FIPR Draft Ecommerce Bill Press Release

FIPR: Foundation for Information Policy Research

_____________

FOUNDATION FOR INFORMATION POLICY RESEARCH

Embargoed until release of bill: Friday 23rd July 1999

ELECTRONIC COMMUNICATIONS BILL WILL HARM UK INDUSTRY, HOLD BACK GROWTH OF ECOMMERCE, UNDERMINE CONSUMER PROTECTION, AND VIOLATE EUROPEAN CONVENTION ON HUMAN RIGHTS
_____________

For more information, contact FIPR.

Since the early 1990s, civil service policy advice to Conservative and Labour Ministers has advocated draconian legislation restricting the use of encryption on the Internet. The Conservatives proposed compulsory licensing of encryption in Government, but recanted in Opposition. Labour opposed controls in Opposition, but now propose "decryption notices" which overturn basic principles of human rights and civil liberties.

Today the Government published an Electronic Communications Bill that will give ministers broad powers to control the use of encryption in electronic commerce. Although some of the more objectionable aspects of previous proposals have been dropped from primary legislation, the bill gives ministers the power to introduce them later as regulations.

Caspar Bowden (Director of FIPR) said:

'Electronic businesses can trade from anywhere in the world. Threatening a mountain of red tape will cause e-business to move to places with a more supportive climate such as Ireland or Canada.'

'The Home Office argues that being asked to produce a decryption key is like being asked to provide a DNA sample. But innocent people might lose a key to stored data, or never know the key to data that is e-mailed to them - and unless the court is convinced, it means jail.'

Overwhelmed by resistance from industry and users, the government has been forced to abandon a succession of elaborate but futile frameworks for regulation, wasting three years in which UK e-commerce could have established a world lead.

Big Bureaucracy

Compulsory licensing with mandatory key escrow subsequently became voluntary licensing linked to key escrow, and now the terminology has metamorphosed again into a register of approved providers. Despite a fiercely critical Trade and Industry Select Committee report, the DTI has ignored the spirit of their findings and appears still to want to keep open options for strict regulation. Six pages of impenetrably worded legislation could see the return of key escrow through secondary powers which would allow the Secretary of State to make escrow a condition of approval.

Businesses, already deterred by vacillation and delay, will have little idea of what to expect until the regulations are eventually published. Different regulations can be published by different departments, no timescales are set out, and businesses will face constant debilitating uncertainty about whether electronic products and services may in future face much stricter regulation.

FIPR wishes to see cast-iron curbs on secondary powers which could require (or coerce) without further primary legislation: (a) operation of key escrow by approved providers, (b) linkage of weight or validity of signatures to being an approved provider, (c) use of approved provider of certificates or encryption for dealings with Government.

Big Brother

There are also serious civil liberties concerns. The bill will give police the power to demand decryption keys from anyone they suspect of possessing them, and failure to hand keys over can lead to a two-year jail sentence. The defence will be presumed guilty of withholding a key unless they can prove otherwise (a likely contravention of the European Convention on Human Rights), and decryption notices will be secret, so it will be impossible to complain effectively if they are used in an oppressive way.

Handing over a decryption key used for years on end would give the police access to very much more information than they need. Decryption notices can also be served on innocent correspondents of a suspected person, with an indefinite obligation not to change keys and to maintain secrecy.

FIPR believes that criminals should not be able to hide behind encryption, but the way in which the government intends to deal with this is completely unsatisfactory and infringes basic human rights.

To obtain power to serve a decryption notice FIPR suggests that the authorities should establish to a judge with reliable evidence that the:

Decryption Notices and Human Rights

*) No presumption of innocence: burden of proof on defence to show they DO NOT have a key

*) "Tipping-off" condition - actually an indefinite obligation of secrecy of excessive width

*) Safeguards?

Could key escrow return under secondary powers?

The Trade and Industry Select Committee commented in their report:

(115): 'A number of respondents advocated that statutory instruments should be ratified by affirmative resolution ... we have been critical in the past of Government's reliance on regulations which escape effective parliamentary scrutiny.'

(107): 'Powers should not be taken in the forthcoming Bill to permit the introduction of key escrow or related requirements at a later date.'

