Wednesday, August 3, 2016

Patent licensing updates: 11 licensees and growing

In our previous installment "Patents and the small business inventor," we noted the high cost of acquiring a patent, maintaining it with the patent office, fighting off ex-parte re-examinations, and then enforcing the granted legal rights to your intellectual property (IP) against companies that are often much richer than you are as a small inventor.  With the advent of the Alice ruling, some even hope your patent will fail this legal challenge, though all such challenges to our patent have been dropped or lost.

Competitors will threaten you with counter lawsuits.  Competitors will threaten you with high legal fees needed to protect your IP as they play linguistic games around the meaning of "is" (no actual confusion) and "publishing house" (means nothing without context) and present straw man arguments.  They will say what you invented was obvious, a conclusion they wish to reach by discounting the truly obvious fact that sufficient technology existed for decades under public key infrastructure (PKI), yet not a single vendor or academic offered the new approach before.  And once you did offer the approach along with a publicly available patent disclosing it, everyone followed this "now obvious" solution.

Fortunately, Yozons has been working with our law firm to iron out patent license agreements with various parties.  We now have 11 companies covered by our patent license, from the largest to the smallest of competitors in the e-signature space, as well as PDF vendors and real estate vendors.  It is a slow moving process involving lawyers, bean counters and sometimes the courts themselves.

Two companies we approached had suggested they would cease operations rather than acquire the license, but in the end, both ended up purchasing the license rather than closing shop.  This is good as competition is much needed, and our license fees are most reasonable.

Our '079 patent works well in the United States, Canada, Australia and New Zealand.  We have some success in the U.K., but as the E.U. moves itself backwards with it's updated (they had a previously sound e-signature directive) Advanced Electronic Signature regulation called eIDAS, our invention cannot work.  Our IP has no place in a PKI world, and that's a good thing.

In fact, no web-based solution will work easily with eIDAS, and it's just silly to suggest that end users will be better suited to keeping digital signature keys and documents secure on their own.  Security is hard, and end users are known for skipping anything hard.  Click here?  Looks legit to me?  Gotta see this?  Pretending that infected PCs and misplaced laptops, phones and tablets is the route to "advanced" electronic signatures misunderstands that adjective, as if going back to 1990s failed PKI via committee-generated standards will ever work in practice.

There is a reason why e-signatures in the U.S.A. have taken off compared to other countries and the E.U.  We invented it!

Saturday, February 14, 2015

HTML-based documents are compact and readable, and allow for a flexible, responsive design

Some have asked why Yozons Open eSignForms doesn't work with uploaded documents like those of most every other competing web-based contracting system.  These people point out that they already have legacy systems that produce PDFs or Word documents and they'd like to drive those through a modern workflow, often mostly for electronic signatures.

Of course, there is a need for such a requirement, and it's pretty common for those who work with older applications created before e-signatures grew in popularity.  Previously, those PDF documents were printed for a wet signature.  Yozons believes that this sort of capability is already well provided by competitors, almost all of which take the approach of accepting PDF, Word or other types of files. Yozons' original Signed & Secured allows for signing of any type of file since 2001, but this approach was deprecated by Yozons in favor of HTML documents starting back in 2004, which eventually lead to the eSignForms in 2005 predecessor to Open eSignForms in 2011.

Open eSignForms is designed to use HTML-based documents.  Sure, with Open eSignForms you can attach PDFs and other types of files with ease, and you can even export signed HTML documents in PDF format to produce legal copies (the legal original remains the digitally signed HTML version), but we don't allow them become the primary document to be filled out and signed.  There is an image overlay scheme that provides something similar for filling out an inflexible document that must maintain its exact layout, but this has all of the same limitations of using uploaded PDFs.

A big benefit of HTML documents over PDFs and Word is that they are typically much smaller in size.  If you do only a few contracts, size may not matter, but if you do hundreds or thousands per day, size matters, and this gets more important if you need to store those documents for many years or decades.  Long term viability of a document format is important for e-signatures, and anybody who has done word processing for a long time can point out how older file formats are no longer useful because of software version changes.  HTML has always been supported by many different browsers, so no one vendor controls HTML to produce vendor lock-in.

PDFs do have advantages, of course, such as being able to create a document that will render and print just as it was laid out, including working with fonts that the reader may not have available. But font availability is changing with the web open font format (WOFF) that allows fonts to be downloaded from the Internet even if the user's browser doesn't support that font directly.  We won't mention the ongoing and myriad security issues related to Adobe Reader and the need to have that troublesome plugin updated regularly to avoid putting your computer at risk.

PDF and Word files require special software to view them in any meaningful way.  If you open either in a text editor, it's pretty hard to read the content or make any sense of it.  However, with HTML, a document is still pretty readable.  The contractual terms can be seen even if no web browser were available, but of course web browsers are not only available, they are appearing in more and more places.

With HTML, Open eSignForms is able to do things that fixed documents in PDF or Word format simply cannot match.  With HTML, whole sections of a document can be replaced at run-time based on which party is working the document, or based on data values, etc.  You just can't make a PDF document hide a paragraph or swap out some language based on data in a transaction.  And of course a PDF cannot natively support data entry over the web.

HTML also supports form input natively, so using HTML documents to allow for data entry is built-in and understood by all Internet users.

Also, as the mobile web has most recently demonstrated, the Internet will continue to change over time and gain more powers that are available via HTML.  The mobile web has introduced the concept of responsive design so that a page renders well on a small phone screen as well as on a large monitor.  HTML is suited for all of these ever-changing needs.

HTML is a very good format for documents.  It is standardized internationally, can be read even without special software (at least when it's HTML and not a Web 2.0 document where most of the rendering is done via Javascript and thus is no longer readable without a browser, making them suffer some of the same issues that PDF and Word documents already have), is compact, and supports screens of all sizes without the need for any special plug-ins.

Lastly, those with disabilities can have HTML documents read to them or shown in braille, etc. HTML is the new international, interoperable document format, whereas PDF and Word are old, proprietary formats that continue to morph as they try to remain relevant for those who are locked in and cannot yet migrate to the HTML standard.

Tuesday, January 20, 2015

Untrustworthy electronic signatures

Eileen Y. Chou, of the Frank Batten School of Leadership and Public Policy at the University of Virginia, published a study on how people perceive electronic signatures over traditional handwritten signatures.  It appears in the December 2, 2014 issue of Social Psychological and Personality Science.

We find the study fascinating because the usage of e-signatures has exploded in the past decade, indicating growing acceptance and preference, while the study suggests such e-signatures are viewed by some as less trustworthy.  No doubt there is both a generational as well as a business-versus-consumer difference in perception.  And of course the breadth of implementations of e-signatures truly does mean that some are indeed more trustworthy than others.  Some suggest checkboxes are valid e-signatures, but we wouldn't bet that the courts will side with you if that's all you can present as evidence of a signed contract.  We know there are even e-signature vendors that provide no credible proof, such as via digital signatures, that electronic documents or their signatures are valid.

Then again, this is true for wet signatures, too.  Most people just don't think about them.  For example, signatures on checks and credit card receipts are effectively never checked for validity.  The cost of comparing handwritten signatures is just too high and few can do it well.  Fewer still have a sample wet signature on file to compare against, and of course handwritten signatures change over the course of time, the type of writing implement used, whether it's cold or hot or damp, etc.  As a leftie, far too many of my signatures ended up smeared.

Wet signatures also come with built-in delays and expenses for printing and delivery, and all returned documents have to be checked to ensure nothing has been altered since it was originally provided.  Paper faxes are often impossible to read, especially when receiving a fax of your fax, and few users have a fax machine handy these days as they require a both a device and a landline.  In the days of cell phones and Internet browsers and email, paper is not as easily processed as it once was.

The study discusses the idea of "presence," indicating that most felt a handwritten signature indicated greater presence of the signer.  Of course, there is no basis for this belief, it's just something most do not take time to consider.  Sure, if you get a notarized signature in which both parties present valid identification and the signing takes place in front of each other, there is substantial presence involved. Naturally, it's precisely this sort of presence -- including its hassle and expense -- that most drives the adoption of e-signatures.  Every time a paper letter arrives in my mailbox for my son who is now at the university, it is clear how much trouble paper is, presence is, and of course the privacy issues it raises.  Did I open the letter?  Toss it?  Did it arrive in my neighbor's box yet again so they had possession before me?  Did they toss it or tell me "they didn't notice" it was misdelivered until after they opened it?  Am I traveling?  Even if I'm home, must I wait several days to receive it?  Will I have to drive to the post office to return it should it require a response?

