March 16, 2001 To the members of the FTC and NTIA: The following comments are submitted on the behalf of Silanis Technology Inc. Silanis has been developing and marketing electronic signature software products for almost decade. Our products have been installed in more than 800 organizations ranging from the Joint Chiefs of Staff to GMAC and used in applications as diverse as FDA-regulated CFR 21 Part 11 compliant documents, approval of mortgage-related documents, engineering drawings and task orders. Currently, there are over a quarter-million users of ApproveIt electronic signature technology around the world with 75% of our growth occurring in the year 2000. Silanis only develops and markets applications that permit automation of electronic signing and approval applications and our ApproveIt line of software applications have been acknowledged as the leading electronic signature and approval automation applications. As one of the co-founders of Silanis, my role over the past decade has been to understand what our customers, and the markets they represent, require in creating 100% automated business and organizational processes and delivering the correct solutions. Our requirements and resulting solutions have always been driven by our customers business processes and the surrounding regulatory and legislative landscape. As an example, Silanis was the first company with a COTS software application to pass an FDA inspection with respect to a CFR 21 Part 11 compliant application. Overall, Silanis has developed a great deal of expertise in these requirements since we have always focused on ensuring that we can me the legal requirements of signing which are based in procedure and not in technology. When the E-Sign law was enacted, one of its provisions was to provide a study to congress 12 months afterwards that addresses five issues. First, to assess the benefits to consumers of the procedures required by § 101(c)(1)(C)(ii). Second, to identify any burdens imposed by these procedures. Third, to compare the benefits and burdens and discuss whether the benefits outweigh the burdens. Fourth, to consider whether the absence of the consent procedure would increase consumer fraud. Finally, to suggest improvements or changes to the statutory language that we deem appropriate. In my comments, I will address these issues from a technology point of view since this is our domain. Afterwards, I will provide comments about how the technology can work with respect to these issues. (1) What are the benefits to consumers of the procedures required by § 101(c)(1)(C)(ii): there is no question there are clear benefits provided in this provision. If a statute, regulation or law requires that a consumer receives certain information to assist in understanding the nature of the transaction, its need in the electronic world is no different from the paper world. However, the ability to receive and read the information is very different in the electronic world compared to the paper world. With paper, there is no technical limitation to read the information. In the electronic world today, there is no standard in electronic document formats and implementing such a format that will be accessible by any software application on any hardware platform is far from reality. There are some pseudo-standards such as Microsoft Word and Excel and Adobe PDF for which no-charge viewers can be easily downloaded from their respective developer's web site. The real benefit to consumers of this provision will be to encourage online merchants and other e-businesses to use the most common formats available to ensure that consumers can easily access the required information as well as meet other let provisions of the E-Sign Act such § 101(d) (retention provisions). (2) Identify any burdens imposed by these procedures: the burdens imposed by this provision should be no greater than in the paper world. However, a lack of clarity in the wording of this provision could definitely lead to a serious burden on the process. This is due to the wording - "…in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent…" This requirement could be interpreted, and may in fact mean that the consent can only be given by using the same format that the required information must be delivered in. In the e-business world where many processes are dictated by the design of a web site, it is often easier to obtain consent through a consent process built into the web site. However, delivery of the information may take place in a different format. For example, information regarding an insurance policy is better delivered (and may be required) in PDF (Adobe pseudo standard for hi-fidelity documents and information) than in HTML (Web page format, very low fidelity). Forcing consent to take place in the same format as the delivery of the information will definitely be difficult and may also result in a poor quality of access for the consumer. If this was not the intent of this paragraph, it would be better if the above sentence read - "…that they have or will have the ability to access information in the electronic form that will be used to provide the information that is the subject of the consent…" With this wording, the consumer can consent to their ability to receive the information electronically without already having the technology in place and creating difficult processes for the consumer to follow in a web site. (3) To compare the benefits and burdens and discuss whether the benefits outweigh the burdens: Given the comments above, the benefits clearly outweigh the burdens assumed the requirement to use the same format for obtaining consent and presenting the information related to the consent is clarified so it is not required. If its requirement continues, the complexity of the process may outweigh the benefit of the provision. (4) Will the absence of the consent procedure increase consumer fraud - we think this is very possible. Our opinion is not based on any studies but rather our knowledge of how and why to implement electronic consent. In the paper world, consent is often assumed due to physical process and possession of goods or information. In the electronic world, it is more difficult to demonstrate the existence of a process. So the electronic process must be a very explicit series of steps that can be authenticated through electronic security technology. A process that is secured in this manner cannot be as easily repudiated and fraud cannot be easily committed. (5) Can we suggest improvements or changes to the statutory language that we deem appropriate - this has already been done above. Finally, I would like to address the technology issues that have been raised as part of the request for comments. As described above, Silanis does in fact develop software that provides a process for electronic signing which is in fact the same as electronic consent. We are currently developing a program that targets consumer consent for transactions with Web merchants. Since it is only due out in June I cannot divulge the details other than to say it will be completely secure to minimize fraud and consumer abuse and follows our philosophy of creating products which are easy to use as pen and paper. I can also state that the security of the system is based on the same security technology we use today in our products that meet the security requirements of the US Federal government as outlined in FIPS_180-1, FIPS 186-1 and FIPS 140-1. Furthermore, it will not impose any burden on consumers to obtain additional technology or products other than those already used in the merchant's web site. We do feel that better technology will be developed in the future that will provide increased level of security. However the impact will be minimal on the consumer consent process since it simply requires that a process be followed while security technology only helps in attesting to this fact afterwards. In conclusion, I would say that the E-Sign law is generally suitable to its intent and that the consumer consent provision should remain. However, there is a clear need to clarify certain parts as we have indicated above.
Michael Laurie |
