[This version is provided by http://www.cyber-rights.org]
Originally was at http://www.dti.gov.uk/cii/elec/conrep.htm
Unique Reference Number: URN 99/891
A report for the DTI
summarising responses to
BUILDING CONFIDENCE IN ELECTRONIC COMMERCE
A CONSULTATION DOCUMENT
INTRODUCTION
1. There were 246 responses. 42 were from individuals and 204 from organisations, including 33 from Police Forces or other law enforcement agencies, 42 from trade associations, and 12 from law firms. The responses were generally relevant and reasoned. Many said that they would have liked more time to respond, and looked forward to future consultation on the details.
2. The Government’s overall objectives, the concept of legal recognition of electronic signatures and writing, and the intention to build confidence in electronic commerce through a legislative framework and other actions, were all widely welcomed.
3. Perhaps the most striking overall feature of the responses was the plea for a ‘light touch’ in any legislation or regulation. There were many calls for the market and the technology to be allowed to evolve, and some for the industry to be allowed to develop self-regulatory or guidance mechanisms.
4. A common general request was that the UK should not ‘go it alone’ vis-à-vis EU or other international initiatives. There was fear that any significant UK-only requirements on industry would lead to a relocation of service providers abroad.
5. Many people repeated the view that the whole issue of lawful access should be decoupled from the measures to build confidence in electronic commerce, and would be better dealt with in a separate Bill, possibly after the forthcoming Home Office review of the Interception of Communications Act 1985 (IOCA). Confidence-building measures were thought to be more urgent, whilst lawful access measures were seen as: (a) likely to cause delay, and (b) having the potential to reduce confidence in the UK as a good place to base an electronic commerce service or business.
6. There was a virtually unanimous welcome from industry and individuals for the removal of the requirement for key escrow as a condition of a licence for the provision of confidentiality services. So strongly was this felt that many went into considerable detail rehearsing why the Government was right to remove it. The view of Police Forces was that some effective form of authorised access to encrypted material is increasingly becoming essential to them.
7. There was approval for the objective of having a ‘technology-neutral’ bill, but doubt about whether the proposals will achieve it, mainly because of the perceived emphasis on a particular business model.
8. There were calls for the Government to go as far and as fast as possible in legislating for the use of electronic writing. The DTI’s parallel consultation on electronic communications to shareholders under the Companies Act was seen as a good example.
9. There were three notable shifts of opinion in the responses, compared to the previous consultation. First, the concept of voluntary licensing of TSPs was questioned. A weighty minority argued that an accreditation scheme would be more appropriate, in some cases stating that it should be largely independent of Government.
10. The second shift of opinion was that many expressed their opposition to the establishment of a rebuttable presumption that a digital signature is valid. They pointed out that the result would be to reverse the current practice on hand-written signatures - to the detriment of individual users and the benefit of merchants and other organisations.
11. The third shift was that there was far less opposition, even from individuals, to the principle of properly authorised lawful access (no doubt because of the dropping of mandatory key escrow). Indeed nearly every organisation which addressed the issue expressed willingness to assist wherever possible, provided they do not have to plan or restrict their business processes in advance on the basis that they must be in a position to do so. There was much comment on detail, a common point being that the most appropriate assistance should generally be to provide law enforcement agencies with access to plaintext rather than a cryptographic key.
12. Paragraphs 13 to 41 cover the main issues in more depth.
INTERNATIONAL CONTEXT
13. There was great emphasis that electronic commerce cannot and should not be limited by national frontiers. A common plea was for the UK to be ‘better, not different’ - for example by means of a light approach to regulation combined with Government encouragement in ‘softer’ areas such as tariff reduction, social inclusiveness, promotion of electronic commerce benefits, etc. There was general approval of the EU draft Electronic Commerce Directive (including specifically the ‘country of origin’ principle), and of the draft Electronic Signatures Directive.
14. Of those who addressed the issue, most approved the UNCITRAL Model Law, particularly the sections on formation of contract including time, date and place. However a few advised caution because they believed it was drafted primarily for an EDI environment rather than electronic commerce.
15. Several internationally-oriented respondents raised the issue of the EU Data Protection Directive’s rules on transfers of personal data outside the European Economic Area. They saw the requirements as a potentially serious barrier to electronic commerce, citing the example of the difficult current negotiations over transfers of personal data to the USA.
16. Those who addressed the topic of export controls wanted more liberalisation, and the licensing process streamlined (not to be limited to products with key recovery or key escrow mechanisms).
LEGAL RECOGNITION OF ELECTRONIC INSTRUMENTS
17. Virtually everyone wanted electronic signatures and electronic writing to be made recognisable in law. On process, most favoured enabling primary legislation followed by secondary legislation on the details after proper notice and consultation. Some called for an ‘opt-out’ approach, by means of a general validity law with a few specific exceptions to it (e.g. transfers of land, wills, etc).
18. On the substance of the required legislation, the following significant comments were made, with particular emphasis on the first two:
- There should be no requirement for an electronic signature where none currently exists for a hand-written one. In other words the flexibility offered by current law should be preserved.
- The proposed rebuttable presumption of validity will unfairly reverse the current evidential situation.
- Consider the advantages of, for example, the Australian law which in effect says that unless the parties agree otherwise no electronic signature is valid unless it was actually made by the purported signatory.
- There should be no distinction between electronic signatures certified by a licensed as opposed to an unlicensed CA.
- The additional property of document integrity offered by some digital signatures (‘advanced electronic signatures’) should be specifically addressed by any new legislation; similarly there were some calls for the current distinctions between signature, witnessed signature, notarised signature, and seal to be addressed.
- Certification of an electronic signature by a CA is only one step in a chain of events involving hardware, software and human processes of many kinds - it is unrealistic to focus entirely on the CA when legislating for the reliability of the final output.
- The state of the technology, and/or its binding to human processes, is currently inadequate to support an assumption that when a person creates a digital signature, they are absolutely agreeing to the exact terms their signature is being electronically associated with.
19. It was agreed that the bill should establish legal recognition of other forms of electronic writing, and most wanted this to be as wide as possible, including in many cases allowing for electronic originals.
OTHER POSSIBLE LEGISLATIVE CHANGES
20. Several respondents urged that fiscal and taxation uncertainties in electronic commerce should be removed, in an internationally harmonised way.
21. There was a strong view that what consumers really need for confidence in electronic commerce is the assurance of redress when things go wrong. Therefore there should be simple and effective dispute resolution mechanisms.
22. There were suggestions that unauthorised misuse of cryptographic keys should be made an offence.
23. ISPs and others called for intermediaries to be given some elements of common carrier status with, for example, immunity for the content of their clients’ websites etc. There were also suggestions that it should be an offence for service providers knowingly to allow their services to be used for criminal purposes.
24. On the question of unsolicited e-mail, or ‘spam’, the majority opinion was to allow the industry to take effective voluntary measures, but that the Government should keep a watching brief and be ready to take legislative action if necessary. However the view that legislation is needed now was very strongly argued by a minority, including some important industry participants. There was also some expectation, particularly by consumers, that provisions under the EU Telecommunications Data Protection Directive against unsolicited calls and faxes would and should also apply to unsolicited e-mail. There was little enthusiasm for a labelling requirement, but opinion was almost equally divided on whether there should be a law against ‘spoofing’ (i.e. the misrepresentation of the origin of e-mail).
25. Some responses urged that consumers are more concerned about ‘second party confidentiality’, i.e. privacy and data protection issues, than the problems of third party confidentiality which predominate in the consultation document. They felt that consumer confidence would be increased by updating data protection law specifically in the electronic commerce context, for example on tracking of website visitors, data-gathering via ‘cookies’, etc.
LICENSING REGIME
26. The theoretical basis of ‘voluntary licensing’ was questioned: there was general agreement that some form of consumer protection is desirable (indeed that it should be the main focus), but accreditation was widely seen as a more appropriate solution. It was assumed that any scheme would be vigorously branded, with a ‘kite-mark’ and much promotion. Many called for some form of built-in consumer redress mechanism, and a surprising number referred specifically to the ABTA bond as a good model. Subject to the scheme being strongly branded, there was a general welcome (with a few exceptions) for the Government’s acceptance that an organisation can offer both licensed and unlicensed services.
27. Many responses wanted industry leadership in the management of the scheme, and in developing its codes of practice, but most seemed to accept the need for some sort of overriding Government sponsorship (at least initially). The nomination of OFTEL as regulator was questioned by some: they suggested that it would require a considerable transfer of new skills. Respondents who are already regulated pleaded for a co-ordinated and coherent approach.
28. There was some concern that the licensing regime and criteria were unduly biased towards a particular business model involving consumers with general-purpose certificates. Other models put forward included open business-to-business transactions, closed groups (of businesses, consumers, or both, with or without intermediaries such as banks, brokers, insurers, shippers, etc), business-to-government, and citizen-to-government. There was little response on the detailed question of how such models should fit into the proposed licensing regime, other than to emphasise the need for generality rather than model-specific provisions.
29. Opinion was divided on the liability of a licensed/accredited service provider. Whilst many calls from lawyers and industry were for no Government action at all, or for any liability rules to be overridable by contract (‘party autonomy’), these were balanced by consumer and academic requests for a statutory compensation level for consumers. In addition to these contractual issues, several respondents pointed out the need for liability in tort to be established, with an explicit duty of care on service providers to third parties reasonably relying on their certificates etc. Among the difficulties foreseen with a statutory liability regime was whether the limit would be per transaction or per certificate: if the former, insurance for service providers would be difficult, with one certificate possibly being used for hundreds of transactions; if the latter, innocent parties to hundreds of transactions could have to share the statutory amount.
30. There was a clear (though not quite unanimous) consensus that any liability regime should not distinguish between licensed and unlicensed service providers.
31. There was a particularly sharp division on whether there should be a duty of care on users to safeguard their private keys. Some regarded it as straightforwardly analogous to the contractual obligation to keep a bank card PIN confidential, while others dismissed the idea in strong terms as unrealistic and bad for consumer confidence.
32. The issue of technology-neutrality was seen as crucial. The need was for the accreditation/licensing regime and criteria to be high-level and flexible, so as not to become obsolete or require constant updating to reflect changing technology and market-driven service developments. Similarly, many called for more explicit flexibility for providers to offer several levels of service, with varying conditions and liability etc.
33. Many responses argued that it is simply too late to try to enforce a rigid demarcation between key-pairs used for authentication and for confidentiality. They acknowledged the major differences between the two functions, but felt that the use of the same key-pair for both has, perhaps unfortunately, become widely accepted in practice.
34. Several respondents objected quite strongly to key generation by a CA, as unlikely to provide enough safeguards against a copy of a private key being kept or leaked. These respondents wanted all key generation processes to be in the user’s domain and/or under the user’s sole control.
LAW ENFORCEMENT INTERESTS
35. Police forces were unanimous that the actual or potential use of encryption by criminals and suspects represents a serious threat to them and to society. Some asked for mandatory key escrow explicitly, but most simply said they need an effective solution and thought that PACE (the Police and Criminal Evidence Act 1984) did not presently provide sufficient powers in respect of encrypted material. Many acknowledged the need for a code of practice or guidelines to ensure operational acceptability, and endorsed a co-operative approach with industry.
36. Other respondents, while generally accepting the principle that the police should be able to overcome the use of encryption by criminals etc, questioned the urgency of the requirement. Some suggested that PACE already works to enable a solution in most cases involving stored data, and that issues on interception of communications should await the review of IOCA and progress on the EU’s Enfopol discussions.
37. Some authoritative responses doubted whether there is any technical solution available to the requirement for covert real-time interception of encrypted communications.
38. Of the following reservations on the detailed lawful access proposals in the consultation document, the first was particularly common:
- It should be rare for law enforcement to need or get cryptographic keys: plaintext should be their normal goal, and the choice should not be solely that of the police officer concerned.
- Where access to a cryptographic key is needed for some reason, it should normally be a session key rather than a ‘master’ key.
- A judicial warrant should be required in all cases.
- There should be independent oversight of a code of practice and complaints mechanism.
- Great care will be needed to draft and operate legislation compatible with the ECHR. In particular there were doubts over how the ‘no self-incrimination’ principle can be upheld in all cases.
39. With some important exceptions, the need for the ‘tipping off’ offence was accepted, though there were concerns that it could be too widely drawn. In any event most felt strongly that notifying a user should be permissible (even necessary, if a key has been disclosed) as soon as any relevant investigation is finished.
THE PARTNERSHIP APPROACH
40. There was a striking general willingness to help find acceptable solutions to law enforcement needs, and to co-operate in whatever forum could best explore the modalities. However, few were prepared to speculate on what detailed proposals or solutions would emerge from such a forum. There was a call for complete openness from all sides in establishing the requirements.
41. Several responses (from industry, the police, and academia) suggested the establishment of an institute to be called something like the ‘National Centre for Forensic Cryptography’. It would research and advise on technical, operational and legal aspects of this issue, and offer practical day-to-day operational assistance to the law enforcement agencies and those who co-operate with them.
April 1999
Annex
BUILDING CONFIDENCE IN
ELECTRONIC COMMERCE
A CONSULTATION DOCUMENT
Notes on responses to specific questions
INTRODUCTION
The UK Government's consultation document 'Building Confidence in Electronic Commerce' received 248 responses from a wide range of organisations. The consultation document requested views on a number of topics such as legal recognition of electronic instruments, specific legislative changes, law enforcement issues and licensing criteria. The 246 responses addressed many, if not all, of these topics, resulting in some 4000 plus comments. Many of the responses provided detailed comments on a number of key issues and concerns. The attached tables provide a summary of some of the key points that were made in response to the specific questions posed in the consultation document. It should be noted that the attached represents a summary and not a definitive analysis of everything that was raised in the 4000 comments received. Every effort has been made to address the comments raised in a fair and even-handed manner, giving equal balance to divergent views and/or differences of opinion.
LEGAL RECOGNITION OF ELECTRONIC INSTRUMENTS
Electronic Signatures and Electronic Writing
The Government would welcome views on the appropriate means of ensuring legal recognition of electronic signatures and writing (para. 18). Two options were given:
- Update statutory requirements for signatures and writing individually, in primary legislation.
- Take powers in primary legislation to enable the Government to amend legislation, by statutory instrument, on a case by case basis to facilitate legal recognition of electronic signatures and writing.
Key points made:
- Many stated that there was an urgent need for some sort of legal recognition and whatever the UK government might do in this area it must be in line with what is being done elsewhere, e.g. other legislation in Europe compatible with the European Directive. Equally what the UK does needs to be in line with initiatives in other countries, e.g. in Australia.
- Option 2 seemed to be overwhelmingly favoured.
- It was thought that legislation should generally apply to all uses of 'electronic signatures and writing' with a few defined exceptions, e.g. wills, land transfers.
- If it is technology neutral then the legislation should allow for all forms of 'electronic signatures and writing', not just digital signatures.
- On the issue of rebuttable presumption as outlined in para. 19, the consultation paper does not seem to be compatible with the situation today and some strongly argued that it in fact reversed today's situation. Most of those said that this situation was not acceptable.
- There should not be a need to insist on an 'electronic signature' being used just because the transaction is carried out electronically.
- There is a need to recognise the equivalence for all 'electronic signatures and writing' whether or not from a licensed Certification Authority (CA).
Summary: Without doubt there is a need to provide some form of legal recognition of electronic signatures to support the UK's drive towards electronic commerce. However, there is a need to make sure that any measures for legal recognition take account of other initiatives such as those being driven by the European Union and UNCITRAL work. The main policy issue to be resolved is that of the rebuttable presumption.
OTHER POSSIBLE LEGISLATIVE CHANGES TO PROMOTE ELECTRONIC COMMERCE
The Government is also seeking views, subject to the constraints set out in this section, on whether there are other significant changes that should be made through UK primary legislation to promote the development of electronic commerce (para. 23).
Key points made:
- Lack of clarity on taxation creating a barrier - taxation issues for electronic commerce need to be addressed.
- Dispute resolution process - needs to be simplified and unified to take account of consumer redress. To create an environment of confidence and realistic expectation, terms and conditions concerning customer redress should be readily available and unambiguous.
- Protection of consumer interests is vital to the success of building confidence in electronic commerce - this could be done by embracing the principles of mutual recognition and country of origin of laws.
- It should be a criminal offence to steal, or make unauthorised use of, someone's private or secret key.
- OFTEL should be given the objective to reduce tariffs for internet access.
- Consideration needs to be given to the effect of the Data Protection Act on trans-border flow of personal data, especially with regard to the EU Directive and national interpretations of this Directive. In addition there may need to be a simplification of procedures governing the protection of personal data.
- In response to the request for suggestions in para. 24 regarding timing, most indicated a need for a longer time period for legislation and on-going consultation.
The Government would welcome views on whether any of the provisions of the UNCITRAL Model Law on Electronic Commerce (other than those on signatures and writing) should be implemented by UK primary legislation (para. 25).
Key points made:
- In general most of those who answered this question thought that the Model Law was applicable in part.
- Most thought that Article 5 of the UNCITRAL Model Law relating to the legal recognition of data messages should be included in the UK primary legislation.
- Most thought that Article 11 of the Model Law should be addressed, especially resolving issues relating to the jurisdiction applicable to an electronic contract and its formation.
- Care should be taken on what from the Model Law is adopted since a number of the Articles are written specifically with EDI in mind.
- Many stated that whatever the UK does as regards legislation and the UNCITRAL Model should be compatible and consistent with the EU Directive.
- Some suggested the incorporation by reference of terms and conditions of service rather than, e.g., the necessity for explicit inclusion of terms and conditions in certificates.
Summary: UK legislation should adopt the best from the UNCITRAL Model Law and the relevant EU Directive(s).
The Government would welcome views on whether the industry solutions being developed to combat spam are likely to be effective. Or should the Government take further steps to regulate the use of spam? (para. 31).
Key points made:
- Some expressed the view that 'spamming' was not a serious enough problem to merit legislation and some expressed the view that 'spamming' was difficult to legislate on.
- A small minority expressed a strong view that there should be legislation on 'spamming'.
- The consensus opinion seemed to suggest that the problem of 'spamming' should be left to industry to resolve and for government to keep a watching brief on the effectiveness of the measures taken by industry.
- There was a body of opinion that suggested that the issue of junk email should be treated in the same way that junk faxes are treated, i.e. under the Telecommunications Directive.
- It was noted that most 'spam' originates from the US.
- There was little enthusiasm for labelling.
- Opinion was equally divided regarding the need for legislation to cover 'spoofing'.
Summary: There exists a strong case for the market to determine how to deploy technologies and methods to tackle the issue of 'spamming'. However, there is a need to recognise that some legal recourse could be required to address persistent offenders and the government needs to keep a watching brief on industry's progress on this issue.
The Government would like to start a debate on whether any changes are needed to existing legislation to allow such intermediaries to prosper and would welcome views (para. 32).
Key points made:
- Such legislation would be wholly inappropriate - such action could result in establishing restrictive trade practices.
- Intermediaries should not be held liable for the actions of their customers - intermediaries were mere conduits. For example, many argued for common carrier status for ISPs.
- It should be an offence for an intermediary, e.g. an ISP, knowingly to allow their services to be used for criminal purposes.
- The government could play a key role in promoting best practice guidelines to advise and generally assist consumers and business users.
Summary: Legislation is generally inappropriate but government should play a key role in promoting best practice.
LICENSING REGIME FOR TRUST SERVICE PROVIDERS (i.e. PROVIDERS OF CRYPTOGRAPHY SERVICES)
The DTI’s initial thinking on the licensing conditions is set out in Annex A, and we would especially welcome views on this annex (para. 34).
Key points made:
- The conditions in the Annex included things that are clearly related to key escrow and therefore these conditions should be reviewed and appropriately modified.
- Many viewed the whole proposal as more relevant to an accreditation scheme than a licensing scheme.
- The principle of technology neutrality did not fully apply to these conditions, e.g. there is a bias towards PKI technology and specific certificate providers.
- The whole scheme should be international in nature. Service providers may want to be accredited/licensed under various different registration schemes.
Summary: There are two major policy issues:
- accreditation versus voluntary licensing
- Government regulation versus self-regulation.
We would welcome comments on the 'Illustrative examples of cryptography services' given in the box in paragraph 38. We recognise that various organisations are considering different business models for providing cryptography services to the public and would welcome views on how they should fit into the licensing regime (para. 38).
Key points made:
- A single business model is assumed throughout the document - consumer-to-business or consumer-to-government transactions. Some said that for other models, e.g. closed group of businesses or users, licensing is not generally appropriate.
- The examples given are not technology neutral and would be OK for secondary legislation but not for primary legislation.
- Some thought that it would not be helpful for Government to attempt to consider specific business models when the remit they should be addressing is the overall framework under which trust schemes will operate.
Summary: The overriding view was that any legislation should be business model independent and any scheme should be flexible enough to cater for any possible evolving models.
The Government would therefore welcome views on how best to distinguish between the provision of licensed and unlicensed services in order to protect the consumer (para. 39).
Key points made:
- Any scheme should use mechanisms such as branding, logos and kite marks for licensed services.
- The majority expressed rejection of the 'all or nothing rule'.
- Some thought it should be an offence to misuse the logo or kite mark.
- Most thought that if OFTEL was the licensing authority it would need a considerable increase in resource and appropriate skills if it is to perform this new role effectively and therefore facilitate the growth of electronic commerce.
Summary: The major point to be concluded is the rejection of the 'all or nothing rule'.
The Government recognises that the issue of liability is a key concern of industry and would particularly welcome views on the issues set out in this section. Some general questions are:
- Is there a need for specific legislation?
- To what extent should liability be prescribed by legislation?
- Should legislation impose specific requirements to state the liability regime in contracts and on certificates, and other instruments which third parties might reasonably rely on?
- What minimum level of liability should be taken on by all providers of cryptography services, regardless of whether they are licensed or not? (para. 42).
The Government would welcome views on what level of liability, if any, should be borne by an unlicensed Certification Authority. What liability regime should apply in respect of licensed providers of cryptography services? (para. 43). The Government would welcome views on this approach, how the limit should be set, or suggestions for alternative approaches. Also should a specific "duty of care" be imposed on holders of private signature keys (e.g. to keep their private key secure, to notify a Certification Authority within so many hours of realising it has been compromised etc.)? Are there any other liability issues concerning cryptography services which need to be addressed in legislation? (para. 45).
Key points made:
- About 50% of those that responded said the liability issue should be left to the market to decide and was not a suitable subject for specific legislation:
  - Setting liability through legislation would restrict the range of services the market could offer.
  - Setting a minimum level could be a problem for low value/grade certificates and setting an unrealistic maximum level will limit the potential for ultra high-grade certificates.
  - Any rules on liability are in reality artificial and it would in general be difficult to interpret such rules given the range of business/consumer contexts in which certificates might be used, e.g. one-time transactions, multiple transactions and so on.
- There was a strong plea from industry that any statutory licensing regime should be capable of being overridden by specific contract, especially in business-to-business transactions.
- There was no clear consensus on the extent of liability - those that did respond provided a wide variation in the levels of liability: from zero in one instance up to £500,000 in another.
- On the specific issue of stating liability on certificates many felt that incorporation by reference was a good option.
- Liability should apply equally to both licensed and non-licensed providers without differentiation.
- Liability is an issue that should extend to a third party relying on certificates. There should be a specific duty of care on licensed and non-licensed certificate issuers towards any third party reasonably relying on such certificates.
- There was a sharp division on whether there should be a duty of care on users to safeguard their private keys. Some thought it was analogous to the contractual obligation of safeguarding a PIN while others dismissed the idea as being unreasonable and bad for consumer confidence.
- There should be some liability provisions in legislation governing the misuse of any information obtained by law enforcement agencies.
|
Summary |
The liability issue produced
the most widely diverging responses in this whole consultation exercise,
as the points above indicate. |
LAW ENFORCEMENT INTERESTS IN CRYPTOGRAPHY
The
Government would welcome views on its proposals for lawful access to encryption
keys (para. 79). |
Key points made |
There was a general opinion that LEAs
should be given reasonable assistance (subject to proper authorisation)
to carry out law enforcement investigations.
There was almost universal welcome from
the public and industry for the exclusion of any mandatory requirement for
key escrow.
It was generally felt that a more appropriate
form of assistance was access to plaintext rather than access to cryptographic
keys. Some felt that access to keys might well give access to information
far beyond that which is covered by the proper authorisation. Access to keys
for law enforcement purposes could also result in the subsequent need to revoke
the keys, with the expense of other key management overheads. What was generally
acknowledged was the need for LEAs to fight crime and to have access to the
plaintext.
Most thought that one should be able to
'tip off' a suspect after the investigation was completed.
Responses from police forces, and law
enforcement agencies, were virtually unanimous regarding the problem of
criminals using encryption. They felt that they needed special powers and
assistance in dealing with this problem.
It was strongly felt that the requirements
for law enforcement related to electronic commerce should be addressed
in separate legislation.
Many responses differentiated between
lawful access to stored data and intercepted communications. Many also
recognised that existing measures for these two aspects were governed by
different pieces of legislation.
Further consideration of the lawful access
and lawful interception issues should take account of:
the forthcoming review of IOCA
the legal position on self-incrimination under
the European Convention on Human Rights (ECHR)
EU Directive development on lawful interception
|
Summary |
There was a wide appreciation
of the issues surrounding the process of carrying out lawful interception
and the extra burden and problems that the use of encryption places on
police investigations.
There was an overwhelming view that
LEAs should be given assistance in dealing with these problems and that
government and industry should work together wherever possible to tackle
the problems brought about by the use of technology in this context.
There was a clear steer that whilst
appreciating the problems that LEAs face, future legislation relating to
electronic commerce should not be hampered by difficult LEA issues. |
THE PARTNERSHIP APPROACH: MEETING THE NEEDS OF
LAW ENFORCEMENT AND INDUSTRY
The
Government would welcome ideas on how its law enforcement and electronic
commerce objectives might be promoted via the licensing scheme or otherwise
(para. 84).
The Government would welcome views
from industry on the extent to which the needs of law enforcement agencies
can be met by existing and forthcoming developments in encryption and communications
technologies (para. 90). |
Key points made |
Everyone expressed complete willingness
to co-operate in helping the law enforcement agencies in dealing with the
encryption problem.
A surprising number of responses
suggested that there should be some form of 'national
centre for forensic cryptography'. This notion came from industry, academia
and some police forces.
|
Summary |
Greater co-operation and
partnership between government and industry is needed together with some
form of national centre. |
LICENSING CRITERIA
We
invite views on these criteria, and would also welcome views as to the
level at which the standards should be set for each of them or how they
should be assessed (para. Annex A).
(I) General Licensing Criteria |
Key points made |
The criteria need to be more objective
with respect to the requirement that the owners and directors should be
'fit and proper people'.
A check needs to be made regarding the
laws and regulations in Europe that may apply to the requirement to have
a registered office in the UK.
Vetting of employees may be difficult
under the new Data Protection Act. For example, it is not currently possible
for commercial organisations to inspect employees' criminal records, let
alone those of contractors.
The vetting of contractors and third-party
suppliers needs to be considered.
Capital adequacy is crucial to the financial
viability of an organisation.
There may be a trade-off between the openness
of a licensing scheme and the need to present a business plan.
The business model behind the set of criteria
was too restrictive.
Some thought that the adoption of ISO
9000 and BS 7799 was a good idea commensurate with how these standards
were being used by other countries, e.g. Australia, for CA/PKI management.
On the other hand some had reservations about the management overhead using
these standards if not used appropriately.
There should be a certification practice
statement for a CA and the scheme needs to encourage standardised practice
statements. Some suggested that this should be in line with the work going
on in Europe related to the EU Directive and European standardisation.
There were several views on the liability
issue but the main one suggested that this could be handled by insurance.
Many people had extreme difficulty with
the concept of key generation being carried out by a CA unless there was
some guarantee that a copy of the private key was not being kept by the
CA.
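The concern above, that a CA which generates subscriber keys may keep a copy of the private key, is normally met by having the subscriber generate the key pair and hand the CA only a certificate signing request (CSR). The Go program below is an added illustration of that flow; it is not part of the consultation report or of any licensing scheme it describes, and the CA name, subscriber name, validity periods and the choice of ECDSA P-256 are assumptions made for the example. The CA code path receives nothing but the CSR, so it can only ever see the public key, and it refuses a CSR whose proof-of-possession signature does not verify, which is what stops a requester being certified as the holder of someone else's public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Subscriber side: the key pair is generated locally and never leaves the
// subscriber; only the CSR (public key + proof-of-possession signature) is sent.
func makeCSR(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// CA side: holds only the CA's own signing key; no subscriber private key ever
// reaches it, so there is no copy for the CA to retain.
type CA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{cert: cert, key: key}, err
}

// Issue certifies the public key in the CSR after checking its proof-of-possession
// signature; without that check anyone could be certified over another party's key.
func (ca *CA) Issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	// Serial numbers must be unique per CA; a 128-bit random value is the usual choice.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// Relying-party side: accept the certificate only if it chains to the expected
// CA root; the parsed certificate is returned for inspection.
func verifyChain(certDER []byte, root *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	return cert, nil
}

func main() {
	ca, _ := newCA("Example Licensed CA") // hypothetical names throughout
	key, csr, _ := makeCSR("alice@example.test")
	certDER, err := ca.Issue(csr)
	if err != nil {
		panic(err)
	}
	cert, err := verifyChain(certDER, ca.cert)
	fmt.Println("verified:", err == nil, "; certified key is the subscriber's own:",
		err == nil && key.PublicKey.Equal(cert.PublicKey))
}
```

The checks a practitioner would add around this flow are that the issued certificate carries exactly the public key the subscriber generated, that a CSR with a corrupted proof-of-possession signature is refused, and that the certificate does not verify against a root that did not issue it; the CA can give the guarantee the respondents asked for simply because its code never has the private key to keep.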
|
Summary |
This set of criteria received
more comments than the other three areas in Annex A. Most appreciated that
legislation could support the need for an overall framework for the application
of electronic commerce. However there was a clear steer that specific criteria
about business models and the business context of electronic commerce should
be left to the market to deal with. |
We
invite views on these criteria, and would also welcome views as to the
level at which the standards should be set for each of them or how they
should be assessed (para. Annex A).
(II) Licensing Criteria for Certification
Authorities |
Key points made |
Specific details of the structure and
content of certificates should be left to standardisation.
There should be some flexibility in the
number of levels to allow, e.g. different grades of certificate, different
liabilities.
Any criteria should not be specific about
certificate structure but should focus on the business context.
Minimum criteria for certificates should
be set which allows different grades of assurance to be associated with
certificates for different business contexts and applications.
Revocation of CA licence is also an issue
that will need to be addressed.
Many didn't like the suggestion of using
ITSEC as a basis for technical assurance, on the grounds of cost.
|
Summary |
Most appreciated the need
for these criteria, and various interesting contributions were made on
statements of principle and supporting measures, especially regarding public-key
certificates. |