The Government would welcome views on the appropriate means of ensuring legal recognition of electronic signatures and writing.
It is not clear that it can ever be certain that a digital signature has been used by the owner, any more than hand-written signatures are verifiable (except where a signing is witnessed).
The benefits to electronic commerce do not necessarily derive from achieving the nth degree of certainty and the costs of the required infrastructure to achieve that - including for example biometrics - could make this unachievable.
A "light touch", allowing trading partners to determine what standard is required, would be more desirable. If the trade is at the lower end of the value spectrum, the risks are small - evidence the trading that goes on using fax at present.
The Government is also seeking views, subject to the constraints set out in this section, on whether there are other significant changes that should be made through UK primary legislation to promote the development of electronic commerce.
Although outside the immediate scope of the proposals, the costs associated with access to the internet are a constant obstacle cited by the users I am familiar with - SMEs. The UK telecoms position regarding the relatively high costs of local calls, ISDN etc. means that internet take-up in the UK is likely to continue to lag behind the US etc.
With regard to the voluntary statutory regime of licensing CAs and RAs, like many others, I am concerned about two issues.
Firstly, that the government will refuse to trade electronically with users of certificates from unlicensed issuers. We understand that this will be at the discretion of individual government departments, but that only reinforces our concerns.
Secondly, that this two-tier approach will cause problems for the courts (ie for users as a result of turning to the courts). I suspect that the courts would not be as likely to uphold a transaction made using a digital ID from an unlicensed issuer, simply because it was from an unlicensed issuer, whereas the test should be how the certificate was issued (ie the issuer's processes).
The Government recognises that the issue of liability is a key concern of industry and would particularly welcome views on the issues set out in this section.
It seems to me that there will be a close correlation between the cost of certificates and the level of liability. Taking into consideration my first point above, without an additional hardware infrastructure to ensure that a digital signature is only used by the certificate owner, the main risk cannot lie with the issuer (the issuer cannot ensure that I do not leave my PC turned on and the PIN of my certificate on the first page of my address book).
Again we must think about the current hand-written signatures where there is rarely evidence that the signature was made by the "owner", and in business the common use of pp (ie signing on behalf of) which will inevitably need to be paralleled in the digital future.
One alternative is to have more classes of certificates, as is the case now with Verisign and Trustwise issuing "Persona not verified" certificates.
Certainly we need to maintain low-cost certificates for low to medium risk transactions.
The reference after para 45 to a duty of care imposed on holders really only emphasises the problems that will be created if the government goes ahead with statutory liability and which I believe must be avoided.
In the healthcare domain, there is an essential need for encryption to protect confidential patient data being sent over NHSNet or the Internet. The government's own targets in the NHS Information for Health strategy are being put at risk by the difficulty in resolving the Key Recovery/Key Escrow issue.
These are significant targets supported directly by the Prime Minister:
"The challenge for the NHS is to harness the information revolution and use it to benefit patients."
Rt. Hon. Tony Blair, All Our Tomorrows Conference, Earls Court, London, 2nd July 1998
I therefore suggest that the following concepts be reviewed in order to ensure that the ability of the NHS to achieve these targets is not impaired.
A) Exempt authorised areas of healthcare (definition to be agreed) from any proposed regulation for key recovery/escrow. For example, the risk to national security/crime prevention from encrypted messages between GPs and Hospitals must be capable of being regarded as non-existent.
B) The DTI should drop all the Law Enforcement proposals from the upcoming legislation and leave the Home Office to bring forward any necessary legislation later in the year. This would give a more realistic amount of time to find a solution acceptable to both industry and government and enable any proposals to take account of the IOCA review which I understand is planned for later in 1999.
Charles Waudby is the Chairman of the Healthcare Group of e centre uk and also a director of e centre uk.
The views expressed reflect discussions with colleagues, but should nevertheless be regarded as personal.
Last Revised: April 16 1999