FIPR Library -- MacRoberts Response

MacRoberts

_____________

April 1 1999

INTRODUCTION

We welcome the decision of the Government, expressed in the Queen's Speech at the Opening of the 1998/9 Session of Parliament and in the "Our Competitive Future: Building the Knowledge-Driven Economy" White Paper in December 1998 to legislate within the United Kingdom in a manner which will facilitate the establishment and growth of Electronic Commerce.

However, despite the rapid growth in this area, we very much regret that the Government has not chosen to enter into a meaningful consultation with industry, the legal profession and other interested parties before enacting legislation. The Consultation Document was issued on 5th March, with responses required by 1st April 1999. This is significantly shorter than existing Guidelines would normally require.

We understand the government's desire to have legislation placed on the statute book as soon as possible but given that the present Session is half over, that the parliamentary process has a number of procedural steps, and that the government's large majority will necessarily lead to less opposition input into an E-Commerce Bill, we would strongly suggest to the Government that the timetable be made more realistic if it really has the desire to make the United Kingdom the E-Commerce venue of choice.

We are concerned that the government's other priorities will make the opportunity for further legislation in this area limited for the foreseeable future after an E-Commerce Act is passed.

We are conscious that similar consultation exercises either have taken place or are in course in other parts of the world. In particular the European Commission consultation "PROPOSAL FOR A EUROPEAN PARLIAMENT AND COUNCIL DIRECTIVE ON CERTAIN LEGAL ASPECTS OF ELECTRONIC COMMERCE IN THE INTERNAL MARKET (COM (1998) 586 FINAL)" is ongoing and may impact on any UK legislation in this area. We do not believe that any Directive is likely during this session of parliament. In addition there exist detailed consultation papers in this area from the New Zealand Law Commission and the Australian State of Victoria. The Australian Commonwealth government issued an "Issues Paper" in November 1998 and a draft of an "Electronic Transactions Bill" for comment in January 1999. In addition there are a number of discussion documents emanating from the United States legislative and executive branches at both Federal and State level.

In none of these initiatives was such a short period allowed for comment as is proposed in the United Kingdom.

That said, we would make the following comments on the matters raised in the consultation paper. We believe that it is possible for the United Kingdom to become an E-Commerce venue of choice but in order to do so many of the existing perceptions and paradigms of government will require to be set aside. In our conclusions in these comments we will address the principles expounded in paragraph 3 of the Introduction to the Consultation Paper and comment on the extent to which these will, in our opinion, be met by the proposals of the government.

INTERNATIONAL CONTEXT

E-Commerce does not exist in a national vacuum. The products and services of e-commerce do not stop at traditional territorial frontiers, nor can their passage across these frontiers accurately be measured or controlled. The corollary of this is that, for the e-commerce entrepreneur, the services can be provided as easily from one country as from another. If one country imposes restrictions or regulations which impede, restrict or unduly control the carrying on or carrying out of e-commerce, the business will move elsewhere.

Lest it be thought that this affects merely the siting of a few computers, it should not be overlooked that there is a vast infrastructure allied to the provision and support of e-commerce services and the provisioning of materials for sale through these channels. Even if one were to discount the provision of software online (in which the source of these "goods" is less relevant due to lack of transport and shipping costs), even a cursory examination of the major e-commerce vendors' sites today would illustrate that the majority of the goods are sourced from the jurisdiction in which the e-commerce vendor is based.

Equally, in a truly international (or rather transnational) market, for the purchaser or user of these e-commerce services, the consumer can and will purchase goods and services from whichever vendor is able to offer the best goods or services on the most favourable terms. For an online purchaser of software it does not matter whether the vendor is based in Glasgow or San Francisco; the end result from the purchaser perspective is the same. E-Commerce is the catalyst which for UK business makes any considerations of geographic remoteness or location largely irrelevant to the target market.

We shall, later in these comments, make some observations on the government's proposals on encryption and cryptography, but these must be seen in light of these general observations on the international nature of e-commerce.

We do not propose to comment on the EU proposals in this paper; our comments on this have already been made and submitted both to the EU Commission and to the appropriate officials at the DTI. A further copy will be available on our website (http://www.macroberts.co.uk/) in the course of April 1999.

