FIPR Library: Microsoft

Microsoft’s Response to the

Government’s Consultation Document:

Building Confidence in Electronic Commerce
22 March 1999

This paper sets forth Microsoft’s response to Building Confidence in Electronic Commerce—A Consultation Document (URN 99/642, 5 March 1999). Microsoft applauds the Government’s aim to make the UK "the world’s best place in which to trade electronically." We particularly welcome the Government’s decision not to require service providers to escrow encryption keys and are committed to working with law enforcement to address their legitimate needs on access to encrypted data.

We have serious concerns, however, that the proposed licensing conditions—particularly the intent to link these conditions to legal recognition of electronic signatures—will actually make the UK a less attractive environment for e-commerce. These proposals are inconsistent with existing commercial practices and business models and threaten to undermine consumer confidence in e-commerce while imposing prohibitive costs and burdens on businesses and users. We would respectfully recommend to revise these proposals as discussed below.

Key messages

Escrow of encryption keys should remain wholly voluntary, both for service providers and for users.

The legislation should not impose any new rules where existing law does not require a hand-written signature.

Where existing law requires a hand-written signature, any electronic signature should presumptively be deemed to satisfy that requirement .

The legislation should clearly provide for party autonomy.

Service providers should be permitted to offer both licensed and unlicensed services.

The legislation should not impose new liability rules on providers of confidentiality or electronic signature services.

The licensing conditions should be revised and simplified.

Escrow of encryption keys should remain wholly voluntary, both for service providers and for users.

The Government was right to withdraw its support from earlier proposals to mandate key escrow for licensed encryption service providers (¶¶ 37, 82). It should remain firm in this position and ensure that the legislation does not impose key escrow or key recovery obligations on any third party or user and does not permit such obligations to be imposed through secondary legislation.

Requiring licensed providers to escrow their customers’ encryption keys would impose massive costs on UK businesses and consumers while providing few if any tangible benefits to law enforcement. The technology to implement third-party key escrow on a broad, commercially viable scale has not yet been developed. Even if developed within a few years, any solution would be tremendously complex to implement and expensive to maintain. Raising the cost and complexity of licensed services by saddling them with commercially unnecessary key escrow obligations would merely stifle the growth of UK e-commerce before it has taken root.

Also, as other developed countries move decisively away from key escrow, the Government’s earlier key escrow proposal would have left UK firms at a competitive disadvantage internationally. In January, the French Government announced that it will dismantle most existing domestic encryption controls, thereby acknowledging the failure of a four-year effort to impose mandatory key escrow on domestic users. Similarly, the US Government recently released domestic companies from commitments to develop key escrow products in exchange for export licenses, recognising that after two years little progress had been made towards technical solutions. Had this Government proceeded with plans to impose key escrow on licensed providers, UK e-commerce participants would have suffered from substantial technical and cost burdens not borne by key international competitors.

Consistent with the Government’s decision not to impose key escrow obligations on licensed providers, key storage should not be a condition for obtaining a license. Part III of Annex A to the consultation document, which sets forth the proposed licensing conditions for confidentiality service providers, states: "Where keys are stored, the applicant must be able to demonstrate they have the ability to securely hold the encryption keys (or other appropriate information) of their clients." This condition could be read to assume licensees will necessarily wish to offer key escrow or similar services to consumers. However, many licensees may see insufficient market demand for key escrow, or find they are unable to offer this service on a cost-effective basis. These providers should not be precluded from obtaining a license simply because they choose not to offer key escrow services. Accordingly, the "key storage" licensing condition should be revised to make clear that, if a licensee intends to offer key escrow or similar services to clients, only then must it demonstrate the ability to hold encryption keys securely. The condition should make it clear that licensees are free not to offer key escrow services if they so choose.

Microsoft welcomes the Government’s invitation to work with law enforcement to meet their legitimate needs (¶ 84) and has met with Home Office representatives during the consultation period to further this effort. To ensure that this co-operation continues, we support the creation of an informal working group of encryption developers, service providers, and law enforcement so that dialogue and assistance—rather than mandatory key escrow or similar requirements—remain the preferred avenue to address law enforcement concerns.

The proposed legislation should provide that all electronic signatures are legally equivalent to hand-written signatures.

The Government’s proposal to extend legal recognition only to certain electronic signatures will undermine user confidence in e-commerce, impose unnecessary costs on businesses and consumers, and upset existing legal doctrine and commercial practices. These proposals, more than any other aspect of the legislation, threaten to defeat the Government’s goal of promoting e-commerce and if left unchanged will make the UK a cumbersome and even risky place from which to engage in on-line transactions. The legislation should provide that electronic signatures of all kinds are legally equivalent to hand-written signatures and should eliminate any connection between the legal effectiveness of an electronic signature and the licensing status of the relevant certification authority (CA).

