Submission on the Electronic Commerce consultation of the DTI
April 1 1999
This is a response to the DTI paper "Building Confidence in Electronic Commerce" URN 99/642, issued on 5 March 1999. It is submitted by Barry John Chatfield, who can be reached at the electronic mail address barr@dbconsult.co.uk.
This submission contains only my own opinions.
I am currently the Director of Database Consultants Ltd. which has provided database administration & development services since 1995.
Over the past 2-3 years the internet has been a growing source of data stored in my clients databases. Obviously any public perception of an adverse climate for the secure storage and transmission in the UK will adversely affect my business and those in contract and permanent employment in the same business area.
I therefore have an interest in the establishment of a sound policy that will inspire international public confidence in the UK's infrastructure & business climate.
On Thursday 11th March 1999 I faxed a letter to the Secretary of State for Trade and Industry, objecting to the abbreviated consultation period on this document. The reply I received from Dr Stephen de Souza indicated that legislation will be introduced shortly after Easter.
My concerns regarding the consultation are amplified by this reply. Not only are the public not to be allowed sufficient time to make constructive comment on this document, but it would seem that the DTI has no intention of spending sufficient time considering the responses that it receives.
The incomplete removal of Key escrow from the released draft of the consultation document presages the rushed nature of this consultation. The overall impression is of a consultation process that is only being undertaken for form's sake.
However, in the hope that some good may come of making comment, I submit my response.
In general, I am in whole-hearted agreement by the submission made by Mr Clive Feather. There are however some other points I wish to make.
While the consultation document concentrates on the commercial impact of regulating encryption within the UK, the true scope of the internet's reach is global. Just as email has grown as a quick, reliable method of communication based on a common standard, in order for an encryption product to gain public acceptance it will need to be globally available, based on a common standard, and reliable.
Products such as PGP already provide this technology on a global basis. Any product mandated by the UK government will have a legal basis within the UK, but, will not gain international acceptance for a number of reasons.
1. The UK's role in the UKUSA system & Echelon is now widespread knowledge; see the following websites :
2. The provision of government sponsored crippled / broken encryption software.
Sweden's government bought Lotus Notes without realising that the version exported from the US has part of its key handed over to the NSA reducing the effective key-length to 40 bits.
"The great story of the solution of the Enigma machine ... remained a tightly held secret for almost 30 years. ... The British government insisted upon this because it had given the thousands of Enigma machines that it had gathered up after the end of the war to its former colonies as they gained independence and needed secure systems of communication." (The Codebreakers, Kahn, 1996, ISBN 0-684-83130-9)
The only way to build public confidence in the security of their communications is through a roots-up acceptance of independently developed technology.
Not only is there profit in Britain providing an e-commerce friendly environment, but Britain is in a position to produce much of the cryptographic technology to support that environment on an international market. It can only do that if the overseas perception is not of an industry that is 'in bed' with the UK Government.
While the DTI's emphasis in this consultation is naturally on e-commerce, it cannot be unaware of the non-commercial / non-financial applications of encryption. The UKERNA submission mentions several areas that need consideration, such as distance learning and examination marking. I'm sure that other organisations such as Amnesty International can make equally valid non-commercial cases for freely-available, non-escrowed encryption free from the taint of contact with any government.
It is my firm view that it would be counter-productive for the government to give any encryption technology or product an endorsement any stronger than "you may use this encryption product/technology to communicate securely with any government department".
On this I find myself in agreement with Labour's stated position prior to the general election :
"It is important that privacy is rigorously protected over the new networks, for both personal and commercial reasons. We do not accept the "clipper chip" argument developed in the United States for the authorities to be able to swoop down on any encrypted message at will and unscramble it.
"The only power we would wish to give to the authorities, in order to pursue a defined legitimate anti-criminal purpose, would be to enable decryption to be demanded under judicial warrant (in the same way that a warrant is required in order to search someone's home).
"Attempts to control the use of encryption technology are wrong in principle, unworkable in practice, and damaging to the long-term economic value of the information networks. There is no fundamental difference between an encrypted file and a locked safe. A safe may be effectively impregnable in that the effort taken to open it would destroy the contents. An encryption algorithm, similarly, may be effectively unbreakable.
"Furthermore, the rate of change of technology and the ease with which ideas or computer software can be disseminated over the Internet and other networks make technical solutions unworkable. Adequate controls can be put in place based around current laws covering search and seizure and the disclosure of information. It is not necessary to criminalise a large section of the network-using public to control the activities of a very small minority of law-breakers.
"In all other areas, privacy must be rigorously protected, particularly in the light of the potential for secondary, micro-marketing on the new networks. The Data Protection Act already applies to personal information held in relation to computerised services and providers should be aware of their responsibilities under the Act. We would wish to consult with the Registrar to ensure that the provisions of the Act provide adequate protection for new digital services.
"As long as sources were only traced when specific legal permission for defined reasons had been given, and this process were openly monitored, we believe the arrangements set out above would provide the most appropriate balance between freedom of speech and freedom from harm."
Barry J Chatfield 1 April 1999
Go back to the start of this document.
Go to the library of current responses.
Last Revised: April 12 1999