Replying to waxwing

Many years ago I had reason to mull over in great detail the question of "why don't banks and government institutions use digital signatures?" (there are many scenarios where this would make processes vastly more easy for users, for the banks themselves, while at the same time making processes more secure. And the common reason for explaining why digital signatures are not used "it's too complex to keep up with key management" only makes sense applied to *users* - banks and similar institutions can easily handle that).

It was interesting to hear people's responses to this question. For example, Mike Hearn basically brushed it off with "they're just dumb" or some flavor thereof, and also pointed out that a bank he had somewhere (California, Switzerland, I forget) actually did offer digital signing. I researched and found one bank in India that claimed to do it but didn't. By chance, a bank in Europe I was using, a year or two later, claimed to offer it *for the users*, and asked me to input my gpg key, which I did, but they never followed up with any functionality at all.

In retrospect I still think my original line of thinking was correct: it didn't pass the lawyers. The most crucial thing about modern digital signatures is their *transferability*. This means that once a bank signs something, like a statement of account, it can be spread anywhere and is guaranteed to be authentic. This is astoundingly useful *to the bank's clients* but to the bank itself it only represents a liability if they get caught equivocating somehow. Notice how signatures would be useful to the bank at the level of actual transactions (e.g. SWIFT transfers with their peers), but clients are not in the position of actually *transacting* at an equal level; they're just creditors. It's a little like a recent experience of cancelling a UK phone contract: I went through a phone process to cancel it then got charged a bill again; feeling irate, I wanted an email so I could have a record of the conversation I had with their customer service; but they don't offer any email address at all. Only phone or ephemeral chat windows. Same basic thing.

I don't think that's correct, they could just include some wording in everything they sign saying it could be incorrect.

It's laziness or something not on our radar.


Discussion

Good point. My counter is: not only might that make the documents signed fail to fulfil the intended function, e.g. convincing a govt agency that you have income, but more fundamentally, lawyers would know better than I that a signed statement that happens to have small print that says "lol, jk, maybe this isn't true" might not hold up in a court of law. I have a vague feeling there's precedent for that kind of thing.

Don't they have liability with any report they make to the gov, regardless of digital sig? And I would think they include wording like that already to protect themselves.

Really good point. I remember checking that - they do, indeed, in many cases, have absolutely outrageous legal wording obviating themselves of *any* responsibility with respect to statements of account; and about my "lol, jk" comment on fine print - *maybe* these cover-our-ass clauses don't hold up, or maybe they do - this is the IANAL part. On your first Q I think we're looking at it from slightly different frames: what I'm saying is that *if* they did it differently (actually non-repudiable signed statements) a lot of processes would be far more efficient/effective. Currently, they don't, so the kinds of things I'm imagining are not "reported to the govt.", just instead people take screenshots, printouts and send them to the govt. agency, which for me is much worse.