
The Digital Signature Task Force (Task Force) was initially asked to answer several questions posed by Dr. Bill Weems (University of Texas Health Science Center Houston) resulting from implementation in Spring of 1999 of Phase I of The University of Texas System Public Key Infrastructure (UTSPKI). In undertaking the research to answer Dr. Weems' questions, the Task Force members decided that it would be helpful to provide more general guidance about the legal issues associated with creating, sending, receiving and storing documents associated with digital signatures, as well as to answer the specific questions posed. This report sets out the general guidance first, and then applies the general principles to Dr. Weems' questions and to other questions.
For introductory information about the UTSPKI and digital signatures, the reader should turn to readily available information published elsewhere. Dr. Weems maintains a site that explains the UTSPKI at www.uth.tmc.edu/xorgs/utspki/overview-phase-i.htm. In addition, the American Bar Association has published a Digital Signature Guidelines Tutorial at www.abanet.org/scitech/ec/isc/dsg-tutorial.html. The reader is encouraged to stop now and go to these sites and read the information presented there. Better yet, read the information and then obtain a digital certificate and start using it. Nothing teaches like experience.
Almost all of the laws that currently apply to contracts and to communications with government agencies still apply. All the state laws and agency rules and regulations (including but not limited to the Regents' Rules and all Business Procedure Memoranda (BPMs)) that currently apply to the University's activities will still apply. For the most part, there are no new rules for digital signatures.
There are, however, a few new rules for digital signatures that equate the effect of a digital signature with the effect of a manual signature in specific contexts. These new rules simply state, "one is as good as and has the same effect as the other."
When you have a question about a legal issue associated with the use of digital signatures or encryption, reread General Principles I and II first, then read through this report to see whether it might answer your question. If those approaches fail, you may refer the question to Ms. Georgia Harper in the Office of General Counsel for The University of Texas System.
Three Texas statutes that address digital signatures are particularly relevant to the University's concerns: Tx. Bus. & Com. Code Section 2.108 (Chapter 2 [Sales] of the Uniform Commercial Code [UCC]); Tx. Bus. & Com. Code Section 2A.110 (Chapter 2A [Leases] of the UCC); and Tx. Govt. Code Section 2054.060 (Information Resources). There are also rules issued by the Department of Information Resources (DIR) that are particularly relevant: Tx. Adm. Code, Title I, Part X, Chapter 201, Rule 201.14 (Digital Signatures); and Standards Review and Recommendation Publication 13, also issued by DIR (Digital Signatures & Certificate Authority Guidelines).
The National Conference of Commissioners on Uniform State Laws (NCCUSL) [adopted] a new uniform law, the Uniform Electronic Transactions Act (UETA), at its annual meeting July 23 - 30, 1999. The earliest Texas could pass legislation based on UETA would be early in 2001, almost 2 years from now. Nevertheless, we will review this law because in the interim, the substance of UETA is likely to become law via federal preemption. Congress will likely pass a law this session that would preempt any state's laws that are inconsistent with UETA. The proposed federal law is S.761, the Millennium Digital Commerce Act.
NCCUSL is also likely to adopt the Uniform Computer Information Transactions Act (UCITA) that will, among other things, validate electronic transactions in computer information, including click-through transactions. Such transactions are usually in the nature of licenses rather than sales. Unlike UETA, this uniform law is quite controversial and its adoption by any state other than Washington (home of Microsoft) is uncertain.
Tx. Bus. & Com. Code Section 2.108 and Tx. Bus. & Com. Code Section 2A.110: Contracts for the sale or lease of goods accompanied by digital signatures are considered "signed."
Tx. Govt. Code Section 2054.060: A digital signature may be used to associate a person with a record, that is, "authenticate" written electronic communications (i) sent to state agencies so long as the digital signature complies with DIR rules and (ii) sent to local governments so long as the digital signature complies with the local government's rules. What is a "written electronic communication?" Rule 201.14 (see below) defines this phrase as a digital representation of information that is sent by one individual, state agency, local government, corporation, partnership, association, organization or any other legal entity to another such entity. Information is not defined in Rule 201.14 or in Chapter 2054. Webster's Dictionary defines "information" as facts or data. Based on this broad definition, this statute appears to authorize use of digital signatures in almost any situation.
