1993-06-01 - Re: Electronic Contracts

Header Data

From: smb@research.att.com
To: wcs@anchor.ho.att.com
Message Hash: bdd7c2def8eb1d08b172222534466c3212c8c8848ace93b782ba758fd3c0b648
Message ID: <9306010741.AA20187@toad.com>
Reply To: N/A
UTC Datetime: 1993-06-01 07:41:32 UTC
Raw Date: Tue, 1 Jun 93 00:41:32 PDT

Raw message

From: smb@research.att.com
Date: Tue, 1 Jun 93 00:41:32 PDT
To: wcs@anchor.ho.att.com
Subject: Re: Electronic Contracts
Message-ID: <9306010741.AA20187@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


Digital signatures on contracts are probably legal.  I did some checking
on the subject a while back; someone forwarded me the following official
opinion from the U.S. Comptroller General.  The specific reasoning applies
only to the U.S. government, but most of the principles generalize.
I'll add one note of my own -- from what I've read lately of the
Federal rules of evidence, printouts of data recorded on disk, tape,
etc., are considered to be equally original, as it were.

A reference I haven't checked is Benjamin Wright, ``The Law of Electronic
Commerce- EDI, Fax, and Email: Technology, Proof, and Liability''.  It is a
1991 book published by Little Brown and Co., 1991.

		--Steve Bellovin

United States General Accounting Office  [Comptroller General]
 
MEMORANDUM
 
DATE:     June 19, 1991
 
TO:       Assistant Director, AFMD/ASA - John C. Martin
 
FROM:     Assistant General Counsel, OCG/AFMD -
            Thomas H. Armstrong
 
 
Subject:  Electronic Contracting (B-238449)
 
This responds to your request for our opinion regarding
whether agencies can use Electronic Data Interchange (EDI)
technologies to create valid contractual obligations that can
be recorded consistent with 31 U.S.C. (s) 1501 (section 1501).
For the reasons stated below, we conclude that they can.
 
BACKGROUND
 
EDI is the electronic exchange of business information between
parties, usually via a computer, using an agreed upon format.
EDI is being used to transmit shipping notices, invoices, bid
requests, bid quotes and other messages.  Electronic
contracting is the use of EDI technologies to create
contractual obligations.  EDI allows the parties to examine
the contract, usually on video monitors, but sometimes on
paper facsimiles, store it electronically (for example on
magnetic tapes, on discs or in special memory chips), and
recall it from storage to review it on video monitors,
reproduce it on paper or even mail it via electronic means.
Using EDI technologies, it is possible for an agency to
contract in a fraction of the time that it now takes.  The
"paperless" nature of the technology, however, has raised the
question of whether electronic contracts constitute
obligations which may be recorded against the government.
 
DISCUSSION
 
Section 1501 establishes the criteria for recording
obligations against the government.  The statute provides, in
pertinent part, as follows:
 
     "(a) An amount shall be recorded as an obligation of
     the United States Government only when supported by
     documentary evidence of--
 
          (1) a binding agreement between an agency
          and another person (including an agency)
          that is--
 
               (A) in writing, in a way and
               form, and for a purpose
               authorized by law. . . ."
 
31 U.S.C. (s) 1501(a)(1)(A).
 
Under this provision, two requirements must be satisfied:
first, the agreement must bind both the agency and the party
with whom the agency contracts; second, the agreement must be
in writing.
 
Binding Agreement
 
The primary purpose of section 1501(a)(1) is "to require that
there be an _offer_ and an _acceptance_ imposing liability on both
parties."  39 Comp. Gen. 829, 831 (1960) (emphasis in
original).  Hence the government may record an obligation
under section 1501 only upon evidence that both parties to the
contract willfully express the intent to be bound.
 
A signature traditionally has provided such evidence.
_See_ _generally_ 65 Comp. Gen. 806, 810 (1986).  Because of its
uniqueness, the handwritten signature is probably the most
universally accepted evidence of an agreement to be bound by
the terms of a contract. _See_ 65 Comp. Gen. at 810.  Courts,
however, have demonstrated a willingness to accept other
notations, not necessarily written by hand.  _See_, _e.g._,
_Ohl_&_Co._v._Smith_Iron_Works_, 288 U.S. 170, 176 (1932)
(initials); _Zacharie_v._Franklin_, 37 U.S. (12 Pet.) 151,
161-62 (1838) (a mark); _Benedict_v._Lebowitz_, 346 F.2d 120
(2nd Cir. 1965) (typed name); _Tabas_v._Emergency_Fleet_
_Corporation_, 9 F.2d 648, 649 (E.D. Penn. 1926) (typed, printed
or stamped signatures); _Berryman_v._Childs_, 98 Neb. 450,
153 N.W. 486, 488 (1915) (a real estate brokerage used
personalized listing contracts which had the names of its
brokers printed on the bottom of the contract in the space
where a handwritten signature usually appears).
 
As early as 1951, we recognized that a signature does not have
to be handwritten and that "any symbol adopted as one's
signature when affixed with his knowledge and consent is a
binding and legal signature."  B-104590, Sept. 12, 1951.
Under this theory, we approved the use of various signature
machines ranging from rubber stamps to electronic encryption
devices.  _See_ 33 Comp. Gen. 297 (1954); B-216035,
Sept. 20, 1984.  For example, we held that a certifying
officer may adopt and use an electronic symbol generated by an
electronic encryption device to sign vouchers certifying
payments.  B-216035, _supra_.  The electronic symbol proposed
for use by certifying officers, we concluded, embodied all of
the attributes of a valid, acceptable signature:  it was
unique to the certifying official, capable of verification, and
under his sole control such that one might presume from its
use that the certifying officer, just as if he had written his
name in his own hand, intended to be bound.
 
EDI technology offers other evidence of intent to be bound
with the same attributes as a signature--for example, a
"message authentication code," like that required by the
National Institute of Standards and Technology (NIST) for the
electronic transmission of data._1_/  In our opinion, this form
of evidence is acceptable under section 1501.
 
A message authentication code is a method designed to ensure
the authenticity of the data transmitted; it is a series of
characters that identifies the particular message being
transmitted and accompanies no other message.  As envisioned
by NIST's Federal Information Processing Standard (FIPS)
113,_2_/ a message authentication code could be generated when
the sender inserts something known as a "smart card"_3_/ into a
system and inputs the data he wants to transmit.  Encoded on a
circuit chip located on the smart card is the sender's key.
 
____________________
 
_1_/  The Congress has mandated that NIST (formerly the National
Bureau of Standards) establish minimum acceptable practices
for the security and privacy of sensitive information in
federal computer systems.  Computer Security Act of 1987,
Pub. L. No. 100-235, (s) 2, 101 Stat. 1724 (1988).
 
_2_/  FIPS 113 adopts American National Standards Institute
(ANSI) standard X9.9 for message authentication.  It outlines
the criteria for the cryptographic authentication of
electronically transmitted data and for the detection of
inadvertent and/or intentional modifications of the data.
By adopting the ANSI standard, FIPS 113 encourages private
sector applications of cryptographic authentication; the same
standard is being adopted by many financial institutions for
authenticating financial transactions.
 
_3_/  A smart card is the size of a credit card.  It contains
one or more integrated circuit chips which function as a
computer.
 
The key is a secret sequence of numbers or characters which
identifies the sender, and is constant regardless of the
transmission.  The message authentication code is a function
of the sender's key and the data just loaded into the system.
After loading his data into the system, the sender notifies
the system that he wants to "sign" his transmission.
The system sends the data first to the chip on the smart card;
the chip then generates the message authentication code by
applying a mathematical procedure known as a cryptographic
algorithm.  The card returns the data along with the just-
generated message authentication code to the system, which
will transmit the data and code to the recipient.
 
When a contracting officer notifies the system that he wants
to sign a contract being transmitted to a contractor, he is
initiating the procedure for generating a message
authentication code with the intention of binding his agency
to the terms of the contract.  The message authentication code
evidences that intention, as would a handwritten or other form
of signature.  The code, incorporating the sender's key, is
unique to the sender; and, the sender controls access to and
use of his "smart card," where his key is stored.  It is also
verifiable.  When the recipient receives the contract, either a
notation identifying the message authentication code and the
sender, usually by name.  The recipient can verify its
authenticity by putting the data that he just received into
his system and asking his system to generate a message
authentication code.  That code should match the one
annotating the message received._4_/
 
Writing
 
To constitute a valid obligation under section 1501(a)(1)(A),
a contract must be supported by documentary evidence
"in writing."  Some have questioned whether EDI, because of
the paperless nature of the technology, fulfills this
requirement.  We conclude that it does.
 
Prior to the enactment of section 1501, in the Supplemental
Appropriations Act of 1955,_5_/ there was no "clean cut
definition of obligations."  H.R. Rep. No. 2266, 83rd Cong.,
2d Sess. 50 (1954).  Some agencies had recorded questionable
obligations, including obligations based on oral contracts, in
 
____________________
 
_4_/  For the sake of simplicity, this example does not describe
the complicated system of controls used to ensure that no
human knows the keys that are used to generate message
authentication codes.
 
_5_/  Pub. L. No. 663, 68 Stat. 800, 830 (1954)
 
order to avoid withdrawal and reversion of appropriate funds.
_See_ 51 Comp. Gen. 631, 633 (1972).  Section 1501 was enacted
not to restrict agencies to paper and ink in the formation of
contracts, but because, as one court noted, "Congress was
by asserting oral contracts."  _United_States_v._American_
_Renaissance_Lines_, 494 F.2d 1059, 1062 (D.C. Cir.), _cert_.
_denied_, 419 U.S. 1020 (1974).  The purpose of section 1501 was
to require that agencies submit evidence that affords a high
degree of certainty and lessens the possibility of abuse.
_See_ H.R. Rep. No. 2266 at 50.
 
While "paper and ink" offers a substantial degree of
integrity, it is not the only such evidence.  Some courts,
applying commercial law (and the Uniform Commercial Code in
particular), have recognized audio tape recordings, for
example, as sufficient to create contracts.  _See_, _e.g._,
_Ellis_Canning_Company_v._Bernstein_, 348 F. Supp. 1212
(D. Colo. 1972).  The court, citing a Colorado statute, stated
that the tape recording of the terms of a contract is
acceptable because it is a "reduc[tion] to tangible form."_6_/
_Id_. at 1228.  In a subsequent case, the United States Court of
Appeals held that an audio tape recording of an agreement
between the Gainesville City Commission and a real estate
developer was sufficient to bind the Commission.
_Londono_v._City_of_Gainesville_, 768 F.2d 1223 (11th Cir.
1985).  The court held that the tape recording constituted a
"signed writing."  _Id_. at 1228.
 
In our opinion, EDI technology, which allows the contract
terms to be examined in human readable form, as on a monitor,
stored on electronic media, recalled from storage and reviewed
in human readable form, has an integrity that is greater than
an audio tape recording and equal to that of a paper and ink
contract.  Just as with paper and ink, EDI technology provides
a recitation of the precise terms of the contract and avoids
the risk of error inherent in oral testimony which is based on
 
____________________
 
_6_/  Some courts, interpreting the laws of other states, have
held that a tape recording is not acceptable.  _See_Roos_v._
_Aloi_, 487 N.Y.S. 2d 637 (N.Y. Sup. Ct. 1985), _aff'd_,
489 N.Y.S. 2d 551 (N.Y. App. Div.); _Sonders_v._Roosevelt_,
476 N.Y.S. 2d 331 (N.Y. App. Div. 1984).
 
human memory._7_/  Indeed, courts, under an implied-in-fact
contract theory, have enforced contracts on far less
documentation than would be available for electronic
contracts.  _See_ _Clark_v._United_States_, 95 U.S. 539 (1877).
_See_ _also_ _Narva_Harris_Construction_Corp._v._United_States_,
 
For the purpose of interpreting federal statutes, "writing" is
defined to include "printing and typewriting and _reproductions_
_of_visual_symbols_ by photographing, multigraphing,
mimeographing, manifolding, or _otherwise_."  1 U.S.C. (s) 1
(emphasis added).  Although the terms of contracts formed
using EDI are stored in a different manner than those of paper
and ink contracts, they ultimately take the form of
visual symbols.  We believe that it is sensible to interpret
federal law in a manner to accommodate technological
advancements unless the law by its own terms expressly
precludes such an interpretation, or sound policy reasons
exist to do otherwise.  It is evident that EDI technology had
not been conceived nor, probably, was even anticipated at the
times section 1501 and the statutory definition of "writing"
were enacted.  Nevertheless, we believe that, given the
legislative history of section 1501 and the expansive
definition of writing, section 1501 and 1 U.S.C. (s) 1 encompass
EDI technology.
 
cc:  Mr. F. Jackson
 
____________________
 
_7_/  Of course, just as with any contract or other official
document, an agency must take appropriate steps to ensure the
security of the document, for example, to prevent fraudulent
modification of the terms.  Agencies should refer to NIST
standards in this regard.  _See_, _e.g._, FIPS 113 _supra_
(regarding message authentication codes).  In addition,
agencies should refer to the GSA regulations regarding the
maintenance of electronic records.  _See_ 41 C.F.R. (s) 201-45.2.
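
The generate-and-verify exchange that the memorandum describes for message authentication codes, as an added example that is not part of the original message or of the GAO memorandum.  It substitutes HMAC-SHA256 from the Python standard library for the DES-based algorithm of FIPS 113; the SmartCard class, the key and the contract text are constructed for illustration.

```python
import hashlib
import hmac


class SmartCard:
    """Hypothetical stand-in for the sender's card: holds the key, exposes only sign()."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, data: bytes) -> tuple[bytes, str]:
        # The code is a function of the sender's key and the data just loaded.
        tag = hmac.new(self._key, data, hashlib.sha256).hexdigest()
        return data, tag  # the card returns the data together with the code


def recipient_verify(shared_key: bytes, data: bytes, received_tag: str) -> bool:
    # The recipient regenerates the code from the data received and compares
    # it (in constant time) with the code annotating the message.
    expected = hmac.new(shared_key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received_tag)


def run_exchange() -> dict:
    key = b"constructed-demo-key-0001"                           # constructed key
    contract = b"PO 1001: 500 units at $12.00, delivery net 30"  # constructed text
    card = SmartCard(key)
    data, tag = card.sign(contract)

    altered = contract.replace(b"$12.00", b"$21.00")
    # Verification works by regenerating the code, so the verifier holds the
    # same key and can compute a valid code for text the sender never loaded.
    recipient_made = hmac.new(key, altered, hashlib.sha256).hexdigest()

    return {
        "genuine_message_verifies": recipient_verify(key, data, tag),
        "altered_message_verifies": recipient_verify(key, altered, tag),
        "wrong_key_verifies": recipient_verify(b"some-other-key", data, tag),
        "code_reused_for_other_message": card.sign(altered)[1] == tag,
        "recipient_made_code_verifies": recipient_verify(key, altered, recipient_made),
    }


if __name__ == "__main__":
    for name, result in run_exchange().items():
        print(f"{name}: {result}")
```

The last result follows from the verification step itself: a code that the recipient can regenerate is one that any holder of the key can produce, so attributing it to one party depends on the key-handling controls mentioned in footnote 4.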
 