Businesses and Consumers Prepare for Electronic Contracting
By David M. Nadler and Kendrick C. Fong
Just as the Internet revolutionized the way people communicate around the world, it is also changing the way business is conducted. The World Wide Web has graduated from a simple public relations tool to the foundation for electronic commerce in the digital age. Vendors are moving beyond information-only sites to transaction-based pages that let customers order products and track purchases.
Engineers, product designers and managers from different corners of the globe can collaborate to develop and manufacture new products in an efficient and effective manner. Indeed, according to several online experts, business-to-business electronic commerce will account for over $60 billion in revenues by the year 2000 and will help fuel economic growth well into the 21st century.
Many businesses and consumers, however, are still wary of conducting extensive business over the Internet because of the lack of a predictable legal environment governing transactions. For electronic commerce to work, businesses must be able to confidently engage in transactions with strangers, in real time over the Internet, with the belief that the transactions are reliable, provable and enforceable.
Traditionally, this has been accomplished through the concept of a signed agreement. Companies have used watermarks, letterheads and sealed envelopes in conjunction with signatures to assure that transactions and messages have not been tampered with and to verify the parties' identities.
The requirement of signed writings, along with use of watermarks and letterheads, served well in the era of pen and paper. In cyberspace, these elements are absent, raising the question of how to verify the identities of contracting parties and prove the validity of business transactions. The most widely accepted answer thus far is the electronic or digital signature. Digital signatures are produced by a private key/public key system. The private key is used by the signer to create the signature, and the public key is made available to the recipient of the document to verify the signature and authenticate the document.
Given the advent of digital signature technology and the increasing number of business transactions on the Internet, several states have passed digital signature/electronic commerce legislation, including Utah, Washington, California, Arizona, Florida, Hawaii and New Mexico. Other states, including Virginia, Georgia, Michigan, New York, Rhode Island, Minnesota, Nebraska, Vermont and Illinois, are actively considering digital signature legislation.
Last month, President Clinton issued a directive to the Secretary of Commerce to work with state governments and the private sector to produce common approaches for authentication of electronic transactions through digital signatures.
Most of the digital signature legislation passed or being considered recognizes the validity of Internet contracts and helps facilitate electronic commerce. For example, typical digital signature legislation is designed to (1) ensure that electronic records and signatures meet the traditional writing and signature requirements under common law and statute, (2) designate a class of "secure" electronic records and "secure" electronic signatures that provide a heightened degree of legal protection, and (3) specify when digital signatures will qualify as "secure" signatures, as well as the rules that govern the activities of the various parties to a digitally signed transaction.
Digital signature legislation typically supplements existing law concerning signatures and contract validity. Thus, current law concerning contract formation and the statute of frauds still applies. Electronic contracting also raises new legal issues that the legislation addresses. For example, typical digital signature legislation places liability for signature "forgery" on the holder of the private key.
One whose paper signature is forged can often do little to prevent the forgery or warn others of the forgery. With digital signatures, however, forgery prevention differs. Absent highly unlikely, coincidental malfunctions of multiple key generation systems, a digital signature cannot be forged unless the keyholder fails to reasonably safeguard the private key from theft or unauthorized use. Because liability for loss under the law typically falls on persons who are best able to avert the loss, digital signature legislation places a large part of the responsibility for forged digital signatures on the keyholder.
And though states are beginning to officially sanction the use of digital signatures, some risks still remain. The most difficult problem facing lawmakers and users of digital signatures is to assure that the party who distributes a public key is who he says he is. Paper signatures have an intrinsic association with a particular person because they are made in the signer's unique handwriting. However, a private key used to create digital signatures has no intrinsic association with a particular individual.
Anyone can pay to receive a private key simply by submission of an e-mail address and user name to certifying companies. An association must therefore be made by a certification authority identifying the person with a particular private key.
Accordingly, the reliability of every digital signature created by a private key will depend in part on the reliability of a certification authority's association of that key with a person.
David M. Nadler is a partner in the Washington law firm of Dickstein Shapiro Morin & Oshinsky LLP. He can be reached by e-mail at NadlerD@dsmo.com. Kendrick C. Fong is an associate at the firm.
©1997, TechNews. All rights reserved.