ESIGN PUBLIC WORKSHOP
Tuesday, April 3, 2001
FEDERAL TRADE COMMISSION

PROCEEDINGS

MS. HARRINGTON: It's time to begin. Thank you, and I am going to turn this over to Jodie Bernstein for a few welcoming and opening remarks.

MS. BERNSTEIN: Good morning, everybody. We are delighted to see all of you here this morning. And we want to start on time because, as always, we have a full agenda which I know will be a very productive session. So, thank you all for coming on behalf of the Bureau of Consumer Protection, and the U.S. Commerce Department, as well. Actually, the NTIA is really represented here this morning down at the end of the table and we're delighted to be able to do this together with them, because if, for no other reason, that Congress directed us to do this together, but we would have done it anyway. We would have done it anyway. And as you know, it is a fairly discrete specific kind of requirement that the Congress inserted into the statute directing us to assess burdens and benefits involved in meeting the, quote, "reasonable demonstration" requirement that is in the statute, and asked us to report back to the Congress by June 30th. Your comments that some of you have already submitted and your participation today will obviously be of great assistance to us. We've used these workshop formats on a number of subjects, and on occasion with the Commerce Department with NTIA, it's worked very effectively. And we look forward to that as we prepare the report, but today's discussion will be critical in informing ourselves. So, again, thank you for participating. We know it will be a full day. And again, welcome, and we need to make a thank you to VeriSign for the coffee and goodies out in the hall. So, thank you all very much, and it will sweeten our morning.

MS. HARRINGTON: Thank you, Jodie, and as always, you're setting the standard, you finished your remarks two and a half minutes ahead of schedule and that's how we intend to conduct the whole day, that is right on schedule or maybe even just slightly ahead of. Let me go over a few of the housekeeping and procedural matters that you need to know about. First of all, many of you received from Eric -- Eric, raise your hand -- public comment cards, and we have more of those. There is at the end of the day, a portion of the day set aside for participation from the public for those of you who are here, but not sitting at the table, to engage in the discussion. And if you wish to participate during that portion of the day, we need you to fill out a card telling us who you are and if you have some representational status, tell us about that, too, so that we can gauge the number of people who want to participate during that portion of the program, and allocate the time correctly and make sure that we get to each one of you. Second, we have overflow space in Room 332. As you see, this is being telecast on closed circuit within the building, and so if you don't want to be in this room, either because you can't find a chair or whatever, feel free to go to Room 332. Beginning at noon, and continuing until the end of the day, we have in the overflow room some demonstrations by vendors and technologists of procedures that might be used or are being used to comply with various aspects of the consumer consent provisions in ESIGN. We think that's pretty interesting stuff and we would urge you to go down there and take a look. During our roundtable discussions, which begin with the legal issues panel at 9:30, here is the process: For discussants who wish to participate, we ask you to just raise your name tag up, set it on end, and the moderators will recognize you in whatever order seems to make sense for the flow of the discussion.
Now, an important point that we want to make is that today's goal is to really advance the discussion of these issues and not to rehash what people have already submitted in very fine and substantive comments. So, moderators will be assertive in making sure that what we're having here is a discussion and not a series of speeches. We want participants to talk to one another, to challenge each other. If we have participants with significantly opposing views, we hope that you will talk to each other, because we have asked you to participate, principally based on your expertise and knowledge, and we, the staff of the NTIA and the FTC, presume that the participants know a lot more about these specific areas of concern than we do. So, we need you to help us flush out the issues, challenge one another, refine thinking. Our experience is that as a result of these discussions, and we've had, as Jodie said, many, many workshops like this here at the FTC, some with our colleagues from the NTIA, and our experience is that by the end of the day, we find that there is often more agreement than disagreement and that people's thinking is often modified as a result of listening and talking with each other. So, that said, are there any other housekeeping details that we need to touch on?

MS. MAJOR: Mike Pazyniak asked me -- Mike, stand up --

MS. HARRINGTON: Into the microphone, please.

MS. MAJOR: If anybody regarding the tech demos has any questions, that you should see Michael and he will help you.

MS. HARRINGTON: Okay, and one other very important point, any time someone speaks, you need to speak into the microphone so that the people downstairs in the overflow room can hear what you are saying, and we also have webcasting of this session today, so there may even be people out there who are listening to this program.
And we also have email participation as an option for people in the public who are not here and want to email in their questions that we can get to either during the discussions or during the public participation session. We invite those of you tuning in on the Internet to send us your questions. And I believe that the instructions for doing that can be found on the FTC website, FTC.gov. That said, let's start. We are going to hear from three very thoughtful commenters. We're asking them to give us about five to six minutes of overview comments that set the stage for this discussion. We are interested in hearing them highlight issues of consensus, controversy, disagreement, and to help us set the stage for the discussion. So, we're going to begin by hearing from Margot Saunders who is with the National Consumer Law Center. Margot, do you want to grab a microphone there. And for all of our presenters who we're so grateful to, let me just warn you, I'll be watching the clock.

MS. SAUNDERS: Thank you very much for inviting me here today. I have a lot to say, but apparently I have a lot of opportunity to say it, so I'll try to spread it out all over the day. Can you hear me all right? Let me first explain that the National Consumer Law Center is a public interest law firm that represents low income consumers, and we became involved in this issue at first very reluctantly, because we didn't believe that electronic commerce issues were very relevant to the very poorest of the poor who we represent. And then we read ESIGN, the electronic signature bill that we're talking about today, just as on the day that it was set to go through the Senate on unanimous consent in August 1999. And realized that it said, quite starkly, that a writing should -- a writing -- a legal requirement for a writing would be satisfied by an electronic record.
Sitting by itself as it did in that law, and as it does -- as that language does in the Uniform Electronic Transactions Act, created quite a bit of stir among the legal services advocates, because we realized that the first thing that would happen to many low income people is they would be faced with dealing with -- with receiving electronic records in place of paper writings, whether or not they had a computer. So, it was from that perspective, the interrelationship between electronic commerce and the real world commerce that we address this whole issue. And that's, I think, an important perspective to keep in mind. If we were only dealing in ESIGN, with the commerce between people or participants who were both online, we would be devising different types of consumer protection. But it's the interrelationship between the physical world and e-commerce that creates somewhat of the controversy and a lot of the difficulty in trying to design appropriate consumer protections. We initially sought, obviously, quite a few more consumer protections than we actually got. The consumer consent provision is a real product of the legislative process, rather than a necessarily well thought out and conceived negotiation. It's, I think unfortunately, probably a -- more like a sausage than a clean resolution -- than a clean legal resolution of a bill, of a problem. I think that what would be best for me to do in my remaining two minutes would be to explain exactly what we're most afraid of. We see consumers in the real world who are taken advantage of all the time. We see, especially in low income and minority communities, consumers who are -- who are not sophisticated, who do not have sufficient choice in the marketplace, or even when they have it, they do not feel or do not know how to exercise it. 
We see, unfortunately, in the low income marketplace, many, many instances of some businesses skirting the edges of legality, taking advantage of the lack of clarity in the law, often quite brazenly pushing the envelope of the law in trying to see how much they can get away with. I think predatory lending, which is a new issue for many people, is an evident problem which is an indication of how there are certainly some people in industry, in commerce in this country, who will push the envelope and do whatever is legal, whether or not it is right. We know that if e-commerce in the name of facilitating e-commerce, a law allows the delivery of an electronic notice or disclosure to someone, whether or not they can actually receive it, but some members of business will take advantage of that. So, for example, we're concerned about the little old lady sitting at home who is visited by the home repair siding salesman. Right now, that siding salesman has to, and while he's going to rip her off in many instances, he has to at least give her paper writings evidencing the full details in which he's going to rip her off so that if she goes to an attorney later, she has the information, and the attorney can try to help her. She also has a very important notice of the right to cancel the transaction, and she has it as a piece of paper in her hand. After he leaves, and she has three days to think about that, that's an FTC required notice. If ESIGN did not have the consumer electronic consent provision, then she could be asked to sign, among all the pieces of paper that she signs that day, an agreement that would allow the -- all of these disclosures and notices in the contract itself to be sent to her at an email address established by the salesman. We know that that will happen if it's legal, and if that happens, that little old lady will be even worse off than she is now. 
At least with electronic consent, she has to be able to -- the electronic consent process has to indicate that she has the ability to access electronic records, and that is not likely to be able to happen -- to occur in this instance.

MS. HARRINGTON: Thank you, Margot. Now we will turn to Jerry Buckley, who is counsel for the Electronic Financial Services Council, and one helpful thing that Margot did for us, I think, was to tell us what her organization is most concerned about in all of this, and if both you and Ben could be thinking about that, to tell us your thought on that as you present that would be useful. So, thanks, Jerry.

MR. BUCKLEY: Thank you, Eileen. I represent -- I'm a partner in Goodwin & Procter, and I represent the Electronic Financial Services Council, which I believe is the only trade association which is focused entirely on trying to promote changes in the law and regulations which will facilitate the electronic delivery of financial services. Last year's passage of the landmark ESIGN legislation has cleared the way for businesses and consumers to access the benefits of conducting all sorts of transactions online. The act amends thousands of state and federal laws in a very simple way, as we know, it simply provides that a signature, a contract or a related record in any transaction in interstate or foreign commerce may not be denied legal effect, validity or enforceability solely because it is in electronic form. The long-range effects of this sample change in the law in our view will make this one of the most important statutes to be passed by the 106th Congress. We expect that not only will consumers be able to access products and services 24 hours a day, seven days a week, but and not only will literally billions of dollars be saved in records management, but it will also bring a wider array of products and services to inner-city residents and to rural consumers.
It will allow consumers to shop in the privacy of their homes, without pressure. It will allow consumers to ask questions about products, without embarrassment. It will empower more effective, timely and understandable consumer disclosures, and it is this feature of being able to have explained financial products in simpler and more understandable terms that we believe will some day empower consumers to take the features of various financial products to mix and match them and to create new financial instruments tailored to their individual needs. Combinations of lending, insurance and securities features, engineered mutually by a financial institution, and financial services providers and consumers online, we believe can allow the creation of products which meet consumers' unique needs, and we believe that this process, which is going to take some time, will justify the claim that this, indeed, is landmark legislation for the financial services industry. While these changes in business processes will be substantial, the business community, to its credit, we believe, is approaching the use of these powers in a thoughtful and methodical way. That the ESIGN Act has not spawned the rapid deployment of new products in our view is healthy. Rather, businesses, in our experience, are steadily developing the infrastructure to offer financial products which will gain wide market acceptance. I shall speak later about the efforts of our organization to promote industry guidelines for the origination and sale of home mortgage loans in the secondary market. As you all know, with the passage of this legislation, you and I, Eileen and I could enter into a contract to do business online, and I could give her a lease or arrange for a mortgage, but whether that product would be accepted in the secondary market, whether the lease would be financed by a financial institution, will depend upon the ability of the various industries to develop the infrastructure that is necessary. 
It reminds me of when the secondary mortgage market was being created some 20 years ago, all of the reps and warranties, all of the procedures that were followed, were developed carefully back in the early 1980s, and we have had very little problem in that industry. I think we have to approach the creation of the infrastructure for electronic transactions in the same thoughtful way, and we're trying to do that. The act is self effectuating, that is it does not require the issuance of regulations to become effective, but does allow for regulatory guidance of the kind that the Federal Reserve issued last Friday. What is important, though, is that the provisions of the act not be superseded or changed by regulations, thus the act imposes a healthy set of requirements. First that regulation be consistent with section 101 of the act, secondly that it not add to the requirements of section 101, that there be substantial justification for the regulation, that the methods would be substantially equivalent to the requirements imposed on records that are not electronic records, and that the regulations not impose unreasonable costs on the acceptance or use of electronic records. We think these are very important provisions in the act, and we strongly support them. The consumer consent provisions of the act are important, and we very strongly supported those when legislation was being considered. We have noted in the paper that we submitted that we -- that the procedures to use the powers -- first of all, I'm sorry, that we are encountering some challenges with respect to the reasonable demonstration test as well as to the issue of when disclosures must be provided. I would emphasize that these are by no means barriers to the use of the act, but rather hurdles to the utility of which may be inappropriate, and may need examination in the future. These and other issues which we will cover in more detail in the legal issues discussion to come. 
We want to thank the FTC and the Commerce Department for organizing this workshop, and we would also like to point out that while we have responded to the request for suggestions of areas where the statute might be creating problems or need modification, we believe that at this stage, the appropriate course of action is to allow more time for businesses and consumers to gain experience working under the provisions of the act, as passed, before trying to fashion improvements. The need as we see it at this point is not for new legislation, but for patient efforts to develop business practices which will bring the benefits of this legislation to a wide number of users as reasonably as possible. Thank you.

