Signing e-mail to legally bind e-mail attachments: Easier said than done

Here on ZDNet, in the blogs, their comment areas, and in e-mails you have not seen, my fellow blogger George Ou and I have been debating the challenges to securing e-mail.Although many Internet users assume it to be otherwise, most e-mail traversing the Internet and even corporate networks is insecure.

Here on ZDNet, in the blogs, their comment areas, and in e-mails you have not seen, my fellow blogger George Ou and I have been debating the challenges to securing e-mail.

Although many Internet users assume it to be otherwise, most e-mail traversing the Internet and even corporate networks is insecure. Recognizing that e-mail security is in the eyes of the beholder, that requires a bit of explaining because there are various aspects of e-mail that make it insecure. For starters, although the technology exists for all of us to place a digital signature on an e-mail -- one that virtually guarantees that an e-mail purporting to be from you came from you and nobody else -- almost no e-mail is sent with such a digital signature on it. In addition, although ways to scramble the contents of an e-mail exist (either before it's sent, or just while it is in transit), little if any e-mail ever gets encrypted.

At the heart of the debate between me and George is the reason things are the way they are: that today's e-mail users aren't going through the trouble of securing their e-mail through any number of means (digital signatures, encryption, etc.). I say the reasons for this are primarily technical ones and that it's the fault of the e-mail solution providers who are in a position to make it easier to secure e-mail (a prerequisite to adoption). George says the it's users who are to blame because the tools exist and users just don't bother to use them. I say the reason people don't use them is that they're too difficult to use, often requiring the downloading and plugging in of third party tools that don't work with everything, and that that's too much friction for anything to be adopted en masse. He thinks I'm blowing the usability issue out of proportion.

One scenario I've offered as evidence of that friction is the one where Party A sends a document for signature to Party B. The document is sent as an attachment to an e-mail. I personally get many of these documents. Today, most such documents end up as a part of a ridiculous process that, in my estimation, demonstrates the failing of today's e-mail system. Party B (the recipient) opens the document, prints it out, signs it and then does one of three things: (1) mails the signed document back to Party A via snail mail, (2) faxes the signed document back to Party A (requires both parties to have fax machines), or (3) scans the signed document into a PDF file and sends it back to Party B as an e-mail attachment (requires that you have a scanner handy and that Party B is capable of opening a PDF file).

This seems to me to be a process that can be boiled down to two clicks for Party B. One to open the document for viewing (regardless if the client is rich like Outlook, Web-based like Gmail, or even mobile like a BlackBerry) and another to send it back signed so that when it is received by Party A (the original sender), it is easily recognized as having been signed in contractually binding fashion.

On the grounds that services like Google's Gmail (one that George used as an example of why he felt I was incorrect about e-mail encryption) offer no way to digitally sign an e-mail through their Web interfaces, I don't see an e-mail system that -- across the board -- is up to the task of securing e-mail in whatever fashion we want it secured. But, taking my example above, George says my arguments are, to some extent, an overly complicated process that needn't be so complicated.

One sticking point between the two of us for example, is the question of what constitutes as "legally binding" when dealing with e-mail attachments. George has argued that an attachment doesn't necessarily need to be digitally signed for it to be binding and that what really needs to be digitally signed is just the e-mail to which the document is attached. Notwithstanding the absence of any ability to digitally sign e-mails in interfaces like Gmail and others, if he's right, then the Internet's e-mail system (I use this term loosely to describe all the discreet e-mail technologies in use by Internet users) might be closer to securing most of its e-mail than I originally thought.

But is that true? Is it just as simple as Party B signing a reply (and including the attachment before sending) to Party A without signing the attachment itself? As it turns out, it a bit more complicated than that.

First, let's forget for a second that e-mail clients that have a "Reply with digital signature" button in their user interfaces are a rarity (I know of none). In fact, today, in order for Party B to pass an attachment back to Party A, the REPLY button by itself isn't a very good choice since, in most e-mail clients, the act of replying drops the attachment. Using the FORWARD button keeps the attachment, but would force Party B through the minor inconvenience of re-addressing the e-mail (the sort of friction that's a dealbreaker if you ask me). But apart from the technical issues and the way e-mail clients are really ill-suited to a world where documents are digitally signed and passed around, there are also legal issues.

I contacted Joe Rosenbaum in New York, a partner at Reed Smith who helps lead that firm's global Advertising Technology & Media law practice group. Over the years, Rosenbaum has served as an important legal resource to me when I editorially delve into legal matters that go beyond my limited knowledge of the law. According to Rosenbaum, there are circumstances under which digitally signing the e-mail that contains the attachment (as apposed to signing the attachment itself) will suffice. But the requirements make it clear that it's not just a blanket rule. For example, going back to the previous example, Party A must indicate to Party B that a digitally signed e-mail is an acceptable form of assent. Said Rosenbaum:

Much of this depends on how the email initially sent (or in some cases the response) is framed. If the original sender indicates that a digitally signed email response affirmatively assenting to all the provisions of the attachment will be acceptable to signify agreement, there is no reason to think it would not be enforceable.

