FIPR: Foundation for Information Policy Research

This note contains a brief response to `Building Confidence in Electronic Commerce' (DTI document URN 99/462). Because of the short consultation period, during which FIPR's Director was engaged in organising the only open public meeting to consider the proposals and both the senior technical and legal advisers were largely overseas, it has not been possible to prepare a detailed response. However, a meeting of the FIPR Advisory Council did consider the consultation document on 30th March 1999. Here we summarise our responses on the most important points. If it would be useful, we would be pleased to expand on any issues which are of special interest.

The most significant issue we see with the proposed legislation is that the rebuttable presumption of validity of electronic signatures is likely to undermine consumer protection. Firstly, there are the general problems widely discussed by the e-commerce community under the rubric `granny chooses a bad password and loses her house': encouraging naive users to make large transactions with unproven technology which they do not know how to control is questionable public policy. Secondly, there is the specific problem that the presumption of validity could shift the burden of proof from businesses to their customers. This could make it much harder for the victims of fraud to seek redress, whether against banks, merchants, credit card companies or insurers.

Many people have experience of banks refusing to refund `phantom withdrawals' made from their accounts as a result of cash machine fraud. Even when a number of people had been sent to prison for this offence, some banks continued to maintain that their systems could not possibly be at fault, and so long as this defence held up they had little incentive to improve their security. The lesson to be learned is that the players responsible for security should also bear the costs of security failure. But the proposed legislation tries to shift liability to the consumer, in order to provide incentives for approved security service providers. While this may be intended to prevent crime, we fear that it is rather more likely to promote it.

We are also concerned that the `Modernising Government' proposals, which were published the day before the close of this consultation period, foreshadow a transfer of liability to the private sector, and will therefore encourage powerful players to insist on the licensing of counterparties in order to pass the liability on. This could make the government's whole IT programme hostage to the crypto policy proposals.

But frauds are certain to occur; the protection technology required to justify the imposition of strong non-repudiation on retail customers is not available now and is not likely to be for some years. Attempting to create legal certainty in the absence of technological reliability is courageous, but the proposed direction is completely misguided.

Ministers should watch developments in UK plc's main competitor, the USA, where the rapid uptake of electronic commerce is largely due to the EFT Act and Schedule E, which limits cardholder liability to $50 in the event that something goes wrong and thus places the liability squarely with the banks - who are precisely the players in the best position to manage the risk.

Britain should follow the US example, and as retail electronic commerce will almost certainly use credit cards rather than digital signatures, the appropriate response would be to reinforce and extend the Consumer Credit Act. We suggest reducing the lower limit for actions against the card issuer from GBP 100 to GBP 20, and raising the small claims limit (above which it is imprudent for individuals to sue banks) from the present GBP 3,000 to perhaps GBP 20,000. For future applications in which electronic signatures play some role, we suggest adoption of the Australian model in which such a signature is only binding if the alleged signer actually made it. This reflects both the current legal situation and the reasonable expectations of consumers, and will motivate the promoters of systems employing digital signatures to ensure that they are fit for purpose - whether through improved technical protection measures, or (more likely) through insurance.

FIPR feels that the main issue in the uptake of electronic commerce is managing risk, and the main problem facing businesses is the lack of a loss history on which rational underwriting decisions could be based. Until we have more experience, it is prudent to encourage traders to build on existing business models rather than trying to redistribute the risks in ways which take us out of known territory (and are also likely to introduce perverse incentives). The government should also reconsider the role of existing regulators, such as the Office of Fair Trading, rather than assuming that OFTEL can be all things to all people. Most disputes are likely to be bank card transaction disputes or consumer credit disputes which happen to have an online aspect, rather than intrinsically `online' disputes.

In a similar vein, if the risks of electronic commerce are to be borne ultimately by insurance, then it would make sense for underwriters' laboratories to approve the systems. Such approval, which is currently required for systems such as burglar alarms, is much cheaper than the ITSEC/Common Criteria process - typically two weeks and GBP 10,000 rather than a year and GBP 1,000,000. We can see no reason for imposing the more expensive evaluation process if insurers are happy with the cheaper, traditional option. We perceive a conflict of interest here between CESG's role as the government's technical adviser on cryptography, and its desire to promote ITSEC/Common Criteria processes and products.

