[This version is provided by http://www.cyber-rights.org]
This was originally at
PROMOTING ELECTRONIC COMMERCE
Consultation on Draft Legislation and the Government’s Response to the Trade and Industry Committee’s Report
Presented to Parliament by the
Secretary of State for Trade and Industry
by Command of Her Majesty
Part I The Consultation Document and the Government’s Response to the Trade and Industry Committee’s Report
The Draft Electronic Communications Bill
3. The summary is available at www.dti.gov.uk/cii/elec/conrep.htm
Copies of the responses themselves are available for viewing by appointment at the DTI Library, Lower Ground Floor, 1 Victoria Street, London SW1H 0ET. Please telephone William LeSadd on 020 7215 6699 for further details. Some respondents have also made their contributions available electronically on the world wide web.
Department of Trade and Industry
Room 220, 151 Buckingham Palace Road
London SW1W 9SS
Response to the Trade and Industry Committee’s
Paragraph 7 The Government’s proposals to facilitate trust in electronic commerce must not interfere with existing, and often long-standing, electronic commerce relationships.
Paragraph 8 The Government’s proposals are tied, perhaps unduly, to the creation of a regulatory regime based on one particular technology - public-key cryptography - and a specific market model, which, although they could be considered attractive at present, may not be optimal bases for electronic commerce carried out over the internet in the future.
A good example of the above is the leading role the UK has taken in both EU and OECD discussions on cryptography. On the former the DTI helped ensure a compromise was reached which balanced the important security requirements relating to the generation of electronic signatures with the need to encourage an open and flexible market. In the OECD the DTI is working to establish a framework which recognises the importance of global compatibility between national and regional initiatives on authentication. The UK is one of the key players in forming the international agenda, particularly within Europe and has developed models such as for dealing with illegal content on the internet that have been adopted around the world.
The draft Bill is an important part of the Government’s policy to create in the UK the best environment worldwide in which to trade electronically by 2002. Overall the draft Bill builds on the draft EU Electronic Signatures Directive, is consistent with the 1997 OECD Cryptography Guidelines and goes some way towards implementing the provisions (e.g. Article 5) of the UNCITRAL Model Law on Electronic Commerce.
Paragraph 34 Notwithstanding legitimate reasons for delay, we are concerned at the time it has taken the present Government to establish and implement a cryptography policy. It is our perception that inadequate political control has been exercised over the development and determination of cryptography policy. The policy agenda has been allowed to drift for too long. It is imperative that Ministers take a firm grip of the issues from now on.
Nevertheless, the Government has not been slow to rise to the challenge. The UK has played a leading role in the debate. The UK was the first country in Europe to recognise the need to deal with both authentication and confidentiality issues in a single framework, because the same technology underpins both kinds of service. Policy on cryptography and e-commerce more broadly has been driven at the highest levels politically. The Government rejects the Committee’s suggestion that inadequate political control has been exercised over the development and determination of cryptographic policy:
- The Government’s cryptography policy was launched within a year of the General Election by Barbara Roche in April 1998 when she announced the Government’s intention to pursue a more liberal policy than the previous administration, by rejecting the mandatory nature of the scheme which they had consulted on shortly before the General Election.
- The former Secretary of State for Trade and Industry (Peter Mandelson) set the target for the UK to be the best environment worldwide in which to trade electronically by 2002 in the White Paper - Our Competitive Future: Building the Knowledge Driven Economy.
- On 5 March 1999 the Secretary of State for Trade and Industry and the Home Secretary jointly launched Building Confidence in Electronic Commerce. In parallel with the consultation, the Prime Minister personally launched a partnership with industry to find solutions to the problems posed by encryption for law enforcement.
Paragraph 36 We believe it is essential that every measure included in the forthcoming Electronic Commerce Bill is designed to facilitate rather than restrict electronic commerce and that this should be the criterion by which Parliament judges the Bill.
Paragraph 117 Now that key escrow has been dropped by the Government, the rationale for an electronic commerce bill is open to question. We recommend that the Government think twice about the content of its forthcoming Electronic Commerce Bill and only include in the Bill measures which will promote electronic commerce, rather than measures discarded from the previous key escrow policy which are concerned with controlling, not facilitating, electronic commerce.
- the UK to be the best environment for electronic business by 2002;
- 25% of Government services to be available electronically by 2002 (rising to 100% by 2008); and
- 90% of routine procurement of goods to be done electronically by 2001.