The three above-referenced sections of Texas law validate the use of digital signatures within their contexts. With respect to Tx. Govt. Code Section 2054.060, such signatures are valid so long as their use complies with certain rules. Let's look at some of those rules now.
Tx. Adm. Code Title 1, Part X, Chapter 201, Rule Number 201.14 - Digital Signatures: Rule 201.14 establishes acceptable digital signature technologies for the authentication of written electronic communications sent to state agencies by describing what communications it applies to, providing definitions, requiring digital signatures to be created by an acceptable technology, setting forth the criteria for determining acceptable technologies, listing acceptable technologies and providing a mechanism for adding new technologies to the list of acceptable technologies. In particular, the Rule requires that each state agency that chooses to accept digital signatures establish a level of security to authenticate sufficient for the transaction being conducted and that the level not effectively discourage the use of digital signatures (no "unreasonable or burdensome requirements"); permits an agency that chooses to accept digital signatures to refuse to accept certain digital signatures where the cost to do so is excessive and unreasonable; directs state agencies to review and consider DIR Rules and Guidelines as they determine whether and for what purposes to accept digital signatures; and directs them to comply with audit and records retention requirements in connection with accepting and providing access to written electronic communications authenticated with digital signatures.
One controversial part of Rule 201.14 (section (e)(1)(A)(i) and (C)) indicates that in order for public key cryptography to be an acceptable technology, one's private key may only be known to the subscriber. This creates a dilemma for state agencies in that information subject to disclosure under the Texas Public Information Act may be encrypted under circumstances where no one is able to unencrypt it. See other sections of this Report for more information on this issue.
Standards Review and Recommendation Publication 13 - Digital Signatures & Certificate Authority Guidelines: These Guidelines augment Rule 201.14 by addressing accreditation, reliability, technical interoperability and security issues. DIR directs state agencies to become familiar with Rule 201.14 and the policy, procedural, security and technology issues related to digital signatures and certification authorities. The publication links to the list of acceptable technologies and other resources. DIR recommends that state agencies: improve electronic access, use digital signatures where authentication is needed, consider the cost of accepting digital signatures that use expensive technologies, consider participating in nation-wide initiatives to assess "trust" issues, and pending the development of fully functioning accreditation processes, consider a particular framework for evaluating the use of digital signatures certified by certification authorities on the approved list.
UETA: As currently drafted, UETA applies (1) to electronic records and signatures related to any transaction where the parties have agreed to conduct the transactions electronically, except those transactions which are specifically excluded such as wills, codicils, testamentary trusts, secured transactions, commercial paper, banking, letters of credit, bulk transfers, warehouse receipts, bills of lading and other documents of title, and investment securities, and (2) where states wish to authorize the creation, use and retention of electronic records and signatures and conversion of paper to electronic records.
The parties' agreement to conduct transactions electronically need not be formal. For example, their actions can indicate the parties' agreement. Most importantly, UETA is not a substantive law. In addition, it does not change substantive law. The laws that determine when, whether and to what extent a contract has been formed or is otherwise enforceable are still the same. All UETA does is clarify that requirements that transactions be in writing and signed will be satisfied by electronic writings and digital signatures. In other words, "the medium in which a record, signature, or contract is created, presented or retained does not affect its legal significance." (Section 106, Reporter's Notes, Note 2.)
UETA covers both (1) transactions between parties that have agreed to conduct electronic transactions, and (2) governmental electronic records and signatures. Much of the substance of Part 2 which covers governmental electronic records and signatures is already enacted in Texas in the form of the statutes and DIR Rules and Guidelines described above. Arguably, the above-described amendments to Chapter 2 (Sales) and Chapter 2A (Leases) of the UCC implement the fundamental idea behind Part 1 of UETA (that any requirement that a contract be signed is satisfied by a digital signature) for transactions involving the sale or lease of goods. However, UETA is much more detailed and addresses requirements that contracts be in writing, written notice provisions and other issues. So, Texas is part of the way to having UETA's principles enacted, but not all of the way.
