Digital Signatures and Global E-Commerce: Part I -- U.S. Initiatives.
In December 1999, two paper-dependent Maryland businesses -- a law firm and an office equipment
company -- executed the first lease agreement made official with a digitally signed "electronic
original." Using a digital certificate system supported by public key infrastructure (PKI) technology,
the law firm created the lease electronically, signed it with an electronic pen and pad, and sent it
securely via the Internet to the office equipment company. There it was signed electronically again
and stored in a repository as an "electronic original" document. Once stored, the digital document
was protected from undetected change, although interested parties could view or print it.
In one sense, the Maryland e-contract seems paradoxical since its purpose was to lease eight office
copy machines to create paper documents. Moreover, the parties also had to sign a paper lease
agreement since Maryland state law did not recognize digital signatures as legally binding (though
new legislation is pending). On the other hand, the ability to execute legally binding business
transactions without paper or physical signatures is a milestone in the development of e-commerce.
The event is an example of major new initiatives -- both legal and technological -- occurring in the
United States concerning digital signatures in a broader e-commerce business environment.

Historically, commercial transactions have taken place by phone, fax, wire, and mail, with paper
documents the end product of the transactions' official consummation. But when parties to business
transactions migrate from paper to electronic recordkeeping, many questions surface.
For example, when basic e-mail is the primary means of communication and document transfer
among parties to the transaction, it is difficult to know which document version is the latest or what
revisions have been approved. Moreover, in Web transactions, customers visit a particular site, read
a contract for purchasing goods or services, then click the "I agree" button. In HTML format, that
indication of agreement goes to a database but with no record of the question's text. Thus, at a later
time, it becomes very difficult to prove exactly what was agreed upon. Businesses need to address
these new issues as they migrate their contractual agreements and transactions from paper to
electronic formats.
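
The click-through problem described above, as an added example in Go that is not part of the original article: with each "I agree" click the site stores a SHA-256 hash of the exact contract text shown plus an HMAC seal over the record, so the agreement can later be matched to one archived version of the text. The record layout, function names, key and sample text are assumptions made for illustration, and the seal is only as trustworthy as the site's custody of its key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Consent is the evidence row stored when a customer clicks "I agree" (hypothetical layout).
type Consent struct {
	Customer  string // who agreed
	AgreedAt  string // RFC 3339 time of the click
	TermsHash string // SHA-256 of the exact contract text displayed
	Seal      string // HMAC over the three fields above, keyed by the site
}

func hashTerms(terms string) string {
	sum := sha256.Sum256([]byte(terms))
	return hex.EncodeToString(sum[:])
}

// seal computes the HMAC; %q quoting keeps the field boundaries unambiguous.
func seal(key []byte, c Consent) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%q|%q|%q", c.Customer, c.AgreedAt, c.TermsHash)
	return hex.EncodeToString(m.Sum(nil))
}

// RecordConsent binds the click to the text that was on screen at that moment.
func RecordConsent(key []byte, customer, agreedAt, terms string) Consent {
	c := Consent{Customer: customer, AgreedAt: agreedAt, TermsHash: hashTerms(terms)}
	c.Seal = seal(key, c)
	return c
}

// ProvesAgreement reports whether the record is unmodified and refers to exactly archivedTerms.
func ProvesAgreement(key []byte, c Consent, archivedTerms string) bool {
	intact := hmac.Equal([]byte(c.Seal), []byte(seal(key, c)))
	return intact && c.TermsHash == hashTerms(archivedTerms)
}

func main() {
	key := []byte("constructed-demo-key")           // constructed sample key
	v1 := "Lease of eight copiers, 36-month term." // constructed sample contract text
	c := RecordConsent(key, "customer-17", "2000-10-01T09:00:00Z", v1)
	fmt.Println(ProvesAgreement(key, c, v1), ProvesAgreement(key, c, v1+" Auto-renews."))
}
```

The site must also archive each version of the contract text itself; the hash identifies which version was agreed to but cannot reproduce it.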

There is no question that e-commerce is the wave of the future. Consider that the U.S. government
reportedly consummates at least 75 percent of its transactions electronically. Moreover, the federal
government has made it mandatory that all agencies make their public documents available
electronically and enable the use of digital signatures by October 2003. The private sector, which is
moving very aggressively to embrace e-commerce, reports similar figures.
E-commerce is among the most significant paradigm shifts in the history of commercial enterprises.
Its benefits include opportunities to define and dominate new markets -- globally as well as
nationally -- lower transaction costs, improve productivity, and gain greater market share. Today,
businesses are reinventing themselves around e-commerce. For example, General Motors, the
world's largest manufacturing company, aspires to be "the world's largest e-commerce company" by
integrating information delivery into Web-connected cars and the many other aspects of its global
businesses. Similar business initiatives abound throughout the world.
Digital Signatures
Digital signatures, a key component of e-commerce, are not new; they can exist in many different
forms, including automated teller machines and other computer systems that rely on personal
identification numbers (PINs) as a means of authenticating business transactions -- technologies that
are several decades old. A digital signature could comprise a smart card, a thumbprint, a retinal
scan, a voice recognition test, or all of the above, depending on the transaction's nature and the
security requirements surrounding it. A digital signature uses specially encrypted codes in electronic
messages that allow the recipient to verify the sender's identity, thereby establishing
trustworthiness in commercial transactions.
Digital signatures link a person's identity to a specially encrypted "private key" issued to only one
bearer. The private key is used to electronically sign a communication, which another party can
verify with the matching "public key." A certificate authority maintains the public key and also issues and verifies
the digital certificates that validate the identity of each person in the e-commerce transaction.
Several software vendors, large and small, supply the core technologies, which are frequently
proprietary. It is very difficult to certify digital signatures in a PKI environment where a mix of
vendor products and certificate authorities is involved. Each vendor, for instance, has its own
certificate issuance validation and revocation protocols.
The U.S. E-Sign Act
In July 1996, the United Nations Commission on International Trade Law adopted a "Model Law on
Electronic Commerce." In retrospect, it was a forward-looking piece of lawmaking, given that the
Internet -- the principal vehicle for global e-commerce -- was just beginning to mushroom throughout
international business. In reviewing this law in the April 1997 Records Management Quarterly (the
predecessor of The Information Management Journal), this author predicted that it would spawn
similar legislative initiatives throughout the world -- and it has. During the last few years, many
nations have enacted new digital signature/e-commerce laws, including the United States.
On June 30, 2000, President Clinton signed into law the Electronic Signatures in Global and National
Commerce Act -- the "E-Sign Act." The measure grants electronic signatures the same legal status as
those written in ink on paper, making it easier, faster, and less expensive to conduct business online.
Moreover, the law promotes both domestic and international e-commerce by clarifying the legal
significance of commercial transactions in electronic form.
The E-Sign Act became effective on October 1, 2000. For his part, President Clinton hailed the new
law in the most glowing terms: "Soon, vast warehouses of paper will be replaced by servers the size
of VCRs," he said. This may or may not reflect what the law will actually mean for businesses during
the next few years. To aid in discussion, it is important to understand the E-Sign Act's main features:
* The law's design removes impediments to businesses developing e-commerce initiatives found in
existing U.S. statutes. Where existing laws require original records or documents bearing
authenticated signatures to support business transactions, the new law creates a legal environment
to overcome these. The law's ultimate intent, of course, is to enhance U.S. competitiveness through
the widespread use of new technologies.
* The law provides businesses the option of accepting digital signatures and choosing what kind they
will be (e.g., digital certificates, dual key encryption, passwords, or other types).
* More specifically, the law states that an electronic signature is whatever two entities agree it is. An
e-signature can simply be a typed name that individuals attach to an e-mail message or anything up
the ladder of technology sophistication, so long as the parties to the transaction agree. The law
states that an e-signature may be "an electronic sound, symbol, or process, attached to or logically
associated with a contract or other record and executed or adopted by a person with the intent to
sign the record."
* Finally, the law marks a major effort to harmonize existing state laws on digital signatures.
Currently, a total of 45 states have laws that recognize some form of digital or electronic signatures,
and the remainder have legislation pending. One of the biggest problems in implementing global
e-commerce solutions is the plethora of existing laws and regulations relating to commercial
transactions throughout the world. The E-Sign Act will go a long way towards harmonizing the legal
environment for e-commerce in the United States.
Conversely, the E-Sign Act does not
* define what constitutes a legitimate, safe, secure digital signature -- matters that will be addressed
in future regulations. In fact, the E-Sign law gives regulatory agencies the authority to develop
specific criteria for the accuracy, integrity, and accessibility of electronic records.
* grant any special status to electronic records per se; it merely removes the impediments in existing
law to conducting business electronically. In this sense, the law may be characterized as media
neutral. E-records will be subject to the same legal scrutiny as physical ones.
* prescribe any specific technology; rather, the law is technology-neutral. While neutrality is legally
appropriate, it places the burden on businesses to determine the best technologies and practices to
support their own e-commerce initiatives.
* provide broad authority or mandate for businesses to convert records from paper to electronic
format. The law implicitly recognizes that paper records will be a medium for business
recordkeeping for some time to come. In fact, in business-to-business (B2B) e-commerce
environments, many firms lack the technology infrastructure to implement e-commerce solutions.
In business-to-consumer (B2C) e-commerce environments, the E-Sign Act recognizes that many
households lack personal computers with access to the Internet. Thus, the law contains various
provisions to protect consumers. For example, the law expressly requires the consumer's consent
prior to consummation of electronic transactions effectuated by means of digital signatures.

Some commentators take exception to President Clinton's optimistic statements concerning the new
law's virtues. Benjamin Wright, a Dallas-based attorney and editor of The Law of Electronic
Commerce, states, "What Congress did was much more symbolic than substantive. The law has not
changed, because the law has always said that a signature is a symbol adopted with someone's
intent to comply. It could be an X, a thumbprint, or even your company letterhead. The legal issue
has always hinged on what you intend."
For a document to be found legally binding in court, an appropriate party must be able to
authenticate that it was in fact signed by the person who claims to have signed it. Moreover, it must
be demonstrated that the document is "trustworthy" -- that it has not been altered in pursuit of some
malicious purpose. These principles have long existed in both paper and computerized
recordkeeping environments, and they remain embodied in the E-Sign law.
Public Key Infrastructure Technology
The term "public key infrastructure technology" refers to software functionality that provides for the
authentication and security of electronic commercial transactions. Although many smaller software
companies provide PKI functionality in proprietary products, Microsoft has incorporated it in the
Windows 2000 operating system. Since more than half of business desktops are expected to run
Win2000 by 2003, the technology infrastructure for e-commerce will be much more pervasive than it
is now.
The three major components of PKI functionality are:
1. A registration authority -- This functionality validates e-signatures and other essential components
of transactions and instructs the certificate authority to create a digital certificate.
2. A certificate authority -- This functionality creates a certificate and a public encryption key that
travels with the e-documents from sender to recipient. The recipient uses the certificate and
encryption key to ensure that the signer actually sent the documents and that they have not been
improperly altered. This provides a documented chain of custody to verify the integrity of the
documents and the e-signatures on them. Digital signatures should be unique for every document
and should be electronically "sealed" so they cannot be altered without detection, even by the
originator.
3. A digital repository -- This capability, usually a directory or database, stores digital certificates,
certificate users, and revocation lists.
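
The three PKI components above, as an added Go example that is not from the article or from any vendor's product: a certificate authority signs a certificate binding a name to a public key, and the recipient checks the issuer, the repository's revocation list and the document signature in turn. The Cert struct is a simplified, hypothetical stand-in for an X.509 certificate, and the names and sample lease text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cert is a simplified, hypothetical stand-in for an X.509 certificate.
type Cert struct {
	Serial  int
	Subject string
	Key     ed25519.PublicKey
	CASig   []byte // certificate authority's signature over the fields above
}

func (c Cert) signedFields() []byte { return []byte(fmt.Sprintf("%d|%q|%x", c.Serial, c.Subject, c.Key)) }

// Issue is the certificate authority step, run once the registration authority has vetted the subject.
func Issue(caKey ed25519.PrivateKey, serial int, subject string, key ed25519.PublicKey) Cert {
	c := Cert{Serial: serial, Subject: subject, Key: key}
	c.CASig = ed25519.Sign(caKey, c.signedFields())
	return c
}

// Verify is the recipient's check, in order: issuer, repository revocation list, document signature.
func Verify(caPub ed25519.PublicKey, revoked map[int]bool, c Cert, doc, sig []byte) error {
	switch {
	case !ed25519.Verify(caPub, c.signedFields(), c.CASig):
		return fmt.Errorf("certificate not issued by the trusted CA")
	case revoked[c.Serial]:
		return fmt.Errorf("certificate revoked")
	case len(c.Key) != ed25519.PublicKeySize || !ed25519.Verify(c.Key, doc, sig):
		return fmt.Errorf("signature invalid or document altered")
	}
	return nil
}

// Demo returns the verdicts for an intact, an altered and a revoked case (nil means accepted).
func Demo() (intact, altered, revoked error) {
	caPub, caKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	pub, key, _ := ed25519.GenerateKey(nil)
	cert := Issue(caKey, 2, "Lessee Signer", pub)
	doc := []byte("Lease: eight office copiers") // constructed sample document
	sig := ed25519.Sign(key, doc)
	return Verify(caPub, nil, cert, doc, sig),
		Verify(caPub, nil, cert, []byte("Lease: nine office copiers"), sig),
		Verify(caPub, map[int]bool{2: true}, cert, doc, sig)
}

func main() { fmt.Println(Demo()) }
```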
All companies using digital signatures and other e-commerce measures need to decide how secure
their transactions must be. Most observers say that a signature text block on an e-mail message will
suffice for only the simplest transactions. For large businesses, it is generally agreed that digital
certificates used with e-signatures will provide the appropriate security protection, particularly for
major transactions. Moreover, when it comes to big transactions, there has always been a signed
paper document to make it official, even for deals that originate online. The key point, however, is
that businesses must decide how to secure e-commerce transactions, as well as how to retool their
computer applications to accept and store them.
Finally, PKI functionality must be supported by interoperability among the many disparate
computing environments currently installed in multinational businesses throughout the world. The
lack of common standards among competing PKI technologies and validation processes could retard
the deployment of e-commerce applications among multinational companies.

E-commerce and Records Retention


The E-Sign Act contains provisions that directly address the issue of retaining electronic records in
e-commerce environments, an issue of high interest to RIM professionals. The act states that "any
requirement to retain a contract or record is met by retaining an electronic record of the information
in the contract or record." The law provides three key tests for the legal acceptability of electronic
records as a retention medium in e-commerce transactions:
1. The record must accurately reflect the information contained in the original contract or
transaction.
2. The record must remain accessible to those entitled by law to access it, for the period required by
law.
3. The record must be capable of being accurately reproduced, whether by printing or otherwise.
If these criteria are not satisfied, the electronic record's legal validity may be denied.
For information management professionals, the central issue is whether the organization's
e-commerce applications -- and the electronic records that comprise them -- can demonstrably comply
with these requirements. It is also important that any computer data supporting e-commerce
applications be retained or destroyed under authority of an officially sanctioned records retention
program. All e-commerce data should be scheduled for retention based on periods that meet
business needs and comply with the law. Such retention periods should be implemented by
integrating data purge functionality consistent with approved retention periods into the software
environment supporting the applications. Information professionals should work with data owners
and information technology specialists to ensure that such purge functionality has been properly
incorporated into e-commerce applications. Data purge functionality would generally need to be
applied at the repository levels for various categories of business processes, customer groups, and
specific types of transactions.
Global E-commerce Initiatives
Many things need to be in place before international businesses can fully exploit the tremendous
opportunities presented by e-commerce. Multinational companies need a global commercial code
that addresses the many complicated issues raised by e-commerce, including, among others,
customs duties, taxation matters, exchange rates, and product inspection requirements. The global
initiatives related to these matters and their relevance for RIM professionals in
multinational companies will be examined in subsequent columns.
David Stephens, CRM, CMC, FAI, is vice president for the records management consulting firm of
Zasio Enterprises Inc. He has been a consultant in the field of records management for more than 18
years and has published books and articles about information management in the United States and
abroad. The author may be reached at dostephens@zasio.com.
http://www.thefreelibrary.com/Digital+Signatures+and+Global+E-Commerce:+Part+I+--+U.S.+Initiatives.-a079742903
