European Electronic Signatures Working Group

&

European Encryption Working Group

Response to DTI Consultation Document:

Building Confidence in Electronic Commerce

30 March 1999

_____________

 

The European Electronic Signatures Working Group (EESWG) and European Encryption Working Group (EEWG) appreciate this opportunity to respond to the Government’s consultation document Building Confidence in Electronic Commerce (URN 99/642, 5 March 1999). We welcome the Government’s initiative to promote the UK as the most attractive legal environment in the world in which to trade electronically. To that end, we strongly endorse the Government’s decision not to condition the licensing of service providers to their escrow of encryption keys, or otherwise to link key escrow to licensing, legal recognition of electronic signatures, or any other legal benefits.

We also welcome the Government’s decision to extend legal recognition to electronic signatures and electronic writing. We have concerns, however, that the proposed licensing regime, and specifically the proposal to link the legal validity of electronic signatures to licensing status or detailed licensing criteria, will make the UK an unattractive environment for on-line services and trade. Based on our long and varied experience in developing tools and services to support electronic commerce, we are convinced that these proposals are inconsistent with existing and emerging business models for the role electronic signatures will play as on-line commerce develops. In our view, the proposed regime will harm consumer confidence in e-commerce while imposing unnecessary—and in some cases prohibitive—costs on businesses and users.

As set forth more fully below, we would respectfully submit that the legislation reflect the following principles:

 

  1. All electronic signatures should be given full legal validity and effect.

    2. The consultation document specifies that electronic signatures that are either certified by a licensed CA, or are independently shown to meet the licensing criteria, will receive a rebuttable presumption of legal validity (¶ 19, 20). Any other electronic signature will be "capable" of being given legal effect and may be submitted in evidence, but will not be viewed as satisfying existing legal requirements for a hand-written signature (¶ 21).

    In our view, these proposals to extend legal recognition to only a limited class of electronic signatures are flatly inconsistent with the Government’s goal of promoting e-commerce. If left unchanged, they will make the UK a cumbersome and expensive location in which to engage in on-line transactions. The legislation would lessen consumer confidence in e-commerce, impose unnecessary costs on providers and users, and upset existing legal rules and commercial practices. In our view, the legislation should expressly provide that electronic signatures of all kinds enjoy full legal validity and should eliminate any link between the legal effectiveness of an electronic signature and the licensing status of the relevant certification authority (CA).

     

    1. All electronic signatures should presumptively satisfy the legal requirements for hand-written signatures.

      2. The legislation should provide that, where existing law requires the use of a hand-written signature, that requirement may be satisfied by any electronic signature unless the transaction at issue is expressly exempted for clear reasons of public policy. Specifically, the legislation should provide that all existing legal requirements for hand-written signatures may, after a limited period of review, be satisfied with any type of electronic signature, unless the legal requirement at issue is specifically excepted by a governmental department and confirmed by Parliament (¶ 18).

      In our view, the consultation document errs in proposing that only signatures certified by licensed CAs, or meeting the licensing criteria, would satisfy the legal requirement for a hand-written signature, or that such signatures would be entitled to a rebuttable presumption of non-repudiation (¶ 20). As set forth below, these proposals are inconsistent with accepted business practices, would distort the market in electronic signature services, mistakenly view non-repudiation as a feature of hand-written signatures, and are inconsistent with proposed EU law in this area.

       

      1. The proposed legislation is inconsistent with existing commercial practices and emerging business models.

        2. The proposed legislation is inconsistent with existing on-line practices as well as emerging business models on the role that electronic signatures are likely to play in e-commerce. Under the prevailing view, consumers will not purchase a single signature key pair, issued and/or certified by a single CA, with which they conduct all or even most transactions. Instead, users will hold a large number of different signatures, each issued or certified by a different CA and designed for clearly defined and limited uses. These signatures are likely to be based on some pre-existing relationship between the signatory and the issuer. Particularly where these signatures are used for relatively low-value transactions, issuers of these certificates are likely to be very cost sensitive and will not be able to pass on any additional costs associated with regulatory restrictions or licensing to their customers.