LEGAL RECOGNITION OF ELECTRONIC INSTRUMENTS

A) Electronic Signatures and Electronic Writing

We are concerned that the Consultation Paper misses the point here; we believe that, rather than assessing how electronic signatures and writings can be made to emulate traditional forms of recording, some examination should be made of the purpose which writings and signatures are designed to achieve.

In relatively few cases is writing required for legal effect to be given to any agreement, contract or arrangement; where writing is required (as for heritable (real) or leasehold property transactions), this is set out in the appropriate statute. We do not consider there to be any legal, commercial or public policy grounds why, with the appropriate safeguards and verifications, electronic writings should not be permitted in most of these areas.

Proposed legislation in other jurisdictions has also suggested the exclusion, at least in its initial stages, of matters relating to public registers of Births, Deaths and Marriages, testamentary (probate) affairs, matters requiring sworn affidavits and court procedures. We would support such exclusions, but with power for regulations to be issued allowing electronic writings in these areas also. We also believe that it should be possible for parties to agree, notwithstanding any general exclusion to the contrary, that they wish electronic writings to be given effect.

Whilst transactions in land have traditionally been accorded a special status for authentication, we do not consider that with the advent of land registration and the creation of licensed "cyber-notaries" (solicitors or other authorised persons who could place their imprimatur on a deed in an "ordre public" way) there is any longer objective justification for this distinction.

We are strongly of the view that any legislation should be as facilitating as possible and that the overall intent should be, as far as is possible, to afford electronic writings the same legal status as other forms of writings or recordings.

In its 1998 Report, the New Zealand Law Commission noted (at para. 22) that the objectives of the building of a legal framework for electronic commerce could be summarised as follows (as they had been in the Australian Electronic Commerce Expert Group Report)

The NZ Law Commission identified a primary objective of their work as the need to facilitate business efficiency by ensuring that the law keeps apace with technology rather than reacting to it in an ad hoc fashion. We would commend this objective to government.

We would suggest wording in legislation in similar terms to the following:

Writing

(1) A person may use writing in electronic form for any purpose for which writing is required or permitted by law;

(2) The effect of writing in electronic form is the same for the purposes of any law as that of writing in paper form if the electronic form is such as to permit retention of the writing for subsequent reference (whether it is in fact so retained).

(3) This section -

(i) applies despite any provision to the contrary made by the particular law;

(ii) without limiting paragraph (i), applies even if the particular law expressly or impliedly requires an original document if the electronic form is such as to permit reproduction of the document at any time as it existed when used for the relevant purpose;

(iii) does not apply in relation to a particular transaction if the parties to that transaction otherwise agree or any of those parties reasonably requires a kind of writing other than writing in an electronic form;

(iv) does not apply to the extent that its operation is excluded by [section dealing with excluded areas], save that the parties may expressly agree to permit electronic writings in an excluded area.

We consider it imperative that any legislation in this field should make as few changes to the existing legal framework and rules as practical, having regard to the requirement to facilitate electronic writings, and should be expressed in a technologically neutral fashion so as not to restrict or fetter any future changes in technology or business methods.

In our opinion, the adoption of wording similar to that suggested above could be done by primary legislation and would not therefore require delegated powers to amend statutes by secondary legislation (which we believe is undesirable from a certainty and accountability perspective). We are not aware of any reason why electronic writings should not be permitted ab initio in a de plano way, subject only to a short list of exclusions, which might on cause shown be added to or restricted.

As far as electronic signatures are concerned, we do not believe that there is any reason why these should not be recognised by law - indeed we believe that, in Scotland at least, they may already be so recognised.

We all have signatures; some are simple, child-like, almost printed; others display a flourish of hand, marking the writer as an artist or a creative person; whilst others still are wholly illegible. Nonetheless, signatures, whatever their character, all possess the same quality - that of identifying uniquely their author.

It is into this framework that electronic signatures have to fit. The problem is simple; a traditional signature - even if no two signatures by the same person are wholly identical - possesses such characteristics of drawing, of flow and of style that it is possible for experts to state with almost total certainty whether two signatures were made by the same hand or by different persons. It is on such identification that the fraud statutes are based.

Unfortunately with Electronic Signatures it is not so simple. There is no "written" signature as such - although PenOp® technology (http://www.penop.com) seeks to bind a written signature to an MSWord document using a digital pen and tablet. Whilst it is possible to have one's signature digitised and translated into a TrueType font, this does not mean that the signature (or the underlying document) is valid.

In Scots and English law, few documents require to be signed to be valid; for those that do, the level of formality is generally low; few documents require a specific form of execution to be valid. The primary test for validity of a signature is evidential - Goodman v J. Eban Limited [1954] QB 550, Court of Appeal. Thus "signatures" include those printed on cheques, rubber stamps, typewritten signatures and other forms of execution where the intention of the writer to make some sign that he has adopted the contents of the writing can be deduced.

Some documents do, however, require to be signed - contracts for land, certain mercantile documents such as Bills of Exchange and documents requiring execution in the presence of a Notary Public or Commissioner for Oaths; but these are few in number.

In the DTI proposals for the Licensing of Trusted Third Parties for the Provision of Encryption Services (http://www.dti/gov/), the DTI recognised (in Annex A, para. 1) that "Although electronic "partners" may well be prepared to contract with one another on the basis of "trust" (as many organisations do already) there is a perception that some form of legislation should underpin the basis of this electronic communication. For example, if there were a dispute on the alteration or disclosure of a message, recourse to the courts may well be appropriate."

To date the UK courts have not had to deal with such a problem. Indeed, even the US courts appear only to have considered the question of the validity of electronic signatures in one case, that of Michael Doherty -v- Registry of Motor Vehicles, (www.magnet.state.ma.us/itd/llegal/case.htm) Charlestown Division of the Commonwealth of Massachusetts, May 28th 1997, in which an electronic signature was accepted.

From a UK perspective, it is to be hoped that the courts would reach a similarly pragmatic approach. Certainly, the Society for Computers and Law Working Group found that many words like information, document and recording could be extended to electronic information, whilst signature and writing could not. In the US, in Clyburn v Allstate, the Court stated:- "In today's "paperless" society of computer generated information, the court is not prepared, in the absence of some legislative provision or otherwise, to find that a computer floppy diskette would not constitute a "writing" within the meaning of [the Statute]". (826 F. Supp. 955,956 (D.S.C. 1993)).

For the businessman the problem is not new; whatever the reluctance of the legal system to adapt, business has, through the ages, had to move from the "X" to the telegram, the fax and now to E-Mail and other forms of Electronic Commerce. It is just the ease with which electronic signatures and the underlying information can be altered or created and the anonymity of author and sender that has heightened the concern. Certainly with the globalisation of trade, it would be more convenient if commerce could be conducted remotely by electronic means rather than by parties gathering in a single room - existing techniques of part and counterpart and of faxed copies are far from satisfactory from a verifiability perspective.

From a legal standpoint, the difficulties may, as with much of this area, be more imagined than real; common law almost certainly treats as a signature any symbol or mark affixed to a document with the intention of accepting responsibility for its contents or indicating agreement therewith or evidencing sight of the document.

The Florida Digital Signature Act of 1996 states:- " 'Signed' includes any symbol executed or adopted by a party with present intent to authenticate a writing." In the 1864 U.S. case of Weston -v- Myers, the Illinois Supreme Court stated:- "It is true that a written signature in script may be a safer mode of subscribing one's name, but where a party has adopted a signature made in any other mode, and had issued an instrument with such adopted signature, for value, he is estopped from denying its validity." The essence of a signature is the intent of the person adopting it, not the security it embodies.

We believe that wording similar to that adopted in Florida would be sufficient to meet both the present and any future signature requirements. In addition such a wording meets the technology neutrality principle which we have mentioned above.

Electronic signatures also have one feature which makes their use even better than "traditional" signatures; unlike the hand-written signature, an electronic signature cannot be forged, nor can the underlying document be altered. If only page 30 of a document is signed, a dishonest party could make a minor alteration subsequently on page 4 and this would not be apparent from the document. With an electronic signature, the signature could be bound to the actual document so that if any change were made, this fact would be apparent when the signature block was checked.

