Digital signatures on contracts are probably legal. I did some checking on the subject a while back; someone forwarded me the following official opinion from the U.S. Controller General. The specific reasoning applies only to the U.S. government, but most of the principles generalize. I'll add one note of my own -- from what I've read lately of the Federal rules of evidence, printouts of data recorded on disk, tape, etc., are considered to be equally original, as it were. A reference I haven't checked is Benjamin Wright, ``The Law of Electronic Commerce- EDI, Fax, and Email: Technology, Proof, and Liability''. It is a 1991 book published by Little Brown and Co., 1991. --Steve Bellovin <FF> United States General Accounting Office [Comptroller General] MEMORANDUM DATE: June 19, 1991 TO: Assistant Director, AFMD/ASA - John C. Martin FROM: Assistant General Counsel, OCG/AFMD - Thomas H. Armstrong Subject: Electronic Contracting (B-238449) This responds to your request for our opinion regarding whether agencies can use Electronic Data Interchange (EDI) technologies to create valid contractual obligations that can be recorded consistent with 31 U.S.C. (s) 1501 (section 1501). For the reasons stated below, we conclude that they can. BACKGROUND EDI is the electronic exchange of business information between parties, usually via a computer, using an agreed upon format. EDI is being used to transmit shipping notices, invoices, bid requests, bid quotes and other messages. Electronic contracting is the use of EDI technologies to create contractual obligations. EDI allows the parties to examine the contract, usually on video monitors, but sometimes on paper facsimiles, store it electronically (for example on magnetic tapes, on discs or in special memory chips), and recall it from storage to review it on video monitors, reproduce it on paper or even mail it via electronic means. Using EDI technologies, it is possible for an agency to contract in a fraction of the time that it now takes. The "paperless" nature of the technology, however, has raised the question of whether electronic contracts constitute obligations which may be recorded against the government. DISCUSSION Section 1501 establishes the criteria for recording obligations against the government. The statute provides, in pertinent part, as follows: <FF> "(a) An amount shall be recorded as an obligation of the United States Government only when supported by documentary evidence of-- (1) a binding agreement between an agency and another person (including an agency) that is-- (A) in writing, in a way and form, and for a purpose authorized by law. . . ." 31 U.S.C. (s) 1501(a)(1)(A). Under this provision, two requirements must be satisfied: first, the agreement must bind both the agency and the party with whom the agency contracts; second, the agreement must be in writing. Binding Agreement The primary purpose of section 1501(a)(1) is "to require that there be an _offer_ and an _acceptance_ imposing liability on both parties." 39 Comp. Gen. 829,831 (1960) (emphasis in original). Hence the government may record an obligation under section 1501 only upon evidence that both parties to the contract willfully express the intent to be bound. A signature traditionally has provided such evidence. _See_ _generally_ 65 Comp. Gen. 806, 810 (1986). Because of its uniqueness, the handwritten signature is probably the most universally accepted evidence of an agreement to be bound by the terms of a contract. _See_ 65 Comp. Gen. at 810. Courts, however, have demonstrated a willingness to accept other notations, not necessarily written by hand. _See_, _e.g._, _Ohl_&_Co._v._Smith_Iron_Works_, 288 U.S. 170, 176 (1932) (initials); _Zacharie_v._Franklin_, 37 U.S. (12 Pet.) 151, 161-62 (1838) (a mark); _Benedict_v._Lebowitz_, 346 F.2d 120 (2nd Cir. 1965) (typed name); _Tabas_v._Emergency_Fleet_ _Corporation_, 9 F.2d 648, 649 (E.D. Penn. 1926) (typed, printed or stamped signatures); _Berryman_v._Childs_, 98 Neb. 450, 153 N.W. 486, 488 (1915) (a real estate brokerage used personalized listing contracts which had the names of its brokers printed on the bottom of the contract in the space where a handwritten signature usually appears). As early as 1951, we recognized that a signature does not have to be handwritten and that "any symbol adopted as one's signature when affixed with his knowledge and consent is a binding and legal signature." B-104590, Sept. 12, 1951. Under this theory, we approved the use of various signature machines ranging from rubber stamps to