        Many of these certificates will be used solely for transactions between the signatory and either the issuer or those in a pre-existing relationship with the issuer. Thus, there will normally be no need for a licensing regime or other regulatory oversight to ensure adequate trust. The issuer will trust the certificate because it was issued by it or under its control. The signatory’s trust will normally be based not on the certificate itself, but on the signatory’s pre-existing relationship with the issuer. For instance, if an internet service provider issues certificates to its customers to transact with the provider or a defined group of retailers, the signatory’s trust will be based on its relationship with the provider, not on the procedures used to generate the certificate. Similarly, reliance on the certificate by third-party retailers will be based on their relationships with the provider itself, not on the specific procedures used by the provider to certify its customers’ signature keys.

        In addition, the proposed licensing scheme could make it more difficult for multi-national firms to implement viable electronic signature solutions. The consultation document does not expressly address avenues through which signatures certified by non-UK CAs could obtain mutual recognition under UK law, but seems to suggest that parties relying on such signatures "may be taking on a higher level of risk" (¶ 21). Given the inherently global nature of e-commerce, many multi-national firms might balk at the prospect of being forced to use UK-licensed CAs in order to obtain legal recognition for their electronic signatures in UK courts. We would therefore urge that the proposed legislation allow users to rely on non-UK CAs without thereby risking that their signatures will not be recognised in UK courts.

        The world of electronic commerce is populated by a tremendously diverse range of services and firms, each of which is searching for a successful business model. For electronic commerce to thrive, industry needs the freedom to experiment with and implement whatever business model—including electronic signature system—is most cost-effective, attractive to consumers, and best suited to the particular purpose. By limiting full legal recognition to only a narrow class of electronic signatures, the proposed legislation would constrict this natural market development and prevent the growth of innovative e-commerce services.

         

      2. The legal effect of electronic signatures should not be linked to the licensing status of the relevant CA.

        3. The legislation should not link any aspect of an electronic signature’s legal validity to the licensing status of the relevant CA. As an initial matter, we question whether CA services are sufficiently developed for detailed regulation of the type proposed given that these services are still in their infancy and may never present problems that would justify regulatory oversight.

        If the Government nevertheless proceeds with its proposals, it should ensure that the licensing status of the CA in no way affects the legal validity of the certified signature. The license should do no more than indicate to users that the licensee adheres to certain business standards or best practices. Users who value this information may then decide whether to pay any additional costs such licensing would entail. In this way, the market will determine the value of the license and whether the licensing conditions can be satisfied in a cost-effective manner.

        To link the legal validity of an electronic signature to the licensing status of the relevant CA would distort the market in certification services by giving consumers an artificial incentive to purchase licensed services solely for their legal effect, regardless of whether they value the licensing conditions themselves. This would make it impossible for policymakers or industry to measure accurately whether users perceive any actual value in the licensing conditions.

        The proposed legislation seems particularly inappropriate given the total absence of any indication that consumers or other users are being harmed by unregulated certification authorities, or that users want the legal effectiveness of their signatures to be linked to the licensing status of the relevant CA. The absence of firm evidence on either point strongly argues against the wisdom of such a licensing scheme, at least at this time.

         

      3. The consultation document confuses non-repudiation and legal equivalence to a hand-written signature.

        4. The consultation document specifies that the proposed licensing criteria are intended to increase the certainty of the relying party that the signatory is who he says he is—that is, to confirm the signatory’s identity. The document therefore concludes that the proposed legislation should create a rebuttable presumption that a qualifying electronic signature "correctly identifies the signatory it purports to identify" (¶ 19). This presumption would make it more difficult for the putative signatory to repudiate his signature in court.

