At 20:54 AM 2/20/96 -0500, C. Bradford Biddle <biddle@pwa.acusd.edu> wrote:
---------- Forwarded message ----------
DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN
[Copyright 1996 by Brad Biddle; permission granted for non-commercial electronic redistribution]
...
LIABILITY
The Utah Act makes two policy choices concerning liability allocation. Under the Utah Act, consumers are held to a negligence standard in guarding their private encryption key. Thus, if a criminal obtains a consumer's private key and commits fraud, the consumer is financially responsible for that fraud unless the consumer can prove that the consumer used reasonable care in guarding the private key. ...
One important question here is: what is "reasonable care"? In a very real sense, all consumer computer operating systems are not secure. I have posted a theoretical virus-borne attack on PGP's secret key to the cypherpunks mailing list (archives at http://www.hks.net/cpunks/). Nathaniel Borenstein of First Virtual has posted to the same list a description of a partially implemented attack on credit card numbers, which has received heavy response. If there is enough reward, these attacks will occur. The question I have is, does "reasonable care" include keeping your machine "virus free"?
There is a second troubling policy choice relating to liability. The Utah Act limits the potential liability of one actor in the infrastructure -- the certification authority -- to a fixed amount (termed a "suitable guarantee" and determined by a complex formula or by administrative rule).
The historic precedent is the liability limit on nuclear power plants. For both these problems, a relatively low liability limit would force people to use other techniques (e.g. old style signed contracts) for large transactions. While we are working the bugs out of a new technology, with new standards of "reasonable care", everyone might win if the risks are limited.
PRIVACY
I believe the area of privacy is where the real problems lie. I will let other, more qualified, people suggest alternatives to the Utah law proposal.
Brad Biddle, Legal Intern <biddle@acusd.edu>
Privacy Rights Clearinghouse, Ctr for Public Interest Law
http://pwa.acusd.edu/~prc
[The views expressed in this article are not necessarily those of the Privacy Rights Clearinghouse or the Center for Public Interest Law.]
Regards - Bill
------------------------------------------------------------------------
Bill Frantz       | The CDA means  | Periwinkle -- Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA