Making Online Transactions Legal, Enforceable and Secure: Electronic Signature Judy Borreson Caruso University of Wisconsin-Madison October 21, 2004 Copyright Judy Borreson Caruso 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.



Outline

• Historical context

• Definitions

• E-Signature Act (E-Sign)

• Federal Student Aid (FSA) and Family Educational Rights and Privacy Act (FERPA)

• What’s happening in the real world

Historical context of signatures

Signing in writing serves the following general purposes:

1. Evidence: A signature authenticates a writing by identifying the signer with the signed document.

2. Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act.

3. Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization.

4. Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document.

Historical context of signature

• Signature must have these attributes:
– Indicate who signed and be difficult for another to produce
– Identify what is signed, making it impractical to falsify
– Affixing the signature should be an affirmative act
– Optimally the signature and its creation should provide the greatest assurance of authenticity with the least possible expenditure of resources

Electronic Signature & Digital Signature

• Electronic Signature

An electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.

• Digital Signature (one type of Electronic Signature)

An electronic identifier created by computer, intended by the party to be the same as manual signature. It is one type of electronic signature if ‘intent to sign’ is present.

Examples

• Electronic Signature
– “I accept” button
– Digitized version of handwritten signature
– Anything that can be construed as ‘intent to sign’

• Digital Signature
– Data field on database that says “I accept” button was pushed

E-Sign Act

• Electronic Signatures in Global and National Commerce Act (S.761) (E-Sign Act)
– Applies for transactions requiring a signature
  • Makes e-commerce possible
  • Consent required
  • Good security required

• Uniform Electronic Transaction Act (UETA) (State) - not incompatible with E-Sign

E-Sign Act

• “electronic records and related electronic signatures are not to be denied legal validity or enforceability merely because they are in electronic form”

• Purpose: facilitate growth of e-commerce

• Applies broadly to Federal and state statutes and regulations governing private sector

• Government may establish appropriate performance standards for the accuracy, integrity, and accessibility of records retained electronically, to ensure compliance with applicable laws and to guard against fraud (FERPA)

E-Sign Act

• Requires Consent
– Consent from the consumer to replace a written signature with an electronic one
– No one is obligated to agree to use or accept electronic records or signatures

When does E-Sign apply?

Contract formation. Regulations that directly regulate the form or content of legal agreements in commercial, consumer or business transactions

When does E-Sign apply?

Notice and disclosure requirements. Consumer must receive a clear and conspicuous statement of:
– 1) the consumer’s right to receive paper records;
– 2) the consequences of later withdrawing consent to receive electronic records;
– 3) the hardware and software required;
– 4) procedures required to withdraw consent; and
– 5) whether consent is for a single transaction or many similar transactions.

E-Sign Act

• A state may pre-empt portions of the Act only by adopting Uniform Electronic Transactions Act (UETA)

• It does not apply to creation of wills, codicils and testamentary trusts; to adoptions, divorce or other family law; and a few other contract types

E-Sign Act

• Technology neutral

• Fails to set minimum security or other technical standards

• Just about “anything” that two parties care to call an electronic signature will be treated as valid

• Act allows you to dispute the authenticity of particular signatures but you have to prove it isn’t yours or is not otherwise authentic

E-Sign – What is a Valid Electronic Signature?

• Broadly defined as any symbol, sign or process attached to or logically associated with an electronic record and made with the intent to sign an electronic record. Examples include:
– A name typed at the end of an e-mail message by the sender
– A digitized image of a handwritten signature
– A biometric identifier
– A code or personal identification number
– A digital signature in a public key cryptography system
– A mouse click on an “I accept” button

E-Sign Act – What is a valid signature?

• Valid e-signature by itself doesn’t establish trustworthiness of the document.

• Procedures for establishing trustworthiness include:
– Authentication – know who it is
– Access control (authorization) – manage what they can do once you know who it is
– Attribution/non-repudiation – hold-up-in-court proof that they said yes or no to the transaction
– Integrity – no damage to the data
– Confidentiality – keep data secret, even in transit

What transactions require consent under E-Sign - UW-System list

– Notice of Federal Family Education Loan Program (FFELP) eligibility (34 CFR 682.603)

– Parent Request for Parent Loans for Undergraduate Students (PLUS) (34 CFR 682.603)

– Notification of Financial Aid Award and changes to this award (34 CFR 668.165)

– Authorization to make Federal Work Study payments directly to account to satisfy current charges (34 CFR 675.16 and 675.16(a)(4)(i))


What constitutes acceptable measures under E-Sign?

1. E-signature itself
2. Security measures for trustworthiness:
– Authentication – know who it is
– Access control (authorization)
– Attribution/non-repudiation
– Integrity
– Confidentiality
3. Consent
4. E-Records Management
5. Policy

1. E-Sign - What constitutes acceptable measures? – E-signature itself

• Securing the signature at the time of the transaction (securing the creation of the evidence)

• Securing the electronic document over the life of the transaction (securing the evidence over time)

What constitutes acceptable measures? E-Signature

• State of South Dakota Standards lists these options:
– FAX
– E-mail with certificate authority
– E-Physical signature (saving a manual signature electronically)
– Digital signatures
– Logon/password
– Clickwrap
– Credit card/debit cards
– Biometric signatures
– Smart cards

2. E-Sign - What constitutes acceptable measures? – Security

• Authentication – know who it is

• Access control (authorization) – manage what they can do once you know who it is

• Attribution/non-repudiation – hold-up-in-court proof that they said yes or no to the transaction

• Integrity – no damage to the data

• Confidentiality – keep data secret, even in transit

Electronic Signature Options

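| Options | Confidentiality | Integrity | Authenticity | Non-repudiation |
|---|---|---|---|---|
| Fax | N | N | N | N |
| E-Mail (with CA) | Y | Y | Y | Y |
| E-Physical Sign | Y* | Y* | Y | N |
| Digital Sign | Y | Y | Y | Y |
| Logon/Password | Y* | Y* | Y | Y |
| Clickwrap | N | N | N | N |
| Credit/debit cards | Y* | Y* | N | N |
| Electronic checks | Y* | Y* | N | N |
| Biometric Sign | Y* | Y* | Y | Y |
| Smart Cards | Y* | Y* | N | Y |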

* Meeting confidentiality and integrity requires the use of encryption.

(adapted from the State of South Dakota standards)

3. E-Sign - What constitutes acceptable measures? – Consent

• All transmission of credentials (ID/password etc.) should be encrypted

• Opt-in for electronic transactions

• Clear documentation required – what the consent is for – for one transaction or for all financial transactions

“Implied” consent – consent by circumstances

• Determined by how parties act

• By banking online, you are implying that this is OK

• By applying online…

• Only need e-signature if a written signature or a written notice/document is required

4. E-Sign - What constitutes acceptable measures? – E-Records Mgmt

• No clear record retention requirement under E-Sign or FERPA (they do state that electronic retention is the same as paper)

• Best practice would be write once and read, so that the electronic signature can be directly tied to each transaction

• Recommend retain consent as a record
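
An added illustration of the record-keeping points above (not part of the original presentation): a hash-chained, append-only consent log in which each "I Agree" or decline is tied to a transaction and any later edit is detectable. The field names, sample IDs and disclosure text are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLog:
    """Append-only consent log; each entry commits to the one before it."""
    def __init__(self):
        self._entries = []

    def append(self, student_id, decision, scope, disclosure_text, transaction_id, when):
        if decision not in ("agree", "decline"):
            raise ValueError("decision must be 'agree' or 'decline'")
        body = {
            "student_id": student_id,
            "decision": decision,              # the affirmative act (the click)
            "scope": scope,                    # one transaction or many
            "disclosure_sha256": hashlib.sha256(disclosure_text.encode()).hexdigest(),
            "transaction_id": transaction_id,  # ties the consent to a transaction
            "when": when,
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry = dict(body, hash=_digest(body))
        self._entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first altered entry, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1

def demo():
    # Constructed sample data: two students answer the consent prompt.
    log = ConsentLog()
    text = "You may request paper records; consent covers all aid transactions."
    log.append("S001", "agree", "many", text, "award-0001", "2004-04-15T10:00:00Z")
    log.append("S002", "decline", "many", text, "award-0002", "2004-04-15T10:05:00Z")
    intact = log.verify()
    log._entries[0]["decision"] = "decline"  # simulate a later edit to the record
    return intact, log.verify()
```

The chain only exposes tampering if the latest hash is also kept somewhere the record keeper cannot rewrite, such as write-once media.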

5. E-Sign - What constitutes acceptable measures? – Policy

• Cultural – decentralized vs. centralized

• Presence of Legal Counsel

• Policy process – formal/informal

• Enforcement culture

• Demonstrate good faith

• Need for privacy policy

• Consider making available “terms of use” document

MSU’s Fin Aid Consent site

• http://www.finaid.msu.edu/econsent.asp

UW-Madison’s Financial Aids Awards Process

• E-Awards student self-service - message requests permission to do business electronically

• Student must click on ‘I Agree’ to continue

• If permission not given, a paper award letter is sent

• If permission is given, the message does not appear again

• From April – July 2004:
– 6,446 students have agreed to do business electronically
– 37 students have indicated unwillingness

UW-Madison E-Award

Family Educational Rights and Privacy Act (FERPA)

– Student protection law

– Student information cannot be released without the student’s consent

– Revision released on 4/21/2004
  • Allows this consent to be done electronically

FERPA E-Signature Regulations

• Technology neutral

• Specifically acknowledges the existence of the E-Sign Act but is more specific

• “Signed and written consent to release student record information” may include a record and signature in electronic form. It must:
– Identify and authenticate a person as the source of the consent
– Indicate the person’s approval

FERPA - revision

Doesn’t require institutions to ask the student for consent to do this transaction electronically

But…

Federal Student Aid rules are a “safe harbor”

E-Signature Rules for Federal Student Aid

• Issued by Department of Education – 2001

• Creates standards for electronic signatures in student loan transactions

• Created a FAFSA-PIN service (Free Application for Federal Student Aid)

FERPA E-Signature Regulations

• States that institutions can use the Federal Student Aid (FSA) standards as a “Safe Harbor”
– “While agencies and institutions are not limited to any particular technology or method, the Department (DOE) considers electronic signature standards established under the Federal Student Loan program to satisfy the written consent requirement in FERPA”
– Rooker, Director of Family Policy Compliance Office: “sections 3-7 of FSA standards for guidance on security measures.”

FSA standards

• Do not permit school officials access to PIN

• Allow students to change PIN

• PINs and passwords in secure database

• PINs and passwords encrypted when stored
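
An added sketch of how these four points can be met in code (not from the FSA standards or the presentation): PINs are kept as salted one-way PBKDF2 hashes rather than reversibly encrypted, an assumption that goes beyond the slide's wording, so staff who can read the database cannot recover them. The class name, iteration count and lockout threshold are also assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor (assumed value; tune for your hardware)
MAX_FAILURES = 5       # PINs are short, so guessing must be throttled (assumed limit)

class PinStore:
    def __init__(self):
        self._records = {}   # student_id -> salt, derived hash, failure count

    @staticmethod
    def _derive(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

    def enroll(self, student_id, pin):
        # Only the salt and the derived value are stored, never the PIN itself.
        salt = os.urandom(16)
        self._records[student_id] = {
            "salt": salt, "hash": self._derive(pin, salt), "failures": 0}

    def verify(self, student_id, pin):
        rec = self._records.get(student_id)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False   # unknown student or locked out
        ok = hmac.compare_digest(self._derive(pin, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok

    def change_pin(self, student_id, old_pin, new_pin):
        # The student changes the PIN by proving knowledge of the old one.
        if not self.verify(student_id, old_pin):
            return False
        self.enroll(student_id, new_pin)
        return True
```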

Penn State FERPA Electronic Signature Process

• Upon arrival, student presents with driver’s license or passport.

• Compared to records. Photo ID issued.

• Student presents to signature station.

(taken from Margaret L. O’Donnell presentation at NACUA 11/12-14 2003)

Penn State FERPA Electronic Signature Process

• Student swipes ID card in machine.

• Prompted for DOB.

• Database match.

• Student by digitized signature accepts electronic services and agrees to Penn State Policies.

• Agreement electronically stored.

• Student issued PIN and Password.

(taken from Margaret L. O’Donnell presentation at NACUA 11/12-14/2003)

What’s happening in the real world - Security

• Trivial electronic signatures – Passwords, PINs. This is ok for short-term recordkeeping but not adequate for long term recordkeeping

• Noncryptographic approaches:
– “shared secret”: the weakness is that parties must first have a prior relationship to establish the shared secret
– the “shared secret” must remain known only to the 2 parties. Without face-to-face contact, establishing the validity of the shared secret is often difficult.

Non-cryptographic controls

• Password or PIN- shared secret

• Smart Card – shared secret

• E-physical signature (digitized signature) – shared secret

• Biometrics – like PINs should be encrypted, privacy concerns

Cryptographic controls

• Kerberos – authentication, password encryption

• Public Key Infrastructure

Public Key Infrastructure (PKI)

• Uses asymmetrical algorithms

• A pair of crypto keys – one public/one private

• Private key is kept secret by the owner

• Public key is widely distributed

• Provides confidentiality (encryption), integrity, authentication, non-repudiation

What is PKI?

From Burton, Public Key Infrastructure: Architecture and Concepts v2, 25 Jun 1999, Author(s) Jamie Lewis, Dan Blum

Summary

• E-Sign Act applies for transactions requiring a signature
– Makes electronic commerce possible
– Consent required
– Good security required
– Remember privacy requirements

Summary

• FERPA rule
– Allows student to give electronic consent to release their information
– Doesn’t require institutions to ask the student for consent to do the transaction electronically
– Student Federal Aid rules are a safe harbor

Summary

• For each business transaction:
– Assess risk
– Decide what level of security needed
– Establish policy, if needed
– Monitor new technologies as they become available

Resources

• http://www.ifap.ed/gov/dcpletters/gen0106.html (Student loan e-signature standards)

• http://counsel.csa.edu/FERPA/publications (Margaret L. O’Donnell of CUA)

• http://www.nccusl.org (National Conference of Commissioners on Uniform State Laws)

• http://NAGARA (National Association of Government Archives and Records Administration)

• http://www.finaid.msu.edu/econsent.asp (MSU consent)

• http://www.state.sd.us/standards (South Dakota standards)

• http://www.abanet.org (American Bar Association)

Questions?
