UETA and Digital Signatures


Many people have never heard of the Uniform Electronic Transactions Act, or UETA. Even so, if you engage in any kind of transaction on the Internet, even non-commercial ones like downloading open source software, it has affected you.

UETA itself is not a law, but rather a model law that the National Conference of Commissioners on Uniform State Laws developed for states to use. As of December 2002, 41 states have adopted UETA, some with changes.

So, what is UETA? It is a uniform statute relating to the use of electronic communications and records in contractual transactions. Here are some important definitions from the statute:

  • Electronic Signature: "Means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record."
  • Effect of Electronic Signature: A "signature may not be denied legal effect or enforceability solely because it is in electronic form."
    "If a law requires a signature, an electronic signature satisfies the law."
  • Electronic Record: "Means a record created, generated, sent, communicated, received, or stored by electronic means."
  • Effect of Electronic Record: A record "may not be denied legal effect or enforceability solely because it is in electronic form."
    "If a law requires a record to be in writing, an electronic record satisfies the law."
    "A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation."

The result is that every time you click on an "agree" button on a web site, that act is deemed to have the same effect and be as enforceable as you signing your name at the bottom of a contract.

Most of us take our signature quite seriously. At some point in your life you probably practiced writing it so that it looked the way you wanted it to. We hold digital signatures produced by digital certificates in a similar light. Validated certificates are difficult to get and so we feel some kind of weightiness in their use. We probably don't feel the same about clicking a button on a web form or checking a box. It just doesn't seem weighty enough, and yet it has the same effect. In essence, UETA has moved the signature from a unique artifact to any event (in the GUI sense) in a specific context.

I think this has significant ramifications in the world of digital identity. I think most geeks have always assumed (or at least hoped) that digital signatures would be somehow tied to some safe, secure repository of properties forming a digital identity. This law says that such is not the case.

This is a perfect example, I think, of state legislatures not waiting around for us to get the technology right or for some grand solution. They're going to go ahead and make laws affecting identity and we will be forced to follow along. If we want something different to happen, we need to do a better job of lobbying the 4800 or so people who make these decisions. It's not an easy task, but the alternative is not pleasant.