The consultation document states that electronic signatures satisfying a detailed set of conditions will receive a "rebuttable presumption" of legal validity (¶ 19). This presumption will arise automatically in the case of electronic signatures certified by licensed CAs, while signatures certified by unlicensed providers may obtain the presumption if it can be shown independently that the licensing conditions were met (¶ 20). Any other electronic signature will merely "be capable of being given legal effect and can be submitted in evidence," but will not be treated as legally equivalent to hand-written signatures (¶ 21).

The legislation should not impose any new rules where existing law does not require a hand-written signature.

The consultation document does not clearly distinguish between cases where the law requires a hand-written signature and where it does not, but suggests (¶ 21) that signatures not meeting the legislative criteria might not constitute a valid form of assent even where the law does not currently require a hand-written signature. If implemented, this proposal would be extremely harmful to the development of electronic commerce.

In the vast majority of commercial transactions conducted every day—including on-line transactions—there is no legal requirement for a hand-written signature. Consumers, businesses and others indicate their consent to be bound by these contracts in innumerable ways, including by voice, fax, email, stamp, signature, hand-shake, wave, nod of the head, even by doing nothing. UK courts and legal doctrine have long recognised that commerce requires flexibility in contract formation and that, in most cases, a party that indicates its assent to be bound by a contract should be held to the contract regardless of the manner in which this assent was indicated.

It would be both absurd and tremendously damaging to the growth of electronic commerce if the legislation were to provide that, even where the law does not require a hand-written signature, certain (or indeed any) types of electronic signature were somehow less legally valid than other forms of assent. Electronic commerce has already been extremely successful by applying in the on-line world the same flexible rules regarding expressions of assent to a contract that parties have relied upon for years in the "off-line" world. To introduce legislation extending greater or lesser legal validity to electronic signatures than to other forms of assent would upset existing legal doctrine and business practices and would make the use of electronic signatures a far riskier proposition for all but the most sophisticated user.

To truly promote electronic commerce, the legislation should do no more than clarify that, where the law does not require a hand-written signature, a party may use any form of electronic signature or other electronic data to indicate its consent to be bound by a contract.

Where existing law requires a hand-written signature, any electronic signature should presumptively be deemed to satisfy that requirement.

For those transactions where existing law requires the use of a hand-written signature, the legislation should provide that this requirement can be met by any kind of electronic signature, unless the transaction at issue is expressly exempted for clear reasons of public policy. Specifically, the legislation should provide that all existing legal requirements for hand-written signatures may, after a one-year review period, be satisfied with any type of electronic signature unless specifically excepted by a governmental department and confirmed by Parliament (¶ 18).

We would respectfully submit that the proposed legislation errs to the extent that it provides that only signatures certified by licensed CAs or meeting the licensing criteria would satisfy the legal requirement for a hand-written signature, or that such signatures should be entitled to a presumption of validity (¶ 20). As described more fully below, these proposals are inconsistent with accepted business practices, confuse issues of legal validity and non-repudiation, would distort the market in electronic signature services, and are inconsistent with proposed EU law in this area.

The proposed legislation is inconsistent with existing practices and emerging business models.

The proposed legislation is inconsistent with existing on-line commercial practices and emerging business models for how electronic signatures will be used in electronic commerce. Under the predominant view, consumers will not use a single certificate to establish their identity for all purposes, but instead will hold a large number of different signatures, each designed for specific uses and limited purposes. These signatures are likely to be based on some pre-existing relationship (sometimes formal, often informal) between the signatory and the issuer. Because these certificates will typically be used for transactions between the issuer and the signatory, there will often be no third-party reliance on the signature.

Because of their limited nature and use, most of these certificates are likely to be quite simple and inexpensive. Issuers of these certificates will be very cost sensitive and could not afford to issue them if the expense of ensuring their legal validity was set artificially high by a requirement that they meet certain regulatory criteria. Also, because the value of the transactions involved would typically be low, issuers could not pass along the additional costs to consumers through increased prices.

Crucially, there will normally be no need for a licensing regime to ensure adequate trust for either party to the transaction. The issuer will trust the certificate because it was issued by it or under its control. The signatory’s trust will be based not on the certificate itself, but on its pre-existing relationship with the issuer. Thus, if a high street bank issues certificates to its customers to use with the bank or a certain group of retailers, the signatory’s trust will be based on his relationship with the bank, not on the procedures used to generate the certificate. Similarly, reliance on the certificate by third-party retailers would be based on their relationship with the bank itself, not on the procedures used by the bank to certify its customers’ signature keys.