The draft Bill also contains measures designed to ensure that the effectiveness of existing law enforcement powers is not undermined by the criminal use of the very technologies (such as encryption) which the Bill seeks to promote.
- through clarifying the status of electronic signatures;
- by removing legal barriers so that the option of communicating electronically can be offered instead of the use of paper; and
- by building confidence in the provision of cryptography services.
Paragraph 37 While we accept the Government’s judgement that legislation should not be delayed still further solely to allow for a standard consultation period, especially as the issues on which DTI sought views were so familiar to likely respondents, the time constraints cited by DTI have been entirely of their own making.
5. The DTI received 252 responses in total (of which 246 were received in time to be taken account of by the consultants for their summary).
Paragraph 40 We consider it a potentially serious omission that DTI has not indicated how its proposals for electronic signatures would affect Scottish law and we recommend that they quickly do so.
As in the case of England and Wales, the legislation will present the opportunity to provide a clear basis in law for the operation of electronic commerce. The powers in the draft Bill should enable this policy to be implemented in a consistent way throughout the UK, but also by means which ensure that this is achieved in the most appropriate way for each jurisdiction.
Paragraph 41 Although electronic signatures are not currently without legal standing, legislation to clarify their status would command widespread support.
Paragraph 44 One objection to the Government’s proposals for the recognition of electronic signatures is that they are better suited to a civil law jurisdiction, than to the English common law tradition.
Paragraph 46 A second objection to the proposal that some electronic signatures will carry a rebuttable presumption of validity is that this would reverse the burden of proof in contractual disputes, potentially undermining confidence in electronic commerce if means of forging electronic signatures are developed.
Paragraph 51 We recommend that the Government lay before Parliament the justification for such a radical change to the way signatures are considered by English law and explain in greater detail than hitherto whether or not the EU Electronic Signatures Directive genuinely necessitates such a change to be made.
This means that in many, but not all, circumstances the law is flexible enough to be capable of accommodating electronic signatures. However there will be uncertainty, until sufficient case law has built up. This could take some years. The responses to the consultation launched by the previous administration indicated considerable support for a rebuttable presumption that an electronic signature was what it claimed to be. However, many of the respondents to the recent consultation argued against introducing such a presumption because:
- they argued that the burden of proof would be shifted, to consumers for example, to prove that they had not signed a document, thus reversing the position in existing law;
- the technology, and its likely use in most situations, is not sufficiently developed to be able to set the necessary standards;
- moreover, even if the technology were robust, it is hard to control how people use it (e.g. although a properly implemented electronic signature cannot be forged, a smart card can easily be lost or not properly protected);
- the flexibility of common law, which makes English Law the jurisdiction of choice for many international transactions, might be compromised by such a measure.
Paragraph 58 The outdated definitions of words such as "writing" and "signature" in law are potentially significant barriers to the development of electronic commerce in this country. DTI seems not to appreciate the need for swift legislative action in this area and would appear to have made limited progress since 1997. We favour the Government taking powers in the forthcoming Electronic Commerce Bill for secondary legislation to update definitions of words in law to take account of new information and communication technologies and drawing on the approach of the Australian draft Electronic Transactions Bill 1999. We recommend that the Government quickly publish an analysis of legal changes required, both in relation to English and Scots law and identify those transactions and official proceedings which it believes should not be allowed to be conducted electronically.
There may be a few examples where it is not appropriate to take such a step, at least in the near future. The publication of an analysis of the references in legislation to "in writing" or "signed" is not compatible with the timetable for bringing the Bill before Parliament. The Society for Computers and Law has estimated that there may be as many as 40,000 references to "writing" and "signature" alone.
Paragraph 64 We acknowledge the need for some form of accreditation scheme relating to TSPs to persuade firms and individuals "standing on the edge of the e-commerce lake wondering whether it is really safe to dive in" that electronic commerce is as safe and reliable as traditional forms of commerce.
Paragraph 65 We recommend that the Government sponsor a voluntary accreditation scheme for TSPs which is based on the needs of users and service providers but which is not grounded in legislation. We think it prudent that the Government take powers to establish a statutory-backed scheme but recommend that these powers are held in reserve unused unless and until it is demonstrated that a voluntary scheme fails to protect the interests of all consumers and service providers.