MS. HARRINGTON: Thank you, Jerry. Ben?

MR. DAYANIM: Thank you. I want to thank you very much for including me in today's proceedings. And I was listening to Margot and to Jerry and it brought back memories from several months ago. I have to say it's almost as if we planned the -- our remarks, although we didn't, because I think what we've heard from Margot and Jerry is really the two different perspectives on ESIGN, the fears and the promise associated with the act, and so that sets me up very nicely to kind of try, anyway, to draw them together, and I have the unique pleasure today of speaking on behalf of myself. I'm an attorney with Paul Hastings, I was involved with ESIGN on behalf of a client, but I'm here speaking my own mind today which gives me perhaps a little more flexibility than otherwise might be the case. I think in considering the issues that both Margot and Jerry raised, you first need to step back and ask yourself what is the objective that was attempted through the consent provisions.
And I think that everyone, with perhaps the exception of Professor Winn, who submitted comments, very interesting comments to the proceeding here, would come at this from the perspective of saying we don't want to affect the substantive law that existed prior to ESIGN, except in the narrow aspect of allowing electronic media to substitute for paper. In other words, in this particular instance of consumer protections and consent, we simply want to replicate the substantive protections that exist in the offline world by translating them onto the online world. And we don't want to favor or disfavor the online world in doing that. And, you know, as I said, I think that was the near unanimous objective, and I think it's a very high-minded objective, and it sounds like a very appropriate objective, and I actually think it is the appropriate objective. The problem is, is that when you try to implement that objective, you run into the reality that there are inherent differences between electronic media and paper. And so then the question becomes how do you accommodate those differences without overly -- without strangling the very benefit that you're trying to achieve by enabling e-commerce to flower. And that is, you know, maybe not simply put, but somewhat simply put, that the nub of the issue with which we all struggled in trying to devise the consent provisions. And you will hear a lot more about them in the panels later today, so I'm not going to really address any of the details now. I will simply say that in my view, what ESIGN did, and Margot is quite right, I think it was like cutting sausages, it was not necessarily by design, although I think every individual had this goal in mind, was try to reach that balance. And I think it approximates that balance, although not very elegantly, and in ways that I personally would have preferred it not, nevertheless, I think at the end of the day it comes out roughly at that spot. 
And I do share with Jerry the view that the fact that you haven't seen necessarily, although I think it's all a matter of perspective, an explosion of financial services or other e-commerce that takes advantage of ESIGN is not reflective of the consent provisions themselves, perhaps in isolated instances it might be, but as a general rule it's not, it's simply that businesses are trying to figure out the best way they want to approach e-commerce generally, and I think some of that has been -- is part of a larger economic picture and some of it is part of just a re-assessment by businesses regarding how they want to approach the Internet and how they want to approach e-commerce. I don't think this is a situation where the statute has created any barriers.

MS. HARRINGTON: Thank you. I would invite any of the folks who are at the table right now to ask any questions of these presenters that you might have, or make any observations that you might have. We have about four minutes left on this session. And I think that we can use it. And I actually have a question. And it comes out of Margot's concern, which is that, if I can summarize, that the most vulnerable of consumers may be victimized by the businesses that operate on the ethical margins. And is that a fair --

MS. SAUNDERS: That's our primary concern.

MS. HARRINGTON: -- statement of your concern.

MS. SAUNDERS: We have others, too, but that's the main one.

MS. HARRINGTON: One question I have is whether the concern about both consumers and businesses that might be more at the margin, ought to drive policy, and if so, why? And I would invite any of you very quickly to answer that.

MS. SAUNDERS: Well, I would hope that this society that we live in is one that -- one in which we care for everyone, including our less fortunate, and we have 200-plus years of laws that recognize that the less fortunate and the less sophisticated should be protected.
Certainly our entire legal system is based on the whole analysis of ensuring a fair resolution of problems, our criminal justice system is based on the expectation that we should allow innocent -- excuse me, guilty men to go free rather than wrongly convict an innocent one. Since biblical times, laws have limited commerce based on the recognition that the difference in bargaining power between individuals, especially individuals in need of borrowing money, need to be protected from lenders. So, unless we're on a radically different course, I would hope that we not change that basic premise of our legal system.

MS. HARRINGTON: Okay, thank you. Bob?

MR. WITTE: Hi, I'm Bob Witte, I'm with Kirkpatrick & Lockhart, and I'm here on behalf of the Investment Company Institute. You know, I think that's a really key question, and I think Margot is fair and right in saying that we have to care as a society about the less fortunate and less able to protect themselves. The question, though, I guess is, is that what drives the policy. And I think it's got to be a consideration in the policy, but whatever the policy is, whatever the rule is, whatever the orders are, there will always be a margin. There will always be somebody, some group that's at the edge of it, and as you said, Margot, there will always be unfortunately some people who are taken advantage of. So, as I think was clear from both Jerry and Ben's remarks, the issue is a balancing, and the question is are we going to have a rule that -- I don't even think that's the question, I think the question is how do we avoid having a rule that so burdens or adversely affects the business and the commerce that is important to everybody, at whatever end of the spectrum, by overconcern, we want to avoid overconcern without lack of concern for those who are less able to care for themselves.
And notwithstanding biblical times, there is a certain ethic in this country, too, about people having responsibility for their own actions, and while we need to take into account those who are less able to take responsibility, or respond to fraud, which is really what you were talking about, we need to recognize that there is some element of responsibility inherent in our social structure, and I think in our own government.

MS. HARRINGTON: Elizabeth, very quickly.

MS. YEN: Thank you, Eileen. I'm Elizabeth Yen, I'm a lawyer with the firm of Hudson Cook, and I'm in the Connecticut office of Hudson Cook. I just wanted to respond quickly that for the transactions that we already believe are very, very important and put consumers at high risk, we already have a lot of statutory protections built in in terms of, for example, Margot referred to the rights of cancellation, rescission notices have to be delivered in duplicate, certain disclosures have to be in ten point, all cap, bold-faced type, and you've got a lot of sort of form and also substantive protections built into the system. In the fraud context, in the context of e-commerce fraud, I think it's going to be difficult for the merchant to actually prove that all of those disclosures were provided. And even without e-commerce, obviously you have some shady dealings where people do not observe those formalities. And at the end of the day, those contracts are void. I don't know that the result would be any different in the electronic world.

MS. HARRINGTON: That's going to be the last word. We're up at about 65,000 feet looking down on our task here, which is to evaluate the cost and benefits of the reasonable demonstration portion of the consumer consent provisions, but that weighing of costs and benefits necessarily begins, I think, with the very broad look that we've just taken. And thank you very much to our three overview presenters, it was excellent.
We're now going to move into the legal issues panel, which will be moderated by my colleague, April Major. Let me remind all of the participants, and we need some of you who are on this panel to move up to the table now, and they would be Margot, Jerry and Ben are already here, Elizabeth, Bob, Jane Stafford, Mark MacCarthy, and I see Jeff Wood is already here. So, if you would take your seat, let me remind you, panelists or discussants, if you want to speak, raise your tent, and please identify yourself, name and organization, so that our reporter can get that into the transcript. Thank you.

MS. MAJOR: Thank you, Eileen. I want to thank all of you for your thoughtful comments and agreeing on being here today for today's discussion. I want to thank Margot and Ben and Jerry for setting the stage for the day's discussion and providing such an excellent framework for which we will work upon for the next hour when we discuss the legal issues associated with section 101(C)(1)(C)(ii). Now, if there's anything that we can agree upon today, I think, it's that ESIGN is not an easy statute. Section 101(C)(1)(C)(ii) has caused a good deal of controversy, to say the least, and that's what we're here to talk about right now. Particularly when we're studying what the statute requires, what the statute provides, and how to comply with the statute. So, I would like to start this panel off with the most basic question of what does section 101(C)(1)(C)(ii) provide, what does it require of sellers, and what does it require of consumers, and I think this discussion will necessarily lead into a discussion of the ambiguities which all of you have mentioned in your comments that are associated with this section. Ben, would you like to lead us off in what you think this provision requires?

MR. DAYANIM: I will attempt to do so. Well, looking at it on its face, it really has two key components, and we all know what they are.
The first is that the consent or the confirmation of that consent be electronic. And the second is that the consent or the confirmation of the consent be done in a manner that reasonably demonstrates that the consumer can access the information that is going to be provided to him or her. And it is there that all of the controversy lies. My view of what that means, I tend to think that it was intended as a common sense test. And I think that most folks are interpreting it that way. In other words, the electronic part is fairly self evident. The reasonable demonstration part is the part that creates the ambiguity, and I think there -- if it appears from the circumstances that the consumer was able to access the information, I mean that's reasonable demonstration. A good way to do that, although not necessarily required, although I would think that it would be a good practice, would be to provide the request for consent that the consumer is responding to in the same format in which the records will be provided, because then if the consumer is able to understand your request and respond to it, then presumably the consumer can -- that presumably the consumer will be able to access the records that will be provided subsequently as well because they will be in the same format. There are many ways to do it. In the comments that I submitted, I had two suggestions that are not original to me, they were two suggestions that were raised at the time of the statute, and although I recognize that there may be some concern with them, I think that they are nonetheless essentially appropriate. And the first is to provide the request for consent in the form of an attachment to an email, and therefore if the person is able to open the attachment and respond, in other words read the instructions and respond appropriately, then that person would be able to access the records. 
And the other manner is through a, for example, if it's website type function, to have it come up on the screen, again in the same format that that record will ultimately be provided. I mean, that's a -- that may be considered to be a little -- what's the word -- some might consider that to be a little Pollyanna-ish, because the words themselves are ambiguous and there is room for mischief there. But so far we haven't seen it.

MS. MAJOR: Well, I -- go ahead.