We welcome the principle that legislation should be technology neutral, but are concerned at the apparent attempt to promote CESG's proprietary public key infrastructure (which industry does not want) and, in general, infrastructures with few, large CAs rather than many small ones (the latter being appropriate in many applications). Policy should also avoid discriminating in favour of identity certificates (which are of interest mainly to government) and against authorisation certificates (which are of most interest to business); and it should not promote multifunction smartcards, which have failed in the marketplace, against the wide variety of hardware and software solutions being adopted in real applications. Finally, it should not lock users into particular browsers, word processors, operating systems or other products; standards must open enough for independent implementation.

We particularly caution the government against using its monopoly position in the fields of health care and welfare provision to promote particular electronic signature products. The risk is of repeating historical precedent and leading UK plc down a blind alley in supporting systems which fail upon the global stage.

In general, the directions in which government is trying to push the technology seem to be the opposite of those which are favoured by the developer community, and which experience suggests are more likely to prevail. There is a feeling that government is trying to get a `free ride' by twisting commercial developments to suit its own, often incompatible, purposes. This is bad policy; it is unlikely to satisfy either consumers or business, and in the long term will be damaging to government too. If government wishes (for example) to issue citizens with identity certificates to authenticate transactions with tax and welfare systems, it should go ahead and do so. One is reminded of the Japanese proverb that the man who chases two rabbits goes to bed hungry.

As for confidentiality, the consultation document emphasises third party confidentiality (e.g., wiretaps) while the main consumer concern remains second party confidentiality (i.e. data protection). This concern cannot be met by technical measures such as encryption, but requires the strengthening of data protection law and - especially - enforcement. We welcome the government's new data protection legislation and hope that the Registrar/Commissioner will have the technical, legal and other resources needed to police it vigorously.

The Home Office review of the Interception of Communications Act provides an excellent and timely opportunity to visit the issues of proportionality, scrutiny and accountability as applied not just to wiretaps but to the associated and envisaged law enforcement and intelligence resources, ranging from the network centre to traffic analysis. There is some overlap with electronic commerce concerns; if police viruses can be used to steal confidentiality keys, they can presumably also steal signing keys and this will undermine non-repudiation. However if government follows our suggestion to avoid imposing a strong non-repudiation requirement on consumers, these conflicts will be much less serious. Government should also reconsider its view that police officers should be able to demand either plaintext or keys, as this will merely encourage the proliferation of systems that provide forward secrecy.

We also suggest that government should stop and think very carefully before it promotes the establishment of a public key infrastructure which will certify keys that individuals can use to sign arbitrary content. There is no obvious commercial requirement for such an infrastructure, as the prevailing internet payment mechanism (SSL/TSL) requires certificates only for merchant servers. The proliferation of certificates in individuals' hands would lead to the creation of encryption products that abuse them, regardless of any government warnings on the certificates. We suspect that the thoughtless deployment of a general public key infrastructure would come to be regretted by signals intelligence purchasers and providers alike in years to come.

In view of all the above complexities, we welcome the consultation process initiated by the Cabinet Office. However, this should include SMEs, professions, academics, consumer organisations and liberties groups rather than limiting the non-governmental input to a few large companies. This will help to avoid rough edges, such as the unequal treatment of incorporated and unincorporated organisations in the current document, and will also maximise buy-in by the influential players.

Finally, we would urge ministers to avoid the temptation to take broad powers to change the rules of liability in networked environments. This could seriously undermine confidence, and delay the emergence of a mature consensus on Internet governance. The rules of online life are not in the end going to be negotiated in private between central government and large IT companies. As more and more of our national life acquires an online component, so the full range of our national institutions will become engaged. In addition to the DTI and the `e-commerce' industry, Internet governance will be a concern for professions, educational institutions, local government, religious organisations, clubs, and all the many other players who contribute to the diversity, stability and social cohension of a mature democracy.

For this diversity, stability and cohesion to develop and endure in cyberspace, it is important that the rules of the game are not subject to capricious change. It would be an extremely grave error to deny the online environment the opportunity to develop the certainty and predictability which established law, precedent and custom give to the physical world.

Go back to the start of this document.

Go to the library of current responses.

Go to FIPR home page.