Re: Digital Signature Legislation (fwd)
At 20:54 AM 2/20/96 -0500, C. Bradford Biddle <biddle@pwa.acusd.edu> wrote:
---------- Forwarded message ----------
DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN
[Copyright 1996 by Brad Biddle; permission granted for non-commercial electronic redistribution]
...
LIABILITY
The Utah Act makes two policy choices concerning liability allocation Under the Utah Act, consumers are held to a negligence standard in guarding their private encryption key. Thus, if a criminal obtains a consumer's private key and commits fraud, the consumer is financially responsible for that fraud unless the consumer can prove that the consumer used reasonable care in guarding the private key. ...
One important point here is what is "reasonable care"? In a very real sense, all consumer computer operating systems are not secure. I have posted a theoretical virus born attack on PGP's secret key to the cypherpunks mailing list (archives at http://www.hks.net/cpunks/). Nathinal Borenstein of First Virtual has posted to the same list, a description of a partially implemented attack on credit card numbers which has received heavy response. If there is enough reward, these attacks will occur. The question I have is, does "reasonable care" include keeping your machine "virus free"?
There is a second troubling policy choice relating to liability. The Utah Act limits the potential liability of one actor in the infrastructure -- the certification authority -- to a fixed amount (termed a "suitable guarantee" and determined by a complex formula or by administrative rule).
The historic precedent is the liability limit on nuclear power plants. For both these problems, a relatively low liability limit would force people to use other techniques (e.g. old style signed contracts) for large transactions. While we are working the bugs out of a new technology, with new standards of "reasonable care", everyone might win if the risks are limited.
PRIVACY
I believe the area of privacy is where the real problems lie. I will let other, more qualified, people suggest alternatives to the Utah law proposal.
Brad Biddle, Legal Intern <biddle@acusd.edu> Privacy Rights Clearinghouse, Ctr for Public Interest Law http://pwa.acusd.edu/~prc
[The views expressed in this article are not necessarily those of the Privacy Rights Clearinghouse or the Center for Public Interest Law.]
Regards - Bill ------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
On Thu, 22 Feb 1996, Bill Frantz wrote:
At 20:54 AM 2/20/96 -0500, C. Bradford Biddle <biddle@pwa.acusd.edu> wrote:
---------- Forwarded message ----------
DIGITAL SIGNATURE LEGISLATION: SOME REASONS FOR CONCERN
[...]
LIABILITY
[...]
The question I have is, does "reasonable care" include keeping your machine "virus free"?
A very good question, and one not answered by the Utah Act. The answer to the question of what constitutes reasonable care for holders of private keys will have to be addressed through the long, expensive, and inelegant process of common law evolution: court case after court case after court case slowly providing an answer. In contrast, the duties of certification authorities are explicitly described in the Act.
There is a second troubling policy choice relating to liability. The Utah Act limits the potential liability of one actor in the infrastructure -- the certification authority -- to a fixed amount (termed a "suitable guarantee" and determined by a complex formula or by administrative rule).
The historic precedent is the liability limit on nuclear power plants.
An interesting point, which can be spun several ways. The nuclear industry has been able to externalize the immense costs of waste storage, etc. Would the same investments have been made in nuclear energy if the nuclear industry was forced to internalize all of the costs it generates, including the costs of potential accidents? Probably not. I suspect that you could find people who would argue that the liability limits have had very good consequences (i.e., promoting investment in an ultimately beneficial technology) and others who would say that the current state of the nuclear industry points out the harm in allowing an industry to externalize costs.
For both these problems, a relatively low liability limit would force people to use other techniques (e.g. old style signed contracts) for large transactions. While we are working the bugs out of a new technology, with new standards of "reasonable care", everyone might win if the risks are limited.
Agreed. Letting market forces sort out the most appropriate risk allocations may be the best solution. This isn't really what the Utah Act does, however.
Regards - Bill
------------------------------------------------------------------------ Bill Frantz | The CDA means | Periwinkle -- Computer Consulting (408)356-8506 | lost jobs and | 16345 Englewood Ave. frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA
Thank you for your thoughtful comments. Brad Brad Biddle, Legal Intern <biddle@acusd.edu> Privacy Rights Clearinghouse, Ctr for Public Interest Law http://pwa.acusd.edu/~prc For the record: Someone else who responded to my post on the Cypherpunks list referred to me as "Dr. Biddle." I think they were misled by Phil Agre's characterization of me as an "academic" in his introduction to my article. (Or perhaps just dazzled by the force of my arguments). I am, in fact, a law *student*, not a law professor.
participants (2)
-
C. Bradford Biddle -
frantz@netcom.com