electronics encryption 2 B-238449 <FF> devices. _See_ 33 Comp. Gen. 297 (1954); B-216035, Sept. 20, 1984. For example, we held that a certifying officer may adopt and use an electronic symbol generated by an electronic encryption device to sign vouchers certifying payments. B-216035, _supra_. The electronic symbol proposed for use by certifying officers, we concluded, embodied all of the attributes of a valid, acceptable signature: it was unique to the certifying official, capable of verification, and under his sole control such that one might presume from its use that the certifying officer, just as if had written his name in his own hand, intended to be bound. EDI technology offers other evidence of intent to be bound with the same attributes as a signature--for example, a "message authentication code," like that required by the National Institute of Standards and Technology (NIST) for the electronic transmission of data._1_/ In our opinion, this form of evidence is acceptable under section 1501. A message authentication code is a method designed to ensure the authenticity of the data transmitted; it is a series of characters that identifies the particular message being transmitted and accompanies no other message. As envisioned by NIST's Federal Information Processing Standard (FIPS) 113,_2_/ a message authentication code could be generated when the sender inserts something known as a "smart card"_3_/ into a system and inputs the data he wants to transmit. Encoded on a circuit chip located on the smart card is the sender's key. ____________________ _1_/ The Congress has mandated that NIST (formerly the National Bureau of Standards) establish minimum acceptable practices for the security and privacy of sensitive information in federal computer systems. Computer Security Act of 1987, Pub. L. No. 100-235, (s) 2, 101 Stat. 1724 (1988). _2_/ FIPS 113 adopts American National Standards Institute (ANSI) standard X9.9 for message authentication. It outlines the criteria for the cryptographic authentication of electronically transmitted data and for the detection of inadvertent and/or intentional modifications of the data. By adopting the ANSI standard, FIPS 113 encourages private sector applications of cryptographic authentication; the same standard is being adopted by many financial institutions for authenticating financial transactions. _3_/ A smart card is the size of a credit card. It contains one or more integrated circuit chips which function as a computer. 3 B-238449 <FF> The key is a secret sequence of numbers or characters which identifies the sender, and is constant regardless of the transmission. The message authentication code is a function of the sender's key and the data just loaded into the system. After loading his data into the system, the sender notifies the system that he wants to "sign" his transmission. The system sends the data first to the chip on the smart card; the chip then generates the message authentication code by applying a mathematical procedure known as a cryptographic algorithm. The card returns the data along with the just- generated message authentication code to the system, which will transmit the data and code to the recipient. When a contracting officer notifies the system that he wants to sign a contract being transmitted to a contractor, he is initiating the procedure for generating a message authentication code with the intention of binding his agency to the terms of the contract. The message authentication code evidences that intention, as would a handwritten or other form of signature. The code, incorporating the sender's key, is unique to the sender; and, the sender controls access to and use of his "smart card," where his key is stored. It is also verifiable. When the recipient receives the contract, either a notation identifying the message authentication code and the sender, usually by name. The recipient can verify its authenticity by putting the data that he just received into his system and asking his system to generate a message authentication code. That code should match the one annotating the message received._4_/ Writing To constitute a valid obligation under section 1501(a)(1)(A), a contract must be supported by documentary evidence "in writing." Some have questioned whether EDI, because of the paperless nature of the technology, fulfills this requirement. We conclude that it does. Prior to the enactment of section 1501, in the Supplemental Appropriations Act of 1955,_5_/ the was no "clean cut definition of obligations." H.R. Rep. No. 