Many respondents to the recent consultation argued for a "light touch" in any legislation or regulation. One noticeable shift in opinion from the consultation launched by the previous administration was that voluntary statutory licensing was questioned. There were many calls for the market and the technology to be allowed to evolve, and some for the industry to be allowed to develop self-regulatory or guidance mechanisms.
The choice between a statutory voluntary regime, or a suitable self-regulatory regime, is finely balanced. The Government is in close dialogue with the Alliance for Electronic Business in relation to its work in developing a non-statutory, self-regulatory scheme. The Government therefore proposes, in Part I of the draft Bill, to take powers to set up a statutory voluntary scheme by secondary legislation. After Royal Assent, the Government will need to decide whether to bring such a statutory scheme into being, or to follow the recommendation of the Trade and Industry Committee and hold the powers in reserve, relying on self regulation. Our assessment will take account of the robustness, industry acceptance and quality of the self-regulatory scheme which by then should have emerged from industry and make a judgement about how its merits would compare with those of a statutory scheme. We will consult on that decision.
Paragraph 66 We see no reason why existing means of distinguishing licensed or accredited services from unlicensed or non-accredited services cannot be applied successfully to TSPs.
Paragraph 67 There is a danger that TSPs and their customers will be confused by the multi-layered design of the proposed statutory licensing regime. We would welcome early clarification by DTI and OFTEL of how the proposed licensing regime will work in practice, were it to be introduced.
Paragraph 70 We recommend that, if DTI intends to establish a statutory licensing scheme, it spell out which licensing functions it would be prepared to delegate to an industry body in future and which it would prefer a public sector body to perform; and that it set out the criteria an industry body must meet in order for it to be considered as the licensing authority for TSPs.
The Government believes that any scheme should have the following characteristics:
- The scheme should be wide enough to cover a broad range of services including signature and confidentiality services.
- The scheme should be demonstrably rigorous, impartial and trusted by all sectors of industry (i.e. it needs support from a broad cross-section of industry, including users). It should not act as a barrier to new entrants to the market.
- The scheme should have a means of taking into account the views of consumers.
- The scheme needs the ability to set standards (procedural and technical). If the scheme is non-statutory, there needs to be a clear mechanism for Government to monitor progress and influence the development of such standards, in line with its objectives for promoting electronic commerce, Modernising Government and law enforcement.
- The scheme needs effective mechanisms for ensuring compliance with these standards, including for example:
  - assessment of service providers, perhaps linked to a "kitemark";
  - sanctions and the ability to monitor and take enforcement action against members that breach the "code of practice";
  - a means of redress for consumers if consumers are unhappy with the response from the service provider;
  - publicity, i.e. making available the code of practice, a register of members and, perhaps, annual reports aimed at consumers.
- The scheme should take account of the draft EU Electronic Signatures Directive (including provisions on liability and data protection). In particular it should provide UK providers with a means of showing that their signature service meets the standards envisaged in the draft Directive, to facilitate trade with other EU countries. There could be scope for different levels of service, so it might not be necessary for all signatures to meet the Directive standards.
Paragraph 73 A comparison of the 1997 and 1999 DTI consultation documents would suggest that little effort has been devoted over the last two years to considering the detailed licensing criteria to be applied to TSPs, or the effect of such criteria on the market. The licensing criteria for TSPs recently set out by DTI are not fit to be written into law. Unless they are improved, then the licensing system will be a damaging and embarrassing failure. We invite the Government to inform Parliament how it intends to work with electronic commerce providers and users to design more suitable criteria.
The DTI will continue to work with industry in developing a set of criteria designed to generate public confidence that cryptography services from a TSP approved under the UK regime are high-quality and reliable. The DTI will also work with industry in representing UK interests in refining the criteria outlined in the draft EU Electronic Signatures Directive, which will form the basis of mutual recognition of electronic signatures in the EU.
Paragraph 79 We recommend that the Government exercise caution before implementing a statutory liability regime in this nascent market. We suggest that, until the market develops further, the most useful requirement might be for TSPs to set out in full their liability provisions, including relevant limits, both to users and third parties, including how liabilities can be met, to assist consumer choice of TSP and swift redress when problems are encountered.
Paragraph 80 We are persuaded that encryption will increasingly be a source of advantage to criminals with which law enforcement agencies are, at present, inadequately prepared to deal.