If electronic commerce is to flourish, industry needs the freedom to develop and offer whatever form of signature system best suits the particular purpose. None of these signatures should be ineligible for legal recognition, and the proposed legislation would thwart their development by requiring that they meet detailed licensing conditions in order to satisfy the legal requirement of a hand-written signature.

The consultation document confuses non-repudiation and legal equivalence to a hand-written signature.

The proposed licensing criteria are designed to increase the certainty of the relying party that the signatory is who he says he is—that is, to confirm the signatory’s identity. As stated in the document, the proposed legislation would create a rebuttable presumption that a qualifying electronic signature "correctly identifies the signatory it purports to identify" (¶ 19). This presumption would make it more difficult for the putative signatory to repudiate his signature in court.

The legislative proposal errs, however, by confusing this property of non-repudiation with legal equivalence to hand-written signatures. Non-repudiation has never been a feature of hand-written signatures, nor does the existence of a hand-written signature (or any other indication of assent to be contractually bound) ever prevent the putative signatory from claiming that the signature (or other indication of assent) is not his. To introduce such a presumption of non-repudiation solely with respect to electronic signatures would substantially alter existing legal doctrine and commercial practices.

The legislative proposal would also make contracting on-line subject to legal risks that do not exist in the off-line world. For instance, even a signature meeting the licensing criteria could be misused by a third party if the user lost control over the signature creation device. This added risk would work to the clear detriment of electronic commerce. Moreover, where this loss of control were not due to any fault of the signatory, forcing him to be bound by someone else’s use of his electronic signature would be patently unjust. Even where the loss of control were due to the signatory’s negligence, holding him to the transaction may lead to "penalties" wholly out of proportion to the degree of fault. The legislative proposal is particularly troublesome given the lack of any indication in the consultation document—nor are we aware of any—that parties to electronic commerce perceive any need for such a presumption of non-repudiation.

Finally, the legislative proposal might actually harm the very parties—namely consumers—that it seeks to protect. In one scenario of an on-line consumer transaction, a business would offer a good or service at a specific price, and the consumer would accept the offer using his electronic signature. In this case, the relying party would be the commercial party. While businesses may be eager to take advantage of such a presumption of non-repudiation, the benefit for consumers is difficult to fathom.

Rather than impose rules subjecting electronic signatures to a presumption of non-repudiation, the legislation should instead provide that a party is bound by an electronic signature only if the message to which the electronic signature is attached was sent by the party or with his authority. This rule should apply to all electronic signatures and would provide true legal equivalence between hand-written and electronic signatures. Thus, parties would have the same rights of repudiation with respect to electronic signatures as they have with respect to hand-written signatures—no more but also no less.

The legislation should not link the licensing status of the CA to the electronic signature’s legal effect.

The legislation should not link any aspect of an electronic signature’s legal validity to the licensing status of the relevant CA. Microsoft has some question whether CA services are even ripe for regulatory oversight given that these service are very much in their infancy, may never develop commercially, and may never present issues that justify regulation.

If the Government proceeds with licensing of CAs, however, the license should do no more than indicate to users that the licensee adheres to certain business standards or best practices. Users who value this certification can then decide whether to pay any additional costs such licensing may entail. In effect, then, the market will determine the value of the license and whether the licensing conditions can be satisfied in a cost-effective way.

Licensing status should not, however, be tied in any way to the legal effect of the underlying electronic signature. To do so would distort the market by giving consumers an incentive to purchase licensed services solely for their legal effect, regardless of whether they value the actual adherence to the licensing conditions themselves. This would distort the market by making it impossible to measure accurately whether users perceive any actual benefits in the licensing conditions.

Accordingly, the legislation should eliminate any link between the licensing status of the CA and the legal validity of the relevant electronic signature. The market will then determine whether consumers value the information that licensing status conveys sufficiently to pay any additional amount it might entail.

The legislative proposal is inconsistent with the proposed EU Electronic Signatures Directive.

The consultation document implies that the proposed licensing scheme and legal presumption are needed to implement the proposed EU Electronic Signatures Directive. This is incorrect. Rather, legislation granting legal equivalence to all electronic signatures and eliminating any link between licensing status and legal validity would more faithfully implement the Directive.

Article 5(1) of the current Council Working Group version of the Directive provides:

"Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature creation device

satisfy the legal requirement of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies that requirement in relation to paper-based data, and

are admissible as evidence in legal proceedings."

