Hi Everyone,
I just read a beautiful article by Tony Klein in the NAPPS Docket Sheet and it brings to mind something many of you have asked me about.
Digital Signatures.
For some of you that want it, our product prints an image of the server’s signature on the proof of service. Printed properly, it is real hard to distinguish it from the original. Most of you that have asked me about it did not want that feature when I told you about some of the risks involved. I wouldn’t even have our product doing that at all save for the fact that my competitors do and have mislead agencies into thinking that that all they are doing is digital signatures so its fine.
I will continue to provide this service to all of our customers that want it – BUT – I want to publicly advise you against it and tell you about what you are really doing.
First, I want to tell you what a ‘digital signature’ really is. Pertaining to our profession, a ‘digital signature’ is XML that is wrapped around a document or other content that has a ‘digest’ that is encoded with a ‘private key’ and is decoded/validated with a ‘public key’. It is unalterable without detection. Once the digest is validated against the content of the document – any alteration throws a big red flag. You do need special software to validate digital signatures. Its not really hard, but its not widely in practice in our profession.
If you are taking an image of your server’s signature and dropping it on a proof of service or causing your software to do the same, then you are FORGING their name on it. I don’t know what else to call it. No matter how you rationalize it to try to cover your behind the truth is plain. You are in no way using a ‘digital signature’.
Second, You are also likely perpetuating a fraud upon the court when you file it because you KNOW that it is not an original signature. I know the clerks accept it. They’d accept Twinkies if you filed them – but good opposing counsel could crush your business and your reputation over that.
It is hard to get caught for this – but the stakes are high when you do. Maybe you have your servers sign an agreement – that doesn’t make pen touch paper, it means that you are leveraging your position as a provider of income to distress your server in agreeing to not sign his name to sworn statements so you can forge his signature on it faster and return it to your client faster. A disgruntled ex-employee could wreak havoc for you by calling your clients and could also seriously damage your credibility with the courts by bringing this to light. Then they could absolve themselves by saying that it was all under duress.
I even question if your E&O would cover a suit over this. If you are criminally forging someone’s name even with their knowledge/consent and/or knowingly misrepresenting facts to a court and are in a position to have known better (a process server is expected to know the laws pertaining to his profession) – then you might want to ask your insurance guy about this. You may have some risk exposure issues to consider.
I think if all of these points were lumped together by a good attorney/prosecutor they could be used to pierce your corporate shield (if you are incorporated) and come after you personally.
Remember also that you may have been rationalizing this practice to yourself for some time now and may think its ok since you have not been caught yet. Do not think that just because the clerk accepts it that it is ok. Judges do not rationalize the same way that you do. Some courts have no problem with an image of the signature and have posted court rules accepting that practice. In this area I would suggest that no signature took place unless pen touched that paper in the first place or it is a true digital signature via public/private key signing. A copy of an actual signature on that actual document is one thing – but a generic copy of a signature dropped on a document that never had pen touch paper in the first place may not be what the court had in mind when they said ‘image of a signature’.
Please be informed and careful. As your software provider we have a responsibility to give you what you want – and we will - but we also have a higher responsibility to keep you in business and looking good so you can be wildly successful and keep paying us!
Issues like this are the real reasons you should consider joining NAPPS if you not already a member. This national association may provide you some extra work as a benefit, but more importantly, it serves to guide you in what are the best practices for this industry and keep you informed about things that could wipe out your business or cost you a lot of money.
J
Thank you for your time reading this – I know I tend to ramble on sometimes,
Rob
"I am the author of the document"
"I have reviewed the document"
"I am approving the document"
"I attest to the accuracy and integrity of the document"
"I agree to the terms ... by the placement of my signature on the
document"
"I agree with specific portions of the document"
The "I attest ..." choice is probably the most appropriate, but it
doesn't seem to be specific enough.
Your explanation of a digital signature is brief, concise, and
unfortunately, beyond my comprehension. Would you explain it again
for the technically challenged?
Tony Klein
Process Server Institute
667 Folsom St., 2d Fl.
San Francisco, CA 94107
415/495-3850 http://psinstitute.com
Hi Tony... All the software vendors are doing that with the signatures. It
makes me sick because it is not the 'Digital Signature' that everyone is
calling it. You can thank our good friend xxxxxxxxxx and xxxxxx xxxxxxxxx
for pushing this stuff around and getting people to use it in place of
original signatures.
I'm pretty resentful about that because I am hearing people tell me that
xxxx is doing digital signatures and they want that from LoyalDog. When I
explain to them that a REAL digital signature still involves the server
physically reviewing the document and signing it in a computer program like
Adobe and using a digital identity that costs a couple of hundred dollars,
then I don't get that request again - but for a second there they are fooled
into thinking that our competitor is offering them something advanced that
we do not. This kind of misleading of people is very offensive to me. I feel
kind of powerless to do anything about it. If I go around naysaying xxxxxxx
all over the place then I just look like a jerk and that calls my
credibility into question.
