Response to the Consultation Paper published in March 1998
by the Department of Trade & Industry: an Information Society Initiative
The Law Society's response to the Government Consultation Paper, "Building Confidence in Electronic Commerce", refers to solicitors' electronic transactions in Cyberspace.
The Law Society of England & Wales supports some of the sections in the Consultation Paper and is in favour of the stated aim of promoting electronic commerce and of establishing equivalence between electronic and paper transactions. However, the Law Society also has strong reservations about several of the Paper's proposals.
Many of the Law Society's reservations concern proposals which are not in line with the Government's stated objective of achieving equivalence between paper and electronic communications. For both consumers and commercial users of electronic communications, this will create uncertainty, and will not contribute to an environment in which people will feel confident in using e-commerce.
The Law Society also has a reservation regarding the Government's attempt to prejudge the fast evolving market of e-commerce by setting up a licensing scheme based on a specific and untried business model - the public key infrastructure (PKI) system. Reliance on the prediction that PKI will eventually govern the market in secure e-commerce transactions may distort the market place and the law before the market has even shown what choices consumers and companies wish to make in this field.
Paragraph 18 of the Consultation Paper suggests how to facilitate the legal recognition of electronic signatures and writing through primary legislation and on a case by case basis. This first option involves a lengthy process and is likely to produce laws which will no longer be relevant to the fast changing market of electronic commerce. The second option mentioned at paragraph 18 suggests the same case by case solution but through secondary legislation. The Law Society considers that both of these options should be rejected. If the definition of "writing" in Section 178 of the Copyright, Designs and Patents Act 1988 were substituted, much of the problem would be solved. It provides that writing includes any form of notation or code, whether by hand or otherwise, and regardless of the method by which, or medium in or on which, it is recorded.
The Government should take the necessary measures so that it can act through secondary legislation to ensure the recognition of all electronic signatures and documents. It should set a short period (such as 3 years) after which all legal requirements for writing and signatures on paper can be met electronically, except those for which a specific exception has been made before the end of the period. Setting a short period for compliance will emphasise the urgency of the issue and the need to identify the necessary exceptions.
Particular consideration needs to be given to transactions where English law requires the use of a deed, for instance transfers of land and mortgages. These require not only signature by the party to be bound but also attestation by another unrelated person. This concept can clearly be translated into dematerialised documents by the digital signature of the party to be bound being attested by the digital signature of an unrelated witness. It is likely that (as is presently the case for paper documents) commercial lenders, such as building societies and banks, will insist upon the digital signatures of borrowers being attested by the digital signature of a legally qualified person, both as a guarantee of the borrower's digital signature and as an assurance that the borrower is aware of and understands the document which has been digitally signed.
Solicitors could be recognised as prime providers of the attestation of signatures to electronic deeds. In the case of transfers of land for example, solicitors constitute a logical choice for the attestation of signatures as they are the parties who would be dealing with the relevant documents of a land transfer and communicating them to the Land Registry. In addition, solicitors' offices can be found in most high streets and they are already used to providing a similar service (usually without prior appointment) in the form of taking oaths. A consultation should be undertaken with HM Land Registry as to what attestation will be acceptable for dematerialised transfers of land.
It is useful to point out, however, that commerce frequently requires neither written documents nor signatures and that the vast majority of contracts are legally binding whether they are made orally, in writing on paper or by electronic mail. The Paper's provisions on the legal recognition of electronic signatures and writing are in danger of introducing uncertainty about the enforceability of current electronic contracts which could seriously damage the development of electronic commerce.
Although the Consultation Paper's stated intention is to promote equivalence between electronic signatures and documents and signatures or documents on paper, the proposals put forward have the contrary effect. Paragraph 19, for instance, purports to instal equivalence between electronic and written signatures by "creating, by statute, a rebuttable presumption that an electronic signature, meeting certain conditions, correctly identifies the signatory it purports to identify; and, where it purports to guarantee that the accompanying data has not been altered since signature, that it has not. (..) The present draft requirements for "advanced electronic signature" are that (..) it is created using means that the signatory can maintain under his sole control".
The Law Society's first comment on this paragraph is that a person's private key, which will be used to sign documents, will usually be stored in a computer. At present, no ordinary computers have a truly secure operating system and, consequently, a person cannot be certain of having a signature key which is "under his sole control".
Second, with reference to the principle of establishing equivalence between electronic and written communication, the presumption which the paragraph purports to introduce, although it is "rebuttable", is the opposite of the presumption applied for paper communications. Currently, the presumption is that a document is not attributed to a person who denies having signed it. Therefore, a person who wishes to rely on a paper document allegedly signed by another must prove that the latter actually signed the document. According to the Consultation Paper, it is the alleged signatory of an electronic document who has to prove that he or she did not sign the document.
