Monday, June 06, 2011

Digital Signing and Action at a Distance

Love the story today about President Obama and the auto-pen. Gotta love the pic of Thomas Jefferson’s Polygraph on that page too.

Both Jefferson's gadget and the auto-pen raise the question of cause and effect in the legal concept of signing/notarizing/witnessing.

In the old days a single cause (person with pen) created a single effect (signed vellum sheet). As soon as something - anything - intermediates between the cause and the effect, things get a lot more complex.

In IT, a so-called "digital signature" has little in common with its physical world analogs. For example a single cause may general multiple effects (one signed doc gets replicated a million times - each "copy" indistinguishable from the "original"). Moreover, the "cause" is always a computer program - not a person.

If I write the software that has the button that you press to "sign". Who/what does the signing? My software or you? If I change my software so that it just signs whatever needs to be signed, every day at 12:00 O'Clock. Who/what is doing the signing now? Given that "signed" documents produced from the latter process are completely indistinguishable from the former, how can the courts deal with the fact that my software may have gone haywire and signed a bunch of things on your behalf that never should have been signed?

In the world of bits, the blunt truth of the matter is that an "original" bit-stream of any object is a tough, tough thing to pin down. The closest analog that I know of is tamper evident content addressable storage like EMC Centera (That is what we use in the KEEP system here in Kansas).

No comments: