At present, the risk of a forged signature is carried by whoever relies on it. If a shopkeeper accepts a forged cheque on your account, that is his bad luck; and if the bank pays it, it's the bank's bad luck. Governments and banks are now trying to change the rules so that with electronic transactions it will be the customer's bad luck if a payment from his account gets forged.

It's often claimed that new technologies, such as digital signatures generated by smartcards, are secure enough to justify this change in the rules. They are not.

A new report from the Foundation for Information Policy Research not only looks at what can go wrong technically, but also analyses the practices of some leading UK online banks. Despite advertising claims that consumers are not at risk, the terms and conditions imposed in the small print pass almost all of the risk to the customer.

This extensive and detailed report shows that all is not as well with e-commerce as some would have us believe.

The report is at:


The report's authors are Nicholas Bohm, a member of the Law Society's working group on electronic commerce; Brian Gladman, recently retired as head of strategic electronics at NATO; and Ian Brown, of the computer science department at University College, London.

Nicholas Bohm said:

``It will do grave damage to the public confidence in electronic commerce that is vital to its success if its advent is used as an excuse to transfer to consumers the risks that should be carried by those who implement new electronic systems.''

Ian Brown said:

``Could a computer virus sign away your house? Or a hacker transfer your savings to her account? Computer insecurity means digital signatures aren't all they're cracked up to be.''

Brian Gladman said:

``I hope that this paper alerts people to the dangers of assuming that on-line banking services will protect their interests in the same way that conventional banking services do.''

The chairman of the Foundation for Information Policy Research, Ross Anderson of Cambridge University Computer Laboratory, said:

``The history of the `cash machines that could never go wrong' seems set to repeat itself. Phantom withdrawals on the Internet seem destined to be a part of our future.''



* The Electronic Communications Act 2000 - the first bill to have received the Royal Assent this millennium - gives ministers the power to make regulations which would change the rules in just this way. The regulations are expected to be published soon. An EU directive on electronic signatures is pushing all the countries in Europe to move in this direction. The US E-sign bill, which Bill Clinton signed into law last week, enables all sorts of electronic acts - not just digital signatures, but even clicking on a web link - to have the same legal force as signatures.

These laws can't just be ignored by British businesses and consumers. Clicking by accident on a link on the world-wide web can give rise to contractual obligations which can result in a judgment in a foreign court and be enforced against you here in the UK under international treaty.

* It is vitally important that ministers take care when writing the regulations. The Act can be found online at:

* The Foundation for Information Policy Research is an independent body that studies the interaction between information technology and society. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.


Brian Gladman 01905 748990

Ross Anderson 01223 334733