MR. WITTE: If I could just expand a little bit, this is Bob Witte, expand a little bit on what Ben said. It seems to me that the mischief, in part, comes from, as it often does in legislation or rules of any kind, from the language. And those of us who were involved somewhat in the process of the legislation know, I was one who yelled and screamed a lot about the particulars of the language, because the language of the statute does tie the demonstration to the consent. It talks about consent in a manner that reasonably demonstrates as opposed to there being a reasonable demonstration. And so what that gives rise to is some uncertainty. And I say uncertainty because during the process, the legislative process, in discussing this issue on the Hill and elsewhere, people who advocated the language really said well, nobody is going to interpret it that way. And frankly I think that's Ben's position. And he's nodding, let the record show, but I think that's really the issue. You know, how tied, really, is the demonstration to the consent. And we have legislative history that helps. While it may -- as legislative history often does -- suggest various avenues, there's some consensus there, too. I think there are four paradigm kinds of ways that you can expect to have a reasonable demonstration. One is what I've called the self validating sort of consent, similar, really, to one of Ben's examples.
An easy one is somebody's accessing information on the Internet, and the consent is there on the Internet, it's all in HTML, they are going to get all of the disclosures that are going to be covered by the consent in HTML, merely the process of accessing and consenting demonstrates an ability to deal with HTML, so that ought to be a reasonable demonstration. That one seems to me no controversy really available as to whether that would be adequate. Legislative history, I think pretty strongly suggests, if you look at the colloquies and elsewhere, that you could go even further than that, that it would be at least sufficient if you provide an opportunity to test a format, let's say a PDF format that you might push out to the consumer in the course of the consent, maybe you are going to correspond with them over the Internet or through email and say okay, attached here is a PDF document, give it a shot, see if you can open it, and then respond with an affirmation that says I could open it. And that then that would be a sufficient reasonable demonstration. That's the second paradigm. And as I said, I think there's a fair amount of support, in fact a lot of support, in the legislative history to suggest that that's enough. Even though you can't really say that that is quite the manner of the consent, it is the consent, per se, at least, that affirmed it. Another possibility, of course, is that you get an affirmation of the ability to deal with this particular format, irrespective of whether the particular provider at the particular time has provided an opportunity to test that format out. And if anybody, whether it's a sophisticated user or Aunt Sally, says yeah, I can use this, you know, why isn't that good enough. And then there's a fourth, which is frankly hardest to tie to the consent, but which logic suggests, at least to me, really ought to be sufficient. 
And that is if you could really demonstrate that the consumer could access or even did access the relevant information, irrespective of whether that's part of the consent process, and there are many circumstances in which this could occur, then why is that not enough to be a reasonable demonstration of the ability of the consumer to access? Now, those are different paradigms, I suppose there are others, but those are the ones that come to mind to me, and they're the ones that people in the investment company industry, and I think certainly in the financial services and probably more broadly, much more broadly than that, people are struggling with deciding well, what can we do, and what will work. The law is full of reasonableness tests, and those of us who are lawyers would have a lot less to do if there were none in the law, but the fact is they work pretty well by and large, but what we've had here is kind of an unhappy conjunction, I think, of first of all -- MS. MAJOR: Let me interrupt you because you've just brought up about six different issues that I think all need to be addressed. MR. WITTE: Well, give me one more minute and I promise to be quiet for a while. MS. MAJOR: Okay. MR. WITTE: Jerry says no. The conjunction is, first of all, as I mentioned, the problem with the statutory language, which gives you question as to whether you're limited more than you might otherwise be. The second is that there are substantial risks involved in not complying, and we'll talk about that, I'm sure, as time goes on, and the third is that at least so far, there has been kind of a remarkable dearth of regulatory interpretation. There are regulatory agencies, at least in our industry, in the financial services industry broadly, that have jurisdiction. 
Jerry mentioned the Federal Reserve came out, although I would say finally, although they were really among the first to come out with any regulations actually speaking to ESIGN, and on this subject they really didn't say much. They basically said well just do that, and whatever that is, do that. The IRS came out with rules that parallel ESIGN, and they also said well, do that, and in our sector, the SEC, for reasons that I really couldn't say, have not spoken to this. So, there are areas in which regulatory interpretation is very helpful, especially the kind which the SEC, at least, has been wont to use, which is here's some examples of what will work, you know, you can maybe do other things, but these will work. And of course I would submit if you took my four examples and said these will work, things will be a lot better, because the down side, the risk factor would be very small. MS. MAJOR: Thank you. Margot? MS. SAUNDERS: In many ways, although most of us think it could be done better, there's an elegant beauty to this electronic consent provision, because it accomplishes some protection for three different problems. One, it presumably tests the consumer's capacity to access any electronic records. So, that's an important -- that's especially important to my clients. Two, it protects the consumer's capacity to access the type of records that will be provided by this business. In other words, the software capabilities. And three, it serves to emphasize to the consumer the significance of what the consumer is agreeing to in regards to receiving future electronic communications. So, with those few words, which I attribute to Andy Pincus, general counsel of the Department of Commerce, he tried to address those three distinct concerns that consumer advocates had. 
I believe that my example that I gave of the little old lady sitting at home would not -- there is no way under this language that a court could find that even if the salesman provided a laptop to her, and she then electronically consented through either the Internet or an email account that the salesman established for her, that using the laptop provided by the business seeking the consent, that that would not reasonably demonstrate that the consumer can access information. I also believe that the consumer sitting at the car dealership, who accesses information through the car dealership's Internet website or through an email account established by the car dealer, even if the consumer is on the premises of the car dealer, that that does not -- I don't think -- indicate that the consumer can reasonably access information. The consumer -- this requirement is that the consumer has to do something affirmative, take some steps. That does not mean that a consumer -- and I think this is unfortunate, but I don't believe that a consumer who then goes to the public library or goes to a public access computer or kiosk and consents through a website or through an email account that they already have, that that -- I don't think that that process would be illegal. In other words, I think that would be acceptable under this scenario -- under this language. MS. MAJOR: Mark, would you like to respond to that? MR. MacCARTHY: Not directly to what Margot was saying. MS. MAJOR: Okay. MR. MacCARTHY: I'm Mark MacCarthy with Visa. Just a couple of quick comments. One, I think it is important that our friends at the Federal Reserve have stepped up and, you know, made some attempt to interpret the ESIGN legislation in the context of administering their own organic statute, the Truth in Lending Act and the regulation Z. 
I think that does show that it is possible and indeed desirable for existing regulatory agencies to step up and to show how the requirements of ESIGN can be used in conjunction with the underlying regulatory requirements with respect to disclosure, but our sense is that it is desirable at this point to leave the kind of flexibility that was built into the Electronic Signatures Act in place, and that regulatory interpretations that narrow or confine the range of different ways in which people could comply with the consent provision would really cut short some of the experimentation and flexibility that the statute, I think, wisely left unconstrained. One thing that I think would be worth putting on the table is we're discussing the consent issue as if consent is universally required in the context of disclosures, but it's worth mentioning that the fed had indicated in at least a couple of areas, consent is not required. Now, perhaps it falls into the category that you're talking about, the sort of, you know, self-validating kind of situation, but for example, in the area where electronically a solicitation or an application form has to contain on it or with it any of the required disclosures under regulation Z. If that kind of application is being delivered electronically, then it doesn't make sense to prior to delivering that electronically to ask for consent to deliver the disclosures electronically. You're already in the situation where someone is reading the application form or reading the solicitation, and the required disclosures have to be done in conjunction with that. It doesn't create a loophole because, you know, it doesn't create the possibility that someone would, for example, in the paper world, withdraw the information from the paper and say I'll give it to you electronically. 
The information in the paper world still has to be provided in paper form rather than in electronic form, but recognizes realistically that to require consent before providing disclosures in that kind of context is a kind of catch 22. So, we're sort of acting as if it were universally assumed that you need consent, but in fact in some circumstances, disclosures, electronic disclosures, will take place even though for practical reasons there won't be a requirement for consent. MS. MAJOR: Well, I think you're bringing up the issue that a lot of you discussed in your comments. Some of you are asking for more guidance with respect to this language reasonably demonstrate. Some of you are asking for narrow interpretations of this, and some of you are discussing the need for broad and flexible interpretations of the statute. And I would like you to discuss this in the context of how does one reasonably demonstrate that they can access this information in the manner that it's being provided? Jeff, would you like to continue? MR. WOOD: Sure. Jeff Wood, I'm an attorney with Household Bank and I very much appreciate being invited today. I want to follow up on one issue that I think is very important. The Congress, you know, adopted one -- sort of a one-size-fits-all approach, and one thing that the Federal Reserve recognized which is mentioned is that, you know, not all disclosures are the same, not all contracts are the same, not all documents are the same, you know, we banks have a lot of information to provide to consumers and, you know, many times customers are frustrated because they're receiving so much information that they don't know what to do with. But what was recognized I think is a very important point, is that, you know, disclosures provided at the application stage, which don't need to require consent under the proposal, or the interim final rule, you know, are different from disclosures that are provided at the stage of contract. 
And, you know, I think that's a very important point. With respect to the reasonable demonstration test, I think that it is -- it is workable, if not totally unworkable, but I think that it does reflect a tension that is probably an appropriate tension between, you know, letting commerce do whatever commerce needs to do on the one hand, and on the other hand providing appropriate protections. So, I think that it's there, and I think that one thing that is difficult, and I think we'll get into this later in the day when we talk about practices, how do you actually -- how do the technological people, you know, actually ensure that there is, you know, that there has been that demonstration. And Bob went through some of the four paradigms, and I think that a conservative business is, you know, more likely to pick the one sure bet, you know, if the customer is using a website and receiving documents in HTML, then he's got it. You know, that's too bad in a way, because that's limiting, that's going to limit the nature of e-commerce. And so that's too bad, and I don't know exactly what the way is around that. There's just one more point, that not only are there different levels of disclosures, but there are also different types of disclosures. For example, under the Gramm-Leach-Bliley Act, you provide a privacy statement along with the right to opt out. That's kind of an interesting one, because the customer doesn't have to respond to the privacy statement, he doesn't have to access -- he has to be able to access the documents, but he or she does not have to acknowledge receiving it under the law and the regulations, but there does need to be an opportunity to opt out if the company is sharing personal information with third parties. So, you know, does the opportunity to opt out if, you know, access to a particular matter, did that help to reasonably demonstrate that the customer got the document. You know, I mean there raises a lot of issues. MS. 
MAJOR: So, do you interpret ESIGN as requiring that the consumer -- they respond to the seller that they have actually received this information, is there this extra step required here? MR. WOOD: You know, that's an extremely important issue, and I think that yes and no is the answer. I think that depending on the nature in which the documents are received. If they're received in a certain way. MS. MAJOR: Give an example. MR. WOOD: The example of the HTML, the consumer clicked consent, you know, I apply, for example, or I agree, or submit. MS. MAJOR: So, you're saying that the consumer is already on the Internet, already sitting behind a computer. MR. WOOD: Right. MS. MAJOR: The information is being disclosed to the consumer via an HTML webpage, it's enough that the consumer clicks on I consent or I agree, that that you would interpret as complying with section 101(C)(1)(C)(ii)? MR. WOOD: I think that would have to be reasonable, reasonable demonstration, with respect to -- only with respect to what's being provided at that time. I don't think that it necessarily works for documents that are provided at a later time. MS. HARRINGTON: Follow-up question, Jeff. You said that following the more conservative paradigm, using HTML only, would limit e-commerce. Can you specifically tell me, give me an example of how that is limiting? MR. WOOD: Yeah, one of the commenters made a good point about, for example, monthly statements that are provided at a later time, obviously. And one thing we've found in e-commerce is that our customers are a little leery of e-commerce at the beginning stage of the relationship, but after they're already a customer, after, you know, they know who we are, we know who they are, they're much more comfortable with it. 
