Getting your Trinity Audio player ready...
|
Possession of digital keys or electronic signatures does not prove identity. We need to keep stating this simple fact until everyone understands what it means. Failing to understand this fact is dangerous, as more and more of our daily existence moves into the electronic realm. Identity, no matter what digital form we use to verify it, will always need to be backed up by something else in the “real world.”
There is another fact running alongside this one: possession does not equal ownership. That one’s easier to understand—if I steal your car, I possess it. Until I’m caught I can do as I please with it. But you are still the owner, and are entitled to have your property returned. I could steal your wallet, taking possession of your driver’s license and all your cards. I could go on a shopping spree with your credit cards, maybe even use your ID if I can fool people into believing that’s me in the photo. But I’m not the owner of that money, or ID. Most importantly, I’m not you.
This is all common sense to anyone who thinks about it for more than a few seconds. The problem is that many people don’t, and there are plenty of bad actors out there, ready to fill that empty space with misinformation.
Take this popular slogan from the “cryptocurrency” world as an example: “Not your keys, not your coins.” This assumes that if someone else is able to steal your digital assets, they’re not yours anymore. On the surface, sure, someone else has your money and can spend it. But are they really not yours anymore? That shouldn’t be the end of it.
Now imagine it wasn’t just a few coins in a digital currency wallet living on those blockchain keys, but your ID, the title to your house, the ownership of your business and that business’s property, your health, and your life history. Sorry, someone else has your keys and none of this is yours anymore. Could society really function this way?
It’s usually easier to prove legal ownership of something. There are documents stored elsewhere, records of purchase or sale, and banking records. But you’ll still need to prove you are who you say you are… somehow.
But how? This has been the premise of several suspense thrillers—the protagonist is alone in a strange city, and someone else has assumed his identity. He has no backup documents and needs to quickly find people who can attest that he is the true individual behind that identity before it’s too late. In reality, the plotline would probably be more mundane than the movie’s but just as frightening to the person targeted. For a real-life example of this, read the story of notorious mortgage scammer Matthew Cox, who made millions by stealing others’ identities and creating fake ones, and then consider how the ability to use a digital key or electronic signature can make this easier.
Likewise, if you’re doing business with someone then you need to know they are who they claim to be. A potential partner has “guaranteed” her identity with digital keys showing possession of valuable real estate or IP. She signs the contract with an electronic signature. But does all this “prove” she’s the legitimate owner? No, it doesn’t.
Satoshi Nakamoto’s keys vs. true identity
Take the case of Dr. Craig Wright, who wanted to prove he was the real person behind Bitcoin creator Satoshi Nakamoto. Many demanded he “prove” this fact by signing a transaction and/or moving bitcoins from Satoshi’s wallets. To the chagrin of his supporters and mockery of his opponents, he refused to do so unless he’d first proven his case through documentation and witness testimonies.
As Dr. Wright stated under cross-examination, even if he demonstrated the ability to move bitcoins from Satoshi’s wallets, his enemies would simply accuse him of stealing the keys (ironically, going against their own “not your keys, not your coins” ethos).
In a 2020 blog post titled “Keys ≠ Identity,” Dr. Wright argued this point at length.
“You cannot attribute identity because of a key,” he wrote. “Advanced electronic signatures require that identity be verified and stored prior to the use of a key. They are not transferable.”
It’s not necessary for a digital signature itself to reference the name/identity of the individual, and digital signatures usually don’t. If this key exists on a hard drive, USB stick, or plastic card, someone who isn’t you could conceivably use it, even if you’re “careful.”
What does the law say about signatures and identity?
To check whether the conditions for electronic signatures to be legally binding are understood broadly across major jurisdictions, let’s ask Google the question, “What is required for an electronic signature to be valid?” and check a few of the top results.
“Intent: Similar to a wet signature, an electronic signature is only valid if the signer has the intent to sign. In terms of a digital signature, this refers to the intent of a person that a sound, symbol or process is applied to an electronic record in order to have enforceability or a legal effect.” (“What Makes an Electronic Signature Legally Binding?“)
“A signature on an electronic document is legal only if the document and clauses within are fully transparent and the signature is made with intent.” (“The 7 Requirements For Electronic Signatures to be Legally Binding“)
“A specific Envelope ID; The identity of the sender; The identity of the signer(s) of the documents.”
(“Are Electronic Signatures Legal?“)
Again, during his cross-examination as part of the 2024 COPA trial in England, Dr. Wright was asked if a business agreement bore his (physical, non-digital) signature. He answered that it did, although he had not physically signed it himself. This answer drew an incredulous response from COPA’s counsel, who appeared flabbergasted by the notion that a person would allow a third party to use his signature. Dr. Wright replied, as per the examples above, that he had provided documented consent to do so, leaving a trail linked to his known real-world identity and his intention to sign the agreement.
Is remote signing really so unusual?
U.S. Presidents have used a technique known as an “autopen” to sign official documents, probably since the Truman era, and acknowledged openly since the 1970s. Also known as the “robo-pen,” the devices for adding signatures to documents where the signer is not physically present were first patented in 1803.
In Japan, the finger-sized “hanko” stamp is the most common form of a physical signature rather than a name signed with a pen. It’s common for individuals to hand over their personal stamp to approved individuals to use on their behalf to sign legally binding official documents, business contracts, expenditure approvals, etc. A company or section manager might give it to their assistant, and ordinary people hand it to their spouses or other relatives.
Knowing this, it’s easier to understand why a signer’s intent (and identity) and real-world identity are so important. Imagine standing in a room, watching a machine “sign” an essential piece of legislation (or give consent to a military action) while knowing the president is physically on the other side of the world. Do we know the president intended to sign it? Can we guarantee it was really the president who initiated the process? In the case of a world leader, questions of identity and intent are easier to answer, and there are likely plenty of witnesses at both ends. But what about private individuals, or developers working alone at 4 a.m.?
The same conditions apply to any form of signature, e.g., physical signing with a pen, electronic facsimile of this signature using an image file, or using a cryptographic key. Even when not stated explicitly, we understand that a person’s identity must be known and accepted to prove their intent. Having or using the signature (or stamp or key) of someone who is not yourself is convincing to an extent, but it doesn’t allow you to claim the identity of its original owner.
Granting permission for a third party to use your signature can be a formal or informal action, depending on the jurisdiction. But even in places where it’s strict, disputes can still arise.
The world is heading for a huge mess if the digital-keys-as-identity notion gains mass acceptance. Whether you believe Dr. Wright’s claim to have been Satoshi Nakamoto or not, the point behind his identity argument is still true. The digital society will fall into dysfunction if we can’t prove who we’re doing business with or if we’re not protected from bad actors stealing our own identities. Whether you’re the president signing with a remote pen or an ordinary person taking out a loan, your real-world identity (and the need for people in the real world to back you up) is essential.