Analysis of Part II of the (draft) Electronic Communications Act 1999
A summary of opinions
Part II is labelled 'Facilitation of Electronic Commerce, Data Storage, Etc' but in fact consists of three clauses which have little enough to do with this! Clause 7 deals with the status of 'electronic signatures'. Clause 8 deals with amendment of legislation to allow the use of electronic communications or storage (what the March consultation called 'electronic writing'). Clause 9 is a technical clause which tries to explain which Minister is allowed to use Clause 8.
Fundamental problems with Clause 7
Electronic signatures are almost certainly already valid and there is no need for a Statute to make them valid.
The way that Clause 7 is written casts doubt on whether signatures attached to stored documents have the same validity as signatures attached to communicated documents. Since the avowed intention of this Clause is to remove doubt, it is extremely perverse to add it!
Clause 7 discusses whether an electronic signature gives authenticity or integrity to a document. It fails to discuss the key point of whether something is a signature per se, viz: whether it shows intent to make it.
Clause 7(3) appears to be suffering from a misunderstanding of how signatures may be created. The intent may have been to enable ASCII signed emails to continue to be an acceptable signed document (albeit one that is relatively easy to forge). However, it will be hard to explain to a Court how an X.509 certificate falls under 7(3)(b) as somehow describing a "procedure". Since there are perfectly good definitions of electronic signatures in the draft European Directive on Electronic Signatures, it would seem wise to incorporate these.
Inspection of Clause 24 shows that Clause 7 may be delayed beyond the introduction of the rest of the Bill. One assumes that this is because of some worries that some legislation must first be rapidly amended under the powers in Clause 8 and that it's not just that the real point of the Bill is to get Part III onto the statute book and everything else is irrelevant?
Finally, it should be noted that in Clause 7(3) the word 'certified' is probably meant to be taken in its legal sense and not in the sense of having a Certificating Authority issue a 'certificate' document. If the rather general legal meaning is intended, then it seems foolish (and designed to cause just the sort of doubts that are meant to be being avoided) to use a word that, in just this context, has a closely coupled technical meaning.
Fundamental problems with Clause 8
The permitting of electronic writing can proceed at any pace that the Government wishes. There is no compulsion on them to get on with it, or indeed to make any report to Parliament as to progress (or lack thereof).
Clause 8 does not contain any provisions for consistency in the ways in which legislation is amended. One assumes that after a few Statutory Instruments have been drafted and debated, simple laziness will mean that a standard scheme will be adopted. Nevertheless, there is a serious risk that we will end up with a complete mish-mash of provisions and there will be few standard ways of doing things electronically.
There is a real risk to civil liberties (and indeed to the smooth operation of the marketplace!) that the Government will see the introduction of electronic methods of communication as an excuse to move towards a standardisation of identity schemes. A fundamental principle that is completely missing from Clause 8 is that the Government should not seek to require extra certification on any electronic document that goes beyond the certification that it seeks for the equivalent paper-based document. If self-certified signatures are allowed on paper documents then self-certified signatures should be allowed on the electronic version as well.
Clause 8(6)(b) allows for rules to be made which will impose restrictions on those who start to use electronic schemes from returning to paper based schemes. This may be reasonable in many cases as a way of reducing administrative overheads, but it would not be reasonable if an electronic scheme was to change its nature or technical requirements.
Although at first sight Clause 8(7) is reasonable - there's no need to include matters in this Bill that have been covered in the Finance Bill 1999 - there is such a need because all branches of Government and all changes of legislation should be covered by the same set of ground rules and safeguards.
Finally, a brief look at Clause 9(5)(b) shows the wonderful generality of this Clause - a condition or requirement will be satisfied "only where a person so specified or determined is satisfied as to specified matters", i.e. Ministers will get to be judge and jury for all their decisions as to how legislation ought to be amended.
An interchange of opinions
This material comes from UKCrypto. Please note that the various statements have been edited together to form a readable narrative. People did say all of these things but the 'conversation' was not necessarily in quite this order. In several places, the original spelling has been improved to avoid distracting from the underlying message.
While lots of people claim that other people are doubtful about the validity of electronic signatures, not many people have ever expressed a rational doubt of their own, and I know of no lawyers who think there is anything in this point at all. So what this clause has to do is lay to rest the alleged doubts of the fainthearts, without raising new doubts that trouble even the robust. It fails this test miserably.