Article 5(1) does nothing more than require Member States to ensure that at least electronic signatures meeting the criteria set out in the Directive satisfy the requirement of a hand-written signature under national law. Nothing in Article 5(1) or any other section of the Directive in any way limits the ability of Member States to extend legal recognition to a broader category of electronic signatures—or indeed to all electronic signatures. Similarly, although the Directive provides that signature creation devices that meet the requirements of Annex III automatically satisfy the requirements of Article 5(1), nothing in the Directive limits Member States from extending full legal recognition to signatures created by devices that may not satisfy Annex III. Accordingly, the proposed legislation should not limit legal recognition to signatures created solely by "approved" devices (¶ 20).

In addition, Article 5(2) of the current Council Working Group version of the Directive mandates the full legal validity and enforceability of all electronic signatures:

"Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the ground that the signature is in electronic form, or is not based upon a qualified certificate, or is not based upon a qualified certificate issued by accredited certification service provider, or is not created by a secure signature creation device."

To the extent the proposed legislation would have any impact on contracts that currently do not require a hand-written signature, it would in fact violate Article 5(2). As described more fully in Part 2(a) of this response, a party may under current legal rules indicate its consent to be bound to such contracts in innumerable ways, including by electronic means. Any change in the existing legal regime that effectively rendered certain electronic signatures legally less effective than other forms of assent would deny legal effectiveness to such signatures solely because they were in electronic form, and thus would violate Article 5(2) of the Directive.

Even where UK law currently imposes requirements for hand-written signatures, however, Article 5(2) strongly supports a legal regime that extends full legal recognition and validity to all electronic signatures. While the distinction between Articles 5(1) and 5(2) of the Directive may justify differing legal treatment in Member States in which hand-written signatures are already legally vested with non-repudiation or similar features, this distinction does not justify differing legal treatment in a jurisdiction, such as the UK, where non-repudiation is not currently a legal property of hand-written signatures. Moreover, as explained more fully in Part 2(b)(ii) of this response, to introduce a presumption of non-repudiation for electronic signatures certified by licensed CAs would make electronic commerce less attractive for all users and particularly risky for consumers.

The legislation should clearly provide for party autonomy.

The consultation document states that the Government "has no intention of disturbing the existing use of electronic messages between parties, usually within closed user groups, for doing business" (¶ 22). Although this passage appears to endorse the principle of party autonomy, the legislation should clearly state that parties have the same freedom of contract with respect to the rules under which they will accept and agree to be bound by electronically signed data as they currently have with respect to manually signed data.

No one can anticipate all applications of electronic signatures and certificates. Therefore, parties’ use of electronic signatures should not be constrained by the imposition of unalterable requirements that render these uses economically infeasible in some circumstances. A clear party autonomy provision would afford parties the flexibility to structure electronic transactions by agreement to meet their specific needs to the same extent that they may currently structure their non-electronic transactions.

Service providers should be permitted to offer both licensed and unlicensed services.

The licensing regime should be structured to ensure that consumers have maximum freedom to choose between licensed and unlicensed services. Consumers may well perceive value in the information conferred by licensing status with respect to certain services, but not with respect to others. To ensure that the market is able to respond effectively to this consumer demand, the legislation should allow service providers maximum flexibility to offer both licensed services (where consumer demand justifies the additional cost of obtaining a license) and unlicensed services (where such consumer demand is lacking).

For these same reasons, the Government should reject the option that a provider holding a license for any cryptographic service covered by the licensing regime would be expected to be licensed for any other cryptographic service that it offered (¶ 39). As the document correctly notes, such an "all-or-nothing" licensing regime would stifle innovation and retard the development of new value-added services without providing any benefits to consumers or industry.

Any risk of consumer confusion as to whether a specific service offered by a provider is licensed or unlicensed can easily be dealt with through existing legislation. A number of consumer protection provisions of general applicability already exist under UK law, including rules against unfair or misleading trade practices, requiring accurate labelling, and truthful advertising. As these laws will also apply to providers offering services to UK consumers, any risks to consumers regarding inaccurate or unclear labelling of licensed versus unlicensed services can be dealt with fully under existing laws. In short, there is no need for new legislation or additional regulatory oversight in this area.

The legislation should not impose new liability rules on providers of confidentiality or electronic signature services.

We do not believe that any new liability rules should be introduced regarding the cryptographic services outlined in the consultation document (¶¶ 42-45). Providers of these services—whether related to confidentiality or electronic signature certification—will be subject to existing liability rules, including common-law tort and related rules and the Unfair Contract Terms legislation. We believe it is far too early in the development of these services to impose new and sector-specific liability rules, as these may well skew the market in unintended ways and make it more expensive to provide such services without extending any clear benefits to consumers.

