Legal Esignatures for Elections

March 10, 2011

Electronic signatures have obvious applications to government.  One area that is evolving rapidly is the election system at the core of US democratic government.  The internet has already had a dramatic impact on the practice of politics, and electronic signatures combined with electronic documents and social networks seem destined to change politics and policy in ways that we are only now beginning to comprehend.  Recent court cases are setting precedents for the role of electronic signatures in US elections; we will highlight a couple in this post.

Last summer Utah’s Supreme Court ruled that electronic signatures on a petition to nominate a gubernatorial candidate must be honored.  The court overruled the state’s election officials and required that signatures gathered on an online nominating petition be accepted; see Anderson v. Bell.  As a result of this ruling Mr. Farley Anderson was listed on the ballot for Utah governor in 2010.  While Mr. Anderson was not successful in his campaign to become the governor of Utah, this ruling is likely to have a significant impact on electronic signature gathering in elections in Utah and beyond.

Meanwhile a case in California is wending its way through the courts.  Michael Ni, a founder of Verafirma, submitted an electronically stored petition containing his electronic signature to the San Mateo County Elections Office.  Verafirma is an electronic signature technology company focused on use of electronic signatures in politics.  His submission was rejected by the elections office and the rejection was upheld by the Superior Court in San Mateo County.  This is now being appealed at the state Court of Appeals and will probably be heard soon.

Briefs have been filed on behalf of Mr. Ni by the Asian American Action Fund, Citizens in Charge, the Humane Society of the United States, the National Taxpayers Union, the Electronic Signature and Records Association, Antonio Gonzalez, and Joe Trippi.  Links to many of the filings and briefs can be found on Verafirma’s Twitter feed.

Verafirma believes that the use of electronic signatures can dramatically reduce the cost of qualifying ballot initiatives, encourage more citizen involvement and increase the quality of legislation submitted to voters.   This seems reasonable and  I think that the effects of reducing friction and increasing participation in our democratic process could be staggering.  What will a democracy of the late 21st century look like?


State Government Electronic Signature Guidelines

June 3, 2009

Somebody pointed out to me that the state of Minnesota has guidelines/considerations for deploying electronic signatures, Electronic Records Management Guidelines – Electronic and Digital Signatures.  I may add this to my sidebar. Much of this is discussed on other pages or posts on this blog.

Utah, Washington, Oregon, North Carolina, California, Nebraska and Texas have all adopted electronic record and signature guidelines, and in doing so have chosen to license or register the certificate authorities that do business with the state. In many cases they have updated laws that specifically required handwritten signatures, as a response to their state’s ratification of UETA.

I am not sure how well they deal with the distribution aspect of issuing credentials; this has proven to be a challenge for the federal government as well when trying to deploy credentials for FDA and other governmental applications.  In fact, FDA regulation 21 CFR Part 11 on Electronic Signatures and Records, approved in 1997, is still not being enforced, and when enforcement commences it is likely to be relatively lax.

As I have stated in other postings and papers, this is still the crux of the problem.  It has led governments to adopt an ad-hoc array of electronic signature methodologies, with some success, but has thwarted ubiquitous adoption of electronic signatures in government.  If people have any updates or success stories in this area I would love to hear them.


Tax Time and other eSignature Events

February 2, 2009

The IRS reports that last year nearly 90 million (around 58%) of US tax returns were submitted electronically, using the IRS approved PIN-based signatures.  These simple electronic signatures show the increasing comfort of the American public with use of electronic signatures on extremely important legal documents.

Also – Silanis had a recent webcast where Patrick Hatfield of Locke Lord Bissell and Liddell, LLP presented on recent case law around the use of electronic signatures. You can download the presentation from Silanis or get a PDF summary from Locke Lord Bissell and Liddell. The gist of it is: make sure that intent is confirmed, i.e. make it very clear that the signer is aware of the affirmative action of the electronic “I agree.”  The courts will enforce the signature like any other, even in insurance rescission cases!

An interesting point made by Patrick in the presentation: there are still no cases where the purported signer has denied that he signed the contract.  Does this mean that we are spending too many calories worrying about signer authentication?


MD5 Bites the Dust

January 6, 2009

The MD5 hash algorithm, designed by Ron Rivest in 1991, has historically been a key part of digital signatures. It has been considered too weak for modern digital signature and cryptographic applications since practical collisions were published by Wang et al. in 2004, but it has continued to see use in many systems. Now the long-known weaknesses in MD5 have finally been exploited in a demonstrable (and disastrous) way.

Many electronic signature solutions use the ubiquitous MD5 hash algorithm to ensure the integrity of digital documents. It is sometimes argued that an MD5 collision is unlikely to be a readable document, so that MD5 as an internal document checksum is not a big problem. That is not a safe assumption: colliding pairs of readable files (PostScript and PDF documents that display different content but share one MD5 hash) were demonstrated as early as 2005, and a chosen-prefix collision lets an attacker prepare two meaningful documents that hash the same before either is signed. An MD5 checksum still catches accidental corruption, but it should not be relied on to detect deliberate substitution.

The immediate problem is that researchers (Sotirov, Stevens, Appelbaum, Lenstra, Molnar, Osvik and de Weger, presented at the 25C3 conference in December 2008) used a chosen-prefix MD5 collision to obtain a rogue intermediate CA certificate. They purchased an ordinary SSL certificate from a commercial CA (RapidSSL) that still signed with MD5, having arranged the request so that the CA’s signature is equally valid over a second certificate of their own construction, one that carries CA signing powers. With that certificate they can issue a browser-trusted certificate for any site name. SSL on e-commerce sites is the obvious victim, but the same forgery applies to electronic signatures that use X.509 certificates and SSL-style digital signature algorithms as part of an authenticating signature: any certificate in the chain that was signed with MD5 can no longer be trusted to identify its subject. This can be a big problem for electronic signatures.

Fortunately VeriSign and many other certificate authorities had already begun the transition to SHA-1 as the signing algorithm of choice, and the CA involved moved its remaining MD5 issuance to SHA-1 the day the result was announced.  Now everyone should make sure that the SSL certificates used by their digital signing solutions are signed with the more modern SHA-1 algorithm (and plan for SHA-2, since SHA-1 itself has had published theoretical collision attacks since 2005), and the makers of electronic signing/verifying applications should refuse to honor MD5-based signatures on certificates associated with newly signed documents.  One caveat: a document legitimately signed in the past under an MD5-signed certificate has not been retroactively forged, but a verifier can no longer tell it from a forgery by the signature alone, which is one more reason to attach a trusted time stamp to signatures.
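The following added example (not code from the original post) shows the two properties the post depends on: a signature over a hash is really a signature over every message with that hash, and a verifier needs an explicit policy to refuse MD5. The two 128-byte blocks are the published Wang et al. colliding pair; the CA key, the HMAC stand-in for the CA’s RSA signature and the policy table are constructed for the illustration and are not any vendor’s code.

```python
import hashlib
import hmac

# Published Wang et al. (2004) colliding pair: different bytes, same MD5.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def digests_match(hash_name: str) -> bool:
    """True when the two blocks collide under the named hash."""
    return (hashlib.new(hash_name, COLLIDING_A).digest()
            == hashlib.new(hash_name, COLLIDING_B).digest())


def sign_digest(ca_key: bytes, digest: bytes) -> bytes:
    # Stand-in for a CA's RSA signature over a DigestInfo (assumption for the
    # example). What matters is the property shared with RSA signing: the
    # signature depends only on the digest, never on the message bytes.
    return hmac.new(ca_key, digest, hashlib.sha256).digest()


def verify(ca_key: bytes, data: bytes, signature: bytes, hash_name: str) -> bool:
    digest = hashlib.new(hash_name, data).digest()
    return hmac.compare_digest(signature, sign_digest(ca_key, digest))


def signature_transfers(hash_name: str) -> bool:
    """Sign COLLIDING_A under hash_name, then test whether that very signature
    verifies over COLLIDING_B. True means the hash let the signature be
    transplanted onto a message the signer never saw (the rogue CA case)."""
    ca_key = b"demo-ca-key"  # constructed for the example, not a real key
    sig = sign_digest(ca_key, hashlib.new(hash_name, COLLIDING_A).digest())
    return verify(ca_key, COLLIDING_B, sig, hash_name)


# Signature algorithm OIDs a signing/verifying application should refuse on
# any certificate in the chain and on document signatures.
REJECTED_SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
}


def accept_signature_algorithm(oid: str) -> bool:
    """Policy check: honor a signature only if its hash is not MD5/MD2."""
    return oid not in REJECTED_SIGNATURE_ALGORITHMS


if __name__ == "__main__":
    print("inputs differ:", COLLIDING_A != COLLIDING_B)
    print("md5 collides:", digests_match("md5"))
    print("sha1 collides:", digests_match("sha1"))
    print("MD5-based signature transfers to other message:", signature_transfers("md5"))
    print("SHA-256-based signature transfers:", signature_transfers("sha256"))
    print("accept md5WithRSAEncryption:", accept_signature_algorithm("1.2.840.113549.1.1.4"))
```

In a real verifier the OID check is applied to the `signatureAlgorithm` of every certificate in the chain, not just the end-entity certificate, because the rogue certificate in the 25C3 demonstration was an intermediate.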


New EU Action Plan on Esignatures

December 29, 2008

It is interesting that the EU, whose Electronic Signatures Directive (1999/93/EC) generated much of the impetus and direction for the XAdES standard (ETSI TS 101 903, also published as a W3C Note), has now acknowledged that it has not been successful in standardizing electronic signatures for cross-border use between member states. I suspect that the trusted credential infrastructure challenge referenced in my paper XML Electronic Signatures has created at least part of the problem.

The EU’s original plans called for interoperable e-signatures and electronic identification for government services by the end of 2009, but it doesn’t look to me like they will make it. It seems that they now have an “Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market”.

Gosh – and I thought that they were so far ahead of us!


A little on E-notarization

July 16, 2008

OK – I talked about this a long time ago and got busy and haven’t written anything. So I will try to at least say a little bit:

Notaries Public have a distinct place in society as state-licensed trusted witnesses. This has made the role of a notary public invaluable in many high-value transactions such as real estate sales. The human notary’s function is to ensure that the person is who they represent themselves to be and that they are executing the transaction of their own volition, i.e. they are not being coerced and are not in a state where they are unable to make decisions for themselves.

Many people have wanted to use PKI to replace this function, just as they want to use PKI for nearly all authentication functions. Unfortunately for PKI as a standalone solution to this problem, the function of confirming that the person is not under duress or incapacitated is still best performed by a human agent; a certificate attests to a key, not to the state of mind of the person holding it.

Many states have enacted legislation to foster electronic signatures for electronic notarization. One notable effort has been put on hold: Virginia passed electronic notarization guidelines that were to take effect on July 1, but on June 24th got cold feet. They decided that much of the text, which was lifted verbatim from the ESIGN Act, was too ambiguous and offered too much opportunity for fraud. Maybe they believe that notarization must be more prescriptive in its implementation to help the poor county clerks who have to decide whether to accept signing methods!

One widely discussed electronic notarization method is Colorado’s. Colorado recommends the use of Document Authentication Numbers, a very simple and clever method of electronically signing the document. The way the Document Authentication Number works is that when a notary obtains authorization for electronic notarization they are assigned a unique notary identification number and are given a log that contains a sequence of random numbers. This sequence of numbers assigned to the notary is private to the notary, and a copy is maintained by the Secretary of State for future validation purposes.

When a document is notarized the notary attaches his seal information, his identification number and one of the numbers from his log. He uses a different number for every document that he notarizes, so each number is used exactly once. This combination of notary number plus one-time Document Authentication Number forms a unique electronic signature for every notarized transaction, and the Secretary of State can later confirm that a given number was in fact issued to that notary.
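To make the validation side concrete, here is an added model of the scheme as the post describes it (example code, not the Colorado Secretary of State’s software). The notary IDs, log length and in-memory storage are constructed for the illustration, and treating a number that turns up on a second, different document as “reused” is this model’s own assumption about how the Secretary of State’s copy of the log would be used.

```python
import hashlib
import secrets


class SecretaryOfState:
    """Assigns each electronic notary an ID and a private log of random
    numbers, keeping a copy of the log so a DAN can be validated later."""

    def __init__(self):
        self._logs = {}   # notary_id -> set of DANs in that notary's log
        self._seen = {}   # notary_id -> {dan: fingerprint of first document seen}

    def register(self, notary_id: str, log_size: int = 100) -> list:
        log = []
        while len(log) < log_size:               # distinct 8-digit numbers
            dan = f"{secrets.randbelow(10**8):08d}"
            if dan not in log:
                log.append(dan)
        self._logs[notary_id] = set(log)         # the state's copy
        self._seen[notary_id] = {}
        return log                               # the notary's copy; kept private

    def validate(self, notary_id: str, dan: str, document: bytes) -> str:
        """'valid'   : DAN came from this notary's log, first seen on this document
           'unknown' : never issued to this notary
           'reused'  : already seen on a different document (copied or reused DAN)"""
        if dan not in self._logs.get(notary_id, set()):
            return "unknown"
        fingerprint = hashlib.sha256(document).hexdigest()
        first = self._seen[notary_id].setdefault(dan, fingerprint)
        return "valid" if first == fingerprint else "reused"


class Notary:
    """Attaches seal information, the notary ID and one unused number from the
    log to each document, consuming the number so it is never used twice."""

    def __init__(self, notary_id: str, log: list, seal: str):
        self.notary_id = notary_id
        self.seal = seal
        self._unused = list(log)

    def notarize(self, document: bytes) -> dict:
        if not self._unused:
            raise RuntimeError("log exhausted; obtain a new log before notarizing")
        return {
            "seal": self.seal,
            "notary_id": self.notary_id,
            "dan": self._unused.pop(0),
            "document": document,
        }


if __name__ == "__main__":
    sos = SecretaryOfState()
    notary_id = "2008-00123"                    # constructed sample ID
    notary = Notary(notary_id, sos.register(notary_id, log_size=5),
                    seal="Jane Doe, Notary Public, State of Colorado")
    record = notary.notarize(b"deed of trust (constructed sample)")
    print(sos.validate(notary_id, record["dan"], record["document"]))    # valid
    print(sos.validate(notary_id, record["dan"], b"a different deed"))   # reused
    print(sos.validate("2008-99999", record["dan"], record["document"])) # unknown
```

The model also shows the scheme’s limit: the number binds a notarization to a secret shared by the notary and the state, but nothing in it binds the contents of the document. A number copied off one notarized document can be attached to another, and the only thing that exposes the copy is the one-use rule combined with the state’s records, which means the county clerk’s check is only as good as the state’s willingness to answer validation queries.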

Colorado also allows notaries to use other, non-specified electronic notarization methods by special approval:

3. Notification of intent to notarize electronically shall be on forms prescribed by the Secretary of State, and shall include a statement whether the applicant or notary will use only document authentication numbers as his or her electronic signature. If the applicant or notary indicates an intention to use a different electronic signature than document authentication numbers, then the notification of intent shall also be accompanied by an example of the electronic signature that will be used by the applicant or notary, and shall include the following information:

(a) A description of the technology that will be used for the notary’s electronic notarizations, specifically for the creation of the notary’s electronic signature;
(b) The name, address, telephone number, and web or e-mail address of the supplier or vendor of such technology; and
(c) Such other information as the Secretary of State finds necessary to confirm that the technology complies with the requirements of the Colorado Notaries Public Act, article 55 of title 12 of the Colorado Revised Statutes.

I don’t know what other technologies are being accepted in Colorado; this seems to pose the same county clerk dilemma as Virginia has. Perhaps there are other guidelines published by the Secretary of State. Does anyone out there know the answer to this?

In any case I will join the list of bloggers and pundits that applauds Colorado for making the whole electronic signature issue something that is very easy for anyone to understand!


Administrivia

February 14, 2008

Since PDF is so important I added a PDF page, see Portable Document Format (PDF) signature, in the Esignature technology section. It has more information than the post on this topic.

In the process of writing this page I was struck by the way Adobe evolved from the company that wrote printer software… but I digress.

Hope to get up some stuff on eNotarization and authentication real soon now. Anything else you would like to see?


Do you trust me?

January 30, 2008

Another area that is routinely conflated into the electronic signature/document processing stew is the topic of authentication. Authentication has many meanings, but in the context in which it is usually used in the electronic document space it refers to “How do I know it is you signing this document?” This has obvious ramifications for non-repudiation: a signature is only as hard to deny as the identification behind it.

Authentication then brings in the issue of trust. Do I trust your credentials/identification? Just as in the real world, you could potentially be an impersonator with a fake ID. Peter Gutmann at the University of Auckland has an interesting (if slightly dated) discussion of issues around using electronic signatures, with a focus on signature laws and on using PKI as an adequate proxy for trustworthy credentials. This presentation can be found here, Gutmann on PKI and signatures. One area to note is the section on Trust beginning on page 23.

Mr. Gutmann discusses types of trust. His taxonomy includes (but is not limited to):

  • Blind Trust, where we trust because we have to, or there are no significant repercussions for a breach of trust
  • Swift Trust, which is hedged (limited liability) trust given to establish business relationships
  • Knowledge Based Trust based on a history of interactions between the trusting parties
  • Indirect Trust based on a trusted intermediary, such as a credit card

All of these forms of trust come into play in the world of electronic transactions. A business extends blind trust when it allows you to request a car insurance quotation online and emails you a link where you can access the web-based application. When a quotation is issued based upon your applying at the private link, it has granted you swift trust. And when it issues you the insurance based upon your making the first payment with your American Express card, it employs indirect trust: American Express guarantees the payment!

In each step the business is increasing its confidence, or trust, that you are you. This has been done through a web of interlocking identification factors: you control the email address, the car is registered in your name and you have provided a valid credit card which has the same billing address as your car registration. Each step has been hedged so that the insurance company (which assumes all liability if it is defrauded) has made a decision on the acceptable level of business risk.

Peter Gutmann seems to believe, and I concur, that prescriptive digital signature laws do little to mitigate the risk of electronic transactions in an acceptable way. Furthermore, they may create more problems than they solve.

I would add to this that the general electronic signature laws (ESIGN/UETA in the US) provide all of the legislative framework that is necessary. With these laws, and a sensible approach to risk management through authentication and intermediaries, electronic transactions should have no more risk than the face to face transactions that we engage in every day.


It’s About Time

January 23, 2008

A key requirement for an electronically signed document is a trusted time stamp. This is very important for non-repudiation of contracts (was I bound by this at the time?) and for other important documents such as the disclosure of patentable inventions.

Proof of the existence of a signed document at a given time can be demonstrated by having a time stamp of the document signature issued by a trusted timestamp authority (TSA). A TSA is an entity that can demonstrate that it maintains its clock against a recognized time source, such as NIST in the US. There are also standards for trusted time stamps, such as RFC 3161 and ANSI X9.95, and a number of vendors that provide this service.

The basic process for obtaining a trusted time stamp is this:
The requesting party computes a hash of the signed document (usually of the signature value itself) and sends the TSA a request containing only that hash and the identifier of the hash algorithm, the MessageImprint in RFC 3161 terms; the document itself never leaves the requester. The TSA builds a time stamp token around the hash, recording the current time, a unique serial number and its policy identifier, and digitally signs the token with the TSA’s certificate. The requesting party validates the token (checks the TSA’s signature and that the hash inside the token matches its own) and then stores the token with the signed document. This establishes that the signed document existed at the time stated in the token, and it does so without the TSA ever seeing the contents of the document, thus preserving the confidentiality of the signed document.

There are several ways of generating a time stamp token. RFC 3161 requires the token to carry the time as UTC (“Zulu”) GeneralizedTime, specified to the second or better, with an optional accuracy field stating how far the TSA’s clock may be off. It also requires that the TSA include a unique serial number with every time stamp issued, so that the TSA name and token serial number together identify a single time stamp. The requester may also include a nonce in the request, which the TSA must copy into the token, so that a fresh response cannot be substituted with an old one.
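The exchange described above, as an added model that is not part of the original post and not any vendor’s TSA software. The token is a plain dictionary standing in for the DER-encoded TSTInfo inside a CMS SignedData, the TSA’s certificate-based signature is replaced by an HMAC under a TSA key (an assumption for the example), and the TSA name, policy OID and sample document are constructed.

```python
import hashlib
import hmac
import itertools
import secrets
from datetime import datetime, timezone


class TimeStampAuthority:
    """Model TSA: signs time stamp tokens over a MessageImprint (hash algorithm
    plus digest). Field names follow RFC 3161 section 2.4.2."""

    def __init__(self, name: str, policy_oid: str, key: bytes):
        self.name = name
        self.policy = policy_oid
        self._key = key                        # stand-in for the TSA signing key
        self._serial = itertools.count(1)      # unique per token, never reused
        self.clock = lambda: datetime.now(timezone.utc)

    def timestamp(self, hash_alg: str, digest: bytes, nonce=None) -> dict:
        """Handle a TimeStampReq. Only the imprint arrives; the document does not."""
        if hash_alg not in hashlib.algorithms_available:
            raise ValueError("unknown hash algorithm")
        if len(digest) != hashlib.new(hash_alg).digest_size:
            raise ValueError("digest length does not match algorithm")
        tst_info = {
            "policy": self.policy,
            "messageImprint": (hash_alg, digest.hex()),
            "serialNumber": next(self._serial),
            # GeneralizedTime in UTC ("Zulu"), given here to the second
            "genTime": self.clock().strftime("%Y%m%d%H%M%SZ"),
            "nonce": nonce,                    # echoed back if the requester sent one
            "tsa": self.name,
        }
        return {"tstInfo": tst_info, "signature": self._sign(tst_info)}

    def _sign(self, tst_info: dict) -> bytes:
        # Deterministic serialisation of the token fields, then the HMAC stand-in
        encoded = repr(sorted(tst_info.items())).encode()
        return hmac.new(self._key, encoded, hashlib.sha256).digest()

    def verify_signature(self, token: dict) -> bool:
        return hmac.compare_digest(token["signature"], self._sign(token["tstInfo"]))


def request_timestamp(tsa: TimeStampAuthority, signed_document: bytes, hash_alg="sha256"):
    """Requester side: hash locally, send only the imprint plus a fresh nonce."""
    nonce = secrets.randbits(64)
    digest = hashlib.new(hash_alg, signed_document).digest()
    return tsa.timestamp(hash_alg, digest, nonce), nonce


def validate_token(tsa: TimeStampAuthority, token: dict, signed_document: bytes, nonce) -> bool:
    """Requester side: before filing the token with the document, check the TSA
    signature, that the imprint is of *this* document, and that the nonce matches
    (a replayed old token or a token for another document fails here)."""
    info = token["tstInfo"]
    alg, digest_hex = info["messageImprint"]
    expected = hashlib.new(alg, signed_document).hexdigest()
    return (tsa.verify_signature(token)
            and hmac.compare_digest(digest_hex, expected)
            and info["nonce"] == nonce)


if __name__ == "__main__":
    tsa = TimeStampAuthority("CN=Example TSA", "1.3.6.1.4.1.99999.1", secrets.token_bytes(32))
    doc = b"<signed contract bytes, constructed for the example>"
    token, nonce = request_timestamp(tsa, doc)
    print(token["tstInfo"])
    print("valid for this document:", validate_token(tsa, token, doc, nonce))
    print("valid for a modified document:", validate_token(tsa, token, doc + b"!", nonce))
```

Two things in the model are worth carrying into a real deployment: the requester checks the imprint against its own hash rather than trusting whatever the token says, and the serial number is what lets a challenged time stamp be matched against the TSA’s own audit log.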

Some other methods of generating time stamps rely on “linking” or document chaining, which includes a piece of the previous time stamp token in each new token, so that the order of time stamps can be verified after the fact. Other methods combine this with using a single time stamp for a given interval of time, so that many documents receive the same time stamp, which is calculated as a function of all of those documents. Should this time stamp be challenged, several other document authors could be called as witnesses! An interesting survey of timestamping methods by Michael de Mare can be found here.

Some other methods proposed use transient keys, meaning the key used for signing the document hash is a function of the time. Generation of “trusted time stamps” is an area of significant activity, and many vendors will emphasize the advantages of their (often proprietary) methods.

A trusted time stamp is necessary for increasing the reliability of an electronic signature on a document. For many documents an institution may rely on its own time server as a TSA; this is legitimate as long as the institution is able to document its timekeeping policies and demonstrate their reliability in the event that the time stamps are challenged.

With many vendors pushing their own methods for time stamping and the significant complexity that can be attached to the topic, it is easy to get confused. However, the question that a relying party should ask is “How good do they have to be?” There are many ways of legally establishing the time of the occurrence of an event. Just ensure that you can justify yours!


It’s the process, stupid!

January 11, 2008

Looking at my own experiences and speaking with some of you makes it seem that there are two types of people working on deploying electronic signatures in companies. One type is the techie – this is the person that can tell you ten different ways to detect alterations to an electronic record and why anybody that doesn’t get that an electronic document is just a record is just stupid. This person is ready to start coding – and he may never produce a system that is usable and delivers legally binding signatures.

The other type is the cautious manager – this individual believes the existing paper or hybrid edoc/paper processes work fine and knows at least five reasons that the project is too risky, it is too expensive and should be killed or endlessly postponed until it sinks from view.

Yet everyone agrees that as more business and personal interaction moves into cyberspace the need exists and will be serviced. Growth of online purchases continues to outpace brick and mortar in the US. More and more the government is accepting electronic documents to streamline operations and comply with various regulations.

At some point everyone will need to concede that there are ways to make electronic documents far more secure than signed paper documents, and that they are different from paper documents! It is all about the process that is followed. Care must be taken to ensure that individuals are aware of the transactions they are engaged in and that their personal data is properly protected. Ultimately there will be a rich history of civil cases; the law firm Buckley Kolar presented an extracted summary at the ESRA conference, here, citing some of the legal groundwork that is forming. But how long will you wait for this to occur? Waiting too long ensures that your business will be left behind.

You just need to get your techies to use their wizardry to match the legal requirements – they are pretty clear. An overview is even available on the implementing esignatures page on this blog. The process for creating a legally binding signature and responsibly managing electronic documents is not that complicated, you just need to follow it.

Maybe the question is not can you afford to proceed ahead with esignatures, but can you afford not to? Businesses are gaining real savings in $, time and customer satisfaction with electronic document flow and electronic transactions – are you one of these businesses or are they your competitors?

