Insecurity of Signature Images on the Web
Someone recently asked about the security of a signature image on their web page. They wondered if they should remove it, or if there was some way to keep it from being downloaded, or spidered and cached by search engines. While I can understand the desire to give a web page that personal touch, I wouldn't publish an image of my signature. That being said, here's some analysis.
I assume we all agree that there is no reliable way to keep a publicly viewable web image of anything, including a signature, from being viewed, downloaded, cached, reused, etc. If you disagree, consider that you're not really trying to hide it from search engines. You're trying to hide it from people, unscrupulous people specifically. How can you make it public while at the same time hiding it from people with questionable intentions? Anything the browser can render, anyone can save. My web-enabled mind-reading system is not finished yet; is yours?
What is the risk to the signature anyway? Some unscrupulous person might use it to practice forging your signature or, worse, paste it directly onto a document, assuming the image quality is good enough (a typical web image is not). So what? What is that person likely to sign where a bogus signature would not work just as well?
Signatures are not a secret. Very few people actually check the signature on a document; when they do, they rarely compare it to a specimen that is absolutely known to have been produced by the subject; and even if they did, they are not usually handwriting experts.
Signatures are a good example of the audit trail in a security system. They're only scrutinized when something goes wrong.
So, what good is a signature? Signatures are helpful for auditing a transaction. Notarized signatures are even better.
An example:
When you discover that your bank account is overdrawn, you audit the transactions on your account. When you find a number of checks that seem suspicious, you ask the bank for copies, only to discover that you didn't sign the checks: they were forged.
Now what? You compose and send a formal written complaint (which is signed) to the bank challenging the transactions. [Time warp to the courtroom, assuming the perpetrator has been caught.] The judge will not take the bank's word that you didn't sign the checks. You will be required to testify and probably to sign a notarized affidavit stating that you didn't sign the checks. You and the bank present a handwriting expert as a witness in an attempt to foreclose reasonable doubt. The handwriting expert takes samples of your handwriting and the perpetrator's handwriting, compares them to the checks, and is able to state with some certainty that the perpetrator signed the checks. [You can complete the story. Did the defense establish reasonable doubt?]
My point in all this is that a signature is not a secret, just as your bank account number, bank routing number, social security number, driver's license number, date of birth, mother's maiden name, and dog's name are not secrets. They are not authenticators (secret); they're identifiers (not secret). An authenticator proves that the right party took part in a transaction because nobody else could have produced it; an identifier only says who the transaction is supposedly about, and anyone who has seen it can supply it. Attempting to hide a signature will do little good except reduce the universe of people who have seen the real signature (this is my reason for keeping my signature off the web). You could use a fake signature, as someone proposed, but it really won't matter. Any transaction that relies heavily on a signature will typically require notarization, which has its own issues.
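The identifier-versus-authenticator distinction can be made concrete in code. The following is an added example and not part of the original post: it contrasts a "signature" that is just an image (an identifier anyone who has seen it can copy) with an authenticator computed from a secret key over the document itself, here HMAC-SHA256 from Python's standard library. The two check texts, the placeholder image bytes, the hard-coded key and the separator strings are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the original post): a genuine check and
# the check a forger would like honoured instead.
ORIGINAL_CHECK = b"Pay to the order of Acme Plumbing: $120.00"
FORGED_CHECK = b"Pay to the order of Mallory: $9,000.00"

# Stand-in for the scanned signature image pulled off a web page. The bytes are
# a constructed placeholder; any real PNG would behave exactly the same way.
SIGNATURE_IMAGE = b"\x89PNG\r\n\x1a\n<constructed placeholder for a signature scan>"

# Stand-in for something only the account holder knows. Hard-coded so the
# example is deterministic; a real key is generated randomly and kept private.
ACCOUNT_HOLDER_KEY = b"constructed-demo-key-do-not-reuse"

# Trailer separators for the two toy "signed document" formats (constructed).
IMAGE_SEP = b"\n--signature-image--\n"
MAC_SEP = b"\n--mac--\n"


def sign_with_image(document: bytes, image: bytes) -> bytes:
    """Attach a signature image to a document. Nothing binds the image to the text."""
    return document + IMAGE_SEP + image


def verify_image_signature(signed: bytes, specimen: bytes) -> bool:
    """The check a clerk can do: does the attached image match the specimen on file?"""
    _document, sep, image = signed.rpartition(IMAGE_SEP)
    return sep != b"" and image == specimen


def sign_with_key(document: bytes, key: bytes) -> bytes:
    """Attach an authenticator computed over the document with a secret key (HMAC-SHA256)."""
    tag = hmac.new(key, document, hashlib.sha256).digest()
    return document + MAC_SEP + tag


def verify_keyed_signature(signed: bytes, key: bytes) -> bool:
    """Recompute the tag over the document actually presented; compare in constant time."""
    document, sep, tag = signed.rpartition(MAC_SEP)
    if sep == b"":
        return False
    expected = hmac.new(key, document, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def lift_and_paste(signed: bytes, separator: bytes, new_document: bytes) -> bytes:
    """What the forger does: copy the trailing 'signature' off a real document onto another."""
    _document, sep, trailer = signed.rpartition(separator)
    if sep == b"":
        raise ValueError("no signature trailer to lift")
    return new_document + separator + trailer


def demo() -> dict:
    """Run both schemes against the same copy-and-paste forgery; return the verdicts."""
    image_signed = sign_with_image(ORIGINAL_CHECK, SIGNATURE_IMAGE)
    keyed_signed = sign_with_key(ORIGINAL_CHECK, ACCOUNT_HOLDER_KEY)

    image_forgery = lift_and_paste(image_signed, IMAGE_SEP, FORGED_CHECK)
    keyed_forgery = lift_and_paste(keyed_signed, MAC_SEP, FORGED_CHECK)

    return {
        "image_genuine": verify_image_signature(image_signed, SIGNATURE_IMAGE),
        "image_forgery": verify_image_signature(image_forgery, SIGNATURE_IMAGE),
        "keyed_genuine": verify_keyed_signature(keyed_signed, ACCOUNT_HOLDER_KEY),
        "keyed_forgery": verify_keyed_signature(keyed_forgery, ACCOUNT_HOLDER_KEY),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The lifted image pasted onto the forged check still passes the clerk's comparison, because the only thing compared is whether the image looks right, and it is the same image. The keyed tag fails on the forged check because it was computed over the original text, and the forger has no key with which to compute a new one. That is the asymmetry the post describes: publishing the image changes nothing about what a handwritten signature can prove, because it never proved anything on its own.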
Thoughts to ponder:
How many people could publish your signature [social security number, driver's license number, mother's maiden name, etc] on the web?
What keeps them from doing it?
Do you still think these are secrets?
"Three people can keep a secret if two of them are dead."
--Benjamin Franklin
Other interesting reading about signatures:
NOTE: I do not condone this kind of behavior, but it does prove my point.
- geekwisdom's blog


Comments
Protecting signature images
The code is really old and several times I've thought about updating it to use CSS (which also decreases the table size).
Even if you don't use it for image protection, the concept is pretty neat. Jim Sloey
http://justwild.us