrepudiability, and writing and signature.

A digital signature is an electronic substitute for a manual signature that serves the same functions as a manual signature and more. It is an identifier created by a computer instead of a pen. In more technical terms, a digital signature is the sequence of bits that is created by running an electronic message through a one-way hash function and then encrypting the resulting message digest with the sender's private key. It looks like an unintelligible string of alphanumeric characters, such as the following:

owHtWX1sU1UUP+91G+22ysbHhDHcBeZAVmq7L9iAuNJ2UuhX2so
USpaufVsftu8tby1kUXTGsGhAgsEY4h9b+EPBgArBGNSELGpiNE
FM5A80xIzEoPiPSEiMRFbPfR/ajW7rlBjR/ZbfO/eed9+599177
j3ndS9CWlcIlqe3Df1w45vqJ85+dZ5hPkywt6uOjb5zYvRmy2dr
FnZKT17a/97n/Tt11d8dNmyvqVl2K7jt8LxfVr9We2jHyk

As the foregoing makes clear, a digital signature is not anything like a handwritten signature. A digital signature is not a digitized image of a handwritten signature or a typed signature such as "/s/john doe." Moreover, unlike a handwritten signature, which is unique to the signer, but presumably consistent across all documents signed, a digital signature is unique for each document signed. This is because a digital signature is derived from the document to be digitally signed. Any change to the document will produce a different digital signature.

A digital signature can serve the same purpose as a handwritten signature in that it may signify authorship, acknowledgment, or assent, among other things. However, a digital signature also serves important information security purposes that handwritten signatures cannot. A digital signature allows the recipient of a digitally signed communication to determine whether the communication was created by the purported signer and whether it was changed since it was digitally signed. That is, a digital signature provides assurance as to the authenticity and integrity of the communication. Because a digital signature provides assurances as to integrity, it is to this extent superior to a handwritten signature.

B. How Is an Electronic Communication Digitally Signed?

Before a sender can digitally sign an electronic communication, the sender must first create a public-private key pair. The private key is kept confidential by the sender, and is used for the purpose of creating digital signatures. The public key can be disclosed generally by posting the key in online databases, repositories, or anywhere else the recipient of the digitally signed message can access it.

To digitally sign an electronic communication, the sender runs a computer program that creates a unique message digest (or hash value) of the communication. The program then encrypts the resulting message digest using the sender's private key. The encrypted message digest is the digital signature. The sender then attaches the digital signature to the communication and sends both to the intended recipient. A digitally signed communication looks like this:

owHtWX1sU1UUP+91G+22ysbHhDHcBeZAVmq7L9iAuNJ2UuhX2soUSpaufVsf
tu8tby1kUXTGsGhAgsEY4h9b+EPBgArBGNSELGpiNEFM5A80xIzEoPiPSEiM
RFbPfR/ajW7rlBjR/ZbfO/eed9+599177j3ndS9CWlcIlqe3Df1w45vqJ85+
dZ5hPkywt6uOjb5zYvRmy2drFnZKT17a/97n/Tt11d8dNmyvqVl2K7jt8Lxf
Vr9We2jHyk

The digital signature process can be made very easy. With a user-friendly software interface, the user may complete the signature process by using a mouse to click on applicable buttons. No special technical expertise is needed to digitally sign a document. The end user should, however, appreciate the legal effects and consequences of digitally signing an electronic communication.

C. Verifying a Digital Signature

When a recipient gets a digitally signed communication, the recipient's computer runs a computer program containing the same cryptographic algorithm and hash function the sender used to create the digital signature. The program automatically decrypts the digital signature (the encrypted message digest) using the sender's public key. If the program is able to decrypt the digital signature, the recipient knows that the communication came from the purported sender, that is, the recipient has verified its authenticity. This is because only the sender's public key will decrypt a digital signature encrypted with the sender's private key.

The program then creates a second message digest of the communication and compares the decrypted message digest with the digest the recipient created. If the two message digests match, the recipient knows that the communication has not been altered or tampered with, that is, the recipient has verified its integrity.

D. Prerequisites for Use of Digital Signatures

The effectiveness of the digital signature process depends upon the reliable association of a public-private key pair with an identified person. The discussion thus far has made one critical assumption. That is, that the public-private key pair of the sender does, in fact, belong to the sender. Any assurance of authenticity would be worthless if the public key used to decrypt a digital signature belonged to an impostor and not the named sender.

Paper signatures usually have an intrinsic association with a particular person because they consist of that person's unique handwriting. However, public-private key pairs used to create digital signatures have no intrinsic association with anyone -- they are nothing more than large numbers. When a recipient obtains the public key of someone from whom he has received a digitally signed communication, how does he know that the public key does, in fact, belong to the purported sender? An impostor could have generated the public-private key pair and entered that public key in public database under the purported sender's name.

The solution to this problem is to enlist a third party trusted by both the sender and recipient with performing the tasks necessary to associate a person or entity on one end of the transaction with the key pair used to create the digital signature on the other. Such a trusted third party is called a certification authority.

5. Certification Authorities

A. Function and Role

A certification authority ("CA") is a trusted third person or entity that ascertains the identity of a person, called a "subscriber" and certifies that the public key of a public-private key pair used to create digital signatures belongs to that person. The certification process generally works in the following way. The subscriber:

1. generates his or her own public/private key pair;

These three steps in the certification process are likely to vary somewhat from CA to CA. For example, one CA may require a subscriber to appear in person before the CA as part of the second step of establishing the subscriber's identity. Another CA may be willing to rely on a third party, such as a notary, to establish the subscriber's identity.

Once the certification authority has verified the association between an identified person and a public key, the certification authority then issues a certificate. A certificate is a computer-based record that attests to the connection of a public key to an identified person or entity. A certificate identifies the certification authority issuing it and the person (called a subscriber) identified with the public key. The certificate also contains the subscriber's public key and possibly other information, such as an expiration date for the public key. To provide assurance as to the authenticity and integrity of the certificate the certification authority attaches its own digital signature to the certificate.

In some cases, the certification authority notifies the subscriber that the certificate has been issued so as to give the subscriber an opportunity to review the contents of the certificate before it is made public. It is important that the subscriber be given an opportunity to double-check the accuracy of the contents of the certificate because the subscriber may be bound by any communication digitally signed with the private key that corresponds to the public key contained in the certificate or held liable for misrepresentations to the certification authority.

If the subscriber finds that the certificate is accurate, the subscriber may publish the certificate, or direct the CA to do so, making it available to third parties who may wish to communicate with the subscriber. A certificate is published by being recorded in one or more repositories or circulated by any other means so as to make it accessible to all intended correspondents. A repository is an electronic database of certificates -- the equivalent of a digital Yellow Pages. A repository is generally available online and may be maintained by the certification authority or by anyone providing repository services. A repository is generally available online and may be maintained by a certification authority or by anyone providing repository services. Repositories are generally accessible to anyone.

Repositories contain other important information as well. If a private key is compromised or lost, such as through loss of the medium on which it is stored or accidental deletion, it is generally necessary to suspend or revoke the corresponding certificate so that others will know not to rely on communications digitally signed with that key. This information is also posted in the repository.

Once a certificate has been published, the subscriber may then append the certificate to any electronic communication. If the recipient wants to verify the connection between the sender and his public key, the recipient can look to the attached certificate for some assurance.

In theory, any one can be a certification authority. This includes federal and state governmental entities, and private persons or entities acting as certification authorities for commercial purposes. For example, the U.S. Postal Service has considered offering services designed to facilitate electronic commerce, including functioning as an all-purpose certification authority. The USPS may be well-suited to function as a certification authority: In transactions between companies or individuals, it is an objective third party with an established reputation for credibility. Through its nationwide network of post offices, the USPS can register public keys for applicants who appear in person. This will enable USPS to provide an added level of security, such as photographs and fingerprinting, to ensure that each registered public key corresponds to a real person not an alias or assumed identity.

The Los Angeles County Superior Court has established a limited-purpose certification authority in connection with an electronic filing and retrieval system that will rely on digital signatures to assure the authenticity, and integrity of electronic court filings. The court will act as certification authority for its own personnel. Private parties authorized by the court will act as the certification authority for attorneys and litigants.

A number of private commercial certification authorities are also currently operating. These include VeriSign, Inc. which issues certificates and provides related services to corporations and individuals for use in digitally signing documents for any purpose, and GTE.

To provide assurances as to the authenticity of a certificate it issues, a certification authority digitally signs each such certificate itself. Anyone can verify the authenticity and integrity of a certificate issued by a certification authority by verifying the certification authority's digital signature using the certification authority's public key.

Note, however, that anyone who wants to verify authenticity has the same problem with the CA's public key as the person does with any other public key. How does the person know whether the public key really belongs to the CA? One answer is that the CA has its public key certified by another, higher-level CA which acts as a certification authority for it. That higher-level CA then digitally signs the certificate it has issued verifying the connection between the lower-level CA and the lower-level CA's public key. The lower-level CA may then make the certificate for its key available to anyone who seeks to verify the lower-level CA's digital signature.

The higher-level CA, in turn, needs to have its connection to a public key certified to by an even higher level CA, and so on and on. This process of higher and higher CAs certifying public keys is often referred to as chaining certificates.

Of course, the chain has to stop somewhere. Where it stops will depend on the importance of a communication to the recipient. Depending on the nature of the electronic communication, the recipient may not bother to verify the sender's signature, much less the lowest level CA's signature. If the communication is of greater importance, the recipient may trace the certificates up the chain till he reaches a certificate issued by a CA he knows and trusts.

Unless they are subject to state licensure and regulation, certification authorities generally do not adhere to any uniform standard or procedures for verifying the identities of persons for whom they issue certificates. Thus, a digital signature is only as reliable as the certification authority is trustworthy in performing its functions. Consequently, a party needs some way to gauge how much reliance it should place on a digital signature supported by a certificate a particular CA issued. For example, if a certification authority verifies identity based on any single piece of identification, the third party might be more cautious in its reliance than it would if the certification authority requires the subscriber to appear in person with a driver's license and passport and to be fingerprinted.

To help recipients of a digitally signed communication gauge their level of risk, the particular procedure a certification authority follows in issuing certificates may be stated in a certification practice statement. A certification practice statement may also include information about the practices the CA follows in its operations and about the details of the security of its system.

Certification practice statements may serve an important function for a certification authority as well. A certification authority that follows its announced practices may be able to avoid a claim that it was negligent in failing to do more to connect a user to a public key.

B. Certificate Revocation Lists

With public-key cryptography, each person has to keep his or her key private, confidential and secure. This is easier than two people trusting each other to keep a key secret, as in conventional cryptography; nevertheless, the security of private keys is a problem. It is inevitable that someone's key will be lost or compromised, either through carelessness or a successful cryptanalytic attack. In addition, there are times -- such as when a person dies; a company goes out of business; or an employee quits, is fired, or transferred to a new position -- when a key may no longer be needed or used. Thus, there will be times when a key needs to be revoked before it expires.

A key is revoked by revoking its certificate. The problem is how to notify people that they should no longer rely on a key. The solution to this problem is the certificate revocation list or CRL. A CRL is simply a database of certificates that have been revoked before their expiration date. A CRL may be part of the repository maintained by the certification authority. If a private key is lost, compromised, or no longer used for any other reason, the corresponding public key and its certificate would be placed on the CRL. Before relying on a public key, a person should verify its status by checking the CRL.

