Tuesday, November 01, 2005

Weakness Discovered in Widely Used Process for Digital Signatures

As reported today, Chinese scientists have discovered a theoretical weakness in SHA-1, one of the most widely used HASH algorithms. My soapbox just got a bit sturdier. Who is going to assume responsibility for this risk in transactions or systems based upon SHA-1 (or the cost of switching technology over to a newer, more secure, system).

The following snippet from the CNET article makes my point:

To computer scientsts, the SHA and MD5 algorithms are known as hash functions. They take all kinds of input, from an e-mail message to an operating-system kernel, and generate what's supposed to be a unique fingerprint. Changing even one letter in the input file should result in a completely different fingerprint.

Security applications rely on these fingerprints being unique. But if a malicious attacker could generate the same fingerprint with a different input stream, the cloned fingerprint--known as a hash collision--would certify that software with a back door is safe to download and execute.

That would help a crook who wanted to falsely sign an e-mail instructing that someone's bank account be emptied. Or a digitally signed contract could, in theory, be altered but appear valid.

Link to the CNET Article here.

Wednesday, August 24, 2005

"[A]ny new computer system is subject to a certain number of 'glitches'"

This is what the 8th circuit court of appeals had to say in a case involving email notices from the District Court filing system.

Like I've said, the benefit of the doubt, at least for a while, is going to go to those claiming that electronic systems didn't work as they were supposed to.

Monday, June 06, 2005

An Actual Example of the "Black Box" Risk

Boing Boing covers an example of one of the risks I mention in the materials--that a court might not allow evidence of an electronic process to be used in court if the proponent won't (or can't) produce evidence of the process itself.

In this case, a court prohibited a prosecutor from using breathalyzer evidence because the State of Florida couldn't produce the source code on which the system operated.

Read BoingBoing's post.

Read the source story.

It doesn't take too much of a stretch of the imagination to see this same strategy at work in a civil case.

Wednesday, May 25, 2005

Example of Poor Implementation

A snippet from a message to the Electronic Contracting Practices Working Group of the Cyberspace Law Committee of the Business Law Section of the American Bar Association. This case is a good example of how electronic signatures/records/transactions/notices will fail to be effective due to implementation problems.


To Electronic Contracting Practices Working Group:

From Co-Chair Kathy Porter

I wanted to update you on a case that the Working Group has followed in the First Circuit involving the use of email to distribute changes in the employment policies of a company. In this case, the employer sent a mass e-mail to employers changing the dispute resolution provisions to mandate arbitration. The email contained two attachments, one with the new policy and one with FAQs. The text of the email was found by the district court judge to be confusing and vague. The employee claimed he never agreed to the new policy.

Campbell v. General Dynamics (1st Cir 05/23/2005)http://caselaw.lp.findlaw.com/data2/circs/1st/041828p.pdf

Campbell brought an ADA claim in federal court against his former employer General Dynamics. General Dynamics moved to dismiss case on grounds that company policy mandated arbitration. The company distributed a revised employee handbook to employees via e-mail. Campbell claimed he had not agreed to the revised policy. The district court denied General's Dynamics motion to compel arbitration , and the company appealed . The First Circuit affirmed.

However, the First Circuit recognized that the electronic distribution of the employee handbook was not per se invalid.

The court observed that "the Electronic Signatures in Global and National Commerce Act (E-Sign Act), Pub.L. No. 106-229, 114 Stat. 464 (2000) (codified at 15 USC Sections 7001-7031), likely precludes any flat rule that a contract to arbitrate is unenforceable under the ADA solely because its promulgator chose to use e-mail as the medium to effectuate the agreement."

..... "[b]y its plain terms, the E-Sign Act prohibits any interpretation of the FAA's 'written provision' requirement that would preclude giving legal effect to an agreement solely on the basis that it was in electronic form."

The court reviewed all of the circumstances surrounding the distribution of the email to General Dynamics' employees The court determined that "[w]eighing all the attendant circumstances ... the notice was wanting and ... therefore, enforcement of the waiver would be inappropriate."

The court noted that "the district court's opinion does exhibit a high degree of skepticism about the use of e-mail in this context," but opined "[w]e do not share that skepticism: we easily can envision circumstances in which a straightforward e-mail, explicitly delineating an arbitration agreement, would be appropriate."

Friday, March 18, 2005

2005 Georgetown University Law Center Advanced Computer and Internet Law Institute

On Friday, March 18, 2005, I presented a speech on the topic of proving electronic transactions. In particular, I argued that lawyers need to involve themselves in the process of designing electronic signature and transaction processes to make it easier to meet the burden of proving the terms and existence of the transaction.

The materials for the CLE are available here formatted as PowerPoint for Web and PDF.

Some of the key resources I used in preparing the presentation are available on line: