PAPER ON REGULATORY INTENT CONCERNING USE OF ENCRYPTION ON PUBLIC NETWORKS
1. The Government recognises the importance of the development of the Global Information Infrastructure (GII) with respect to the continuing competitiveness of UK companies. Its aim is to facilitate the development of electronic commerce by the introduction of measures which recognise the growing demand for encryption services to safeguard the integrity and confidentiality of electronic information transmitted on public telecommunications networks.
2. The policy, which has been decided upon after detailed discussion between Government Departments, involves the licensing and regulation of Trusted Third Parties (hereafter called TTPs) which will provide a range of information security services to their clients, whether they are corporate users or individual citizens. The provision of such information security services will be welcomed by IT users, and will considerably facilitate the establishment of, and industry's participation in, the GII, where trust in the security of communication has been acknowledged to be of paramount importance. The licensing policy will aim to preserve the ability of the intelligence and law enforcement agencies to fight serious crime and terrorism by establishing procedures for disclosure to them of encryption keys, under safeguards similar to those which already exist for warranted interception under the Interception of Communications Act.
3. The Government intends to bring forward proposals for legislation following consultation by the Department of Trade and Industry on detailed policy proposals.
4. The increased use of IT systems by British business and commerce in the last decade has been a major factor in their improved competitive position in global markets. This reliance on IT systems has, however, brought with it increased security risks, especially concerning the integrity and confidentiality of information passed electronically between trading bodies. The use of encryption services on electronic networks can help solve some of these security problems. In particular, TTPs will facilitate secure electronic communications either within a particular trading environment (eg between a bank and its customers) or between companies, especially smaller ones, that do not necessarily have any previous trading relationship.
5. In developing an encryption policy for the information society, we have also considered how the spread and availability of encryption technology will affect the ability of the authorities to continue to fight serious crime and terrorism. In developing policy in this area, the Government has been concerned to balance the commercial requirement for robust encryption services with the need to protect users and for the intelligence and law enforcement authorities to retain the effectiveness of warranted interception under the Interception of Communications Act (1985).
6. Consideration by Government has also been given to the requirement for business to trade electronically throughout Europe and further afield. The inter-departmental discussions have therefore taken into account draft proposals by the European Commission, concerning information security (which include the promotion of TTPs), and discussions on similar issues taking place within the OECD.
3. The Government's Proposals
7. By their nature, TTPs, whatever services they may provide, will have to be trusted by their clients. Indeed in a global trading environment there will have to be trust of, and between, the various bodies fulfilling this function. To engender such trust, TTPs providing information security services to the general public will be licensed. The licensing regime would seek to ensure that organisations and bodies desiring to be TTPs will be fit for the purpose. The criteria could include fiduciary requirements (eg appropriate liability cover), competence of employees and adherence to quality management standards. TTPs would also be required to release to the authorities the encryption keys of their clients under similar safeguards to those which already exist. We would expect organisations with existing customers, such as banks, network operators and associations (trade or otherwise) to be prime candidates for TTPs.
8. The Government will consult with organisations such as financial services companies, who have made existing arrangements for the use and provision of encryption services, with the intention of avoiding any adverse effects on their competitiveness. It is not the intention of the Government to regulate the private use of encryption. It will, however, ensure that organisations and bodies wishing to provide encryption services to the public will be appropriately licensed.
9. The services which a TTP may provide for its customers will be a commercial decision. Typically, provision of authentication services may include the verification of a client's public key, time stamping of documents and digital signatures (which secure the integrity of documents). TTPs may also offer a service of key retrieval (typically for documents and files that have been encrypted by employees) in addition to facilitating the real time encryption of a client's communications.
10. Licensed TTPs operating within a common architectural framework, on a European or even a global basis, will be able to facilitate secure communications between potential business partners in different countries. Providing the respective clients trust their TTPs, secure electronic commerce between parties who have not met will become possible because they will have confidence in the security and integrity of their dealings.
11. It is envisaged that a common architectural framework will be needed to support the information security services being offered by TTPs in different countries. Clearly this will be a matter for negotiation between interested parties taking into account developments in international standards organisations. The architecture would need, however, to support both the provision of integrity and confidentiality and therefore be capable of verifying public encryption keys and escrowing private ones. There is no reason why it should not also support a choice of encryption algorithms, such as those on the ISO (International Standards Organisation) register.
12. In support of such an architectural framework we would envisage manufacturers developing software or hardware products for use by the business community. Such products will need to be consistent with whatever standard (or standards) are arrived at to enable TTPs to interoperate. The type of algorithm used for message encryption, and whether it is implemented in hardware or software, will be a matter of business choice.
13. The Government is working closely with the European Commission on the development of encryption services through their work on information security. Arrangements concerning lawful interception and the regulation of TTPs in that context are matters for Member States to determine. However, the Commission has an important role in facilitating the establishment of an environment where developments in the use of TTPs can be fostered. The Commission should soon be in a position to bring forward a programme of work involving, for example, the piloting and testing of TTP networks.
14. The Government are also participating in discussions at the OECD on encryption matters. Where possible we will encourage the development of networks of TTPs which facilitate secure electronic trading on a global basis.
15. Export controls will remain in place for encryption products (whether in hardware or software form) and for digital encryption algorithms. However, to facilitate the participation of business and commerce in the information society the Government will take steps, with our EU partners, with a view to simplifying the export controls applicable to encryption products which are of use with licensed TTPs.
16. Officials from the Department of Trade and Industry have already held preliminary discussions with various industry groups on the general concepts surrounding the provision of encryption services through TTPs. A more formal consultation on the Government's proposals will be undertaken by the Department of Trade and Industry with all interested parties prior to the bringing forward of legislative proposals. The Government recognises that the successful facilitation of electronic commerce through the introduction of information security services by TTPs, either in the UK or in Europe, will to a significant extent depend on their widespread use across business. It will therefore be important to secure the broad acceptance of the business community for the Government's proposals. The Department will pay particular attention to this during the consultation process.