The Mark That Belongs to No One
On the Quiet Catastrophe Hiding Inside Every Digital Signature — and the Three-Hundred-Year-Old Rule That Nobody Bothered to State Aloud
Keywords: electronic signatures, attribution, Statute of Frauds, UETA, E-SIGN, pseudonymity, anonymity, blockchain, digital signatures, UCC, enforceability, private law
There is a peculiar species of intellectual failure that consists not in getting the answer wrong but in forgetting to ask the question. For three and a half centuries, the law of signatures has been asking one question with metronomic consistency — whose mark is this? — and for the better part of the last three decades, the scholarship on electronic signatures has been answering a different question entirely: what does the mark look like? The result is a literature that celebrates the extraordinary flexibility of signature form with the breathless enthusiasm of a child discovering that any crayon will do, while neglecting to mention that the crayon must belong to somebody.
A recent article — rigorously doctrinal, methodically constructed, and rather more honest than its predecessors — has taken the trouble to say what should have been said long ago. The thesis is simple enough to state in a single sentence: in American private-law signature doctrine, a signature does not satisfy the signature requirement for enforcement unless it is attributable to an identifiable legal person. That is not a proposal. It is not a reform. It is a description of what the law already requires and has required since the Statute of Frauds was enacted in 1677. The novelty lies not in the rule but in the fact that anyone needed to articulate it at all.
But someone did need to articulate it. And the reason someone needed to articulate it is that the modern literature on electronic signatures has produced a genuinely impressive quantity of analysis on the question of form — what counts as a “symbol,” whether a typed name suffices, whether an email header qualifies, whether a click on a button is a “process” — while systematically underemphasizing the question on which enforceability actually depends: to whom does the mark belong?
I. Five Sources, One Requirement
The article examines the five principal sources of American private-law signature doctrine: the Statute of Frauds, the Uniform Commercial Code, the Restatement (Second) of Contracts, the Electronic Signatures in Global and National Commerce Act (E-SIGN), and the Uniform Electronic Transactions Act (UETA). Each source uses different vocabulary. Each was drafted by a different body, at a different time, for a different purpose. And each, on close textual reading, contains the same structural requirement — that the signature be linked to an identifiable person.
The Statute of Frauds says “signed by the party to be charged.” The UCC says “executed or adopted by a person with present intention.” The Restatement says “as that of the signer.” E-SIGN says “legally attributable to the person to be bound.” The UETA says “the act of the person.” Five formulations. Five vocabularies. One requirement: there must be a person. And the person must be identifiable — not to the public, not necessarily to the counterparty, but to the legal system. Identifiable in the institutional sense: amenable to service of process, subject to the jurisdiction of a court, capable of bearing a judgment.
This is the definition that prior treatments have lacked, and it is the definition that makes the thesis operationally useful rather than merely conceptually tidy. “Identifiable” does not mean “identified on the face of the document.” It does not mean “known to the counterparty at the time of signing.” It does not mean “publicly disclosed.” It means: recoverable, through evidence available to a court — including evidence obtainable through compulsory process — at the time enforcement is sought. The definition is evidentiary, not facial. It is temporally flexible: the question is not whether the signer was identified at signing, but whether the signer is identifiable at enforcement. And it embraces all lawful evidentiary mechanisms, from the testimony of an attesting witness to the audit logs of a computerised onboarding system. The Schwartz and Solove continuum of “identified,” “identifiable,” and “non-identifiable” maps directly onto the analysis, as does Froomkin’s distinction between “traceable” and “untraceable” anonymity. Only the last category — truly non-identifiable, untraceable, beyond the reach of every available legal process — defeats the attribution requirement. Everything else is pseudonymity or privacy, and neither has ever been incompatible with a valid signature.
The convergence is not coincidental, and it is not the product of coordinated drafting. It is the product of a logical constraint that every enforcement regime must satisfy whether or not its drafters articulate it: the legal system can only impose obligations on persons it can identify. A contract without a party to be charged is not an enforceable contract. A negotiable instrument without an identifiable signer is not a negotiable instrument. A deed without an owner is a piece of decorative parchment. The attribution requirement is not one of several requirements that the law imposes on signatures, any one of which might be relaxed for policy reasons. It is the condition without which the entire machinery of formality — evidentiary, cautionary, channeling — becomes an exercise in bureaucratic theatre.
II. The Three-Step Framework
The article proposes a three-step decision procedure for analyzing any disputed signature, whether inscribed with a quill on vellum or generated by a cryptographic algorithm on a distributed ledger. The procedure is descriptive, not prescriptive. It describes what courts are already doing, whether or not they know it.