        The legislative proposal errs by associating this property of non-repudiation with the very distinct property of legal equivalence to a hand-written signature. Non-repudiation has never been a feature of hand-written signatures, nor does the existence of a hand-written signature, or any other indication of assent to be contractually bound, ever prevent the putative signatory from claiming that the signature or other indication of assent is not his. To introduce such a presumption of non-repudiation solely with respect to electronic signatures would substantially alter existing legal doctrine and commercial practices.

        The legislative proposal would also make contracting on-line subject to legal risks that do not exist in the off-line world. For instance, even an electronic signature that satisfies the licensing criteria could be misused by a third party if the user lost control over the signature creation device were compromised. This added risk would clearly dissuade users from relying on electronic signatures to conduct business. Where this loss of control were not due to any fault of the signatory, forcing him to be bound by someone else’s use of his signature would be patently unjust. Even where the loss of control were due to the signatory’s negligence, binding him to the transaction may lead to results incommensurate to the degree of fault. The legislative proposal is particularly troublesome given the lack of any indication in the consultation document—nor are we aware of any—that parties to electronic commerce perceive any need for such a presumption of non-repudiation.

        Rather than impose rules subjecting electronic signatures to a presumption of non-repudiation, the legislation should instead provide that a party is bound by an electronic signature only if the message to which the electronic signature is attached was sent by the party or with his authority. This rule, which should apply to all electronic signatures, would provide true legal equivalence between hand-written and electronic signatures and more faithfully fulfil the Government’s goal of technology neutrality. Under such a rule, parties would have the same rights of repudiation with respect to electronic signatures as they have with respect to hand-written signatures—no more but also no less.

      4. The legislative proposal is inconsistent with the proposed EU Electronic Signatures Directive.

        5. The consultation document implies that the proposed licensing scheme and legal presumption are necessary in order to implement the proposed EU Electronic Signatures Directive. This is incorrect. Rather, legislation granting legal equivalence to all electronic signatures and eliminating any link between licensing status and legal validity would more faithfully implement the Directive.

        Article 5(1) of the current Council Working Group version of the Directive provides:

        "Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature creation device

        1. satisfy the legal requirement of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies that requirement in relation to paper-based data, and
        2. are admissible as evidence in legal proceedings."

        Article 5(1) seeks to harmonise Member State law only to the extent that it requires Member States to ensure that, with respect to the narrow class of electronic signatures meeting the criteria set out in the Directive, these signatures satisfy the requirement of a hand-written signature under national law. Nothing in Article 5(1) or any other section of the Directive in any way limits the ability of Member States to extend legal recognition to a broader category of electronic signatures—or indeed to all electronic signatures. Similarly, although the Directive provides that signature creation devices that meet the requirements of Annex III automatically satisfy the requirements of Article 5(1), nothing in the Directive limits Member States from extending full legal recognition to signatures created by devices that may not satisfy Annex III. Accordingly, the proposed legislation should not limit legal recognition to signatures created solely by "approved" devices (¶ 20).

        In addition, Article 5(2) of the current Council Working Group version of the Directive mandates the full legal validity and enforceability of all electronic signatures:

        "Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the ground that the signature is in electronic form, or is not based upon a qualified certificate, or is not based upon a qualified certificate issued by accredited certification service provider, or is not created by a secure signature creation device."

        To the extent the proposed legislation would have any impact on contracts that currently do not require a hand-written signature, it would in fact violate Article 5(2). As described more fully in Part II.B of this response, a party may currently indicate its consent to be bound to most contracts in any number of ways, including by electronic means. Any change in the existing legal regime that effectively rendered certain electronic signatures legally less effective than other forms of assent would deny legal effectiveness to such signatures solely because they were in electronic form, and thus would violate Article 5(2) of the Directive.

