THE ELECTRONIC SIGNATURE ACT OF 1996: BREAKING DOWN BARRIERS TO WIDESPREAD ELECTRONIC COMMERCE IN FLORIDA

WILLIAM E. WYROUGH, JR.[*] AND RON KLEIN[**]

Copyright 1997 Florida State University Law Review

I. INTRODUCTION
II. BACKGROUND
A. The Development of Electronic Commerce
1. What Is Electronic Commerce?
2. The Advantages of Electronic Commerce
3. The Federal Commitment to Electronic Commerce
4. Florida Moves Towards Electronic Commerce
a. Paperwork Reduction Efforts
b. Examples of State and Local Government Initiatives
B. Security Issues in Electronic Commerce
1. Security in Closed Networks
2. Security in Open Networks and the Internet
3. Firewalls
4. Development of Modern Cryptography
a. Data Encryption Standard (DES)
b. Escrowed Encryption Standard (EES)
c. RSA Encryption
d. Government Control Efforts
III. ELECTRONIC COMMERCE AND THE LAW OF SIGNATURES
IV. DEVELOPMENT OF DIGITAL SIGNATURES
A. Private Key (Symmetric) Cryptography
B. Public Key (Asymmetric) Cryptography
1. Integrity, Authenticity, and Digital Signatures
2. Associating the Public Key with the Person
a. Pretty Good Privacy (PGP) "Web of Trust" Model
b. Certification Authorities and Public Key Certificates
D. Digital Signature Initiatives
1. Federal Government
2. Private Sector
3. Other States
a. Utah Legislation
b. California Legislation
c. Wyoming Legislation
d. State of Washington Legislation
4. American Bar Association Digital Signature Guidelines
V. THE JOINT COMMITTEE'S CONCLUSIONS AND RECOMMENDATIONS
A. Legal Status of Electronic Documents
B. The Legal Status of Electronic Signatures
C. Promoting the Use of Digital Signatures
D. Promoting Electronic Commerce in State Agencies
E. Future of Digital Signatures
VI. THE ELECTRONIC SIGNATURE ACT OF 1996
A. Legislative Intent
B. Definitions
C. The Legal Effect of Electronic Signatures
D. The Secretary of State as a Certification Authority for Digital Signatures
E. Accountability for Use of Electronic Commerce by State Agencies
F. Possible Future Role of the Secretary of State
VII. CONCLUSION

I. INTRODUCTION

The current information revolution has seen an increasing number of people using computers to exchange all types of information.[1] The rapid proliferation of affordable hardware and software, as well as affordable network connections, is making it more practical for people from all walks of life to take advantage of information technology.[2] As a result, opportunities are being created to make information flow more efficiently and accurately between people.

Using computers and telecommunications to conduct business transactions is generally referred to as electronic commerce.[3] Electronic commerce makes it possible to replace paper forms and documents with their electronic equivalents for many types of activities.[4] Applications of electronic commerce can be found throughout the public and private sectors, including the practice of law.[5]

A major concern when making the transition from a paper-based commercial environment to an electronic system of commerce is the effect that replacing written signatures may have upon the reliability and legality of transactions.[6] New technologies are making it possible to use electronic signatures to authenticate and preserve the integrity of transactions and documents.[7] For courts and lawyers, this means that the use of electronic pleadings, interrogatories, depositions, and briefs is becoming possible and practical.

In response to these developments, the Florida Legislature's Joint Committee on Information Technology Resources (Joint Committee) conducted an interim study of issues relating to electronic commerce and electronic signatures.[8] As a result of that study, the Joint Committee produced a report, with conclusions and recommendations, that became the basis of the Electronic Signature Act of 1996.[9]

This Article examines the issues associated with making the transition to electronic commerce via the use of electronic signatures and discusses the Electronic Signature Act of 1996. Part II discusses both electronic commerce and its concomitant security issues to provide a better understanding of the significance of electronic signatures. Part III discusses the history of traditional signatures and their legal importance, and provides a brief introduction to electronic signatures. Part IV examines the development of a type of electronic signature called a "digital signature." Part V highlights the conclusions and recommendations of the Joint Committee that formed the basis of the electronic signature legislation. Part VI describes the Electronic Signature Act of 1996, discusses its enactment, and analyzes its possible effect.

II. BACKGROUND

A. The Development of Electronic Commerce

1. What Is Electronic Commerce?

Electronic commerce is a broad concept that, for the purposes of this Article, is defined as the use of computers and telecommunications to conduct business transactions.[10] These transactions include the placing and tracking of orders, the delivery of products and services, the exchange of funds, and the documentation of such events.[11] In addition, electronic commerce may involve electronic submission of various types of documents to government entities such as regulatory agencies and courts.[12]

One type of electronic commerce is electronic data interchange (EDI), which focuses on the electronic equivalent of paper forms such as purchase orders, shipping manifests, Medicaid claims, loan applications, and electronic benefits transfers.[13] EDI transactions typically conform to standards for formatting and sequencing data in electronic transmissions.[14]

2. The Advantages of Electronic Commerce

Electronic commerce reduces paperwork and improves the speed and accuracy of many processes in both the public and private sectors.[15] It improves the processing of many types of filings and transactions that take place between the government and private sector, such as tax returns, corporate filings, and legal memoranda.[16] An example is the Texas plan to automate the thousands of Uniform Commercial Code filings the state processes each year.[17] Advocates of the Texas plan estimate that automation will reduce the processing time of these filings from ten days to two minutes.[18]

The potential benefits to the private sector from electronic commerce are considerable.[19] On-line purchases and money transfers over telecommunications networks can have a significant impact on how business is conducted.[20] Securing deals and completing transactions quickly and accurately is critical for businesses to be competitive in the information age.[21]

3. The Federal Commitment to Electronic Commerce

The federal government has been actively pursuing goals related to furthering electronic commerce.[22] For example, on October 26, 1993, President Clinton issued a memorandum to the heads of all executive departments and agencies instructing them to implement electronic commerce in federal procurement procedures.[23] The President noted that electronic commerce would be cost effective and would simplify and streamline the purchasing process, promote customer service, and increase competition by improving access to federal contracting opportunities.[24] According to the memorandum, electronic commerce will fundamentally alter and improve the way the federal government buys goods and services.[25] Further, the memorandum included a time-line that called for complete government-wide electronic commerce for purchases, where possible, by January 1997.[26]

4. Florida Moves Towards Electronic Commerce

Various efforts have been made to foster electronic commerce in Florida.[27] Efforts include initiatives taken by state government, local government, and Florida State University. These initiatives are highlighted below.

a. Paperwork Reduction Efforts

i. Paperwork Reduction Act

During the 1992 legislative session, chapter 282, Florida Statutes, was amended by the passage of the Information Resources Management and Paperwork Reduction Act.[28] The Act placed special emphasis on reducing the government's paperwork burden.[29] The amendments called for the specific reduction of paperwork associated with the collection and dissemination of government information to and from individuals, small businesses, educational institutions, state agencies, and local governments.[30] Agencies would achieve this reduction by reviewing, on a regular basis, their paperwork requirements, and devising plans to streamline their reports and forms.[31] The use of electronic commerce is consistent with the Paperwork Reduction Act's intent because it significantly reduces the amount of paperwork involved in doing business with the state of Florida.[32]

ii. Paperwork Reduction Task Force

On June 19, 1995, Governor Lawton Chiles signed an executive order establishing the Governor's Task Force on Paperwork Reduction.[33] One of the purposes of the Task Force is to promote an economic climate that supports the growth of business and efficient operation of government.[34] The Task Force's mission is thus consistent with the benefits derived from electronic commerce. Task Force members, however, found that the legal staffs of some agencies were uncertain about the legal standing of electronic documents and signatures.[35] The Task Force submitted recommendations in a report to the governor on January 31, 1996.[36]

b. Examples of State and Local Government Initiatives

i. Florida Communities Network

The Florida Communities Network is a new initiative by the Florida Department of Management Services that uses a statewide telecommunications network, SUNCOM. The network helps state agencies, cities, counties, and qualified nonprofit organizations provide information and services faster and more efficiently by establishing and linking various Florida World Wide Web sites on the Internet.[37] For example, through the Florida Communities Network, one can access information on state government job vacancies and contract purchasing opportunities, as well as information on many private sector companies.[38]

Information and links to other World Wide Web sites are regularly being added to the Florida Communities Network.[39] William H. Lindner, Secretary of the Department of Management Services, describes the Network as an "effort to establish Florida as a leader in economic development and government efficiency through electronic commerce."[40]

ii. Department of State

The Florida Department of State has implemented a system that allows electronic submission of UCC filings with the Division of Corporations.[41] After establishing an account with the Division, a user can file documents via fax.[42] Upon receipt by the Division, the original documents are electronically time-stamped and entered into the Division's UCC database.[43] Acknowledgment of accepted and rejected documents is returned to the originator via fax.[44]

The Division also has developed a public access system for corporate, UCC, and fictitious-names databases. The system provides network access to the databases via the CompuServe on-line service.[45]

iii. Florida State University's Purchasing System

The purchasing process at Florida State University has recently been automated with the inception of the General Requisition Electronic Entry and Tracking System (GREETS).[46] Before GREETS, university departments had to fill out requisition forms and obtain certain signatures throughout several layers of the approval process.[47] The requisition routing and budgetary approval processes are now paperless and completely automated.[48] Purchase orders, however, are still printed and signed.[49]

iv. Department of Banking and Finance

The Department of Banking and Finance's goal is to "develop a paperless, EDI-oriented computer system for processing 100 percent of the payment or disbursement requests received in the Comptroller's office."[50] One project directed by the legislature involves the electronic transfer of state funds to local governments.[51] Electronic transfers will reduce the number of paper warrants processed and significantly speed the transfer of those funds.[52]

v. Sarasota County Clerk of the Court

During the 1995 Regular Session, Representative Lisa Carlton[53] and Senator Katherine Harris[54] introduced House Bill 711[55] and Senate Bill 1770,[56] respectively. These bills would have provided an exception to the current law that requires a notary seal to be made with a rubber stamp.[57] The bills attempted to remove this requirement, which prevented the clerk of the court in Sarasota County from converting to a completely paperless process.[58] Certain documents in the court process require certified, or notarized, signatures. The bills would have allowed an electronic version of a notary seal.[59] The death of both bills in committee led to the Joint Committee's project on electronic signatures.[60]

B. Security Issues in Electronic Commerce

1. Security in Closed Networks

Before the advent of open computer systems and open networks like the Internet, the bulk of electronic data was kept in closed computer networks, with access to the data controlled by the system operator.[61] Security for such networks was usually based upon a process through which each user was issued a user identification (ID), usually the user's name, and a password that the user entered.[62] Depending upon the user's need to access specific application programs, the system operator could control security by assigning different levels of access to each user ID.[63]

2. Security in Open Networks and the Internet

Because computing environments have become more decentralized and computers are being used more frequently for communicating and disseminating information, the security of the programs and data within computers is a greater concern.[64] Society is rapidly advancing toward the day when information technologies will be an integral part of daily life. Information networks are providing more people with access for many types of new uses. For example, efforts to bring electronic banking and "digital cash" or "digital checks" into homes and offices will have a great impact in the future.[65]

The chances of fraud and unauthorized access increase as more people use networked computers.[66] These problems become more prevalent when networks like the Internet are open to the public, as opposed to when networks are closed, access is strictly controlled, and security is primarily the concern of system administrators and security specialists. Thus, security is a concern for all users of computers linked to open networks.[67]

The Internet is a completely open network, with millions of users from all over the world on-line every day.[68] Anyone with the right equipment and knowledge can use the Internet. As a result, hackers, thieves, con artists, and spies who are trying to covertly gather information for military, political, industrial, or personal advantage have easy access.[69] An attempt to break a security code is called an "attack," and the variety of attacks is limited only by the imagination of the attacker.[70]

Hackers can randomly generate computer IDs and passwords and access systems with relative ease.[71] In a test of a password generator called "Crack," more than thirty percent of one company's passwords were disclosed in less than a minute.[72] This lack of security has been cited as the main reason not to use the Internet for electronic commerce.[73] Depending upon the network environment, however, computer IDs and passwords may, in many cases, provide adequate security for a particular application.[74]

Although security was not a priority when the Internet was first created, the recent commercial interest in the Internet has spurred efforts to make transactions over the network more secure.[75] The basic connection protocol of the Internet, Terminal Control Protocol/Internet Protocol (TCP/IP), is undergoing a fundamental redesign. A new protocol, called IP version six, will include special security features such as encryption and authentication, both of which are transparent to the user.[76]

3. Firewalls

The risks of unprotected communications over the Internet have led to a thriving business in creating Internet "firewalls," combinations of hardware and software that restrict access and filter data entering and leaving the network.[77] Firewalls can be installed in a variety of configurations and are available from many vendors.[78] Firewalls are limited, however, and must be implemented carefully and integrated with a total plan for security.[79] Firewall technology is not infallible; constant vigilance and frequent updating of security plans are essential for organizations linked to the Internet to ensure the integrity of the organization's data.[80]

4. Development of Modern Cryptography

Cryptography is a security tool that involves the ciphering and deciphering of a secret code.[81] In an environment using cryptography, people who have access to the plain data behind the scrambled data share a common key.[82] This key is a predetermined algorithm for use in ciphering and deciphering.[83] Cryptography has existed for centuries and has been especially useful during wartime; the use of modern, computer-based cryptography began during the World War II era.[84]

a. Data Encryption Standard (DES)

In 1977, the federal government adopted the Data Encryption Standard (DES) as a Federal Information Processing Standard (FIPS).[85] All executive branch agencies must use DES whenever cryptographic protection is needed for nonclassified data.[86] Outside the executive branch, however, the use of DES is voluntary and is only required for those who wish to exchange encrypted data with federal agencies.[87] DES is used extensively for transferring funds and communicating with the Federal Reserve System.[88]

b. Escrowed Encryption Standard (EES)

As the use of encryption technology in data communications increases, law enforcement agencies will face more difficulty when intercepting and decrypting electronic messages.[89] The federal government has responded to this potential loss of electronic surveillance ability by adopting the controversial Escrowed Encryption Standard (EES), also known as the "Clipper Chip."[90] With EES, law enforcement agencies can access an escrowed key that gives them the ability to unscramble data.[91] This ability, which allows the government to eavesdrop on confidential communications, is controversial because the federal government developed EES secretly and then promoted it as a standard.[92] Federal standards are usually developed with broad public input.[93]

The federal government is still developing its policy on escrow.[94] The Clinton Administration has created an Interagency Working Group on Encryption Policy and has issued a new Key Management Infrastructure proposal that would be voluntary for private industry.[95] However, this new proposal, which has been dubbed "Clipper II," has already come under sharp criticism.[96]

c. RSA Encryption

Today, the business community is more involved in electronic commerce, and thus its need for secure communications is driving the data security movement.[97] One company in particular, RSA Data Security, Inc., has profited from this movement.[98] In 1977, the three founders of RSA developed and later patented an encryption algorithm that is now the de facto standard for commercial use.[99] RSA's Public Key Cryptosystem withstood tests by security experts and may be virtually impenetrable using existing, reasonably available technology.[100] The RSA algorithm has been incorporated into various companies' products, such as Lotus Notes and Netscape Navigator.[101]

d. Government Control Efforts

Through the Arms Control Export Act of 1976,[102] the federal government has attempted to control the export of strong encryption technologies, including those developed by RSA and others.[103] Export controls are an attempt to prevent strong encryption technology from being exported and possibly used in actions detrimental to national security.[104] Widespread foreign use of strong cryptography makes U.S. intelligence efforts more difficult because encrypted messages are hard to intercept and interpret.[105] Nevertheless, this export control policy has been criticized because it impairs the development of commercial encryption products.[106]

III. ELECTRONIC COMMERCE AND THE LAW OF SIGNATURES

Traditionally, paper documents, signatures, and seals have been used to authenticate transactions and activities.[107] A certified notary public often added a further degree of reliability by authenticating the identity of the person signing a document.[108] These forms of authentication were typically used to meet the signature requirement in the statute of frauds.[109] This 300-year-old British statute is incorporated into Florida's version of the UCC and provides that certain contracts or engagements will not be enforceable by way of action or defense unless there is some writing sufficient to indicate that a contract has been made between the parties and signed either by the party to be charged or by his or her authorized agent.[110]

The requirement for certain contracts to be in written form and signed has led to misunderstandings about the legality of electronic documents. By custom, the term "signature" has come to mean the name of a person written by that person at the end of the document, i.e., the person's autograph.[111] With this type of handwritten signature, one can use forensics to determine the authenticity of a signature.[112] Some believe that electronic documents should not be relied upon as legal documents because they do not contain such forensic evidence.[113] However, this historic view of a signature seems too narrow in a world undergoing rapid changes in technology.[114]

The UCC incorporates the statute of frauds by providing that many types of contracts are unenforceable without a "writing signed by the party against whom enforcement is sought."[115] Further, the UCC contains a general definition of the term "writing" that includes "printing, typewriting or any other intentional reduction to tangible form."[116]

This definition is inadequate for electronic documents. For example, does the phrase "tangible form" include computer hardware and software? In response to these questions, efforts are underway to revise the UCC to make it more relevant to a computerized environment.[117] One such effort proposes a new UCC Article 2B, concerning licenses.[118] Draft Article 2B replaces the term "writing" with "record," which it defines as "information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form."[119]

In addition to the current UCC definition, section 1.01(4), Florida Statutes, contains a more general definition of the term "writing."[120] This general definition raises many of the same types of questions as the UCC definition when electronic documents are considered as writings.

The UCC has broadly defined what will suffice for a signature. As defined in the Florida Statutes version of the UCC, the term "signed" includes "any symbol executed or adopted by a party with present intention to authenticate a writing."[121] For authentication, a complete signature is not necessary.[122] "Authentication may be printed, stamped or written; it may be by initials or by thumbprint. It may be on any part of the document and in appropriate cases may be found in a billhead or letterhead."[123] Courts have to rely upon "common sense and commercial experience" when determining if a signature is legally binding.[124]

The UCC's broad definition is consistent with the case law dealing with signatures.[125] A signature is not limited to an individual manually signing his or her full name on a contract. Rather, a signature is a "name, mark, or sign affixed to, or made on a document in token of knowledge, approval, acceptance, or obligation."[126] In the absence of a statute providing otherwise, a signature may be in one's handwriting, printed, stamped, typewritten, engraved, photographed, lithographed, or cut from one instrument and attached to another.[127] It is immaterial what type of instrument produces the signature.[128] An individual's initials also may be binding.[129] Additionally, a signature may be legally binding on a party if made by an individual acting as an agent for that party.[130] Further, absent a requirement that a signature appear in a particular place, a signature is not confined to a certain location on the instrument, but can be binding if signed anywhere on the instrument or attached to the instrument.[131] As long as a signature is affixed to a contract with the intention of authenticating and being bound by the writing, the signer is bound.[132] In sum, the signer's intent, not the signature's form, is what controls the legality of a signature.

In today's technological world, strict adherence to signatures on paper has become an archaic rule of law.[133] Although Florida law has never dealt with the concept of modern electronic signatures, some existing statutes are relevant. For example, section 15.16(4), Florida Statutes, pertaining to the Department of State, states: "Notwithstanding any other provision of law, the department may certify or acknowledge and electronically transmit any record maintained by it."[134] This section recognizes the electronic transmission of official documents, but does not specifically address the issue of signatures. Further, section 116.34(3), Florida Statutes, states: "Any authorized officer, after filing with the Department of State his or her manual signature certified by him or her under oath, may execute or cause to be executed with a facsimile signature in lieu of a manual signature."[135] Some analogies to the use of electronic signatures can be drawn from this law because it departs from a strict adherence to manual signatures on a piece of paper. The statute also recognizes that validity and reliability can be achieved if the Department of State processes and keeps files of manual signatures to correspond with the facsimile signatures.[136]

In electronic commerce, traditional paper signatures can be replaced by using a variety of methods that are incorporated into the broad term "electronic signatures."[137] An electronic signature can be as simple as a signature on a document sent via fax.[138] It also can be a name or some other identifier included in an e-mail message.[139] Other forms of authentication may include the use of tokens such as smart cards.[140] Smart cards are similar in size and appearance to a traditional credit card.[141] A particularly secure type of electronic signature, known as a digital signature, is discussed in more detail below.[142]

A person's identity also may be associated with a message by using biometrics to analyze a person's unique physical attributes.[143] Attributes may include one's face, fingerprints, or retinas.[144] Another currently available technology performs a digital analysis of a person's written signature to verify authenticity.[145] Biometrics and other related technologies may be an appropriate authentication solution for a given application; however, these types of authentication solutions usually require special hardware and added expense.[146]

Given that the concept of electronic signatures is relatively new, there is a lack of case law addressing the legality of electronic signatures. However, cases have upheld the legality of transactions with fax signatures as long as an intent to authenticate a writing is present.[147]

Identities and documents can be authenticated in many ways. One method may be more secure than another in a given situation. However, the law generally does not require that a signature be secure or fraud-proof to be legally effective.[148]

IV. DEVELOPMENT OF DIGITAL SIGNATURES

A. Private Key (Symmetric) Cryptography

Computers provide the ability to make cryptography algorithms more complex and difficult to decipher.[149] Messages and other data can be encrypted using a particular software program and then decrypted using the same or similar software.[150] In such cases, the encryption and decryption processes must share a common key.[151] This type of cryptographic security system is called a "private key" or "symmetric" cryptosystem.[152] The keys must be private to prevent unauthorized access to the confidential data.[153]

DES is currently the most commonly used private key system,[154] and is considered by experts to be relatively resistant to most forms of attack.[155] This system has been used extensively in military intelligence and financial environments.[156]

Private key cryptography is useful to ensure the security of computer systems and maintain confidentiality of information.[157] It also is useful as a means of authenticating the identities of people and documents in electronic commerce, provided the sender and the recipient have a preexisting relationship and there are tight controls on key distribution.[158] However, private key cryptography is not practical for secure communications between certain entities or between private citizens. Public uses are difficult because the sender and recipient must have the same key to encrypt and decrypt; they have to transmit the secret key between each other.[159] If open data networks are used to exchange the private keys, the possibility of compromise is greater.[160]

Another drawback of private key cryptography and DES is the inability to authenticate content.[161] There is no way to verify the actual content of the message, or whether it was secretly changed by either the sender or the recipient. A third person would be unable to identify who made the change because either party could have used the common secret key to forge the other party's name.[162]

B. Public Key (Asymmetric) Cryptography

A major advance in cryptography came in the 1970s, when an alternative to private key cryptosystems was developed.[163] This system is called a "public key" or "asymmetric" cryptosystem.[164] Under this system, the sender and the recipient of electronic messages each use two mathematically generated keys, one public and one private.[165] The sender of a message locks or encrypts the data using the recipient's public key, which is made available to anyone.[166] Data in the message remains encrypted until it is decrypted by the intended recipient using his or her own private key.[167]

One advantage of public key cryptography over private key systems is that people who have never met can send encrypted electronic messages.[168] Further, public key cryptography resolves the private key cryptography problem of finding a secure way to exchange keys by eliminating the need to exchange them.[169] By pairing public and private keys together, "public key cryptography makes secure communications routine and potentially ubiquitous."[170]

1. Integrity, Authenticity, and Digital Signatures

Public key or asymmetric cryptography is one basis for digital signatures. A digital signature is defined as:

A transformation of a message using a hash function such that a person having the initial message and the signer's public key can accurately determine

(1) whether the transformation was created using the private key that corresponds to the signer's public key, and

(2) whether the initial message has been altered since the transformation was made.[171]

A digital signature, which is a form of electronic signature, can simultaneously authenticate a document's signer and check the document's integrity.[172] For electronic documents, a digital signature allows the recipient of the message to determine whether the message and the sender are authentic by using the sender's public key.[173] If the message was initially signed digitally using the private key of an individual sender, then the digital signature can only be verified by the recipient using the public key of the same individual sender.[174]

Digital signatures also may be used to verify message integrity.[175] To verify the integrity of a message, digital signature software uses a hash function to create a message digest, which is a number containing a mathematical summary that identifies the content of the message at the time the digital signature was created.[176] If the message is subsequently altered, the recipient cannot match the message digest when the message is unscrambled, and message integrity is lost.[177]

Another important aspect of digital signatures is that they do not allow the sender to repudiate a message by denying that he or she sent it.[178] Nonrepudiation binds signers to statements, which can be extremely important in many types of transactions, especially when settling disputes.[179]

2. Associating the Public Key with the Person

A digital signature assures the recipient of a message that the sender's private key corresponds with the public key obtained by the recipient.[180] Nevertheless, even this may not assure authenticity.[181] Even if the keys correspond with each other mathematically, there is no intrinsic association with a particular person.[182] In some cases, this association can be made using other available evidence.[183] For example, if two remote parties are attempting to conduct business using digital signatures to verify documents, one party may not be willing to take the other party's word that he or she is the person identified with a particular key pair. There is a risk that an impostor may be attempting to conduct the transaction.[184] The solution to this problem is to have one or more third parties, trusted by both of the original parties, certify the real people associated with the key pairs.[185]

a. Pretty Good Privacy (PGP) "Web of Trust" Model

Pretty Good Privacy (PGP) is a computer program that performs public-key cryptography, private key cryptography, and key management.[186] It is considered a very secure encryption method and is available on the Internet at no cost.[187]

The recipient of a message with PGP receives the public key of the sender along with the message, and thus can transform and decrypt the message.[188] The receiver must then judge whether the public key used is actually associated with the person identified as the sender.[189] To do this, the recipient may verify the public key with another trusted person.[190] That third party can say he or she knows and trusts the sender and the public key, thereby adding some measure of reliability to the process.[191] Such verifications can be repeated as often as necessary. This scheme has come to be known as the PGP "Web of Trust."[192]

b. Certification Authorities and Public Key Certificates

Another solution to the problem of associating the public key with the person involves the use of certification authorities.[193] A certification authority issues a public key certificate to associate a person with a key pair.[194] Publication of these certificates in a repository makes a public key and its identification with a specific subscriber accessible to anyone seeking to verify a digital signature.[195] Repositories are kept in computer databases that the public can access remotely.[196] Further, such access can be accomplished automatically by the software used to verify digital signatures.[197] Therefore, the certificate identifies a key pair with a prospective signer or "subscriber" and gives a person verifying the digital signature the assurance that the public key corresponds with the person listed on the certificate.[198]

The certification authority also can digitally sign the certificate to assure authenticity.[199] The issuing certification authority's digital signature on the certificate can be verified by checking the authority's public key and certificate.[200] In this way, a matrix, or hierarchy, of certification authorities can be established to issue associated certificates.[201] A person verifying a digital signature can check the chain of associated certificates and certification authorities until he or she is adequately assured of its authenticity.[202]

Certification authorities can be either public or private entities.[203] Depending upon the circumstances, a subscriber could choose which certification authority meets his or her particular needs.[204] Certificates issued by a government certification authority may be perceived as the most trustworthy because the government is presumed to be acting in the public interest and is more stable than private entities.[205] On the other hand, a private entity may be more focused on critical tasks because its livelihood depends on its relationships with its customers.[206]

Certification authorities can be licensed by the government to issue certificates.[207] The license can therefore represent that the authority has met certain requirements, which gives that authority added credibility.[208] A scheme of licensing also can add standardization and uniformity to the widespread use of digital signatures.[209]
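The mechanics described above (a message digest signed with a private key, then a chain of certificates tying the public key to a person) can be traced in a short program. This is an added illustration, not part of the original article: it uses textbook RSA over fixed Mersenne primes with no padding to show the arithmetic only, and the names Alice, Example CA and Example Root, along with every function name, are constructed for the example.

```python
import hashlib
import json

E = 65537  # public exponent shared by all demonstration keys


def make_keypair(a, b):
    """Textbook RSA key pair from the Mersenne primes 2**a - 1 and 2**b - 1."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest(data):
    """Message digest: SHA-256 of the message bytes, as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private):
    """Transform the digest with the signer's private key."""
    return pow(digest(data), private["d"], private["n"])


def verify(data, signature, public):
    """Undo the transformation with the public key and compare digests."""
    return pow(signature, public["e"], public["n"]) == digest(data)


def cert_body(cert):
    """The certificate fields that the issuer signs."""
    fields = {k: cert[k] for k in ("subject", "issuer", "public_key")}
    return json.dumps(fields, sort_keys=True).encode()


def issue(subject, subject_public, issuer, issuer_private):
    """Issue a certificate binding a subject name to a public key."""
    cert = {"subject": subject, "issuer": issuer, "public_key": subject_public}
    cert["signature"] = sign(cert_body(cert), issuer_private)
    return cert


def verify_signed_message(data, signature, chain, root_name, root_public):
    """chain[0] is the signer's certificate; each later one certifies the
    issuer of the one before it; the last must be issued by the trusted root."""
    if not chain:
        return "no certificate presented"
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer_name = chain[i + 1]["subject"]
            issuer_key = chain[i + 1]["public_key"]
        else:
            issuer_name, issuer_key = root_name, root_public
        if cert["issuer"] != issuer_name or not verify(
            cert_body(cert), cert["signature"], issuer_key
        ):
            return f"certificate for {cert['subject']} not vouched for by {issuer_name}"
    if not verify(data, signature, chain[0]["public_key"]):
        return "message altered or not signed with the certified key"
    return "valid: signed by " + chain[0]["subject"]


def demo():
    # Constructed key pairs and names, for illustration only.
    root_pub, root_priv = make_keypair(107, 521)
    ca_pub, ca_priv = make_keypair(127, 607)
    alice_pub, alice_priv = make_keypair(89, 1279)
    imp_pub, imp_priv = make_keypair(61, 2203)

    ca_cert = issue("Example CA", ca_pub, "Example Root", root_priv)
    alice_cert = issue("Alice", alice_pub, "Example CA", ca_priv)
    chain = [alice_cert, ca_cert]

    msg = b"Pay the vendor $100"
    sig = sign(msg, alice_priv)
    root = ("Example Root", root_pub)
    results = {
        "genuine": verify_signed_message(msg, sig, chain, *root),
        "altered": verify_signed_message(b"Pay the vendor $900", sig, chain, *root),
    }
    # A key pair that is mathematically consistent but certified by no one:
    # the signature matches the key, yet nothing ties the key to Alice.
    self_made_cert = issue("Alice", imp_pub, "Example CA", imp_priv)
    other_sig = sign(msg, imp_priv)
    results["keys_match_only"] = verify(msg, other_sig, imp_pub)
    results["impostor"] = verify_signed_message(
        msg, other_sig, [self_made_cert, ca_cert], *root
    )
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The `keys_match_only` case is the situation section IV.B.2 opens with: the signature verifies against the public key supplied, and only the certificate check reveals that no trusted authority associates that key with the named person.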

D. Digital Signature Initiatives

1. Federal Government

The federal government has long been involved in the development and use of modern cryptography, primarily within the military and intelligence communities.[210] The National Institute of Standards and Technology, a part of the U.S. Department of Commerce, developed the Digital Signature Standard (DSS).[211] DSS was introduced in 1991 and approved as a Federal Information Processing Standard on May 19, 1994.[212]

DSS developers intended it to become the U.S. government's digital authentication standard.[213] Although DSS is the federal standard, the computer industry looks upon it unfavorably, preferring the RSA algorithm as a standard.[214] Unlike DSS, RSA can be used for secure exchanges of private keys.[215]

Public efforts to integrate digital signature technology include initiatives by the Internal Revenue Service (IRS), the U.S. Postal Service, and the General Services Administration (GSA). In 1995, the IRS announced plans to develop a signature verification scheme for income tax filings.[216] However, the IRS abandoned the plan because of disagreement over whether to use DSS or the more popular RSA.[217] The U.S. Postal Service is developing a system to certify electronic communications.[218] Under this system, the Postal Service would become a certification authority, certifying messages using public key cryptography.[219] The GSA is developing a public key infrastructure for use by all federal agencies.[220] The GSA's planned infrastructure reportedly will incorporate RSA and DSS to allow use by both the government and private sector.[221]

2. Private Sector

The private sector has been involved in the use of digital signatures, especially for financial transactions.[222] RSA Data Security, Inc. invented the most commonly used algorithms and holds intellectual property rights to much of the technology used for public key cryptography.[223] In 1995, RSA formed VeriSign, Inc. to build a digital certificate infrastructure and to facilitate the use of digital signatures.[224] VeriSign is believed to be the first company devoted exclusively to issuing digital identification for electronic commerce.[225]

Visa and Mastercard have announced that they will jointly develop a safe way for customers to use their credit cards on the Internet.[226] The project will use encryption technology to create a common secure transaction standard.[227] Additionally, Wells Fargo Bank is working with Netscape Communications Corp. to develop a system to transfer encrypted information to its customers over the Internet.[228] Wells Fargo is the first bank to offer its customers access to account information over the Internet and plans to expand that service to include transactions.[229]

Further, the Bank of Boston, Bank of America, and Chemical Bank have become involved in forming the Financial Services Technology Consortium's electronic check project.[230] The consortium plans to use digital signatures to sign and endorse checks and digital certificates to authenticate electronic checks.[231]

3. Other States

Digital signature laws from other states provide sample frameworks for standardized digital signatures.[232] Utah, California, Wyoming, and Washington have enacted digital signature laws.[233] While the federal government had seemed poised to provide a model for a digital signature regimen, the prospects for such a model now appear slim.[234]

a. Utah Legislation

On March 9, 1995, Utah adopted digital signature legislation.[235] Repealed and reenacted in 1996,[236] the Utah Digital Signatures Act specifies four purposes for the liberal construction of the law:

(1) to facilitate commerce by means of reliable electronic messages;

(2) to minimize the incidence of forged digital signatures and fraud in electronic commerce;

(3) to implement legally the general import of relevant standards . . . ; and

(4) to establish, in coordination with multiple states, uniform rules regarding the authentication and reliability of electronic messages.[237]

The Act authorizes the licensing of certification authorities by the Division of Corporations and Commercial Code within the Utah Department of Commerce.[238] The Act allows multiple certification authorities, but specifies qualifications for licensure[239] and duties.[240] Prospective licensees must maintain detailed, computer-based records of issued certificates that identify subscribers, contain subscribers' public keys, and are digitally signed by the certification authority issuing the certificates.[241]

The Utah law is comprehensive and addresses many issues. These issues include: "(1) the responsibilities of certificate holders or 'subscribers'; (2) the liability of a licensed certification authority; and (3) the legal presumptions established by digital signatures."[242] One very significant presumption is that a digital signature has the same legal effect as a handwritten signature if certain requirements are met.[243] One of those requirements is that the digital signature be verified by reference to the public key listed in a valid certificate issued by a licensed certification authority.[244] This is controversial because it creates the inference that unless a digital signature meets all of the requirements it is not as valid as a signature on paper.[245] Essentially, the Act creates a higher standard for electronic signatures than is required for paper signatures.[246]

The Utah law lists the required contents of certificates issued by a licensed certification authority.[247] It also specifies the qualifications required to obtain or retain a license as a certification authority.[248] Further, the Act devotes a section to the duties of the certification authority and those of subscribers.[249] These duties are very specific and comprehensive.

The Act also addresses the liabilities of issuing certification authorities and accepting subscribers.[250] For example, the law states that by specifying "recommended reliance limits," certification authorities and subscribers recommend that persons should only rely upon the certificate in transactions in which the total amount of risk does not exceed the recommended reliance limit.[251] The law also states that a certification authority is not liable for losses due to forgeries, provided the authority complied with the law's requirements.[252]

b. California Legislation

In California, digital signature legislation was enacted into law on September 5, 1995.[253] Unlike Utah's legislation, the scope of the California law is limited to public sector transactions.[254] It enables parties who comply with the statutory requirements to conduct transactions with public entities by affixing digital signatures to related electronic documents.[255] The law states that the use of a digital signature has the same force and effect as the use of a manual signature only if it embodies certain specified attributes.[256]

Digital signatures are required to conform to regulations adopted by the California secretary of state.[257] By imposing conditions upon digital signatures, the California law creates a standard for electronic signatures that is arguably higher than the standard for written signatures. This concept, also embodied in the Utah law, is controversial because there arguably is no reason to have different standards for different forms of signatures. Further, requirements and conditions only serve to hamper the development of emerging digital signature technologies. However, the controversy is mitigated somewhat because California's law only applies to transactions involving the public sector.[258]

The California law rather broadly defines a digital signature as "an electronic identifier, created by computer, intended by the party using it to have the same force and effect as the use of a manual signature."[259] This definition does not include encryption.[260] Further, the law states that the use of digital signatures is optional.[261]

c. Wyoming Legislation

During its 1995 session, the Wyoming Legislature passed a bill creating an electronic filing system law.[262] As amended in 1996,[263] the law authorizes Wyoming's secretary of state to develop a statewide electronic filing system for required records.[264] The secretary is required to adopt rules to implement an electronic filing system if such a system is actually developed.[265] The rules must "prescribe a key encryption or other identification procedure for any person wishing to file records or other documents,"[266] and "prescribe a procedure for certification of the electronic filings by the secretary of state."[267] The law also limits the liability of the secretary of state for problems arising from entry errors in the electronic filing system.[268]

d. State of Washington Legislation

On March 2, 1996, the state of Washington passed the Washington Electronic Authentication Act.[269] It is substantially similar to the Utah digital signature legislation.[270] The Washington Act becomes effective on January 1, 1998.[271]

4. American Bar Association Digital Signature Guidelines

The American Bar Association has been involved in the development of model guidelines on digital signatures through the work of the ABA Science and Technology Section's Information Security Committee.[272] The guidelines were published on August 1, 1996.[273] The committee worked in close cooperation with Utah, and the guidelines are generally consistent with the Utah law.[274]

V. THE JOINT COMMITTEE'S CONCLUSIONS AND RECOMMENDATIONS

A. Legal Status of Electronic Documents

Documents usually signed to show authenticity are termed "writings" for legal purposes.[275] The Joint Committee concluded, however, that the present definition of "writing" in section 1.01(4), Florida Statutes, is unclear as to whether documents in a digital or electronic medium are writings for the purposes of the law.[276] Therefore, the Joint Committee recommended that the Legislature amend the definition of "writing" to "include information which is created or stored in any electronic medium and which is retrievable in perceivable form."[277]

B. The Legal Status of Electronic Signatures

The Joint Committee concluded that Florida law does not presently preclude the use of electronic signatures.[278] Nevertheless, some entities may be reluctant to use them until the law gives such signatures the same force and effect as traditional signatures.[279] Additionally, the Joint Committee concluded that encouraging the transition to electronic commerce fosters the state's interests in economic development and in creating a more efficient and effective government.[280] The legal basis for the use of electronic signatures, including digital signatures, must be explicitly established.[281] The Joint Committee recommended that the Legislature amend the law to facilitate electronic commerce and the use of electronic signatures by stating that electronic signatures may be used to "sign" writings.[282]

C. Promoting the Use of Digital Signatures

The Joint Committee studied the methods of authenticating signatures and documents that use digital signature technology.[283] It concluded that digital signatures are potentially more secure and efficient than manual signatures.[284] The Joint Committee also determined that state involvement in developing a legal infrastructure for third-party verification of digital signatures could enhance public trust and confidence in the use of digital signatures and thus benefit electronic commerce. Therefore, the Joint Committee recommended that the Legislature amend the law by allowing the secretary of state to serve as a certification authority.[285] The secretary would issue certificates verifying digital signatures and, when necessary, suspend or revoke certificates.[286]

D. Promoting Electronic Commerce in State Agencies

The Joint Committee decided that digital signatures can be an effective way to authenticate electronic messages.[287] Easier mechanisms, however, also can be employed to add the appropriate level of security, authenticity, and integrity to electronic data used for electronic commerce. Such mechanisms include computer IDs, computer passwords, and facsimile technology.[288] The selection of the mechanism should depend upon the application's security risk.[289] The Joint Committee concluded that the use of any mechanism facilitating the transition to electronic commerce should be encouraged as a matter of public policy.[290] It recommended that state agencies review all agency rules and internal procedures that: (1) require paper formats; (2) limit the admissibility of electronic records based on their electronic character; (3) require handwritten signatures; or (4) require notarization that precludes electronic filings.[291] The Joint Committee recommended that agencies consider amending such rules and procedures based upon an assessment of security risks and impose functional, rather than format-specific, requirements.[292]

E. Future of Digital Signatures

The Joint Committee concluded that the use of electronic commerce on the Internet is in its early stages.[293] Moreover, it found that it is not yet known whether electronic commerce in Florida requires certification authorities or a licensing system for certification authorities.[294] Comprehensive legislation on digital signatures requires additional study before it will be warranted in Florida. The Joint Committee thus encouraged the Legislature to require the secretary of state to study issues related to expanding the use of digital signatures for electronic commerce.[295] The secretary was to report the findings and recommendations to the Joint Committee by December 1, 1996.[296] The study should address whether additional legislation, such as a law establishing procedures for the public licensure of certification authorities and establishing legal presumptions for digital signatures, is required to further Florida electronic commerce.[297]

VI. THE ELECTRONIC SIGNATURE ACT OF 1996

In response to the Joint Committee's report and recommendations, two bills were filed during the 1996 Regular Session. Senate Bill 942[298] was sponsored by Senator Donald Sullivan,[299] while House Bill 1023,[300] an identical House companion, was sponsored by Representative (now Senator) Ron Klein.[301] Senate Bill 942 was eventually enrolled and became law on May 25, 1996.[302]

A. Legislative Intent

Section 2 of the Act provides legislative intent.[303] The Act's basic intent is to promote the development of electronic commerce in the public and private sectors.[304] To achieve this purpose, electronic messages must be reliable and the public must have confidence in the use of electronic signatures.[305] A functioning electronic commerce system thus requires a framework that can support secure electronic transactions.

B. Definitions

Section 3 of the Act amends the definition of "writing" in section 1.01, Florida Statutes, to include "information which is created or stored in any electronic medium and retrievable in perceivable form."[306] The Act thus makes it clear that electronic messages and documents are legally equivalent to paper documents.

Section 4 of the Act defines the terms "certificate," "certification authority," "digital signature," and "electronic signature."[307] These terms are particularly relevant to authenticating electronic messages and documents. An "electronic signature" is defined broadly to include "any letters, characters, or symbols, manifested by electronic or similar means, executed or adopted by a party with an intent to authenticate a writing."[308] Because electronic documents do not have the same physical characteristics as paper documents, the definition includes a statement that a document is "electronically signed if an electronic signature is logically associated with the document."[309] Other terms defined in the bill refer to digital signatures and a framework of certificates and certification authorities to support their use.[310]

C. The Legal Effect of Electronic Signatures

Section 5 of the Act states that use of electronic signatures is generally allowed under the law and gives electronic signatures the same force and effect as written signatures.[311] This is a clear departure from the Utah, California, and Washington acts, which only address digital signatures.[312] Conversely, the Florida law defines and distinguishes between the very broad term "electronic signature" and the more narrow term "digital signature."[313] It gives electronic signatures the same force and effect as written signatures, unless otherwise provided by law.[314] Therefore, all types of existing and future electronic signatures, including digital signatures, are now generally on an equal legal footing with written signatures in Florida.

The Act does not address how secure electronic signatures must be to be legally effective. There may be cases where, for various reasons, agency regulations or court rules will specify exactly how signatures are to be made. However, for general purposes, the new language added by section 5 makes it clear that electronic signatures can be used for the same purposes, and have the same force and effect, as traditional signatures.[315]

D. The Secretary of State as a Certification Authority for Digital Signatures

Section 6 of the Act authorizes the secretary of state to facilitate the use of digital signatures by issuing, suspending, or revoking certificates used to verify digital signatures.[316] It also authorizes the secretary to take necessary actions to achieve the purposes of the Act.[317] Therefore, the secretary of state has the discretion to become a certification authority if necessary. The secretary's role as a certification authority would thus be to associate people with digital signatures for authentication purposes. This role, however, does not include any type of authority over, or regulation of, any other entity that chooses to be a certification authority in Florida.[318] Section 6 of the Act also authorizes the secretary to impose a fee for issuing a certificate, and requires the secretary to promulgate rules for certification activities.[319] Any participation by the public or private sector in the secretary's certification program is voluntary.[320]

E. Accountability for Use of Electronic Commerce by State Agencies

Section 7 of the Act makes each agency head responsible for adopting certain control processes and procedures.[321] Such processes and procedures are intended to "ensure adequate integrity, security, confidentiality, and auditability of business transactions conducted using electronic commerce."[322] This section emphasizes the importance of addressing security issues in developing electronic commerce applications. Thus, accountability for security is placed with agency heads.

F. Possible Future Role of the Secretary of State

Section 8 of the Act directs the secretary of state to undertake a study of the issues related to expanding the use of digital signatures.[323] These issues include the secretary's role in promoting the use of digital signatures. In particular, the report is to address whether it is in the public interest for the secretary to (1) license, certify, or register certification authorities; (2) develop requirements for certification authorities to be licensed, certified, or registered; and (3) maintain a publicly accessible database that contains certification authorities.[324] The study also could cover topics such as standards for digital signatures, liability limits for certification authorities, and additional legislation and rules for digital signatures.[325] The findings of the study were reported to the Joint Committee on December 1, 1996.[326]

VII. CONCLUSION

The development of widespread electronic commerce is a complicated process. Important developments must occur if people are to feel comfortable with changing the way they conduct business. Indeed, such developments are underway as society becomes accustomed to using computers and networks. This will lead to more efficient networks and lower prices. Individual and networked applications are being developed to make it faster, easier, and safer to conduct electronic commerce.

Many people realize the potential of electronic commerce but are not yet demanding it. Such people are unlikely to use electronic signature software and hardware until they see that it is easy, beneficial, and legal. Leadership is needed in the private and public sectors to bring about change. The private sector must continue to develop and refine the networks, hardware, and software necessary to support electronic commerce. The public sector needs to facilitate electronic commerce by helping to build the processes and infrastructure, both operational and legal, to support secure and efficient electronic commerce.

The Florida Legislature took a leading role in the development of electronic commerce when it passed the Electronic Signature Act of 1996. The Legislature laid the basic legal foundation for treating electronic documents identically to other writings. Electronic signatures, including digital signatures, are defined in law and their legal effectiveness is established. Additionally, the secretary of state is involved in developing the infrastructure necessary to support reliable digital signatures. The Electronic Signature Act of 1996 is part of the process that will lead to widespread electronic commerce in the public and private sectors. To reap the benefits, however, the public and private sectors must work together to maximize the potential of electronic commerce.