Step 1: Formal Validity. Is the act a “signature” under applicable law? Does it constitute a symbol, sound, or process executed or adopted with the intent to sign? The law’s answer to this question is — and has always been — maximally permissive. An “X” suffices. A typed name suffices. A rubber stamp suffices. A corporate letterhead on a fax header suffices. An account number entered into a banking terminal suffices. The mark cases of the early American Republic established the outer limit of form flexibility two centuries ago, and the electronic signature statutes have extended it to encompass anything “electronic.” Step 1 is rarely where a disputed signature fails. When it does fail, the failure is typically on the intent prong — not “is this a symbol?” but “did the person intend to sign?”
Step 2: Attribution. Is the signature attributable to a legal person identifiable through evidence available to a court? This is the critical step — the step where the analysis shifts from the properties of the mark to the identity of the person. And this is the step that the existing literature has under-specified. Attribution is not a property of the signing act. It is a property of the evidentiary record available to a court. A signing act that was perfectly identified at the time of signing may nonetheless fail Step 2 if the evidentiary record degrades before enforcement — if witnesses die, logs are deleted, or records are lost. Conversely, a signing act that was entirely unidentified at the time of signing — a pseudonymous blockchain transaction, say — may satisfy Step 2 if the evidentiary record at enforcement permits identification through chain analysis, exchange records, or compulsory process.
Step 3: Consequences. If Steps 1 and 2 are both satisfied, any remaining claim of “anonymity” reduces, on analysis, to pseudonymity or privacy. Neither defeats enforceability. If Step 2 fails — if the signature cannot be attributed to any person identifiable through legal process — then enforcement collapses. There is no “party to be charged.” The signature is form without function.
III. The Aerotek Architecture
If the three-step framework is the skeleton, then the Texas Supreme Court’s 2021 decision in Aerotek, Inc. v. Boyd is the musculature. The article treats Aerotek as the most fully developed judicial operationalization of Step 2 — a burden-shifting framework that transforms the attribution question from an abstract inquiry into a litigation-grade standard.
The facts were unremarkable. Four employees completed an online hiring application that required each to create unique login credentials, enter personal identifying information, and electronically sign an arbitration agreement before the application could be submitted. All four later denied signing. Aerotek produced timestamped audit logs, testimony from a business witness who had helped design the system, and an in-court demonstration showing that the application’s locked business rules made it impossible to submit the application without signing the arbitration agreement.
The Court held that once the proponent demonstrates the efficacy of the system’s security procedures, the burden shifts to the alleged signer to produce evidence — not mere denial — of how the signature could have appeared without the person’s act. Bare sworn denials, even from multiple declarants submitting word-for-word identical declarations, do not create a fact issue. The argument that the system was accessible “from anywhere” does not defeat attribution, because the relevant question is not where the system can be accessed but whether access was restricted to unique credentials held by the person. The argument that the proponent’s witness is not an IT expert does not defeat the prima facie showing, provided the witness is sufficiently familiar with the system’s design and operation.
The article distils this framework into a four-element appellate test. Element one: the proponent must present evidence that the system restricted access through a unique credential not known to the proponent. Element two: the proponent must present evidence that the system recorded the disputed act as performed through that credential. These two elements constitute the minimum prima facie showing. Element three: if the proponent satisfies both, the court may draw a rebuttable inference that the signature was the act of the credential holder. The alleged signer may defeat the inference by producing evidence of credential compromise, system malfunction, unauthorized third-party access, provider error, or delegated access without authority. Element four: the burden that shifts is, at minimum, a production burden — the alleged signer must come forward with some evidence. Whether it extends to a persuasion burden is an open question.
This is the test that the literature has been missing. Not a philosophical proposition about the nature of identity. A litigation standard. Something courts can quote. Something practitioners can design around.
IV. The Email Wars and the Agency Trap
The article applies the framework to a series of decided cases and demonstrates that the three-step structure explains holdings that have confused courts and commentators for years.
The Cunningham/Khoury split on email signatures is the clearest example. One Texas court held that an automatically generated email signature block — the sender’s name appended by the email client without any per-message act — did not constitute a signature under the UETA because it lacked “present intention.” Another Texas court, and a federal court, disagreed: the initial act of configuring the signature block suffices. The split has generated substantial commentary, most of it devoted to debating which court got the intent question right.
