PROMOTING ELECTRONIC COMMERCE
Consultation on Draft Legislation and
the Government's Response to the Trade and Industry Committee's Report
Presented to Parliament by the
Secretary of State for Trade and Industry
by Command of Her Majesty
The Consultation Document and the
Government's Response to the Trade and Industry Committee's Report
The Draft Electronic Communications Bill
The Consultation Document and the Government's Response to the
Trade and Industry Committee's Report
- This Command Paper invites comment on the Government's proposals
for an Electronic Communications Bill set out in Part II.
It also sets out the Government's response to the recommendations contained in the
Trade and Industry Committee's report[1] on the
Government's previous consultation document[2].
- The Government welcomes the Committee's report. It, and the
other responses to the consultation document launched in March 1999, have contributed to
the measures set out in the draft Bill.
- The Committee restricted its report to the issues raised by that
consultation document, and we have followed this approach in this document. The Government
looks forward to the Committee's further report in which it intends to deal with
broader issues concerning electronic commerce.
Since the Government gave evidence to the Select
Committee and the publication of the Committee's report there have been a number of
developments, which the Government would like to highlight:
The Government received 252 responses to its Building
Confidence in Electronic Commerce consultation document. The DTI has separately
published a summary[3], by independent consultants,
of the responses to the consultation.
- The Government is now consulting on the draft Electronic
Communications Bill. The draft Bill takes into account the responses to the consultation
process, the Select Committee's report and discussions with interested parties over
the last few months. It forms a key part of the Government's strategy for making the
UK the best place in the world to do electronic business, by starting the process of
modernising the law and creating a climate in which electronic business can be conducted
- In parallel with the previous consultation the Prime Minister asked
the Cabinet Office Performance and Innovation Unit (PIU) to consider encryption,
e-commerce and law enforcement. A task force was established and a Report[4] outlining their main findings was published on
26 May. As a result of this report, the Government has confirmed that there will be
no mandatory link between key escrow and the approvals system introduced by the Electronic
- The Government has decided not to introduce, in legislation, a
rebuttable presumption of legal recognition for electronic signatures. Instead, the
Government proposes to make it clear that all types of electronic signatures will be
legally admissible in Court.
- The Government has decided that the liability of Trust Service
Providers (TSPs), both to their customers and to parties relying on their certificates, is
best left to existing law and to providers' and customers' contractual
- The Government sees the availability of high-quality cryptographic
services as an important building block to meeting its goal of building confidence in
electronic commerce. The previous consultation document set out the intention to introduce
a statutory, but voluntary, licensing scheme for Trust Service Providers. Given the
Government's decisions not to offer statutory privileges as an incentive for the
statutory scheme, and its voluntary nature, the Government has decided that the scheme is
best described as an "approvals regime". The Government believes that a
voluntary approvals scheme will provide customers with an assurance of high standards and
a means of redress when things go wrong.
- The Government's earlier consultation paper also sought views on
whether it should take any measures to regulate unsolicited email ("spam"). The
majority opinion was to allow the industry to take effective voluntary measures, but that
the Government should keep a watching brief and be ready to take legislative action if
necessary. The Government has decided to follow this approach and work with industry and
rely on existing measures. The EU Distance Selling Directive (97/7/EC) contains provisions
requiring Member States to enable consumers to register their objection to receiving
unsolicited emails sent for the purpose of distance selling, and to have their objections
respected. The Directive does not apply to business-to-business transactions and certain
contracts are excluded, including those related to financial services (subject of a
separate EU proposal). The Directive has to be implemented by 4 June 2000, and DTI plan to
consult on its implementation later in the summer.
- The Government also sought views on whether it should introduce any
other legislative measures to promote electronic commerce. It has decided not to do so in
this draft Bill. However, the Government looks forward to any further suggestions that may
arise in response to this consultation, in the Performance and Innovation Unit's
broader e-commerce study and in the Committee's next report.
3. The summary is available at www.dti.gov.uk/cii/elec/conrep.htm
Copies of the responses themselves are available for viewing by appointment at the DTI
Library, Lower Ground Floor, 1 Victoria Street, London SW1H 0ET. Please telephone William
LeSadd on 020 7215 6699 for further details. Some respondents have also made their
contributions available electronically on the world wide web.
- We invite comments by Friday 8 October.
It may not be possible to take into account responses received after this. Any
comments should be sent in writing to Stephen de Souza either by electronic mail
(preferably in Word 6.0 or text format) to:
X.400 address: S=ecbill O=DTI OU1=CIID P=HMG
A=Gold 400 C=GB
internet address: firstname.lastname@example.org
Communications and Information Industries
Department of Trade and Industry
Room 220, 151 Buckingham Palace Road
London SW1W 9SS
It would be helpful if those responding could
clearly state who they are and, where relevant, who they represent. Should you wish any
part (or all) of your comments to be treated in confidence, you should make this clear in
any electronic mail or papers you send. In the absence of such an instruction, submissions
will be assumed to be open, and will be copied to the Trade and Industry Committee; they
may also be shared with others or published by Ministers, or placed in the Libraries of
the Houses of Parliament.