        Even where UK law currently imposes requirements for hand-written signatures, however, Article 5(2) strongly supports a legal regime that extends full legal recognition and validity to all electronic signatures. While the distinction between Articles 5(1) and 5(2) of the Directive may arguably justify differing legal treatment in Member States in which hand-written signatures are already legally vested with non-repudiation or similar features, this distinction does not justify differing legal treatment in common-law jurisdictions such as the UK, where non-repudiation has never been a property of hand-written signatures.

         

    2. At a minimum, the legislation should impose no new rules where existing law does not require a hand-written signature.

      3. The consultation document does not clearly distinguish between situations in which the law requires a hand-written signature and where it does not, but suggests that electronic signatures not meeting the legislative criteria might not constitute a valid form of assent even where the law does not currently require a hand-written signature (¶ 21). Legislation to this effect would have no basis in policy or law and if implemented would be extremely harmful to the development of electronic commerce.

      In the vast majority of commercial transactions, UK law does not require the use of a hand-written signature. Parties to these transactions indicate their consent to be bound by these contracts in a wide variety of ways, including by phone, fax, stamp, signature, hand-shake, wave, nod of the head, or whatever other means are appropriate under the circumstances. UK lawmakers and courts have long recognised that commerce requires flexibility in contract formation and that, in most cases, a party that indicates its assent to be bound by a contract should be held to that assent regardless of the manner in which it was conveyed

      It would be extremely harmful to the growth of electronic commerce if the proposed legislation were to specify that, even where the law does not currently require a hand-written signature, certain (or indeed any) types of electronic signature or other electronic data were legally less valid than other forms of assent. Electronic commerce has succeeded largely by applying in the on-line world the same flexible rules regarding expressions of assent to a contract that parties have relied upon for years in the off-line world. To introduce legislation that afforded lesser legal validity to certain electronic signatures than to other forms of assent would upset existing legal doctrine and business practices and would make the use of electronic signatures a far riskier proposition for all but the most sophisticated user.

      At a minimum, then, the legislation should do no more than clarify that, where the law does not require a hand-written signature, a party may use any form of electronic signature or other electronic data to indicate its consent to be bound by a contract.

  2. The legislation should expressly provide for true freedom of contract with respect to electronic signatures.

    3. The consultation document provides that the Government "has no intention of disturbing the existing use of electronic messages between parties, usually within closed user groups, for doing business" (¶ 22). To the extent that this passage endorses the principle of party autonomy, we warmly welcome it. In our view, the proposed legislation should unambiguously provide that parties have the same freedom of contract with respect to the rules under which they will agree to be bound by electronically signed data as they currently have with respect to manually signed data.

    As described more fully in Part II.A.2, no one can anticipate all future applications of electronic signatures and certificates. Therefore, parties’ use of electronic signatures should not be constrained by the imposition of fixed technical, functional, or legal requirements that would render certain of these uses economically infeasible. A clear party autonomy provision would grant parties the flexibility to structure electronic transactions by agreement to meet their specific needs to the same extent that they may currently structure their non-electronic transactions.

     

  3. Both providers and users should remain entirely free to choose whether to escrow their encryption keys.

    4. In a letter to the Secretary of State dated 3 February 1999, the EEWG strongly urged the Government "to discard proposals to require licensed providers to implement key escrow or similar key recovery procedures." We warmly welcome, and are greatly encouraged by, the Government’s decision to consult on the basis that neither key escrow nor third party key recovery will be required of licensed providers, and that there will be no requirement for users to store encryption keys (¶¶ 37, 82). We would urge the Government to stand by this position in drafting legislation to ensure that it does not impose key escrow or key recovery requirements on any third party or user.

    Requiring licensed encryption service providers to implement key escrow or key recovery procedures would create substantial technical challenges for licensees and impose tremendous costs on both service providers and users. No adequately secure third-party key escrow technology currently exists that would allow cost-effective implementation on a mass-market scale. Developing and implementing such procedures would be difficult and extremely costly and would seriously hamper the development of electronic commerce in the UK.

