Frequently Asked Questions about Fax Security

CONNOTECH Experts-conseils Inc.

Updated July 1999


Table of contents

1. Can Confidential Documents be Sent by Fax?
2. Is Fax Subject to White Collar Fraud?
3. What is the Legal Status of a Fax Transmission?
    Fax Delivery Report as Transmission Evidence
    Notification by Fax
    Handwritten Signature Transmitted by Fax
4. Can Payment Orders be Sent by Fax?
References

1. Can Confidential Documents be Sent by Fax?

Fax does not guarantee confidential transmission, in a few respects:

  1. The most frequently expressed concern about fax confidentiality is the handling of incoming fax messages. A mailed document comes in a sealed envelope with the addressee's name on its face. A fax document is printed on a fax machine which is often located in an open office environment and shared between a number of colleagues.

  2. An often overlooked but potentially more damaging source of fax message leakage is typing errors in dialing the destination number. Somebody receiving a random fax which is not addressed to him has no legal obligation to ignore the information contained in the message. When abbreviated diallers are used, typing errors can have even more dramatic consequences. For instance, let's assume a distributor wants to keep its profit margin secret. When sending a purchase order by fax, if the operator inadvertently presses the speed dial button corresponding to the customer's fax number instead of the manufacturer's, sensitive information leaks to the wrong place!

  3. Yet another source of information leakage from fax transmission is industrial espionage ([1], [2], [3]). Although considered a criminal offense in most jurisdictions, fax interception is relatively easy. Reported estimates of the special electronics required to intercept a fax transmission start at $20 ([1]). Law enforcement agencies do purchase relatively sophisticated fax interception equipment ([4]). Fax espionage is less labor intensive than voice conversation interception. The review of a pile of intercepted fax messages is faster than listening to a tape of recorded conversations. In some countries, fax espionage is common, encouraged if not organized by the local governments in order to assist local companies with competitive information ([5], [1]).

These threats should be considered when issuing guidelines on which types of documents can be sent by fax. In practice, the need to accelerate business cycles forces the use of fax for confidential documents that deserve a more secure means of communication.

2. Is Fax Subject to White Collar Fraud?

As business transactions rely more and more on fax as a means to enter into contractual agreements, fax may become the target of white collar fraud. Forgery of a document transmitted by fax is very easy. It can be done by cutting and pasting actual pieces of paper or doing the equivalent operations with a computer, a fax machine, and maybe a scanner input device ([6]). The latest off-the-shelf word processor software can easily merge the bit map image of a scanned signature into any document, authorized or not by the signatory. The printed copy of a document created this way may be distinguishable from an original. But for the receiver of such a document transmitted by conventional fax, there is no way of detecting a fraudulent use of the signature from the received document. To prevent white collar fraud using fax, secure authentication of fax transmission has to be provided by other means or by enhancing conventional fax transmission.

3. What is the Legal Status of a Fax Transmission?

How does a fax message compare to delivery of an original document by certified mail? This question deserves a detailed answer. The endless subtleties of the law of evidence applied to the facsimile are extensively covered in [8]. Another article by a law specialist, [9], covers some rules of evidence and a modern business communications technology, namely EDI. This reference [9] contains a rare acknowledgment of digital signatures by an author of legal doctrine (although with no precedents). We do not pretend to summarize these questions in what follows; we simply describe some of the issues at stake.

Fax Delivery Report as Transmission Evidence

The fax delivery report transmitted by a typical fax machine at the end of a transmission is simply a confirmation that the fax transmission was completed with an acceptable error rate ([7]). Usually, this report includes the called subscriber identification (CSI), the number of pages, the time, and the total duration of the call. Unfortunately, the number which was actually dialed at the outset of the call is not always printed. This information is valuable to track misdirected fax transmissions.

The CSI is a 20-character code that the owner of a fax machine may configure to display the fax number (as recommended) or other identifying information. When a fax machine is moved with an office department or company, the CSI programming should be updated. The CSI is exchanged between the fax machines in the Group 3 facsimile protocol and is usually reported at the caller's machine on a small alphanumeric display.

In summary, a fax delivery report is simply an internal record of business activity with uncertain legal status. Nonetheless, it may assist elementary precautions with respect to fax security.
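
The elementary precaution mentioned above, as an added Python example that is not part of the original FAQ: each delivery report is compared with the number on file for the intended recipient, which catches a wrong speed-dial key and a CSI that does not confirm the destination. The record fields, status names, directory and 555-01xx numbers are constructed for illustration, and matching on trailing digits is an assumption.

```python
import re

CSI_MAX_LEN = 20  # the CSI is a 20-character code
MIN_DIGITS = 7    # assumption: trailing digits that must agree

def digits(text):
    """Reduce a dialed string or a CSI to its digits ('+', spaces, pauses dropped)."""
    return re.sub(r"\D", "", text)

def same_number(a, b):
    """True/False on trailing digits, None if either side has too few digits."""
    a, b = digits(a), digits(b)
    n = min(len(a), len(b))
    if n < MIN_DIGITS:
        return None
    return a[-n:] == b[-n:]

def classify(expected, dialed, csi):
    """Check one delivery report against the intended recipient's number."""
    if len(csi) > CSI_MAX_LEN:
        return "invalid-csi"
    if same_number(expected, dialed) is False:
        return "misdialed"        # wrong number or wrong speed-dial key
    csi_ok = same_number(expected, csi)
    if csi_ok is False:
        return "csi-mismatch"     # e.g. machine moved, CSI never updated
    return "ok" if csi_ok else "csi-unverifiable"  # CSI blank or a name

def audit(directory, reports):
    """Return (index, recipient, status) for every report that is not 'ok'."""
    findings = []
    for i, r in enumerate(reports):
        status = classify(directory[r["to"]], r["dialed"], r["csi"])
        if status != "ok":
            findings.append((i, r["to"], status))
    return findings

# Constructed sample data (fictional 555-01xx numbers).
DIRECTORY = {"manufacturer": "+1 514 555 0123", "customer": "+1 514 555 0199"}
REPORTS = [
    {"to": "manufacturer", "dialed": "9,1-514-555-0123", "csi": "+1 514 555 0123"},
    {"to": "manufacturer", "dialed": "9,1-514-555-0199", "csi": "+1 514 555 0199"},
    {"to": "customer", "dialed": "", "csi": "ACME PURCHASING"},
    {"to": "customer", "dialed": "9,1-514-555-0199", "csi": "+1 514 555 0142"},
]

if __name__ == "__main__":
    print(audit(DIRECTORY, REPORTS))
```

The second report is the speed-dial case from question 1: the dialed number and the CSI agree with each other, so only the comparison with the intended recipient's number reveals the error.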

Notification by Fax

This question is best illustrated by an example. Let's assume a lease contract requires a notification of renewal within a stated time limit. The notifying party sends a fax a few days before the deadline, and double checks the dialed number. If a dispute arises, the judge would typically consider the testimony of the sender's employee to the fact that the fax message was sent and that a fax delivery report was printed by the fax machine. Unless the receiver testifies that the fax machine was diligently attended, and that the message was not received, the notification should be accepted by the judge. Other situations fall in a grey area.

The short answer to this question could be that ultimately, the notification by fax is valid. Given the cost of bringing the proper evidence to a court, it might be useful to rely on a more secure notification method.

Handwritten Signature Transmitted by Fax

A signature appearing on a document transmitted by fax is technically like a photocopied signature. Based on the existing practice in a given context, this signature may be accepted by a judge. For instance, the monetary value of a transaction may indicate whether the signature transmitted by fax is sufficient evidence or not.

4. Can Payment Orders be Sent by Fax?

A payment transaction is a special type of contract because

Other types of business contracts are more neutral and less liquid. For instance, entering into a lease agreement is the exchange of occupancy rights against future payments. The special nature of payment spawns the requirement for strong authenticity protection throughout the payment system. For this reason, fax is not acceptable as a payment mechanism unless secured by appropriate means.

Authenticity protection using unique and secret voucher numbers has been proposed ([10], [11]). This type of procedural security is seldom in line with the current practice in the financial industry, which is based on algorithmic security. The general interpretation of a "security procedure" that is "commercially reasonable" ([12], [13], [14]) is definitely leaning towards computer and communications security.

Payment by authenticated fax transmission was once proposed by CONNOTECH Experts-conseils Inc. This proposal was based on affixing digital signatures to the digitized pages transmitted by a fax machine, using a dedicated fax authentication device ([15], [16]). This device would have implemented a facsimile security protocol that was formalized by CONNOTECH ([17]).

References

[1] Beacon, Michael, Assessing Public Network Security, Telecommunications, North American Edition, Vol. 23, Number 12, December 1989, pp 19-20

[2] Berry, S.L., Faxpionnage: A New Threat Hits Mahogany Row, Management Review, July 1990, pp 58-60

[3] Heffernan, Richard J., And the SPI Survey Says ..., Security Management, October 1991

[4] Godwin, Philip A., and McShea, Matt, Interception and Interpretation of Information from a Subscriber Loop Phone Line, in Proceedings of the IEEE 1992 International Carnahan Conference on Security Technology: Crime Countermeasures, IEEE, 1992, pp 127-131

[5] Barney, Michael G., Analysis and Selection of Communications Security Equipment, Proceedings of the 1993 IEEE International Carnahan Conference on Security Technology: Security Technology, IEEE, October 13-15 1993, pp 208-214

[6] Mahood, Laurie, Fax and Scanners, Letter to CompuServe Magazine, April 1995, p. 4

[7] CCITT Recommendation T.30, Procedures for Document Facsimile Transmission in the General Switched Telephone Network

[8] Me Lambert, Jean, Le télécopieur, un merveilleux cauchamard juridique ou Les aspects juridiques de l'utilisation du télécopieur en droit québécois, ("The fax machine, a marvellous legal nightmare or The legal aspects of fax usage under the Québec law") Cours de perfectionnement du notariat, 1992, no. 2, Chambre des notaires du Québec, SOQUIJ (also published in Spanish in revue internationale du notariat latin)

[9] Nicoll, Christopher, E.D.I. Evidence and the Vienna Convention, Journal of Business Law, January 1995, pp 21-35

[10] Crockett, B., Pay-by-fax Developper Zeros in on First Client (Money Fax), American Banker, vol 157, issue 83, April 30, 1992, page 3

[11] USA patent document 5,265,008, Benton, William M. and Mee, William, Method and System for Electronic Funds Transfer via Facsimile with Image Processing Verification, November 23, 1993 (application no. 718,471, June 20, 1991)

[12] Uniform Commercial Code, UCC Article 4A, sections 4A-201 and 4A-202(b)-(c)

[13] United Nations Commission on International Trade Law, UNCITRAL Model Trade Law on International Credit Transfers, United Nations General Assembly, 47th session, Official documents Supplement 17 (A/47/17), 1992

[14] Geva, Benjamin, The Law of Electronic Funds Transfers, Matthew Bender, New York, 1992 (updated to release 2, October 1994)

[15] Moreau, Thierry, Payment by Authenticated Facsimile Transmission, a Check Replacement Technology for Small and Medium Enterprises (Payment Processing Overview), Unpublished document of CONNOTECH Experts-conseils Inc., Montréal, Qc, Canada, April 1995 (now obsolete)

[16] Moreau, Thierry, Secure payment method using facsimile, US patent 5,590,196, issue date December 31, 1996, filing date October 6, 1994

[17] Moreau, Thierry, Information Technology - Telecommunications and Information Exchange Between Systems - Group 3 Facsimile Security Protocol, A de facto standard of CONNOTECH inc., issue 1.0.2, internal document of CONNOTECH experts-conseils inc., January 1995



CONNOTECH Experts-conseils Inc.
9130 Place de Montgolfier
Montréal, Québec, Canada, H2M 2A1
Tél.: +1-514-385-5691 Fax: +1-514-385-5900