« Barcodes as EULAs, Notices, Contracts, Disclaimers, Legal Terms | Main | Behavioral Biometric Forensics | Privacy »

October 18, 2010

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Edward Vielmetti

Ben, a couple of thoughts.

Video is forgeable, just like anything else. If you want to make this ever so slightly more difficult to forge, you want to include some elements in the video which would be hard to replicate unless you were there at the time.

Some examples:

People who take photos of mushrooms that they find in the forest often put in the frame of the picture of the current day's newspaper. That proves that they didn't get them earlier than that date. There may be other digital timestamping techniques that you can use that are equally obvious. (Of course, you can try to post-date something with this technique, but at least it provides a reference point that's tough to fake).

If you are sending someone a link to a video on Youtube, you're putting forth the opportunity for the sender to retroactively edit that video and replace it with something else. Consider sending the video as an attachment instead.

Utterances like this that are witnessed by someone else in real time, especially someone trustworthy, provide an added level of authenticity. What if instead of recording a monologue, you recorded a dialog with someone who was in some kind of notary role? The interaction could be via two way audio or video, capturing the recipient as well as the sender, and if there were any question you could refer back to the trusted third party to authenticate.

Benjamin Wright

Edward:

Thanks for the comment. I agree that video can be forged. Handwritten signatures can be forged too.

However, successful, undetectable forgery of the whole package of evidence is not easy. In this example, the package of evidence that must be forged (with no trace of mistake) includes -- video, audio, email content, email audit trails, all relevant records of the email, and all of the time stamps. Plus, all of the forged facts must match up with the actual facts of the relationship between Ben Wright and Acme Corp. For example, there should be other timestamped emails between Ben and Acme discussing the non-disclosure agreement and the context of the agreement. The forgery must be consistent with those other emails.

In practice, making all of this match up places a big burden on the forger. If the forger makes even one mistake, he loses and he can go to jail for fraud.

--Ben

Matt Carlson

Ben,

Interesting idea. I'm a little unclear on something. If I'm negotiating an NDA, there might be several versions that are exchanged. If I understand correctly, you're proposing that in order to agree to it, I attach the NDA and a video of me stating my intention of being bound by the NDA to an email, right?

So what's to prevent the recipient from removing the NDA that I agreed to and attaching a different version? Lotus Notes allows this fairly easily.

I'll need a higher level of assurance before I can see using this for anything but the most trivial contracts. I agree with Edward that some type of notary might be useful in your protocol.

Matt

Thanks,

Matt

Benjamin Wright

Matt: Thank you for your comment.

The trickery that you suggest is subject to forensic analysis.

Email systems like Lotus Notes will keep an audit trail (meta data) showing whether the attachment was changed and when. If a party tries deceitfully to alter a contract by replacing the original attachment with a different one, and then to claim in court that the replacement is the original, he is buying himself a trip to jail (for fraud/perjury). See Munshani v. Signal Lake www.signallake.com/resources/email-forensics-library

--Ben

Toby

Pleeeeease don't use email for that kind of stuff. You REALLY nead a secure container - the communication needs to be encrypted.

Or would you send all this info on a Post card, or let it be hand delivered by 5-10 strangers?

And for the signature - laughable as well. Put a Certificate in there - digital signature.

Just think security first, and don't brainstorm like i wanna use this technology and that... blah, and at the end i'm gonna add some 'fake' security.

Also think that each product you use like zoho, is a corporation, with corporate interests... They CAN change whatever they want - you CANNOT trust any Corp(this of course includes the Email providers, cell service providers, internet providers, hosters...). But all these trust problems you can get around with a secure container.

Benjamin Wright

Toby:

I appreciate your comments, and I'd like to know more about them. I am grateful that you have really thought about my ideas and you have taken the time to state thoughtful arguments. What do you think about these rebuttals:

Businesses, governments and professionals have been using email for years to transact all kinds of important business and to exchange all kinds of semi-sensitive information. Should they stop doing that?

