JIBC

[Home] [Current Edition] [Compendium] [Forum] [Web Archive]
[Email Archive] [Guestbook] [Subscribe] [Advertising Rates] icon

Signed, Sealed and Delivered:
A Ritual for Digital Business

By Benjamin Wright
Email: Ben_Wright@compuserve.com

Attorney Benjamin Wright is author of The Law of Electronic Commerce (Aspen Law & Business. tel: 800-638-8437; fax: +1-301-417- 7650). For more about PenOp: <http://www.penop.com > or +1-212-244-3667.

This article provides general ideas, not specific advice on law, risk or security. If you need advice, consult a competent professional. Copy this article freely. All trademarks acknowledged.

You can now sign MSWord documents with a secure and legal handwritten signature.

Picture yourself concluding a dicey negotiation with a new business partner, Boris, with whom you've been corresponding by e-mail. You're undertaking a joint enterprise, the success of which calls for the utmost individual performance from each of you. To seal the deal, you prepare a letter in MSWord (very popular word processing program, having millions of installed users).

You're about to launch it as e-mail to Boris, but you stall. How do you sign the document to show your personal commitment and resolve? You could print it, sign it and mail it, but that is a hassle, and painfully slow if Boris receives his mail through the Russian postal system. Alternatively, you could attach to the electronic version of your document a bitmap image of your John Hancock, but that is risky, and a bit lame, because the image is just a file that can be clipped and pasted by anyone from one document to another. A hardier alternative would bind your autograph to the electronic document so that if clipped out it'd be invalid.

That's now possible with a new ActiveX component for MSWord, called PenOpr for MSWord. PenOp works with a digital pen to record your signature as it is written to an inexpensive digital tablet. PenOp charts the image of your signature as you write it and incorporates that image into the face of the MSWord document. (To see an example, download this article in MS Word 97 format from http://www.penop.com )

PenOp does yet more. As you write your signature, it measures the time it takes for you to impart the various strokes of the pen, which is unique to you. From the image and time data, PenOp creates a "Biometric Token" -- a digital representation of the signature that is cryptographically tied to your one-of-a-kind document. The Biometric Token becomes part of your document. When Boris gets your document, he can see that you personalized it the same as if it were paper-and-ink. With a viewer available no charge at , Boris can view the image of your signature and confirm that the signature (Biometric Token) belongs to the document he received and only that document.

The Ritual of Commitment

A business negotiation is as much an emotional sport as a logical one. The images and rituals informing the spectacle are as important as the stated words. One ritual -- recognized in all walks of life -- is the inscription of a handwritten autograph on a document. It conveys trust, volition, understanding, resolve, and conclusion, all in a single device. When John Hancock inked his famous signature to the Declaration of Independence, his intent was to all civilized people made manifest by the ritual. That same ritual is carried into the digital world by PenOp. PenOp is designed to apply signatures one-by-one. Each time an MSWord document is signed, muscle and bone must pick up a pen and write -- thus executing a physical ceremony. It is not a dry, automated process. The PenOp software is not designed for attaching a standardized signature file to documents.

Proof of Authenticity

Although ritual is its primary function, a signature can also convey some proof of document authenticity. What kind of proof would Boris have that your electronic letter, signed through PenOp, really came from you and no one else? The proof would be similar to, and in some ways even better than, the evidence he'd have if he received paper from you. He'd have an image purporting to be your autograph, which is bound by a cryptographic routine to the words of the document.

If the document were changed, he -- or an observer such as a court -- could tell. Boris could compare your signature to other electronic or paper signatures he may have from you. If he is of a mind to do it, he could even seek verification of your signature with the aid of a handwriting expert. When he gets your document, would Boris be required to grab the PenOp viewer and check your document? The answer is no. He could, if he so elects, just observe that the document contains something that professes to be a signature and take it on face value to be yours. That's always been our tradition with signatures. It is very rare in commerce that signatures are tested for genuineness.