Response to the Trade and Industry
Paragraph 7 The Government's proposals
to facilitate trust in electronic commerce must not interfere with existing, and often
long-standing, electronic commerce relationships.
The Government accepts this in full. The previous
consultation document made it clear that the Government does not intend to interfere with
existing commercial relationships. The Government recognises that many businesses, ranging
from banks to manufacturers, have been successfully carrying out electronic business,
usually in closed user groups, for many years. The Government believes that the increasing
use of open networks, such as the internet, is making electronic business easier, cheaper
and more accessible, bringing its benefits to wider markets, including consumers. The
Government believes that the draft Bill will facilitate electronic commerce, including in
existing relationships, by clarifying the legal admissibility of electronic signatures.
Paragraph 8 The Government's proposals are
tied, perhaps unduly, to the creation of a regulatory regime based on one particular
technology - public-key cryptography - and a specific market model, which, although they
could be considered attractive at present, may not be optimal bases for electronic
commerce carried out over the internet in the future.
The Government is committed to a technology
neutral Bill. The draft Bill published today is intended to promote the provision of
cryptography services and electronic commerce. Although many Trust Service Providers
(TSPs) may well base their services on public key cryptography, there is no reason why
other technologies (e.g. biometrics) could not be used by approved TSPs. The Government
consulted on how alternative business models should fit into the approvals regime.
Although there were few specific responses on this, the Government believes that varying
business models will develop and that it is impossible to predict which are likely to
succeed. The approvals regime needs to be flexible and responsive enough to accommodate
this, which is why the draft Bill leaves the detail of the statutory regime to secondary
In order to help the UK become the best environment in which to trade electronically by
2002, the Government should keep a close eye on international electronic commerce policy
developments and adopt best practice from elsewhere when appropriate.
Electronic commerce is inherently global and the
Government takes this into account in formulating policy, and recognised this in drawing
up the previous consultation document. The international picture is complex. Our approach
is based on trying to move quickly where there is reasonable international consensus, but
not striking out unilaterally against the current of global e-commerce.
A good example of the above is the leading role
the UK has taken in both EU and OECD discussions on cryptography. On the former the DTI
helped ensure a compromise was reached which balanced the important security requirements
relating to the generation of electronic signatures with the need to encourage an open and
flexible market. In the OECD the DTI is working to establish a framework which recognises
the importance of global compatibility between national and regional initiatives on
authentication. The UK is one of the key players in forming the international agenda,
particularly within Europe and has developed models such as for dealing with illegal
content on the internet that have been adopted around the world.
The draft Bill is an important part of the
Government's policy to create in the UK the best environment worldwide in which to
trade electronically by 2002. Overall the draft Bill builds on the draft EU Electronic
Signatures Directive, is consistent with the 1997 OECD Cryptography Guidelines and goes
some way towards implementing the provisions (e.g. Article 5) of the UNCITRAL Model Law on
Paragraph 34 Notwithstanding legitimate
reasons for delay, we are concerned at the time it has taken the present Government to
establish and implement a cryptography policy. It is our perception that inadequate
political control has been exercised over the development and determination of
cryptography policy. The policy agenda has been allowed to drift for too long. It is
imperative that Ministers take a firm grip of the issues from now on.
The speed of computers doubles every 18 months.
Recent years have seen an explosive growth in the numbers of people connected to the
internet, allowing complex data to be exchanged almost instantaneously over thousands of
miles. This phenomenon is having a significant economic impact and will impact on society
itself, often in unpredictable ways. The Government needs to take account of the interests
of society as a whole: policy on electronic commerce needs to take account of broader
issues, such as privacy and law enforcement. Against this background, Governments around
the world have tried to formulate policies which capture the benefits and mitigate the
potential downside. No Government has found it easy either to formulate or implement
policy in this area.
Nevertheless, the Government has not been slow to
rise to the challenge. The UK has played a leading role in the debate. The UK was the
first country in Europe to recognise the need to deal with both authentication and
confidentiality issues in a single framework, because the same technology underpins both
kinds of service. Policy on cryptography and e-commerce more broadly has been
driven at the highest levels politically. The Government rejects the Committee's
suggestion that inadequate political control has been exercised over the development and
determination of cryptographic policy:
- The Government's cryptography policy was launched within a year
of the General Election by Barbara Roche in April 1998 when she announced the
Government's intention to pursue a more liberal policy than the previous
administration, by rejecting the mandatory nature of the scheme which they had
consulted on shortly before the General Election.
- The former Secretary of State for Trade and Industry (Peter
Mandelson) set the target for the UK to be the best environment worldwide in which to
trade electronically by 2002 in the White Paper - Our Competitive Future: Building the
Knowledge Driven Economy.
- On 5 March 1999 the Secretary of State for Trade and Industry and the
Home Secretary jointly launched Building Confidence in Electronic Commerce. In
parallel with the consultation, the Prime Minister personally launched a partnership with
industry to find solutions to the problems posed by encryption for law enforcement.