Paragraph 81 We suggest that those organisations involved in electronic commerce will be much more willing to help the law enforcement agencies if there are reliable means to assess the extent of the problems posed by encryption, and that there would be advantage in Parliament having a fuller picture of the perceived threat.
The Government has accepted this recommendation and is in the process of establishing a new Government/industry joint forum, to be chaired by the DTI. The joint forum will discuss the development of encryption technologies and ensure that the needs of law enforcement agencies are understood by the industry.
Paragraph 90 By dropping key escrow as a licensing condition for TSPs, the DTI’s third attempt to formulate an acceptable cryptography policy is a marked improvement on its predecessors. We are disappointed, however, that the Government should still hold a candle for key escrow and key recovery. We can foresee no benefits arising from Government promotion of key escrow or key recovery technologies.
Paragraph 107 If the Government consider it necessary in future to introduce key escrow, key recovery or a related requirement on TSPs then we recommend that they do so only after stating precisely the reasons why such a change would be necessary as part of a full public consultation exercise. Powers should not be taken in the forthcoming Bill to permit the introduction of key escrow or related requirements at a later date.
In particular, the Government agrees with the PIU’s conclusion that the widespread adoption of key escrow and key recovery is unlikely in the current climate. The Government therefore accepted the recommendation that a mandatory link between approved providers of services and key escrow would not support the Government’s twin objectives on e-commerce and law enforcement.
Paragraph 98 We think that the proposed new power to require decrypted data or private encryption keys to be provided when appropriately authorised will be a useful addition to the armoury of the law enforcement agencies. We recommend that the Government quickly clarify the situations in which it thinks this power will be likely to prove most helpful. In particular, Parliament should be given an indication of the criteria which will be used to decide against whom written notices for the provision of information will be served and whether it is proposed that the request should be for a private key or decrypted data.
The draft Bill sets out the conditions under which the service of written notices requiring the surrender of decryption keys or plain text may be authorised and who may authorise the use of the new powers. The ability to serve a written notice will be ancillary to existing statutory powers. This means that the new powers will apply only to material that is, or has been, lawfully obtained. The draft Bill provides that the disclosure of plain text rather than a key may be acceptable in all cases unless the written notice specifies that only the disclosure of a key itself is sufficient.
Paragraph 101 It is entirely unacceptable that the Government should announce a major review of the Interception of Communications Act 1985 and then fail to publish any further details of the review for over eight months, especially when the consultation exercise on building confidence in electronic commerce explicitly refers to the Act and the review. We recommend that the Government set out the options for change to the interceptions regime, and how they relate to the forthcoming Electronic Commerce Bill, before the Bill is debated by Parliament.
6. It is available at www.homeoffice.gov.uk/oicd/ioc.htm and from the Stationery Office. Responses are requested by 13 August and may be sent by email to email@example.com
Paragraph 102 We recommend that the Government give authoritative clarification of the status of the Enfopol proposals and their potential implications for relevant UK service providers.
Council Resolutions are not legally binding. The 1995 Council Resolution, for example, has not been incorporated into UK law. It is used solely as a basis for discussions with telecommunications operators in accordance with the statutory safeguards contained in the Interception of Communications Act 1985 (IOCA). It follows that if adopted, the present draft Resolution on interception of new technologies would place no legal obligations on telecommunications or Internet Service Providers in the UK.
The Government submitted an Explanatory Memorandum to Parliament on the draft Resolution on 8 February 1999 (10951/2/98 ENFOPOL 98 Rev 2). In fact, the Government sees little need for the draft resolution at the present time. The Government’s consultation document on the review of IOCA, published on 22 June, includes consideration of the needs of law enforcement agencies in respect of providers of new communication technologies such as the internet and satellite telephony. The proposal for a draft Resolution will not prejudice this consultation process.
Paragraph 105 If, after three years of considering its policy on cryptography, the Government should announce the need for a partnership with industry, then that would suggest failure in the past to create such a partnership. We consider that the fault for failing to create such a partnership lies not with industry, which would appear to have been ready and willing to help, but with Government. Although DTI has been willing to listen to what industry and others have had to say about cryptography, we have gained the impression that they have not, until recently, taken much notice of what has been said to them. From now on, we expect the Government to work with all interested parties to devise a cryptography policy which is best for the UK as a whole, rather than one which is geared towards satisfying law enforcement concerns at the expense of Britain’s economic competitiveness.
