You "sign" an e-mail using software which creates what's known as a "digital signature." A "digital signature" is an encrypted (i.e., encoded as in 007-James Bond, C.I.A. stuff) piece of data added to an electronic message such as an e-mail. It can serve the same functions as a traditional penned signature and more.
What a digital signature is not is a scanned picture of a John Hancock. It's not "/s/ Mark Grossman." Rather, it looks like an unintelligible string of alphanumeric characters.
A typical agreement by e-mail might look like:
Pete: I hereby accept your offer to sell me
100 widgets for $500.
Sincerely, Mark Grossman.
No, I'm not crazy. That's truly what a digital signature looks like. It takes specially designed software to both create it and verify its authenticity.
Digital signatures require the use of secret passwords (or keys) and encryption. Understanding them requires an elementary understanding of a few cryptology concepts. (Buckle your seatbelt. I will keep it as simple as possible, but this part will still take more than one read to understand if you've never been exposed to these concepts before.)
When we were kids, we all played games with passwords. We decided that the password was "pizza" and that nobody entered the clubhouse unless they knew the password. For the game to work, the people on both sides of the clubhouse door had to know that the password was "pizza." This game is an example of a single password system. (When discussing encryption, a password is commonly called a "key").
With a single key (or password) encryption system, I encode my message with the word "pizza." Once encoded, the message becomes an unintelligible string of seemingly random characters. The message cannot be read until you decode it with "pizza." This simple single key encryption method has problems.
For example, let's say that I'm in Washington and you're in the American Embassy in Moscow. If we want to share secret information using a single key encryption system, I need a secure way to tell you the password. Barring that, we would have no way of sharing encrypted messages. Encryption doesn't work well if the Russians intercept my telephone call telling you the password.
Dual key encryption solves this dilemma. With a dual key system, I encode the message directed to you with your "public key." This is a key or password that you reveal to the entire world. You tell the world (and even the Russians) that if anybody wants to send you a confidential message, they should encrypt it using the public key "pizza." Your public key is absolutely not a secret. You want the public to know it so that they can send you encrypted messages.
When you receive the message, you do NOT decode it using the word "pizza." In fact, the word "pizza" cannot decode it. "Pizza" only works to encode, not decode. You decode with a secret key or password that only you know.
This dual key system solves the problem of sending a secure message to the embassy in Moscow. Washington encodes the message with the public key which the entire world can know. Only you can decode it using a secret key which only you know. Nobody else should ever know your secret key.
Great, you say. Now you can receive and read encoded e-mails (and play more sophisticated games in that clubhouse), but what does that have to do with a digital signature? The answer is that a digital signature is essentially a reversal of the process.
If I want to "sign" the e-mail which I encrypted using your public key, I create the digital signature with my private key (the key that only I know). If you want to verify that I truly sent the message or prove that I signed or assented to the message, you try to decode the "signature" with my public key. My public key will only decode the "signature" properly if I encoded it with my secret key and it has not been altered since I sent the message.
This second requirement, "not been altered since I sent the message," is what makes a digital signature superior to a traditional penned signature. Digital signatures verify the sender and the integrity of the contents. If anyone has altered the contents of the message, the software knows that it's not the document I signed. With paper documents, an alteration could be as easy as removing the staple and replacing a page, which can be difficult to detect.
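The dual-key encryption just described, and the "reversal of the process" that turns it into a signature, can be shown end to end in a few lines of code. The example below is added for this page and is not code from the article or from any signing product; it uses only the Python standard library and a deliberately small, textbook form of RSA (no padding, random 512-bit keys) so that each step stays visible. The key sizes, the sample messages (the widget agreement and an embassy note) and the "impostor" key are all constructed for the demonstration; real mail-signing software uses standardised padding and vetted libraries rather than this toy.

```python
import hashlib
import math
import secrets

PUBLIC_EXPONENT = 65537  # public exponent for the toy key generator


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, sufficient for a teaching example."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness proved n composite
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so the modulus has full size."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)): the public key the whole world may know,
    and the private key that only its owner ever holds."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if math.gcd(PUBLIC_EXPONENT, phi) != 1:
            continue
        return (n, PUBLIC_EXPONENT), (n, pow(PUBLIC_EXPONENT, -1, phi))


def encrypt(public_key, message: bytes) -> int:
    """Anyone encodes a confidential message with the recipient's PUBLIC key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the holder of the matching PRIVATE key can decode it."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> int:
    """Signing reverses the process: the sender encodes with the PRIVATE key.
    Like real systems, this signs a fixed-size hash of the message."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)  # digest < 2**256 < n, so it fits the modulus


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone decodes the signature with the sender's PUBLIC key and compares
    it with a fresh hash of the message actually received."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


# Constructed sample messages for the demonstration (not the article's own).
AGREEMENT = (b"Pete: I hereby accept your offer to sell me 100 widgets for $500. "
             b"Sincerely, Mark Grossman.")
SECRET_NOTE = b"Meet at the embassy at noon."


def demo() -> dict:
    """Confidentiality, a genuine signature, a tampered page, and a forgery."""
    mark_public, mark_private = generate_keypair()
    impostor_public, impostor_private = generate_keypair()  # hypothetical third party
    ciphertext = encrypt(mark_public, SECRET_NOTE)        # Washington -> Moscow
    signature = sign(mark_private, AGREEMENT)             # Mark signs the deal
    tampered = AGREEMENT.replace(b"$500", b"$5")          # "swap a page" after signing
    forged = sign(impostor_private, AGREEMENT)            # signed with the wrong key
    return {
        "decrypted_ok": decrypt(mark_private, ciphertext) == SECRET_NOTE,
        "genuine_verifies": verify(mark_public, AGREEMENT, signature),
        "tampered_verifies": verify(mark_public, tampered, signature),
        "wrong_key_verifies": verify(impostor_public, AGREEMENT, signature),
        "forgery_verifies": verify(mark_public, AGREEMENT, forged),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running `demo()` shows the two properties the article names: the genuine signature verifies under Mark's public key, while the same signature fails as soon as a single figure in the agreement is changed (integrity), and it also fails under anyone else's public key, just as a signature produced with someone else's private key fails under Mark's (sender verification). Signing the SHA-256 digest rather than the raw text is what lets a signature of fixed size cover a message of any length.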
Uncertainty Slows Down the Growth of Electronic Commerce
So, you can sign an electronic contract with a digital signature. But is the contract legal and binding?
Unfortunately, there is some uncertainty in this area and this uncertainty hinders the growth of electronic commerce.
One problem is the law. This is a recurring theme in Cyber Law. The law always develops behind new technologies. So, while it's apparent that a signed paper can create a contract, it's only by careful analysis and through analogies that you can reach the same conclusion about a contract by e-mail.
Although it's clear to those who are familiar with cyberspace that the jumps from paper to electronic mail, and from pen to digital signature, are truly minor ones, until the legislatures and courts unequivocally reach this conclusion, there is some element of uncertainty. Uncertainty and large contracts don't mix well together unless you live to create stress for yourself.
A recent Georgia case illustrates the need for a cautious approach in adopting new technologies to create legally binding agreements. There, the judge ruled that a fax could not be a "writing" because a fax is only a series of beeps and chirps. Go figure.
This ruling is clearly a bad one. I suspect that this judge also thinks that the automobile is a passing fad. Nonetheless, where there is legal uncertainty, there is a greater possibility of bizarre rulings.
Until digital signature law is crystal clear, I think that you have to balance your risk against your potential gain.
If you can obtain a traditional signature on a significant contract, you should. Nonetheless, and despite the "beeps and chirps" ruling in Georgia, I strongly believe that a digital signature will carry the day in a court battle.
Certainly, if the practical realities of your business require you to accept a digital signature on an agreement, I say go for it. A digitally signed e-mail is better than a completely unverified e-mail. I think it's also better than a faxed signature since you can't really verify a faxed signature.