(I digress to comment, for avoidance of misunderstandings, that this clause is not about whether using electronics you can meet a statutory requirement for a signature, as on a will or a tax return or a passport application. You cannot do that today, mainly because those things must be on paper anyway, and it is clause 8, not 7, that may one day enable you to do so. Clause 7 is purely for signatures on things not currently required to be signed and not currently required to be done on paper, i.e. those things you can do by word of mouth, like buying and selling things.)
The first curiosity is that 7 refers only to communications. What if you want to sign a contract, not an email? I can just hear the draftsman's supercilious reply, "Well I assume you will communicate it to the other party, as it won't otherwise be much use; so it's really a communication after all."
This is the sort of thing that gives English statutory drafting a bad name, deservedly. All it does is raise a perfectly unnecessary doubt about document signing, which can only be met with an answer that may technically work but is frankly silly. And clause 22(2) refers to "communications or data", so why not 7? This is no way to lay to rest the doubts of the fainthearts, and it could raise some reasonable doubt in the robust. It will certainly do more harm than good.
Secondly, electronic signatures are not just simply made admissible; they are made admissible in relation to any question as to authenticity or integrity. Why limit them? Why not accept that they are put there not just to show authenticity or integrity, but to act as signatures, and make them admissible for whatever they may prove? Why indeed define electronic signature precisely so as to discard the function of the thing as a signature? This sort of pointless finicking about will again do more harm than good.
(I digress again. Why are there two different definitions of electronic signature, one for clause 7 and the other in clause 19 for Part III? I think the clause 19 definition is used only in clause 10(5), and enables signing keys used only for non-communications still to count as signing keys. But this sort of maze would be unnecessary if clause 7 was wider in the first place so that only one meaning sufficed.)
Thirdly, clause 7(3) looks technically wrong. I don't think a certificate ever certifies a specific signature, so 7(3)(a) never applies; and how can it be argued that a certificate which says "The following blob is John Smith's PGP public key" is certifying a procedure (except by rather indirect implication)? I happen to doubt the significance of certificates for electronic commerce; but if they matter, this is a discouraging foundation for their use.
If clause 7 is the meat in the sandwich, it needs to go back to the kitchen pretty soon, or the customers will begin to pack up and leave the restaurant.
The Bill and s 7, as I read its intent and the associated explanatory notes for s 7 and 8, is not to restrict this position (though that was the effect of earlier proposals) but to provide clarification by suggesting various definitions.
Nick is reading these clauses as though they impose restrictions; I think they are seeking to provide non-exhaustive definitions. Thus a "communication" includes both an email and contract, doesn't it? And I don't think that digital signatures are necessarily limited to issues of authentication and integrity.
But I agree: not the very best drafting.
If however, a certificate confers some form of permission on a key (and/or a key holder) then I am less doubtful and I do believe that certificates will have uses. However, this type of certificate will typically be issued and verified within a context set by multiple closed two party relationships where contracts can be used to set the conditions of use and hence avoid the difficult issues of open third party liability.
And, of course, we do not need any legislation to validate the use of certificates in such situations.
I can envisage potential applications for open certificates but the issues involved in their use seem most unlikely to be resolved by the proposals set out in the Electronic Communications Bill.
Clause 8 (which allows the Secretary of State to allow the use of electronic signatures (on any conditions)) presumably is where any practical changes could be implemented in those cases where there are currently non-electronic formalities required. What this will mean in practice is anyone's guess.
1. March consultation says that Government thinking about introducing some sort of presumption that electronic signatures are valid, tied to their notorious "voluntary licensing" scheme, so that only signatures supported by a licensed CA would give that presumption.
2. Responses to government reject the link between legal status and licensing of CSPs. They also say that a presumption is inappropriate - if I sign something with pen and ink, there is no statutory presumption that it means anything at all and we seem to get along OK, so why start somewhere else for electronic signatures?
3. Government still want to publish a bill, which needs some meat so that it can be a "promoting e-commerce" measure and can avoid just being a law enforcement measure... so introduces the meaningless Clause 7.
Even if they decide to allow electronic signatures, they can impose whatever conditions they think fit (nothing limiting this to conditions which are necessary because of the difference between paper and electronic signing or otherwise proportionate). What am I bid for mandatory key escrow for anyone using electronic signatures to file documents when they are under control of the Home Office?