As indicated above, UETA does not apply to wills, codicils, testamentary trusts, secured transactions, commercial paper, banking, letters of credit, bulk transfers, warehouse receipts, bills of lading and other documents of title, and investment securities. The substantive laws in those areas are all undergoing their own revisions, and issues associated with electronic records and digital signatures either have been, are being, or will be addressed in those revisions. Further, when Chapters 2 (Sales) and 2A (Leases) of the UCC are revised after adoption of UETA, UETA will only apply to the extent the newly revised Chapters say it will apply.
The key provisions of UETA include:
Section 106 providing that a record or signature cannot be denied legal effect or enforceability solely because it is electronic; a contract cannot be denied legal effect or enforceability solely because an electronic record was used in its formation; any requirement that a record be in writing is satisfied by an electronic record; and any requirement for a signature is satisfied by an electronic signature.
Section 108 providing that an electronic record or signature is attributable to a person if it was the person's act. Whether it was a person's act can be proved in any manner, including showing the efficacy of security procedures undertaken to determine attribution.
Section 111 providing that electronic records will suffice in any case where a law requires that records be retained so long as the electronic record is accurate and can be accessed later.
Section 112 prohibiting exclusion from evidence of any record solely because it is electronic or not in its "original" form.
Section 202 providing an opportunity for states to designate the administrative level at which decisions about (1) sending, accepting, creating and using electronic records and signatures will be made and (2) specifying related requirements.
Senate Bill 761 (The Millennium Digital Commerce Act): In connection with interstate contracts, this bill will make the core provision of UETA the law of the land in any state that has not adopted UETA. It will provide that contracts relating to an interstate transaction cannot be invalidated solely because they are digitally signed and that people can agree amongst themselves how they want to deal with digital signatures.
Texas Public Information Act: Information that is generated by the University during the normal course of business is subject to the provisions of the Texas Public Information Act (TPIA). Absent the application of specific statutory exceptions restricting the disclosure of particular documents, the University is obligated to locate and make requested information available for inspection and/or copying in a timely manner. If public information is in the possession of a University employee, it must be delivered to the custodian of records in order for the University to satisfy its statutory obligations under TPIA. Failure to comply with the TPIA in a timely manner by the University's custodian of records can result in criminal penalties, including incarceration.
The encryption of information deemed to be public information under TPIA cannot be used to circumvent the public disclosure of requested documents. Accordingly, faculty and staff who are issued a private key must be informed (1) that the key and the records encrypted with it remain the property of the University; (2) that encrypted information must be unencrypted in order to satisfy statutory obligations under the provisions of TPIA; and (3) that failure to comply with this requirement will result in disciplinary action.
Digital signatures are a method for authenticating - associating a person with a record - and verifying that the record has not been changed. Until now we have had no practical ability to authenticate. There will be many circumstances where both parties to a communication will benefit from the added protection digital signatures offer. For example, a department such as the Office of General Counsel could decide that communications from attorneys to clients should be signed to assure authenticity and content integrity. On the other hand, in a circumstance where there would be little or no benefit to either party to authenticate and verify a communication, there is no reason to use or require a digital signature.
Under current Texas law, digital signatures have the same legal effect as manual signatures when applied to (a) contracts for the sale or lease of goods and (b) electronic communications with state agencies. Their legal status in other contexts important to University business is evolving quickly.
Where authentication or verification of record integrity is desired in those contexts (contracts for the sale or lease of goods and electronic communications with state agencies), digital signatures are an acceptable way of accomplishing those objectives so long as:
the digital signature has been issued by a certification authority approved by the State of Texas (see DIR Rules and Guidelines described above);
the component institution or System Administration, as the case may be, has reviewed the DIR Rules and Guidelines as part of the process of deciding whether to accept digital signatures; has established the level of security appropriate to the circumstances, avoiding requirements that are unreasonable or burdensome; and can comply with records retention and audit requirements relevant to the digitally signed record or contract.
