Sign on the Cyber Line

Apr 01, 2002 10:30 PM

When the Electronic Signatures in Global and National Commerce Act (E-Sign) became law in October 2000, it gave contracts with an electronic signature the same legal weight as those signed in ink. It also led many Internet experts to believe that e-commerce would be revolutionized: The security inherent in e-signatures would encourage businesses that spend thousands of dollars an order to purchase online, rather than from a sales representative.

E-signature technology, contends Bill Brice, CEO of Dallas-based software and consulting company AlphaTrust, could be a boon to business-to-business catalogers or anyone else with a repetitive business process that requires them to collect a signed document, such as a purchase order or a contract, within a tight time frame. When trying to improve efficiency, “the first thing to do is to look at a process that may be costly or causing the business pain because of a time delay, and look at the ability to do it online,” he says.

But nearly two years after E-Sign was passed, few online merchants are taking advantage of e-signature technology. Some marketers don’t yet see a need for using e-signatures, while others seem to be waiting until the technology becomes less expensive and less unwieldy.

The technology behind e-signatures

E-signatures provide a method of digitally “signing” a document online and ensuring that the recipient cannot alter it in any way. Each transaction must include a means of authentication — to make sure that the person electronically signing the document is who he says he is. “An e-signature verifies that the person signing it has acknowledged the document in its original state,” says Karl Ware, founder/executive vice president of BioNetrix, a Tysons Corner, VA-based software development firm.

Digital certificates are one of the technologies for facilitating e-signatures. These so-called certificates are actually electronic credentials that contain a person’s name, a serial number, an expiration date, and a copy of the holder’s “public key,” which works to encrypt messages and to check signatures made with the matching private key. Public key infrastructure (PKI) allows the users of a public network such as the Internet to securely exchange data using a pair of cryptographic keys, one public and one private. The private key is supposed to be known only to the individual to whom it belongs; it can be stored on a computer hard disk or a smart card. A public key is made available to anybody who wishes to communicate securely with the person who owns the complementary private key.

Some companies, such as Mountain View, CA-based VeriSign, offer digital certificate management services. If Acme Widgets Co. wants to provide its managers with the ability to electronically sign off on purchase orders, the management services provider will oversee the issuing and tracking of those employees’ digital certificates; if an employee leaves the company, the services provider will make sure to revoke his certificate.
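The pieces described above (a key pair, a certificate carrying the public key and an expiration date, and revocation by the certificate manager) work together as in the following added example, which is not from the article or from any vendor it names. It assumes a toy RSA key that is far too small for real use, a constructed purchase order and serial number, and it omits the issuer's own signature over the certificate.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Toy RSA key pair from two known Mersenne primes (assumption: illustration only).
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key: published in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: known only to the signer

@dataclass
class Certificate:                       # the fields the article lists
    name: str
    serial: int
    expires: date
    public_key: tuple                    # (modulus, public exponent)

def digest(document: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, private_exponent: int, n: int) -> int:
    return pow(digest(document, n), private_exponent, n)

def verify(document, signature, cert, revoked_serials, today):
    """Recipient-side check: certificate status first, then the signature."""
    if cert.serial in revoked_serials:
        return "rejected: certificate revoked"
    if today > cert.expires:
        return "rejected: certificate expired"
    n, e = cert.public_key
    if pow(signature, e, n) != digest(document, n):
        return "rejected: document altered or wrong signer"
    return "valid"

# Constructed sample data: a manager's certificate and a purchase order.
CERT = Certificate("A. Manager, Acme Widgets Co.", 1001, date(2003, 4, 1), (N, E))
PO = b"PO 4471: 500 widgets, net 30"
SIG = sign(PO, D, N)

def demo():
    today = date(2002, 4, 1)
    return [
        verify(PO, SIG, CERT, set(), today),                         # untouched
        verify(PO.replace(b"500", b"900"), SIG, CERT, set(), today), # edited after signing
        verify(PO, SIG, CERT, {1001}, today),                        # employee left
        verify(PO, SIG, CERT, set(), date(2003, 6, 1)),              # past expiration
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```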

Other vendors, such as BioNetrix, develop software for centrally managing user authentication. “When I issue a digital certificate to you, it is a piece of software, so it sits on your PC. If you go to another PC, or you are away from the desk where that certificate has been issued, you can’t sign anything,” Ware says. “It can’t be copied to another PC, but if you’re on the road, you also can’t sign anything.” Then again, he says, if a user has the digital certificate on his laptop and the computer is stolen, documents can be signed on his behalf.

For that reason, BioNetrix offers a variety of authentication methods. “Before you can open a certificate to sign a document, BioNetrix challenges you for a fingerprint, a smart card, a token, or facial or voice recognition, instead of requesting a four-digit PIN, which is a typical method for signing documents,” Ware says. Costs of such authentication methods vary. On the lower end, fingerprint scanners that can be embedded in laptops typically start at $100.

Why the apathy?

Although e-signatures can save companies time and money, business-to-business catalogers have been slow to embrace the technology. AlphaTrust’s Brice blames this on a lack of information. But others say it’s more a matter of a lack of need.

Melville, NY-based Henry Schein, a $2.3 billion supplier of medical, dental, and veterinary supplies, hasn’t deployed e-signature technology. “With all our e-commerce and EDI activity — which there is a great deal of here — there are no e-signatures involved,” says senior vice president/chief information officer James A. Harding. “When we transact from our suppliers, these aren’t coming with e-signatures. And we’re not looking to get a signature directly back from our customers, who are doctors or dentists.”

Nor has Madison, WI-based Conney Safety Products, which sells industrial safety supplies, seen a need for e-signatures. “It’s certainly not on the top of our priority list right now,” says vice president of marketing Mark Gross. “We don’t have the application for it at this point. If we were going to contract to act as a safety consultant for an organization, for instance, then we might consider it.”

BioNetrix’s Ware believes that the ability to use a roaming digital certificate, one that sits on a server and not on an individual PC, might make the technology easier and more palatable to users. “But easier generally means less secure, so strong authentication is a must in this case,” Ware says.