The UNCITRAL Model Law on Electronic Commerce proposes that a signature could be made electronically provided a method is used to:

Our comments on the Proposals are in keeping with the UNCITRAL approach.

We note the Government's proposals regarding the licensing of Certification Authorities. These proposals are in line with the approach adopted in other jurisdictions, notably the EU and Malaysia.

In the Australian Electronic Commerce Expert Group ("ECEG") report mentioned above the ECEG adopted the following definition of an electronic signature:-

"Electronic signatures can be defined as any symbol or method executed or adopted by a party with the present intention to be bound by or to authenticate a record, accomplished by electronic means. Authentication is generally defined to mean establishing the validity of the identity of a particular entity. Electronic signatures could include a sophisticated biometric device, such as a fingerprint computer recognition system or even the simple entry of a typed name at the end of an e-mail message. This definition focuses upon the legal purposes of the signature, not upon the particular technology used to accomplish the signature."

The Certification Authority system proposed by the Consultation Paper would not cover all these (and other) possibilities. The only type of electronic signature which the Proposal addresses is that of the digital signature - the dual key pair asymmetric cryptography system. This takes many forms, not all of which involve the use of third parties. One of the most common systems of digital signature, Pretty Good Privacy ("PGP"), uses the same key pair for encryption (discussed later) and for signature. For this reason the Paper's proposal to split access between keys for signing and keys for encryption is unworkable and not technologically neutral.

The Consultation Paper states that an electronic (presumably digital) signature backed up by a certificate from a licensed Certification Authority will automatically satisfy the conditions necessary to be regarded as legally equivalent to a hand-written signature. An electronic signature not backed up by such a certificate is not denied legal recognition but it would appear that evidence will require to be led as to its effect. This is not neutral from a technology perspective and appears designed to force users into the Certification Authority route - perhaps for the encryption reasons discussed later. Why should users not be their own "Trusted Third Party" for digital signatures; after all we trust few people as much as ourselves? What is the position if a user chooses to use a Certification Authority based outwith the UK / EU? Initial indications suggest that a number of public sector bodies will be offering themselves for licensing as Certification Authorities. Irrespective of our law-abidingness, many citizens would be concerned by the concept of "trusting" the government to look after their secrets.

The proposals in the Consultation Paper are not technologically neutral, entrust to parties selected by government (through the licensing system) and within the control of that government a role of being in control of the citizen's secrets, and may breach the fundamental human rights of the citizen set out in the European Convention on Human Rights.

A preferable approach would be to provide that:-

a) Unless otherwise provided by law or contract, the recipient of an electronic signature assumes the risk that an electronic signature is forged, if reliance on the electronic signature is not reasonable under the circumstances.

b) In assessing reasonability, the following shall be taken into account:-

i) that it is unique to the person using it;

ii) that it is capable of verification;

iii) that it is under the control of the person using it;

iv) that it is linked to data in such a manner that if the data are changed, the digital signature is invalidated."

This would allow the government's preferred approach, whilst not penalising, directly or indirectly, those who preferred an alternative solution.

  1. OTHER POSSIBLE LEGISLATIVE CHANGES TO PROMOTE ELECTRONIC COMMERCE

    A) The Need for Change

    Provided that the primary legislation mentioned above is adopted to assimilate, from a legal perspective, hand-written and electronic documents, we do not believe that, at the present time, any specific legislation is required in this area.

    B) Examples of Other possible Legal Barriers to Electronic Commerce

    We believe that the use of electronic filing and communication should be encouraged by government, possibly by financial incentives, and that the legislation should be drawn as widely as possible to allow for future technological developments.

    We believe that provisions similar to Articles 11, 12, 14 and 15 of the UNCITRAL Model Law could usefully be incorporated into a UK Electronic Commerce Act.

    Article 11.  Formation and validity of contracts

    (1)  In the context of contract formation, unless otherwise agreed by the parties, an offer and the acceptance of an offer may be expressed by means of data messages. Where a data message is used in the formation of a contract, that contract shall not be denied validity or enforceability on the sole ground that a data message was used for that purpose.

    (2)  The provisions of this article do not apply to the following: [...].

    Article 12.  Recognition by parties of data messages

    (1)  As between the originator and the addressee of a data message, a declaration of will or other statement shall not be denied legal effect, validity or enforceability solely on the grounds that it is in the form of a data message.

