Consumers' Association

_____________

Building Confidence in Electronic Commerce

Consumers’ Association response to the consultation paper issued by the Department of Trade and Industry

Ref: 99-135

Introduction

Consumers’ Association (CA) welcomes this opportunity to comment on the government’s detailed plans for a legal and policy framework that assists the building of trust in electronic commerce.

It is CA’s view that the electronic marketplace potentially offers many important benefits to consumers, particularly in terms of choice, convenience, competition in retailing, and efficient delivery of public services. Barriers to market entry are lower in an on-line environment, allowing suppliers to set up more easily and, increasingly, offering consumers an opportunity to by-pass restrictive distribution systems in retailing that have tended to keep prices high. Search costs for some consumers are also lower on the Net compared to the high street, and may fall further with the emergence of intermediaries who undertake to search for the best deal on behalf of an individual consumer. In this way the growth of e-commerce may well increase competitive pressure in retailing, with attendant benefits in terms of prices, quality and choice. By enabling easier communication between consumers, the on-line market may begin to erode the traditional power imbalance between suppliers and consumers, who traditionally have been diffuse and difficult to organise collectively.

However, these potential benefits are certainly not secured, and will only be fully realised if a proper public policy framework is in place to ensure consumer confidence and trust in electronic trade. We are still at a stage where only a minority of consumers, and the narrower population of Internet users, have actually taken the plunge and purchased goods electronically.

The extent of consumer mistrust in, and misconceptions about, some aspects of e-commerce was underlined by two pieces of market research commissioned by Which? Online in 1998. Fears and misconceptions about using the Net abound, even in the case of users. Just over half of consumers (Internet users and non-users) believe that the Internet facilitates fraudulent practices and just over one in three fear that it could pose a threat to national security. Just over two thirds of those surveyed said that they feared that, once personal details are placed on the Net, these can be accessed by anyone. The most widely held concern, however, was in relation to content of material transmitted over the Net - 89 per cent believe that the Net provides easy access to pornographic material, while 60 per cent think that there is no way of restricting children’s access to such content.

These concerns point in part to a need for greater consumer education about e-commerce. They also indicate the importance of measures to build greater consumer confidence and trust in the on-line world. For this reason, we support measures that would put electronic transactions on a more secure legal footing and give reassurance to consumers that, in theory, they have the same level of protection when engaging in e-commerce as they would in an off-line context.

We note that the consultation paper and responses to it will help shape legislation to be introduced in the current parliamentary session. Because of this impending legislative deadline and the relatively short consultation period, we have confined our comments below to what seem to us to be the main substantive consumer issues raised by the consultation paper - the use of encryption for authentication and confidentiality purposes, the shape of any licensing system for providers of encryption services, key escrow and key recovery, and liability. There are of course other elements that may play a role in promoting e-commerce, but these fall outside the scope of the consultation paper.

Specific Comments

The proposed licensing system

Cryptography clearly will play a major role in authenticating electronic communications (via digital signatures) and ensuring their integrity and confidentiality (via encryption). A voluntary licensing regime for providers of cryptography services (or Certification Authorities as they are called in the paper) will reassure consumers and businesses about the integrity of organisations providing such services and the nature of the technologies used. This should engender greater consumer confidence in transacting electronically and contribute to the long-term growth of e-commerce.

We recognise that a voluntary licensing system may mean that some suppliers and consumers will be potentially facing a higher level of risk when relying on cryptography services provided by unlicensed Certification Authorities, either because a digital signature is at greater risk of repudiation, or because the confidentiality or integrity of electronic messages is less assured. Such a situation may be acceptable provided that consumers are aware that they are relying on unlicensed cryptography services and that a greater risk may therefore be involved. Consumers will, however, need to be able to ascertain easily whether a Certification Authority providing cryptography services is licensed or unlicensed. Further work and consultation is needed in order to explore the best way of doing this.

Digital signatures

We welcome legislation to put digital signatures on a more secure legal footing and to ensure that, as far as practicable, such signatures have legal equivalence with written signatures.

The consultation paper suggests two possible routes to ensuring that the law is technologically neutral in its treatment of signatures, electronic or written. One approach is to update statutory requirements for written signatures contained in primary legislation. The second is to take powers in primary legislation to update requirements by Statutory Order on a case-by-case basis. The second approach seems preferable to us in terms of speed and flexibility, provided that the specific safeguards mentioned in the paper (e.g. that any powers taken are tightly focused on the objective of ensuring legal recognition) are incorporated into such an approach.

In some circumstances, there may be valid reasons for a difference in the treatment of written and electronic signatures. Therefore, any case-by-case updating of the requirement for written signatures should be subject to consultation in each case, so that the rationale for any difference in approach can be explored.

It seems appropriate that the Government should not seek to deny legal recognition to electronic signatures not backed by certificates from licensed Certification Authorities, though it is clear that suppliers (and possibly consumers) relying on such signatures may face higher risks of repudiation in the event of a contractual dispute.

We agree that there are differences in the policy issues raised by digital signatures issued solely for authentication purposes, and encryption services used for confidentiality purposes. It therefore seems appropriate that these differences in usage are reflected in the voluntary licensing regime for providers of the different services.

Key escrow and key recovery

The consultation paper notes that there is a potential balance to be struck between the benefits of encryption technologies and services in promoting electronic commerce, and the need to maintain public safety and national security. We would tend to support the view expressed in the OECD Guidelines on Cryptography Policy that this balance can best be achieved by ensuring that measures governing law enforcement access to keys are both proportionate and accountable.

In light of the importance of confidentiality services to the development of e-commerce, powers allowing law enforcement access to encrypted information in electronic form should be no greater than existing powers allowing access to information contained in other forms, and should be subject to the same legal safeguards and degree of judicial oversight. We therefore welcome the Government’s statement that its proposals are simply concerned with maintaining the effectiveness of existing legislation and will not extend the surveillance powers of the law enforcement, security, and intelligence agencies. This should be written into the Act. Given concerns that compulsory key escrow could pose a barrier to the development of e-commerce, particularly for small and medium-sized enterprises, we welcome the Government’s decision to remove key escrow and third party key recovery as mandatory conditions for participation in the voluntary licensing scheme. This is not to say that Trusted Third Parties and key recovery technologies may not play a significant role in the marketplace: such services may be attractive to some businesses as a safeguard against loss of encrypted data.

Other issues

Licensing Authority

The consultation paper notes that, while the Secretary of State will be given powers to issue and modify licences, these powers are likely to be delegated to another body, which will have powers to contract out some of its functions if necessary. We agree that, in the first instance, licensing powers should be delegated to a statutory body (i.e. OFTEL), in order to ensure that the voluntary licensing regime is operational relatively quickly, with the possibility of delegation of some of these functions to an industry body at a later stage. These arrangements should be subject to review.

SPAM

We agree that industry self-regulation initiatives, based on opt-out provisions, are likely to be the most effective means of tackling unsolicited email. We also support the proposal in the draft Electronic Commerce Directive for measures that would allow users to identify emails as SPAM before they are opened.

Liability

We support the view that there should be a statutory limit on liability of licensed Certification Authorities that cannot be decreased by contractual terms.

The issue of whether there should be a specific duty of care imposed on holders of private signature keys (e.g. to notify the Certification Authority within a certain time frame in the event of the security of the private keys being compromised) requires further consideration. There may be differing views of what should reasonably be expected of private key holders in such circumstances, particularly given the relative complexity of cryptography services.

Consumers’ Association

April 1999

_____________

Last Revised: May 10 1999