2266, 83rd Cong., 2d Sess. 50 (1954). Some agencies had recorded questionable obligations, including obligations based on oral contracts, in ____________________ _4_/ For the sake of simplicity, this example does not describe the complicated system of controls used to ensure that no human knows the keys that are used to generate message authentication codes. _5_/ Pub. L. No. 663, 68 Stat. 800, 830 (1954) 4 B-238449 <FF> order to avoid withdrawal and reversion of appropriate funds. _See_ 51 Comp. Gen. 631, 633 (1972). Section 1501 was enacted not to restrict agencies to paper and ink in the formation of contracts, but because, as one court noted, "Congress was by asserting oral contracts." _United_States_v._American_ _Renaissance_Lines_, 494 F.2d 1059, 1062 (D.C. Cir.), _cert_. _denied_, 419 U.S. 1020 (1974). The purpose of section 1501 was to require that agencies submit evidence that affords a high degree of certainty and lessens the possibility of abuse. _See_ H.R. Rep. No. 2266 at 50. While "paper and ink" offers a substantial degree of integrity, it is not the only such evidence. Some courts, applying commercial law (and the Uniform Commercial Code in particular), have recognized audio tape recordings, for example, as sufficient to create contracts. _See_, _e.g._, _Ellis_Canning_Company_v._Bernstein_, 348 F. Supp. 1212 (D. Colo. 1972). The court, citing a Colorado statute, stated that the tape recording of the terms of a contract is acceptable because it is a "reduc[tion] to tangible form."_6_/ _Id_. at 1228. In a subsequent case, the United States Court of Appeals held that an audio tape recording of an agreement between the Gainesville City Commission and a real estate developer was sufficient to bind the Commission. _Londono_v._City_of_Gainesville_, 768 F.2d 1223 (11th Cir. 1985). The court held that the tape recording constituted a "signed writing." _Id_. at 1228. In our opinion, EDI technology, which allows the contract terms to be examined in human readable form, as on a monitor, stored on electronic media, recalled from storage and reviewed in human readable form, has an integrity that is greater than an audio tape recording and equal to that of a paper and ink contract. Just as with paper and ink, EDI technology provides a recitation of the precise terms of the contract and avoids the risk of error inherent in oral testimony which is based on ____________________ _6_/ Some courts, interpreting the laws of other states, have held that a tape recording is not acceptable. _See_Roos_v._ _Aloi_, 487 N.Y.S. 2d 637 (N.Y. Sup. Ct. 1985), _aff'd_, 489 N.Y.S. 2d 551 (N.Y. App. Div.); _Sonders_v._Roosevelt_, 476 N.Y.S. 2d 331 (N.Y. App. Div. 1984). 5 B-238449 <FF> human memory._7_/ Indeed, courts, under an implied-in-fact contract theory, have enforced contracts on far less documentation than would be available for electronic contracts. _See_ _Clark_v._United_States_, 95 U.S. 539 (1877). _See_ _also_ _Narva_Harris_Construction_Corp._v._United_States_, For the purpose of interpreting federal statutes, "writing" is defined to include "printing and typewriting and _reproductions_ _of_visual_symbols_ by photographing, multigraphing, mimeographing, manifolding, or _otherwise_." 1 U.S.C. (s) 1 (emphasis added). Although the terms of contracts formed using EDI are stored in a different manner than those of paper and ink contracts, they ultimately take the form of visual symbols. We believe that it is sensible to interpret federal law in a manner to accommodate technological advancements unless the law by its own terms expressly precludes such an interpretation, or sound policy reasons exist to do otherwise. It is evident that EDI technology had not been conceived nor, probably, was even anticipated at the times section 1501 and the statutory definition of "writing" were enacted. Nevertheless, we believe that, given the legislative history of section 1501 and the expansive definition of writing, section 1501 and 1 U.S.C. (s) 1 encompass EDI technology. cc: Mr. F. Jackson ____________________ _7_/ Of course, just as with any contact or other official document, an agency must take appropriate steps to ensure the security of the document, for example, to prevent fraudulent modification of the terms. Agencies should refer to NIST standards in this regard. _See_, _e.g._, FIPS 113 _supra_ (regarding message authentication codes). In addition, agencies should refer to the GSA regulations regarding the maintenance of electronic records. _See_ 41 C.F.R. (s) 201-45.2. 6 B-238449 <FF>