It is possible for a cryptographic key to be compromised even though its holder conscientiously safeguarded it. With a little luck and a lot of motivation, keys can be broken through what is known as a brute-force attack. In a brute-force attack, every possible key is tried until one decrypts the ciphertext. The greater the key length, the longer it takes to try all the possible keys. For example, for a key that is 56 bits long, it would take approximately 10 hours to find the key. For a key that is 128 bits long, it would take 5.4 x 10¹⁸ years to find the key.

Thus, one way to guard against a successful brute-force attack is to use a long key. Another is to change keys periodically.

As with revoked keys, there must be some way to let people know when a key expires. This can be done simply by including a validity period in the certificate for a public key. Anyone who then consults the certificate for that key will know whether it has expired.

Once a key and its certificate expire, the user may create a new key pair and have a new certificate issued for the public key.

Encryption keys generally expire after a relatively short time. This raises a question of how a digital signature can be verified after the public key has expired. For example, if a company enters into a twenty-year lease, how can the integrity of the digitally signed lease be verified when the corresponding certificate has already expired?

One solution is to have the digital signature date/time stamped. The date/time-stamped version of the digital signature could be used years later to enforce the original contract. The date/time stamp would establish the date and time at which the document was signed, and thus establish that at such time there was a valid certificate connecting the signer to the public key.

D. Limits of Liability

A certification authority may be subject to claims for negligence in performing its functions or for misrepresentation in issuing certificates that contain false or misleading information. A certification authority's liability for such claims may be limited either by law or by contract. For example, Utah's Digital Signature Act provides that a licensed certification authority is not liable for any loss caused by a false or forged digital signature if it complied with the requirements prescribed by that law. The Act also limits a certification authority's liability to the amount of any specified reliance limit.

In the absence of a statute, a certification authority may seek to limit its potential liability by specifying such a limit in its contracts with its subscribers. A certification authority may also seek to limit its potential liability to third parties who rely on certificates it has issued by notifying them of such limit in its certification practice statement. Whether such a limit would be enforceable against such a relying party depends in part on whether that party had notice of the limit.

There are typically three parties to a digitally signed electronic communication: the sender of the message (who digitally signs the message), the recipient of the message, and the certification authority who issues the certificate used by the recipient to verify the digital signature. The obligations and responsibilities of each of these three parties have been the source of extensive debate and, in several cases, the subject of legislation. The following summary of the obligations of the various parties is based upon the analysis of these issues set forth in the American Bar Association Digital Signature Guidelines, and the statutory approach to these issues taken in the Utah Digital Signature Act. However, it is important to understand that there is not yet universal agreement with respect to these issues.

A. Signer

When a party to an electronic transaction uses a digital signature, that party undertakes certain obligations and makes certain representations. First, a party digitally signing a document has an obligation to do so using a private key that was generated using a trustworthy system. A trustworthy system is hardware, software, and procedures that:

(1) are reasonably secure from intrusion and misuse;

(2) provide a reasonable level of availability, reliability, and correct operation; and

(3) are reasonably suited to performing their intended functions.

Trustworthiness is in part a question of security. It requires, among other things, the use of system security measures such as access controls, division of duties among personnel so that a single employer could not compromise key pairs or the system without colluding with another employee, and audit procedures. Security measures need only be reasonable, not absolute, under the circumstances.

To the extent that the public key used to verify a digital signature is the subject of a certificate issued by a certification authority, the signer has an obligation to see that all representations made to the certification authority for inclusion in the certificate or use in generating the certificate are accurate to the best of the signer's knowledge and belief. If any information is false or misleading -- or becomes so as a result of future events -- the signer has an obligation to notify the certification authority so that it may be corrected.

If a third party relies on this false information and is damaged as a result, the signer may be liable to both the relying party and the certification authority. Because of this potential liability, a signer is given an opportunity to review and accept a certificate before it is published.

A signer also has an obligation to retain control of the private key, protect it from being compromised, and keep it secret. A signer may lose control over the key by voluntarily disclosing it to someone not authorized to sign on the signer's behalf, by losing the disk, smartcard, or other object on which the key is stored, or by theft. If the signer loses control over the key, the signer may be held liable for any obligations or bills incurred by an unauthorized user. A failure to safeguard the private key can have serious consequences.

A signer may limit his exposure by requesting that the certification authority suspend or revoke his certificate as soon as the signer learns the key has been compromised. Because a certification authority will generally have no duty or ability to monitor either the continuing accuracy of information in the certificate or events (such as loss of a key), that may warrant suspension or revocation, the signer has an obligation to request that the certificate be suspended or revoked (and to stop using the private key to create digital signatures).

A signer also has an obligation to make the corresponding certificate available to the recipient of the communication if the signer expects the recipient to rely on the digital signature. The signer may make the certificate available by publishing it in a repository maintained by the certification authority or a public repository or by attaching the certificate to the communication itself.

B. Certification Authority

A certification authority's primary function is to issue a certificate that verifies the relationship between a public key and a person or entity. That third parties will rely on certificates it issues to verify digital signatures is a given. Accordingly, a certification authority has some level of obligation to verify the identity of the person to whom it issues a certificate, and that the public key listed in the certificate corresponds to a private key held by that person. Otherwise, a recipient of a digital signature who is misled by a certificate into relying on a digital signature may have a claim against the certification authority for misrepresentation.

The amount of investigation a certification authority will undertake may vary according to the purposes for which the digital signature and certificate are to be used. The amount of investigation may be specified by the certification authority in its certification practice statement or by contract between the certification authority and subscriber. State statutes may establish minimum requirements.

In order to limit the certification authority's liability stemming from representations attributed to them by the act of issuing a certificate, a certificate will normally include an expiration date. This helps eliminate liability for claims of reliance on stale information. Upon expiration of a certificate, the certification authority no longer makes any representations as to the expired certificate and is discharged of its duties. A person who relies on an expired certificate and is damaged will have no claim against the certification authority because it was not reasonable to have relied on the expired certificate.

