The significance of these issues should not be underestimated by government or the private sector. Even the most conservative estimates predict an annual doubling of the volume of electronic commerce over the coming years. In the absence of a global policy framework, national governments are approaching the issue with some degree of uncertainty and run the risk of placing themselves at a competitive disadvantage. Legislation in this area should be drafted through primary legislation at the earliest opportunity and space made in the legislative timetable to accommodate sufficient scrutiny and attention. At all times consideration should be given to global interests as effective policy implementation in this area will be impossible without some degree of co-operation and decision making at UN/WTO level. Significant attention should be paid to OECD and US learnings in order to achieve the goal of the UK to be the centre for e-commerce in Europe.
Q1. The Government would welcome views on the appropriate means of ensuring legal recognition of electronic signatures and writing.
We are satisfied that the Government is best placed to identify and utilise the appropriate mechanisms to enable electronic signature and writing recognition. The following principles should be met:
However, we are already experiencing cases where organisations are expressing a desire to create and use a signature (and certificate) which applies to the organisation as a whole (coupled with appropriate safeguards around the validity and use of such a signature/certificate). This would seem likely to be a growing trend and we would therefore question the practicality of any statement that proposes, under the technology neutral issue, that signatures be created using means that the signatory can maintain under his/her sole control.
Q2. The Government is also seeking views, subject to constraints (non-discriminatory, technology neutral, EU draft Directive E-Commerce), on whether there are other significant changes that should be made through UK primary legislation to promote the development of electronic commerce.
Some level of de-regulation in the telecoms industry to ease the cost burden on Internet connections would be welcome. Electronic commerce (business to consumer) is dependent on the ease and cost with which consumers are able to access the Internet. Further consideration should be given to the opportunities presented by digital TV and a regulatory environment which will promote the growth of the industry in line with the ‘convergence of media’ issue.
Reference to the E-Money debate and legislation at EU level should be made in order to consider the ease with which a transaction can take place with conventional payment methods.
We would also welcome a review of the Export, Import and Use legislation around cryptographic mechanisms, particularly in light of recent moves by the French and US governments which have positioned the UK badly in the level of regulation applied. This may mean a revisiting of the Wassenaar agreement, but there is no reason why the UK should not honour the principles of the existing agreement (as amended in December 1998) and still relax the stringent controls in place.
Q3. The Government would welcome views on whether any of the provisions of the UNCITRAL Model Law on Electronic Commerce (other than those on signatures and writing) should be implemented by UK primary legislation.
Whilst many of the principles within the model law are entirely appropriate it seems realistic to take these forward in an international framework rather than through domestic regulation. Documents published by the OECD attempt to address such issues. We generally support arguments proposed at this pan-national level and consider them relevant due to the fundamental nature of a ‘borderless environment’.
Q4. The Government would welcome views on whether the industry solutions being developed to combat spam are likely to be effective. Or should the Government take further steps to regulate the use of spam?
Whilst important, this appears to be irrelevant in terms of this consultation paper. Measures already in place for commercial communications and the Data Protection Act should/can provide adequate coverage if suitably amended.
Q5. The Government would like to start a debate on whether any changes are needed to existing legislation to allow intermediaries and their role in electronic commerce to prosper and would welcome views.
Introducing an additional layer of intermediary services would appear to be unnecessary and extremely difficult to operate in practice. Existing providers of traditional "trust services" are well placed to provide the types of services described, and thus new entrants into this ‘trust’ market will no doubt examine the opportunities peculiar to e-commerce. This is a purely commercial and market related issue. The real attention of the Government should be focused on the overall climate of encouraging trust and not on the intricacies of the trust market place.
Considering the issue of law enforcement and the removal of mandatory key escrow from the proposals, development of key recovery technology would seem to be a key area for attention.
The need to confirm contracts in writing as set out in the Distance Selling Directive somewhat negates the ability to truly interact on-line. E-mail must be recognised as a durable and reliable medium of communication and law may need to be amended to reflect the totality of recognition of digital signatures. This should also be considered in relation to the non-discriminatory policy for e-commerce.
Q6. The DTI’s initial thinking on the licensing regime for Trust Service Providers is set out in Annex A, and we would especially welcome views on this annex.
We invite views on these criteria, and would also welcome views as to the level at which the standards should be set for each of them or how they should be assessed.
Whilst recognising the fact that the criteria will be addressed by secondary legislation, the concept of technology neutrality must be adhered to and it would appear that this is not the case in the initial suggestions proposed in Annex A. The BBA have addressed this area in some depth and we largely support their comments. It is perhaps worthwhile to suggest that under the General Licensing Criteria section, key generation should include an appropriate ITSEC level. This is referred to in the Licensing Criteria for Certification Authorities section and Conditions on a TTP for the provision of a Confidentiality Service. Consistency in best practice transfer and minimum standards should be achieved in all areas so as not to inadvertently favour one service which would quickly be exploited in the market. Other than the aforementioned, the criteria appear to be satisfactory.
