25 June 2000
Date: Fri, 23 Jun 2000 15:58:11 -0400
From: William Allen Simpson <wsimpson@greendragon.com>
To: cryptography@c2.net
Subject: Electronic Signatures Yield Unpleasant Surprises
-----BEGIN PGP SIGNED MESSAGE-----
Electronic Signatures Yield Unpleasant Surprises
Knowledgeable Internet users might think that the "Electronic Signatures
in Global and National Commerce Act" -- passed overwhelmingly by the US
Congress last week -- would provide virtual world commerce with the same
protections expected in the physical world.
Surprise! No, that would be "digital signatures", never mentioned in
the Act. Digital signatures are designed to detect changes in digital
content, and computationally irreversible functions ensure that the
signature belongs to a particular entity.
The Act imposes the language of UETA (the bastard sibling of the
notorious UCITA that has been opposed by the attorney generals of most
states) upon the US as a whole.
Don't touch that dial (or click that mouse)
Instead, these electronic signatures are a "sound, symbol, or process".
By the simple act of pressing a telephone keypad that makes a sound
("press 9 to agree or 7 to hear this menu again"), clicking a hyper-link
to enter a web site, or clicking "continue" on a software installer, the
consumer consents to be bound to an electronic contract.
The only protections for the consumer are "a statement of the hardware
and software requirements", and that this legally binding consent is
confirmed "in a manner that reasonably demonstrates that the consumer
can access information in the electronic form that will be used". This
can be performed by an "electronic agent ... without review or action by
an individual".
Every time a link is clicked, web browsers routinely provide this
hardware and software information, without any user knowledge or
intervention. For example,
GET /digsig/ HTTP/1.0
Referer: http://www.cdt.org/
Connection: Keep-Alive
User-Agent: Mozilla/4.73 (Macintosh; U; PPC)
Host: www.cdt.org
Accept: image/gif, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Surprise! The vendor already knows where you've visited previously,
your software version, what kind of computer you are using, the types of
images you can process, that you speak English, and other esoteric
arcana.
Added costs
Using new electronic signatures, will commerce cost less? It might save
money for the vendor, but it brings new Congressionally approved charges
for the consumer.
Surprise! If you need a physical copy of the invoice for company
records, or you'd like a printed copy of the manual that describes the
features and operation that motivated your purchase decision, or you
want an actual CD-ROM of the software that you purchased, or an immutable
copy of any other electronic records, the vendor is now authorized to
charge an extra fee.
Surprise! Many consumers comparison shop on-line, but quit before
purchasing, making their final purchase at a later time in a
conventional manner. Vendors are now permitted another new fee for
"withdrawal of consent".
According to Congressional staff, this new fee may not have been
intended to be charged until after a consummated transaction. Such a
limitation is not explicitly stated in the legislation. It is hard to
imagine that a court would enforce the new fee without an actual
purchase of a product.
However, according to the same staff, this specific language was vetted
with Dell, Gateway, Hewlett-Packard, MicroSoft, and other vendors. No
consumer advocates were mentioned.
Incredible shrinking wrap
In technical terms, each request and response for an electronic record
is called a transaction. These requests may be separated by
considerable time, and may even be made from browsing sessions on
different computers.
The Act defines transaction as
"an action or set of actions relating to the conduct of business,
consumer, or commercial affairs between two or more persons...."
The Act specifically contemplates that the vendor can specify
"whether the consent applies (I) only to the particular transaction
which gave rise to the obligation to provide the record, or (II) to
identified categories of records that may be provided or made
available during the course of the parties' relationship;"
Surprise! The process of clicking now generates a legal relationship
with a vendor, and can bind the consumer for categories of records.
This gives legal weight to web site product disclaimers, poor privacy
practices, or installer shrink-wrap conditions, simply by making them
available (perhaps via another URL).
Note the use of future tense in the language: "the electronic form that
will be used", "may be provided or made available". There is no
guarantee that the records have actually been seen by the consumer
prior to contract.