In addition, certification authorities may also include in a certificate other forms of limitations of their liability, such as dollar limits, which are sometimes referred to as reliance limits. A reliance limit is a warning that certificates the CA issues should not be relied on for transactions in excess of a specified dollar amount. Such a reliance limit may also be specified in a certification practice statement or set by a licensing body as a limit on a certification authority's license to issue certificates. If a third party who knows of the reliance limit, relies on a digital signature in connection with a transaction that exceeds the limit, that third party may not be able to recover its losses from the certification authority because it was not reasonable to so rely.

Because of the importance of certificates in electronic commerce, a certification authority must promptly suspend a certificate at the request of the person named in the certificate. A certification authority must have a reasonable belief that the request is authorized, but may not be obligated to confirm the identify of the person requesting suspension. This reflects the reality that many suspension requests will be emergencies in which there will not be time to confirm the identity of the person requesting suspension.

A certification authority also has an obligation to revoke certificates upon request. With revocation requests, however, the certification authority must confirm the identity of the person making the request. Unlike a suspension which can be undone, a revocation is permanent and irreversible. If the subscriber has digitally signed a large number of documents or is itself a certification authority, revoking its certificate could cause monumental problems. Consequently, a certification authority must be more cautious in revoking certificates than in suspending them.

In addition, a certification authority may have an obligation to revoke or suspend a certificate even without the subscriber's request or consent if it is put on notice that certain representations appearing in the certificate are false or if the certification authority's private key or trustworthy system are compromised in a manner that effects the reliability of the certificate.

C. Relying Party

A recipient of a digitally signed communication, or other relying party, does not have prescribed obligations or duties as such. A relying party, for instance, has no duty to examine a certificate to determine whether a key is expired or not. Nor does a relying party have a duty to check a CRL to determine whether a certificate has been suspended or revoked. However, if a relying party fails to do these things or to otherwise verify the signature, the relying party assumes the risk that the digital signature is a fake and the relying party's recourse may be limited.

Although there is no generally accepted, uniform law on the subject, several states have recognized the need to provide the legal infrastructure to support the use of digital signatures. Utah was the first to pass digital signature legislation. Utah's Digital Signature Act establishes a scheme of optional licensure and regulation for private companies, individuals, and governmental bodies wishing to act as certification authorities. The legislation establishes minimum standards that certification authorities must meet in order to be licensed. These standards include things such as minimum procedures that a certification authority must follow in issuing a certificate. The legislation accords to a digitally signed communication, that has been certified by a licensed certification authority, certain legal presumptions and effects that a communication certified by a nonlicensed certification authority does not receive, such as that the communication satisfies writing and a signature requirements and was signed by the subscriber with the intention of signing the message. The Utah Act also addresses the respective duties and liabilities of licensed certification authorities, subscribers, and repositories.

California has also enacted digital signature legislation. California's legislation as originally introduced was very similar to Utah's. The statute that was enacted takes a more limited approach. In that it applies only to communications with public entities, whereas the Utah statute applies to anyone who wishes to use digital signatures.

A more comprehensive effort to address the legal effect of a digital signature has been undertaken by the Information Security Committee of the American Bar Association's Electronic Commerce Division, which has formulated Digital Signature Guidelines. Based on these early efforts, it appears that certain legal conclusions can be drawn about the likely legal effect of using digital signatures.

Digital signatures provide a means to verify the integrity of an electronic communication. Generally, if a digital signature can be properly verified through the use of the corresponding public key, then it will be presumed that the message has not been altered since the digital signature was created.

B. Authenticity

Digital signatures also verify the source of an electronic communication. The recipient knows that the communication is authentic in that it came from the sender because only the sender's public key will decrypt a digital signature encrypted with the sender's private key. Since the public and private keys are associated with an identified signer and are unique to each signer, the key effectively links the signer to the document.

Thus, if a digital signature can be verified through the use of the sender's public key, then it will be presumed that the digital signature was created by the private key corresponding to the public key, and that the digital signature was affixed with the intention of the sender to identify herself as the source of the communication.

C. Nonrepudiation

When the authenticity and integrity of a communication can be established, the sender is prevented from repudiating the contents of the communication or having sent it. The digital signature cannot be forged unless the sender lost control of his private key. The recipient cannot forge a document to herself either. Even if the recipient were to create a digital signature using the sender's public key, the digital signature can only be decrypted using the sender's private key. The same key cannot encrypt and decrypt a single communication.

D. Writing and Signature Requirements

Like paper documents, electronic documents are governed by rules (such as the Statute of Frauds) that require certain documents to be "in writing" and "signed." The general view is that the use of a digital signature will satisfy the signature and any writing requirement.

E. Right to Rely

If a digital signature can be verified by the recipient, then the recipient is entitled to rely generally on the communication, and the sender (the person digitally signing the message) will be bound. However, if the digital signature cannot be verified, the recipient is not required to rely on it for identification of the purported sender, and may not be justified in doing so.

F. New Paradigm Shift

With handwritten signatures, the law provides that a person is not liable for forgeries or other unauthorized signatures. With digital signatures, especially under some of the new and proposed legislation, a person may be liable for messages signed with his or her private key until he revokes his or her certificate. In such case, a person who holds a public-private key pair has an increased responsibility similar to that of a person who signs documents using a signature machine. The person with the machine may not be able to challenge an unauthorized machine-made signature if that person has been negligent in keeping the machine secure. The signer must understand that he or she may be bound by any communication digitally signed with the private key that corresponds to the public key, and will be held liable to anyone who relies on the public key before they key was revoked and is damaged. The result is similar to that in the electronic payments context in which a person who has agreed that a bank may honor a payment order that the bank has verified through the use of commercially reasonable security procedures will bear the loss for a payment that was not in fact authorized. If this potential liability is not enough to cause a person to safeguard his or her private key, the law may impose an affirmative duty on the person to do so.