And so, you know, we have customers, millions of customers, who, you know, want to sign up for what we call customer care, what many companies call customer care, which is receiving statements, or being able to make bill payments online, or that kind of thing. And the technology is a little different at that stage, maybe, than it is at the beginning stage. So, you know, specifically, you know, we find it -- it's kind of a -- it goes both ways. We find it difficult to consummate a transaction, you know, by that I mean originating a transaction, you know, at the first step, you know, there's a lot of hurdles. You know, there's the privacy statement, there's all the disclosures, there's the contract, et cetera. That's a little more difficult. But it's in a way a lot easier to provide statements. Now, the question was, one of the comments raised a very good question, you know, do you provide the statement online, meaning the customer can simply log onto the website and look at his statement, and how do you know that that customer did that? And that's kind of a -- that's kind of a little thing that we're working on. I mean, I think a lot of companies are working on. MS. MAJOR: Jane and then Ben. MS. STAFFORD: Yeah, one of the things that Mark brought up about the federal regulators coming in and beginning to define within their own venues certain aspects, regulations, E, DED, the alphabet that's been just recently promulgated by the Fed, raises some concerns in a sense of saying now we're going to have to look from ESIGN down to another regulation to see where we begin to comply and where we don't begin to comply. And I think that's just something that we're going to have to deal with as we go forward. The example, for example, of equity line, original disclosures, which are required by the regulation Z to be in writing, apparently do not have to be delivered with an ESIGN consent. 
And perhaps you can understand that, because that is something of a preliminary, informational, promotional type thing, even though there are required regulatory disclosures in it. I think that's one issue. So, I think we have to be concerned. Our other concern in terms of writing is a concern, and everyone who's creating contracts needs to be concerned with what state laws you're using, because different state laws have different writing requirements. And while you could have a state law that says you must deliver consumer a modified UCC to provide that you must deliver checking statements in paper, therefore you are now under ESIGN in order to be able to deliver that checking statement. And so you have to know your state laws. And most of us are working nationally or internationally, which creates a very interesting situation. We certainly can determine venue in our contracts, and hope that that stands up, but I think that's an issue. I think the other issue that we've talked about in terms of the technological piece, and I'm sure the technology people will talk about this is, is this statute clearly, I think we all kind of have come to a consensus that the HTML process really works well with ESIGN. You can create your click-through buttons, you can create your -- design your site so that if you don't agree, you don't get to go forward, and, you know, you've got an evidentiary piece. I think when you go into something like delivery by email, or even delivery of a message that something is available, if you go out on the website, but you have to deliver that by e-mail, and that is, by the way, a proposal I believe in the Fed's new regs, you have now just created an entire department of administration to make sure that that email has been delivered because this statute requires that, that you have to demonstrate that it has been delivered. 
If you have somebody who changes an email address, if you have a site down, there are some webmasters who do not return unreturned emails, how are you sure that that is delivered, and that's an evidentiary piece that you have to create within your institution. So, I think that there are some limitations, or I'm not sure, actually, in saying all of that, whether this requires regulations or requires more broadness. I don't know. But I think that the reasonableness standard of proving delivery is an extremely difficult one, and I think what really is going to happen is that at the early passes, people are going to stay with the HTML, but delivering on wireless, for example, is another whole issue that I'm not sure how we'll create the -- I mean it's a project we at Wachovia Bank are working on, but I'm not sure exactly how we're going to meet all the requirements on a wireless system where you have to have -- I mean, having one department of people having to count. The whole purpose of electronics is to get out of that business. MS. MAJOR: Thank you, very good remarks. Ben? MR. DAYANIM: Yeah, just two quick points coming off what Jane and Jeff mentioned, and I'll steal a page from Bob Witte's very appropriate school of very close statutory analysis. To point out that firstly, what we're not talking about here is delivery. I mean, if you read the statute, if you look at the section, you know, not the (C)(1)(C)(ii) piece that we've been focusing on, but the introductory piece. What it says is that where there's a requirement that a record be delivered or made available in writing, the requirement that it be in writing is satisfied if, et cetera. So, all this deals with is whether or not you're satisfying the requirement of writing, not satisfying the requirement of delivery. Delivery is a whole separate issue that ESIGN very consciously does not address. That's one point to keep in mind. 
A second point to keep in mind is that it doesn't say that if you don't meet this regime, that you haven't satisfied the requirement that information be in writing. So, firstly, you're only dealing with -- and I guess there are really three points, because firstly, you're not dealing with delivery. This doesn't get you home with delivery at all. Secondly, you're only dealing with requirements that have to be delivered in writing. So, things that don't have to be provided in writing don't really fall subject to this. That's important to keep in mind, too, when you're talking about some of the new disclosures or other kinds of requirements that you may be obligated to communicate, but not necessarily be obligated to communicate in writing. And then thirdly, even if you don't satisfy the technical language of the provision, I would say that -- using Bob Witte's I guess fourth paradigm -- if you reasonably -- if you can actually reasonably demonstrate that the person actually was able to access the information, then I really don't see any problem, and I've advised clients that way, because yes, you may not be eligible for what -- I'll use a term that maybe some people might disagree with, you may not be eligible for the safe harbor provided by this mechanism, but you've actually provided the information, the information actually was accessed. I cannot conceive of a circumstance where you would incur liability under that situation. MS. MAJOR: I think that we recognize that there is controversy over whether actual delivery is required and I would like some of you to address that. The other thing that you brought up was the in-writing requirement, and I think there are some issues involved in that. What is exactly -- what is, you know, something that's required to be in writing, what does that mean. But I know Teresa has a question, so I will let her go. MS. 
SCHWARTZ: I wanted to ask whether this -- I wanted to ask whether this distinction that I hear being drawn between preliminary disclosures that statutes may require in writing, whether those preliminary disclosures are -- should be treated differently under ESIGN from disclosures that are required in writing preliminary to an actual transaction. And whether that -- there is a line that might be drawn there, whether people agree that that is a line that senses, even though the statute doesn't draw that line, it calls for consent whenever disclosures are required by statute to be in writing, which can be preliminary disclosures. So, and I understand the Fed perhaps is drawing that line or appears to be drawing that line, but I wondered if others here would draw that same line, you know, more broadly across statutory requirements. MS. MAJOR: Bob or Margot, would you like to respond to that? MS. SAUNDERS: Can I respond to that and several others? MS. MAJOR: Absolutely. MR. WITTE: Only if I can. MS. SAUNDERS: I don't think -- unfortunately, I don't think ESIGN draws the distinction that the Fed has apparently made. As I said, I think the only -- the only distinction that the -- the only recognition that there would be an ongoing relationship that ESIGN makes is this requirement that the consumer must do -- must electronically consent, which is meant to -- I think one of the purposes is meant to emphasize to the consumer the importance of what they're doing, that they are agreeing to receive all future records electronically. I agree with what Ben said on several points, that the statute specifically and deliberately does not address delivery. There is no mention of delivery, other than as a trigger for the consent, in here, and there's lots of legislative Congressional language that said that we look for delivery requirements under the other law that's being satisfied. I think the reason why is that we couldn't begin to agree on how we evaluate delivery. MS. 
MAJOR: So that the seller is under no obligation to in some way demonstrate that the consumer actually -- I mean he actually delivered the -- MS. SAUNDERS: I think the seller is absolutely under that obligation under the other law that requires the delivery of the document. So, for example, under the FTC's notice requirement to provide notice of the right to cancellation on a door-to-door sale, that rule, as I remember it, requires that the salesman deliver to or provide to in writing two notices -- two copies of the notice of the right to cancel. That means that that salesman has the obligation of ensuring that the -- I think -- consumer has received it. Because what is contemplated in that transaction, when the FTC passed that rule, was that the two people were standing right there. So, the -- we have to look at what was contemplated when the requirement for delivery was originally written, and if it was assumed that delivery would mean handing the other person a piece of paper, that also assumed that the person had to take the piece of paper. So, delivery cannot mean in that context simply posting it on the website or even emailing it. MS. MAJOR: I think that's a -- MS. SAUNDERS: But that -- I was just going to finish the sentence, but that same delivery requirement may not apply to other statutes which don't by their terms contemplate the face-to-face relationship. MS. MAJOR: I was just going to underline what you said. I think that it's important to remember that ESIGN doesn't exist in a vacuum, that it's always overlaying some pre-existing legal requirement, and that often is lost in this type of legal issues discussion. Continue. MS. SAUNDERS: Two other issues that I wanted to address very quickly. One is the in-writing requirement. The question has come up as to whether any document required by other law to be in writing must have been consented to electronically before it can be delivered electronically. 
That's, I think we've already addressed that question. The other issue there is, what does the other law have to say? Does the other law have to say the words in writing to trigger this requirement? And I would argue that the answer is no, if the other law implicitly assumed that the only way to deliver the information required was in writing, then that implicit assumption should trigger the electronic consent. For example, under North Carolina law, where I'm licensed, there's a four paragraph long requirement about late fees for mortgages, which we worked very hard to get through the legislature. This was 12 years ago, I think, and no one ever contemplated that there was any way to deliver all of these disclosures, other than in writing. So, while there's fairly complex disclosures that must be delivered to the consumer, the statute doesn't say in writing. I would argue that that implicit requirement for a writing would also require -- would also trigger the electronic consent, and that a mortgagor in North Carolina could not -- mortgagee in North Carolina could not deliver a late fees notice electronically without having previously received an electronic consent from the consumer. MS. MAJOR: Would it be your interpretation, then, that the in-writing requirement doesn't necessarily correspond with something that was required to be delivered in -- on paper, but when they use the term "in-writing," they are using the type of language to imply something that the consumer can retain, can hold onto, that doesn't necessarily have to be on a piece of paper. I think some of the legislative history in the floor debates used the term "paper," but is that necessarily part of the in-writing requirement? MS. SAUNDERS: I'm a little confused. If you're saying that the delivery of a writing requirement could be faxed? I'm not quite sure how you deliver something in writing before electronic disclosures existed, other than on paper. I mean -- silver paper or fax paper? MS. 
MAJOR: Something maybe that's required to be attached to on a label or a piece of clothing or written on a tire. MS. SAUNDERS: Oh. I think retention is very -- MS. MAJOR: Retention is really the key of that, right? MS. SAUNDERS: Yes, and I have that as a note here that I wanted to bring up, that we're all talking about access, but the consent provision also keys in the retention requirement. And ESIGN has a very specific protective retention requirement that goes far beyond UETA's retention requirement. And I think that the retention requirement in ESIGN is -- must be implicitly read into the access requirement. In other words, ESIGN does not require that a consumer must indicate that they have the ability to retain. That was the fight that we lost, unfortunately. But ESIGN does require that for a record to be provided that is otherwise required to be provided in writing, it can only be provided pursuant to the requirements of 101(D), and that -- so, that record retention requirement is triggered by an underlying law requiring a writing, which is one thing that's different from UETA, whose record retention requirement is only triggered by an underlying law requiring retention. And that record retention requirement requires that the record accurately reflect the information and be capable of being accurately reproduced for later reference by the consumer. We can weed that in because it's required to be retainable by all parties. That means that going back to the HTML or Microsoft Word discussion, that when a document is delivered electronically, which is otherwise required to be delivered by other law in writing, it's got to be delivered in a record format which can be accurately reproduced for later reference by the consumer. 