If a signed paper document arrives by mail or fax, the recipient has no idea about any presence involved in the signing.  In fact, we all know from daily experience that even legitimately signed signed documents are often actually signed by spouses and admins.  Most "handwritten" signatures you see were created by a machine, such as those on business checks or mass mailings.  Even the President uses a machine to sign most documents sent out.

The study abstract does not discuss how the signed documents were presented to subjects for their gut reaction.  Were e-signed documents presented on paper or electronically?  Were paper documents presented on paper or electronically (most businesses end up scanning paper records for long term storage and to provide availability anyway)?  How did the perceived validity change for those with familiarity and general acceptance of technology?

Presumably, there was no education provided to participants about handwritten signatures or electronic signatures before undergoing the experiment, so we are left with gut feelings that rarely are correct.  After all, validating a handwritten signature based on whether it looks right is the very basis for most scams because looks are deceiving.  All phishing attacks work because everything looks correct.  Signature verification is more art than science even for those few who have a previous sample signature on file to compare against?

Do subjects know that paper documents created with high resolution scanners and printers make the creation of fraudulent documents easier than ever before?  Does Ms. Chou know that if she writes a letter of recommendation once, the holder can change the letter or make it so she's written similar letters for anybody else using simple copy/paste operations on a computer? Or simply lift her signature image and put on any other document. Or that a forged paper document could just be created with a forged ink signature because nobody else knows what Ms. Chou's signature looks like.

Was there any discussion about the powers of a digital signature to detect any change to a document after it was signed? Or that e-signatures, when done correctly, come with accurate timestamps, IP address tracking, etc., and that all parties can have an immediate copy for their records?  For example, with Open eSignForms, we digitally sign the document and embedded data at each step of the process, so we can show you how it looked as it was originally sent out, and how it looked as each signature was applied.  And of course many documents with signatures have more data to be provided (good old forms!), and trying to read handwritten data is often tricky and generally requires re-keying to get that data into business applications. Try adding data validation to a paper form!

Are the results of this study any different than those about paper correspondence being more meaningful to some than email?  Some prefer paper books to ebooks too, and some prefer dirty newsprint to online reading.  How about ATMs versus cashing checks?  How about cash over cards and smart phones?  Every new innovation goes through a transition period as people adjust. E-signatures are very new to most people, so the fact that some hold to the idea that the old ways are better is fully expected.

Heck, even autographs are giving way to selfies with the celebrity.

Wednesday, October 15, 2014

SHA-1 is considered insecure while the EU pretends to legislate "advanced" e-signatures

Google announced that it is updating its Chrome browser to display warnings on web sites that use HTTPS (SSL/TLS) backed by a digital certificate signed with SHA-1.  In Why Google is Hurring the Web to Kill SHA-1, Eric Mill gives many reasons why Google is pushing ahead of schedule to rid the web of SSL certs that are considered less secure because they are signed by a Certificate Authority (CA) using SHA-1.

While it's true that SHA-1 is approaching the end of its useful life, it's stubbornly present in many systems and applications.  Getting rid of it isn't easy.  But we have to start sometime!

Of course, creating useful collisions in SHA-1 is still mostly an uncertain game.  We have not heard of any actual SHA-1 collisions that are useful.  "Useful" is a key consideration in that creating a second set of data the hashes to the same SHA-1 hash as some "real" document is hard enough, but doing so in which that second data is a meaningful replacement for the first is even harder.  If a collision could change "$100" to "$200," you'd have a real problem (of course this is just a short text example to illustrate the point, not a real scenario).  But if "x4z]" ended up hashing to the same as "$100", it would be less interesting because the replacement is not meaningful and thus would not be a realistic spoof.

While the Google announcement surrounds SSL certificates, digital signatures for e-signatures are likely a bigger problem.  SSL certificates tend to be renewed every 1 to 3 years, so they do not last very long, and most new certificates issued will use SHA-2 instead of SHA-1.

Digital signatures on documents tend to be "forever."  They do not expire.  While the user's signing keys may change from time to time, once a digital signature is applied to a document, it remains that way going forward.  Since most e-sign vendors use SHA-1 in their digital signatures (aside from the few odd players that don't appear to use any digital signatures at all like Sertifi and AssureSign), all documents being signed may be forged in the future.  Fortunately, most documents become somewhat obsolete after years go by (that is, few want to forge a 5-year sales agreement for example).