Binding the consumer
Although consent for the use of electronic transactions is streamlined,
and may already be automated by using standard browsers, vendors
apparently found this is too onerous. An escape clause is provided:
"The legal effectiveness, validity, or enforceability of any contract
executed by a consumer shall not be denied solely because of the
failure to obtain electronic consent or confirmation of consent by
that consumer...."
Surprise! The ability to give consent, the sole new consumer protection
of the Act, is not a strong protection. Should the consumer fail to
agree to post-sale shrink-wrap license conditions, blocks the vendor from
receiving secret registration communications from software, or fails to
otherwise electronically transmit consent, the vendor's terms and
conditions remain enforceable.
Note that no such provisions bind the vendor!
Lack of privacy promotes spam
The contractual and consent provisions assume the parties' ability to
identify and communicate with each other. The Act requires accuracy,
and the ability "to update information needed to contact the consumer
electronically".
Surprise! Many customers don't want to be contacted electronically,
using fake email addresses for registration. These consumers prefer not
to receive future promotional spam from the vendor. Many vendors sell
email addresses to others proliferating spam.
An unintended side effect of the accuracy provisions is that spam
marketeers might be required to use accurate return addresses for
commercial messages. This could aid in filtering and prosecution for
violations of acceptable use policies.
Privacy protections were present in earlier versions, but were removed
in the final version. Congressional staff indicate that privacy itself
is too big an issue, to be decided at a later time.
Buyer beware: vote with your dollars
Without verifiably secure digital signatures, consumer protections
against fraud and abuse, and consumer privacy, consumers have no reason
to trust electronic commerce. Consumer and privacy advocates should
oppose final adoption of this Act.
Should the Act be signed into law, consumers should refuse consent to
engage in electronic commerce in the US. Other countries have better
protections, and are easily reachable on the Internet.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
iQCVAwUBOVPA/9m/qMj6R+sxAQEdfgP/atBObX1l0b3OaHpU5vBRC0+DP8f7tTTB
fgdzKCr2YbSCnk5JnNbU62ZyiC5pyj2VejefcCQIrHXWQTaRqrPB2nSTEAY2ajTy
zJNmPeQBK22dazlUHUj1JbR+UetCx5sCL8qtYdyeiS1dwMvyek1wHUGgi0XkUvte
RcLmQFdtP8E=
=5mbd
-----END PGP SIGNATURE-----
Date: Sun, 25 Jun 2000 00:32:50 -0400 (EDT)
From: "P.J. Ponder" <ponder@freenet.tlh.fl.us>
To: William Allen Simpson <wsimpson@greendragon.com>
Cc: cryptography@c2.net
Subject: Re: Electronic Signatures Yield Unpleasant Surprises
On Fri, 23 Jun 2000, William Allen Simpson wrote:
< . . . . >
> Surprise! Many consumers comparison shop on-line, but quit before
> purchasing, making their final purchase at a later time in a
> conventional manner. Vendors are now permitted another new fee for
> "withdrawal of consent".
>
> According to Congressional staff, this new fee may not have been
> intended to be charged until after a consummated transaction. Such a
> limitation is not explicitly stated in the legislation. It is hard to
> imagine that a court would enforce the new fee without an actual
> purchase of a product.
>
> However, according to the same staff, this specific language was vetted
> with Dell, Gateway, Hewlett-Packard, MicroSoft, and other vendors. No
> consumer advocates were mentioned.
A reporter for CNet wrote a story on this bill before it passed and
the story focused on 'digital signatures'. I wrote the reporter and
pointed out that the bill dealt only with 'electronic signatures' which
have nothing to do with cryptography. This is the response I got back
from the reporter:
|| I contacted the House as soon as I got your email, and after some
|| probing-it took a couple of hours to get someone "informed" on the
|| phone-determined that I had been misinformed. The House people had
|| talked extensively about digital signatures, when the bill is in fact
|| about electronic signatures, as you said. That the people I spoke with
|| did not initially know the difference in this important legislation is
|| a bit disconcerting.
This is a pretty sad state of affairs. We don't really expect the elected
members of Congress to know very much, but it is alarming to find out the
staff can't (or won't) do a decent job, either.