In his foreword to the PIU Encryption report, the Prime Minister said:
"The rise of encryption technologies threatens to bring the achievement of these two objectives into conflict. On the one hand, business has delivered a clear message that encryption is essential for developing confidence in the security of electronic transactions. And lack of confidence is often cited as one of the main brakes on electronic commerce. People also want to enhance the security of their personal communications through the use of encryption. To meet these needs, the Government is keen to support the strong and growing market in encryption products and services.
On the other hand, the use of encryption by major criminals and terrorists could seriously frustrate the work of the law enforcement agencies. Indeed there is already evidence that criminals, such as paedophiles and terrorists, are using encryption to conceal their activities. It is a little known fact that on average one in every two interception warrants issued results in the arrest of a person involved in serious crime. If powers of interception and seizure are rendered ineffective by encryption, all society will suffer. So it is vital that in our support for the use of encryption we limit the damage to our ability to protect society."
Paragraph 106 We recommend that the Government keep Parliament informed of the remit and membership of the Cabinet Office task force dealing with law enforcement aspects of electronic commerce and of any body established in its place.
In February 1999 the Prime Minister asked the PIU to consider the issue of encryption and law enforcement, as a subset of its ongoing project on electronic commerce. The remit given to the PIU was:
- to study the needs of law enforcement agencies and of business;
- to examine the merits of the current encryption policy (and in particular key escrow); and, if necessary,
- to identify proposals that would satisfy both the need to promote encryption for electronic commerce and the Government’s duty to ensure that public safety is not jeopardised.
Paragraph 108 We suggest that the experience of the relationship between ISPs and the law enforcement agencies underlines the need for openness and transparency in the new partnership between industry and Government on law enforcement aspects of encryption, so as to avoid confidence in electronic commerce being undermined.
The UK has been very successful in developing an effective working relationship between Internet Service Providers (ISPs) and law enforcement interests. The regular forum, currently chaired by the Association of Chief Police Officers, which includes a wide range of industry and law enforcement interests, together with representatives of the DTI and Home Office, has played a central role in developing and maintaining this relationship.
The forum has already produced a form for use by Police forces in requesting information from ISPs under section 28.3 of the Data Protection Act, which is now in the public domain. In addition, a best practice document on traceability will shortly be published, once it has been agreed and ratified by the ISP industry. The aim is for this document to become the industry standard for tracing those responsible for the misuse of the internet. The forum is also working on a number of other projects and is actively considering what more can be done to make the results of its work widely available in order to meet concerns about the transparency of its discussions.
Paragraph 110 We see merit in NCIS being notified whenever a local law enforcement agency encounters encryption during the course of a criminal investigation.
Paragraph 110 We also recommend that the Government consider the establishment of a law enforcement resource unit for dealing with computer crime, including encryption.
Separately, the issue of whether to establish a national high technology crime unit is currently being considered by the Association of Chief Police Officers (ACPO) Crime Committee.
Paragraph 112 We recommend that the Government consider the case for a review of the rationale for the continuation of export controls on cryptographic products, in the light of their widespread availability, and the procedures by which such controls are implemented.
The export controls on encryption, which are set internationally within the Wassenaar Arrangements, were reviewed as recently as December 1998. The new, and relaxed, controls have been broadly welcomed by industry. They will soon be implemented in the UK.
Paragraph 113 Although the forthcoming Electronic Commerce Bill is not likely to be a source of party political controversy it is a vital measure for UK competitiveness and law enforcement. It requires full and rigorous parliamentary scrutiny.
Paragraph 114 We recommend that DTI publish a full analysis of responses received to its recent consultation document, including a list of those who responded to the document, at the same time as the Electronic Commerce Bill is published.
Paragraph 115 We recommend that draft regulations arising from the Electronic Commerce Bill be given full public scrutiny before they become law.
The Government is committed to developing the approvals criteria in consultation with potential applicants for approval, and users of their services, and will consult formally on all such regulations.
The Government also plans to consult widely on draft regulations relating to the facilitation of electronic communications and storage (Clause 8). However, once general principles have been established and agreed on in the first series of regulations it may no longer be necessary to do this in every case, unless new points arise. The Government will, therefore, keep consultation on such regulations under review.