FIPR EC Bill Suggested Amendments

FIPR: Foundation for Information Policy Research

_____________

Electronic Communications Bill: Suggested Amendments and Explanatory Notes

Work in Progress

1	In subclause 2(6) after the word "approval" insert the words "or
otherwise".

Note on amendment 1

Clause 2(6) is intended to prohibit the imposition of a "key escrow"
requirement.  It does so, but only in the case of a requirement imposed by
"conditions contained in an approval".  This appears to leave open the
possibility, presumably unintentional, that the requirement might be imposed
in some other way.  The amendment, which is purely technical, is designed to
preclude this possibility.

 2	In subclause 7(3)(b), after the word "signature" delete the word "or".

 3	In subclause 7(3)(c), after the word "signature" insert the word "or".

 4	After 7(3)(c) insert a new subclause as follows:

"(d)	data logically associated with the means of producing the signature for
use in a procedure to be applied to the signature,"

Note on amendments 2 to 4

A certifier may certify a public signature verification key as belonging to
a particular person.  That is arguably the most typical case.  Without the
proposed amendments, clause 7(3) would fail to treat a signature verified
with such a key as having been certified, because neither (a) the signature
nor (b) the private key used to make the signature nor (c) any verification
procedure has been certified.  Subclause (d) would remedy this by including
the public key amongst the items capable of legitimate certification.

 5	After subclause 8(7) insert a new subclause as follows:

"(8)	No order under this section shall require an electronic signature to be
certified by any person other than its maker unless (apart from this Act or
any order made under it) a signature (not being an electronic signature)
made for the same purpose is required to be notarised or otherwise
authenticated by a person other than its maker.  A requirement for a
signature to be witnessed shall not be treated for this purpose as a
requirement for it to be authenticated."

Note on amendment 5

It is important for electronic commerce, for dealings between citizen and
government, and for avoiding the reinforcement of social exclusion, that
electronic signatures are not subjected to unnecessary burdens or
formalities which do not apply to ordinary signatures.  Ordinary signatures
are rarely required to be authenticated, even on such important forms as
registrations of births or tax returns (passport applications are a rare
exception).  (Witnesses to a signature are not required to know the
signatory and do not authenticate the signature, and this is made clear for
the avoidance of misunderstanding.)  Electronic signatures do not justify
special treatment: just as an ordinary signature by an unknown person does
not enable them to be identified, but enables a later signature to be
recognised as coming from the same person, so an electronic signature can
perform the identical function, and without any need for third party
certification.  Imposition by Government of unnecessary certification
requirements is equivalent to introducing "voluntary" identity cards.  The
amendment would prevent the use of secondary powers to introduce new
obstacles to the use of electronic signatures.

 6	After subclause 8(8) insert new subclauses as follows:

"(9)	No order under this section shall make any provision inconsistent with
the following provisions of this section.

"(10)	Unless otherwise agreed between the purported sender and the recipient
of an electronic communication, the purported sender of the electronic
communication is bound by that communication only if the communication was
sent by the purported sender or with the authority of the purported sender.

"(11)	Unless otherwise agreed between the purported maker of an electronic
signature and any person relying on it (or any person through or under whom
the person relying on it claims), the purported maker of the electronic
signature is bound by that signature only if the signature was made by the
purported maker or with the authority of the purported maker.

"(12)	Subsections (10) and (11) are not intended to affect the operation of
a law (whether written or unwritten) that makes provision for:

		(a)	conduct engaged in by a person within the scope of the person's actual
or apparent authority to be attributed to another person; or
		(b)	a person to be bound by conduct engaged in by another person within
the scope of the other person's actual or apparent authority."

Note on amendment 6

This amendment follows corresponding provisions in the recently passed
Australian Electronic Transactions Bill, which were recommended to the
Attorney-General of the Commonwealth (of Australia) by the distinguished
members of the Australian Electronic Commerce Experts Group.  It ensures
that unless users of electronic signatures explicitly agree otherwise
between themselves, the normal rule applies, namely that whoever relies on a
signature must prove it is genuine if it is disputed by the apparent maker.
This rule protects someone whose signature key is stolen by hackers using
clever technical means.  Neither ordinary PCs nor any available smartcards
are sufficiently secure to justify reversing this rule.  Although new
European Union standards are being proposed, the process is secretive and
does not justify proper public confidence in the security of the resulting
products.  Until secure products are available and have gained public
confidence through exposure to open and transparent expert scrutiny, there
should be no power to subject users of electronic signatures to
responsibility for stolen signature keys.  Without this amendment, clause
8(4)(g) coupled with clause 8(5)(d) and (e) would enable such a power to be
exercised.

 7	Delete subsection 13(2) and insert the following in its place:

"(2)	Subsection (1) shall not prohibit the making of provision by an order
under section 8 for-

(a)	treating an electronic communication as not having been made if the
intended recipient is not in possession of a key for electronic data
comprised in that communication and so notifies the sender within a
reasonable time; or

(b)	imposing on a person who is under a duty to store and make available any
data, and who stores it in any electronic form such that a key is required
to gain access to the data or to make it intelligible, a duty to secure that
the key is available when the data is required to be made available."

Notes on amendment 7

The existing subclause 13(2)(a) enables an unnecessary key deposit
requirement to be imposed where all that is necessary is for an
unintelligible communication to be treated as if it had not been made
(provided the recipient notifies the sender promptly that it is
unintelligible).  The amendment substitutes this more limited provision.

The existing subclause 13(2)(b) is unnecessarily wide, and would enable a
general requirement for either key escrow or key recovery facilities to be
introduced.  The amendment limits the duty to make a key available to the
only relevant case (where it is almost certainly already implied by law),
namely where the holder of the data is under a duty to hold a record and
make it available.

 8	In clause 15(2), delete "7,".

Note on amendment 8

Clause 7, making electronic signatures admissible, should come into force
immediately without being made dependent on the making of an order.


_____________

Last updated November 28, 1999.