Q7. The boxes below (p.20) provide some examples of services which will be eligible to apply for licences under the proposed regime. They are intended to be illustrative, rather than prescriptive and we would welcome comments on them. We recognise that various organisations are considering different business models for providing cryptography services to the public and would welcome views on how they should fit into the licensing regime.
Industry/commercial input is essential here. However, in attempts to be technology neutral it is important to recognise that the infrastructure (PKI) will have a potential influence on business models. The wider question is whether the legislation will interfere with the freedom of commercial entities to make market led decisions about how they will achieve the level of trust required for particular business purposes. It appears unhelpful for Government to attempt to consider commercial applications when the remit they should be addressing is the overall framework under which trust schemes will operate. The services that commercial entities can provide should not be unduly limited by specific legislative considerations. A light touch consistent with the current regulatory environment is appropriate to foster innovation in the market and ensure cost burdens do not deter new entrants.
Q8. The Government would therefore welcome views on how best to distinguish between the provision of licensed and unlicensed services in order to protect the consumer.
The purpose of licensing is both to engender trust and to maintain quality standards. Thus the model of ISO9000, where companies are able to use their ISO9000 status in advertising and other literature, or the use of "kite mark" schemes consistent with current government proposals in other areas, seems to offer the simplest and easiest solution. The key to this is, however, the strength of the licensing process, which needs to be rigorous, clearly defined and publicly available (as should any other international standards, given the clear promotion of cross-border transactions at EU level) whilst remaining flexible and consistent with global solutions. Access to consumer information will play a significant role in this area, as the consumer may not realise the need for recourse or additional information until something adverse occurs and the service provider is called to account. Due to the potential anonymity available on the Internet, access to this information is essential both on-line and off-line and goes some way to satisfying social exclusion concerns.
Q9. The Government recognises that the issue of liability is a key concern of industry and would particularly welcome views on the issues set out in this section.
Some general questions are:
Q10. What liability regime should apply in respect of licensed providers of cryptography services?
Q11. The Government would welcome views on this approach (limit of liability on licensed service providers), how the limit should be set, or suggestions for alternative approaches.
Q13. Are there any other liability issues concerning cryptography services which need to be addressed in legislation?
The question of liability is important in providing customer protection. With personal credit card purchases sufficient protection is provided as a matter of course, but in other circumstances, generally business to business transactions, this is not the case. Thus, the relying party should have recourse according to the value of the transaction. Liability should apply to both licensed and unlicensed authorities.
Q12. Should a specific "duty of care" be imposed on holders of private signature keys (e.g. to keep their private key secure, to notify a Certification Authority within so many hours of realising it has been compromised etc.)?
Notwithstanding the need to remain technology neutral, it is essential that any trust relationship carries the duty of care responsibilities required, particularly of the user. The models used within banking regarding PIN protection serve as an example of what can be achieved. In addition, it is likely that best practice on behalf of the provider will lead to the development of a Code of Conduct or Service Level Agreement, not only to provide additional confidence but possibly also as a means of differentiation.
Q14. The Government would welcome views on its proposals for lawful access to encryption keys.
Q15. The Government would welcome ideas on how its law enforcement and electronic commerce objectives might be promoted via the licensing scheme or otherwise.
Q16. The Government would welcome views from industry on the extent to which the needs of law enforcement agencies can be met by existing and forthcoming developments in encryption and communications technologies.
Mandatory key escrow would have placed the UK at a significant competitive disadvantage and as such we welcome the government’s decision to remove this clause. In financial services ultimate security is essential and it would seem there is an element of contradiction in the original proposal. We cannot satisfy security and confidentiality requirements whilst allowing access via a key deposited with an outside party. Data protection legislation would also need to be considered in this context. International experience, particularly in France and the US, should indicate that whilst a practical solution is required, mandatory key escrow is not the answer.
We consider that any law enforcement oriented solution should focus on access to plain text and not necessarily the encryption key (although verification could again be required).
We welcome the de-coupling of confidentiality from authentication, integrity and non-repudiation services in the licensing proposals and feel this will enable more detailed consideration.
A further point to raise would be the requirement for a clear audit trail, not just for law enforcement but also for commercial risk management purposes. This point has been raised several times at EU level in the context of E-money and digital signatures; any decisions should be taken with reference to conclusions drawn at this level.
Q17. We invite views on licensing criteria for Certification Authority and conditions for Trusted Third Parties, and would also welcome views as to the level at which the standards should be set for each of them or how they should be assessed.
See Q6 reply.
Furthermore, consistent with current government support for smart cards in the Better Government White Paper, it may be appropriate to specify minimum ITSEC levels, ranging from E3 for large scale systems that rely on use of third party software (for example the Registration System) to E6 for critical small components such as smart cards (for example the Mondex card, which is currently built to E6 standards). Common Criteria (which are expected to become ISO15408 later this year) should also be considered as a benchmark similar to ITSEC. As mentioned before, minimum standards should address not only verification but also generation of signatures and certificates.
Last Revised: July 8 1999