Email can be encrypted, in many different ways and to varying degrees of security and varying degrees of convenience/inconvenience. The ideas I state in the article above do not rule out encryption.

Email -- without digital signatures -- is used as evidence in court on a routine basis. Email is authenticated for legal purposes without digital signatures all the time. There are more judicial cases in which email is accepted as evidence than you or I will ever be able to read.

If you want to add a digital signature to email, you can do that (just as you can add a notary stamp to an ink-signed sheet of paper if you want to do that).

I'd enjoy hearing more about what you think a "secure container" is. If the secure container boils down to the investigator having a private key that he must protect with strong security, then a lot rides on that private key and the security around it. What happens if the investigator dies (or quits his job) after he performs his work and he locks the evidence with his key? How will someone else be able to find, unlock and authenticate the evidence? If all of this these problems are solved by key escrow, then the escrow becomes a big institutional (and possibly expensive) issue. Further, I'd like to know how practical key escrow is for investigators and how well it is implemented in practice.

Regarding reliance on corporations: 1. Happens all the time for purposes of important and sensitive transactions. 2. Backup copies of records can be make to places like hard drives and storage facilities controlled by alternative corporations. 3. The "certificate" to which you refer depends on a corporation (i.e., certification authority) that can do a bad job or go out of business.

As we evaluate these issues, please remember that the world of investigations is large and diverse. Not ever investigation is as sensitive as a criminal investigation of a mafia boss. Some investigations are just (for example) internal reviews of human resources issues inside a corporation.

--Ben

Benjamin Wright

Footnote. The Zoho example to which Toby refers is introduced here: http://computer-forensics.sans.org/blog/2010/10/22/digital-forensics-investigators-write-report-store-digital-evidence

Electronic contracts

Thanks for sharing! However, the signature also has to be verified. After verifying by email or password, the signature is then associated with its user. One way for users to verify their own electronic signature is to privately activate it.

Benjamin Wright

To "Electronic contracts": You say, "the signature also has to be verified." You and I have different visions for legal signatures. You seem to believe that a signature must be verified the way that a PIN or password is verified. That approach to verification inevitably involves some form of pre-registration with an authority. In your name, you linked to http://www.docusign.com, so I assume you are advocating the Docusign approach. I take it that under the approach you advocate, the signer must, before signing go through some kind of set-up process that involves registration of email or a password with an authority.

However, your approach to signatures (as you describe it here) seems clumsy and bureaucratic, a deterrent to many potential signers. Your approach is not like handwritten signatures on paper or fax. Your approach does not allow for spontaneous signatures because it requires pre-registration. Furthermore, your approach relies upon some kind of a registration authority, which is costly and problematic.

The webcam signature I offer here is like a handwritten signature on paper. It involves no pre-registration and no registration authority. No one has to pay the costs of the registration authority. The signer can sign spontaneously. Like a handwritten signature, the webcam signature normally is not "verified," except (1) the relying party can informally look at the webcam signature and confirm generally that it looks and sounds like the signer, and (2) in the event of a serious dispute about authenticity (which is very rare!), an extensive forensic analysis can be undertaken, looking into topics like (a) the meta-data associated with the email to which the webcam video was attached, (b) whether the video was altered or fabricated, and (c) evidence from the contextual relationship between the parties.

Back to you, "Electronic contracts." What do you think?

--Ben

The comments to this entry are closed.

Wright's Online SANS Education

Jackson County Case Study

IT Administrators

Twitter

  • Follow benjaminwright on Twitter

Wright's Google Profile

Custom Professional Training

Local ARMA Quote

  • "The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.
My Photo

Blogger

  • Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

  • "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

  • No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

    The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

    Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

    Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

    The only person responsible for Mr. Wright's words is Mr. Wright.

    Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

    Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

    Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

    Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

    Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

Search Wright's Blogs

Find More on This Blog

  • Google+

MY BLOGS HAVE LOADS OF CONTENT. SEARCH! ↓

Become a Fan

E-mail Mr. Wright

  • Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. He does not give advice to non-clients.

    Contact Form

Find More on This Blog