Why Does A Scrawl Still Exist in the 21st Century?

This was our first week in our new Blockpass ID Lab, and we have five new PhD students starting their work on trust, cryptography and identity. At the core of our focus is to build new worlds which are more trusted, and which can be scaled into a citizen/GDPR-focused 21st Century. So let’s have a look at the old world …

When my Amazon package arrives, I have now perfected the wavy line across the screen for signing for the package (my cosine wave signature), and the delivery person takes one look at it, and smiles, and leaves. I have even given up on trying to write my name, so I often just do a straight line. Other times I will draw a saw tooth signature, but most of the time it’s a straight line. No-one ever checks your signature these days!

So what’s the point of me signing for my Amazon package? That a human received the package? If UPS asked me if it was my signature, I would say “No!”, but I’d say, “I did add a straight line there”:

So I have just been signing off on some legal aspects for one of our spin-outs, and I really can’t believe that, in the 21st Century, something like this is seen as something that can be trusted:

You can see I make a great effort on the “W” (for William), but I just lose it after that.

I still cannot understand how it is credible that I sign the last page of a legal document, which has a staple in it, and where other pages can easily be inserted or changed. So to overcome this I get asked to initial each page … Doh!

The credibility of signatures, especially when these days you just take a photo, is almost zero. Anyone has the ability to capture a hi-res image and then integrate it into any document. Why can’t we have trusted methods that we could use as our most credible authentication methods? As a crypto Prof, I just can’t understand why we can’t have something that, at least, proves my identity, and that only I can verify.

And when was the last time that someone checked your signature on your bank card? Why is it still there?

I worry even more, as I get asked to send PDF documents with my wet signature inserted as a GIF file. What crazy world is that? It has ZERO credibility. As you can see here — in a Tweet — my signature is known:

A changing world …

I have heard from so many speakers, in the conclusions to their talks, that the answer to many of the problems in computer security is the use of multi-factor (MF) authentication. But it is still lacking on most systems, and virtually no companies provide ways for users to actually choose the devices and methods that they trust.

In a GDPR world, these areas will go to the top of the list for the design of any IT system. The major barriers are thus to build systems which have strong digital trust (rights and identities) along with human trust (useful services and strong governance). The best cryptography in the world won’t help, if users do not actually understand how it increases the levels of trust that they can have with their interaction with on-line services.

And so our governments and the legal industry set up small pilots, and move things on at the same old pace as we have in the past. But the transformation needs to work at a massive scale, and where wet signatures are deprecated as the main trusted factor in a transaction.

Conclusions

I can’t believe the way that wet signatures are used these days. No-one ever checks them, and they are now integrated into electronic documents. We often have to submit a research proposal with a signature integrated into the document, for which we just take a JPEG of the signature and integrate it. What has happened to proper crypto signatures? If it works in the Bitcoin world, where I sign with my private key, why not in the real world? And … crypto key pairs still hold risks (ask anyone who has had their bitcoins stolen), so why can’t we have proper biometric methods of authentication for high-risk transactions, and can we have a bit of control, please?

What about trust?

As we become more dependent on the Cloud, we can never be 100% sure that everything is correct and as it should be. This might relate to receiving an email from someone who says that they know you, but how can you tell if the person is genuine? The email address looks fine, but the email content does not have the same writing style as the person who normally writes from that email address.

Unfortunately there is very little that we can do, at present, to determine if this is genuine, but things are changing, and it is trust that is becoming the key element of how we interact with the Web.

Bruce Schneier highlights this, arguing that we are entering a new phase, and states that:

“Trust and cooperation are the first problems we had to solve before we could become a social species. In the 21st century, they have become the most important problems we need to solve — again. Our global society has become so large and complex that our traditional trust mechanisms no longer work.”

So, he highlights that our traditional methods of trust, such as wet signatures, no longer work.

Postscript

And here’s a bit of fun from miiCard:

Want to be part of the debate? Then come along to the Edinburgh Meetup on Blockchain on 17 October 2018: