FIPR Draft Ecommerce Bill Press Release
For more information, contact FIPR.
Since the early 1990s, civil service policy advice to Conservative and Labour Ministers has advocated draconian legislation restricting the use of encryption on the Internet. The Conservatives proposed compulsory licensing of encryption in Government, but recanted in opposition. Labour opposed controls in Opposition, but now propose "decryption notices" which overturn basic principles of human rights and civil liberties.
Today the Government published an Electronic Communications Bill that will give ministers broad powers to control the use of encryption in electronic commerce. Although some of the more objectionable aspects of previous proposals have been dropped from primary legislation, the bill gives ministers the power to introduce them later as regulations.
Caspar Bowden (Director of FIPR) said:
'Electronic businesses can trade from anywhere in the world. Threatening a mountain of red tape will cause e-business to move to places with a more supportive climate such as Ireland or Canada.'
'The Home Office argues that being asked to produce a decryption key is like being asked to provide a DNA sample. But innocent people might lose a key to stored data, or never know the key to data that is e-mailed to them - and unless the court is convinced, it means jail.'
Overwhelmed by resistance from industry and users, the government has been forced to abandon a succession of elaborate but futile frameworks for regulation, wasting three years in which UK e-commerce could have established a world lead.
Compulsory licensing with mandatory key escrow subsequently became voluntary licensing linked to key escrow, and now the terminology has metamorphosed again into a register of approved providers. Despite a fiercely critical Trade and Industry Select Committee report, the DTI has ignored the spirit of their findings and appears still to want to keep open options for strict regulation. Six pages of impenetrably worded legislation could see the return of key escrow through secondary powers which would allow the Secretary of State to make escrow a condition of approval.
Businesses already deterred by vacillation and delay, will have little idea of what to expect until the regulations are eventually published. Different regulations can be published by different departments, no timescales are set out, and businesses will face constant debilitating uncertainty about whether electronic products and services may in future face much stricter regulation.
FIPR wishes to see cast-iron curbs on secondary powers which could require (or coerce) without further primary legislation: (a) operation of key escrow by approved providers, (b) linkage of weight or validity of signatures to being an approved provider, (c) use of approved provider of certificates or encryption for dealings with Government.
There are also serious civil liberties concerns. The bill will give police the power to demand decryption keys from anyone they suspect of possessing them, and failure to hand keys over can lead to a two year jail sentence. The defence will be presumed guilty of withholding a key unless they can prove otherwise (a likely contravention of the European Convention on Human Rights), and decryption notices will be secret, so it will be impossible to complain effectively if they are used in an oppressive way.
Handing over a decryption key used for years on end would give the police access to very much more information than they need. Decryption notices can also be served on innocent correspondents of a suspected person, with an indefinite obligation not to change keys and maintain secrecy.
FIPR believes that criminals should not be able hide behind encryption, but the way in which the government intends to deal with this is completely unsatisfactory and infringes basic human rights.
To obtain power to serve a decryption notice FIPR suggests that the authorities should establish to a judge with reliable evidence that the:
*) No presumption of innocence : burden of proof on defence to show they DO NOT have a key
*) "Tipping-off" condition - actually an indefinite obligation of secrecy of excessive width
The Trade and Industry Select Committee commented in their report:
(115): 'A number of respondents advocated that statutory instruments should be ratified by affirmative resolutionwe have been critical in the past of Government's reliance on regulations which escape effective parliamentary scrutiny.'
(107): 'Powers should not be taken in the forthcoming Bill to permit the introduction of key escrow or related requirements at a later date.'
Part I: Register of Approved Cryptography Service Providers
Part II: Admissibility of E-Signatures and Powers to Amend Legislation
The Director of the Foundation, Caspar Bowden, said:
'Civil servants have tried for years to get industry to buy into their proposals for regulating electronic commerce. It's time they realised that this is not going to happen, and that the world has moved on. Things are very different now from what they were in 1996 when these ideas were first floated.'
'A signature is valid at present if you intended to make it. The government is taking powers which could discriminate in favour of signatures certified by organisations joining their approvals scheme. So in future if you complain to your bank and say `I never signed that!' they could be able to say: `tough luck, it's an approved signature - you're liable'. When frauds start happening, the customer will be blamed.'
