FROM:	Ben Wright, 73457,2362
TO:	(NCSA) Jon Wheat, 75300,2557
DATE:	6/6/94 11:23 PM

Re:	Revised Article

To: 75300,2557

       THE VERDICT ON PLAINTEXT SIGNATURES:  THEY'RE LEGAL

Summary:  Contrary to conventional wisdom, commercial law generally
does not require that a signature be "secure" to be legally
effective.  That is good news for e-mail, and  electronic commerce
in general.


By Benjamin Wright

According to the digital cognoscenti, the only legally effective
way to sign an e-mail message is to run it through a cryptographic
algorithm (such as that for DES or RSA), compute a mathematically
unique authentication code,<1> and append it to the message.  But
if that's true, it will be many years before real (legal)
electronic commerce comes to e-mail users because very few people
authenticate their e-mail with cryptography.

But fortunately, that reading of the law is not true.  Many
business e-mail users already practice electronic commerce.  What's
more, the law should generally recognize and enforce it.


Forming Contracts

In commerce the central transaction is the contract.  Classically
speaking, a contract is born any time an offer (e-mail from Joe
Nightclub owner:  "Will you make me three custom discs for $1000
and deliver next week?") meets acceptance (e-mail from Artist:  
"Yes!").  Once a contract is formed, the law gives one party a
remedy if the other backs out.  

The orthodox view is that a simple, wholly plaintext e-mail
contract cannot be enforced because it is not signed in a secure
way and it will be impossible to prove in court.  This excerpt from
a popular magazine exemplifies the orthodoxy:

     [C]onsider an attempt to create an enforceable contract by
     exchanging an E-mail offer and acceptance.  In the real world,
     exchanging letters of offer and acceptance does create an
     enforceable contract (assuming something of value is also
     eventually exchanged).  Unfortunately, without authentication
     techniques (e.g., digital signatures), E-mail agreements are
     probably unenforceable in court.  Under legal rules governing
     evidence and contracts, it's hard to prove the existence of a
     contract based on E-mail; fabricating an E-mail message is
     just too easy.<2>  

With all professional respect to the author of this passage, I
disagree.  The orthodoxy is wrong.

Many types of contracts do have to be signed, says a law called the
Statute of Frauds (which dates back to Seventeenth Century
England),<3> but that law is admirably liberal in its use of the
term _signed_.  One signs a document when he adopts a symbol (any
symbol) on the document as his signature.  A signature need not be
in ink; it need not be an autograph; and it need not be the least
bit secure against forgery.  Remember the illiterate geezer in the
western movies who couldn't write his name?  He just marked an X on
the document.  The law recognizes that X as his signature.

A signature can be the ASCII characters "Joe Nightclub" appearing
in plaintext in the From line of an e-mail message.  "Joe
Nightclub" need not even be the sender's real name.  What is
important is not the nature of the symbol Joe uses to identify
himself, but rather the intent behind the symbol.  If Joe intends
the characters to be a token of his responsibility, then they are
his signature.  When Joe sends e-mail offering to buy discs, he
intends the characters in the From line to show he is responsible
for the message and the consequences that flow from it.  If that's
not his intent, what is it?

Along with Canada, Australia and many other countries, the United
States inherits the common law tradition of ancient England -- a
set of living, breathing principles that are more limber than you
might think.  The common law, being the law of the leading
industrial civilization over the past several centuries, has ample
experience negotiating waves of new technology -- handwriting,
printing press, typewriter, telegraph, telephone, telex, fax -- and
it is today suffering no particular problems digesting e-mail as a
medium for transacting commerce.

Given how many thousands of courts and judges there are, it is
possible that the odd one will disagree with my reading of the law. 
If this worries you (and those conducting more valuable
transactions might be worried), you can minimize the risk by
insisting that the e-mail sender include a statement that his name
in the e-mail is his signature.  This makes it very difficult for
him later to claim in court that his name, written in plaintext, is
not his signature.


Proving It

But wait!  cry the advocates of cryptographic authentication.  You
can't prove that e-mail came from Joe Nightclub.  Anyone could have
sent it.  The Artist herself could have fabricated it.

True.  You can write e-mail and make it appear to come from someone
else.  You can easily send e-mail from an address opened under a
false name.  But just as you can send fake e-mail, so you can send
fake letters, telegrams, telexes, and faxes.

Nonetheless, regardless of the medium through which a business
message is carried, the origin and genuineness of the message can
usually be proven in court.  Rarely are they proven from the
signature that happens to be attached to the message (or document),
despite what you may think from watching _Perry Mason_.  Much more
often, origin and genuineness are determined in court from all the
facts and circumstances that surround the message -- the full
relationship of the people involved.

We don't do business in vacuums.  We do business based on
relationships.  When the Artist receives e-mail from Joe Nightclub,
she wants to learn more before she parts with her precious discs. 
If she's never dealt with this customer before, she's going to
check the guy out:  call him on the phone, go meet him, ask for
references, or ask for advance payment.  Lest she be a fool, the
Artist wants to collect evidence that this is a bona fide customer
who is very likely to pay as promised.