Now, I would posit that a word processing document such as WordPerfect or Word probably does not meet those requirements, because it's like writing on a chalkboard, and how can this consumer open the document and then be able to reproduce it for later reference and prove that it is the same document that they received, because it may have a different date on it, just simply by virtue of being opened by the consumer. So, that's a complication that should be factored in, which I think can be addressed using HTML or PDF or some other kind of format. MS. MAJOR: Bob? MR. WITTE: Boy, there's a lot of apples in with these oranges. I mean, it's a little scary, the last thing, I guess, because it sounds like the only things that will work are the things that wouldn't be sufficient because you're positive that they can't be retained because by printing them out by its nature changes them. That's a little scary. MS. SAUNDERS: I didn't mean that. MR. WITTE: If you didn't, that's good, because that's what it sounded like to me. I think we have to -- there's a lot of distinctions that I think are worthwhile trying to make, and I'm not sure how many of them I can hit, but I will try to hit a few. One of them is that it is worth noting, as Margot did note, that rule (C)(ii), which is the reasonable demonstration test, does not contain the retention requirement, and as Margot said, that battle was lost, if indeed it was fought, I would say it must have been lost early, because I don't remember that one being particularly hot, but in any event, it is true that (C)(1) says that you have to provide hardware and software information as to the ability to access and retain, which is fair enough, and appropriate, but there isn't a requirement that the consent itself evidence an ability to retain. 
It is true, again, as Margot said, that the requirements, you know, relating to record retention, well record retention doesn't really have anything to do with this, because we're not talking about regulatory requirements to retain documents, which is what 101(D) is all about, but 101(E) does talk about the capability of saying that if documents required to be in writing and are delivered in the form of electronic records, then they must be capable of access and retention by parties who are entitled to do so, whoever they may be. But that is not the consent, okay, because there isn't anything in ESIGN that requires the disclosures that are associated with the consent to be in writing, indeed it would be counterintuitive if they were required to be in writing, assuming, at least, that we distinguish the electronic communication from writing/paper, one of the great conundra of this thing. So, the ESIGN disclosures on consent process are not as a matter of law things which must be retained; however, anybody who wants to evidence compliance with the consent requirements is going to be well advised to at least be able to retain the information and have evidence itself, himself, whatever, of having done so. Which brings me back, I guess, to the earlier point that was made about delivery. There is nothing in ESIGN that I know of that requires proof that anything be delivered. I think, again, as Margot said, it is accurate to say that other law will determine whether or not you have delivered or not delivered. And in fact, one of the points that many of us on the industry side made early and often in this process is yeah, providing -- the ability to provide information in electronic form as opposed to paper or writing form does not mean that you don't still have to succeed in delivering it. What constitutes delivery, or whether there's really a delivery as opposed to make available requirement, is indeed determined by other law. 
Now, this distinction and this point, I am going to come back to what Ben said, the language in 101(C)(1) that talks about satisfying the requirement to provide such information in writing, is actually, it's a very intriguing provision, and to understand really what's meant here, because it's true, it says in writing, and it is true that many people asserted loudly during the process that we are not specifying requirements for delivery here, which there are no specific, you know, you shall deliver this way or deliver it by 2:00 in the afternoon or something like that, but on the other hand, what, after all, is the point of 101(C) if it is not to say that if you get this consent, and you provide the appropriate disclosures, and you obtain the reasonable demonstration, that you may indeed provide this information in electronic form. And that means provide it, you know. Yes, if you're supposed to provide it, succeed, somehow, and if you haven't succeeded, there may be a consequence, but it I think would be a mistake to suggest that those who apply the law are free to layer on all kinds of additional burdens on electronic communication under the rubric of delivery and say this is merely writing, and that is to say this is the 101(C) merely deals with the writing requirement, delivery, well, that's something else. And maybe that's out there, indeed it is out there, and it's something I've actually written about, the fact that it is out there, but I don't think it's really consistent with the whole point of this provision, to be layering on those kinds of additional requirements. MS. MAJOR: Elizabeth? MS. YEN: Yes, thank you. I wanted to just note that I think the law on delivery is going to evolve. The same way that the law on delivery with respect to use of the mail, for example, has evolved. And we now have a very robust body of case law that says you're entitled to certain presumptions, but things were delivered and received if you use the U.S. 
Mail, first class, postage prepaid. Those are issues that have been resolved in the courts over the last 50 or 60 years, they give us presumptions like the mailbox rule, and I think that we will find that evolve over time in the electronic world. As far as the question I think Teresa Schwartz raised earlier about the distinction the Fed has drawn between application disclosures, and the disclosures that pertain to an actual transaction. Transaction is a defined term in ESIGN, and if you read the definition, it appears to contemplate that you actually have a sale, a lease, an exchange, a licensing or some other disposition of property or services, and I think what happened was that if you look at that definition of transaction, plus the definition of consumer in ESIGN, a consumer is an individual who actually obtains products or services through a transaction. You could come up with an argument that 101(C)(1) really is focused on a transaction. So, I was actually very pleased to see that the distinction was drawn in these new Federal Reserve interim rules. I believe it was Eileen who asked earlier for an example of some possible hindrance to the development of e-commerce, and I thought I would just give you an example of a hypothetical that I just sort of made up on the fly. Suppose I want to offer an entirely paperless credit card -- well, unsecured, open end line of credit, paperless. I might mail you the card, but I mean we could posit a scenario where maybe there isn't even a piece of plastic, it's totally paperless. You're on my website, I give you all the credit card applications, solicitation type disclosures that are required by Truth in Lending, and those apparently are not governed by 101(C), but then if you do -- and I instantaneously approve you for credit online. This is all taking 90 seconds. I now therefore have to give you a transaction disclosure, which is your credit card agreement and the disclosures that go with that. 
So now I am into this world of consent and reasonable demonstration. I for security reasons do not want you to tamper with your periodic statements that I am going to send you in connection with this loan account that we are about to open. So, I am probably not going to want to use HTML for those statements. I may prefer to use PDF, because that's a little harder for a consumer to then jigger. That is going to be a problem. I've had some technology people tell me that if I'm on a secure website, because we have collected some personal financial information from you in the course of your application for this process product. I've probably asked you for your social security number so it's a secure site. It's apparently going to be a technological issue to make you click open some sort of a test PDF file and then get back out of that file and confirm to me during this two-minute on line process that you were able to access something that mimics an account statement. I'm not saying it's not possible to do, but I have been told by some programming people that it really complicates the design of that website. MS. MAJOR: Thank you very much, Elizabeth, that example was very helpful. Jeff? MR. WOOD: Thank you. Yes, that is absolutely true, the use of different formats in a website, and one transaction I think is unduly complicating. I want to follow up on really just one point, and that's the question about the consent and the -- whether or not the ESIGN does apply or should apply or will apply to all documents, I really appreciate Elizabeth's point of the definition of transaction. I think that's very helpful. Also, it's tied together with the delivery issue, because, for example, you know, under reg Z you know, disclosure is provided to the consumer during at least five different points along the transaction. 
Not every consumer who looks on the website and receives, say, application disclosures about what's being typed on the website, will apply, and that's one level, and I mean not every customer who applies and receives application disclosures, you know, will then proceed to a transaction because they might either not be approved for credit or they might decide not to go on with the credit product. And so on and so forth, on down the line. In Truth in Lending, not every document has to be provided in the same way. For example, the applications disclosure with a newspaper advertising, or printed in the direct mail solicitation. You don't know necessarily now that the newspaper is going to be opened up and read by John Doe and you have John Doe's consent to receive disclosures that way. So, the delivery, it's presumed because he bought the newspaper and read it. That standard is totally different at the time that John Doe is actually entering into a transaction and his assent to -- his comments to repay and so forth is satisfied. So, I think the two, the level of disclosure and consent versus the delivery, I think should really go hand in hand. Likewise, there are post closing requirements, for example, many states have notices of right to cure for a delinquency prior to repossession. We did -- we had a question recently, and someone asked how many of these have to be driven by certified mail? Well, only a few states require that that type of notice be given by certified mail. You know, query now that would be implicated by ESIGN, and that's not what we're here to discuss today, but my point is many disclosures simply go out in mail, and they go to the mailbox, and you have the mailbox, so you don't know that the customer is going to open his mail and read it, you have a safe harbor because it's going to the mailbox. 
And I think to impose on e-commerce the requirement that the customer not only get it in his electronic mailbox, but that he open it and/or that he reply to it, I think is putting a burden on electronic commerce that goes above and beyond what is existing in the mail world. MS. HARRINGTON: Jeff, could I ask a follow-up on that? One difference between the mail, the U.S. Postal mail delivery system and the state of sort of electronic information and access to it, is that we know that conceivably, everyone can have mail delivered to them. There are a variety of ways to get real mail delivered, but we don't know, for example, that everyone can access PDF files. I thought Elizabeth's example was very helpful. So, while, you know, conceptually, I think it's probably right that we need to wait for this law to evolve, what do we do right now? What would be the -- what would satisfy the reasonable demonstration requirement that the consumer can indeed access PDF in like one minute? What would your company do? MR. WOOD: I think that's a good segue into the next topic about technology, because I think it's a technological question. If -- I think in some cases, you would need to have a return mail or a return something from the customer saying yes, I did access this, because you can't determine, you know, reasonably based on technology that it was opened. On the other hand, if you know that this customer -- I guess where I have a problem is, you know, if the customer's computer changes, you know, five years down the road, what happens then? But that, I think, is addressed by the act in the next session. MS. HARRINGTON: So, you say word back from consumer, yes, I can access PDF does it. Margot? Does that do it for you? Consumer says by email, yes, I can access PDF? MS. SAUNDERS: I think the consumer has had to -- sorry, I think it's required that the consumer must open a PDF document, read something in it and respond. That's -- that is very specific. MS. 
HARRINGTON: Okay, answer plus. MS. SAUNDERS: Answer plus, yes. MS. HARRINGTON: Answer plus. Anybody else, Jerry, quickly? MR. BUCKLEY: I just didn't want to respond to that point at this point, but I just wanted to make an observation regarding what the Federal Reserve has done. MS. HARRINGTON: Can you hold it, because Mark has an answer to this one. MR. BUCKLEY: Yeah, thanks. MR. MacCARTHY: I think in the context that you just described, something that would indicate automatically that the customer has opened up the required document would satisfy the requirement. If it was built into the system. MS. HARRINGTON: PDF sensor? MR. MacCARTHY: Something like that. MS. HARRINGTON: I want to go to these, we only have one minute. MS. MAJOR: Go ahead, Jerry. MR. BUCKLEY: I just wanted to say, and it's a point Ben made earlier, in writing doesn't necessarily mean on paper. And the Federal Reserve clearly contemplated that when it proposed its regulations long before ESIGN was even introduced. And I think that the Federal Reserve's ability to prescribe and permit the delivery of the early disclosures is outside of ESIGN, and rests on its general authority under its acts. So, it's important to keep in mind that ESIGN is a safe harbor, and that its requirements don't necessarily apply to acts which otherwise authorize an agency to permit the delivery of disclosures electronically. MS. MAJOR: Okay, Bob, you have one minute, and Margot has one minute to respond. MR. WITTE: Well, I hope it's a direct response, but in -- I think that the four paradigms that I identified at the beginning ought to all be sufficient, really, and if PDF or PDF plus or affirmation or affirmation plus. Mere affirmation, at least in a context of credibility, you know, maybe somebody who is established on -- for advocation purposes as a computer programmer is in a little bit different situation than Aunt Sally, my favorite example, but maybe not. 