In the EU, they promote word play like "advanced" and "qualified" for electronic signatures based on digital signatures created using a typical PKI in which the signer has been issued a digital certificate (no doubt signed with SHA-1!) for a private key the user keeps secure.  This sounds good, but of course has serious flaws:
  1. Users cannot deny an electronic signature created using their "advanced/qualified" signature. The EU law says these are guaranteed to be valid.  No wet signature ever had such an absurd notion attached to it; that's why we have courts to decide based on evidence.
  2. Users may in fact not keep their private keys secure. Users are famous for being unable to keep such stuff secure because they really have no idea what their encryption keys are or how exploits can take place.  Every virus and hack attack is a potential theft of a user's encryption keys.
  3. All encryption requires software and hardware, and all software and hardware is vulnerable to attack. Thus, your keystore can be hacked. The device the key is stored on can be hacked. The device (like a PC, phone or tablet) the key is used on can be hacked.  Any network connections involved can be hacked. As the various credit card hacks have shown, devices can be hacked, replaced or have another device put in the middle of the communications cable (or wireless).
  4. The user may forget the password related to securing their private key. While this would prevent future signing, it could also mean that all data encrypted for storage would no longer be accessible.  There will be millions of users who will lose a lot of their data because it's encrypted using a key they no longer have access to.
  5. Users can be tricked into using their keys insecurely, including phishing attacks and social engineering attacks.
  6. What happens to all digitally signed documents done between the loss of control of a user's keys and detection that the keys were lost?  A user can revoke his keys, but only once he knows something has gone wrong.  But that user will not know what, if anything, was ever forged.
  7. How can a user know where his forged credentials are being used?  Cannot!
  8. Once a digital signature is applied by a user, that document will remain secure only for as long as the digital signature is valid. If the digital signature uses SHA-1, that may only be a few years away.
With services like Yozons Open eSignForms, many of these issues do not exist. When a credit card number and information is stolen, a user eventually finds out because invalid charges appear on his or her statement.  The credit card company can go back and find all fraudulent charges and reverse them.  Something similar happens when using an e-signature service -- the only signed documents you have can be found in the service.  Any fraudulently signed documents can be discovered and invalidated.  There is recourse to such a loss that is guaranteed to happen frequently across a large pool of users.

Documents digitally signed using Yozons Open eSignForms employ a 4096-bit RSA keypair with SHA-512.  This is not the norm among esign vendors who generally use much less secure technologies (including those absolutely worthless vendors/products that don't digitally sign at all).  While the greater security provided by Yozons is powerful today, eventually it will no longer be considered secure just like SHA-1's fate today and MD5 before.

Unlike "advanced" e-signatures created by users for themselves, a service can ensure documents are secure going into the distant future.  For example, if a digitally signed document in Yozons previously used 1024-bit RSA with SHA-1 (a very typical scenario still in practice today), our technology could easily retrieve that document, ensure the older digital signature is still valid, and if so, then re-digitally sign the document using 4096-bit RSA with SHA-512.  Such a document can remain secure for as long as necessary.

It is time for SHA-1 to be retired.  Yozons has updated all of its server SSL certificates to ensure they are protected with SHA-2.  But what about all those web sites and users who do this for themselves?  They most likely will not be on top of security issues like this, and that's the very problem we solve for our customers and their users.

Wednesday, October 8, 2014

Shared web services can cost your business

One of the great things about the Internet and the advent of web services (shared software as a service or SaaS) is the ability for businesses to jump into new technologies with relatively low barriers for entry.

For many large enterprises, deploying and managing hardware servers inside a data center for new services desired by a particular department is a death sentence for the project.  The teams are understaffed and overwhelmed supporting the myriad systems already deployed.  There is no operational expertise in-house for the new services.  For small companies, such deployments are often cost prohibitive because they lack the technical skills and resources to make it a success.

Purchasing web services has solved these problems very well.  Departments in enterprises and small businesses can essentially rent time on a large shared service, often paying for resources consumed (transactional) or users per month (subscription).  The cost of entry is low, and deployment tends to be quick.  It's a real benefit.