The Consultation Paper proposal thus would create an important difference between electronic and paper transactions and it places a new burden on users of information society services with possibly serious adverse implications for consumers. This will do nothing to promote confidence in electronic commerce.
On the issue of the burden of proof in electronic communications, the Government is emphatically urged to adopt instead the approach taken by the proposed Australian legislation on electronic commerce. The latter provides that, unless otherwise agreed between the purported sender and the recipient of an electronic communication, the purported sender of the electronic communication is bound by that communication only if it was sent by the purported sender or with the authority of the purported sender. The same rule should be adopted in the UK.
In response to the Consultation Paper's request for views on whether there are significant changes that should be made through UK primary legislation to promote the development of electronic commerce (Paragraph 23), the Law Society would suggest extending the scope of Section 75 of the Consumer Credit Act 1974. The cardholder protection provided for in the Act should unequivocally extend to transactions overseas (this will obviously be frequent in electronic commerce). This would do more to promote consumer confidence in electronic commerce than any other single proposal. As we have said, the Government's proposal to transfer the risk from the card issuer to the consumer, by transferring the burden of proof of authenticity of signatures, would have the opposite effect.
At Paragraph 32, the Consultation Paper requests views on whether "any changes are needed to existing legislation to allow [electronic service] intermediaries to prosper". The Law Society believes that no case has been made for any such changes, and that the law of agency, where relevant, remains adequate for this context.
The Consultation Paper proposes a voluntary licensing scheme for Certification Authorities: "Moreover, the legislation will specifically ensure that any electronic signature (regardless of who the Certification Authority is, or even if there is no Certification Authority, and regardless of what type of signature creation device is used) is capable of being given legal effect and can be submitted in evidence" (Paragraph 21).
The Law Society is pleased to see the abandonment of proposals for a mandatory licensing scheme for Certification Authorities. However, it is misleading to use the expression "licence" at all in this context, since a licence implies a permission to carry on an activity that would not be permissible without the licence. What is proposed is an accreditation scheme, and it should be described as such.
Again, however, the measures put forward in the Consultation Paper on this topic do not promote equivalence between paper and electronic forms of communication. Several sections of the Paper clearly show the Government favours licensed Certification. Paragraph 20 states "the licensing regime will be set up in such a way that an electronic signature, backed up by a certificate from a licensed Certification Authority, will automatically satisfy the conditions necessary to be regarded as legally equivalent to a hand-written signature". Similarly, Paragraph 21 states that "the Government's intention is not to deny legal recognition to electronic signatures which are not backed by certificates from licensed Certification Authorities, but parties relying on them may be taking on a higher level of risk". Signatures on paper are very rarely certified, and those relying on them accept the resultant risks. The Law Society believes the position in electronic commerce should be the same. If legislation is introduced to give special status to authenticated signatures, rather than leaving it to the users to decide what value to give to authentication, this will destroy equivalence with non-electronic documents and, by implication, cast doubts on the legal effectiveness of non-authenticated signatures.
In addition, the Consultation Paper makes the assumption that the market will use Certification Authorities, when there is no basis for the view that this is the business model that will in fact develop. Electronic commerce has been in progress for several years in the form of telex and fax and no greater need for signature certification has emerged than is required in paper commerce. Until it becomes clear both that Certification Authorities have an important role to play in electronic commerce, and that there are grounds for regulating them in the light of experience, accreditation schemes are not appropriate. There is a significant danger that the introduction of an accreditation scheme based on no relevant experience of the market, especially if coupled with a special liability regime, will in fact distort the market and its development, and give the UK a bureaucratic and unwelcoming environment as compared with other liberal markets.
If Certification Authorities prove to be the business model the market wants, it will be sufficient that the service providers clearly state whether they are licensed or unlicensed (preferably, accredited or unaccredited) in respect of that service. In the case of services relating to confidentiality keys, the supplier should be obliged to state clearly and prominently whether he will hold a copy of the customer's decryption key available for law enforcement access.
Also assuming that the Certification Model is chosen, the Law Society has the following comments regarding the first and second items of Paragraph 35:
"Licensed Certification Authorities will not be allowed to store the private key of a key pair that is used solely for electronic signature purposes. The responsibility for protecting a private signature key will therefore fall unambiguously on its owner.
This should encourage confidence in electronic signatures by helping to prevent repudiation"
Several systems allow one key to operate both encryption and digital signature services. Paragraph 35 appears to assume that there is necessarily a separate key for each procedure. The Law Society accepts the principle that an individual must be responsible for producing his or her key and for taking appropriate measures to protect it (such as storing it on a disc and keeping a copy at a bank) but it cannot accept the principle that "responsibility will fall unambiguously on its owner" if this is intended to make the owner liable to third parties. Electronic commerce is a new market and there is no case law to indicate what this responsibility entails. The imposition of new rules on liability in this way will not encourage confidence in the use of digital signatures and the potential extent of this liability is likely to be viewed with apprehension by any key holder.
As regards the second part of Paragraph 35:
"There will be no access by law enforcement agencies to private signature keys (wherever they are held), unless such keys have been used to encrypt information for confidentiality purposes."
This statement indicates a fundamental misunderstanding of the functions of keys. A private key is used to decrypt information which has been encrypted for confidentiality purposes. It is not, as suggested by Paragraph 35, used to encrypt information. A private key can only be used to encrypt information for the purpose of authentication (i.e. to create a digital signature).
The wording of the second part of Paragraph 35 is vague and it is unclear whether, as soon as a key is used to encrypt data, law enforcement agencies are entitled to request the private key. According to the current terms of the paragraph, law enforcement agencies could unjustifiably oblige the holder of a private key to expose his/her private key as soon as a third party uses the corresponding public key to send him/her encrypted data. A corrupt member of a law enforcement agency has only to misuse a public key to encrypt an electronic mail message in order to expose the private key to seizure in this way.
In response to the Consultation Paper's request for views on the level of liability to which service providers should be exposed (Paragraph 42), the Law Society would emphasise that the electronic commerce market is still very new and that it is difficult to regulate a market of which we still have insufficient experience. It would seem wise, therefore, that existing laws should apply and that liability for an electronic service provider be the same as for any other service. The same provision should apply to licensed and unlicensed service providers as the market should not be distorted by special protection for, or burdens on, licensed bodies.
The Law Society would advocate the same approach to the question of whether there should be a "special duty of care" on holders of private signature keys (Paragraph 45).
Paragraph 43 of the Consultation Paper states that: "A minimalist approach would rely solely on the contract between the service providers and their client. However, this would allow a service provider the option of contracting out of all of his liability and might also give a third party, e.g. someone relying on an electronic signature, no protection at all". The Law Society does not agree. Attempting to contract out of all liability would not be possible, as it would constitute an unfair contract term in consumer transactions and the same would often apply to commercial transactions. It is considered that commercial users of the service would be able to judge for themselves what the value is of contracting out liability. It should also be noted that where reliance is placed on current identity documents such as passports or driving licences, they are regarded as perfectly satisfactory despite a complete absence of any right of the person relying on these to compensation for any error or forgery of the documents.
It is in any case impracticable to try to install realistic limits on liability. The potential numbers of transactions in which reliance could be placed on a certificate might be huge. If there was a fixed aggregate limit for all claims, each claimant could find himself able to recover only a small fraction, without being able to know, at the time of reliance, what that fraction would be. If there was a fixed limit for each claim, the service provider could never know what the total liability could turn out to be. The risk might be uninsurable because of its potential magnitude and its unpredictability.
This illustrates very clearly why there must be grave doubts about the role of certificates in electronic commerce, especially since the risks appear to be satisfactorily accommodated within the banking system under current practice.
The Law Society welcomes the Government's recognition that imposing Key Escrow and Third Party Key Recovery (TPR) is impracticable. In practice, all current approaches for the creation and use of cryptographic key-pairs for signature and confidentiality purposes carry significant risks and imposing Key Escrow or TPR would simply make a data holder more vulnerable.
The Law Society would, however, encourage the Government to state clearly that users are free to decide whether to use Key Escrow or TPR services or not. Paragraph 51, for instance, states that the Government will be "encouraging the deployment of key escrow and key recovery technologies" and yet paragraph 52 states "Government proposals (..) do not impose (..) to use key escrow or key recovery technologies when encrypting communication".
Existing legislation enables law enforcement agencies to have access to material stored in a computer in a "visible and legible form" and therefore allows access to a plaintext version of a computerised document. However, there is no legislation which can force a suspect to provide the code to decrypt a document, and it is likely that law enforcement agencies will want new powers to deal with encyphered electronic transactions involving criminals.
Paragraph 68 of the Consultation Paper provides that the proposed legislation allows a warrant to order access to "keys or material in a comprehensible form". Access to material in a comprehensible form is already required in the existing legislation mentioned above. There is therefore no need for the Consultation Paper to cover this issue.