There certainly ought to be contexts where that's sufficient, and what about proof of opening? You know, I mean after all, if you can ultimately establish that the PDF was used, what's wrong with that? I don't think there's any way to have a requirement that you show that the person actually opened it. You can't do that. There's almost no way to prove that they actually did. But at a minimum if you go back to the PDF plus opportunity test, is proof of test, and I don't think there's any basis for suggesting that there has to be a proof of testing. MS. SAUNDERS: I wanted to very quickly address the definition of consumer. The definition of consumer was added to ESIGN very specifically to mimic the definition of consumer in numerous state laws across the country for unfair and deceptive trade practices, Truth in Lending Act and others. I think that the expanded definition of consumer under those state laws has to be read into the definition of consumer in this law, because it's become a term of art rather than a new term which was specifically and newly depth-defying to ESIGN. MS. MAJOR: Well, thank you all so much, and we've ended at 10:30 on the dot. We will take a break until 10:45 and start then with the technology issues. (Pause in the proceedings.) MS. NIELSON: Hello, everyone, I'm Fran Nielson from the National Institute of Standards and Technology, welcome to the technology panel portion of the workshop. Thank you especially to all of the panelists and those who are here to provide their wisdom on this study. We're going to have -- I would like to make one little announcement before we get started, and that is there are some comment cards around so that if you have a question you would like to submit to the panel, if you could fill out your question and wave it in the air, one of our helpers will come pick it up and deliver it to the panel. So, I will say that at the start. First we're going to have some short technology demonstrations. 
I believe our first demonstration is Dr. Brown, iLumin. DR. BROWN: iLumin. I'm with iLumin and I'm grateful to be here today. What we wanted to show you was a platform that we have developed on the web to perform e-commerce that does have what we believe and our in-house counsel has said might conform to the law for consent, and so we'll have to see if we get sued or not. This is the log-in screen to the website. So, the website -- this is a web-based application where everything is done from a browser to a server at the e-commerce site. And so we have added here, "By logging in, I am consenting to receive any records electronically that I can access through digital handshake technology." So, we're informing you of that. If you have not yet registered with the site, the registration form here says, "By submitting the registration form below, I am consenting to receive any records electronically that I access through digital handshake technology." So, if I go back and log in, we'll get to some documents. And it says that I have two different signing rooms, I want to open up this signing room, and we have added the note here, "By completing any transaction in this signing room, I have consented to receive the records electronically." So, every time you come to something, we're informing you that if you continue on, you are consenting. So, here we have a form to change health plans, and I've started to fill this out, and I will just say I'm ready to sign it, and when I do, it's going to be processed and it comes back and we have the note on here, "By signing this document, I have consented to conduct this transaction electronically." So, every step of the way, we're informing you that if you continue with this, you are consenting to this. 
Now, some other work that we are doing involves the transformation of data from an XML document to different formats, and I just show this, because later in the law, on the record retention, it says, "Accurately reflects the information set forth in the contract or other records," and one of the things that we are doing is not only allowing the document, which we code as XML, to exist and be translated with the style transformation, as defined by W3C, to an HTML representation that you saw on the screen that I showed you just briefly, but we also are transforming it to the PDA format, the WML, for browsing, and also transforming the information to a wave file that can then be heard over a cell phone. And so in each of these cases, we're trying to take the same information and transform it so that the consumer may be able to receive it by dialing in off of a phone, by having a Internet appliance like a PDA be able to see it, as well as a web browser. And so in this work, we are keeping the data in an XML format, and that's what we are then transforming. And one of the things that we're concerned with that the law -- we're concerned with the statement that it accurately reflects the information set forth in the contract or other record, because we may have a truck driver who receives a bill of lading on his cell phone, and we'll listen to the document being read to him over the cell phone, and then sign that bill of lading digitally by typing a pass code onto the cell phone while the other end who receives that document may see it on the website. And so we're very concerned that we not be restricted to the exact format of it, that the information accurately reflects so that when it's read to you, with the wave file versus viewing it on a WML device versus an HTML device, that we get the same information. MS. NIELSON: Okay, thank you, Dr. Brown. The second demonstration, then, is from NewRiver. Virginia? 
While they are setting up their demonstration, I was asked to announce that there is a lunch room on the 7th floor. Today's menu may or may not appeal to you, six pieces of fried wings, macaroni and cheese and mixed vegetables for $4.55, or halfsmoke on a bun, a soda and chips for $3.25. And now back to our regularly scheduled program. I just had to say that. There's also a salad bar and sandwiches. MS. GOBATS: Thank you. My demonstration is a little different in that it's from the point of view of the investor. We're from the financial services base, and we are dealing with in this case E*Trade's customers, and E*Trade, I have to give you that information that of course it is an electronic service organization, and they are at the forefront of this kind of consent management. In the E*Trade world, people are transacting business electronically all the time, but they are asked from the point of view of consenting to the delivery of electronic documents in the future, they are asked to sign on with their E*Trade user name, their password and the log on. I don't have to fill anything in in this demo, but I would be filling this information in. And this is, of course, equivalent, really, to the signature, because I'm coming into a secure site where I'm already known. I'm going to log onto or click on account services, which shows me what my balance is, and most of the firms that we deal with are already providing electronic availability or electronic access to statements, not in lieu of paper, but as a service. I'm going to then click on set delivery options, where I'm offered trade confirmations up here in the right, trade confirmations, monthly statements or posted checks. I was interested in the comment about the checks in the earlier discussion. 
The education portion of this screen, electronic document service is the front end, here's how it happens, here's how E*Trade electronic delivery, document delivery service works, tell us how you want to do it, if you choose, if you consent, and how your documents are filed. This all conforms with the ESIGN regulations. I'm going to consent to not U.S. Mail delivery of my trade confirmation, but electronic delivery, and I'm going to request electronic delivery, it will be electronic delivery for statements as well. I don't have to re-enter, because we're fooling ourselves here. And then I see the consent to electronic delivery of trade confirmations, and I'm going to consent right on it. I'm not going to go through reading this, but we are showing them that we are making the disclosure right here and either I can change my mind and go back, or I consent. That's it. It's that easy. Log off, you've successfully logged off, thank you for using E*Trade, which is the normal log-off for E*Trade. The second one, demonstration is from a -- from the mutual fund world, and here, it's just a little bit different because the customers may or may not be electronic customers. Is it going to come up is the question. Electronic sign on. Now, when the person, when the investor comes into the site, they really are in the secure site already, because they've already obtained a password. If they haven't obtained that password, you see that the second option, which is to reset a forgotten PIN, and when you take that option, you also can get a new PIN, if you don't have a personal identification number already. 
As you see, you sign off your social security number and your PIN, and you log in, and I am going to -- I am presented with a view of my own portfolio, and then I'm going to click on the electronic delivery consent, and specify my electronic delivery preference, who do I want -- where do I want it mailed, and whether I want an investor statement, yes, I do, electronically, and I want to receive notification, which is an issue that the user has to know that they are going to be notified, and then whether I also want an additional paper copy. I continue, this is the disclosure part, and I agree. And that's it. It's that simple. You have enrolled, click, it's over. It's a simple process. MS. NIELSON: Okay, thank you. Our last mini demonstration, then, is from Selwood Research. Jeremy? MR. NEWMAN: I'm Jeremy Newman from Selwood Research of the UK, thank you very much for having us today. It's nice to be in Washington on a fine spring morning, representing I think the G in ESIGN, the global side of things, without which we would have ESIN. Essentially, and I'll ask Fran later what is meant by a halfsmoke on a roll, that's another matter. Really three key things we're trying to actually nail down, three corners, the holy triangulation of evidence of informed consent, and what I'm doing here in this presentation or illustration is to try and say well, how are we actually going to nail these three, because I don't think you can do just two of them. So, you need have the ability of receive records, informed consent, we talked about that, but I think ease of use both for the business and the consumer is really the paramount thing, it's reducing the burden on both sides. 
So, these are the three elements, again, we've got the business and the consumer and what we call the recital service provider at the bottom, and at some point in the overall scheme of things, the flow, the transaction flow, an invitation or a request is sent from the business to the consumer for this consent. So, what does the consumer see? In replacement for a signature block, where they actually say please sign here on a piece of paper, we have this thing called a sign spot, which tells the affirming party, the consumer in this case, what to do. And this could be manifested on an email, with a simple -- what I've got here, a preamble and a piece of text, and our proposal with recite a line, is that you pick up a phone and you say what you want to do, and that's recorded. So, you've got the evidence, you've got the informed consent, from the consumer, this could also be manifested on a webpage, and so you pick up a phone, you dial this toll free number, you enter a document code of some sort, invented by the business, the relying party, and I John Doe consent to receive electronic records from Acme underwriting as described in document number 0224973. Done. That's done by the consumer to the service, and then after this, the service provides links to both the business and the consumer, because the consumer is really a kind of pseudo relying party. The consumer needs to say, you know, after the event at some point, I did sign this and I did it on this time and I have this here proof. So, the links go back essentially as an identifier or a number that goes back to the consumer, that says if you want to retrieve your recording at some point downstream, this is the number that you use, and the business also gets instant electronic notification of the agreement having been struck. 
So, the benefits are obviously excellent evidence of informed consent, you can hear the person saying I want to do this, the accessibility is demonstrated, and Bob Witte earlier saying that there's no method that allows you to prove that the document has been opened, well this is one method, because you have to open the document to see the number, in order to key it into the telephone when you give the recital. So, it's very simple to use, everyone is familiar with using telephones, there's approximately 1.1 billion telephone handsets on the planet, and people are used to doing -- leaving voicemails and using telephones for doing things like card activation and so forth, and it's a very positive affirmation. I think that people need to bear in mind that positive affirmation is essentially preparing the consumer to say I want to do this, handing the card over to the consumer saying if you're ready, we're ready to do this, and we're moving away from this intense focus on authentication of the consumer. You have already established that. This is a system that goes on top of a known relationship between two parties to actually prove the policy of the transaction, and in this case as a consumer consent provision. Thanks very much. MS. NIELSON: Okay, thank you, Jeremy. I want to remind the panelists or tell them for the first time if they weren't part of the earlier panel, that the way we're going to proceed is if you want to make a comment, you flip your name card vertically. Having said that, I've already been asked by Margot to describe the difference in her opinion and maybe everyone's opinion what paper and electronic versions are, just to set the stage for our conversation. Okay, Margot. MS. SAUNDERS: Thank you. We're talking about these very interesting technological questions, but I want to bring us back to the difference between electronic and writings, and just clear -- kind of state for the record what we all kind of intuitively know. 