Record retention schedules should be updated to reflect that electronic records are being retained instead of or in addition to paper records and unencrypted versions of records and contracts should be available for audit. Business Procedures Memorandum 53 (BPM 53) provides additional information about protecting confidential and sensitive information.
All employees of System Administration and its component institutions should be advised when issued a digital certificate that most (if not all) of the University's records are subject to the provisions of the Texas Public Information Act. Just because it is possible to encrypt a document does not mean that it should be encrypted. Encryption should be employed to protect confidential information. BPM 53 describes confidential information as information that is exempt from disclosure under the TPIA. Ostensibly, only information that is exempt from disclosure under TPIA should be encrypted at all.
On the other hand, encryption is quite likely to become a widely used technology and it may be difficult effectively to discourage employees from encrypting information subject to disclosure under the TPIA. So long as DIR Rule 201.14 indicates that escrowing of individuals' private keys renders public key cryptography unacceptable, we must recommend that such information not be encrypted. Certainly, if information is encrypted to protect it during transmission or otherwise, once an encrypted document subject to the TPIA is in the possession of its intended recipient, it usually should be unencrypted and stored in an unencrypted format.
All employees of System Administration and its component institutions should be advised when issued a digital certificate of appropriate security procedures for the use and handling of digital certificates.
All System Administration and University local registration authorities should be properly trained to understand the importance of using consistent procedures to identify all certificate holders because those procedures affect the admissibility of business records in suits related to digitally signed transactions. In addition, local registration authorities should be advised that they may have to provide sworn statements or testimony about the procedures they use to identify certificate holders or other matters related to their work as local registration authorities.
When can System Administration and component institutions begin accepting digitally signed documents, including contracts?
Answer: In accordance with the Recommendations set forth above, written electronic communications and contracts for the sale or lease of goods with associated digital signatures may be accepted when the component institution or System Administration, as the case may be, has reviewed the DIR Rules and Guidelines as part of the process of deciding whether to accept a digital signature; established the level of security appropriate to the circumstances, avoiding requirements that are unreasonable or burdensome; and established procedures that will permit it to comply with records retention and audit requirements relevant to the digitally signed record or contract.
Further, the relevant body of law must be consulted before using digital signature authentication for things other than contracts for the sale or lease of goods. Some laws require that information exchanged must be documented in a particular form. Unless that area of law has been "updated" to validate electronic records and signatures, they may not be enforceable. See question 16 below about copyright assignments for an example of this kind of problem. In some cases the document itself can carry with it inherent rights such that infinite numbers of duplicates would not be acceptable. For example, negotiable instruments such as promissory notes may not be amenable to electronic transmission and signature as duplication and inability to distinguish "originals" could affect negotiability.
Additional guidance from the Business Affairs Office will be helpful.
Who determines the circumstances under which digital signatures should be used for authenticating electronic communications and online interactions? For example, who determines whether documents should be digitally signed or a userid/password authentication technology should be replaced by a digital signature requirement for accessing authorized resources or filling in and signing online forms?
Answer: These are business decisions that should be made in accordance with the recommendations set out above and with due regard for any legal requirement that a signature be "in writing" where no applicable law equates a digital signature with a manual signature.
For example, it could be either a personal decision or a departmental decision to sign email messages. Similarly, it would be a business decision to require the use of digital signature technology to access and use a University online form for requesting electronic reserves. No state or federal law or regulation affects either of these decisions (regarding signing the email or the online form). On the other hand, suppose that a statute requires new employees to attend an orientation and sign a certificate saying that they attended. It would still be a business decision to (1) permit new employees to attend such an orientation by completing an online tutorial; (2) to fill in an online form verifying that they did so; and (3) to sign the form with a digital signature; but the University should have the Office of General Counsel or its own legal office review the relevant statute to be sure that the online form with a digital signature will satisfy the statutory requirements that the new employee "sign" a certification that he or she attended the training.
Can a subscriber use his or her University issued digital IDs for non-state activities?
Answer: The same laws that apply to the use of state property for personal purposes apply to digital certificates. This means that generally, a digital signature issued by System Administration or a component institution in connection with an employee's duties should be used only for work-related tasks. Incidental personal use that does not result in charges to the State is not considered to be a misuse of State property.