Quite a few agencies are doing this. It is a growing problem that will one
day blow up in the faces of the same customers that demand it. Most of my
customers heeded my warnings and abandoned the idea. Some have not and
probably never will.
I am attaching 2 affs/declarations for you to check out. If my customers
didn't demand it so hard from me I would be ashamed for having done it. I
have, however, advised all of them against it. The one signed by xxxxxxxxx
is indiscernible from an original if printed on a high quality color laser
printer.
The digital signatures that you are self-signing from Adobe are not usually
accepted because it is a 'Level 1'.
Usually it is the Level 2s that are accepted because you set up your
certificate/digital identity with a trusted third party. With the Level 1
method you are currently using in Adobe, the Self-Signed Certificate is not
considered 'trusted' enough. See the Washington rules for digital
signatures. You can do a level 2 with Adobe when you get the right
certificates:
______________________________________________________
From Washington RCW 19.34.020
(11) "Digital signature" means an electronic signature that is a
transformation of a message using an asymmetric cryptosystem such that a
person having the initial message and the signer's public key can accurately
determine:
(a) Whether the transformation was created using the private key that
corresponds to the signer's public key; and
(b) Whether the initial message has been altered since the
transformation was made.
______________________________________________________
I will explain the digital signatures here - but the simple concise way I
did it before IS the 'technically challenged' version!
Consider this document:
<Affidavit>
<Digest>asdfjalsdjflasjdfl;ajsdl;fjwoeirowiralskjf</Digest>
<Content>I am an affidavit</Content>
<Public Key>fasdfa;ljf;lj2j2l3234235tasdfasd</Public Key> </Affidavit>
Now... This document here was encrypted with a Private Key that you can't
see here. No-one has the private key except the author. However, the Public
Key and the Digest together are used mathematically and when the Content 'I
am an affidavit' is pushed through it, if it all doesn't add up
mathematically, then a flag is sent up and it fails
validation/authentication. If someone changes that affidavit, then when it
is ran through the Public Key and Digest equation, it won't come back with a
'true' signal. This is the foundation of PKI (Public Key Infrastructure)
which you will be seeing more of in the future. When you get your Public and
Private keys from a 'trusted' third party, then you're in good shape. This
is why self-signed ones usually not considered 'trusted' enough. With a
self-signed certificate you are saying ' I am who I say I am because I say
that I am'. With a third party certificate you are saying 'I am who I say I
am because Thawte (Or another trusted party) has verified this through their
PKI department and issued me the private key that I encrypted this message
with so I have to be me.'
Personally, I used (and still do internally) self-signed certificates for
years. They DO verify the content fine, but the going trend is to involve
that third party and further verify the author's identity to establish a
level of 'trust'.
So.. A good digital signature system will:
1) Verify that the author is who they say they are.
2) Verify that the content has not been changed after the signature was
applied.
Its really a little simpler than it looks because the technology does most
of the work. For me it seemed real complicated until I started playing with
it.
PLEASE ADDRESS THIS IN YOUR PRESENTATION IF YOU CAN! It's going to cost
someone a whole lot of money and damage our profession if left unchecked.
NAPPS needs to advise servers not to do this! I'm ccing xxxxxx on this so
maybe he can understand the differences about the digital sigs...
Rob
-----Original Message-----
From: loya...@googlegroups.com [mailto:loya...@googlegroups.com] On Behalf
Of psins...@juno.com
Sent: Saturday, May 26, 2007 10:08 PM
To: loya...@googlegroups.com
Subject: Digital Signatures (or not) on your proofs of service.
I am a member of NAPPS and read the same article.
Robert Dayton is absolutely correct in what he is telling you. In
addition, just how easy is it to prove that you are Forging a
signature as discussed?
Well it does not require a document expert or a handwriting expert to
do this.
You just take two separate returns of service affidavits and lay them
on top of each other and you have it. If you want to take just 10
minutes you will prove for a FACT that it is a Forgery. Take the two
signatures and use a stickpin. If you can get 10 points that are exact
matching holes to the signature it is a forgery if you cannot see it
with your eyeballs that they are point for point an exact match.
How is this possible and how is that simple? Well it is a scientific
fact that a human being will not sign their name exactly the same EVER
so if you have the eyeball exact match or the ten-stick pin match on
ten points or less you have a forgery on your hands people.
This is done with people forging a check signature and it has been
around for a long time.
When do you need a document expert or handwriting expert to tell you?
That is when the paper, ink and other factors are looked at and the
person doing the Forgery is using their own hand writing the signature
in an attempt to get it done and then you are NOT going to get an
exact match because another human being is in fact moving the pen
after practice of mimicking the persons handwriting.
In closing, what is being discussed is VERY easy to prove and put you
right out of business. Do not do it as Robert is telling you.