A wave of digital signature and electronic signature legislation is sweeping across the country. At last count, 46 states have either enacted, or are currently considering, legislation addressing issues raised by digital signatures and/or electronic signatures.

While the level of activity among the states evidences the importance of the subject to electronic commerce, an analysis of the pending and enacted legislation makes clear that there is little consensus on how to approach the subject. Moreover, several states have recognized that the subject requires more study before the appropriate legislative solution can be determined. Accordingly, they have established or proposed commissions, task forces, or study groups to more thoroughly evaluate the problem before promulgating legislation. States in this category include Illinois, where the Commission on Electronic Commerce and Crime has been meeting since July, 1996 in order to develop appropriate digital signature legislation, and Georgia and Oklahoma where legislation establishing study commissions has recently been enacted. Other states where bills to establish task forces were proposed (but not enacted) include Connecticut, Maryland, Nebraska, and North Carolina.

Legislation that has been enacted or proposed addresses two different categories of signatures -- electronic signatures and digital signatures. The more general term "electronic signature" is generally defined as any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with an intent to authenticate a writing. Examples of electronic signatures include a name typed at the end of an e-mail message by the sender, a digitized image of a handwritten signature that is attached to an electronic document, a PIN number, a code or "handle" that the sender of a message uses to identify himself, and a digital signature. Thus, a "digital signature" is a subset of electronic signatures, and represents a unique way to "sign" an electronic message.

Typically, the legislation in each state addresses either electronic signatures (25 states) or digital signatures (15 states), but not both. The only exception is the proposed Illinois legislation, which seeks to thoroughly address issues raised by both electronic signatures and digital signatures. The legislation in Florida, Indiana, Mississippi, and New Hampshire includes definitions of both electronic and digital signatures, but only addresses issues raised by one of the two categories.

In many cases, confusion is also created because the legislation fails to properly distinguish between electronic signatures and digital signatures. Thus, several statutes use the specific term "digital signature" when what is meant is the more general term "electronic signature." States in this category include California, Georgia, Illinois, and Nebraska. Further confusion is introduced by some statutes that use, but make no attempt to define, the subject of the legislation. States in this category include Arizona (digital signature), Connecticut (electronic signature), Hawaii (digital signature), Kansas (digital signature).

In many of the states, the electronic signature legislation that has been introduced is limited in scope to certain types of transactions. These limitations generally fall into two categories.

First, legislation in several states authorizes the use of electronic signatures only for transactions involving government entities. States in this category include Arizona, California, Delaware, Illihois, Indiana, Minnesota, Nebraska, Nevada, Rhode Island, and Texas.

Second, several states have statutes that limit the category or type of transaction in which the use of electronic signatures is authorized. States with statutes in this category include Colorado (UCC Financing Statements), Connecticut (Medical Records), Georgia (Motor Vehicle related documents and tax returns), Iowa (voter registration and prescriptions), Louisiana (medical records), main motor vehicle records), Missouri (reports by candidates for public offices), Montana (filings with the Secretary of State), New Jersey (medical records) North Carolina (health records), North Dakota (tax and motor vehicle registration), Ohio (Medical Records), Tennessee (judical filings), and Wyoming (filings with the Secretary of State).

States with legislation limited to electronic signatures differ on the question of what qualifies as an electronic signature. The current definition of signature in the UCC includes "any symbol made with an intent to authenticate". There is no requirement as to the nature of the mark that qualifies, and indeed, courts have found quite a wide variety of marks will qualify in addition to the traditional handwritten signature. Several states have taken the same approach with respect to electronic signatures -- that is, any form of electronic "mark" on a message can qualify as an electronic signature. Legislation taking this approach includes Colorado, Florida, Illinois, Indiana, Mississippi, New Hampshire, North Carolina, Rhode Island, Texas, and Virginia.

In other states, however, the legislation imposes significant limitations on the type of electronic signature that will be considered legally enforceable. Virtually all of the states that take this position impose the same five requirements, which derive from the California legislation enacted in late 1995. In these states, an electronic signature is effective only if it is: (1) unique to the person using it; (2) capable of verification; (3) under the sole control of the person using it; (4) linked to the data in such a manner that if the data is changed the signature is invalidated; and (5) conforms to regulations adopted by the Secretary of State. This approach is somewhat interesting, in that it requires attributes of security as a precondition to the validity of the signature itself, something not required for paper-based signatures. States that have adopted this approach include California, Georgia, Kansas, and Nebraska.

Of the 46 states actively addressing electronic and digital signature issues, 19 of those states deal specifically with pki-based digital signatures, and the legal infrastructure necessary to utilize digital signatures. Of those 19 states, eight have enacted statutes.

Most of the states that have sought to address the issues raised by the use of PKI digital signatures have concluded that it is necessary for a state agency (typically the Secretary of State) to issue regulations governing the implementation and use of a digital signature infrastructure, and most of those states have also concluded that licensing of certification authorities is appropriate. In all such states, however, the licensing of certification authorities is voluntary, although there are statutorily-granted advantages to the use of a certificate issued by a licensed certification authority. Moreover, all of the PKI digital signature statutes are based primarily on the model initially enacted in Utah, the first state to enact digital signature legislation. The only exceptions are Florida, Illinois, and Mississippi.

Another interesting element of digital and electronic signature legislation is the legal effect of using a signature. All of the electronic signature statutes simply provide that use of an electronic signature on an electronic record will be treated in the same manner as handwritten signature on paper -- that is, it meets applicable legal writing and signature requirements. Thus, the burden remains on the plaintiff to authenticate the signature on an electronic record, a burden that might be some difficult to meet in an electronic environment.