    In addition, requiring licensed providers to engage in key escrow would isolate the UK among its major trading partners, effectively all of whom have either abandoned key escrow or are moving in that direction. The French Government recently announced its intention to abolish most existing domestic encryption controls, while the US Government recently released domestic companies from commitments to develop key escrow products in exchange for export licenses. Were the UK to impose key escrow on licensed providers, UK firms would face substantial technical and cost burdens not faced by their international competitors.

    We welcome the opportunity to work with Government and advise law enforcement on alternative solutions to key escrow to meet their legitimate needs. As responsible corporate citizens, we fully support law enforcement desires to prevent the use of encryption for unlawful ends, and hope that meaningful dialogue and co-operation with law enforcement will continue into the future to further this mutual goal.

    Finally, in light of the Government’s decision to consult on the basis that key escrow will not be imposed on licensed providers, we have reservations about the proposed "Key storage" requirement in Annex A, Part III, which provides: "Where keys are stored, the applicant must be able to demonstrate they have the ability to securely hold the encryption keys (or other appropriate information) of their clients." Depending on the meaning of the first phrase, this condition could be interpreted to require licensees to offer key escrow to their clients. Such an interpretation would effectively require licensees to put key escrow procedures in place, and thus contradict the proposal not to require licensed providers to escrow their customers’ encryption keys. We would respectfully recommend that the "key storage" condition is drafted to make clear that a licensee will be required to demonstrate the ability to hold encryption keys securely only if it intends to offer key escrow services to clients, and that licensees are free not to offer key escrow services if they choose.

  4. Providers should be permitted to offer both licensed and unlicensed services.

    5. The licensing regime should ensure that users have complete freedom to choose between licensed and unlicensed services. Users may perceive value in the information conferred by licensing status with respect to certain services, but not with respect to others. To ensure that industry can respond effectively to this market demand, the legislation should be structured to give service providers maximum flexibility to offer both licensed and unlicensed services.

    Risks of dishonest practices by providers or consumer confusion as to whether a specific service offered by a provider is licensed or unlicensed can be addressed through existing legislation. A number of consumer protection provisions of general applicability already exist under UK law, including rules requiring accurate labelling, truthful advertising, and against unfair or misleading trade practices. These laws will apply with equal force to providers offering confidentiality or electronic signature services and should provide adequate recourse against firms that engage in harmful practices.

    For these reasons, the Government should not require providers who are licensed for one cryptographic service covered by the licensing regime to become licensed for any other cryptographic service. As the consultation document correctly notes, such an "all-or-nothing" licensing regime would stifle innovation and retard the development of new value-added services without providing any benefits to consumers or industry (¶ 39). It would also prevent many firms from becoming licensed that might otherwise wish to do so.

     

  5. The legislation should not impose new liability rules on providers of confidentiality or electronic signature services.

    6. We do not believe that any new liability rules are necessary regarding the services outlined in the consultation document (¶¶ 42-45). Providers of these services—whether related to confidentiality or electronic signature certification—will be subject to existing UK liability rules. We believe it is too early in the development of these services to impose new sector-specific rules, as these may distort the market in unanticipated ways.

    Were the Government to impose new liability rules on providers, we would urge that these rules reflect the following principles. First, any liability rules should be subject to modification by contract. As described more fully in Part II of this response, parties require broad contractual freedom to ensure that they can develop and offer certification and other services for the whole range of possible uses and transactions. For the same reasons, parties need the freedom to draft and abide by liability provisions that best fit their needs.

    Second, parties should be able to notify third parties of any applicable liability rules by incorporating another document or source by reference. For instance, a certificate accompanying an electronic signature should be able to notify third parties of the applicable liability provisions by a hyperlink to the provider’s Internet site or some other source. To require all relevant liability rules to be contained in the certificate itself would be infeasible in most cases.

    Third, any default liability rules should apply equally to both licensed and unlicensed providers. Applying different liability rules depending on licensing status would introduce artificial incentives respecting the use of licensed services, and thus fail to reflect accurately the true value of licensing status to the market.

