Signing e-mail to legally bind e-mail attachments: Easier said than done


Here on ZDNet, in the blogs, their comment areas, and in e-mails you have not seen, my fellow blogger George Ou and I have been debating the challenges to securing e-mail.

Although many Internet users assume it to be otherwise, most e-mail traversing the Internet and even corporate networks is insecure. Recognizing that e-mail security is in the eyes of the beholder, that requires a bit of explaining because there are various aspects of e-mail that make it insecure. For starters, although the technology exists for all of us to place a digital signature on an e-mail -- one that virtually guarantees that an e-mail purporting to be from you came from you and nobody else -- almost no e-mail is sent with such a digital signature on it. In addition, although ways to scramble the contents of an e-mail exist (either before it's sent, or just while it is in transit), little if any e-mail ever gets encrypted.

At the heart of the debate between me and George is the reason things are the way they are: that today's e-mail users aren't going through the trouble of securing their e-mail through any number of means (digital signatures, encryption, etc.). I say the reasons for this are primarily technical ones and that it's the fault of the e-mail solution providers who are in a position to make it easier to secure e-mail (a prerequisite to adoption). George says that it's users who are to blame because the tools exist and users just don't bother to use them. I say the reason people don't use them is that they're too difficult to use, often requiring the downloading and plugging in of third party tools that don't work with everything, and that that's too much friction for anything to be adopted en masse. He thinks I'm blowing the usability issue out of proportion.

One scenario I've offered as evidence of that friction is the one where Party A sends a document for signature to Party B. The document is sent as an attachment to an e-mail. I personally get many of these documents. Today, most such documents end up as a part of a ridiculous process that, in my estimation, demonstrates the failing of today's e-mail system. Party B (the recipient) opens the document, prints it out, signs it and then does one of three things: (1) mails the signed document back to Party A via snail mail, (2) faxes the signed document back to Party A (requires both parties to have fax machines), or (3) scans the signed document into a PDF file and sends it back to Party A as an e-mail attachment (requires that you have a scanner handy and that Party A is capable of opening a PDF file).

This seems to me to be a process that can be boiled down to two clicks for Party B. One to open the document for viewing (regardless if the client is rich like Outlook, Web-based like Gmail, or even mobile like a BlackBerry) and another to send it back signed so that when it is received by Party A (the original sender), it is easily recognized as having been signed in contractually binding fashion.

On the grounds that services like Google's Gmail (one that George used as an example of why he felt I was incorrect about e-mail encryption) offer no way to digitally sign an e-mail through their Web interfaces, I don't see an e-mail system that -- across the board -- is up to the task of securing e-mail in whatever fashion we want it secured. But, taking my example above, George says my arguments are, to some extent, an overly complicated process that needn't be so complicated.

One sticking point between the two of us, for example, is the question of what constitutes "legally binding" when dealing with e-mail attachments. George has argued that an attachment doesn't necessarily need to be digitally signed for it to be binding and that what really needs to be digitally signed is just the e-mail to which the document is attached. Notwithstanding the absence of any ability to digitally sign e-mails in interfaces like Gmail and others, if he's right, then the Internet's e-mail system (I use this term loosely to describe all the discrete e-mail technologies in use by Internet users) might be closer to securing most of its e-mail than I originally thought.

But is that true? Is it just as simple as Party B signing a reply (and including the attachment before sending) to Party A without signing the attachment itself? As it turns out, it's a bit more complicated than that.

First, let's forget for a second that e-mail clients that have a "Reply with digital signature" button in their user interfaces are a rarity (I know of none). In fact, today, in order for Party B to pass an attachment back to Party A, the REPLY button by itself isn't a very good choice since, in most e-mail clients, the act of replying drops the attachment. Using the FORWARD button keeps the attachment, but would force Party B through the minor inconvenience of re-addressing the e-mail (the sort of friction that's a dealbreaker if you ask me). But apart from the technical issues and the way e-mail clients are really ill-suited to a world where documents are digitally signed and passed around, there are also legal issues.

I contacted Joe Rosenbaum in New York, a partner at Reed Smith who helps lead that firm's global Advertising Technology & Media law practice group. Over the years, Rosenbaum has served as an important legal resource to me when I editorially delve into legal matters that go beyond my limited knowledge of the law. According to Rosenbaum, there are circumstances under which digitally signing the e-mail that contains the attachment (as opposed to signing the attachment itself) will suffice. But the requirements make it clear that it's not just a blanket rule. For example, going back to the previous example, Party A must indicate to Party B that a digitally signed e-mail is an acceptable form of assent. Said Rosenbaum:

Much of this depends on how the email initially sent (or in some cases the response) is framed. If the original sender indicates that a digitally signed email response affirmatively assenting to all the provisions of the attachment will be acceptable to signify agreement, there is no reason to think it would not be enforceable.

To some extent this is not much different than exhibits or schedules to an agreement. If the agreement is signed and in the body it indicates that exhibits, schedules, attachments, etc. are incorporated by reference and form a part of the agreement, they are binding as part of the agreement.

In theory, if one frames the email message in that same vein and obtains a digitally signed response that matches the requested action - sends back a response without disagreement or alteration, indicating agreement or assent - it is likely this would be binding. As a general rule, under traditional contract rules, if an offer is made and the manner of assent is specified in order to bind the parties, then if the individual accepting the offer proceeds to accept in the manner requested, a binding agreement would result.

However, if Party B thinks that a digitally signed e-mail will suffice when Party A has made no such indication, the result may not be legally binding. According to Rosenbaum:

If a different mechanism to accept is used, then it becomes a question of fact whether there was an intent to be legally bound, even though the acceptance was not exactly as requested.

Rosenbaum's next point covers what essentially amounts to integrity checking of the documents in question:

...in order to make this work there must be a mechanism to authenticate the parties (digital signatures) and the attachments to ensure they have not been altered or separated in a way that calls into question their integrity or authenticity. Again, going back to traditional contract law, this is not different from worry whether an exhibit becomes unstapled or detached from the agreement in which it is referred to ... again, even with identifying marks (e.g., headers, footers, initialing pages, etc.) it often becomes a question of evidence and proof. To the extent that references in the email, identifying attributes and other mechanisms technological and otherwise can 'recognize' an unaltered attachment, there is no reason this could not be effective.

In the context of the larger debate between me and George, this point by Rosenbaum -- the one about "mechanisms" -- is critical. It's not enough to say that the technology exists so that George, me, or a law clerk can ensure that the attachment(s) "have not been altered or separated in a way that calls into question their integrity or authenticity." As long as digital signatures have existed, the technology to verify them has existed as well. The question is whether or not it exists as a dirt simple "mechanism" that can be used in the context of a contractually binding e-mail thread (one that includes one or more attachments). If it doesn't, it won't get used.

For example, if Party A receives a digitally signed e-mail from Party B that assents to the terms in an attachment, Party A must be able to, beyond any shadow of a doubt, easily verify that the attachment is the exact same one it sent to party B in the first place. This is more complicated than it sounds.

First, if the process involves exiting the e-mail client -- for example, to detach and compare the returned attachment with the original -- it's unlikely that mortals will embrace it. That's too much friction. But if the e-mail client could visually indicate to Party A that the returned document matches the one that was originally sent to Party B, then, that friction might be eliminated. However, for the e-mail client to do this, it would have to be able to keep tight track of every e-mail thread so that when Party B returns an attachment to Party A, the e-mail client knows which originating e-mail to match it up with. Again, it's not that these steps aren't doable. It's all doable in software. It's just that so many of the e-mail clients in use today don't have this sort of mechanism baked into them. When they do, and the many Party As get into the habit of telling all the Party Bs that a digital signature on the e-mail is an acceptable form of assent, then we'll be making progress.
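The thread tracking described above can be sketched with Python's standard `email` package. This is an added example, not code from the article or from any e-mail client: the `SentIndex` class, the `build` helper, the addresses and the message IDs are all hypothetical, the sample messages are constructed, and it assumes the digital signature on Party B's reply is verified separately.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def attachment_digests(msg):
    """Map each attachment filename to the SHA-256 of its decoded bytes."""
    digests = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        digests[name] = hashlib.sha256(data).hexdigest()
    return digests


class SentIndex:
    """What Party A's client keeps for every message it sends (hypothetical)."""

    def __init__(self):
        self._by_id = {}  # Message-ID -> {filename: sha256}

    def record(self, raw):
        msg = message_from_bytes(raw, policy=policy.default)
        msg_id = str(msg.get("Message-ID", "")).strip()
        if not msg_id:
            raise ValueError("cannot track a message without a Message-ID")
        self._by_id[msg_id] = attachment_digests(msg)

    def check_reply(self, raw):
        """Return (status, per-file verdicts) for a reply from Party B."""
        reply = message_from_bytes(raw, policy=policy.default)
        # In-Reply-To names the parent; References lists the thread's ancestors.
        ids = f'{reply.get("In-Reply-To", "")} {reply.get("References", "")}'.split()
        sent = next((self._by_id[i] for i in ids if i in self._by_id), None)
        if sent is None:
            return "unknown-thread", {}
        returned = attachment_digests(reply)
        verdicts = {}
        for name, digest in sent.items():
            if digest in returned.values():
                verdicts[name] = "unaltered"   # same bytes, even if renamed
            elif name in returned:
                verdicts[name] = "altered"     # same name, different bytes
            else:
                verdicts[name] = "missing"     # e.g. REPLY dropped the attachment
        for name, digest in returned.items():
            if digest not in sent.values():
                verdicts.setdefault(name, "not-in-original")
        ok = bool(verdicts) and all(v == "unaltered" for v in verdicts.values())
        return ("match" if ok else "mismatch"), verdicts


def build(msg_id, attachments, in_reply_to=None):
    """Constructed sample message; addresses and IDs are made up."""
    m = EmailMessage()
    m["From"], m["To"] = "a@a.example", "b@b.example"
    m["Message-ID"] = msg_id
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("Please see the attached agreement.")
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="pdf", filename=name)
    return m.as_bytes()


CONTRACT = b"%PDF-1.4 constructed sample contract, fee: 1000\n"
ORIG_ID = "<orig-1@a.example>"


def demo():
    index = SentIndex()
    index.record(build(ORIG_ID, [("contract.pdf", CONTRACT)]))
    forwarded = build("<r1@b.example>", [("contract.pdf", CONTRACT)], ORIG_ID)
    replied = build("<r2@b.example>", [], ORIG_ID)  # REPLY without attachment
    changed = CONTRACT.replace(b"1000", b"100")
    edited = build("<r3@b.example>", [("contract.pdf", changed)], ORIG_ID)
    return [index.check_reply(r) for r in (forwarded, replied, edited)]


if __name__ == "__main__":
    for status, verdicts in demo():
        print(status, verdicts)
```

Only a "match" status would justify the visual indicator described above; a reply whose thread headers point at no recorded message is reported as "unknown-thread" rather than guessed at.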

While I have my own hunches as to why both the cultural and technical gaps towards a more paperless legal world haven't been bridged, I asked Rosenbaum "Why doesn't the legal community practice something more paperless using digital signatures?" The challenges, according to Rosenbaum, are, as George has argued, largely cultural. But in answering the question, Rosenbaum also hints at the sort of technical infrastructure that would need to exist in order for people to really embrace the idea. And that has been my main argument all along: that for this dream to become a reality, the only thing that can break down the cultural barriers is an infrastructure that takes all the friction out of doing so. Otherwise, people will do what they're doing today. They won't bother. Wrote Rosenbaum:

Ultimately we are creatures of habit and products of the judicial system in which we practice. Consider a situation in which all the parties create, negotiate and ultimately consummate an agreement using digital/electronic means. Now there is a dispute and parties are asked to produce 'true' copies of the agreement. Since no 'tangible' signature exists, testimony would be required to authenticate the legally binding intention behind the digital methodologies. This is by no means particularly difficult - no more than a handwriting expert might need to testify as to the authenticity of a signature - but it is something we are not used to or are yet comfortable with despite our 'information' society.

Paper signatures are witnessed generally and multiple people are involved in the exchanges of the original signed documents. In a digital world, I could sign an agreement alone without witnesses, raising the possibility that the signature might be challenged by someone claiming it was forged or coerced or not valid or authentic.

None of these obstacles are particularly burdensome - indeed, it would seem smarter and more facile to do this digitally. A corporation might have officers with digital signatures of different levels of authority. Contracts at certain levels would need to be signed by authorized officers. Systems could easily monitor and administer the authorization and security attributes and consequently make this process easier. ....I suspect our reluctance to migrate to a purely digital world is simply that old habits die hard and we need to simply allow increasing judicial cognizance and increasing adoption to slowly invade our world.

And I'll add "less friction"; the key to adoption.


Talkback

27 comments
  • Excellent article!

    I think you've done a great job on this article, and it has given us some things to think about if we are ever to move forward with digital signatures. For what it's worth, I agree more with your assertion that the friction is the problem. We need simpler means of dealing with all of this. It reminds me of the "old days" of e-mail using UUEncode and UUDecode to work with attachments. Until they largely idiot-proofed attachments ("Just click the paper clip"), most people would not bother.
    bmgoodman
    • Heck, at risk of showing my age, I even remember when you had to know the

      path to email server at the final destination, separated by !. And, of course the path could change, and you, the person writing the email, had to know.
      DonnieBoy
      • The best book on this subj

        Secrets and Lies...

        Digital secrets in a networked world.
        pcguy777
  • Just as important, we also need to eliminate the need for testimony in most

    cases. This could be done by major email providers providing a "certified" copy of the email in a form that the courts would accept. This could be similar to me asking my educational institution provide a certified copy of my grades to a prospective employer. Then the only time that testimony would be required is if the authenticity was challenged, which would be rare.

    Well, we also need ALL of the major email providers to take the friction out to the process. This should also include the case that MULTIPLE parties must sign the agreement, and ALL must receive verification that ALL have signed. But, the email providers should also provide a management console to view and retrieve all signed agreements.

    But, just think of the damage to the companies that manufacture file cabinets!!!
    DonnieBoy
  • Dave, email providers must also provide an electronic filing cabinet with

    all of the agreements that have been signed, and a management console to search and retrieve. Another thing, companies could require any signed agreements to first pass through the legal department before being returned, thus requiring TWO signatures before being returned.

    Maybe Google will be the first to offer this service as a part of Google Docs mydomain. Then, you could require people to sign up for GMail if they want to electronically sign documents. Of course a universal standard implemented by all would likely follow if a major provider like Google offered a friction free implementation.
    DonnieBoy
    • But wait, there's more! (as you imply)

      I believe I've only scratched the surface of how complex the problem is. As I wrote this, I thought about going down the path of document/content management, but that seemed like overkill in terms of the points that needed to be made. That said, there are many issues that I didn't talk about that today, amount to obstacles to adoption. We have to start somewhere though.

      thanks for writing
      dberlind
  • What about certificate expiration?

    One issue that pops into my mind that neither you nor George considered regarding legal issues. What happens when the certificate you use to sign an email expires? In other words, my signature does not have an expiration date. 5 years after I sign my name to a document, you can still go back and verify that the signature was mine. But your typical SSL certificate expires in 1-3 years. What (if any) are the issues around verifying that you sent an email or digitally signed a document if you are trying to verify this after the certificate has expired? For argument's sake let's say the individual certificate you got from a public CA had a 1 year expiration, and that there is a legal issue 5 years later.
    t_mohajir
    • You are talking about a lot of friction that needs to be taken out of the

      process if there is to be adoption. Individual companies do NOT want to have to manage the problem of certificates expiring. They want major email companies to take care of that and make sure that agreements that were signed with expired certificates remain valid and legal.

      The automatic archiving and long term validity of signed agreements is just one of the many things that needs to be solved, with all of the details handled by a trusted provider.
      DonnieBoy
    • Yet another issue.

      Yes, not only do we need electronic filing cabinets to store the documents, we have the issue of certificate expiration as well. Millions of legal documents are recalled decades after they were originally signed.

      Thanks for writing.

      David
      dberlind
      • See my clarification to the start of this thread.

        Your understanding of Digital Signatures is mistaken.
        georgeou
        • Drop it George, it seems like everybody but you understands this clear as

          day. You are about the only one that does NOT understand that even though the law and the technology exist, the implementations, infrastructure and trusted providers DO NOT EXIST. There are a million little details that going into being sure you do in fact have a legally signed, and then being able to retrieve a copy that has the force of law possible 20 years later.

          Having to keep a "paper" (in this case electronic) trail of all of the digital signatures ever used by a particular person, and verifying that they are all valid, is NOT something that the average business wants to do. Heck, even large corporations are reluctant to use it because all of the details of implementation THAT HAVE NOT BEEN SOLVED.
          DonnieBoy
    • Major clarification, your cert expires but a signature does not expire

      Major clarification for you:

      Your Digital Certificate expires (but can be renewed) but a Digital Signature that's Digitally Time stamped during the time that the Digital Certificate was valid does not expire.
      georgeou
      • George, we all understand that clear as day, but that does not remove the

        complexity and uncertainty for anybody that is resisting electronic signatures. We need a trusted provider that can provide a "paper" trail of digital signatures, email addresses, valid dates, etc, in the case we ever DO need to validate those agreements 20 years later. In other words, we need a simple guaranteed way that we can present a certified copy of the agreement to a court of law, possibly 20 years later.

        That infrastructure does not exist yet, hence almost zero adoption of digital signatures.
        DonnieBoy
        • Federal law says that requirement for paper can be met by electronic sigs

          Federal law says that requirement for paper can be met by electronic sigs.
          georgeou
          • Again, we understand that, but that does NOT create the infrastructure

            needed to get everybody comfortable that 20 years later, validating the original agreement will be as easy (hopefully a LOT easier) as retrieving the original from the filing cabinet.

            Right now, there is not even one email provider that will store all of your electronic agreements for you and then supply them in a format that a court of law will accept at a later date.

            And that is maybe something else we need - a standard for the process of submitting electronically signed documents to a court of law, with no testimony required, unless it is disputed.
            DonnieBoy
        • And no, it's clear you don't understand that "clear as day"

          nt
          georgeou
          • Yes, we do understand it clear as day. But understanding it, and having the

            infrastructure in place to handle all of the little details needed to have the force of law, are two DIFFERENT things.

            So, we understand that technically digital SIGNATURES do not expire, it is only the CERTIFICATE that expires and can not be used after a certain date. But, that adds a lot of details and uncertainty to the process of maintaining digitally signed documents that can be called up at any time, and presented to and accepted by a court of law.
            DonnieBoy
          • Why don't you explain it?

            I'll admit, I don't understand the details of it. In terms of S/MIME, my understanding of it was that to encrypt a message, you need the public key from the personal certificate of the recipient of your email. You encrypt the email you are sending using the recipient's public key. The recipient decrypts the email using their private key. I think the pitfalls & limitations of this situation are pretty clear.

            For digital signatures my understanding was that you create a hash of the message, then you encrypt the hash using your private key. You then send the message and the encrypted hash to the recipient along with your public key. The recipient decrypts the hash with your public key. The recipient then uses the same hashing algorithm against the message and compares it to the decrypted hash to verify it.

            All good so far, and once again I think the pitfalls are very clear. What I didn't know about is the purpose of a digital time stamping service that George pointed out:
            https://digitalid.verisign.com/client/help/id_intro.htm#time_stamp

            "The use of a DTS would appear to be extremely important, if not essential, for maintaining the validity of documents over many years. Suppose a landlord and tenant sign a twenty-year lease. The public keys used to sign the lease are set to expire after two years. Solutions such as recertifying the keys or resigning every two years with new keys require the cooperation of both parties several years after the original signing. If one party becomes dissatisfied with the lease, he or she may refuse to cooperate. The solution is to register the lease with the DTS at the time of the original signing; both parties would then receive a copy of the time-stamp, which can be used years later to enforce the integrity of the original lease."

            But I think it goes to further prove David's point that while these technologies are available, they are NOT ubiquitously deployed and made so easy (frictionless) to use that people will actually use them. A good start would be for all the free email providers (Google, Yahoo, Hotmail, AOL, etc.) to include a free personal certificate with every email address with the private keys stored on their servers to prevent theft.
            t_mohajir
          • I think you hit the nail on the head. There are just too many little

            details that you have to understand to be confident that your electronically documents will have the force of law. And, then there are a lot of different ways to do it that would meet the requirement of the law. So, it is just too complicated even for large companies. We need trusted providers to do all of the heavy lifting for us, so we get a green button telling us that the document has been signed, and everything verified, DONE, END OF STORY.
            DonnieBoy
          • Legal rules that apply directly to e-signature

            In many ways, the issue of digital signatures as a legal structure has been, for the most part, solved through legislation.

            Two statutes deal with the issue - the Uniform Electronic Transactions Act (UETA) and the Electronic Signatures in Global and National Commerce Act (a federal statute) (E-SIGN).

            UETA is a model act that has been enacted in every state.
            The main purpose of this model law is to make electronic signatures and electronic records valid and to remove the prejudice and confusion surrounding the use of electronic signatures and electronic records. The Comments to the statute make clear that it seeks to make electronic signatures, records, and contracts legally equivalent to manual signatures, records, and contracts. That is, the medium used for a signature, record, or contract does not affect its legal significance. A signature, record, or contract may not be denied legal effect because it is in electronic form nor can a contract be denied legal effect solely because an electronic record was used to form the contract. If a law requires a writing or a signature, UETA makes electronic forms permissible. Moreover, electronic signatures and records cannot be excluded from evidence merely because they are in electronic form.

            The law does not require any particular technology. There is a NH case from 1848 where the court allowed a binding signature where it was transmitted as part of a telegraph message, pointing out that a wire used in that context is just a longer version of a pen. The new statutes approve of this view.

            The comments to the law give some examples of valid and binding signatures. The line at the top of a fax showing the time and date. Typing one's name on an email message. In fact, just sending and receiving email where can bind the parties if that is their intention.

            Both parties have to agree to use digital signatures, but that intention can be found from course of usage as well as being explicitly stated. That is, the agreement need not be explicit and can be implied from the overall circumstances of the transaction. Moreover, there is no reason to use a trusted third party to store documents unless the parties want to. Parties can store emails and attached documents and they can send documents in pdf format to the other party and to themselves at the same time so there is at least a date/time stamp. An email, a fax, or other sort of electronic communications are a "writing." A writing is not limited to ink on paper. Also, digital documents are deemed "originals" if that is the intent even if the digital document is a scan from an ink-on-paper document.

            The extent of the technology used for binding parties using electronic signatures depends on what the parties want to do. The less trust between the parties, the more formal and technical the requirements.

            But the law allows any method the parties want to use and the fact that it is electronic is not a barrier to a signature being effective and binding and for a document to be valid and binding if it is electronic format.

            Sorry for the long reply.
            legalbits