To some extent this is not much different than exhibits or schedules to an agreement. If the agreement is signed and in the body it indicates that exhibits, schedules, attachments, etc. are incorporated by reference and form a part of the agreement, they are binding as part of the agreement.

In theory, if one frames the email message in that same vein and obtains a digitally signed response that matches the requested action - sends back a response without disagreement or alteration, indicating agreement or assent - it is likely this would be binding. As a general rule, under traditional contract rules, if an offer is made and the manner of assent is specified in order to bind the parties, then if the individual accepting the offer proceeds to accept in the manner requested, a binding agreement would result.

However, if Party B thinks that a digitally signed e-mail will suffice when Party A has made no such indication, the result may not be legally binding. According to Rosenbaum:

If a different mechanism to accept is used, then it becomes a question of fact whether there was an intent to be legally bound, even though the acceptance was not exactly as requested.

Rosenbaum's next point covers what essentially amounts to integrity checking of the documents in question: order to make this work there must be a mechanism to authenticate the parties (digital signatures) and the attachments to ensure they have not been altered or separated in a way that calls into question their integrity or authenticity. Again, going back to traditional contract law, this is not different from worry whether an exhibit becomes unstapled or detached from the agreement in which it is referred to . .. . again, even with identifying marks (e.g., headers, footers, initialing pages, etc.) it often becomes a question of evidence and proof. To the extent that references in the email, identifying attributes and other mechanisms technological and otherwise can 'recognize' an unaltered attachment, there is no reason this could not be effective.

In the context of the larger debate between me and George, this point by Rosenbaum -- the one about "mechanisms" -- is critical. It's not enough to say that the technology exists so that George, me, or a law clerk can ensure that the attachment(s) "have not been altered or separated in a way that calls into question their integrity or authenticity." As long as digital signatures have existed, the technology to verify them has existed as well. The question is whether or not it exists as a dirt simple "mechanism" that can be used in the context of a contractually binding e-mail thread (one that includes one or more attachments). If it doesn't, it won't get used.

For example, if Party A receives a digitally signed e-mail from Party B that assents to the terms in an attachment, Party A must be able to, beyond any shadow of a doubt, easily verify that the attachment is the exact same one it sent to party B in the first place. This is more complicated than it sounds.

First, if the process involves exiting the e-mail client -- for example, to detach and compare the returned attachment with the original -- it's unlikely that mortals will embrace it. That's too much friction. But if the e-mail client could visually indicate to Party A that the returned document matches the one that was originally sent to Party B, then, that friction might be eliminated. However, for the e-mail client to do this, it would have to be able to keep tight track of every e-mail thread so that when Party B returns an attachment to Party A, the e-mail client knows which originating e-mail to match it up with. Again, it's not that these steps aren't doable. It's all doable in software. It's just that so many of the e-mail clients in use today don't have this sort of mechanism baked into them. When they do, and the many Party As get into the habit of telling all the Party Bs that a digital signature on the e-mail is an acceptable form of assent, then we'll be making progress.

While I have my own hunches as to why both the cultural and technical gaps towards a more paperless legal world haven't been bridged, I asked Rosenbaum "Why doesn't the legal community practice something more paperless using digital signatures?" The challenges, according to Rosenbaum, are, as George has argued, largely cultural. But in answering the question, Rosenbaum also hints at the sort of technical infrastructure that would need to exist in order for people to really embrace the idea. And that has been my main argument all along: that for this dream to become a reality, the only thing that can break down the cultural barriers is an infrastructure that takes all the friction out of doing so. Otherwise, people will do what they're doing today. They won't bother. Wrote Rosenbaum:

Ultimately we are creatures of habit and products of the judicial system in which we practice. Consider a situation in which all the parties create, negotiate and ultimately consummate an agreement using digital/electronic means. Now there is a dispute and parties are asked to produce 'true' copies of the agreement. Since no 'tangible' signature exists, testimony would be required to authenticate the legally binding intention behind the digital methodologies. This is by no means particularly difficult - no more than a handwriting expert might need to testify as to the authenticity of a signature - but it is something we are not used to or are yet comfortable with despite our 'information' society.

Paper signatures are witnessed generally and multiple people are involved in the exchanges of the original signed documents. In a digital world, I could sign an agreement alone without witnesses, raising the possibility that the signature might be challenged by someone claiming it was forged or coerced or not valid or authentic.

None of these obstacles are particularly burdensome - indeed, it would seem smarter and more facile to do this digitally. A corporation might have officers with digital signatures of different levels of authority. Contracts at certain levels would need to be signed by authorized officers. Systems could easily monitor and administer the authorization and security attributes and consequently make this process easier. ....I suspect our reluctance to migrate to a purely digital world is simply that old habits die hard and we need to simply allow increasing judicial cognizance and increasing adoption to slowly invade our world.

And I'll add "less friction"; the key to adoption.