Part I: Register of Approved Cryptography Service Providers

Secondary powers

Part II: Admissibility of E-Signatures and Powers to Amend Legislation

Secondary powers

QUOTES:

The Director of the Foundation, Caspar Bowden, said:

'Civil servants have tried for years to get industry to buy into their proposals for regulating electronic commerce. It's time they realised that this is not going to happen, and that the world has moved on. Things are very different now from what they were in 1996 when these ideas were first floated.'

'A signature is valid at present if you intended to make it. The government is taking powers which could discriminate in favour of signatures certified by organisations joining their approvals scheme. So in future if you complain to your bank and say "I never signed that!" they could be able to say: "tough luck, it's an approved signature - you're liable". When frauds start happening, the customer will be blamed.'

'Electronic commerce is being seriously harmed by the attempt to tie electronic snooping provisions in with this Bill. The proper place for snooping regulations is in the new Interception of Communications Act. Making wiretapping a condition of the licensing of electronic commerce will just undermine confidence and drive business away.'

Notes for editors
1. About FIPR

FIPR is an independent non-profit organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. The Board of Trustees and Advisory Council comprise some of the leading experts in the UK.

2. Chronology

10 Jun 1996: DTI paper on regulatory intent concerning use of encryption on open networks.

17 Mar 1997: DTI Consultation Licensing of Trusted Third Parties for the Provision of Encryption Services.

27 Apr 1998: DTI Secure Electronic Commerce Statement.

19 Oct 1998: DTI Consultation paper postponed.

24 Nov 1998: Queen's Speech announces "Electronic Commerce Bill" this Parliamentary session.

3 Dec 1998: Trade and Industry Select Committee announces inquiry into E-Commerce.

19 Jan 1999: France abandons key escrow.

4 Mar 1999: PIU study announced at No.10 meeting for industry leaders, key-escrow "not the answer".

5 Mar 1999: DTI Consultation "Building Confidence In Electronic Commerce".

23 Mar 1999: "Scrambling for Safety III" conference: first public discussion of encryption policy by Home Office.

1 Apr 1999: 26 day response period of DTI Consultation ends: FIPR accumulates submissions on website.

19 May 1999: T&I Sel.Ctee Report "Building Confidence In Electronic Commerce: The Government's Proposals".

26 May 1999: Cabinet Office Performance and Innovation Unit Report, "Encryption and Law Enforcement".

22 Jun 1999: Home Office Consultation "Interception of Communications in the United Kingdom".

8 Jul 1999: Conservatives refuse to allow introduction of Bill under "carry-over" procedure this session.

23 Jul 1999: Draft "Electronic Communications Bill" published.

3. References

Cryptography and Democracy: Dilemmas of Freedom, a paper by Caspar Bowden, and Yaman Akdeniz, in Liberty eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet, London: Pluto Press, 1999, 81-125 - http://www.fipr.org/publications/cryptfree.pdf.

"Regulatory intent concerning use of encryption on open networks", DTI Jun 1996 - http://www.dti.gov.uk/cii/ENCRYPT/regpap1.htm.

Building Confidence In Electronic Commerce: The Government's Proposals, Trade and Industry Select Committee Report May 1999 - http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrdind/187/18702.htm.

Encryption and Law Enforcement, Performance and Innovation Unit Report, Cabinet Office, May 1999 - http://www.cabinet-office.gov.uk/innovation/1999/encryption/index.htm.

Building Confidence In Electronic Commerce, DTI Consultation, March 1999 - http://www.dti.gov.uk/cii/elec/elec_com.html.

Interception of Communications in the United Kingdom, Home Office Consultation June 1999 - http://www.homeoffice.gov.uk/oicd/ioca.pdf.

Licensing of Trusted Third Parties for the Provision of Encryption Services, DTI Consultation March 1997.

Secure Electronic Commerce, DTI Statement April 1998 - http://www.dti.gov.uk/cii/c8/ana27p.htm.

STAND Website http://www.stand.org.uk/.

_____________

The Foundation for Information Policy Research is registered in England and Wales under the Companies Act 1985 as a private company limited by guarantee (No.3574631). Application for charitable status is in progress.

Last Revised: July 23 1999