
Tue, Sep. 29th, 2009, 12:19 pm
Signatures don't do what you think they do

Security people tend to think that we live in a secure world, one in which everyone is constantly auditing the behavior of everyone else, and the end result is widespread mutually ensured honesty. We don't even vaguely live in that world. We live in a trusting world, where most people are mostly good, and the need for auditing is much lower than it would be if everyone were greedy sociopathic automatons. I would not want to live in a world which worked that way, and it would probably not only be an unpleasant place to live, but an extremely unproductive one as well, as every attempt by anyone to get anything done would be destroyed by theft and corruption.

I say this not to engage in broad philosophizing but because I have a very concrete point to make about a very specific thing: signatures. People think of signatures as being a strong form of physical evidence, useful in court proceedings for proving that a particular person really did sign a particular thing. While the very fact that this belief is widespread does a good job of discouraging people from denying that things they signed really bear their signature, which is a good thing, the claimed difficulty of forging signatures is simply not true. Anyone can practice forging a signature from a few samples for a few hours and be able to produce a passable replica. Anyone with decent skill who practices a bit can get quite skilled. And people aren't very consistent about how they sign their own signatures, making even legitimate matches sometimes look fake. Thumbprints would be far better as a piece of evidence.

Despite that, signatures are still very important and good at what they're used for. What is that? It's to make it clear that someone knows when they're entering into a binding agreement. You can't be forced into an effective contract just because you said 'yeah, whatever' when asked if you want to participate, and you can't be forced into a contract by being tricked into signing a document which says something different from what you think it says. The theory of contracts is based on parties mutually agreeing to be contractually bound, and requires that they all go through sufficient ceremony that it's clear when a contract has been entered into (sometimes merchants can get into binding contracts much more easily, but that's because they're expected to be more savvy; the law is big on protecting little old ladies from being suckered).

For example, take the use of signatures for receiving packages. There isn't even a contract entered into when a package is signed for, but the reasoning behind it is the same - it's to make clear that the person receiving the package knew they were receiving a package, and cannot claim later that there was a misunderstanding. To the extent that the signature has any evidentiary power in this case, it's mostly in that people generally by default put down their real name, and since the delivery person generally doesn't even know what the name of a potential recipient might be, it's hard for someone to lie later and claim that no package was delivered at all.

The hoopla around cryptographic signatures is largely misplaced. A signature made on a web page that clearly states what is being agreed to, drawn by moving the mouse like a pen in a drawing area, would do a much better job of indicating what signatures are supposed to indicate, and would probably be much easier to back up in court later.

Now somebody please explain this to Bruce Schneier, because he doesn't get it.

Wed, Sep. 30th, 2009 08:01 pm (UTC)
peter_geoghegan

I've often thought that the way in which I'm regularly asked by delivery men to sign a touch screen PDT while vouching for goods somewhat trivialises the whole notion of a signature. Firstly, my "signature" invariably ends up being an illegible, pixelated scrawl packed into an area the size of a business card. Secondly, it's a 1-bit per pixel image that can easily be copied digitally. The use of PDTs in this way is widespread practice here in Ireland, and probably is in most other western countries too.

There has been a big push towards "chip and PIN" (an EMV implementation that requires the customer to enter a 4-digit PIN rather than sign a voucher) verification for point of sale credit and debit card transactions here and in the UK in the last 3 years.

It was argued on http://www.chipandspin.co.uk that the reason the banks made this push was to put the onus of paying for fraudulent transactions on merchants and customers:

"Sales vouchers [for credit cards] were governed by laws that evolved for cheques [that's "checks" in American], of which the most important is that a forged signature is completely null and void. This gives the customer strong protection against abuse of a stolen card. Although some argument can be made about card terms and conditions, and about possible negligence by a customer, in practice the banking industry paid the costs of fraud."

Incidentally, it was also argued that chip and PIN amounted to little more than what Schneier would call "security theatre".

You say "To the extent that the signature has any evidentiary power in this case, it's mostly in that people generally by default put down their real name, and since the delivery person generally doesn't even know what the potential name of a recipient might be, it's hard for someone to lie later and claim that no package was delivered at all."

I'd suggest that a bigger problem in practice is people having no record or recollection of having received goods, and claiming falsely, perhaps in good faith or perhaps in wilful ignorance, that they never received anything. As you say, most people won't steal at the first opportunity, if only because their reputation is worth more to them than what can be immediately stolen. That's not to say that I believe that good will and morality don't play a large role, but having your reputation harmed in the event of being caught is an obvious deterrent that accounts for why many sociopaths aren't outwardly sociopathic. Prison is another one.