Be careful what you sign

Your mother probably told you not to sign anything before you have fully read it. Are you still cherishing that habit? Do you think you can also keep it up if digital signing becomes commonplace? The answer is that it depends on the data format that you sign.

Whenever you place a legally binding signature it is important that you are fully aware of what you sign. Not just for your own security, but also because others must be able to rely on the signature. No judge or jury is likely to hold you to a digital signature that you made without being conscious of what you signed. But you also have a responsibility to be mindful that you are not being tricked into signing wrong content.

It is really easy to trick you into things. Modern-day computing has brought us many rich formats for nicely formatting our texts, but they all have one deficit: they have something to hide. The only exception is plain text, also known as raw text or ASCII. Formatted documents only show what they want you to see, but that may only be a partial truth.

Let's demonstrate how simple it is to trick you into things. The webpage http://openfortress.nl/demo/iou_dyn.html appears to be a harmless plain HTML page, detailing how much you owe. If it were what you owed me, I bet you would sign it. However! This page incorporates JavaScript to alter its appearance to my liking. On even days, it says that you owe me EUR 10, on odd days it says that you owe me EUR 1000. If you sign for the HTML document, you are formally approving these scripted variations!

The problem is the hidden script [1] and the fact that you only get to see the result of one particular outcome of a script run. Since you are signing for the complete document, the whole document is what you should look at. Source code has nothing to hide.

What, you cannot appreciate the finesses of source code? Ah well, you are not alone. There are more like you, I've heard. So what we are looking for is a form of source code that reads like, or better even, that equals readable text, right? As it happens, there is one such format. It is called plain text or ASCII, and it reads as easily as a webpage. You will have to refrain from layout options such as smallprint and blinking text, but when dealing with formal text that need not bother anyone. Clarity comes first.

If you have a key for digital signing, if it is valuable to you and if ever you use it to sign, better make sure that what you are signing is plain text. And demand nothing more or less form services that ask for your signature.

Footnotes

[1]	For those who are curious about the code, here's how simple it is to print the varying number: <SCRIPT LANGUAGE="JavaScript"> monthday = new Date ().getDate (); if ((monthday % 2) != 1) document.write ('10'); else document.write ('1000'); </SCRIPT>