'Electronic commerce is being seriously harmed by the attempt to tie electronic snooping provisions in with this Bill. The proper place for snooping regulations is in the new Interception of Communications Act. Making wiretapping a condition of the licensing of electronic commerce will just undermine confidence and drive business away.'
FIPR is an independent non-profit organisation that studies the interaction between information technology and society, with special reference to the Internet; we do not (directly or indirectly) represent the interests of any trade-group. Our goal is to identify technical developments with significant social impact, commission research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe. The Board of Trustees and Advisory Council comprise some of the leading experts in the UK.
10 Jun 1996: DTI paper on regulatory intent concerning use of encryption on open networks.
17 Mar 1997: DTI Consultation Licensing of Trusted Third Parties for the Provision of Encryption Services.
27 Apr 1998: DTI Secure Electronic Commerce Statement.
19 Oct 1998: DTI Consultation paper postponed.
24 Nov 1998: Queen's Speech announces "Electronic Commerce Bill" this Parliamentary session.
3 Dec 1998: Trade and Industry Select Committee announces inquiry into E-Commerce.
19 Jan 1999: France abandons key escrow.
4 Mar 1999: PIU study announced at No.10 meeting for industry leaders, key-escrow "not the answer".
5 Mar 1999: DTI Consultation "Building Confidence In Electronic Commerce".
23 Mar 1999: "Scrambling for Safety III" conference: first public discussion of encryption policy by Home Office.
1 Apr 1999: 26 day response period of DTI Consultation ends: FIPR accumulates submissions on website.
19 May 1999: T&I Sel.Ctee Report "Building Confidence In Electronic Commerce: The Government's Proposals".
26 May 1999: Cabinet Office Performance and Innovation Unit Report, "Encryption and Law Enforcement".
22 Jun 1999: Home Office Consultation "Interception of Communications in the United Kingdom".
8 Jul 1999: Conservatives refuse to allow introduction of Bill under "carry-over" procedure this session.
23 Jul 1999: Draft "Electronic Communications Bill" published.
Cryptography and Democracy: Dilemmas of Freedom, a paper by Caspar Bowden, and Yaman Akdeniz, in Liberty eds., Liberating Cyberspace: Civil Liberties, Human Rights, and the Internet, London: Pluto Press, 1999, 81-125 - http://www.fipr.org/publications/cryptfree.pdf.
"Regulatory intent concerning use of encryption on open networks", DTI Jun 1996 - http://www.dti.gov.uk/cii/ENCRYPT/regpap1.htm.
Building Confidence In Electronic Commerce: The Government's Proposals, Trade and Industry Select Committee Report May 1999 - http://www.parliament.the-stationery-office.co.uk/pa/cm199899/cmselect/cmtrd ind/187/18702.htm.
Encryption and Law Enforcement, Performance and Innovation Unit Report, Cabinet Office, May 1999 - http://www.cabinet-office.gov.uk/innovation/1999/encryption/index.htm.
Building Confidence In Electronic Commerce, DTI Consultation, March 1999 - http://www.dti.gov.uk/cii/elec/elec_com.html.
Interception of Communications in the United Kingdom, Home Office Consultation June 1999 - http://www.homeoffice.gov.uk/oicd/ioca.pdf.
Licensing of Trusted Third Parties for the Provision of Encryption Services, DTI Consultation March 1997>.
Secure Electronic Commerce, DTI Statement April 1998 - http://www.dti.gov.uk/cii/c8/ana27p.htm.
STAND Website http://www.stand.org.uk/.
Other Press Releases:
Go to FIPR front page.
Go to FIPR E-Comm99 Draft Bill Review page.
Go to FIPR Electronic Commerce Policy Information Centre.
Go to FIPR Interception of Communications Information Centre.
Go to FIPR Regulations of Investigatory Powers Information Centre.
The Foundation for Information Policy Research is registered in England and Wales under the Companies Act 1985 as a private company limited by guarantee (No.3574631). Application for charitable status is in progress
Last Revised: July 23 1999