Most of the pki-based digital signature statutes, on the other hand, provide that digitally signed messages, assuming they are properly verified by reference to a certificate issued by a licensed certification authority, will be treated as self-authenticating documents. That is, there will be a legal presumption that the person whose name is associated with the signature is, in fact, the person who signed the document, thereby shifting the burden to the defendant to deny that he or she signed the document.

G. Further Information

A summary of pending and enacted digital signature legislation within the United States and several foreign countries as of March 17, 1998 is attached as Appendix A. A comprehensive summary of, and links to, all state, federal, and international electronic and digital signature legislation is maintained (and updated weekly) at www.mbc.com.

A more detailed summary of all of the enacted and pending electronic and digital signature legislation at the state, federal, and international level, including links to copies of the legislation, is maintained (and updated weekly) at www.mbc.com

Two bills pending in the Alaska legislature would give legal effect to electronic signatures. The bills would provide that electronic signatures could be used in either public or private transactions, but any state agency wishing to accept electronic signatures in the course of its business would be required to adopt regulations governing their use.

Arizona legislation requires the Arizona Secretary of State to accept electronic signatures in connection with documents filed with the Office of the Secretary, and requires the Secretary to approve electronic signatures for use by all other state agencies. The Secretary is required to adopt rules to implement this legislation.

Arizona is currently considering a bill that would amend the above legislation so as to, among other things, specifically require the Secretary to approve the use of digital signatures as well as electronic signatures in connection with documents filed with and by the state's agencies, boards and commissions. The Secretary would also be authorized to coordinate demonstration projects for the purpose of facilitating the use of electronic and digital signatures by state governmental and private entities.

California legislation authorizes the use of electronic signatures in connection with communications with public entities. The Act provides that an electronic signature (referred to as a "digital signature" in the statute) shall have the same force and effect as a manual signature if it embodies the five attributes set forth in the Act.

California has also specifically approved the use of electronic signatures in connection with the electronic filing of certain securities-related documents, certificates of death and certain reports and statements required under California's Political Reform Act.

Currently under consideration in California is a bill that would authorize health care service plans and insurers to accept electronic signatures. Another bill being considered would require the Board of Governors of the California Community Colleges to allow local community college districts to accept admission applications and state residency determination forms to be submitted electronically.

California is currently in the process of adopting electronic signature regulations to allow electronic signatures to be used by public entities in California. The proposed regulations pre-approve two forms of electronic signature technology: public key cryptography and signature dynamics. A final draft of the regulations was issued by the Secretary of State on November 18, 1997 and is now awaiting approval from the Office of Administrative Law.

Colorado legislation authorizes the use of electronic signatures in connection with the electronic filing of UCC financing statements, termination statements and certain other UCC filings. The Act requires that electronically filed UCC statements must contain an electronic signature that complies with the procedures to be adopted by the filing officer with whom the filing is made in order to be effective.

Colorado is currently considering legislation that would authorize the use of an electronic signature in connection with any written communication in which a signature is required or used, provided that such signature complies with certain enumerated requirements. The Secretary of State would be required to adopt initial regulations no later than January 1, 1999.

The Georgia Electronic Records and Signatures Act authorizes the general use of electronic signatures in connection with communications among public or private parties. The Act also authorizes all state agencies to establish pilot projects for the purpose of serving as models for the application of electronic signature technology, and creates the Electronic Commerce Study Committee to study issues relating to electronic records and signatures. (A bill currently being considered would amend the Georgia Electronic Records and Signatures Act to expressly provide for the use of an electronic signature to witness or notarize an electronic document.)

Georgia has also amended its state revenue code and motor vehicle code to expressly authorize the use of electronic signatures in connection with income tax returns and certain documents relating to motor vehicles, provided that the respective oversight authority establishes security measures which assure security and verification of the electronic signature process.

Finally, Georgia is currently considering a bill that would make financial identity fraud a criminal offense. Financial identity fraud would include unlawfully obtaining or recording identifying information which would assist in accessing the financial resources of another person, and accessing or attempting to access the financial resources of another person through the use of identifying information. Digital signatures would constitute a form of identifying information.

Hawaii has a bill currently in legislative committee which would provide for the licensing and regulation of certification authorities by the Hawaii Department of Commerce and Consumer Affairs. To obtain a license, a certification authority would have to be an attorney, a financial institution, a title insurance company or a department or division of the state government, would have to employ at least one notary public, and would have to file a suitable guarantee with the Department of Commerce. The Department of Commerce would also act as a certification authority.

Illinois is currently considering a bill entitled the Illinois Electronic Commerce Security Act. This Act would approve the use of digital and electronic signatures generally in connection with all electronic communications, regardless of whether they occur between public or private parties. Certain electronic or digital signatures meeting the requirements of a "secure electronic signature" would be recognized as possessing enhanced reliability and trustworthiness.

Any person or entity, public or private, could act as a certification authority subject to the Act's requirements. The Illinois Secretary of State would be authorized to establish standards applicable to certification authorities, and would be required to adopt standards for the use of electronic signatures by the State.

Illinois is also considering a bill entitled the Financial Institutions Digital Signature Act. This bill would expressly authorize the use of electronic signatures (referred to as a "digital signature" in the bill) in connection with communications with financial institutions, provided that the electronic signature embodies the attributes set forth in the bill.

Illinois has amended its State Comptroller Act to expressly authorize the use of electronic signatures (referred to as "digital signatures" in the statute) in connection with communications between the Comptroller and state agencies, provided that the electronic signature embodies the five attributes set forth in the statute, including conformance with regulations to be adopted by the Comptroller.

Indiana's Electronic Digital Signature Act authorizes the limited use of electronic and digital signatures in connection with communications with the State and its agencies, but does not apply to the state judiciary, legislature, educational institutions or certain other state offices unless those bodies expressly elect otherwise. Digital signatures may be used in connection with documents received by or filed with the State and its agencies, provided that the digital signature embodies the five attributes set forth in the Act. The State Board of Accounts is required to adopt regulations to implement the Act before July 1, 1998, and to establish and administer a method used by the State and its agencies to conduct authenticated electronic transactions using digital signatures.