If use of a digital ID is limited to state activities, what constitutes a state activity?
Answer: Other laws unrelated to the use of digital signatures determine what is within the scope of one's employment and thus a state activity. It is considered beyond the scope of this Report to outline what is and is not a state activity.
Can a subscriber execute a digital signature using their University issued private key on personal documents? Note that their University digital IDs will often be used on subscribers' privately owned computers. An example of such usage is for distance education.
Answer: See question 3.
Who determines whether a record is exempt from disclosure under the TPIA or whether it is responsive to a request if not exempt, and what information is available to help them make their decision?
Answer: The question of whether a record is exempt from disclosure under the TPIA is a question of law. The Office of General Counsel frequently becomes involved in assisting custodians of records at component institutions of the University of Texas System in an effort to resolve specific questions arising from a public information request. Obviously encrypted documents cannot be reviewed in order to determine the applicability of statutory TPIA exemptions.
Due to the extensive body of law generated over the past twenty-seven years by both the Office of the Attorney General and by the courts, the interpretation of the specific statutory exemptions contained in the TPIA has become a difficult and complex task. See the Open Records Handbook published by the Office of the Attorney General. Whenever a novel question arises concerning the applicability of an exemption to a particular document or category of documents, the Office of General Counsel may ask the Open Records Division of the Texas Attorney General to make a ruling on the particular matter at issue. This ruling will then be binding upon the University.
Some requests are difficult to comply with since they use very global language or seek many years of records or otherwise fail to specifically identify the records being sought. Under the TPIA, if the request creates some confusion regarding what documents are being sought or raises issues regarding what documents would be responsive to the request, the TPIA authorizes the University to ask the requestor for clarification or modification of the request in order to permit the University to comply with its obligations under the TPIA.
If the requestor is ultimately dissatisfied with the University's response or an Attorney General's opinion, he or she can take them to court to resolve the dispute.
May the following records be transmitted and stored encrypted to keep them secret at all times: Test questions developed by faculty members, information related to individuals seeking tenure and promotion; lists of passwords?
Answer: If a record is exempt from disclosure under the TPIA it can be stored encrypted. There are over thirty statutory exemptions contained in the TPIA. During each session of the legislature, attempts are made to modify existing exemptions or to add new ones. Consequently, the law related to the TPIA appears to be slowly changing over time with few absolutes. Section 552.122, Government Code, exempts test items developed by an educational institution as well as a test item developed by a licensing agency or governmental body; however, the term "test item" remains largely undefined at this point. See Open Records Decision No. 626 (1994). Information related to individuals seeking tenure and promotion has been ruled to constitute public information subject to disclosure in the same manner as most material in the personnel files of public employees. See Open Records Decision No. 615 (1993). Information consisting of passwords, source codes, and other documentation intended to protect the security of computer records has been ruled to constitute a tool of the storage, manipulation, and security of information and the Attorney General ruled that the legislature did not intend the TPIA to compromise the physical security of information management systems. See Open Records Decision No. 581 (1990).
The State's Open Records Handbook explains the Act in detail, including descriptions of the multitude of exceptions.
May we escrow private keys to ensure that encrypted information subject to Texas Public Information requests can be produced as required by law?
Answer: There is considerable controversy over what should be done to protect public information from loss due to an inability to unencrypt it. The debate centers around escrowing individuals' private keys with one side noting that if an individual is unwilling or unable to unencrypt public information, someone ought to be able to do it. Critics of this approach point out that the "high" security one can achieve with private keys is lost when there is another way to get the key. Any store of private keys can be broken into, and so escrowed keys are inherently not so secure as unescrowed keys.
Currently, we are not permitted to escrow private keys unless the key is assigned to a role (i.e. an office) rather than to a person, and then, only if the person occupying the role agrees, because Rule 201.14 sections (e)(1)(A)(i) and (C) require that public key cryptography is only an acceptable technology if one's private key is known only to the subscriber. Since the DIR has made this decision, we will have to develop additional procedures for addressing the risk that information subject to TPIA requests may be stored in an encrypted format where no one is able to unencrypt it.