Respectfully,
Bryan McManis
MAGNUS PROCESS SERVING
Bryan McManis, BSBA, CPS, CLP
Certified and Bonded Process Server # 04-3-7
Fifth Judicial Circuit Court Ocala, Marion County Florida
Office 352-624-1884
Fax 775-206-9612
4508 SE 2nd PL
Ocala, FL 34471
Member of: N.A.P.P.S. Member of: N.A.I.S. Member of: I.P.S.A. Member
of: N.P.S.A.
Graduate of Florida Institute of Criminal Justice
Graduate of Detective Training Institute
http://www.MagnusProcessServing.com
http://www.MersProcessServer.com
This transmission may be:
1. Subject to the Process Server-Client Privilege.
2. Strictly confidential.
If you are not the intended recipient of this message, you may not
disclose, print, copy, or disseminate this information.
If you have received this transmission in error, please reply and
notify the sender (only) and delete the message.
Unauthorized interception of this e-mail is a violation of Federal
criminal law.
On May 26, 12:56 pm, "Robert Dayton" <loyalpu...@gmail.com> wrote:
> Hi Everyone,
>
> I just read a beautiful article by Tony Klein in the NAPPS Docket Sheet and
> it brings to mind something many of you have asked me about.
>
> Digital Signatures.
>
> For some of you that want it, our product prints an image of the server's
> signature on the proof of service. Printed properly, it is real hard to
> distinguish it from the original. Most of you that have asked me about it
> did not want that feature when I told you about some of the risks involved.
> I wouldn't even have our product doing that at all save for the fact that my
> competitors do and have mislead agencies into thinking that that all they
> are doing is digital signatures so its fine.
>
> I will continue to provide this service to all of our customers that want it
> - BUT - I want to publicly advise you against it and tell you about what you
> are really doing.
>
> First, I want to tell you what a 'digital signature' really is. Pertaining
> to our profession, a 'digital signature' is XML that is wrapped around a
> document or other content that has a 'digest' that is encoded with a
> 'private key' and is decoded/validated with a 'public key'. It is
> unalterable without detection. Once the digest is validated against the
> content of the document - any alteration throws a big red flag. You do need
> special software to validate digital signatures. Its not really hard, but
> its not widely in practice in our profession.
>
> If you are taking an image of your server's signature and dropping it on a
> proof of service or causing your software to do the same, then you are
> FORGING their name on it. I don't know what else to call it. No matter how
> you rationalize it to try to cover your behind the truth is plain. You are
> in no way using a 'digital signature'.
>
> Second, You are also likely perpetuating a fraud upon the court when you
> file it because you KNOW that it is not an original signature. I know the
> clerks accept it. They'd accept Twinkies if you filed them - but good
> opposing counsel could crush your business and your reputation over that.
>
> It is hard to get caught for this - but the stakes are high when you do.
> Maybe you have your servers sign an agreement - that doesn't make pen touch
> paper, it means that you are leveraging your position as a provider of
> income to distress your server in agreeing to not sign his name to sworn
> statements so you can forge his signature on it faster and return it to your
> client faster. A disgruntled ex-employee could wreak havoc for you by
> calling your clients and could also seriously damage your credibility with
> the courts by bringing this to light. Then they could absolve themselves by
> saying that it was all under duress.
>
> I even question if your E&O would cover a suit over this. If you are
> criminally forging someone's name even with their knowledge/consent and/or
> knowingly misrepresenting facts to a court and are in a position to have
> known better (a process server is expected to know the laws pertaining to
> his profession) - then you might want to ask your insurance guy about this.
> You may have some risk exposure issues to consider.
>
> I think if all of these points were lumped together by a good
> attorney/prosecutor they could be used to pierce your corporate shield (if
> you are incorporated) and come after you personally.
>
> Remember also that you may have been rationalizing this practice to yourself
> for some time now and may think its ok since you have not been caught yet.
> Do not think that just because the clerk accepts it that it is ok. Judges do
> not rationalize the same way that you do. Some courts have no problem with
> an image of the signature and have posted court rules accepting that
> practice. In this area I would suggest that no signature took place unless
> pen touched that paper in the first place or it is a true digital signature
> via public/private key signing. A copy of an actual signature on that actual
> document is one thing - but a generic copy of a signature dropped on a
> document that never had pen touch paper in the first place may not be what
> the court had in mind when they said 'image of a signature'.
>
> Please be informed and careful. As your software provider we have a
> responsibility to give you what you want - and we will - but we also have a
> higher responsibility to keep you in business and looking good so you can be
> wildly successful and keep paying us!
>
> Issues like this are the real reasons you should consider joining NAPPS if
> you not already a member. This national association may provide you some
> extra work as a benefit, but more importantly, it serves to guide you in
> what are the best practices for this industry and keep you informed about
> things that could wipe out your business or cost you a lot of money.
>
> J
>
> Thank you for your time reading this - I know I tend to ramble on sometimes,
>
> Rob