All the mundane facts and circumstances she collects can be,
through testimony and otherwise, used in court to lend credence to
Joe's e-mail.  Sure, there will be disputed evidence.  And under no
circumstances are the judge and jury guaranteed to believe that any
given message is genuine.  But that is just the way commercial law
works.  Proving things in law is much more sloppy than proving
things in science.


Forgeries

A supposed virtue of paper over e-mail as a legal medium is that it
is hard to make inconspicuous changes to paper, whereas plaintext
ASCII can easily be changed.  Upon receipt of Joe's e-mail offering
$1000, the Artist could change it to say the offer is for $2000. 
If she took this e-mail to court, there would be no way to tell
from the face of the message whether it originally said $1000 or
$2000.

Yet paper suffers the same infirmity.  If the Artist receives a
letter from Joe offering $1000, she could rip it up and write a
replacement, offering $2000, on a sheet of cheap, fake letterhead. 
She could then scribble something that purports to be Joe's
handwritten signature.  Later, a court could not tell from the face
of the document whether Joe did or did not send it.  Although Joe
would repudiate it, sternly declaring that neither the letterhead
nor the signature is his, the Artist would swear that this is
indeed the letter she received.  If this is not Joe's normal
letterhead and signature, she'd contend, then Joe must have sought
to deceive her, and the court, by sending an offer using unusual
letterhead and signature.  Although the Artist would be lying, the
court would not know it just from inspecting the letter.

Indeed, we can play the same authentication games with paper that
we can with plaintext e-mail.  When you receive a paper letter in
the mail, bearing what looks to be an original autograph, you have
no technical proof of its origin.  Neither do you have technical
proof of origin when you get a telegram or telex (unless you
require it be authenticated with a cipher code, which is rarely
done).  So the reality is that routine business communications are,
and have always been, risky.  Still, business traders seem to have
compensated for this risk.


Cryptography's Role 

Don't misunderstand.  I'm not denigrating cryptography as a means
for ensuring the authenticity of messages or denying its rightful
role in electronic commerce.  Just as the engraved and magnetized
paper used for currency is necessary for financial transactions in
the world of paper, so cryptographic authentication is needed for
electronic funds transfers.  But just as we don't securely engrave
and magnetize the pulp on which we write business letters and
contracts, so we don't need to cryptographically authenticate most
of our business e-mail.

Sure, if you use e-mail for business you should keep complete
records, and the more secure the records, the better.  Consult your
own lawyer.  If you work for a large organization, records can be
secured by placing them under the control of an independent
department (e.g., internal audit).<4>  But if you work solo, you
can just establish a routine for making a log of business messages
on your PC.  Yes, someone could claim you falsified your log.  But
if you faithfully keep the log as a regular business practice, you
can, if ever called to court, confidently vouch for the integrity
of your records, and your story will more likely jibe with the
ambient facts and circumstances.

It is ironic that some of the most ardent champions of e-mail are
so quick to assume that plaintext e-mail is somehow deficient.  If,
as they suggest, it is necessary to use fancy cryptographic methods
to make e-mail legal, then they ask much more of digital media than
we do of its predecessors.

=========
NOTES:

<1>  The proponents of cryptography often refer to unique
authentication codes as "message authentication codes" or "digital
signatures."  These are streams of scrambled numbers that, when
unscrambled using the necessary cryptographic keys, give
mathematically supportable evidence as to who created a message and
whether the message has changed.  See Larry Oyama, "Using
Encryption and Authentication for Securing Data," EDI Forum,
Special Edition on EDI Legal and Audit Issues (1992) p. 111.

<2>  Victor J. Cosentino, Virtual Legality, BYTE (March 1994) p.
278.

<3>  For example, the statute of frauds, as rendered in Section 2-
201 of the Uniform Commercial Code, says that a contract for the
sale of goods worth $500 or more is generally not enforceable
unless it is supported by a "writing" that is "signed."

<4>  See, Benjamin Wright, The Law of Electronic Commerce (Boston: 
Little, Brown and Company) Section 6.4.

============
Benjamin Wright (bwrigh01@reach.com) is a Dallas-based attorney and
author of _The Law of Electronic Commerce:  EDI, Fax and E-mail_. 
He is the instructor for a series of "virtual" seminars on the law
of electronic commerce, sponsored by the National Computer Security
Association (75300,2557@compuserve.com or (800) 488-4595).  These
seminars will be delivered via online computer conference.

This article provides general information and is not legal advice
for any specific situation.  The formation of contracts is
inherently risky, and this article does not advise which level of
risk is appropriate for you.  If you plan to conduct legal
transactions, you should consult your own attorney.  

Copyright (c) 1994 by Benjamin Wright.  All Rights Reserved.  This
article may be reprinted or redistributed as a whole, but only with
the above information.