The article points out what the commentary has missed: both courts agree on Step 2. Both courts assume that the signature must be attributable to the person against whom enforcement is sought. The entire disagreement is about Step 1’s intent prong — whether “present intention” requires a per-message act or encompasses a standing configuration. The attribution requirement is uncontested on both sides. The split strengthens rather than weakens the thesis, because it demonstrates that even courts that disagree on everything else agree on the one thing that matters: there must be a person.
The St. John’s Holdings decision illustrates the complementary failure mode. The Massachusetts Land Court held that text messages could constitute a writing for Statute of Frauds purposes and that the sender’s name could satisfy the signature requirement. But the court denied enforcement because the texts were sent by a real estate broker who lacked authority to bind the seller. The holding is a Step 2 attribution failure — not a failure of form, not a failure of intent, but a failure of the attribution chain at the agency link. The broker’s signature was attributable to the broker, but not to the seller. Attribution to the wrong person is attribution failure for enforcement purposes, precisely as the UCC’s unauthorized-signature mechanism of § 3-403 would predict.
V. The Digital Mirage
The article’s treatment of digital and cryptographic signature systems is both the most technically ambitious and the most practically important section. The key insight is that the sophistication of the cryptographic technology is irrelevant to the attribution analysis. A 4096-bit RSA key pair with a self-signed certificate is, from the standpoint of the five sources, legally identical to an illiterate farmer’s “X” with no witnesses. Both are marks that cannot, without additional evidence, be linked to any identified person. The cryptographic strength protects the integrity of the record. It does not answer the question of whose record it is.
Digital signature systems are arranged along an attribution spectrum. At one end is the PKI/CA model — the institutional gold standard — where a certificate authority verifies the subscriber’s identity before issuing a certificate that links the public key to the verified person. At the other end is the truly anonymous key pair, generated without identity verification and unlinked to any person through any available process. Between the endpoints lie intermediate cases: self-generated keys that may become attributable through extrinsic evidence; blockchain addresses that function as pseudonyms recoverable through exchange records or chain analysis; and direct party-to-party key exchanges where attribution rests on the encounter itself.
The blockchain discussion is where the article earns its keep. The claim that blockchain transactions are “anonymous” is, in the vast majority of cases, a misdescription. A blockchain address is a persistent identifier linked to a traceable chain of transactions — functionally identical to a common-law pseudonym. The article identifies four evidentiary conditions that determine whether blockchain attribution succeeds or fails in civil litigation: evidence exists and is compellable through domestic process; evidence exists but is held offshore and beyond compulsory process; evidence exists but is too inferential without corroboration; and evidence has been destroyed or has expired. These are not blockchain-specific conditions. They describe the general structure of evidentiary failure at Step 2 regardless of the underlying technology.
VI. Three Errors That Keep Recurring
The persistent conflation of anonymity with pseudonymity and privacy produces three recurring error patterns, each with the same structure: an actor uses a pseudonym or a privacy-protective mechanism; a court or commentator describes the actor as “anonymous”; a legal conclusion about enforceability is drawn from the characterization; and the conclusion is wrong because the actor is in fact identifiable through legal process.
The first error treats pseudonymous signatures as unenforceable — as though the signer’s “real name” must appear on the document. This is wrong under the common law, which has always permitted pseudonymous contracting, and wrong under every electronic signature statute, which defines signature by intent and process, not by the content of the mark.
The second error conflates privacy-protective mechanisms with anonymity. An actor who communicates through encrypted channels or transacts through a VPN is described as “anonymous” when the actor is merely private — identifiable through compulsory process directed at an intermediary but not visible to the casual observer. Privacy is fully compatible with signature doctrine. The error lies in treating reduced public visibility as reduced legal identifiability.
The third error treats transactions through “anonymous” digital systems as categorical legal black holes — as though the use of a particular technology determines the enforceability of the transaction. The analysis must be case-specific. The correct conclusion is never “blockchain transactions are unenforceable” or “blockchain transactions are enforceable.” It is: this particular signature is or is not attributable to this particular person through available evidence.
VII. The Hard Cases
The article does not pretend that the framework dissolves every difficulty. It identifies five categories of dispute in which Step 2 encounters genuine evidentiary stress: shared credentials, where the evidence establishes that someone with access acted but not which person; compromised devices, where the credential holder’s system was used without the holder’s knowledge; corporate authority, where the electronic act must be traced through two links — person to act, and person to principal; cross-border evidentiary failure, where the attribution evidence exists in theory but is held in a jurisdiction beyond compulsory process; and heightened-formality carveouts, where the legislature has determined that general electronic attribution is insufficient.