     

  6. The proposed licensing conditions should be simplified and tailored to address the specific service at issue.

    7. Certain of the proposed licensing criteria in Annex A are unnecessary or may not be appropriate for certain services that licensed providers may wish to offer.

    1. General licensing criteria.

      • Quality Management. The consultation document states that all licensees would need to demonstrate compliance with an appropriate quality system such as ISO 9000. This requirement would be inappropriate for providers offering certain types of certification services, such as for signatures used in micro-value transactions, as it would impose costs that the relevant market simply could not bear. This licensing condition should be revised to specify that the licensee must demonstrate compliance with a quality management system appropriate to the licensed service to be offered.

      • Information Security Management. All licensees would be required to obtain accreditation under the c:cure Scheme to BS 7799. While a high level of security management may be necessary for providers of confidentiality and related services, it will be inappropriate for a variety of other services (such as certain services related to electronic signature certification). The licensing conditions should make clear that BS 7799 accreditation will only be required where appropriate to the licensed service on offer and where necessary to protect users.

      • Key generation. The consultation document provides that applicants would need to demonstrate the ability to "issue separate key pairs for signature and confidentiality services." This criterion presupposes that licensees will want—or need—to become licensed for all cryptographic services if they seek to become licensed for any. As discussed in Part IV of this response, providers should be free to become licensed for as many or as few services as they choose. Accordingly, there should be no requirement that providers be able to issue key pairs for both signature and confidentiality services. Indeed, licensees should not be required to be able to generate any key pairs, as they may wish to allow their customers to generate their own key pairs.

    2. Licensing criteria for certification authorities.

      • Client authentication. This condition provides that licensees will be required to "identify" their clients, which must include "prior physical identification." This provision assumes that all electronic signatures certified by licensed providers will be used to establish identity. The prevailing view, however, is that most electronic signatures will merely identify an attribute of the signatory (such as membership in an association, employment in a company, etc.), for which the signatory’s identity will have either been established independently, or will be of little relevance. For these types of certificates, this licensing condition would impose unnecessary requirements. Even where the certificate at issue is relied upon to establish the signatory’s identity, we question whether the requirement for "physical" identification would always be appropriate. Given that many providers will have customers in remote locations or in other countries, physical identification may not always be feasible or cost-effective.

      • Revocation. For the reasons set forth in the preceding paragraph, a revocation service may be inappropriate for "attribute" certificates and thus should not be imposed on all service providers.

      • User signature generation products. This provision states that users will need to use "approved" signature generation products to "take advantage of full legal recognition." As explained more fully in Part I.A of this response, all electronic signatures should be treated as legally equivalent to hand-written signatures. Therefore, this provision should be deleted.

    3. Conditions on a TTP for the provision of a confidentiality service.

      • Key storage. This condition requires licensees to demonstrate their ability to securely hold encryption keys. This presupposes that licensees will necessarily wish to offer key escrow or similar services to consumers. As described more fully in Part III of this response, licensees may not find sufficient market demand for key escrow services to be able to offer this service on a profitable basis. The legislation should not prevent these providers from becoming licensed, or in any other way introduce a "compulsion" for licensees to engage in key escrow. This licensing condition should be revised to provide that only if a licensee offers key escrow or similar services to clients must it be able to demonstrate the ability to hold encryption keys securely. The condition should expressly state that licensees are free not to offer key escrow services.

* * *

The European Electronic Signatures Working Group and European Encryption Working Group appreciate this opportunity to respond to the Consultation Document. We would welcome further opportunities to discuss the views set forth herein with Government representatives. For further queries regarding this response, please contact Martin Hansen, BSA European Legal Counsel, at +44.171.495.5655 or by email (mhansen@cov.com).

Go back to the start of this document.

Go to the library of current responses.

Go to FIPR home page.

_____________

Last Revised: April 19 1999