Digital signatures are nonrepudiable in that a subscriber's digital ID is certified by a State of Texas Approved Certificate Authority to be that of the identified subscriber who has agreed to maintain his or her private key under his or her sole control. Thus, what recourse, if any, does a subscriber have if he or she loses control over his or her private key and someone else uses it to illegally sign a document? Can a subscriber ever repudiate a digital signature that was executed prior to revocation of his or her certificate?
Answer: Under current law, digital signatures are not "nonrepudiable." A subscriber would have the same recourse to deny a digital signature as he does to deny a manual signature. UETA suggests that showing the efficacy of security measures associated with the issuance and use of a digital signature may make a digital signature harder to repudiate than a manual signature, but it is not impossible. The issue will be exactly the same as it would be to repudiate a manual signature, but the facts brought to bear on the issue will be different. On the other hand, Section 5.2 of BPM 53 states that "holders of means of access are responsible for unauthorized access to their accounts that results from their negligence in maintaining the confidentiality of their means of access." This suggests that extreme care should be used in maintaining control over a digital signature as it would be considered negligent to fail to do so.
Our contract with VeriSign allows us to cancel our digital certificates. Certainly, if a subscriber loses control over a digital certificate, it should be cancelled immediately. If a subscriber wants to repudiate a digital signature made before cancellation, it will just be a matter of bringing to bear all the evidence the subscriber can to show that the application of the signature was not the subscriber's act, knowing that the people on the other side of the dispute will bring to bear all the security procedures required to associate the subscriber with the unique certificate and guarantee that any use of it would be the subscriber's act as well as alleging that any failure to maintain control is considered negligence under our own policies.
Do the same policies and rules that apply to employees apply to students?
Answer: In general, yes, but the TPIA is an exception. For example, BPM 53 governing the protection of confidential and sensitive information applies to everyone. Students who are entrusted with sensitive or confidential information must protect it and are required to certify that they have read BPM 53 and understand their obligations under it.
On the other hand, records that are subject to the TPIA are almost always records generated by state employees, not students, so most student communications would not be considered public records. Additionally, some public records and some student communications are exempt from disclosure under another law that protects student privacy, the Family Educational Right to Privacy Act (FERPA). Decisions about what is exempt under FERPA are made exclusively by the University in accordance with federal law.
What statement should be used in an e-mail message to digitally sign an attached agreement? Would the following be satisfactory?
"Please find attached to this message the "Master Service Agreement" between the University of Texas at _______________ and [Contractor]. The "Master Service Agreement" is signed by the digital signature that binds the agreement and this email message".
Answer: A digital signature may serve several functions, including: (1) identification of the sender; (2) indication of the sender's assent to or adoption of a particular agreement; and (3) verification of the integrity of a particular message.
The University's VeriSign digital certificates state that they are intended to ensure e-mail came from the sender; to protect e-mail from tampering; and when encryption is used, to ensure the content of e-mail cannot be viewed by others. Thus, when you say nothing in your email message, your certificate details will show the recipient what your certificate is intended to do.
To eliminate ambiguity, and especially where the signer intends to limit a signature's functions, the party that digitally signs a message should clearly state the intended meaning of the electronic signature within the associated record. For example, if the sender intends the digital signature to verify the integrity of a particular contract but not to indicate assent to its terms, perhaps because it is only a draft, the sender should state:
This digital signature is attached to or associated with that certain record referred to as [insert name or description of record] sent by [Sender] to [Recipient], dated _____________, 1999, and is attached or associated for the purpose of verifying the integrity of the [insert name or description of record] and identifying [Sender] only.
Later, when the sender wishes to execute the contract and to indicate assent to the terms as well as identify the sender and verify content integrity, the sender would state:
This digital signature is attached to or associated with that certain record referred to as [insert name or description of record] sent by [Sender] to [Recipient], dated _____________, 1999, and is attached or associated for the purpose of verifying the integrity of the [insert name or description of record], indicating [Sender's] assent to and adoption of the terms of [insert name or description of record] and identifying [Sender].