    (2)  The provisions of this article do not apply to the following: [...].

    Article 14.  Acknowledgement of receipt

    (1)  Paragraphs (2) to (4) of this article apply where, on or before sending a data message, or by means of that data message, the originator has requested or has agreed with the addressee that receipt of the data message be acknowledged.

    (2)  Where the originator has not agreed with the addressee that the acknowledgement be given in a particular form or by a particular method, an acknowledgement may be given by

    (a) any communication by the addressee, automated or otherwise, or
    (b) any conduct of the addressee, sufficient to indicate to the originator that the data message has been received.

    (3)  Where the originator has stated that the data message is conditional on receipt of the acknowledgement, the data message is treated as though it has never been sent, until the acknowledgement is received.

    (4)  Where the originator has not stated that the data message is conditional on receipt of the acknowledgement, and the acknowledgement has not been received by the originator within the time specified or agreed or, if no time has been specified or agreed, within a reasonable time, the originator:

    (a) may give notice to the addressee stating that no acknowledgement has been received and specifying a reasonable time by which the acknowledgement must be received; and
    (b) if the acknowledgement is not received within the time specified in subparagraph (a), may, upon notice to the addressee, treat the data message as though it had never been sent, or exercise any other rights it may have.

    (5)  Where the originator receives the addressee's acknowledgement of receipt, it is presumed that the related data message was received by the addressee. That presumption does not imply that the data message corresponds to the message received.

    (6)  Where the received acknowledgement states that the related data message met technical requirements, either agreed upon or set forth in applicable standards, it is presumed that those requirements have been met.

    (7)  Except in so far as it relates to the sending or receipt of the data message, this article is not intended to deal with the legal consequences that may flow either from that data message or from the acknowledgement of its receipt.

    Article 15.  Time and place of dispatch and receipt of data messages

    (1)  Unless otherwise agreed between the originator and the addressee, the dispatch of a data message occurs when it enters an information system outside the control of the originator or of the person who sent the data message on behalf of the originator.

    (2)  Unless otherwise agreed between the originator and the addressee, the time of receipt of a data message is determined as follows:

    (a) if the addressee has designated an information system for the purpose of receiving data messages, receipt occurs:
    (i) at the time when the data message enters the designated information system; or
    (ii) if the data message is sent to an information system of the addressee that is not the designated information system, at the time when the data message is retrieved by the addressee;
    (b) if the addressee has not designated an information system, receipt occurs when the data message enters an information system of the addressee.

    (3)  Paragraph (2) applies notwithstanding that the place where the information system is located may be different from the place where the data message is deemed to be received under paragraph (4).

    (4)  Unless otherwise agreed between the originator and the addressee, a data message is deemed to be dispatched at the place where the originator has its place of business, and is deemed to be received at the place where the addressee has its place of business. For the purposes of this paragraph:

    (a) if the originator or the addressee has more than one place of business, the place of business is that which has the closest relationship to the underlying transaction or, where there is no underlying transaction, the principal place of business;
    (b) if the originator or the addressee does not have a place of business, reference is to be made to its habitual residence.

    (5)  The provisions of this article do not apply to the following: [...].

    We are not convinced that the options proposed by the Model Law are correct from a UK perspective (particularly in relation to Article 15) but believe that this is an area in which primary legislation is required.

  2. OTHER LEGISLATIVE POSSIBILITIES

    A) Unsolicited Commercial E-Mail (Spam)

    Given the international / transnational nature of the Internet, we doubt whether industry self-regulatory initiatives, however well-meaning, can wholly solve the problem of Unsolicited Commercial E-Mail ("UCE").

    In the US, the Netizens Protection Act 1997 (H.R 1748) was drafted to amend the US Communications Act of 1934 to provide that it was unlawful for any person within the US to use a computer or other electronic device to send unsolicited advertisements to an e-mail address: (1) of an individual with whom the sender lacks a pre-existing or ongoing business or personal relationship unless such individual provides express invitation or permission; or (2) unless the sender clearly provides, at the beginning of the advertisement, the date and time of the message, the identity of the business, entity, or individual sending the message, and the sender's e-mail address. The 1997 Act was referred to the Subcommittee on Telecommunications, Trade and Consumer Protection in June of last year.