Each category receives a worked application of the Aerotek framework. The shared-credential case requires the proponent to produce additional identity-linking evidence beyond credential uniqueness. The compromised-device case requires the alleged signer to produce forensic evidence of specific compromise — not speculation about hypothetical failure. The corporate-authority case requires application of the three-step framework at each link of the attribution chain separately, using agency doctrine at the second link. The cross-border case exposes the asymmetric operation of evidence unavailability: the proponent who cannot produce offshore evidence fails the prima facie showing, while the alleged signer who cannot access the proponent’s offshore system may invoke spoliation doctrines.
The framework does not make hard cases easy. It makes them legible.
VIII. What This Means
The contribution of this article is, in one sense, embarrassingly simple. It names a requirement that has been operating inside signature law since the first illiterate farmer pressed a mark into a deed under the watchful eyes of attesting witnesses. The witnesses were there because the mark, standing alone, was meaningless. They supplied what the mark could not: a link between the act and the person.
The Statute of Frauds deserves particular attention here, because its treatment in the article transforms it from a mere writing requirement into a comprehensive attribution framework. The phrase “party to be charged” — three words that have been glossed by courts for centuries without being subjected to the close textual analysis they deserve — is, on this reading, an attribution requirement stated as a noun phrase. “Party” is a legal person. “To be charged” identifies that person as the target of enforcement. The entire phrase presupposes a person who can be identified, served, summoned, and subjected to judgment. Remove any of these elements and the phrase becomes incoherent. There is no “party to be charged” if the party cannot be identified. Perillo’s canonical account of the three functions of legal formalities — evidentiary, cautionary, channeling — confirms the point. Each function presupposes a person: evidence of terms without evidence of assent is not evidence of a contract; caution directed at no one is not caution; a channeling mechanism that does not distinguish the bound from the unbound state of a specific person does not channel. The Statute’s exceptions — part performance, judicial admission, the merchant confirmation rule — reinforce rather than undermine the thesis. Each exception relaxes the formal requirement of a signed writing while preserving the functional requirement of an identifiable person. Part performance identifies the parties through their conduct. Judicial admission identifies them through courtroom acknowledgment. The merchant confirmation rule operates entirely through identified commercial actors. The attribution requirement is the invariant; only the formal means of satisfying it varies.
The UCC’s treatment of unauthorized and representative signatures provides perhaps the most elegant doctrinal confirmation. Section 3-403 provides that an unauthorized signature is “ineffective except as the signature of the unauthorized signer.” The system does not treat the unauthorized signature as no signature at all. It treats it as the signature of the wrong person — the person who actually made the mark. Attribution is corrected, not eliminated. The forger becomes liable because the system will not tolerate a signature without a person. Ratification completes the cycle: the person on whose behalf the unauthorized signature was made may adopt it, reassigning the attribution back to the principal. At no point does the system contemplate a signature that belongs to no one. The negotiable instrument system depends on continuous attribution — the ability of every holder to identify the person liable on the instrument at every point in its life. If attribution could be suspended, the instrument would be worthless during the suspension. Section 3-403 prevents this by ensuring that the signature is always someone’s.
That link is the attribution requirement. It is not a modern gloss on an ancient practice. It is the ancient practice. It appears in the Statute of Frauds’ “party to be charged.” It appears in the UCC’s “executed or adopted by a person.” It appears in E-SIGN’s “legally attributable to the person to be bound.” It appears in the UETA’s “the act of the person.” It appears in the Restatement’s “as that of the signer.” It appears wherever the law of signatures is applied, in whatever vocabulary the applicable source happens to use.
The electronic signature statutes did not create the requirement. They made it visible. In the world of paper and ink, the requirement was satisfied incidentally — most paper signers are present and identified. In the world of faceless electronic transactions, the requirement must be satisfied deliberately, through security procedures, audit trails, identity verification records, and the evidentiary infrastructure that surrounds the electronic act. The requirement is the same. The difficulty is new.
A signature may take any form — an “X,” a typed name, a cryptographic hash, a click on a button, a biometric scan, a deposit account number, a fax header, an email “from” field. The law has never cared about the form. But it has always cared about the person. A signature without a person is not a defective signature. It is not a signature at all. The word “signature” is, at bottom, a relational term: it denotes a mark by someone, of someone, attributable to someone. Remove the someone, and the mark is noise.
A signature may be anything. But it must be someone’s.