
Acceptance of Terms and Conditions: Radio Buttons, Checkboxes, and Digital Signatures


#1
shackrock

So, we all use radio buttons and checkboxes to agree to a company's Terms and Conditions - probably daily. What we don't do is use electronic signatures. Even my banking and payment WebApps are all based solely on checkboxes and radio buttons.

Now, I am being asked to require digital signatures on certain digital form submissions. Something that makes no sense at all to me. To avoid this requirement, I am searching for legal documentation/case studies that show radio buttons and checkboxes are acceptable.


Some of my reasons:

  • Digital/Electronic Signatures are used to verify somebody's identity, when you think that the transmission may be intercepted or spoofed. In my case, we are securely linked from our site to another site (two trusted sources, with an encrypted connection). There can be no interception or spoofing without some serious hacking or disclosure of credentials.

  • For an example, SERTIFI (digi sig service) is simply forcing a user to sign up with basic information (information that I already have in my system, plus much, much more). The company then logs the user's email and IP address. The company attaches a key with this information and places a stamp on a document, digitally. Yet, we still have no proof that the user is who he says he is. We only know the information that they provided (not to mention the user's IP can also be spoofed, routed through a proxy server, etc...).

  • Every website that we use on a daily basis does not require electronic signatures - so there MUST be some legal precedent to support this fact.

If anyone has any info, articles, case studies, etc... I'd love to have some real proof to support my argument.

Thanks

#2
WingedPanther

My experience with CFR part 11 (US FDA regulations) is that a digital signature REQUIRES the user to reenter a username/password, and that the action must be logged digitally (in the database) as the signature. You're not likely to get away with anything less.

#3
shackrock

This is fine - not a large deal, re-confirming authenticity of the user is easy as far as I'm concerned. What I'm trying to make clear is that a cryptographic key is unnecessary in this situation - and that the services that claim to offer these digi sigs are offering no additional protection in this circumstance.
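
The approach described in reply #2 (the user re-enters a username/password and the action is logged in the database as the signature), sketched as an added example that is not part of the original thread. The table layout, the PBKDF2 password storage, the document hash column and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3
import time

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def setup() -> sqlite3.Connection:
    """In-memory database with one constructed sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("CREATE TABLE signatures (id INTEGER PRIMARY KEY, user TEXT,"
               " doc_sha256 TEXT, meaning TEXT, signed_at REAL)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db

def sign(db, user: str, password: str, document: bytes, meaning: str):
    """Log a signature row only if the re-entered credentials verify.

    Returns the new row id, or None when re-authentication fails.
    """
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (user,)).fetchone()
    if row is None:
        return None
    if not hmac.compare_digest(hash_password(password, row[0]), row[1]):
        return None
    # Hash the exact bytes shown to the user, so the row is tied to that
    # version of the text and not merely to "some terms".
    digest = hashlib.sha256(document).hexdigest()
    cur = db.execute(
        "INSERT INTO signatures (user, doc_sha256, meaning, signed_at)"
        " VALUES (?, ?, ?, ?)", (user, digest, meaning, time.time()))
    db.commit()
    return cur.lastrowid

def is_signed(db, user: str, document: bytes) -> bool:
    """True if this user has a logged signature for exactly these bytes."""
    digest = hashlib.sha256(document).hexdigest()
    return db.execute("SELECT 1 FROM signatures WHERE user = ? AND doc_sha256 = ?",
                      (user, digest)).fetchone() is not None
```

The logged row is only as trustworthy as the database and application that write it, since anyone with write access to the `signatures` table can add or alter rows.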