    Another Act proposed at federal level is the Electronic Mailbox Protection Act (s. 875). This proposal would ban "spoofing" and also obligate spammers to produce "do not contact" lists. Again, there is a heavy fine imposed on junk e-mailers for non-compliance.

    In May of 1998, the US Senate accepted a spam provision to the Anti-Spamming Amendments Act (s.1618/H.R 3888). This requires "spammers" to correctly identify themselves and to honour the recipient's request of their removal from the sender's mailing list. If the request is ignored, then heavy penalties will result. These provisions mirror the Nevada Senate Bill 13 (1997), which became effective from 1 July 1998.

    The Washington House Bill 2752 (1998) was enacted in March and became effective from 11 June 1998. This provides for the prohibition of bogus headers and misleading subject lines in commercial electronic mail. A select task force also was being set up to deal with the requirement for additional legislation on this subject.

    In the state of Maryland, E-mail Harassment Bill 140 was introduced in April of 1998, to prohibit the use of e-mail with intent to harass. Using the e-mail for anonymous or persistent communications with the intent to "annoy, abuse, torment, harass or embarrass one or more persons" could result in a maximum fine of $500 and/or imprisonment for a year. In February 1998, Maryland House Bill 1114 (1998) was introduced and referred to a committee. This will provide for the prohibition of commercial solicitations by e-mail.

    However, the legislation discussed above does not appear to meet with everyone's approval, in particular on the question of enforcement. Although the bills may go a long way to control domestic junk mail, it is debatable whether a citizen is protected from an overseas spammer. Similar issues exist in relation to any proposed UK legislation.

    Even if the UK were to pass legislation prohibiting UCE on penalty of large fines or imprisonment, this would have little effect as much UCE emanates outwith the UK, and the inevitable result of legislation such as mentioned above is to drive those who send UCE to less restrictive jurisdictions.

    The problem requires to be dealt with internationally. In the EU, the draft Commission E-Commerce Directive proposes dealing with UCE, although as with the UK Consultation Paper, the position is confused.

    One of the issues which has to be addressed at European level is whether there should be an e-mail preference service as exists in relation to direct mail and telephone selling. In the UK recipients can opt out of such marketing and reputable marketers respect such opt out (unscrupulous marketers who are not members of the main industry bodies are largely uncontrolled). In some of Europe it is suggested that recipients should opt in if they want UCE; this would, we believe, be unworkable even at national level.

    Even if either of these schemes were adopted it would not assist in the problem of non-EU UCE; perhaps one solution might be to penalise those within the EU whose services were being marketed rather than the marketers themselves; a similar approach has been largely successful previously in the UK in relation to advertising on "pirate" radio stations and the advertising of and on "banned" satellite television channels of an adult nature.

    We do not consider that extension of the EU Distance Selling Directive (97/7/EC) or the EU Telecoms Data Directive (97/66/EC) would be of assistance in this area.

    We believe that ISPs should not be penalised if their subscribers engage in bulk UCE transmission. Most reputable ISPs already prohibit spamming, but the interpretation of what constitutes "bulk e-mail" is far from clear and should not be the subject of legislation. If an ISP is being used for UCE sending, this will impact rapidly on his service and through complaints from other subscribers and those who receive the UCE. We believe that such commercial pressures will be sufficient to encourage ISPs to prevent or limit UCE.

    B) The Role of Intermediaries in Electronic Commerce

    We do not believe that any of the matters raised in the Consultation Paper require either Primary or Secondary legislation.

    Given that we believe that the law in relation to electronic commerce should facilitate electronic commerce by ensuring that it is on a level playing field with traditional forms of commerce, we do not consider that there should be afforded to electronic commerce any statutory benefits not afforded by statute to existing forms of commerce.

  5. Licensing regime for trust service providers

    A) General

    We consider this part of the Consultation Paper to be one of the most serious, most concerning and least convincing parts of the Government's proposals. Whilst we recognise, and would not disagree with, most of the specific points set out in Annex A to the Consultation Paper, the whole ethos seems to be underpinned by the law enforcement agency rights referred to in paragraphs 35, 37 and 48 - 90. This agenda is reinforced by the fact that in a Paper supposedly on assisting the promotion of electronic commerce almost half is given over to the needs of law enforcement agencies.

