[2512] in cryptography@c2.net mail archive
Utah^-1: April 14th Draft Mass. Act Available
daemon@ATHENA.MIT.EDU (Robert Hettinga)
Wed Apr 15 13:01:41 1998
Date: Wed, 15 Apr 1998 06:56:25 -0400
To: cryptography@c2.net
From: Robert Hettinga <rah@shipwright.com>
This act is the "if you sign it, it's still legal if the signature is
digital" law I've been talking about. It's pretty much the opposite
approach to the Utah (nee Novell) digital signature law, which defines
digital signatures and certificates down to a gnat's eyelash.
Cheers,
Bob Hettinga
--- begin forwarded text
MIME-Version: 1.0
Date: Tue, 14 Apr 1998 18:18:38 -0400
Reply-To: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
Sender: Digital Signature discussion <DIGSIG@LISTSERV.TEMPLE.EDU>
From: Daniel Greenwood <dan@CIVICS.COM>
Subject: April 14th Draft Mass. Act Available
Comments: To: Digital Signature discussion <DIGSIG@VM.TEMPLE.EDU>
Comments: cc: "Greenwood-ITD, Dan" <Dan.Greenwood@state.ma.us>, dang@mit.edu
To: DIGSIG@LISTSERV.TEMPLE.EDU
The new draft Massachusetts Electronic Records and Signature Act (MERSA)
is available today at:
http://www.tiac.net/biz/danielg/mersa.htm (uploaded to the official
Mass. site soon).
[I will also e-mail an MSWord version, text version or htm version upon
request]
Notably, we have opted to change the global definitions of writing and
signature for the entire Mass. General Laws (and added a definition for
Record). We have also amended the exception to scope dealing with
interpretations that are "repugnant to the context" of a law. Now the
exception speaks to interpretations that are "clearly inconsistent with
the purpose" of the law. We have not gone the route of attempting to
specify every possible exception - though we look forward to seeing how
NCCUSL deals with this issue.
Also note that the government section deals only with "electronic"
records and signatures and that the section that deals with purely
private sector transactions is limited in scope in two ways. First, it
is limited to deal only with business to business transactions. Second,
it is limited to contracts. Records retention, originals and evidence
requirements are dealt with in the government section of the draft. Non
business to business contract issues (notably consumer issues) are not
affected by this draft. The drafters believe that more detailed
treatment may be appropriate in the law dealing with purely private
transactions, but we feel that there is no immediate pressing need for
legislative changes and that it is important to work through the Uniform
Law process with NCCUSL to develop more complex or farther reaching
statutory provisions. While the drafters of MERSA have opinions as to
appropriate more detailed legal reforms, we favor working through NCCUSL
because that process is far more deliberate and open and because of the
advantages of coordinated multi-state legislation in this legal area.
Finally, please note that our definition of "signature" is significantly
changed. We have opted to apply the new definition to the entire corpus
of law and not to the electronic signatures act alone. Our new global
definitions of record, written and signed are excerpted below:
"record", "writing", "signature", and their derived words shall have the
following meanings. "Record" means information that is inscribed on a
tangible medium or that is stored in an electronic or other medium and
is retrievable in perceivable form. "Writing" means a record, including
an electronic record, unless such meaning is clearly inconsistent with
the purpose of a rule of law, provided that the mere requirement that
information be "in writing," "written," or "printed", or use of any
other word that purports to specify or require a particular
communications medium, shall not by itself be sufficient to establish
such purpose. "Signature" shall mean any symbol or method executed or
adopted for the purpose intended by the person it identifies. Where any
rule of law requires a written record or a signed writing, or uses any
other words that purport to specify or require a particular medium for
communicating or storing information, that requirement shall be
construed to allow the broadest possible use of electronic records and
electronic signatures unless there is clear public interest to the
contrary.
The proposed Act deals with the special case of "electronic" signatures
and records in a bit more detail (with respect to admissibility, records
keeping, validity, etc.). "Electronic" is a defined term meaning:
electrical, digital, magnetic, optical, electromagnetic, or any other
technology that is similar to these technologies.
There are many possible purposes and meanings of a manual signature.
Online environments create even more possibilities. For example, a
signature may be executed or adopted by a party with the intent:
* to identify that party;
* to verify/identify what party created or sent a record,
* to verify/indicate a record has not been altered
* to verify the informational integrity of a record or term
* to identify as a friend or foe (as in military and intelligence beacon
signals)
* to accept or adopt [agree to] a term or a record
* to indicate the geographic location of data transmission or
reception
* to verify/indicate that a party has authority to take certain action
* to verify that a party has acknowledged receipt or notice of a record
* to verify/indicate that a party holds a given role within or
relationship to an organization or entity
* to verify/indicate the completeness of the content of a record other
formalistic [legal] requirements (as for filing or to meet formalistic
requirements)
Unfortunately, outside of online environments that are based upon prior
agreements among closed groups of parties (such as EDI systems), most
online environments provide precious little context from which to
determine objectively what meaning should be assigned to the click of a
button that says "submit form" or "continue" or "sure" or my personal
favorite: "yes - because the lawyers made me do it." At this stage of
development of the online marketplace, it is premature to attempt to
list out the possible meanings of a signature in a global definition of
the term that will be applied to many different types of transactions
and many different contexts. However, there must be an "intent" to do
something in order for a signature to occur. The basic UCC provides a
valuable definition for review:
"'signed' includes any symbol executed or adopted by a party with
present intention to authenticate a writing."