Iowa

Iowa has enacted two bills relating to electronic signatures, one amending the Iowa Pharmacy Act to provide for the acceptance of electronic signatures on prescriptions, and the other authorizing the state voter registration commission to establish rules governing the use of electronic signatures on voter registration forms.

Iowa is currently considering enacting the Iowa Electronic Commerce Security Act. This Act is based on the Illinois Electronic Commerce Security Act and would approve the use of digital and electronic signatures generally in connection with all electronic communications, regardless of whether they occur between public or private parties. Certain electronic or digital signatures meeting the requirements of a "secure electronic signature" would be recognized as possessing enhanced reliability and trustworthiness. Any person or entity, public or private, could act as a certification authority subject to the Act's requirements. The Iowa Commissioner of Insurance would be authorized to establish standards applicable to certification authorities, and would be responsible for adopting standards for the use of electronic signatures by government agencies.

Kentucky is considering a bill, entitled the Kentucky Electronic Records and Signatures Act, that would authorize the general use of electronic and digital signatures in place of manual signatures in both public and private communications. Electronic and digital signatures would not be legally recognized, however, in connection with the execution of a will, trust or deed, or in connection with any other record that serves as a unique and transferable physical token of rights and obligations such as negotiable instruments and other instruments of title. The bill would also require certification authorities to register with the Secretary of State.

The Maryland Certification Authority and Digital Signature Act, if enacted, would authorize the use of digital signatures generally and would establish a voluntary licensure program for private certification authorities. The Secretary of State would act as a certification authority for state and local governments, and would act as a certification authority for the private sector if six months were to elapse during which time no private certification authority was licensed in the State under the voluntary licensure program. The Secretary would also be required to adopt regulations for the oversight and licensing of private certification authorities and for the recognition of repositories.

The Minnesota Electronic Authentication Act authorizes the use of digital signatures and applies generally to all electronic communications, regardless of whether they occur between public or private parties. The Act also provides for the voluntary licensing of certification authorities and requires the Minnesota Secretary of State to issue rules governing such licensing. A task force established by the Secretary is currently drafting those rules.

Minnesota has also amended various state code sections to expressly provide for the use of electronic signatures in connection with certain state filings, including income and sales tax returns and motor carrier documents.

Minnesota is currently considering several bills that would amend portions of the Minnesota Electronic Authentication Act. One pair of bills would amend the Act to exempt private keys in the possession of state or local governmental entities from public inspection and copying under the Government Data Practices Act. Another pair of bills would require the Secretary to act as a certification authority (rather than being contingent upon no private certification authority being licensed in the State for six months), and would expressly prohibit a certification authority from holding a private key on behalf of one of its subscribers.

Finally, another pair of bills currently being considered would call for the electronic conduct of state business using digital signatures.

Missouri legislation authorizes the use of electronic signatures in connection with certain reports filed electronically with the Missouri Ethics Commission by lobbyists and candidates for public office "if a means becomes available which will allow a verifiable electronic signature." The legislation also requires the Commission to establish and maintain an electronic reporting system for collecting, filing and disseminating such reports. Proposed amendments to this legislation would add "all other committees" to the list of those expressly authorized to file electronically using an electronic signature.

Missouri is also currently considering enactment of the Missouri Digital Signatures Act. The Act would authorize the use of digital signatures and would apply generally to all electronic communications, regardless of whether they occur between public or private parties. The Act would also provide for the voluntary licensing of certification authorities. The Missouri Secretary of State would be authorized to act as a certification authority and would be required to adopt rules necessary to effectuate the Act.

Another bill currently under consideration would authorize the electronic filing of statements, documents and notices with the Missouri Secretary of State using an electronically transmitted signature, provided that such documents are filed in an electronic format prescribed by the Secretary. The bill would also authorize the use of a "properly authenticated digital signature" to notarize such documents.

Nebraska legislation authorizes the limited use of electronic signatures in connection with electronic seals by persons licensed to practice architecture or engineering, provided that such signatures are "protected with an electronic revision approval system."

Nebraska is currently considering other bills concerning the use of electronic signatures. One bill would authorize the use of electronic signatures (referred to in the bill as "digital signatures") in connection with communications with state agencies. Another would authorize the use of electronic signatures (referred to in the bill as "digital signatures") in connection with any electronic communications in which a signature is required to be used, regardless of whether the communications occur between public or private parties. Both bills would require the Secretary of State to adopt appropriate rules and regulations.

A third bill currently under consideration would authorize county officials to sign warrants using a facsimile or electronic signature. The county treasurer would be authorized to establish procedures and processes for signing warrants.

The New Hampshire Digital Signature Act authorizes the use of electronic signatures in connection with communications with the state and its agencies or instrumentalities. The Act provides that an electronic signature (referred to as a "digital signature" in the statute) shall have the same force and effect as a manual signature if it embodies the five attributes set forth in the Act. The commissioner of administrative services is required to adopt rules necessary to implement the Act.

New Hampshire is also currently considering a bill which would recognize private use of digital and electronic signatures.

New Jersey is currently considering legislation that would allow for the use of electronic signatures to serve as authorization for the release of protected medical records.

New York is currently considering two bills which would authorize the use of digital signatures and apply generally to all electronic communications, regardless of whether they occur between public or private parties. The Act would also provide for the voluntary licensing of certification authorities and require the Department of State to issue rules governing such licensing.

Ohio has enacted legislation that establishes standards for using electronic signatures in connection with records of health care facilities. The legislation provides that health care records may be authenticated by electronic signatures provided that certain conditions are met, including adoption by the health care facility of an appropriate policy permitting the use of such signatures. The legislation is primarily intended to facilitate in-hospital verifications of medical reports, diagnoses and similar administrative documents. The Public Health Council is required to establish protocols for the use of electronic signatures.

