There are two kinds of digital signatures: signatures good enough for a six dollar trade among friends, and signatures good enough for a six figure trade between strangers. [1] This Article considers both, from the digital equivalent of an initialed placemat to secure verification techniques more like notarizations. Nationally and internationally, diverse groups and bodies have been propelling the development of digital signature and certificate authority regulation and legislation. This Article examines the need for such legislation, questioning the assumption that current law presents, at best, uncertainties or, at worst, outright barriers to the use of electronic records and signatures. This analysis attempts to determine the extent of such uncertainty or conflict, by examining case law, as well as the most crucial technological and policy issues that face the drafters of digital signature legislation. Finally, the major statutes, drafts, and model laws are evaluated with regard to their efficacy in addressing the concerns so identified. [2]

The fundamental question legislation drafters face is the same question courts face: under what circumstances are electronic records and signatures as trustworthy as traditional writings and signatures? Beyond this question, however, many groups have also considered whether there is a need to legislate proactively in order to encourage the use of the more secure varieties of electronic signatures and to stimulate electronic commerce. To analyze fully the existing common-law environment for the treatment of digital records and signatures, one would ideally examine cases involving both low security records (e.g., a faxed signature, a name in text at the end of an e-mail) and records protected by elaborate security measures (particularly those that have been cryptographically signed). Unfortunately, while the law has long dealt with the application of new technologies by which non pen-and-ink signatures are used, as of yet there are no cases ruling on the per se validity of writings or signatures where a message was cryptographically signed. [3]

Thirteen states have digital signature statutes that apply generally to public and private settings; at least six have already passed “comprehensive” legislation also including the regulation of certificate authorities. [4] Pioneered by the Utah Digital Signature Act, [5] the “comprehensive” laws set precise rules governing the validity of signatures, the issuance and revocation of certificates, and the regulation of certificate authorities. In addition, a growing number of states have enacted limited statutes specifying only a vague outline for digital signature validity and delegating broad rulemaking authority to executive agencies. [6] Various guidelines and model laws have also contributed greatly to the evolution of state laws in this area, including efforts by the American Bar Association, the National Conference of Commissioners on Uniform State Laws (“NCCUSL”), which is preparing a Uniform Electronic Transactions Act, and the United Nations Commission on International Trade Law (“UNCITRAL”).

Several subordinate concerns must also be considered in the preparation of digital signature laws and drafts. As should be evident from the discussion herein, different types of electronic “signing” yield different levels of reliability. Drafters must acknowledge that it may be necessary to abandon bright line, “yes or no” rules in order to treat different kinds of signatures appropriately in all cases. This may mean leaving digital signatures equivalent to normal, signed documents in some cases and attaching evidentiary presumptions to others, even within the same statutory scheme. Some of these protections may be appropriate for generically defined signatures, and other measures may be appropriate only when specific, proven technologies, such as public key encryption, are used. In addition, digital signature laws must avoid interfering with the validity of electronic authentication procedures agreed to by contract, and with the validity of already-valid traditional signatures.

Drafters concerned solely with removing impediments in pre-existing laws may view the question of enhanced protection for secure signatures very differently from those who think the legal environment should proactively encourage the use of secure authentication methods. Either viewpoint may be appropriate, but drafters must be aware of their objectives. Moreover, digital signature statutes would be most effective if they were uniform and compatible with the laws of other states and nations. Yet, this goal must be balanced against preserving decentralization of regulation in order to allow experimentation and evolution in this nascent industry, and to avoid the negative privacy implications of an overly centralized infrastructure.

In short, the legal landscape is treacherous. It is therefore critical that any legislation be made with deliberate caution, adherent to two basic, guiding principles. First, given the uncertain environment, legislation must be narrowly tailored to address specific legal needs and obstacles. Second, the level of legal protection and recognition granted signatures must be no greater than is commensurate with the security and reliability provided by the weakest form of signature to qualify for such protection.

Adam White Scoville