A piece of paper can be handed to or mailed to a person, and they can read it without special equipment. You need a computer to access or read an electronic record. A written record can be received by the consumer at no cost. It doesn't cost the consumer anything to have a mailbox. Everybody, including homeless people, have mailboxes and can get U.S. Mail. The electronic record can only be accessed through a computer connected to a third party from whom payment is generally required on an ongoing basis, the Internet service provider. If the consumer moves, the U.S. postal mail can be easily forwarded, at no cost to the consumer, and with minimal difficulty, with generally one notice to the post office a year will suffice to forward all incoming mail. ISPs generally do not forward electronic mail, occasionally with some ISPs, electronic mail will bounce back as undeliverable to the sender, but that's not automatic and it's not universal. A paper writing does not require special equipment to hold onto or retain. Consumer need only put a piece of paper in their drawer or a file or wherever they want, where it will stay until the consumer moves it. On the other hand, an electronic record can only be retained electronically. The consumer must continue to have access to a computer with the ability to retain the record. So if they retained it on a hard disk, they must be able to access it on the hard disk, or at least access to a computer with a printer to retain a printed -- to print out a printed copy of the electronic record. A paper writing is by its nature tangible, once handed to or mailed to a person, it won't go away. It won't -- nothing will happen to it unless the consumer does something to it. But an electronic record can be provided in a form which will disappear after a period of time to be determined by the provider of the record. 
For example, if the consumer is provided an important notice by the -- by an email with a web link, and the consumer doesn't access the web link within the expected period of days, the web link may no longer be available when the consumer goes to access it, unlike a piece of U.S. Mail, which will stay on the consumer's desk until they throw it away. The printed matter on a paper writing will not change every time someone looks at it, and a paper writing can later be used to -- in court to prove the contents of that writing. On the other hand, an electronic record can easily be provided in a format which is not retainable by the consumer. Many of us have had the experience of trying to retain or print out websites, and that's not always possible. But even if you can retain it, it will not necessarily have the same level of integrity or protection against inadvertent or deliberate change as a paper writing will have. The electronic record is not always preserved in a particularly locked format. Thank you. MS. NIELSON: Okay. Thank you, Margot. Our first question, then, to the panel members, what kind of software and other technology for obtaining consumer consent is out there? We've heard -- we've seen a demonstration from iLumin and from NewRiver and Selwood, they can chime in with more definition, or is there someone else who would like to make a comment on their particular product? MR. LAURIE: Thanks. I will put up my sign. I did want to mention that -- thank you. This is Michael Laurie from Silanis Technology. I wanted to mention that our company is also involved in providing software that is used for capturing consent, more specifically consent in the sense of somebody who is signing documents, and signing could be, you know, anything from a handwritten signature to whatever will provide that capability. 
So, our company has focused quite a bit over the past few years on understanding how those processes take place in the paper world, and making sure that the processes coming from the paper world can then be used in the electronic world as well. So, what we've found was with most of the people who use this type of technology is that being able to understand what they're doing at any given moment is crucial to achieving that capability. And probably I spent at least as crucial as security technology, which is often confused with the process of signing. So, Silanis has produced software that is capable of working in a number of different formats, some of which have been mentioned here, such as PDF, as well as word processing formats. And to some extent to also address the issues that were mentioned with regards to paper versus electronic, whereas a document can be maintained and its integrity can be maintained, as well as the consent that was provided as part of that document can also be maintained as part of that document. And that's something that we have been working on very hard to ensure that we recognize that paper is a very difficult technology to beat. It's -- you can take it out and use it whenever you need to, it never runs out of power, it doesn't crash on you or whatever, so it works all the time. Being able to replicate that in the electronic world is a real challenge, and something that to some extent our company has achieved so far. It's not perfect, but then neither is paper, as we have discovered. So, that's what I wanted to at least mention as a starter to this session. MS. NIELSON: Okay, thank you, Michael. Is it Tom? MR. WELLS: Hi, Tom Wells at b4bpartner, and we, too, have an electronic signature consent process, with a little different spin. 
We sign HTML or XHTML or dynamic HTML documents, depending on the type of data, by placing information on the document itself, the name of the consumer, a date and time stamp and document signature ID, because we think it's important, like Michael mentioned earlier, that in the electronic signature world, it closely mimics the physical world, so that the consumer has a document that has some indication that the document has been signed. And where we go a step further is, we've integrated that with a web vault product for the consumer that's stored at the institution's website, to date and time stamp the document so that the consumer can always dial back into the Internet and through an authentication process, look at his document. Similar to what E*Trade is doing with their file cabinet system, except with more functionality, you're able to fax in and you're able to multiple -- have multiple party signings within the web vault. But I wanted to get to Margot's point. I live in south Florida, and when Hurricane Andrew hits, documents do not stay on the desktop. They fly everywhere. And understanding that, I think that the electronic -- certainly you mentioned all the favorable things about paper versus electronic, but there are some benefits about electronic versus paper. One of which is if your house is destroyed, your electronic records are not destroyed. Another one is accessibility. I believe, Margot, that the initial consumers are going to be -- are not going to be your typical clients, they're going to be high net worth individuals who travel often. It's a new technology. They have to have the capacity and the Digital Divide indicates that maybe some of your consumers may not have access immediately. So, accessibility, for people to be able to receive their records wherever they are, any time, anywhere. 
The third thing is the ability to share documents, and to clearly collaborate with third parties is an important feature, because when you have a piece of paper, then I need to either mail it to my attorney or fax it to my attorney and if I have to fax it, then it requires me to be concerned who is at the other end of that fax line, and it may be a secretary, and not the attorney. And then finally, the last thing is that I practiced estate planning law for 12 years, and when people die, the surviving spouse can't always remember where all those records are, and so probate estates may just continue on and on, which is not a bad thing for an estate planning attorney, but for the consumer, it's not the best thing. So, an electronic document aggregation tool can really solve a lot of the problems we have right now in the paper world. MS. NIELSON: Thank you, Tom. Let's go with Jane, and then Virginia. MS. WINN: Hello, my name is Jane Winn, I teach at SMU Law School in Dallas, Texas. I was going to say, and I live in Texas, where we've learned that when tornados hit buildings, they pull the papers out. What I think is interesting is who has chosen to participate in this public process, and who's absent. I don't notice any standard developing organizations here, and I think that you can't talk about consumer protection in electronic commerce without thinking about the role of standard developing organizations. Many of the problems that people are addressing in using existing technologies to mediate contract processes, as far as I can tell, arise from the fact that most of the products that we're working with right now were developed for the publishing industry. PDF is about brochures, HTML is about document mark-up. These technical standards were not developed with transaction processing in mind. 
Right now, today, while we're having this meeting, there are standard developing organizations around the world working on the next generation of electronic commerce technology, which will explicitly address transaction processing in contract formation. And if those people aren't present in the room today, it's not clear to me that consumer interests can be adequately protected. What I would suggest is that if we define the debate in terms of finding an equivalent to a writing, we're going to continuously miss the emerging issues in consumer protection. I think that what we've seen in a lot of arenas is that open public standards for technology are an important form of consumer protection, and all of these vendors here today with their fine products would be on a level playing field competing for consumer acceptance if there was a workable framework of open public standards. I personally would prefer not to do electronic commerce in a world where the standards are owned by organizations that have their headquarters in western states. Since law professors get into trouble for demeaning multinational corporations, I'm avoiding identifying specific organizations. So, what I would say is that the issue on the table can be thought of as contract formation processes generally, and I think that notwithstanding the fact that many of these product vendors who come here today have fine products, what the consumer's interest is, is in making sure that the standard developing organizations take account of consumer interests and remain accountable. MS. NIELSON: Okay, thank you, Jane. Virginia? MS. GOBATS: First I have to answer who's out there. Who's out there providing consent or thinking about servicing this issue of consent. 
Certainly the financial services space, where NewRiver practices, each of those, each of the organizations, all of the silos, insurance, banking, mutual funds, variable annuities, back in insurance again, and all the people who are in the electronic commerce world already are working on their own consent process. Legacy systems add a little piece of a routine, a technical routine, to the methodology they already use to deliver the electronic information about people's accounts, or people's financial portfolios. They already have PINs in place or secure environments in place. So, the people who are working are the insiders in financial industry, are working on something that just expands a process that's already in place by adding another method of communication. So, I think they are there developing their own services, or they are using an outsource or many outsources in combination, like the people who are here. That's who's there. To address Margot's issue on the subject of just reliability, you know, will that web link still be there, each time the notification that a document is available for electronic viewing is sent, a new hyperlink is sent. Now, I don't know if every organization does that, but certainly the ones I'm familiar with do that, send an email notification that your documents are ready for viewing, with a hyperlink in it to a secure site, a scalable secure site. MS. SAUNDERS: And how long does that remain on the web? MS. GOBATS: It isn't on the web, it's at a secure site that you are sent to. So, we're not in the HTTPS world. MS. SAUNDERS: Isn't there a limited amount of time that it stays there? MS. GOBATS: Yes, but it's regulated. Under financial services, there are rules about how long you have to keep the records available. So, I mean, you can call today and ask your mutual fund firm that you're doing business with to give you a statement from ten years ago and they will produce it, in paper. 
So, the question is whether they'll charge you or not, you know, it's too long, but there's a staging process, as when it's available in the site, at the secure site, for immediate access. When it's available for, you know, within 48 hours, when it's available within two days, or when it's available in a week, and by mail. So, the industry has addressed that issue of how long it's retained, and certainly in the mutual fund industry where service has been a theme, for a long time, and good service, the clients are aware of the fact that they can get old records in paper, and they are now being told that they can get those old records electronically. So, I think at least an attempt has been made to satisfy that caution. And then the nexus on being able to reproduce the record. Certainly the people that we are working with already have in place or are developing the methods of keeping the template that was used on the date that the document was delivered. So that if somebody wants an old document, the date of the delivery of that document is in the records, and the template that was used on that date is. So, essentially, the document is reconstructed on the fly, and it will look just like it looked then. And there are demonstrations of that. It's in -- it's alive and well at the moment. And then the last thing is that I think that from the point of view of all of the users, you know, across the broad spectrum of people who are technology conversant and those who are not, we're thinking at our firm, at NewRiver, that the process is really educate, educate people about what electronic delivery is about, then solicit their consent or solicit their -- or ask them if they're interested and if this is appropriate for them. It's not appropriate for everybody, just like automatic voice response is not appropriate for everybody, then collect it from them, and then maintain those records, and provide service, using those records of consent or I like to say preference. 
