May 2, 2000



Ms. Josephine Scarlett
Office of the Chief Counsel
National Telecommunications and Information Administration
United States Department of Commerce
Washington, DC 20230


Dear Ms. Scarlett:


We are writing to express our concern about the privacy issues raised by the Electronic Signatures in Global and National Commerce Act ("ESIGN"), Pub. L. No. 106-229, 114 Stat. 464. The Center for Democracy and Technology supports ESIGN's goal of facilitating completion of online contracts. However, implementation of ESIGN could raise significant privacy concerns. The law does not provide new privacy protections for the personal information that would be collected to authenticate the electronic documents, signatures and contracts anticipated by this Act. We believe that as the initial ESIGN implementations enter the market, it will be important to revisit the privacy considerations and establish rules to build privacy protections into the emerging technologies.

Privacy Concerns

The Electronic Signatures in Global and National Commerce Act, Pub. L. No. 106-229, 114 Stat. 464 (2000), was enacted to facilitate the use of electronic records and signatures in interstate or foreign commerce and to remove uncertainty about the validity of contracts entered into electronically. However, the Act raises the possibility that people may be forced to sacrifice their privacy if they wish to use electronic records and signatures to engage in commercial transactions.


ESIGN will facilitate the use of electronic signature systems that in many cases rely on commercial third parties to guarantee the signature.


In order to guarantee the identity of those using electronic signatures, third parties will need to collect detailed personal information. They may also be able to collect detailed information about how a person uses that electronic signature.


Current law does not protect the information collected by these third parties. They will be free to sell, distribute, or use this information as they please without a person's knowledge or consent. In addition, law enforcement may have access to this sensitive personal information with a mere request, without any judicial oversight, and without notice to the person.


For example, in order to enter into an electronic contract, a person might be required to use a cryptographic digital signature, based on a certificate they obtain from some commercial third party who guarantees their identity. The commercial party will need to collect detailed, personal registration information in order to verify the person's identity when the certificate is issued. In some systems, the commercial party might also know when and how the certificate is used, creating a rich storehouse of transactional information tracking the time and nature of a person's business transactions. If the person uses the certificate for many different applications, the commercial party could develop a detailed dossier of the person's activities online. Nothing in ESIGN prevents this commercial party from using or selling this private information, and nothing in the bill controls law enforcement access to this highly private record of a person's life, which was never before available in one place.


Further steps should be taken to directly address the privacy concerns. First, it is important that protections against misuse of data by third parties be provided. As noted above, privacy protections are needed to govern third parties so that sensitive personal information accumulated by these parties cannot be freely sold, disclosed, or used without permission.


Second, the widespread use of electronic signatures could create new storehouses of information about a person's identity, their interactions with the government, and possibly detailed records of their online activities in general. Such personal information has never been available to law enforcement or government agencies in a central location before, and creates new possibilities for intrusive surveillance and monitoring. Under current law, such information might be available to government agencies with a mere request, or with the weak privacy protections of a subpoena. Tougher standards more appropriate for this information, including probable cause, judicial oversight, and notice to the person whose information is disclosed, should be assured.


Conclusion


CDT supports ESIGN's goal of encouraging use of electronic records and signatures in domestic and international commerce and facilitating completion of online contracts. We believe that vision can be achieved without forcing people to compromise their privacy. We look forward to continuing our work with you and your staff to ensure that Americans take advantage of the Internet's power to facilitate commercial interaction online, and that they can do so with the necessary safeguards in place to protect their privacy and security.


Sincerely,
Paula J. Bruening
Staff Counsel
Center for Democracy & Technology
1634 I Street, NW
11th Floor
Washington, DC 20006
(202)637-9800