However, were the Government to impose new liability rules on providers, we would urge that these rules reflect the following three principles. First, any liability rules—including requirements for minimum or maximum liability—should be subject to modification by contract. Meaningful contractual freedom is crucial to ensure that parties can use electronic signatures and other cryptographic services for the whole range of possible uses and transactions and can design the liability scheme to fit their needs.

Second, parties should be able to notify relevant third parties of the applicable liability rules—whether statutory or contractual—by incorporating another document or source by reference. For instance, a certificate accompanying an electronic signature should be able to notify third parties of the applicable liability provisions by reference to another source, such as a hyperlink to the provider’s Internet site. To require all relevant liability rules to be contained in the certificate itself would be unworkable in most cases.

Third, any default liability rules should apply equally to both licensed and unlicensed service providers. Applying different liability rules depending on licensing status would introduce artificial incentives for or against the use of licensed services and thus fail to reflect accurately the true value of licensing status to the market.

The licensing conditions should be revised and simplified.

Certain of the proposed licensing criteria in Annex A are unnecessary, too service specific, or may not be appropriate for certain services that licensed providers may wish to offer.

a. General licensing criteria.

Quality Management. The consultation document states that all licensees would need to demonstrate compliance with an appropriate quality system such as ISO 9000. Compliance with the requirement would be inappropriate for providers offering certification services for signatures used in extremely low-value, routine transactions, as it would impose added costs on such services that would make them cost-prohibitive in the market. This licensing condition should be revised to state that the licensee must demonstrate compliance with a quality management system appropriate to the licensed service to be offered.

Information Security Management. All licensees would be required to obtain accreditation under the c:cure Scheme to BS 7799. While a high level of security management will be essential for providers of confidentiality and related services, it may be inappropriate for other services (such as certain services related to electronic signature certification). The licensing conditions should make clear that BS 7799 accreditation will only be required where appropriate to the licensed service on offer and where necessary to protect users.

Key generation. The consultation document provides that all applicants would need to demonstrate the ability to "issue separate key pairs for signature and confidentiality services." This criterion presupposes that licensees will want—or need—to become licensed for all cryptographic services if they seek to become licensed for any. As discussed in Part 4 of this response, providers should be free to offer and become licensed for as many or as few services as they choose. Accordingly, there should be no requirement that providers be able to issue key pairs for both signature and confidentiality services. Indeed, licensees should not be required to be able to generate any key pairs, as their customers may prefer to generate their own key pairs.

b. Licensing criteria for certification authorities.

Client authentication. This condition provides that licensees will be required to "identify" their clients, which must include "prior physical identification" of the client. This provision incorrectly assumes that all electronic signatures certified by licensed providers will be used to establish identity and, therefore, that a person’s identity will be paramount. The prevailing view, however, is that most electronic signatures will merely identify an attribute of the signatory (such as membership in an association, employment in a company, etc.), for which the signatory’s identity will have either been established independently (e.g., during the hiring process, in becoming a member of the relevant group or association), or will be of relatively minor importance. For these types of "attribute" certificates, this licensing condition would impose unnecessary and costly requirements. Even where the certificate at issue is relied upon to establish the signatory’s identity, we question whether the requirement for "physical" identification would always be appropriate. Given that many providers will have customers in remote locations or in other countries, physical identification may not always be feasible or cost-effective. In many cases, documentary and related evidence should be sufficiently reliable to establish identity.

Revocation. For the reasons set forth in the preceding paragraph, a revocation service may be inappropriate for "attribute" certificates and thus should not be imposed on all service providers.

User signature generation products. This provision states that users will need to use "approved" signature generation products to "take advantage of full legal recognition." As explained more fully in Part 2 of this response, all electronic signatures should be treated as legally equivalent to hand-written signatures. Therefore, this provision should be deleted.

c. Conditions on a TTP for the provision of a confidentiality service.

Key storage. This condition requires licensees to demonstrate their ability to securely hold encryption keys. This presupposes that licensees will necessarily wish to offer key escrow or similar services to consumers. As described in Part 1, however, many licensees may perceive insufficient market demand for key escrow services, or may find that they are unable to offer such services to the market on a cost-effective basis. These providers should not be precluded from obtaining a license on that basis. Accordingly, this licensing condition should be revised to provide that, before a licensee offers key escrow or similar services to clients, it must be able to demonstrate the ability to hold encryption keys securely. The condition should make it very clear that licensees are free not to offer key escrow services.

* * *

Microsoft appreciates this opportunity to respond to the Consultation Document and welcomes further opportunities to discuss these views with Government representatives.

Go back to the start of this document.

Go to the library of current responses.

Go to FIPR home page.

Last Revised: April 20 1999