1st April 1999
Until recently much misunderstanding and considerable uncertainty on the implications of E-Commerce has been raised by a lack of communication between practitioners and policy makers, IT suppliers and users, various government departments, law enforcement and the security services.
Resulting confusion over government policy in this area has, to our knowledge, led to at least one major bank opting not to use the UK as a base for certain E-Commerce operations.
We welcome the consultation paper and the considerable efforts both the DTI and Home Office have made recently to communicate with the industry at many meetings, including three sponsored by ourselves. But we remain concerned that consultation between all these groups, both formal and informal, should continue and broaden, as promised, beyond 1st April.
Although it is encouraging to note that a number of meetings have taken place with users and practitioners, we remain disturbed by the lack of representation for users on the Task Force considering practical alternatives to key escrow.
We urge that a formal and effective framework for furthering broad communication, to include real participation by representatives of the major IT organisations, user groups, IT suppliers and other key parties, must be put in place as soon as is practicable.
This continued consultation must be on a broad level because E-Commerce itself is broad. Indeed, Barbara Roche, representing OECD ministers at the OECD conference in Ottawa last October, said that E-Commerce extends beyond business, reaching into every facet of society and is, above all, a global issue. It covers a wide range of issues from taxation, legal liabilities, data protection, copyright, intellectual property rights, and consumer protection.
These issues are still actively being debated at European and global levels and UK legislation will ultimately have to take account of future agreements here.
In that context it was premature to combine law enforcement issues so intricately with the current E-Commerce proposals. Despite the revised stance on key escrow, there are persistent concerns that a form of key escrow may be introduced by the back door in the future. The government needs to clarify its position on this at the earliest opportunity.
We believe that the requirements of law enforcement and those of national intelligence and security, especially with regard to encrypted data, should be disentangled and debated in full in the forthcoming revisions to the Interception of Communications Act. IT practitioners, especially in the banking sector, are willing to help law enforcers in this area, provided they know what law enforcement's requirements are. A new model is necessary because using the existing one for telephone tapping to intercept heavily-encrypted data communications flows is not technically viable.
Although decryption may be desirable by national security agencies, there is evidence that electronic data traffic flow analysis may be as effective in catching criminals for the law enforcement agencies.
Without key escrow, the rationale for the remaining proposals for a voluntary licensing structure is weak. A code of conduct, a form of industry self-regulation, or some form of BS7799-like accreditation would all be based on stronger foundations and more likely to work in practice in this fast-moving area.
The legal liabilities of the planned licensing regime, for example with regard to presumption on responsibility for digital signatures, also need to be addressed in detail. An area that needs particular work is the duty of care offered by certification providers to parties reliant on their digital signature or confidentiality service. Users have the right to expect that service providers will have sufficient capital adequacy to offer them financial redress.
In addition, the government's position on the legal acceptability of digital signatures is flawed. Currently, the government's proposals suggest a presumption that if your digital signature is used, you are legally bound by it and are liable for the consequences of the transaction. That is a significant change from the situation with written signatures, where you are not legally bound by a signature, even if it appears to be yours.
On a national level, we see telecommunications issues such as pricing and the impact of voice services over the Internet, as vital to the future viability for the UK in E-Commerce. We therefore urge that this area be fully incorporated into the debate.
Several countries, notably Canada, Australia and Singapore, have developed E-Commerce policies that clearly separate law enforcement issues from commercial E-commerce facilitation. Unencumbered by such law enforcement concerns, these are proving attractive centres for E-Commerce investment. We urge that the government scrutinise developments in these countries to ensure that we are not caught napping.
Singapore already explicitly integrates developments from areas as diverse as primary school education and tax incentives into an E-Commerce master plan. It is questionable whether the UK government has really considered how it can lead, and not simply follow such E-Commerce innovation.
It is understood that when it is introduced, the Bill will largely empower secondary legislation in which the necessary detail will be contained. It is imperative for industry and public confidence that such legislation should be clearly and publicly announced with at least a two-month consultation period for each statutory change or introduction. Computer Weekly will continue to offer itself as a conduit for such discussions.
Dr John Riley and David Bicknell
Go back to the start of this document.
Go to the library of current responses.
Go to FIPR home page.
Last Revised: May 18 1999