In relation to the interception of communications, access to a suspect's keys is clearly an important tool for law enforcement agencies; however, in its present form, the proposed legislation cannot be admitted as a number of key safeguards and human rights principles have been disregarded.
The first comment of the Law Society is that decryption should be based on a warrant granted by a judicial authority and that proper safeguards should be introduced to guarantee a suspect's rights. Paragraphs 72 to 76 of the Consultation Paper offer only brief information on the proposed legislation's safeguards and use very general terms. Serious human rights issues, such as the implications of the fair trial (Article 6 of the European Convention on Human Rights) or the right to privacy of correspondence (Article 8 of ECHR) are not adequately covered.
Legal professional privilege (the privilege against disclosure) should constitute a reasonable excuse for not complying with a requirement to decrypt encrypted material. Under existing legislation, confidentiality can be overridden on order of a judge but not privileged information. In order to be consistent with existing legislation, the proposed legislation on electronic commerce must also provide an exception for legal advisors in certain circumstances regarding the offence of "tipping off" an individual about the existence of an authorisation by the Secretary of State to have access to an encryption key. A solicitor must have the ability to give his or her client information if this is relevant to the legal advice which is being given. The same rules on professional privilege apply to the other categories of material to which the "special procedure material" protections of the Police and Criminal Evidence Act apply.
Concerns about disclosure of private keys are not answered by Paragraph 70 of the Consultation Paper. Contrary to what is suggested, the Law Society considers that the provision of a private key is not comparable to other statutory obligations such as providing fingerprints, DNA samples or producing documentary evidence of vehicle insurance cover. Nor is it comparable to a requirement to produce one or more specified documents. Disclosure of a private key could enable access to a very wide range of information which may be confidential, legally privileged and/or irrelevant to the matter under investigation.
On the issue of rights to privacy of correspondence, it is argued by the Home Office that since the Interception of Communications Act 1985 permits the interception of messages, Parliament must have intended the interceptors to be able to understand them, and that to impose a requirement for decryption does not amount to an extension of powers. The Law Society does not accept that such a conclusion necessarily follows. Even in 1985, intercepted messages could have been enciphered, or been in a foreign language, or simply have been full of circumlocutions known only to the parties so as to have been unintelligible to a listener. Parliament was not asked to impose on the parties any duty to explain unintelligible communications, and did not do so. Since a power to require decryption necessarily operates only after interception, so that "real time" access is already lost, there is no justification for it not to be subjected to the same controls as any other intercepted communication. The new power must be subjected to proper judicial control through the issue of a warrant based on sworn evidence.
An important and comprehensive report published by JUSTICE in 1998, entitled "Under Surveillance - Covert Policing and Human Rights Standards", puts forward a set of recommendations, based on human rights principles, which are intended as a basis for any new legislation on law enforcement powers. Two sections of the report specifically cover the interception of electronic communications and encryption.
The Law Society suggests that the Government reflect the report's recommendations in its legislation on electronic commerce. Particular consideration should be given to the report's request for a single regulatory system for the lawful interception, by law enforcement agencies, of all forms of communication. This will allow for uniform (rather than ad hoc) legislation covering access and admissibility of information as well as interception.
The JUSTICE report recommendations which the Law Society supports are as follows:
Recommendation 1 of the report:
"Existing legislation covering the use of technical surveillance devices - the Interception of Communications Act 1985 and the Police Act 1997 - should be reviewed with the aim of providing a single regulatory system for the lawful interception by law enforcement agencies of all forms of communication (including e-mail). This system should be based on a coherent set of principles as required by article 8 of the European Convention on Human Rights. There should be no exemptions from the statutory controls for operations when one party has consented to the surveillance ("participant monitoring")."
Recommendation 2 of the report:
"Authorisation to use technical devices which seriously interfere with privacy rights should be given by a person holding high judicial office. Such devices include the interception of telecommunications equipment and covert use of listening devices. They also include video equipment when it is used in covert surveillance of a targeted individual in a private place or where there is a reasonable expectation of privacy (see below). The application should be accompanied by a sworn affidavit setting out the evidence.
Where the surveillance method is less intrusive - for example, surveillance of a public event or of an individual in circumstances where it cannot be said that there is a reasonable expectation of privacy - authorisation from a senior police officer of at least the rank of superintendent is sufficient (see below)."
Recommendation 3 of the report:
"The grounds to be satisfied for authorising the use of an intrusive surveillance device should fully reflect the requirements of article 8 of the European Convention. As a minimum, they should include the following:-
Last Revised: April 12 1999