Brad Biddle  (http://bradbiddle.com)
August 26, 2001

[published in Simson Garfinkel, WEB SECURITY, PRIVACY AND COMMERCE (2nd Edition, O'Reilly, 2001)]

A short history of “digital signature” and “electronic signature” legislation

Beginning in 1995 there was a flurry of legislative attention related to "digital signatures."  The state of Utah enacted its Digital Signature Act, which was based on work done by the Information Security Committee of the American Bar Association's Section of Science and Technology. The Utah legislation, which became a model for other legislative bodies, envisioned a public key infrastructure supported by state-licensed certification authorities.

Through 1996 and 1997 the Utah model increasingly came under fire. Critics levied a number of arguments against the Utah approach:

States began considering alternative approaches to digital and “electronic” (non public key) signatures. Massachusetts emerged at the opposite extreme from Utah, with a spare, minimalist approach designed to remove barriers to e-commerce posed by existing law (e.g., unnecessary “writing” requirements) but otherwise letting the marketplace evolve unfettered.

Other states tried to occupy ground between the Utah and Massachusetts extremes. California, for example, enacted a law that permitted electronic signatures in transactions involving state government, if certain security criteria were met. The California Secretary of State was tasked to determine which technologies met these criteria, and enacted regulations that permitted use of public key digital signatures and “signature dynamics,” a biometric technology pushed by a company called PenOp.

In 1998, in response to the wide variety of state laws, the National Conference of Commissioners on Uniform State Laws (NCCUSL) commissioned the drafting of the Uniform Electronic Transactions Act (UETA). After significant debate, the drafters adopted a “technology neutral” approach -- that is, the law does not endorse PKI in any way, and largely follows the Massachusetts model.  NCCUSL adopted UETA in July 1999.  A number of different states subsequently enacted UETA, although some enacted it with significant variances from the “official” NCCUSL version.

Also in response to chaos at the state level, in 2000 Congress enacted E-SIGN, the Electronic Signatures in Global and National Commerce Act.  E-SIGN is substantively very similar to UETA, although it added some consumer protection elements not found in UETA.  Importantly, E-SIGN preempted (superseded) all state laws except state laws that conform to the official text of UETA.  So, Utah-style digital signature laws, which had been enacted in several U.S. states, are now dead and completely replaced by E-SIGN (or a state enactment of UETA, if applicable).  Thus, in the U.S., the law that applies to all e-signatures, including PKI digital signatures, is either E-SIGN (in states that have not enacted UETA) or UETA (in states that have enacted conforming versions of UETA).

The basic rules of both E-SIGN and UETA are quite simple:  if a law requires a signature, an “electronic signature” will suffice – with “electronic signature” defined very broadly to include things like a plain-text typed name in an e-mail or an electronic click on an “I agree” button  (importantly, an electronic signature must be applied by a user with the intent to be bound to a contract.)  Similarly, if a law requires a “writing,” an “electronic record” (a digital copy that meets certain very minimal security criteria) will do.  This approach solves the “signed writing” problem discussed in more detail below, but avoids the pitfalls associated with the Utah model.

The debate that has occurred in the U.S. has been echoed at the international level. The Utah approach initially found favor in many countries.  More recently, however, it appears that the tide may have turned.  After much debate, the European Union enacted an “Electronic Signature Directive” that requires E.U. member states to enact legislation that is substantively similar to the E-SIGN/UETA approach (although the directive also contains some special rules applicable to certification authorities).  Some Asian countries have enacted Utah-style laws, but because this has proven challenging for global businesses that want to engage in e-contracting in those regions, these countries have recently begun considering alternatives.  Latin America, the Middle East and Africa have largely been silent on the issue of electronic signatures.

Electronic contracting – it’s more than just “signatures”!

Because the issues associated with digital and electronic signatures have received so much attention from the legal community, it is easy to miss the fact that signatures are only a small—and often irrelevant—element of electronic contracting.

It may be helpful to first make one point perfectly clear: under U.S. law (and under the law of most countries worldwide, although we won’t attempt a detailed international analysis here) it is absolutely possible to form a contract electronically.  E-SIGN and UETA have helped cement this conclusion, but really this wasn’t a hard question even before these enactments.

Electronic contracting is, fundamentally, contracting.  Contract law fundamentals apply.  Any contract, electronic or not, requires (a) an “offer,” (b) “acceptance”, and (c) “consideration” – some promised exchange of value.  A contract, electronic or not, will not be enforced if a successful defense can be raised: for example, if an element of the contract is “unconscionable” (violates public policy), if one of the contracting parties was too young to create a contract, etc.

Two recent cases where courts declined to enforce electronic contracts provide interesting demonstrations of these principles.  In one case, a judge refused to enforce a license agreement that was presented as a link on a page where users could download Netscape’s SmartDownload software.  Users were not forced—or even asked—to read the terms prior to downloading the software, nor was any sort of “I agree” button presented to users.  The judge, focusing on what he called “the timeless issue of assent,” found that there was no contract, not because of the electronic nature of the circumstances, but because there simply was no “acceptance” of the license terms by users.

In another case, a California judge refused to enforce a “forum selection” clause in AOL’s electronic user agreement, because doing so would deprive a California litigant of consumer protection rules available under California law that would not be available under Virginia law.  To the court the question wasn’t whether the contract was valid due to its electronic nature, but rather whether the forum selection clause violated public policy.

And, for the record, many U.S. courts have enforced electronic contracts.

All this being said, there are two areas where electronic contracting raises some unique issues: (1) “signed writing” requirements, and (2) proof – i.e., proving contract formation, proving what the substantive terms of a contract are, and proving party identity.

“Signed writing” requirements

“Signed writing” requirements have caused a great deal of confusion in connection with electronic contracting – probably unnecessarily.

Most contracts require neither a “signature” nor a “writing” to be valid.  There are a small number of exceptions to this general rule, usually based on a policy of requiring more proof in connection with contracts where there is a higher degree of fraud risk or of high-stakes misunderstanding.  Some examples of contracts that require a “signed writing” are contracts for:

Courts have tended to construe the signed writing requirement very broadly, allowing, for example, fax headers or pre-printed letterhead to serve as a “signature.”  It is likely the courts would have treated e-mail headers or plain-text e-mail signatures in a similar manner.  E-SIGN and UETA have made this question moot, however: as described above, under E-SIGN and UETA “signature” and “writing” requirements are very easily met electronically.

The bottom line is that, despite the conventional wisdom to the contrary, when doing electronic contracting under U.S. law, meeting legal “signature” or “writing” requirements is not a significant issue, particularly in light of E-SIGN and UETA.  (One caveat: E-SIGN has some special rules about “written notice” requirements in connection with certain legally-required consumer disclosures, applicable, for example, to the insurance and banking industries).

Proof

“Proof” issues associated with electronic contracting present some challenging questions.  Imagine the following scenario:

Alice sends Bob a plain-text e-mail that says “Bob, would you like to buy my car for $5000?  Your friend, Alice.”  Bob replies with a plain-text e-mail:  “Yes.  Regards, Bob.”
Alice and Bob have formed a contract.  There is an offer (Alice’s e-mail), acceptance (Bob’s e-mail), and consideration (the promised exchange of car and money).  This is a sale of goods valued over $500, so a signed writing is required; per E-SIGN and UETA Alice’s plain-text “Alice” and Bob’s plain-text “Bob”—or even their e-mail headers—will meet the signature requirement, and the e-mail will serve as a writing.  Let’s assume there are no applicable defenses (both of the parties were capable of contracting, etc.).  The contract law analysis is easy: there is a valid, enforceable contract.

But what if Bob claimed that he never sent the message at all?  Once Bob denies that he sent the message, Alice will have the burden of proving to a court that in fact it was Bob who contracted with her and what the substance of their agreement was.  In this scenario such a burden would be difficult, but not necessarily impossible, to meet.  Alice could, for example, subpoena server logs and determine that the message in fact came from Bob’s computer; she could get testimony from, say, Bob’s co-workers that he was sitting at his desk at the time that the message was sent.  As a practical matter, under this scenario Alice would probably not be inclined to go to such lengths to enforce the agreement.

If Alice thought the risk of being unable to enforce the contract was too high, she could demand a more robust form of authentication from Bob.  For example, she could require that Bob sign his e-mail with a digital signature created with a key pair certified by a commercial CA.  Note that use of a digital signature would not change the contract law analysis: digital signature or not, Alice and Bob have a contract.  But use of a digital signature may make Alice’s job of proving the contract easier, and make Bob’s denial less credible.
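The mechanics behind that stronger form of proof, as an added illustration that is not part of the original essay: a stand-in "commercial CA" certifies that a public key belongs to Bob, Bob signs the exact bytes of his reply with the matching private key, and Alice (or later a court's expert) checks two things: that Bob's certificate chains to a CA she trusts, and that the signature matches the message as she holds it. The CA name, e-mail address and message text are constructed for the example; the CA is a self-signed certificate generated in the program rather than a real commercial CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key pair (each party would normally generate
// and protect their own).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newCA builds a self-signed certificate standing in for the commercial CA of
// the text (constructed for this example; the name is made up).
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCert is the CA vouching that pub belongs to the named person; the
// identity vetting a real CA performs before this step is outside the example.
func issueCert(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, name, email string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: name},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signMessage signs the SHA-256 digest of the exact message bytes.
func signMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifySignedMessage is Alice's side: the signer's certificate must chain to
// the trusted CA, and the signature must match this exact message. It returns
// the name the CA certified, which is the fact Alice would put before a court.
func verifySignedMessage(caCert, signerCert *x509.Certificate, msg, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	if _, err := signerCert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by trusted CA: %w", err)
	}
	pub, ok := signerCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not match message")
	}
	return signerCert.Subject.CommonName, nil
}

func main() {
	caKey, caCert, _ := newCA("Example Commercial CA")
	bobKey, _ := newKey()
	bobCert, _ := issueCert(caKey, caCert, "Bob", "bob@example.com", &bobKey.PublicKey)

	reply := []byte("Yes.  Regards, Bob.") // the acceptance from the scenario
	sig, _ := signMessage(bobKey, reply)

	who, err := verifySignedMessage(caCert, bobCert, reply, sig)
	fmt.Println("original message:", who, err) // Bob <nil>

	// If either side later produces a different text, the signature will not match it.
	_, err = verifySignedMessage(caCert, bobCert, []byte("No.  Regards, Bob."), sig)
	fmt.Println("altered message:", err)

	// A self-made certificate naming "Bob" but not issued by the CA carries no weight.
	malKey, malCert, _ := newCA("Bob")
	malSig, _ := signMessage(malKey, reply)
	_, err = verifySignedMessage(caCert, malCert, reply, malSig)
	fmt.Println("uncertified key:", err)
}
```

The three checks in main mirror the proof points in the text: a valid signature under a CA-certified key ties the exact message to the certified name, any change to the text breaks the match, and a key that no trusted CA has certified proves nothing about identity, however valid its signature. Note that the signature only binds the key, not the person; Alice's evidence still rests on the CA's vetting and on Bob's key having stayed under his control.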

Anyone engaging in electronic contracting will need to make a careful risk/benefit determination around questions of proof.  A party to an electronic contract may have to go before a judge and show (a) that there was, in fact, a contract formed – i.e., there was an offer, an acceptance, and consideration; (b) what the substance of the contract was; and (c) who the contracting parties are.  Some methods of electronic contracting, such as use of CA-authenticated digital signatures, may make proving these points relatively easy.  In some cases, however, the cost and hassle of employing robust authentication techniques simply won’t be worthwhile.  For example, plenty of online businesses rely on “clickthrough” contracts where users self-report their identity.  These businesses can still make good proof arguments: by keeping careful records they can show how they formed contracts with users and show the substance of the contracts; they will have some evidence of user identity.  But these businesses presumably have made a decision to forgo the proof benefits accorded by more robust authentication techniques after weighing these benefits, the associated costs, and the risks and consequences associated with potential unenforceability of their electronic contracts.

The bottom line is that it is easy to form a contract electronically, and electronic contracts may be formed a variety of ways.  But it may be difficult to prove an electronic contract in the event of a dispute.  It is important to take this into account when engaging in electronic contracting, and to scale authentication techniques in accordance with the risk of unenforceability and the consequences if the contract were to be unenforceable.