
c) Problem of the expansion of foreign currency use
If part of domestic economic activity is based on foreign currency, its influence, which is conveyed by the domestic currency's short-term interest rate, can pull down the “real economy.” Moreover, the influence of monetary policy can become insignificant, being limited to bank lending in domestic currency. Price changes for goods and services provided by foreign countries may influence the domestic economy as well.
The impact on domestic short-term interest rates would not be weak, but would be relatively strong as long as the policy authorities control the “high-powered” money. However, it's possible that the effect of fluctuations in the domestic short-term interest rate on the long-term rate is weakened through arbitrage trading. The mechanism of arbitrage trading buffers itself against much influence from the movements in short-term interest rates. However, this is not limited to the digital cash environment alone.
d) Problem of taxation
Tax evasion and trends toward tax cutting would lead to a decrease in revenue.
e) Restrictions and supervisory problems
Via the Internet, money is easily transferred to and deposited in financial institutions overseas, especially into those countries having few or no regulatory controls. This risks creating the domino effect of currency contagion and transferring some of the corruptive influences of the recipient country to the originating country. Restriction and supervision of such transactions is virtually impossible without the countries' mutual cooperation. Moreover, the individual scope of the financial institutions poses their own problems, since financial systems differ among countries. The problem of the scope of deposit insurance is present as well.
f) Problem of cash laundering, etc.
Government intervention regarding code keys and other transaction aspects may arise. Wanting to adopt such measures is natural for the authorities, but in conflict with the issue of personal privacy (Mester, 2000).
Finally, the authorities lose profit, because cash (not digital cash) is a debt with no interest and the authorities acquire interest from assets. Or the substitution of privately issued digital cash for government-issued currency reduces seignorage (see endnote 8). But the pursuit of profit is not their objective, nor is it the goal of the central bank, as the ECB says.




Conclusions
Here I have laid out the advantages and disadvantages of digital cash. It's easy to believe that there are many advantages to promoting digital cash. It also seems that the progress of IT is unstoppable, but fortunately this will make our world a more convenient and efficient place to live.



Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written
permission of Idea Group Inc. is prohibited.
The Spreading Use of Digital Cash and Its Problems 95


Nevertheless, there are a number of concurrent problems. None of these challenges are apt to be resolved swiftly and painlessly. I have analyzed these issues not only from the customer standpoint but also regarding financial institutions and authorities.
For financial institutions, this trend cannot be stopped, and so it would be prudent for them to view it as a business opportunity. If they do not find ways to adapt, they will become obsolete and fade away completely from the market. By promoting e-finance, a company can gain market share and negotiating power over suppliers, as well as earn a profit. The authorities should pay careful heed as well, guiding the “sound” market to maturity and taking care not to confuse it with excessive intervention. At the same time, they must maintain a sound financial system.
As online marketplaces are created, the choices that are made in their construction will
shape the experiences of consumers. To make online shopping more familiar it may be
useful to simulate the physical world, to bring into the virtual world analogs of physical
objects and spaces. It is also incumbent on those who stand to benefit from e-commerce
to make positive efforts to educate both the media and the public regarding e-commerce
and its security (Jarupunphol and Mitchell, 2002). Now, many potential participants are
reluctant to participate in e-commerce because of payment confidentiality, payment
integrity, and payment authorization concerns. Software agents have the potential to
take on characteristics of people in the new marketplace.
We cannot turn back now. What we need to do is analyze this trend not just from a
practical perspective but also from a theoretical one. Much research ahead is also
anticipated within the academic fields.




Endnotes
1. In detail, see Kurihara (2000).
2. See, for example, U.S. Department of Commerce (1998).
3. The settlement service for which insurance is included.
4. Counterfeiting has broadened to include digital cash as well as paper cash. And the liquidity, speed and anonymity of digital cash tend to be higher than that of paper cash.
5. See, for example, Lubove (1996), U.S. Department of Commerce (1998), and Mackintosh (1999). In Japan it is becoming preferable to avoid low interest rates.
6. Salomon (1996) also suggests the possibility that some computer software companies may be competing against financial institutions.
7. However, a current system is subject to radical change if it is first established outside of an existing system; for example, a second central bank.
8. Lacker (1996) has applied this result in a general equilibrium model.




96 Kurihara


References
The Banker. (1997, October). Getting smart.
Banks, E. (2002). E-finance. Chichester: John Wiley & Sons.
BIS. (1996). Implications for central banks for the development of electronic cash.
BIS. (2000, March). Statistics on payment systems in the Group of Ten countries.
Basle Committee on Banking Supervision. (1998, March). Risk management for electronic banking and electronic cash activity.
Berger, A. N., Hancock, D. and Marquardt, J. C. (1995). A framework for analyzing efficiency, risks, costs, and innovations in payment system. Journal of Money, Credit and Banking, 6, 815-830.
Business Week. (1995, June 12). The future of cash.
Cline, K. (1998, March/April). The smart card disconnection. Banking Strategies.
Congressional Budget Office. (1996). Emerging electronic methods for making payments. Washington, D.C.: U.S. Government Printing Office.
Davidson, S. (1997, April). Survey forecasts retail trends; Banking industry. American Community Banker, 6(4).
Gerlach, S. (1999). Who targets inflation explicitly? European Economic Review, 43, 801-813.
Hancock, D. and Humphrey, D. B. (1998). Payment transactions, instruments, and systems: a survey. Journal of Banking and Finance, 21, 1573-1624.
Humphrey, D. and Pulley, L. (1998, November/December). Unleashing electronic payments. Banking Strategies.
Jarupunphol, P. and Mitchell, C. J. (2002). E-commerce and the media - influences on security risk perceptions. In W. Cellary & A. Iyengar, Internet technologies, applications and social impact. Boston: Kluwer Academic Publishers.
Kane, E. J. (1996). Comment on alternative monies and the demand for media of exchange. Journal of Money, Credit and Banking, Part 2, 28, 961-964.
Kurihara, Y. (2000). Currency integration in the EU (in Japanese). Japan: The Chunichi Newspaper.
Kwast, M. and Kennickle, A. (1997). Who uses electronic banking? Results from the 1995 survey of consumer finances. Washington, D.C.: Division of Research and Statistics, Board of Governors of the Federal Reserve System.
Lacker, J. (1996). Stored value cards: costly private substitutes for government currency. Federal Reserve Bank of Richmond Economic Quarterly, 82, 1-25.
Lubove, S. (1996, October). Cyberbanking. Forbes.
Mackintosh, J. (1999, February 15). Mondex reaches Japanese smart card deal. The Financial Times, 4.






Mester, L. J. (2000, March/April). The changing nature of the payment system: should new players mean new rules? Business Review (Federal Reserve Bank of Philadelphia).
Orr, B. (1997, August). Smaller banks into Internet banking. ABA Banking Journal.
Poole, W. (1970). Optimal choice of monetary policy instruments in a simple stochastic macro model. Quarterly Journal of Economics, LXXXIV, 197-235.
Redman, R. (1997, September). Making a virtual connection. Bank Systems & Technology.
Revell, J. (2001). Emerging methods of payment. In P. M. Gardner & P. C. Versluijs, Banks Strategies and Challenges in the New Europe. New York: Palgrave.
Rosenblum, H. (1996, November/October). Electronic cash: hype and reality. Banking Strategies.
Salomon, F. (1996, June 6). Opening windows with the internet. Eurocash.
Santomero, A. M. and Seater, J. J. (1996). Alternative monies and the demand for media of exchange. Journal of Money, Credit and Banking, Part 2, 28, 942-960.
Shirreff, D. (2001, January 11). Small change to virtual cash. The Financial Times, 17.
Solomon, E. H. (1999). What should regulators do about consolidation electronic cash? Journal of Banking and Finance, 23, 645-653.
Timewell, S. (1996, August). Shopping for cash. The Banker.
Tringham, M. (2000, July 28). Digital cash catches on. The Times, 30.
U.S. Department of Commerce. (1998). The emerging digital economy.
Weiner, S. T. (2000). Electronic payments in the U.S. economy: an overview. Economic Review (Federal Reserve Bank of Kansas City), 4th Quarter.
Winer, J. (2002, March 28). How to clean up dirty money. The Financial Times, 1.
Woodford, M. (2000). Monetary policy in a world without cash. NBER Working Paper No. W7853.








Chapter VI

Electronic Signature: The Core Legislation Category in Digital Economy
Fjodor Ruzic
Institute for Informatics, Croatia




Abstract
E-Business, as well as all of the active participants in the digital economy environment, raises a host of new legal issues that must cope with the fact that the technical expectations imposed by participation in the digital economy will increase. Besides technology implementation, it is evident that the biggest barriers to E-Business today come from the notion that people don't trust the security and authenticity of the E-Business environment. Since the companies doing E-Business activities are not operating in an unregulated world, the old rules still apply in the new digital environment. Considering the functionality and applicability of such issues, this chapter identifies one generic key category that links all of the separate E-Business legal issues in one regulated scene - the answer is to introduce the electronic signature as the equivalent of a hand-written signature, no matter what type of information technology is in use. There are many legal environments, solutions and applications of electronic signature, from which several examples are described, accompanied with the E-Business view on electronic signature utilization.






Background and Introduction to the Digital Economy
Digital economy is the infrastructure development of modern society towards full coverage of information society attributes. The information society is coming through the convergence of three revolutions:
• digital revolution, that opens the ways for
• economic revolution, that in turn, strengthens
• social revolution.


In the scope of the information society development, the core categories should be recognized, introduced and activated (Castells, 2000). The information society, underlined with information-communications systems' full utilization and knowledge-based economy and social activities, functions just like any society. There is the community of the people that communicate to exchange opinions, knowledge, etc., and act under social rules agreed to by most of its members. Thus, we can identify three basic segments of the information society, each of them consisting of one core category:
• infrastructure - telecommunications infrastructure (the members of the society must communicate)
• services - the content (the goal of communications is to transfer the content)
• legislation - electronic signature (the goal is to compile rules of intercommunication processes in which the electronic content is interchanged).


E-Business, as well as all of the active participants in the digital economy environment, raises a host of new legal issues, which are driven by four key factors:
• electronic medium - doing activities and business in digital form, in real-time over open digital networks without paper or traditional legal and security methods, raises new legal issues;
• geographical constraints - although a digital economy is not constrained by geographical borders, countries have different laws, languages and cultures;
• business models - new ways of doing business electronically in a digital economy environment may present unfamiliar and unknown legal constraints;
• legislation models - legislators and courts alike are transforming laws as they struggle to address the features and implications of the digital revolution and digital economy, as well.


All of these facts concern E-Business systems, too. What makes the positive future scenario of the E-Business systems in the age of the information-communications systems development on which the digital economy is based? It is almost undoubtedly the Web development process, which is under way in recent days. This development correlates with the integration of telecommunications development, content integrity and legislation definition improvements. Most of the new services are Web-based or Web-oriented, which makes the future clear for E-Business development in order to fulfill information needs in the modern society.
Information technology is reshaping today's economy and transforming businesses and consumers. This is about more than e-commerce, or e-mail, or e-trades, or e-content. It is about the “e” in economic opportunity that makes the arena for new digital economy. Technology and electronic commerce are changing the way that all industries and companies are doing business. From the automotive industry to the healthcare industry, from banking to retailing, virtually every company is moving quickly to take advantage of the tremendous opportunities offered by doing business electronically.
The e-marketplaces are changing the way business is done, and as they do so the
technical demands are increasing. The marketplace would assume the role previously
exclusively held by the personal relationship, assessing the reliability and worthiness
of potential manufacturers. Products could be triple or quadruple sourced, as desired,
provided market liquidity is evident. The time from design to production and shipping
could be significantly reduced, thus providing greater agility to respond to changing
market conditions or fashion sense, and in an integrated environment could reach right
down to the fabric cutting room floor. Thus, ideally, communication is improved,
transaction costs reduced, time-to-market is significantly reduced, and the entire process
made more fluid and responsive.
Electronic commerce has changed the way business is conducted significantly. Businesses are focusing on conducting as much as possible through the Internet - be it payments of bills or ordering an appliance. For all of these things to happen through the Internet, there is a need for massive infrastructure comprising servers, operating systems, applications, software and the information-communications systems (embedded into Internet terminology). E-Business needs the support services of service providers and communications providers who make things happen through the Internet. Telecommunications technologies like WAP (Wireless Application Protocol), VoIP (Voice over Internet Protocol), have emerged, and many more new technologies are in the E-Business environment. All are occurring before the impact of the existing or previous technology slowly sets in our minds.
Any E-Business environment faces related technology issues:
• Convergence: all information appliances will be connected to some version of the Internet. At the same time, the cost of moving people and goods around is going to go up, and the cost of moving information around is going down. The result: a massive restructuring not only of the economy but also of the human landscape.
• Standardization: E-Business will operate in a much more open standards world than it has in the last decade. The tremendous private and public investments in Internet technology over the past year also mean that it will be very difficult for any single company to invest sufficiently in research, development and marketing to promote large-scale proprietary standards.
• Globalization: E-Business goes to the future of the Internet worldwide, and it's clear that some of the greatest impact of information-communications systems will be in developing global E-Business, marketplaces and alliances.


Currently and in the near future, the critical technologies for the E-Business environment are:
• Embedded computing,
• Wireless technology,
• Intelligent agents,
• Open and transparent communications infrastructure,
• Simulation and data visualization.


These constraints reshaped management challenges for most of the subjects acting within the digital economy. New technologies of data visualization, simulation techniques and broadband telecommunications platforms will become important E-Business tools (Volti, 2001). E-mail, networked groupwork and intelligent agents will rise in use among all organizations, improving communication and logistical coordination through an e-logistic environment.
Under these terms exists a new generation of employees and customers who will use
information technology and the Internet as part of growing up. Their expectations about
media, about service, about communications, and about transactions will be vastly
different from a decade ago, and their behavior patterns will turn out to be the biggest
surprise that information technology delivers to business in the next century.
And, what are the defining characteristics of E-Business? This is partly defined by the nature of the business activity. Typical features would include:
• A broad range of suppliers and products, with a strong representation of buyers, thus providing a critical mass of participants to establish the market, and the liquidity to buy or sell as needed;
• Well-established technical specifications and requirements for participation in the market;
• Quality assurance for the market, with feedback loops regarding product quality, fulfillment history, and financial transactions;
• Paperless transactions with enforceable legal agreements;
• Online contracts with digital signatures to associate authorized agents with specific documents;
• Security of the market, with strong user authentication, high standards for document integrity, transaction security, and preservation of the privacy of data of the participants.






It is evident that the technical expectations imposed by participation in the digital economy will increase. Businesses with high levels of e-competence will have a competitive advantage over those who do not. What are the requirements for successful participation? The answer will change, from industry to industry, but the minimal requirements would include a strong telecommunications infrastructure, with open Internet connectivity, and routine telecommunications services, along with a commitment to modern technical standards, system security, and transparent legislation and regulation environment.
Businesses that offer services and have taken to the Internet seriously have a responsibility to their customers to offer services in a secure manner (Ang, Dubelaar & Lee, 2001). With increasing networks across the globe for mission critical electronic commerce, securing the networks would be the primary focus. Various technologies and concepts are in place, such as Virtual Private Networks (VPN), Secure Sockets Layer (SSL), Secure Electronic Transactions (SET) and many more, to overcome and mitigate risks of transacting over the Internet. While security of operating systems, applications, and physical and logical security are addressed by the respective organizations, the areas that are exposed are the networks and communication lines which leave the organization's gates. Security is a fundamental requirement for E-Business applications such as e-mail, purchase orders, the transmission of credit card information and workflow automation using signature-based forms.




Secure and Trustworthy E-Business
The unprecedented global growth of the Internet, the promise of E-Business, and the emergence of mobile business have a profound effect upon the way organizations operate. The digital economy, which leverages the benefits of technological convergence and new business models, offers unparalleled advantages for an immense variety of service providers and their customers in the cyber marketplace. Providers see significant economies in operating in an E-Business environment that has global reach, with the prospects of cost reductions being passed on to the customer. Similarly, for online consumers, the Internet offers infinitely expanded buyer information and a range of choices that are daunting to comprehend. However, in spite of these apparent benefits the transition to the digital economy has not been without problems. For many organizations there is continuing uncertainty over which operating model to adopt, and the rather intimidating lessons of some high profile failures. The global E-Business environment will continue to pose difficult and far-reaching management challenges to leaders of online businesses. Some of these challenges are already evident and have a profound effect upon the ways of doing business. Among them, and of paramount importance, is the issue of how E-Business can maximize its value to consumers and simultaneously retain their trust and confidence.
It is evident that the biggest barriers to E-Business today come from the notion that people don't trust the security and authenticity of the E-Business environment. Building consumer trust and confidence requires thoughtful analysis of the nature of the relationship between buyers and sellers. This notion is also about privacy in the E-Business environment (E-Privacy). In the context of E-Business, E-Privacy has to be established as a core value that connects organizational culture with the best interests of the consumer. The value of E-Privacy can be viewed as an important indicator of business success. Worldwide, many high profile business failures are attributable to the lack of recognition accorded E-Privacy, and the lack of commitment to it as a consumer issue. The consequences of this oversight can lead to an erosion of consumer loyalty, negative publicity, and the loss of potential business.
When examining barriers to the implementation of E-Business, numerous studies have singled out consumers' lack of trust as a major factor. Some people reduce the trust problem to one of security, arguing that if security issues are resolved, people will be happy to transact online. However, when the trust problem is broken down into its constituents, privacy, ease-of-use or the credibility of information on the Web is revealed to be as important to consumers as security.
As far as the introduction of a new e-payment system is concerned, one should not underestimate the power of the media and reputable institutions in approaching consumers and assuring them of the system's security. Since the average consumer is unlikely to be able to assess the objective security of, say, an encryption algorithm, this issue remains, to a large extent, one of trust - namely trust in familiar information sources. Thus, a well-orchestrated marketing effort would help give consumers enough pre-interactional trust to understand, accept and use the new E-Business system. Thus, security and trust mechanisms inhibit the free flow of business information required to achieve the full potential of business benefits promised by E-Business investments.
Lack of trust is a significant problem for any E-Business - the parties involved in the E-Business processes must feel trust in the people and companies doing business on the Internet. In many traditional business relationships, trust is based on a combination of judgement or opinion based on face-to-face meetings, or recommendations of colleagues, friends and business partners. However, the E-Business environment generally does not involve human interaction and, therefore, this new context requires a new understanding of trust. Trust must be established and managed continuously in a wide range of E-Business activities.
The basis of trust is in ethics, and the topic is frequently discussed in the context of social
and democratic processes (Conte & Castelfranchi, 1995). It is also a fundamental
requirement of economic activity where the behavior of people and organizations takes
place in conditions of uncertainty (Jones & Wilikens, 2000). When one party is
dependent on the behavior of another party, the uncertainties give rise to risks. The
notion of trust within an E-Business environment involves having confidence in the
other parties, and hence having an expectation that the risks will not result in financial
or any other loss.
The specific application of trust in the E-Business environment involves several key factors:
• Identity: the ability to identify a party, good or service and to locate them in physical space, including identification and location services such as digital certificates;
• Reputation, and recommendations from parties who are themselves trusted or experienced; and proxies for reputation, such as brand names and seals of approval;
• Security of the E-Business environment including transaction data, integrity, authentication and non-repudiability, secrecy and privacy with alternatives that reduce the risk of data disclosure.


E-Business is generally considered to evidence many of the characteristics that render
trust very important. The parties commonly have little or no knowledge of one another.
They are also usually in different locations. They therefore cannot depend on physical
proximity, handshakes, body-signals, a common legal jurisdiction, or even necessarily
a definable jurisdiction.
The context of use and domain of application of the E-Business system being designed
should be taken into account. Context of use can be viewed as an important requirement
for the design. Different applications require diverse levels of security. Buying food can
be done with a credit card with basic cryptographic protection, while electronic banking
needs more sophisticated authentication and security mechanisms. Several techniques
help in establishing online e-trust:
• Electronic authentication,
• Electronic signature,
• Escrow payment services (online),
• Public Key Infrastructure (PKI).


Trust in E-Business systems is influenced by factors such as anonymity, security, reliability, and the amount of control that parties have, as well as the reputation of the entity that introduces the system. There are a number of guidelines that address the different facets of security required for E-Business systems in the digital economy. Issues of trust and security are connected to exchange, storage and management of business and personal information. These guidelines include basic tasks to be done in order to achieve a secure and trustworthy environment:
• Providing a clear and prominent policy on security with clear visibility of the security techniques employed;
• Explaining security measures in management and storage of the data;
• Establishing a customer support line on security-related issues;
• Supplying regular information updates on changes and upgrades in security;
• Taking into consideration security issues specific to the type of E-Business system;
• Giving users access to their data, allowing them to change it, and deleting outdated information in a timely manner (it can assist in building trust relations with customers);
• Minimizing the security costs (both financial and temporal) imposed on users;
• Creating a security management culture (by educating employees and implementing strict information handling policies within the company);
• Building a trust policy and trust recovery plan in the event of a security breach likely to undermine trusted relationships with customers.


From the wealth of information that proliferates on the topics of the Internet, or e-commerce specifically, there is a consensus on basic risks. Any transaction or message, financial or otherwise, would be subject to the risks. In an ordinary commerce environment, plenty of avenues are available to address these risks through formal signatures and other mechanisms that would ensure secure transactions. The major risks facing the E-Business environment concern these key issues:
• Identity or authenticity of the person: Who sent the message? Does the sender have the authority to bind the organization he or she represents?
• Data Integrity: Is the message complete or has it been altered? Is it true that the copy of the message has not been altered?
• Denial of Service: Launch of an attack which would bring down the service.
• Non Repudiation: Proving up the message in court, ensuring that the sender cannot falsely deny sending the message, ensuring that the sender cannot falsely deny the contents of the message.
• Confidentiality: Ensuring that information is not disclosed to unauthorized parties.


While E-Business flourishes through the Internet, in the digital world, laws and statutes
must be drafted and enacted to resolve disputes amongst parties. Issues will arise in the
courts of law whether documents with electronic signatures are valid or otherwise and
the extent of reliance that can be placed on the third parties. Any secure transaction is
sure to have its share of disputes and losses. These may be due to negligence by one
of the third parties or the parties to the transaction, or technological failures or any other
reason.
If the information-communications systems are used for day-to-day business and private interests - to buy consumer goods, submit tax forms or to send confidential messages - there will ultimately be the need for a digital identity. Other existing solutions - identification using credit card numbers, etc. - are simply makeshift solutions that are being used temporarily in certain areas. Normally speaking, identity is something very complex. It does not merely refer to name, date of birth, color of eyes and all those other features contained in personal identification documents, but also means a person's entire personality, background and integrity.
Digital identity means considerably less than all these everyday meanings: first of all, that
a person owns and uses a digital ID “ in other words, an ID expressed in zeros and ones
that can be transmitted via the Internet (or any other data network). This ID is digital or



Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written
permission of Idea Group Inc. is prohibited.
106 Ruzic


is also termed an electronic certificate. It confirms not just the name and e-mail address of
a person, but may also confirm other information (the name of the company where the person
is working, etc.) and the validity of the digital signature.
When a machine or a person issues someone with a certificate, this is confirmation of the
existence of this person, including the name and one or two other details. This identity
is invaluable for the entire digital economy: it forms a foundation for trust. But whether
this person is honest, creditworthy or reliable, or whether the machine is operated by a
reputable company (i.e., what in fact belongs to identity in the broader sense of the word)
remains unknown.
Nevertheless, this broader kind of reliability is also indispensable for the digital
economy. It is established by other means, beyond the scope of electronic signature
technologies. In the case of companies with a good Web presence (a shop system,
SSL, credentials, supplier brand, general terms and conditions, quality labels, etc.), this
is a good indication of their reliability, and the legislator has provided legal provisions
(remote sales law, the EU e-commerce directive, etc.).




Basic E-Business Legislation and
Regulation
Companies doing E-Business are not operating in an unregulated world. The old rules
still apply in the new digital environment, and new statutes and regulations aimed at
digital violations are quickly emerging. When it comes to regulations, ignorance is not
bliss. Advertising, sweepstakes, unsolicited commercial e-mail (spam), trade regulation
compliance, securities laws, tax regulatory compliance, and other regulatory issues can
all pose significant challenges for E-Business. Doing business in a borderless medium
raises special challenges, given that many jurisdictions have inconsistent laws regulating
E-Business, e-commerce, e-signatures, etc.
At the core of all E-Business activities is the fundamental question: "Is it legal?" The
answer depends on what law applies and how online activities are structured. Yet
determining what law applies is easier said than done when transactions are conducted
in what is essentially a borderless medium. At the same time, the Internet is profoundly
changing the law that applies to these business activities. The law that governed our
transactions six months ago may not be the law that governs them today; even if the prior
law is still relevant, it may apply in ways we never contemplated because of legal
developments in the interim (Zoellick, 2001). Many countries have already enacted
numerous statutes and regulations related to some aspect of E-Business. In some cases
these laws represent an experiment designed to anticipate and resolve issues that have
not yet arisen; in other cases they represent significantly conflicting approaches to a
common set of issues.
The foremost areas of regulation and legislation in the digital economy cover several
key issues:



Electronic Signature 107


• Electronic Transactions and Contracts (e-commerce): The electronic communication
of documents, as well as electronic advertising, contracting, and payment, are clearly
the future of e-commerce. Companies have embraced e-commerce in order to decrease
costs, streamline transactions, and increase sales. To do high-value deals online,
however, companies must feel confident that the transactions they enter into today
will be legally enforceable and binding tomorrow. In the paper-based world, putting a
contract on company letterhead and using ink signatures helps to provide that
reassurance. Concern over what that means in the digital world has produced an
explosion of legislation at national and international levels.
• Electronic Finance (services, tax and customs): The proper characterization of
a transaction for tax purposes is probably the most difficult issue in the taxation
of e-commerce. Nevertheless, characterization is critical to determining how an
e-commerce transaction will be treated for income tax and consumption tax (VAT)
purposes. Local, national, and international tax authorities and organizations are
struggling with these concepts and trying to decide whether new legislation will
be needed or whether existing rules can be applied to the new concepts.
• Intellectual Property Laws (trademarks, copyrights, and patents): Companies
face unprecedented challenges both in protecting their intellectual property
worldwide and in minimizing the likelihood that they might be infringing someone
else's intellectual property rights (Sang, 2002).
• Privacy and Personal Data Protection: Thanks to information-communications
systems, it has never been so easy to collect, reproduce, disseminate, and compile
personally identifiable information. Organizations have never faced such daunting
privacy issues regarding this increasingly indispensable information, and
E-Businesses should address the attendant privacy issues in order to avoid legal
liability. Given the current media and legal climate, and the fact that the tracking
abilities of electronic communications and technology will only increase in the future,
concerns about the privacy of electronic communications are recognized in many
countries, and many privacy-related bills are now pending on both the national and
the international scene.
• Information Security (cybersecurity, cybercrime): New information and communications
technologies give rise to new opportunities for their abuse, which in turn give rise to
legal restrictions. This creates the need to legislate against a variety of new abuses
and frauds, or old frauds committed in new ways. Cybercrime may cause serious
financial damage, and computer-related offences frequently involve more than economic
loss: the damage can be wasted time, or the loss of privacy and security. The most
significant harm and danger caused by cybercrime is the threat of lost reliability and
lost trust in cyberspace. There is another aspect of harmful and dangerous activity
within the E-Business environment: the broadcasting of digital content. There is no
consensus yet, either on what kind of content should be prohibited or on how it can
be handled.






• Consumer Protection: Considering the functionality and applicability of all these
issues, it is worth finding one generic key category that links the separate issues in a
single regulated scene. Since a signature means almost everything in the physical world
of paper-based business, some kind of instrument that can ensure the security, trust
and functionality of E-Business should be introduced. This is considered the core
category of any national and international regulation of the digital economy, and the
answer lies in giving electronic signatures equivalence with hand-written signatures,
no matter what type of information technology is in use.




Electronic Signature as the Core
Category in Digital Economy

Background

For E-Business of any kind (private or public sector) to grow, businesses must implement
the use of electronic signatures correctly and legally. With the advent of electronic
signatures, E-Business is changing the way we sign and store documents. Thus, any
business that wants to succeed in the digital economy must deal with electronic
signatures. Signing is an everyday activity wherever a law or other arrangement
requires a person's signature. A signature is needed as a medium for authentication
in order to identify the person (the signer), to indicate the person's approval of the
information communicated and to make it legally applicable.
Whether captured on paper or electronically, a signature has a specific legal definition
and purpose. The commercial codes (the laws adopted by most countries to govern
commercial transactions) define a document that is "signed" as one that includes any
name, word, mark, or symbol executed or adopted by a party with the present intention
to authenticate the writing. A signature usually serves several purposes, including
authentication and attribution of a document to its signer, a reminder of the significance
of the document, evidence that the signer intended the signed document to have legal
effect, and an indication that the signed document was intended to be the final version.
In today's digital economy, establishing a framework for the authentication of
computer-based information requires familiarity with concepts and professional skills
from both the legal and the computer security fields. Combining these two disciplines
is not an easy task. Concepts from the information security field often correspond only
loosely to concepts from the legal field, even where the terminology is similar.
The historical legal concept of signature is broader. It recognizes any mark made with the
intention of authenticating the marked document. In a digital setting, today's broad legal
concept of signature may well include markings as diverse as digitized images of paper
signatures, typed notations, or even addressing notations, such as electronic mail





origination headers. A signature is not part of the substance of a transaction, but rather
of its representation or form. Signed writings serve the following general purposes:
• Evidence: A signature authenticates a writing by identifying the signer with the
signed document. When the signer makes a mark in a distinctive manner, the writing
becomes attributable to the signer.
• Ceremony: The act of signing a document calls to the signer's attention the legal
significance of the signer's act, and thereby helps prevent "inconsiderate
engagements."
• Approval: A signature expresses the signer's approval or authorization of the
writing, or the signer's intention that it have legal effect.
• Efficiency: A signature on a written document often imparts a sense of clarity and
finality to the transaction and may lessen the subsequent need to inquire beyond
the face of the document.


To achieve the basic purposes of signatures outlined above, a signature must have the
following attributes:
• Signer authentication: A signature should indicate who signed a document,
message or record, and should be difficult for another person to produce without
authorization.
• Document authentication: A signature should identify what is signed, making it
impracticable to falsify or alter either the signed matter or the signature without
detection.


Signer authentication and document authentication are tools used to exclude impersonators
and forgers, and are essential ingredients of what is often called a non-repudiation
service. A non-repudiation service provides assurance of the origin or delivery of data
in order to protect the sender against false denial by the recipient that the data has been
received, or to protect the recipient against false denial by the sender that the data has
been sent. Thus, a non-repudiation service provides evidence to prevent a person from
unilaterally modifying or terminating legal obligations arising out of a transaction
effected by computer-based means.
Traditional methods, however, are undergoing the fundamental changes that come with
the digital economy. Although digital media are in use, documents continue to be
written on paper, sometimes merely to satisfy the need for a legally recognized form.
In many instances, the information exchanged to effect a transaction never takes paper
form. Computer-based information can also be used differently than its paper counterpart.
For example, computers can read digital information and transform it or take
programmable actions based on it. Information stored in digital media rather than on
paper can travel at nearly the speed of light and may be duplicated without limit at
insignificant cost. Although the basic nature of transactions has not changed, the law
has only begun to adapt to advances in technology. The legal and business communities
must develop rules and practices that use new information





technology to achieve and surpass the effects historically expected from paper forms.
Electronic signature technology generally surpasses paper technology in all these
attributes.


Electronic Signature: Scope and Definition

The term electronic signature can be defined as a sound, symbol or process attached
to or logically associated with an electronic record by a person (a signer) with the present
intent to authenticate that record. Downloading software from the Internet typically
includes reading the licensing agreement and clicking "I accept"; the person is then using
a kind of electronic signature (the click, combined with the person's self-identification,
creates the signature). If a person places a trade over the phone and verbally confirms
that they want to buy or sell stock, the recording of the person's voice could be considered
an electronic signature. Digital signatures and images of handwritten signatures also
constitute electronic signatures. A handwritten signature signals intent to agree with the
terms of a document, and it authenticates, at least in theory, the identity of the signer.
Handwritten signatures do not have an exact parallel online. In the electronic world, a
person may end up doing the same things in a different way. Authentication may be
done up front and the signal of intent given later. Authentication, the act of making
sure that signers are who they say they are, can be handled online in several ways: a
signer can use a digital certificate or smart card, provide a fingerprint or retina scan, or
answer additional questions regarding personal identification. A signal of intent may be
created online by clicking an "I accept" button, by signing one's name on an electronic
signature pad or by appending a signature image to a document.
Hence, the definition of electronic signature within most national legislation
is a generic, technology-neutral one, which recognizes that there are many different
methods by which a person can sign an electronic record. In all cases, electronic
signatures are represented digitally, but they can take many forms and can be created
by many different technologies. Examples of electronic signatures include:
• A name typed at the end of an e-mail message by the sender;
• A digitized image of a handwritten signature that is attached to an electronic
document (sometimes created via a biometrics-based technology called signature
dynamics);
• A secret code, password, or PIN that identifies the sender to the recipient (such as
those used with phone cards and credit cards);
• A unique biometrics-based identifier, such as a fingerprint, voice print, or retinal
scan;
• A mouse click (such as on an "I accept" button);
• A sound (or voice recording) intended to signify agreement;
• A digital signature (created through the use of public key cryptography).






There are other ways of signing an electronic document, and presumably many more will
be developed in the future. However, all forms of electronic signature must satisfy
three requirements:
• there must be a digitally mediated symbol or process,
• the digitally mediated symbol or process must be logically associated with an
electronic record, and
• the digitally mediated symbol or process must be made with the intent of a person (a
signer) to sign the electronic record.


Forms of Electronic Signature Technology

In an E-Business environment and networked economy, authentication and identification
of parties are vital elements of functionality, operability and security. We should also
underline the distinction between authentication and identification.
Authentication refers to the verification of a claimed identity. In other words, the user
wishes to log on to a network or service, or undertake an online transaction, and claims
to be a certain person. The authentication process seeks to verify this claim through the
provision of a characteristic (PIN, password, token, biometric or other information), or
multiple characteristics, known to be associated with the claimed identity. There is
therefore a one-to-one matching process involved, as the characteristic in question is
matched against the reference associated with the claimed identity, according to
predefined threshold criteria in the case of biometrics.
Identification seeks to identify a user from within a population of possible users,
according to a characteristic, or multiple characteristics, that can be reliably associated
with a particular individual, without an identity being explicitly claimed by the user. There
is therefore a one-to-many matching process involved against a database of relevant
data. We should perhaps make a further distinction between identifying an individual
from within a known population using relevant characteristics (PIN, password, token,
biometrics, etc.) and seeking to identify an individual via connectivity address information.
In the latter case, we may correctly identify an address and the name registered in
association with it, but that does not necessarily guarantee that the same individual
undertook a specific transaction (unless robust biometrics have been used across
multiple processes).
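The one-to-one versus one-to-many distinction above, as an added example that is not part of the chapter. It models authentication as a salted, stretched password check against the single reference for the claimed identity, and identification as a nearest-match scan over a small population of constructed "biometric" feature vectors, with a Euclidean distance threshold standing in for a real matcher's similarity score. The names, secrets, templates and thresholds are all made up for the illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 50_000  # PBKDF2 work factor; raise it in production


def enrol_secret(secret, salt=None):
    """Store a salted, stretched hash of a shared secret (PIN or password), never the secret itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def authenticate(store, claimed_id, secret):
    """One-to-one: the user claims an identity and the secret is checked against that one reference."""
    ref = store.get(claimed_id)
    if ref is None:
        # Do the same work for an unknown identity so timing does not reveal which ids exist.
        hashlib.pbkdf2_hmac("sha256", secret, b"\x00" * 16, ITERATIONS)
        return False
    salt, digest = ref
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS))


def identify(templates, sample, threshold):
    """One-to-many: no identity is claimed; every template is scored and the closest one is
    accepted only if it lies within the threshold. Returns (identity or None, best distance)."""
    best_id, best_dist = None, math.inf
    for uid, template in templates.items():
        dist = math.dist(sample, template)
        if dist < best_dist:
            best_id, best_dist = uid, dist
    return (best_id if best_dist <= threshold else None), best_dist


# Constructed reference data: two enrolled secrets and three toy "biometric" templates.
SECRETS = {
    "alice": enrol_secret(b"correct horse", b"A" * 16),
    "bob": enrol_secret(b"battery staple", b"B" * 16),
}
TEMPLATES = {
    "alice": (0.10, 0.80, 0.35),
    "bob": (0.90, 0.20, 0.60),
    "carol": (0.50, 0.50, 0.50),
}


def demo():
    """Outcomes discussed in the text: three 1:1 checks, then 1:N matching at two thresholds."""
    a1 = authenticate(SECRETS, "alice", b"correct horse")   # True
    a2 = authenticate(SECRETS, "alice", b"battery staple")  # False: a valid secret, but not alice's
    a3 = authenticate(SECRETS, "mallory", b"anything")      # False: unknown identity
    # A live sample close to alice's template is identified without any claimed identity.
    i1, _ = identify(TEMPLATES, (0.12, 0.78, 0.33), threshold=0.10)  # "alice"
    # A sample between templates is rejected at a strict threshold but accepted at a loose one:
    # loosening the threshold (or growing the population) raises the false-accept risk of 1:N matching.
    i2, _ = identify(TEMPLATES, (0.30, 0.50, 0.50), threshold=0.10)  # None
    i3, _ = identify(TEMPLATES, (0.30, 0.50, 0.50), threshold=0.25)  # "carol"
    return a1, a2, a3, i1, i2, i3
```

The last two identification calls make the practical point: the same ambiguous sample is rejected at a strict threshold and accepted at a loose one, so the threshold of a one-to-many system has to be set against the size of the population it searches, whereas the one-to-one check only ever compares against the single reference for the identity that was claimed.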
While the rapid development of new information technologies has improved the ease of
access to and use of digital information, it has also led to fears that consumer protection,
intellectual property rights, privacy and related issues could be eroded by the illegal
copying and redistribution of digital media. Mechanisms to protect digital content are
seen as a necessary step towards the creation of a global business and commercial
information infrastructure. While equipment capable of copying digital content exists in
any E-Business environment, some technologies related to electronic signatures are
emerging to provide organizations with the desired degree of protection and to act as a
disincentive to information piracy. These technologies include:






• Watermarking: A technique for embedding hidden data that attaches copyright
protection information to a digital object and provides an indication of ownership
of the object signed by the watermark.
• Fingerprinting: A technique that identifies the recipient of a digital object as well as
its owner, and acts as a deterrent to illegal redistribution by enabling the owner of
the digital object to identify the original user of a redistributed copy.


E-Business users are not confident enough in the security of online systems to believe
that a hacker cannot break in and steal credentials there. Password lists and credit card
lists are stolen regularly from online servers, and can just as easily be lifted from
unsuspecting users' machines by malicious software; the "Love Bug" virus, for instance,
was designed to collect user credentials and mail them out. A shared secret has to be
revealed to the verifier every time it is used, so shared-secret systems, including
passwords and biometrics, are inappropriate for use directly as electronic signatures,
although they still have an important indirect role (for example, in protecting access to
a signing key). What is needed are credentials that do not have to be given away in order
to prove an identity or to create a verifiable electronic signature. Fortunately, proven
technology that solves this problem is available in the form of the Public Key Infrastructure.


Public Key Infrastructure

Security is always a concern with any electronic signature technology. An electronic
signature based on asymmetric cryptography (a digital signature) is considered superior
to a handwritten signature in that it attests to the contents of a message as well as to the
identity of the signer. As long as a secure hash function is used, there is almost no chance
of taking someone's signature from one document and attaching it to another, or of
altering a signed message in any way without detection. The slightest change in a signed
document will cause the digital signature verification process to fail. Thus, public key
authentication allows people to check the integrity of signed documents. If a signature
verification fails, however, it will generally be difficult to determine whether there was an
attempted forgery or simply a transmission error.
Within a Public Key Infrastructure environment, the electronic signature takes the form of
a digital signature, a data item that vouches for the origin and integrity of a document or
message (Forno & Feinbloom, 2001). A digital signature is a mechanism employed within a
public key cryptosystem that enables the originator of a digital object to generate a
signature with a private-key operation, in order to provide the recipient with proof of the
authenticity of the digital object's originator (author).
A Public Key Infrastructure uses the digital signature as one type of electronic signature. It
is made with asymmetric cryptography in order to authenticate the contents of a document,
secure its integrity and attribute it to a particular signatory; confidentiality, if required, is
provided separately by encrypting the document to the recipient. When a digital signature
is created within a Public Key Infrastructure, the document is finalized, a fixed-length
numerical hash of its contents is computed, and that hash is transformed with the signer's
private key into the signature, which is attached to the document. Any change in the
document results in a hash that does not match the one recovered from the signature, so
verification fails.





Figure 1. View of the digital certificate




Within a Public Key Infrastructure, the parties rely on a third party known as a Certification
Authority. The Certification Authority does not handle the document itself; it authenticates
the identities of one or more of the parties by issuing digital certificates that bind each
party's public key to its identity, publishes those certificates together with revocation
information, and thereby lets a recipient obtain the public key needed to verify a signature,
or to encrypt a message to the key holder. Taken together, the hashing of the document, the
private-key operation on the hash, and the certificate that vouches for the matching public
key constitute the digital signature as relied on in practice.
A digital certificate can be issued by the organization initiating the approval process or
by a Certification Authority. A certificate usually contains the holder's name, a serial
number, a validity period with an expiration date, the holder's public key, which recipients
use to verify signatures and to encrypt messages to the holder, and the issuer's own
signature over these fields. The corresponding private key, with which the holder signs
documents and messages, is never part of the certificate and must remain with the holder.
Cryptography binds the digital signature to a document: if someone changes the terms and
conditions or prices in that electronic document, the signature becomes invalid.
Although digital signatures and the assistance of Certification Authorities can be costly,
they provide worthwhile safeguards against electronic document tampering, deception,
fraud, and unwanted disclosure, particularly when the stakes are high. Most people
consider digital signatures to be the most robust technology available. But the strength




of a digital signature depends on the rigor of its registration process. In some cases, a
Certification Authority may register new key holders by simply asking users to
type in their e-mail addresses. In other cases, the Certification Authority asks registrants
for several pieces of private information, such as Social Security numbers, the last four
digits of their driver's licenses or the amount of the last check they wrote. If even greater
security is called for, registrants can be required to appear in person at the Certification
Authority's premises with multiple forms of identification. When this last procedure is
used, electronic signatures made with the assistance of a digital signature are taken as
equivalent to handwritten signatures in most national legislation on electronic business
and electronic commerce.
Public Key Infrastructure strength also raises a new issue on the signer's side: users
(signers) must keep their private keys private. The private key resides on a computer or
on a smart card, and the user has to protect it; otherwise someone could get hold of it and
sign with it.
Electronic signatures within a Public Key Infrastructure environment are created and
verified with public-key (asymmetric) cryptography, where one key is used for creating a
digital signature and another key for verifying it. These two keys (which form a key pair)
are collectively termed an asymmetric cryptosystem. The processes of creating an
electronic signature and verifying it through the Public Key Infrastructure accomplish the
essential effects desired of a signature for many legal purposes:
• Signer authentication: If a public and private key pair is associated with an
identified signer, the electronic signature attributes the message to the signer. The
electronic signature cannot be forged unless the signer loses control of the private
key, for instance by losing the media or device in which it is contained.
• Message authentication: The electronic signature also identifies the signed
message, typically with far greater certainty and precision than paper signatures.
Verification reveals any tampering, since the comparison of the hash results (one
made at signing and the other at verifying) shows whether the message is the
same as when signed.
• Affirmative act: Creating an electronic signature requires the signer to use the
signer's private key. This act can perform the ceremonial function of alerting the
signer to the fact that he or she is consummating a transaction with legal
consequences.
• Efficiency: The processes of creating and verifying an electronic signature provide
a high level of assurance that the electronic signature is genuinely the signer's.
Compared to paper methods (such as checking specimen signature cards, methods
so tedious and labor-intensive that they are rarely used in practice), digital
signatures yield a high degree of assurance without adding greatly to the resources
required for processing.


Digital signatures are often described as a reversal of public-key encryption: in RSA-style
schemes, data transformed with the sender's private key can only be recovered with the
sender's public key. By using the sender's public key to recover the hash from the digital
signature, the recipient establishes that the signature was generated with the sender's
private key. Anyone with access to the




Figure 2. Digital signature verification




sender's public key can verify the digital signature. By comparing the hash value recovered
from the signature with a hash freshly computed from the received data, the recipient
establishes that the data did not change during the transfer.
Can a digital signature be forged? Not in practice, as long as the private key remains secret
and the hash and signature algorithms are unbroken. We like to think that a handwritten
signature is unique to the signer and to the pieces of paper which hold it. What if someone
produces a good likeness of your handwritten signature? Or what if, on a long contract,
someone changes the text of the pages preceding the signature page? In these instances
the signature looks valid, but the document has been altered. With digital signatures,
forgery is next to impossible, and far more difficult than forging a handwritten signature.
First, a digital signature is more of a process than the affixing of a mark. When a document
is "digitally signed," the signing software computes a hash of the whole document, a
fixed-length value that represents its contents, and it is this value that is transformed with
the private key to form the "digital signature." When the recipient verifies the signature,
the same hash computation is carried out on the received document and compared with
the value recovered from the signature. If the two are the same, the signature is valid. If
they differ, the signature is not valid.


Figure 3. Signed document flow within PKI environment






The process of creating a digital signature in E-Business communication is carried out by
the sender, and verification of the digital signature is performed by the receiver. The
example of writing and sending a check illustrates how digital signature technology works.


Digital Signature Creation
• Sign: To begin the process, a check must be created. In order to create a digital
signature for the check, a hash function is applied to it. A hash function is a
mathematical algorithm that creates a digital representation, or fingerprint, of the
message in the form of a message digest. The hash result has a standard length that
is usually much smaller than the message but is nevertheless substantially unique to
it, so that recomputing it later reveals any modification to the check (message) since
it was signed. The sender's digital signature software then transforms the hash result
into a digital signature using the sender's private key. The resulting digital signature
is thus unique both to the message and to the private key used to create it. Typically,
a digital signature is appended to its message and stored or transmitted with it.
However, it may also be sent or stored as a separate data element, so long as it
maintains a reliable association with its message. Since a digital signature is unique
to its message, it is useless if wholly disassociated from it.
• Seal: Since public-key algorithms are slow compared with symmetric ones, the signed
check is not encrypted with the receiver's public key directly. Instead, the check is
encrypted with a fast symmetric key (generated uniquely for this occasion), and then
the symmetric key is encrypted with the receiver's public key. Now only the receiver's
private key can recover the symmetric key, and thus decrypt the check. A digital
version of the envelope has been created.
• Deliver: At this point, the digital envelope is sent electronically to the receiver and
the verification process begins.


Digital Signature Verification
• Accept: The encrypted digital envelope arrives at the destination.
• Open: The receiver of the check decrypts the one-time symmetric key by using the receiver's private key. Then the check is decrypted using the one-time symmetric key. Once this has been completed, the verification process begins.
• Verify: Verification of a digital signature is accomplished by computing a new hash result of the original message. Then, using the sender's public key and the new hash result, the verifier checks: 1) whether the digital signature was created using the corresponding private key; and 2) whether the newly computed hash result matches the original hash result. The software will confirm the digital signature as verified - the sender's private key was used to digitally sign the message and the message was unaltered. If the verification cannot be made, the software will identify that verification has failed.
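The sign / seal / open / verify sequence above, as an added example that is not part of the original chapter: Go code using RSA-2048 (PKCS#1 v1.5 signatures, OAEP key wrapping), SHA-256 as the hash function and AES-256-GCM as the one-time symmetric cipher; the Envelope layout and every function name are this example's own choices. The same envelope also shows the key-management point made later in the chapter about symmetric keys: the one-time key never travels in the clear, only wrapped under the receiver's public key.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what travels from sender to receiver (this example's own layout).
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted with the receiver's public key
	Nonce      []byte // AES-GCM nonce for Sealed
	Sealed     []byte // AES-GCM ciphertext of: 2-byte signature length || signature || check
}

// Sign hashes the check with SHA-256 and signs the digest with the sender's private
// key, so the signature is unique to both the message and that key.
func Sign(senderPriv *rsa.PrivateKey, check []byte) ([]byte, error) {
	digest := sha256.Sum256(check)
	return rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
}

// Seal encrypts signature and check under a fresh symmetric key, then wraps that
// key with the receiver's public key: only the receiver's private key can recover it.
func Seal(receiverPub *rsa.PublicKey, check, sig []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 12-byte GCM nonce, used for this envelope only
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Length-prefix the signature so the receiver can split it from the check.
	payload := append([]byte{byte(len(sig) >> 8), byte(len(sig))}, sig...)
	payload = append(payload, check...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// Open recovers the one-time key with the receiver's private key, decrypts the
// payload (GCM also rejects any tampering with it) and returns (check, signature).
func Open(receiverPriv *rsa.PrivateKey, env *Envelope) ([]byte, []byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Sealed, nil)
	if err != nil {
		return nil, nil, err
	}
	if len(payload) < 2 || len(payload)-2 < int(payload[0])<<8|int(payload[1]) {
		return nil, nil, errors.New("malformed envelope payload")
	}
	n := int(payload[0])<<8 | int(payload[1])
	return payload[2+n:], payload[2 : 2+n], nil
}

// Verify recomputes the digest of the received check and checks the signature with
// the sender's public key: nil means the check is unaltered and was signed by the
// private key matching senderPub; any other outcome is a failed verification.
func Verify(senderPub *rsa.PublicKey, check, sig []byte) error {
	digest := sha256.Sum256(check)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```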


An electronic signature is a convenient, timesaving, and secure way of signing electronic documents. An electronic document is any document that is generated or stored on a computer, such as a letter, a contract, or a will. In addition, an electronic document can be an image, such as a blueprint, a survey plat, a drawing, or even a photograph, and an electronic signature can be used to sign these documents. This means that the authenticity of any electronic document can be verified by an e-signature, but only if the document originally was "signed" using an e-signature program (software). Although this sounds complicated, it is a simple process which may vary slightly with the software in use, and the e-signature software does all the work. The signer selects the signature option, then selects the document, and finally enters a secret Authorization Code. Everything is accomplished electronically. In the PKI environment, a digital certificate is added to the signed document, thus making verification available at any time after the document is signed.
Unfortunately, nobody can actually see the signer's handwritten signature, and there is no relationship to the signer's handwritten signature. While there's more to it behind the scenes, the visible portion of the digital signature is the signer's name, title and firm name, along with the certificate serial number and the Certification Authority name.
Digital signatures still face some cultural hurdles, such as convincing users to accept a line of hash code instead of a penned name. Several software solutions cover both ideologies by combining a PKI-based digital signature and a pictorial representation of the handwritten signature.
Visible Electronic Signature Protocol is a digital electronic signature protocol that allows the recipient of a secure electronic document to visually confirm the signature of the author and the authenticity of the document, just as with a paper document. A signature image, such as a seal or a written signature, is presented to the end user for verification. This intuitive approach to the digital signature process allows for extremely high confidence in the security and privacy of the encryption-decryption process, and provides a tamper-resistant way to transmit documents which must remain secure, such as e-commerce orders, contracts, blueprints, surveys, drawings, or photographs. The protocol works by encrypting the signature image.

Figure 4. Verifying a graphically presented e-signature; if the document is changed or the certificate used is not valid, the cross-circled mark is presented to the reader (panels: "valid signature - verifies your signature and document"; "non valid signature - identifies when a document is modified")
As E-Business searches for more secure authentication methods for user access, e-commerce, and other security applications, it should be noted that the security field uses three different types of authentication:
• something the user knows - a password, PIN, or piece of personal information
• something the user has - a card key, smart card, or token
• something the user is - a biometric


If an E-Business system is carefully constructed, almost any of these technologies could provide industrial-strength e-signatures, together with a number of additional tools that are not yet available:


Smart Cards
With a digital certificate or smart card protected by a password, there is two-factor authentication - something the owner knows and something the owner has - and that makes e-signature protection stronger. Smart cards have finally entered the public domain and are used in a variety of applications, sometimes without the user being aware that they are actually using a smart card. The smart card itself is simply a plastic card with an integral embedded chip. This provides a degree of tamper resistance and security for the information held within the card. Smart cards may be categorized into two primary types, memory cards or microprocessor cards. Memory cards simply store data and allow that data to be subsequently read from the card. Microprocessor cards, on the other hand, allow for additions and deletions to the data, as well as various manipulations and processing of the data. Smart cards may be further categorized into contact or contactless cards. Contact cards require the card to be physically inserted into a smart card reader. Contactless cards enable the card to be read without physical contact via a radio frequency link with an antenna embedded in the card. There is in fact another type of card, called a combination card, that combines both contact and contactless technology. This allows the card to be read by either type of card reader or, alternatively, by both techniques at the same time, enabling a higher degree of security.

Figure 5. Smart card occurrences - contact and contactless
Smart cards support our contemporary networked society via a variety of applications,
including network access control, secure payment systems, health care applications,
ticketing applications, loyalty and other areas. They may also be used to store digital
certificates and passwords and can encrypt sensitive data. Perhaps one of the most
visible applications is that of SIM cards used for mobile phones. SIM stands for
Subscriber Identification Module and the SIM cards store subscriber information which
allows phones to be instantly personalized as well as providing roaming across different
networks and devices. The mobile phone SIM card also provides for a variety of value-
added services to be provided by the telecommunication companies as appropriate. An
often referred to aspect of smart card technology is the potential for the multi-application
card. The idea of multiple applications via the use of a single card is an attractive one.
However, for this to be possible there needs to be a degree of interoperability between
cards and applications. This interoperability has so far been rather weak, although there
are now various initiatives with the aim of improving this vital aspect of smart card
technology. There is of course an ISO standard for smart cards (7816 parts 1-10), although different industry sectors have tended to create their own proprietary versions based around the ISO generic standard. There have also been related initiatives such as the Microsoft PC/SC standard, which was originally for Windows-based systems only, although this has now been opened up to be a cross-platform initiative. Indeed, the PC/SC initiative boasts an impressive membership of several distinguished companies from the computer and telecommunications marketplace.
Another initiative called OpenCard has similar ambitions to provide interoperability across applications. Perhaps the most interesting development of all in this context is Java Card (Wenderoth, 2001). Java Card provides the potential for Java applets to run right
on the card itself, a very interesting capability for those seeking to develop smart card
applications. Smart cards are a valuable addition to this world because they interface
seamlessly with smart devices and intelligent systems, giving people convenient and
direct access to relevant information stored on powerful networks. The portable creden-
tials on the smart card can securely identify and authenticate its owner, across the range
of smart devices, providing a consistent means of authorization and digital signature for
E-Business transactions. With embedded applications, these reloadable personal data
carriers also allow users to tailor applications to fit personal needs. Smart cards are
becoming crucial components of the E-Business economy and contribute to the realiza-
tion of E-Business anytime, anywhere.
Public key cryptography is a critical element in contactless systems. Traditionally,
contactless systems have employed little-to-no security, due in large part to the very
constrained nature (i.e., size or space limitations) of the token or card. To date, the
majority of the security leveraged has been password-based technology, symmetric
cryptography for authentication and/or confidentiality services or, in some very limited
situations, legacy public key algorithms like RSA. It is clear that no security at all is
unacceptable and that password-based systems have very well known management
issues and security vulnerabilities.





Currently, the choice for strong security is between symmetric and public key cryptog-
raphy. Symmetric key cryptography is characterized by the use of a single key to perform
both the encryption and decryption of data. The primary weakness of symmetric key
cryptography is referred to as the key management problem. Since the same key is used
for encryption and decryption, it must be kept secure. Symmetric key cryptography
transforms the problem of transmitting messages securely into that of transmitting keys
securely. Ensuring that the sender and receiver are using the same key and that potential
adversaries do not know this key remains a major stumbling block for symmetric key
cryptography. In addition, when a new application is added to a symmetric key-based
system, it must be permitted the same level of trust as the existing applications. If this
new application (or any other trusted element of a symmetric key system) is compromised,
so too is the entire system. In a contactless system that has tens of thousands of tokens
or tags, the ramifications of this compromise can be catastrophic.
Public key cryptography overcomes the key management problem by using different
encryption and decryption key pairs. This presents a significant advantage because two
users can communicate securely without exchanging secret keys (Kozlov & Reyzin, 2003).


Signature Pads
This is a strong way of signaling signer intent because the person is signing in a traditional way. It's hard for persons (signers) to argue that they didn't know what they were doing - a signature pad also offers a biometric signature, so it is used to authenticate the signature as well. It is helpful for E-Business to let customers sign applications electronically in their homes. E-signature pads are also used as the biometric mechanism for verifying a handwritten signature against the holder of the pen.

Figure 6. Example of an electronic pad system accepting a written signature for the digitalization process in electronic signature-based applications
Biometrics refers to the automatic identification of a person based on his/her physiological or behavioral characteristics. This technology of identification is preferred over traditional methods involving passwords and PINs (Personal Identification Numbers) for various reasons: the person to be identified is required to be physically present at the point of identification, and there is no need to remember a password/PIN or carry a token. At the same time, biometrics technology can potentially prevent unauthorized access to or fraudulent use of computer networks and information appliances connected to the E-Business environment. PINs and passwords may be forgotten, and tokens may be forged, stolen or lost. Biometrics technology is used in two basic ways - as an authentication system or as an identification system. It is worth noting that although biometrics technology provides stronger identification, a biometric identification system based solely on a single identifier (fingerprints, faces, voice or another feature) is not able to meet high performance requirements - thus, identification based on multiple biometrics represents an emerging trend.
Security systems use biometrics for two basic purposes: to verify or to identify users (Nanavati, Thieme & Nanavati, 2002). Biometrics measures individuals' unique physical or behavioral characteristics to recognize or authenticate their identity. Common physical biometrics include fingerprints; hand or palm geometry; and retina, iris, or facial characteristics. E-commerce developers are exploring the use of biometrics and smart cards to more accurately verify a trading party's identity. For example, many banks are interested in this combination to better authenticate customers and ensure non-repudiation of online banking, trading, and purchasing transactions. Point-of-sale (POS) system vendors are working on the cardholder verification method, which would enlist smart cards and biometrics to replace signature verification (Schaechter, 2002). MasterCard estimates that adding smart-card-based biometrics authentication to a POS credit card payment will decrease fraud by 80 percent.
In the smart card - biometrics convergence process, the biometric information could be represented by a fingerprint (Struif, 2001). During the enrollment phase, a fingerprint template of the user is stored in a secure environment (smart card). For integrity and authenticity purposes, the (hashed) fingerprint is then inserted in an "attribute certificate", and the same smart card also stores an X.509 certificate of the user, which will be used to digitally sign electronic documents. In order to validate the fingerprint-identity pair, two important pieces of information are added to the attribute certificate:
a) the serial number of the smart card - in this way the fingerprint can only be used with that smart card
b) the serial number of the X.509 user digital certificate - in this way, the fingerprint can only be used together with its owner
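The two bindings a) and b) above, as an added example that is not part of the original chapter: Go code with a simplified stand-in for the attribute certificate (a fixed-layout signed record rather than an ASN.1 attribute certificate), an issuer RSA key standing in for the enrollment authority, and the two serial numbers carried as integers; all type and function names are this example's own. Matching a live scan against the template stored on the card is left to the reader hardware; the check here covers the integrity of the stored template and its binding to one card and one user certificate.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// FingerprintAttrCert is a simplified stand-in for the attribute certificate the
// text describes: the hashed template plus the two serial numbers that bind it to
// one smart card and one user certificate, all signed by the enrollment issuer.
type FingerprintAttrCert struct {
	TemplateHash   [32]byte // SHA-256 of the fingerprint template stored on the card
	CardSerial     uint64   // a) serial number of the smart card holding the template
	UserCertSerial uint64   // b) serial number of the user's X.509 signing certificate
	IssuerSig      []byte   // issuer's RSA signature over the three fields above
}

// tbs returns the bytes the issuer signs: a fixed-layout encoding of the bound
// fields, so that changing any one of them invalidates the signature.
func (c *FingerprintAttrCert) tbs() []byte {
	var buf bytes.Buffer
	buf.Write(c.TemplateHash[:])
	binary.Write(&buf, binary.BigEndian, c.CardSerial)
	binary.Write(&buf, binary.BigEndian, c.UserCertSerial)
	return buf.Bytes()
}

// Enroll hashes the template and issues the attribute certificate bound to the
// given card and user-certificate serial numbers (the enrollment phase).
func Enroll(issuer *rsa.PrivateKey, template []byte, cardSerial, userCertSerial uint64) (*FingerprintAttrCert, error) {
	c := &FingerprintAttrCert{TemplateHash: sha256.Sum256(template), CardSerial: cardSerial, UserCertSerial: userCertSerial}
	digest := sha256.Sum256(c.tbs())
	sig, err := rsa.SignPKCS1v15(rand.Reader, issuer, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	c.IssuerSig = sig
	return c, nil
}

// Validate checks the fingerprint-identity pair at use time. presentCard is the
// serial read from the card in the reader, presentUserCert the serial of the X.509
// certificate about to sign, and storedTemplate the template read from the card.
// Matching the live scan against storedTemplate is the reader's job, not done here.
func Validate(issuerPub *rsa.PublicKey, c *FingerprintAttrCert, presentCard, presentUserCert uint64, storedTemplate []byte) error {
	digest := sha256.Sum256(c.tbs())
	if err := rsa.VerifyPKCS1v15(issuerPub, crypto.SHA256, digest[:], c.IssuerSig); err != nil {
		return errors.New("attribute certificate signature invalid or fields altered")
	}
	if c.CardSerial != presentCard {
		return errors.New("attribute certificate was not issued for this smart card")
	}
	if c.UserCertSerial != presentUserCert {
		return errors.New("attribute certificate is not bound to this user certificate")
	}
	if sha256.Sum256(storedTemplate) != c.TemplateHash {
		return errors.New("stored fingerprint template does not match the certified hash")
	}
	return nil
}
```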


Since fingerprints cannot be lost, duplicated, stolen or forgotten, a smart-card fingerprint reader provides a more reliable and convenient solution than traditional security devices. Security is improved further by storing the fingerprint templates inside a SIM card instead of the computer. This not only provides a more secure environment but also enhances portability and eliminates privacy concerns. What is more, it gives users the flexibility of being able to carry their fingerprint template with them, safe in the knowledge that no one else can use their smart card should it become lost or stolen. Such devices enhance smart card and PKI security by requiring a fingerprint instead of a PIN or password, and the credentials (digital certificate, etc.) are kept securely on a portable smart card.

Figure 7. Visual presentation of the smart card - biometrics integration: smart card/fingerprint reader (identification and verification unit for e-signature utilization)
Typical applications for such devices are remote electronic voting, secure home-
banking, secure e-commerce, secure e-finance.


Summary of Purposes of Electronic Signatures

The processes of creating an electronic signature and verifying it using Public Key Infrastructure accomplish the essential effects that a handwritten signature does today for many legal purposes:
• Signer authentication: If a public and private key pair is associated with an identified signer, the digital signature attributes the message to the signer. The digital signature cannot be forged, unless the signer loses control of the private key;
• Message authentication: The digital signature also identifies the signed message, typically with far greater certainty and precision than paper signatures. Verification reveals any tampering, since the comparison of the hash results shows whether the message is the same as when signed;
• Non-Repudiation: Creating a digital signature requires the signer to use the signer's private key. This act can alert the signer to the fact that they are consummating a transaction with legal consequences;
• Integrity: The processes of creating and verifying a digital signature provide a high level of assurance that the digital signature is genuinely the signer's. Compared to paper methods, such as checking signature cards, methods that are tedious and labor-intensive, digital signatures yield a high degree of assurance without adding greatly to the resources required for processing.




Current Legislation and E-Signature Infrastructure
It is difficult to compare national approaches to electronic authentication legislation because so few countries have conceived of the purpose of such legislation in quite the same way. Some countries focused only on the technical standards for the operation of one technology - Public Key Infrastructure. Others have spanned the entire range of issues associated with the legal effect of electronic signatures, the legal framework for the operation of a Public Key Infrastructure, and the establishment of a regulatory apparatus to oversee Certification Authorities. In practice, there are several legislative models that are confronted with the tension between technological neutrality and legal specificity. Any legislative approach to electronic authentication must accommodate the inherent tension between the goal of technological neutrality and the goal of prescribing specific legal consequences for the use of electronic authentication systems. To the extent that legislation seeks to enable the use of diverse electronic authentication techniques, including some that are not yet even conceived, it becomes progressively more difficult to accord specific and meaningful legal consequences to their use. The reason for this inverse relationship is fairly straightforward - legislators' confidence in the security and reliability of known electronic authentication mechanisms allows them to grant greater legal benefits and presumptions to the use of those techniques. They may be less willing to grant the same level of legal benefits to as yet unknown techniques or to technologies that bear no imprimatur beyond recognition and acceptance in the marketplace. This conundrum is the inevitable consequence of legislating against a backdrop of rapid technological change.
When the first legislative initiatives began to emerge worldwide, the use of asymmetric cryptography as a means of creating digital signatures was widely perceived as the nearly universal foundation for all electronic authentication. One of the most complicated issues surrounding the creation of a Public Key Infrastructure is the extent to which the law should define or limit the liabilities of the three main parties to a secure electronic transaction, that is, the person who digitally signs a message, the person who receives the message and who may rely on its validity, and the Certification Authority that vouches for the identity or some other attribute of the sender. In a purely open networked transaction - that is, one in which the parties have not previously defined their respective rights and duties by contract - there are several major points of liability. Most importantly, the Certification Authority may be liable to the recipient of the message for any inaccuracies or misrepresentations contained in the certificate, or for the failure of the Certification Authority to revoke an invalid certificate.
More recently, however, there has been growing recognition that other means of electronic authentication, including biometrics and dynamic signature analysis, will take on equal or greater importance in the years ahead. In fact, some of these techniques - and particularly those that are based on biometric features - may prove to be more reliable and less susceptible to compromise than digital signatures based on Public Key Infrastructure.






Thus, no single technology will prevail as the sole means of electronic authentication.
Different technologies will likely be used in different settings and for different purposes.
This diversity of authentication techniques, while generally promoting the expansion of
electronic business, nonetheless poses a significant challenge for legislators, because
not all technologies necessarily require the same legal infrastructure or may be accorded
the same presumption of security and integrity. It is obvious that the widespread use of Public Key Infrastructure-based digital signatures requires a legally established trust infrastructure that defines the rights and obligations of the parties to an authenticated transaction, including the potential liability of Certification Authorities to third parties.
Other technologies, such as voice authentication, may not require the same type of
legally-defined trust infrastructure, although it is very hard to predict how any of these
technologies will be used in widespread commercial practice and what their specific legal
requirements will be.
For those legislators and policymakers who believe that the continued expansion of
electronic business requires a known and reliable authentication mechanism with
established legal consequences, the preference is usually to enact legislation that
specifically addresses the use of digital signatures, and to save the issues raised by other
authentication techniques for another day. At the same time, legislators and policymakers
naturally fear that any attempt to codify a known authentication mechanism runs the risk
of stunting the development of other authentication mechanisms, or at least of giving
undue benefits to a technology that is itself only in the earliest stages of commercial use.
Apart from these concerns and the general desire to avoid the rapid obsolescence of new
legislation, there is also a concern among national legislators and policymakers that
premature endorsement of a particular technology will set the country outside of the
mainstream of technological and legislative developments internationally. For these
reasons, technological neutrality in electronic authentication legislation has become an
increasingly prevalent objective.
The manner in which legislators and policymakers have sought to accommodate these conflicting concerns largely defines the typology of existing and proposed electronic authentication legislation. Until the beginning of the first decade of the 21st century, the most common approach was to ignore authentication mechanisms other than those based on digital signatures. These legislative initiatives are found among the countries whose electronic signature legislation activities started before 2000. More recent initiatives, whether in the form of proposed legislation or reports by national expert groups, have increasingly focused on the need to accommodate emerging and even unforeseen technologies.
The second approach to electronic authentication legislation accepts all or most electronic authentication mechanisms on a technologically neutral basis, and grants these mechanisms a basic set of legal benefits. For example, technologies that are accepted at the first level might satisfy writing and form requirements, but would not be entitled to any presumptions concerning the signer's identity or intent. At the second level, the legislation creates a class of approved technologies whose use is invested with a broader array of legal benefits and obligations. The legislation may define these technologies - sometimes referred to as secure or qualified technologies - by reference to general criteria, by reference to the specific techniques of asymmetric cryptography, or by reference to a schedule of technologies approved by statute or regulation.