I prefer to get these kinds of documents electronically, and tell them that at any time, you can also get this in paper. If I need one, if I'm getting a divorce, and I need pieces of paper, I'm going to be able to get the paper, and I can turn off and turn on my choice at any time. I can consent to electronic delivery for three months, decide I really don't like it, then consent again, go back and forth, back and forth, consent and revoke. And in all of the screens, in these screens that I showed you, and in most of the screens that I've seen from our clients, that is right up front. One last thing, I'll give up my air time. Yes, there is a cost to electronic delivery, and it is the cost of the phone connection or the cost from your ISP, and that, we are obligated to tell people up front. So -- MS. NIELSON: Okay. Thank you, Virginia. Thomas, and then Bill's going to talk a little bit about the standards question that Jane brought up. MR. GRECO: Okay, very quickly, because I think there's a lot of other issues that we can get to here that's a more profitable use of folks' time. My name is Tom Greco, I'm with the Digital Signature Trust Company, a particular type of provider of electronic signatures, digital certificates and digital signature technology. I think Virginia makes a very good point. There are going to be a number of applications that we're going to be attacking with this electronic technology. Some will merit the use of certain technology, some will not merit the use of certain technology. This is going to be a marketplace decision, businesses will offer up more or less complicated technologies depending on the merits. The use of an electronic process to do a home mortgage, for example, probably entails certain technology requirements and document storage, document integrity, retrieval of records. 
That's not necessarily the same for the run of the mill consumer electronic purchase, and we need to recognize that and certainly when we write new laws, for example, ESIGN, not try to make one size fit all. Not all electronic transactions are going to require PKI technology, but PKI technology works very well for certain types of applications. Margot raises the document integrity issue. That's one that PKI can solve. There are solutions out there that encompass long-term document storage, in terms of being able to provide a document 30 years from now, that was the same document or looks the same that the consumer signed today. These are the processes that are actually being worked out today. There are folks out there designing business processes to take advantage of electronics. That is coming. Notwithstanding Jane's comment that it might be appropriate to have standard-based bodies doing a lot of this work. The fact of the matter is that standards-based bodies take quite some time to develop. There are loads of standards right now that people are writing technology solutions to. PKI standards exist, for example, XML standards exist. They're out there, they're being attacked, and the users are applying those processes. So, I think there's a lot of things happening right now to move towards a more fundamental fully developed electronic commerce world, and we'll see, back to the point of I think why we're here today, what is it that, you know, FTC and Commerce should be telling Congress in their report. Well, one of my points is that I think that we're at the very beginning stages of being able to answer some of the questions, what do businesses need, what do consumers need to make this kind of thing happen. And I think, you know, frankly, six months into it, we're willfully, you know, have a lack of knowledge of exactly what these processes should look like. 
I think this is a law that we can work with today, and as we gain more knowledge about what the, you know, hurdles are being presented by things like consumer consent, we'll have a better ability to tell, you know, Congress, for example, here's what we're finding, here's what businesses are finding, here's what consumers have been finding, these are the tweaks that are necessary. MS. NIELSON: Thanks, Tom. MR. BURR: Well, I'm Bill Burr from the National Institute of Standards and Technology. I would like to say that we at least occasionally do develop standards. We do work on them. And to some at least, in the area of digital signatures. And as Tom pointed out, there's really quite a lot of standards activity there. What I have been struck by all of this is that when I first saw the ESIGN Act, I was a little bit shocked in a way. If you contrast what we're doing in the U.S. with, say, the European Union Directive on Electronic Signatures and what's come out of that, with that or the German digital signature law and so on, they tend to favor what I would call a fairly heavyweight rigorous system of signatures, and I take the ESIGN bill to be very different than that, and in essence to say something along the lines of you don't have to do everything in a really heavy way, truly cryptographically rigorous fashion that will let the marketplace decide more and perhaps evolve. Technologies that are appropriate and meet business needs, and they don't necessarily have to be truly from the cryptographer's point of view rigorous or strong. Now, PKI, I think, is the strong technology. I think I read a paper of Jane's recently that was somewhat skeptical of the success of PKI, but it does, I believe, offer a way to do very rigorous heavyweight kinds of protections that will ensure integrity and who signed it and a lot of other things. 
From Margot's point of view, I don't think that broadly imposing that on everything will help the poor, the downtrodden, the people who are not technology adroit at all, it will make it much worse for them. They will have a lot more to overcome to participate. So, you know, you have to strike some sort of a balance here. There are lots of standards. I think as Tom pointed out, standards is a painful and tedious process, and we have a law, and people want to do business, and I think we're going to have to improvise, but I suppose we could have somebody here from the W3C, I think a couple of the companies here probably participate in that. But I don't know, you know, we're going to have to live with it as far as I see and do the best we can. MS. NIELSON: Okay. Thanks, Bill. Margot and then Jim. MS. SAUNDERS: I have a couple of points. One, despite what I may seem, I'm not a troglodyte, I am not against e-commerce, I use it myself all the time, I think that it is a wonderful resource. I think that it will significantly help low income communities and low income people in particular, it will widen their choices and widen their marketplaces and I think it's terrific. But my function here today is to continue to remind everyone else that the whole world is not yet online and the difference is based between poor people and those who are online. I want to quote the Department of Commerce's statistics to you all, just again to set the stage that I think, Tom, you said that your product is going to not go -- it's not designed for my clients, it's designed for much wealthier folks, and -- MR. WELLS: Well, maybe not, I say that it would be a mistake to try and appease all the clients all of the time initially. MS. SAUNDERS: I completely agree. 
I'm just trying to -- as you all may notice, I'm only one up here, so I don't mean to be the one talking all the time, but according to the Department of Commerce's recent report on the Digital Divide, 45 percent of this country is online, but only 35 percent of the households have access from their home, and the balance of those -- so, we are talking about ongoing easy access to information for 35 percent of the population. While the remaining 10 percent between 35 and 45 percent who are online and 35 who have access at their home, a majority of those folks access the Internet from their work, which is not always a favorite thing to do for personal information. And another large percentage access it at public access points such as public libraries and schools. Or someone else's computers. But again, I want to remind us, remind everybody, if we were simply designing a system for communication that was solely online, the concerns that we continue to articulate would not be a problem. So that when a consumer was standing in a room, if we had a difference -- if there would be no problem about providing that consumer standing in the room with paper disclosures, we wouldn't need this electronic consent issue. If there would be no problem about the consumer who consented to receive online disclosures, and then six months or two years later had a financial reverse due to sickness or loss of job or something, and suddenly lost their access to the Internet, we wouldn't have as much -- and if that consumer could then easily go offline and say I want everything on paper because I don't have easy access any longer, we wouldn't have the same degree of concern. So, it's, again, it's the interplay between the physical world and the real world, and the electronic world that I'm most concerned with. I do want to take one second to respond to a couple of the demonstrations, by Dr. Brown specifically. 
He said that you could click on a button that said I am consenting to receive electronic records that I access using a certain technology, and I don't believe that unless the technology is used to actually consent, that that satisfies the law's requirement to electronically consent, quote, "in a manner" which reasonably demonstrates the consumer's capacity to access. So, and that wasn't clear from the demonstration. Also, another example provided was that a truck driver could be read a bill of lading over a wireless telephone. I don't know off the top of my head whether a bill of lading has an underlying state law requirement that it be in writing. But if it does, it may satisfy some requirement, but it does not -- that delivery of that bill of lading does not satisfy the requirement in 101(E), which is that if a writing is required, it must be provided in a manner -- it may be denied if it's not provided in a form that's capable of being retained, and how in the world would that wireless -- would that consumer, would that -- whether or not he's a consumer, would that truck driver be able to retain an oral communication of that bill of lading. Thank you. MS. NIELSON: Okay, I have Jim, and then Mark and then Bruce. MR. BRANDT: Thank you. I'm Jim Brandt with VeriSign, and VeriSign provides industry-leading technology to support secure electronic commerce in communication, specifically through the use of digital certificates and underlying public infrastructure, which, in fact, provides the security services that the ESIGN Act and also the government corollary JAPEA Act contemplates. That is to be able to identify specifically who is you're communicating, that is identification, over the web in electronic communication to protect the communications, to provide integrity to that information, and perhaps the privacy of the information as well. 
These technologies through standards of bodies working with Bill and others, internationally have developed and integrated this kind of technology within all of the technologies we've talked about here in terms of standard protocols, supporting secure mail, web interfaces, even secure form technology, as well as transactions associated with XML and others that are evolving. Now, in terms of its usage, I think although it's hard to define a ubiquitous standard, I think it's fair to say that within business, within business today, PKI is effectively the de facto standard for providing security for e-commerce transactions, and is becoming so within the Federal Government as well. I think what we find is that again, in terms of utility, there are enabling programs in driving the use of this kind of technology to provide the level of service that not only business but government is requiring, and is being required by their constituents, in terms of either trading partners wanting to have more convenience or more open access for more information, more timeliness, lower costs of operations, et cetera. So, there are real driving reasons why this technology is being enabled within government and industry today. I think it's fair to say that to date, that probably has not evolved into the commercial market, and I would submit probably because there is not enabling applications to drive it there. In terms of motivation by a consumer or other one to take advantage of this technology to become more familiar with it, and to reap some of the benefits that the technology can provide. I think there is, however, opportunities for the technology if some of the vendors here today, including VeriSign, to assist in that education and discovery and communication process that exists today. 
We, for example, have an opportunity for a consumer to come to VeriSign website and to request for a digital certificate to be able to explore the technologies in terms of email and communications, et cetera, on a trial basis. And this technology, of course, can go a long way, and this opportunity can go a long way to bridging that educational gap that we've talked about. I think in terms of the use, certainly, I think it's correct that not everybody today is connected, not everybody has a computer; however, this technology, it supports the ability for shared communication platforms, and provides the ability through a number of more recent developments in the industry to provide secure communications for individuals at shared resources such as at a kiosk or in a library computer, et cetera, where the benefits can be expanded beyond just the household. MS. NIELSON: Okay, thank you, Jim. Mark, did you change your mind? MR. MacCARTHY: Oh, I'm sorry, no, I was anticipating. MS. NIELSON: Okay, go ahead. MR. MacCARTHY: Since people tend to leave them up, I tend to put mine down before I get called on. I think this has been a very fruitful discussion and I want to take the opportunity again to thank the Federal Trade Commission and NTIA for hosting this workshop. Having lived through both UETA and ESIGN, I found the discussion this morning very sophisticated and a very useful discussion for understanding from a variety of perspectives some of the nuances and the issues that we're still all trying to grapple with as this, I think, landmark bill gets implemented and dealt with in a variety of contexts. Having listened to part of the discussion, the technology discussion so far this morning, I want to address my comments coming back to the purpose of the workshop and the report, trying to give you our association's views, which include about a thousand companies who develop code and content for the Internet, for business, for end user consumers and for education. 
And I want to leave you with three points, some of which echo some of the earlier comments. The first is it's important to recall that ESIGN, it was meant to be a technology neutral bill. And underlying part of that technology neutrality was actually an element of protecting consumers from being held hostage to particular technologies and the legal implications of those. And so I think it's very important to remember that part of the technology neutrality is, in fact, a way of lessening the burden on consumers, rather than burdening them with specific obligations if a technology is used and therefore the law says that means X, Y or Z. I think what we've heard today is a variety of environments in which, depending on who the end users are, what the environment is, which includes legal obligations where writings may be required, that there will be adapted for those sectors the appropriate technologies that facilitate, pick a transaction, determine whether consent has occurred, which may not be a technological issue, I want to point out, and which provide the written background, other collateral information that is relevant to the transaction. And I think it's very important to understand that it will not be a one size fits all when it comes to this issue. Part of the discussion this morning, I think, I think what we've heard are that there are different levels of s |