25 June 2000
Date: Fri, 23 Jun 2000 15:58:11 -0400 From: William Allen Simpson <firstname.lastname@example.org> To: email@example.com Subject: Electronic Signatures Yield Unpleasant Surprises -----BEGIN PGP SIGNED MESSAGE----- Electronic Signatures Yield Unpleasant Surprises Knowledgeable Internet users might think that the "Electronic Signatures in Global and National Commerce Act" -- passed overwhelmingly by the US Congress last week -- would provide virtual world commerce with the same protections expected in the physical world. Surprise! No, that would be "digital signatures", never mentioned in the Act. Digital signatures are designed to detect changes in digital content, and computationally irreversible functions ensure that the signature belongs to a particular entity. The Act imposes the language of UETA (the bastard sibling of the notorious UCITA that has been opposed by the attorney generals of most states) upon the US as a whole. Don't touch that dial (or click that mouse) Instead, these electronic signatures are a "sound, symbol, or process". By the simple act of pressing a telephone keypad that makes a sound ("press 9 to agree or 7 to hear this menu again"), clicking a hyper-link to enter a web site, or clicking "continue" on a software installer, the consumer consents to be bound to an electronic contract. The only protections for the consumer are "a statement of the hardware and software requirements", and that this legally binding consent is confirmed "in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used". This can be performed by an "electronic agent ... without review or action by an individual". Every time a link is clicked, web browsers routinely provide this hardware and software information, without any user knowledge or intervention. For example, GET /digsig/ HTTP/1.0 Referer: http://www.cdt.org/ Connection: Keep-Alive User-Agent: Mozilla/4.73 (Macintosh; U; PPC) Host: www.cdt.org Accept: image/gif, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Surprise! The vendor already knows where you've visited previously, your software version, what kind of computer you are using, the types of images you can process, that you speak English, and other esoteric arcana. Added costs Using new electronic signatures, will commerce cost less? It might save money for the vendor, but it brings new Congressionally approved charges for the consumer. Surprise! If you need a physical copy of the invoice for company records, or you'd like a printed copy of the manual that describes the features and operation that motivated your purchase decision, or you want an actual CD-ROM of the software that you purchased, or an immutable copy of any other electronic records, the vendor is now authorized to charge an extra fee. Surprise! Many consumers comparison shop on-line, but quit before purchasing, making their final purchase at a later time in a conventional manner. Vendors are now permitted another new fee for "withdrawal of consent". According to Congressional staff, this new fee may not have been intended to be charged until after a consummated transaction. Such a limitation is not explicitly stated in the legislation. It is hard to imagine that a court would enforce the new fee without an actual purchase of a product. However, according to the same staff, this specific language was vetted with Dell, Gateway, Hewlett-Packard, MicroSoft, and other vendors. No consumer advocates were mentioned. Incredible shrinking wrap In technical terms, each request and response for an electronic record is called a transaction. These requests may be separated by considerable time, and may even be made from browsing sessions on different computers. The Act defines transaction as "an action or set of actions relating to the conduct of business, consumer, or commercial affairs between two or more persons...." The Act specifically contemplates that the vendor can specify "whether the consent applies (I) only to the particular transaction which gave rise to the obligation to provide the record, or (II) to identified categories of records that may be provided or made available during the course of the parties' relationship;" Surprise! The process of clicking now generates a legal relationship with a vendor, and can bind the consumer for categories of records. This gives legal weight to web site product disclaimers, poor privacy practices, or installer shrink-wrap conditions, simply by making them available (perhaps via another URL). Note the use of future tense in the language: "the electronic form that will be used", "may be provided or made available". There is no guarantee that the records have actually been seen by the consumer prior to contract. Binding the consumer Although consent for the use of electronic transactions is streamlined, and may already be automated by using standard browsers, vendors apparently found this is too onerous. An escape clause is provided: "The legal effectiveness, validity, or enforceability of any contract executed by a consumer shall not be denied solely because of the failure to obtain electronic consent or confirmation of consent by that consumer...." Surprise! The ability to give consent, the sole new consumer protection of the Act, is not a strong protection. Should the consumer fail to agree to post-sale shrink-wrap license conditions, blocks the vendor from receiving secret registration communications from software, or fails to otherwise electronically transmit consent, the vendor's terms and conditions remain enforceable. Note that no such provisions bind the vendor! Lack of privacy promotes spam The contractual and consent provisions assume the parties' ability to identify and communicate with each other. The Act requires accuracy, and the ability "to update information needed to contact the consumer electronically". Surprise! Many customers don't want to be contacted electronically, using fake email addresses for registration. These consumers prefer not to receive future promotional spam from the vendor. Many vendors sell email addresses to others proliferating spam. An unintended side effect of the accuracy provisions is that spam marketeers might be required to use accurate return addresses for commercial messages. This could aid in filtering and prosecution for violations of acceptable use policies. Privacy protections were present in earlier versions, but were removed in the final version. Congressional staff indicate that privacy itself is too big an issue, to be decided at a later time. Buyer beware: vote with your dollars Without verifiably secure digital signatures, consumer protections against fraud and abuse, and consumer privacy, consumers have no reason to trust electronic commerce. Consumer and privacy advocates should oppose final adoption of this Act. Should the Act be signed into law, consumers should refuse consent to engage in electronic commerce in the US. Other countries have better protections, and are easily reachable on the Internet. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 iQCVAwUBOVPA/9m/qMj6R+sxAQEdfgP/atBObX1l0b3OaHpU5vBRC0+DP8f7tTTB fgdzKCr2YbSCnk5JnNbU62ZyiC5pyj2VejefcCQIrHXWQTaRqrPB2nSTEAY2ajTy zJNmPeQBK22dazlUHUj1JbR+UetCx5sCL8qtYdyeiS1dwMvyek1wHUGgi0XkUvte RcLmQFdtP8E= =5mbd -----END PGP SIGNATURE-----
Date: Sun, 25 Jun 2000 00:32:50 -0400 (EDT) From: "P.J. Ponder" <firstname.lastname@example.org> To: William Allen Simpson <email@example.com> Cc: firstname.lastname@example.org Subject: Re: Electronic Signatures Yield Unpleasant Surprises On Fri, 23 Jun 2000, William Allen Simpson wrote: < . . . . > > Surprise! Many consumers comparison shop on-line, but quit before > purchasing, making their final purchase at a later time in a > conventional manner. Vendors are now permitted another new fee for > "withdrawal of consent". > > According to Congressional staff, this new fee may not have been > intended to be charged until after a consummated transaction. Such a > limitation is not explicitly stated in the legislation. It is hard to > imagine that a court would enforce the new fee without an actual > purchase of a product. > > However, according to the same staff, this specific language was vetted > with Dell, Gateway, Hewlett-Packard, MicroSoft, and other vendors. No > consumer advocates were mentioned. A reporter for CNet wrote a story on this bill before it passed and the story focused on 'digital signatures'. I wrote the reporter and pointed out that the bill dealt only with 'electronic signatures' which have nothing to do with cryptography. This is the response I got back from the reporter: || I contacted the House as soon as I got your email, and after some || probing-it took a couple of hours to get someone "informed" on the || phone-determined that I had been misinformed. The House people had || talked extensively about digital signatures, when the bill is in fact || about electronic signatures, as you said. That the people I spoke with || did not initially know the difference in this important legislation is || a bit disconcerting. This is a pretty sad state of affairs. We don't really expect the elected members of Congress to know very much, but it is alarming to find out the staff can't (or won't) do a decent job, either.