    In relation to the provisions of part IV of Annex A ("Conditions on key Recovery Agents") we do not believe that this is a right which law enforcement agencies should have and therefore we do not consider that any standards are appropriate. If, however, the government are minded otherwise (as we believe them to be) we believe that the tests and standards must be at the highest level and that a warrant signed by a High Court Judge or equivalent stating specifically the purpose of the obtaining of the private key must be the minimum test.

    We remain, however, of the opinion that, if it remains the government's intention to have compulsory key recovery in these circumstances from UK Trusted Third Parties (Licensed Certification Authorities), users of encryption will move to less penal jurisdictions.

    Contrary to that which is implied in the Consultation Paper (para. 35), there is no reason to encrypt information other than for confidentiality. This is recognised by the DTI in their "Information Society Initiative" in which they state in relation to PGP (a non-escrowed key encryption product), "A range of encryption software has been developed to address [the problem of security]. The programmes make it easy for you to put your message into code before sending it and for the recipient to decode it at the end of its electronic journey. The most popular software for this purpose, and the de facto world standard, is PGP (Pretty Good Privacy). Look at the Web site www.pgp.com for more information. Be aware that the use of some encryption systems may be illegal in certain countries."

    This is the very security which the government is seeking to abrogate.

    B) Licensed and Unlicensed Services

    We would envisage that licensed providers will be issued with registration numbers for each service for which they are licensed and there should be a requirement as part of the licence conditions that the registration number be shown in respect of a licensed service. It would be a criminal offence to advertise a service as licensed which was not so licensed or to falsify a registration number. The absence of a registration number in respect of non-licensed services would make their status clear.

    C) Liability

    We believe that in order to carry out licensed services a Certification Authority (or provider of other licensed services) must be required to obtain and maintain insurance at a level sufficient to meet claims by those who rely on a certificate (or other service) issued or carried out by it. We believe that there should be a minimum level of insurance (50 million) and that the Certification Authority should be required to state that it is licensed and the level of insurance it carries. This will lead to competition between providers, who may each select differing levels of cover.

    An unlicensed Certification Authority should be liable for its negligence or fault, although the fact that it does not claim to be licensed should reduce the level of damages that might be awarded against it. We believe that minimum levels of insurance should be imposed on all parties carrying out certification services, whether or not licensed.

    We do not believe that any specific "duty of care" need be imposed in relation to holders of private signature keys, any more than at present a specific duty of care is imposed on holders of Bank ATM PIN numbers. Given that there will be a presumption that the private key was used by the holder or with his knowledge, we believe that the commercial consequences of a private key being wrongly used will be sufficient incentive for cancellation of the key if it is compromised.

    D) Licensing Fees

    No comment

    E) Export Controls

    No comment

  7. Law enforcement interests in cryptography

    Despite the impression given in the Consultation Paper, not all who use encryption are drug traffickers, terrorists and paedophiles. Scientists and other researchers exchanging research findings; businesses exchanging trade secrets, financial plans, sales information etc amongst management; accountants, lawyers and other professionals exchanging case related data; doctors exchanging diagnostic and other medical information etc. All have a legitimate and lawful need for encryption. We, of course, deplore the use of encryption by criminals at all levels but this does not give law enforcement agencies the right to intercept their private communications without their knowledge (other than as provided in the Interception of Communications Act). Criminals have been known to use getaway cars; should the police not have the right (following the "logic" in relation to encryption) to have each garage send them a set of keys for every car sold just in case they want to look in the glove box?

    We recognise that powers of search are afforded to law enforcement agencies in many circumstances and that the problem with encryption is that even after lawful interception, the message is hidden. However, this is not a new feature; the wartime BBC messages to resistance groups were early cryptography but unless you knew what "Mother will be late for tea" meant the message remained secret. Even under the government's proposals such a message would still be unknown - and not subject to code book seizure.

    We find the statement (in para 50) that "Law enforcement agencies would be better able to investigate such criminal activities if they had a power to obtain relevant encryption keys", trite. It would also be easier if the criminals advised them in advance what they were planning to do, but that also seems unlikely.