When the parties to a contract intend to use digital signatures to execute the contract, it would be advisable to include the following statement in the contract:
The parties to this [Contract] agree to conduct this transaction electronically, including but not limited to electronic signatures, in accordance with §2054.060, TX. GOVT. CODE.
Does using a digital signature mean that we may dispense with other signature requirements such as confirming that the person who signed has authority to sign?
Answer: A digital signature only provides strong evidence that the person who signed is who his signature says he is. It says nothing about whether he is authorized to bind the entity on whose behalf he signed. Therefore, procedures related to verification of a person's authority to bind a particular entity should still be observed. For example, all contract administrators must still comply with all of the requirements contained in the Small Contracts Checklist related to signature authority.
Where should digitally signed contracts be stored?
Answer: BPM 53 addresses issues associated with the protection of state information resources, describing special procedures for resources that are sensitive or confidential. It does not specify where records should be stored but it sets out a broad plan for how to ensure that confidential and/or sensitive information is protected. Sensitive information is information that must not be altered in any way. Contracts would fall under the definition of sensitive information; therefore any decision about where to store digitally signed contracts should comply with the procedures described in BPM 53.
If a contract requires that notice be in writing, for example, notice of termination, would a digitally signed email message satisfy the requirement?
Answer: Even if UETA were already law in Texas, it would not affect a contract provision that requires the parties to give each other notice in writing, unless the parties had agreed to conduct business electronically. Remember, UETA would only apply to parties that have agreed to conduct their business electronically. As the notice provision says "in writing," it seems likely that at the time the contract was signed, the parties had not agreed to conduct business electronically. They can, of course, change their agreement, and such a change need not be in writing (unless the agreement says it has to be in writing), but to be on the safe side, it would be better to amend the contract to say that any requirement for a writing would be satisfied by an electronic record and any requirement for a signed writing would be satisfied by a digital signature. See the answer to question 1 above.
Is a "click-through" license valid and enforceable and how do you keep a record of such an agreement?
Answer: Click-through licenses may or may not be enforceable. That is an issue that would be determined by other law. The law we have discussed here only provides that such a license cannot be invalidated solely because it is electronic and signed electronically. UCITA, if it is adopted in Texas, speaks to the substantive issue of whether a "click-through" license is otherwise valid and enforceable. In the absence of UCITA, courts have applied UCC Chapter 2 by analogy to find in some cases that such licenses are enforceable and in other cases that they are not. That, in fact, is one reason that many people want a statute that specifically validates such licenses. We don't have that statute at this time.
Most manufacturers of online software include their license agreement among the files that get installed on your computer when you download the software or install it from the manufacturer's site. Because of the ambiguity about the enforceability of click-throughs (previously referred to as shrink-wrap licenses), many people did not think it necessary to maintain these contracts like other contracts actually negotiated and manually signed; however, if UCITA or anything like it is adopted in Texas, we will have to begin to treat these licenses like other contracts. Even today, we cannot treat electronic contracts like they are unimportant. Such contracts must be reviewed prior to indicating the University's assent in accordance with BPM 48, stored just like our other contracts, protected from being changed and made available for TPIA purposes and audit compliance.
Copyright law requires that assignments of copyright must be in writing and signed by the owner. Would a digitally signed assignment be valid and enforceable?
Answer: Because UETA would be state law, if adopted, and copyright law is federal law, UETA wouldn't apply to validate a digitally signed assignment to transfer copyright. On the other hand, if the transaction is an interstate transfer, the Millennium Digital Commerce Act would validate the use of a digital record and digital signature, since both copyright law and the Millennium Digital Commerce Act are federal laws. Until the federal law is passed by Congress, there is really no legal authority for relying on a digital document to transfer a copyright interest. Further, once the state passes a law based on UETA, the federal law will no longer apply (it is only an interim law). In other words, the person acquiring the copyright would be best advised not to accept a digitally signed document because it may not be enforceable. It would appear that Congress will need to do more to address federal law requirements for signed writings.
