These comments are submitted on behalf of PenOp Limited, a UK company, most of whose employees are employed in Frome, Somerset, UK. PenOp makes a family of electronic signature technologies focused on capturing handwritten signatures and binding them securely to electronic documents. See http://www.penop.com.
PenOp applauds the Document's careful attention to this important topic and its effort to achieve technology neutrality in the law of electronic signatures.
Nevertheless, PenOp is concerned that the Document is not "business model" neutral. The Document seems to favor a business model based upon a "certification authority". Certification authorities are very new to industry. It is unknown whether they can economically provide the types of signature authentication services contemplated by the Document. Remember, if no certification authority can perform the anticipated services at a profit for a sustained number of years, then government's effort to favor certification authorities will be in vain.
Paragraph 20 of the Document proposes to give competitive advantage to a business model based upon a certification authority. It states, "The licensing regime will be set up in such a way that an electronic signature, backed up by a certificate from a licensed certification authority, will automatically satisfy the conditions necessary to be regarded as legally equivalent to at a hand-written signature." The Document does not propose to provide a similar competitive advantage to any other business model, such as one that captures biometric information without the use of a certification authority.
This proposal is unfair and economically unjustified. If there is a need to set up a licensing regime for evaluating technologies, then that regime should be open to any and all business models. Government should encourage industry to invent new approaches and new business models. Government should be ready to license any business model that can prove its effectiveness.
Why is government so eager to endorse the certification authority business model to the exclusion of other models? There has been to date very little actual experience with certification authorities where they are used to facilitate legal electronic signatures. Although the ideas for using certification authorities in this way have been around for well over a decade, they have not proven very effective in practice. Granted there are in business a number of entities calling themselves certification authorities, but it is rare that they actually facilitate legal signatures on transactions like contracts or tax returns. Today, certification authorities perform other functions, such as confirmation as to the identity of a server when making an SSL connection over the World Wide Web.
The Document seems to say that a signature is equal to identification. This is incorrect. A signature has many functions that go beyond identification. A legal signature, especially a handwritten signature, is a ceremonial device for a person to show his voluntary and knowing approval of a transaction. A handwritten signature is a ritual that is culturally understood as a symbol of resolve and intent. The process of performing a handwritten signature warns the signer of the gravity of the undertaking and ensures that the signer has a fair opportunity to read the words of the undertaking. The Document makes no reference to this ceremonial aspect of a signature.
A handwritten signature does not guarantee identity to the person relying on a signed document. A handwritten signature is a powerful tool in favor of the signer, rather than in favor of the relying party. The signer may choose any handwritten mark or scribble he wishes, and he may change the mark from one document to the next. He has the power. The relying party cannot expect the handwritten signature, standing by itself, to be highly reliable evidence of identity (although it does provide useful evidence).
The Document is therefore wrong to equate signatures based just on "certificates" with handwritten signatures. The purpose of a certificate is not to ensure that the signer was warned of the gravity of the document being signed or that the signer had a fair opportunity to review the words of the document. The sole purpose of a certificate is to identify a person.
If the government's purpose is to promote a system for identifying citizens, then the government's initiative should be understood as such, and it should have nothing to do with the law of signatures.
Given that signatures play a ceremonial function that warns signers about what they are doing, it is critical that electronic signatures have appropriate user interfaces. The interface for an electronic signature must employ a ceremony or ritual that communicates to the signer had a human level. The Document fails to recognize this feature of a legal signature.
The Document favors signature systems that emphasize identification. Such favoritism is a threat to privacy. Strong identification regimes, such as those based on certification authorities, require that sensitive personal information about people be collected, stored in a central database, and then compared regularly against legal transactions. These regimes, in effect, are a method for tracking people about their lives. Intel and Microsoft have recently provoked outrage by equipping personal computers with serial numbers that allow people to be identified and tracked.
Traditional signatures did not work as tracking devices. They did not require registration with certification authorities. They did not involve automated checking of signatures against centralized databases to confirm identity.
Electronic signatures do not necessarily have to confirm identity in automated or easy ways.
Many laws require that documents the signed. But if every signature requirement is interpreted as a requirement for identification, then privacy will suffer. The identity of citizens will be confirmed much more often than is necessary.
Signature requirements should not be interpreted as identification requirements. Rather, signature requirements are primarily intended to protect the interests of the signer, to ensure she engages a solemn ceremony before becoming legally obligated to an important document.
PenOp supports intelligent reform of the law of signatures. Any such reform should recognize that many types of symbols can create legal signatures, without granting special advantages to any particular technology or business model. The law must also recognize the human and ceremonial dimensions of a signature. If a signature technology fails to express the signer's intent, in a way that fairly apprises the signer that the signature is being attached and what the signature means, then the signature cannot be valid. Handwritten signatures do so express a signer's intent because they are physical events that derive their meaning from culture and tradition. However, a signatures based on nothing more than a mathematical key (which the signer cannot see) and a certificate, is not fair to most signers because it involves no ceremony.
PenOp would welcome the opportunity to discuss its technology and its ideas in more detail with Department of Trade and Industry.
Go back to the start of this document.
Go to the library of current responses.
Go to FIPR home page.
Last Revised: April 21 1999