    Despite the assurances in paragraph 52 ("Common Myths"), we believe that the whole thrust and tenor of the Consultation Paper is to push business towards using a Licensed Certification Authority under the watchful eye of government. We find the argument that in some cases criminals used encryption to be insufficient to justify this major human rights violation which is being proposed. We do not wish to see the activities of law enforcement hindered but seriously question whether criminals of the types emphasised in the Consultation Paper are likely, after engaging in drug trafficking, terrorism or paedophilia, to be worried about breaking the law by not providing a private key escrow. Why would these criminals choose a form of encryption which was patently insecure from their perspective when other systems were readily available?

    For these reasons we are concerned that the major result of these proposals will be to stifle the legitimate growth of electronic commerce through the use of encryption as parties who would otherwise choose the Certification Authority route will be discouraged by the thought (however unlikely) of "Big Brother" looking over their shoulder. We are also concerned that the government's obsession with this area owes more to fiscality than to international crime.

    As far as we are aware, the law enforcement agencies cannot force a person to provide a password or any other information which might be used to incriminate him (other than DNA and fingerprints); given the government's intention to provide a technologically neutral approach to electronic commerce, why is this different?

  9. The partnership approach

    We welcome the government's desire for partnership. We wonder however whether this is best achieved by requiring TSP's to provide information to the law enforcement agencies without the knowledge of their customers. We are minded of the problems which have been created by a similar regime under the Money Laundering Regulations in relation to the activities of professionals such as accountants and solicitors who are being required to act contrary to the interests of their clients, without advising that client. We have grave doubts as to whether such disclosure requirements are compatible with the UK's obligations under the European Convention on Human Rights.

Conclusions

In conclusion, we welcome the government's desire to create a legislative framework in the United Kingdom which will allow Electronic Commerce to prosper and develop. We regret that the debate appears to have been derailed by the law enforcement issues of key recovery which should form but a small part of the topic.

In addition, we would encourage the Government, through its international links, to address the issue of intellectual property as we believe that the application of intellectual property rights (and in the area of e-commerce, particularly, trade mark rights) is likely to be one of the major obstacles in establishing a viable market in electronic commerce services and also in establishing a worldwide market for UK enterprises in this new developing area.

We would have liked the government's proposals in relation to electronic commerce to have clarified legislatively the position of ISP's. Whilst it had been thought that the Defamation Act provided some protection to ISP's, the decision of the High Court on 26 March 1999 against Demon Internet must cast doubt on this.

We are concerned that the provider of an information society service may still incur liability if he is informed by a third party that information which he is hosting or caching infringes the copyright or similar right or any other legal right of that third party. We do not believe that, until such time as a judicial order has been made, the service provider should be under any obligation to remove or disable access to information. It appears to us that to allow otherwise could lead to abuse by parties who did not wish accurate information with which they disagreed to be made available to third parties and that if a judicial intervention were not required the service provider could leave himself open to attack either by the party originally providing information or the third party objecting, no matter which way he decided it.

We believe that this needs urgent and effective legislative action.

An amendment to the Consumer Credit Act clarifying whether, and if so to what extent, credit card providers are liable in respect of electronic commerce problems would also be of assistance.

There are many other new areas in this new field emerging daily throughout the world. In most cases existing legal rules are sufficient to deal with them subject only to legislative input to ensure that the playing field is kept level.

Above all else, we believe that governments in the UK and elsewhere must recognise that there are aspects of this new frontierless society that cannot be readily controlled by national governments; that international agreement is necessary; and that governments should not seek individually to control that which can and will go elsewhere in the absence of a benign (or at least non-discriminatory) legal regime.

We have no objection to the publication of these comments.

For Further Information Contact:

 

MacRoberts Solicitors

152 Bath Street

GLASGOW G2 4TB, Scotland

 

David Flint Tel: +44 141 332 9988

df@macroberts.co.uk

Joanna Boag-Thomson

joannab@macroberts.co.uk Fax: +44 141 332 8886

Elaine McKinney

elainek@macroberts.co.uk


_____________

Last Revised: April 12 1999