However, when the service offered is a core competency, using third party services is often undesirable and more costly than the price tag may suggest.  Web contracting and electronic signature services fit this bill for many companies.  Most companies realize that it is a trap to store key documents and contracts and allow customer interactions to be performed by a third-party vendor.  Of course, those service providers that offer "free tiers" tend to be the worst.  Instead of monetizing their purported service, you, their customer, is the actual product and they monetize you and your interactions with your customers instead.

With Yozons Open eSignForms, you have ultimate flexibility and complete brand control.  Each customer deployment is always an independent system: independent database and independent web application.  Even our lowest cost "shared hosting" only shares the physical server, but each customer running on that hardware has its own independent web application and database, keeping its users away from those of all other customers we service. 

Most SaaS vendors put millions of unrelated customers into a single huge system.  This makes migration away much harder, and of course creates a huge target for hackers who boast about big exploits and cause millions of user records to be stolen and sold on the black market.

Over time, the cost of paying a vendor to handle your contracting, your documents and the interactions with your customers, employees and business partners grows substantially.  Losing touch with your customers by using a third-party service is a cost few estimate correctly. 

Many companies initially jump on the SaaS bandwagon, giving them a leg up on the competition and providing services quickly at a low cost of entry.  But these companies ultimately ditch those early efforts and deploy their own services, which turns out to be more profitable for them and allows them to control their customer relationships and control their important business documents.

With Yozons Open eSignForms, you can easily migrate from shared hosting, but with fully independent customer systems, to private hosting, to bringing it all in-house.  You maintain full control over your independent system no matter how it's deployed, and that flexibility is what motivates companies to eventually abandon their forays into shared SaaS and instead take care of their own business themselves.

Tuesday, August 26, 2014

Have Internet, will travel

As I write this blog, sipping a cool rosé wine just outside of Walla Walla on an impressive compound once owned by a cell phone magnate, I cannot help but think how wonderful it is to have a job that allows me to work anywhere in the world almost as easily as when I'm home.

With a laptop, my new Asus second full HD monitor that is not any thicker than an iPad, and seemingly ubiquitous fast Internet/WiFi, working on the road is both comfortable, productive and liberating.

Summertime in Walla Walla is hot, in the 90s today, but all of the wineries and tasting rooms make you forget about the ever present sun beating down on your head.  This is a special place, so close to the Oregon border, but with rivers and mountains (mostly high hills for those who live near the Cascades and Olympics around Seattle), you almost forget that most of the land is flat and dry.  Walla Walla is home to their namesake sweet onion, but wineries have taken over.  You can't take a step without coming across another winery's tasting room.

I drove south today to see where the grapes are grown, and the vineyards are impressive.  It seems this has been a good summer and will yield a bumper crop.  The grapes are smaller compared to those we snack on, but they pack a powerful punch in the hands of talented vintners.  Amazingly, I've not tasted a "bad" wine, with whites, rosés and reds all in great form. 

It's a real shame that this part of my trip was marred by the tragic news of the earthquake in Napa that did considerable damage, including the oddity of seeing red wine flowing freely -- sadly down the gutters -- the result of broken barrels that tumbled.  The losses to Napa businesses and families is felt here in Walla Walla, showing that competition doesn't have to trump compassion.




Thursday, July 17, 2014

Physical therapy is hard work made easier with secure online records

One of our earliest customers on Open eSignForms is a physical therapy office run by a woman and her small team of PTs.  She has studied myriad forms of physical therapy and massage, including quite a bit of advanced training in Kauai.  Nothing like a business need to study for three weeks on the garden isle!

One of the biggest pains for PTs is the need for accurate record keeping, especially when needed for audits by insurance companies and other legal proceedings as some of her customers were hurt in accidents that resulted in seeking her care. 

With Open eSignForms, she and her staff are able to record their findings on their Physical Therapy Initial Evaluation form, recording the patient's information, type of injury, current health condition, symptoms, medications and to note how well the patient is able to perform various activities.  They can also create PT Treatment Notes that correspond with insurance billing codes, as well as Progress Notes to record changes in patient's health and functional activities as well as to record impressions and treatment plans. Lastly, they can enter their Discharge Summary Note to track the various activities their patients were seeking treatment for, recording their goal at initial evaluation, and then recording their status at the time of discharge.

With these secure patient records maintained in her own independent system, there is no lost paperwork, access is restricted to authorized personnel, and all records can be reviewed even while traveling on business, or when in Kauai for more training!