Electronic signatures bring on new identity crisis

 Many people were first introduced to the practice by the United Parcel
Service, which obtains an image of a signature using a stylus and an electronic clipboard.
Television ads proudly show how UPS can store and display the signature image for each
delivery.

 Some retailers collect signatures on an electronic touch pad when you present a
credit card-no more paper. The entire transaction is processed and stored electronically.
The resulting signature database is subject to no laws, regulations or policies.

 The logic and the economics of electronic signatures are apparent. Collecting,
storing and retrieving paper is expensive and cumbersome. Manipulating images is much
easier once the technology is in place.

 Both the UPS and credit card examples involve a transaction for which no underlying
paper document ever exists. In other instances, paper documents are collected with pen and
ink signatures and are then converted into images. Credit card bills may include images of
paper charge slips.

 Either way, once a computerized image of a signature exists, it can be easily
manipulated and reproduced. If you are a skilled forger, you may have to look for other
work. Rank amateurs can forge perfect signatures with the right computer tools.
Handwriting analysts might soon join typesetters in the unemployment line.

 A signature proves nothing. Missing signatures can be added electronically. If UPS'
computer shows you signed for a package, what does it mean? Sure it looks like your
signature. But how can you prove it wasn't the signature that UPS collected last year?

 This matters to government agencies that are adopting computer systems to take over
the paperwork in benefits delivery.

 Maybe UPS could take a picture of you with the package to prove that you accepted
it. But pictures are just images too, and they are also subject to manipulation.

 Need a picture of O.J. Simpson wearing sneakers? No problem. The computer and a
graphic artist can provide it. High-quality forged photographs have already been used in
political campaigns. Pictures may not help for routine identification.

 Some netizens have been chatting lately about the electronic signature issue. A few
are concerned that their captured signatures will be subject to abuse. At the moment,
however, I am not worried that UPS or another reputable company will go into the signature
business. But I never underestimate the inventiveness of criminals. They may find a way to
exploit electronic signatures. And it is always possible that someday a courier might be
tempted to use a stored signature image to cover up for a lost package.

 Electronic signature images and perhaps regular signatures are rapidly becoming
worthless as identification and as legal evidence. Proving that an image is my signature
is one thing. Proving that I actually signed it at a particular time and for a particular
purpose is something else entirely. 


 Without a chain of custody just like for physical evidence used in trials,
a signature image is just another bunch of easily manipulable bits.

 Everybody needs a reliable, universal and practical way to identify customers,
applicants, licensees, vendors and others. Ideally, a new identification system should
work face-to-face and over the Internet. Digital signatures, which use encrypted chunks of
code, or biometrics such as retinal scans or fingerprints may eventually fill the bill.
Technology opens new options as it forecloses old ones. But it will be some time before a
consensus and an infrastructure exist for a new identification standard.

 Meanwhile, we have to accept the reality that electronic signatures aren't worth the
paper they are printed on. 

Robert Gellman, former chief counsel to the House Government Operations Subcommittee on
Information, Justice, Transportation and Agriculture, is a Washington privacy and
information policy consultant. His e-mail address is rgellman@cais.com.
 


inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above