The intent must be present. Here, the intent only extends to the
authentication of a writing (a showing of genuineness). This presumes
nothing about an intent to be bound or to acknowledge notice or any
other purpose which may be served by the writing. While the exercise of
listing out some of the possible purposes of a signature has been
useful, we believe that it has demonstrated a need to define signatures
without reference to the purpose of the underlying records - including
the need to strike reference to an "intention to authenticate a
writing." There are situations where a signature is not intended to
authenticate a writing.
We also believe that it is important to maintain the close relationship
between the intent of the signer and execution or adoption of the
signature. We also believe that at base, a signature should be defined
to include some reference to the "identity" of the signer or the person
identified by an adopted signature that was signed by another person or
device. For style reasons, we have defined the term "signature" and
derived words rather than the term "signed" (a verb). Thus, we have
arrived at the following formulation (annotated with comments):
"'Signature' shall mean"
[Comment: Defining a noun rather than a verb. Earlier providing that
the definition also covers all derived words, such as "signed" and
"sign."]
"any symbol or method"
[Comment: This terminology captures all of the more specific "lesser
included" processes such as encryption, sounds, etc. Where possible, we
have chosen fewer words and references specific technologies (such as
encryption) or media (sound is a medium) in favor of a higher level and
hopefully more flexible, robust definition.]
"executed or adopted"
[Comment: The term "executed" covers all signatures created with intent
by the signer and the term "adopted" covers all signatures created
either by one other than the putative signer but later ratified or
accepted as a genuine signature by that person. We can not think of any
situations reasons to amend this part of the definition.]
"for the purpose intended by the person it identifies."
[Comment: This part of the definition was drafted so as to link the
signature to the intent of the signer or the person who adopts the
signature and to recognize that a signature must, by definition, in some
way identify the person whose signature it is. Even the case of a
charcoal "X" on parchment is executed by the person who signs for the
purpose of signifying that s/he is the one whose signature has been
affixed to the parchment. The usage of the phrase "for the purpose
intended" is meant to maintain the "intent" element of a signature but
not to risk the unintended consequences of defining the possible intents
in statute. The intent can be quite subtle and can only be determined
by reference to the context and circumstances that surrounded the
execution or adoption. We believe that where there is a usage of the
term signature or a derived word in statute, and where that term may
create an ambiguity as to what purpose or intent existed, then the
drafters should consider requiring the parties to specify the purpose or
intent that would apply, or, where appropriate, the drafters should so
specify in the statute or Uniform Law itself. The phrase "by the person
it identifies" was drafted so as to allow subsequent adoption by a
person identified by a signature.]
Under general signature law, intent is an important element. This is a
critical element of forgery. Similarly, inducement to sign by trick or
ruse requires an analysis of the intent of the signer. Certain
signatures that require informed "consent" or "agreement" (which implied
agreement in fact) and the like depend on the actual (read: subjective)
intent specified by the relevant rule of law (as in consent to submit to
a medical procedure or signing the name of another with the "intent to
defraud."). Under contract law, on the other hand, the concept of
intent is primarily based upon the objective and not the subjective
intent of a person. I did not bother to look up cases on this point,
but according to the West Nutshell on Contracts: ". . . the focus is
ordinarily upon what the person to whom the communication was directed
should reasonably have understood."
At first glance, the more subjective intent required as part of a
signature seems to be at odds with the harder "objective intent" rule of
contract law. The key is to look to the surrounding context, the
circumstances, the words that actually appeared on the screen of the
signer, the course of dealing, any general standards that may have
developed, any sounds or other "gravity prompts" that may have alerted
the user, etc. These are the types of factors from which an objective
determination will be based. Drafters should beware of writing law that
purports to hold a person to possible purposes of a signature that the
signer would not have reasonably understood at the time of execution or
adoption of a signature. It seems to me that an objective test for
electronic contract liability is still appropriate. However, given the
current unpredictable nature of user interfaces (or any other dependable
widely deployed methods of knowing what a user saw, heard, was notified
of, etc.) it would be unfair to index the objective understanding to the
receiver of the electronic transmission in an "open environment" without
prior agreements between the parties. Therefore, if a law were to
specify message attribution or other contract liability based upon an
objective intent analysis, it should be based upon what the signer
reasonably should have understood the signature (or other manifestation
of assent, agreement, etc.) to mean. In any case, the Massachusetts
draft Act is truly non-substantive and does not purport to modify or
amend any underlying rules of contract law or any other substantive area
of law. Whatever a signature may mean legally, an electronic method
will now be acceptable under the proposed Massachusetts law.
--- end forwarded text
-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/