It is common, of course, for one visually to examine her own signature on a document, after-the-fact, to confirm for herself that the document is hers and that she intended it to be the final document (not a draft). While it is certainly possible this informal examination would fail to detect a forgery, it is very reliable in the context of other facts that corroborate the authenticity of the document. PenOp supports such an informal examination as it incorporates a graphic image of the signer's signature into the MSWord document.

Signature Forgery

What prevents someone from falsifying a document by forging your autograph with PenOp? Practically speaking, the forger would face several formidable challenges. Your PenOp signature cannot just be clipped from one document and pasted to another. If it is, the PenOp viewer will show that the document is not the one to which the signature was originally attached. To forge your autograph successfully, the forger must mimic it well.

PenOp makes mimicry harder by requiring the image of the signature physically to be drawn on a digital tablet within a period of time that comports with the time you normally take to sign. Tracing is not an option, as it used to be with paper and ink. Another obstacle stands in the way of the forger. A signed document does not exist in a vacuum. For the forger to achieve his goals, he has to know a lot about the private facts and circumstances between you and Boris -- he has to know in detail what you two have been saying to each other, what industry jargon you've been using, and what each expects of the other. He has to intercept and carefully corrupt all the channels of feedback between you so neither of you is ever tipped off that something is amiss. If a crook e-mails Boris a contract falsely claiming to be from you, he has to make sure Boris doesn't telephone you to talk about it, or drop you a thank you card in the snail mail. That's not easy.

No Keys Required

A PenOp signature should not be confused with a so-called "digital signature," which is a complex process involving public key cryptography. The best recognized public key software is PGP. A digital signature shows that a certain key authenticated a document. However, a digital signature does not necessarily involve the action or volition of a warm, fleshly being. It is simply the execution of a mathematical algorithm using a number (key) stored in a computer somewhere. It is most commonly used to authenticate machines on a network. It is a cold, mechanical event, devoid of the emotional or social meaning associated with handwritten signatures.

To use public key crypto one must first go prove your identity to a "certification authority," vow to keep the secrecy of a private key (using passwords, smart cards, etc.) and thenceforth immediately tell the authority if you ever lose the key. What's more, a recipient like Boris has to coordinate with you and the authority to confirm your key belongs to you and has not been revoked. It's a hassle. Digital signatures are great for making secure networks, but as symbols of commitment between sentient people they fall short. They are too abstract. They have no flourish, no flair, no style.

No Waiting for New Laws and Rituals

In principle, a PenOp signature can be just as legally effective as any other kind of signature. Generally speaking a legal signature is simply a symbol -- any kind of symbol -- that you adopt for the purpose of taking responsibility for a document. (See for instance Beatty vs First Exploration Fund, 25 B.C.L.R.2d 377 (1988), holding that an autograph on a fax is a legal signature.) That standard is satisfied by an autograph captured through PenOp.

The special advantage of such an autograph is that its purpose is clear. It is understood by both law and custom as a metaphor for taking personal responsibility. Under both law and business custom, a signature remains effective even if it might theoretically be subject to forgery, repudiation or digital trickery. The possibility of forgery might make proof in court less than perfect, but commerce has always enjoyed less than perfect proof. Extremely high degrees of proof are very expensive to achieve. Some folks are tempted to make electronic commerce more difficult than it needs to be. They say we need radical new laws, we all need to learn new social rituals, and we need to organize our lives in ways very different from our established commercial customs.

PenOp reminds us of the collective wealth invested in those customs and our surprising power to exploit them even in cyberspace. When Boris gets your letter, signed with the aid of PenOp, centuries of tradition, dating to J. Hancock and before, arrive in its wake. From the signature Boris intuits far more than can be gleaned just from the bare words in the letter. He knows it's the flesh and blood you undertaking the commitment, rather than merely your ThinkPad. Below appears the author's signature, as captured and attached by PenOp to this document. If you possess this document in its original electronic form, available at http://www.penop.com, you can confirm the binding of this signature to the document by using the viewer available at the same address.