Oklahoma has created a Task Force on Electronic Signature Technology to study the technology of and applications for electronic signatures, and to prepare recommendations for legislation. The Task Force was required to submit a preliminary report of its findings and recommendations by December 1, 1997, and to issue a final report by January 1, 1998.

A bill currently being considered in Oklahoma would establish a pilot program for the use of electronic commerce, including the use of digital signatures in state government. Certain state agencies would test the technology in government-to-government transactions and government-to-private entity transactions. The Bill would also provide for the continuation of the Task Force on Electronic Signature Technology (see above) until February 1, 1999.

Oklahoma is also considering a bill that would authorize the use of electronic records and electronic signatures for any purpose and in any transaction, with certain enumerated exceptions such as the creation or execution of a will. Entitled the Electronic Records and Signature Act of 1998, this bill would become effective January 1, 1999.

Effective January 1, 1998, the Rhode Island Electronic Signatures and Records Act authorizes the limited use of electronic signatures in connection with communications among state departments and/or public agencies, and between individuals and entities engaged in transactions or communications with the State.

Rhode Island is also considering a comprehensive bill that would authorize the use of digital signatures and would apply generally to all electronic communications, regardless of whether they occur between public or private parties. The Bill would also require the Division of Public Utilities to serve as a certification authority and to oversee the voluntary licensing of other certification authorities.

Tennessee legislation specifically authorizes courts to implement procedures governing the use of electronic signatures in connection with the signing of pleadings, court orders and other court documents. Tennessee has also amended various statutes defining the terms "record," "writing," "signature" and "signed" to provide for the use of electronic writings and signatures.

Texas has enacted three statutes concerning the use of electronic signatures. One statute amends the Business and Commerce Code to authorize the use of electronic signatures in connection with documents filed electronically with state agencies, subject to compliance with rules adopted by the State Comptroller, State Auditor and the Attorney General. Such electronic signatures must also comply with regulations adopted by the Department of Information Resources.

The second statute specifically authorizes the State Comptroller to establish procedures for using electronic signatures and provides that such signatures shall have the same legal force and effect as a manual signature for purposes of state agency transactions. Finally, the third statute specifically authorizes the use of an electronic signature in connection with the electronic filing of motor vehicle license applications and the issuance of licenses by electronic means.

The Utah Digital Signature Act authorizes the use of digital signatures and applies generally to all electronic communications, regardless of whether they occur between public or private parties. It also requires the Utah Department of Commerce to serve as a certification authority and to oversee the voluntary licensing of other certification authorities.

As required under the Act, the Utah Department of Commerce adopted Digital Signature Administrative Rules effective November 1, 1997. Within a few weeks the Department issued the world's first certification authority license to Digital Signature Trust Company.

Utah has also enacted legislation that authorizes the use of digital signatures by notaries public to acknowledge electronic messages or documents.

Vermont is considering two bills that would authorize the use of digital signatures and would apply generally to all electronic communications, regardless of whether they occur between public or private parties. The bills would also require the Secretary of State to serve as a certification authority and to oversee the voluntary licensing of other certification authorities.

Virginia has enacted legislation to provide legal recognition of the use of electronic signatures by both public and private parties. State agencies may accept electronic signatures in lieu of manual signatures, provided that such signatures meet standards which are to be adopted by the Council on Information Management by September 1, 1998. (A Bill currently under consideration, however, would no longer require the Council to issue regulations, but instead would provide that state agencies can use electronic signatures only if such signatures embody the five attributes set forth in the Bill.)

Virginia is also considering a Bill that would authorize the State Board to implement a system to enable eligible persons to request, receive and file absentee ballot applications electronically through the Internet using an electronic signature.

Effective January 1, 1998, the Washington Electronic Authentication Act authorizes the use of digital signatures and applies generally to all electronic communications, regardless of whether they occur between public or private parties. It also provides for the voluntary licensing of certification authorities.

As required under the Act, the Washington Secretary of State adopted Rules for Implementation of the Washington Electronic Authentication Act in December of 1997.

West Virginia legislation authorizes medical service professionals to use electronic signatures to sign medical care-related documents under the West Virginia Medical Practice Act.

Wisconsin has amended its state code to expressly permit the Department of Administration to accept electronic signatures (referred to as a "digital signature" in the statute) in connection with state construction project contracts, bids and proposals, provided that the electronic signature embodies the five attributes set forth in the statute. The Department is required to promulgate rules to govern the use of electronic signatures and to establish procedures for their verification.

THOMAS J. SMEDINGHOFF is a partner with the Chicago law firm of McBride Baker & Coles and head of the Firm's Information Technology and Electronic Commerce (ITEC) Law Department. His practice focuses on emerging information technology legal issues relating to developing topics such as electronic commerce, the Internet, digital signatures, encryption, multimedia, software, electronic publishing, data security, e-mail, electronic recordkeeping, electronic licensing and distribution, and interactive on-line services.

Mr. Smedinghoff serves as chair of the Illinois Commission on Electronic Commerce and Crime, and chair of the Electronic Commerce Division of the American Bar Association Section of Science & Technology. He is a member of the U.S. Delegation to the United Nations Commission on International Trade Law (UNCITRAL) where he participates on the Working Group on Electronic Commerce that is developing international electronic and digital signature legislation. He is also an Adjunct Professor of Computer Law at The John Marshall Law School in Chicago.

He is also the author of several books on information technology law topics, including: ONLINE LAW: The SPA's Legal Guide to Doing Business on the Internet (Addison-Wesley, 1996), the SPA Guide to Contracts and the Legal Protection of Software (Software Publishers Association, 1996), and Multimedia Law Handbook (Wiley Law Publications, 1995).

ASI Communications and Information Policy Committee