Paragraph 36 We believe it is essential that every measure included in
the forthcoming Electronic Commerce Bill is designed to facilitate rather than restrict
electronic commerce and that this should be the criterion by which Parliament judges the
Paragraph 117 Now that key escrow has been
dropped by the Government, the rationale for an electronic commerce bill is open to
question. We recommend that the Government think twice about the content of its
forthcoming Electronic Commerce Bill and only include in the Bill measures which will
promote electronic commerce, rather than measures discarded from the previous key escrow
policy which are concerned with controlling, not facilitating, electronic commerce.
The Bill will be an essential enabling measure to
spur on the growth of e-commerce in the UK. The Bill will support the Government's
- the UK to be the best environment for electronic business by 2002;
- 25% of Government services to be available electronically by 2002
(rising to 100% by 2008); and
- 90% of routine procurement of goods to be done electronically by
The draft Bill is designed to promote e-commerce
in a number of ways:
- through clarifying the status of electronic signatures;
- by removing legal barriers so that the option of communicating
electronically can be offered instead of the use of paper; and
- by building confidence in the provision of cryptography services.
The draft Bill also contains measures designed to
ensure that the effectiveness of existing law enforcement powers is not undermined by the
criminal use of the very technologies (such as encryption) which the Bill seeks to
Paragraph 37 While we accept the
Government's judgement that legislation should not be delayed still further solely to
allow for a standard consultation period, especially as the issues on which DTI sought
views were so familiar to likely respondents, the time constraints cited by DTI have been
entirely of their own making.
The Government has sought to maintain a balance
between allowing an adequate period for consultation, and pressing ahead with drawing up
legislation. As the Committee recognises, the issues on which the Government sought views
were familiar to many respondents. The Government was impressed by both the number[5] and the quality of the responses. Moreover Ministers
and officials consulted many companies and others in drawing up the previous consultation
document. This document is the next step in an ongoing process of consultation. The DTI
will continue consulting as the Bill is taken through parliament and will undertake future
formal consultation as the Bill is implemented. The Government is committed to building
confidence in e-commerce, building the legal framework in partnership with industry and
other interested parties.
5. The DTI received 252 responses in total (of which 246 were received in
time to be taken into account by the consultants for their summary).
Paragraph 40 We consider it a potentially
serious omission that DTI has not indicated how its proposals for electronic signatures
would affect Scottish law and we recommend that they quickly do so.
The Government has always recognised that the
implementation of the policy of the Bill is likely to require amendment also of basic
provisions of Scots private law relating to requirements of writing, evidence and contract
formation. In that regard, it is envisaged in the draft Bill that Scottish Ministers will
have the power to make any necessary amendment of Scots law on matters of that kind, by
means of subordinate legislation taken through the Scottish Parliament, subject to the
consent of UK Ministers as the power will extend to legislating on reserved matters.
As in the case of England and Wales, the
legislation will present the opportunity to provide a clear basis in law for the operation
of electronic commerce. The powers in the draft Bill should enable this policy to be
implemented in a consistent way throughout the UK, but also by means which ensure that
this is achieved in the most appropriate way for each jurisdiction.
Paragraph 41 Although electronic signatures
are not currently without legal standing, legislation to clarify their status would
command widespread support.
Paragraph 44 One objection to the
Government's proposals for the recognition of electronic signatures is that they are
better suited to a civil law jurisdiction, than to the English common law tradition.
Paragraph 46 A second objection to the proposal
that some electronic signatures will carry a rebuttable presumption of validity is that
this would reverse the burden of proof in contractual disputes, potentially undermining
confidence in electronic commerce if means of forging electronic signatures are developed.
Paragraph 51 We recommend that the Government
lay before Parliament the justification for such a radical change to the way signatures
are considered by English law and explain in greater detail than hitherto whether or not
the EU Electronic Signatures Directive genuinely necessitates such a change to be made
The Government welcomes the Committee's
support for its intentions to reduce the present uncertainty over the legal admissibility
of electronic signatures. The means of reducing this uncertainty has provoked considerable
debate and the draft Bill sets out what the Government believes is a prudent approach. As
the Committee recognises, the common law treats signatures in terms of their purpose (did
the signatory intend to indicate their assent to what was in the document?), rather than
their form (does the signature meet certain requirements?).
This means that in many, but not all,
circumstances the law is flexible enough to be capable of accommodating electronic
signatures. However there will be uncertainty, until sufficient case law has built up.
This could take some years. The responses to the consultation launched by the previous
administration indicated considerable support for a rebuttable presumption that an
electronic signature was what it claimed to be. However, many of the respondents to the
recent consultation argued against introducing such a presumption because:
- they argued that the burden of proof would be shifted, to consumers
for example, to prove that they had not signed a document, thus reversing the
position in existing law;
- the technology, and its likely use in most situations, is not
sufficiently developed to be able to set the necessary standards;
- moreover, even if the technology were robust, it is hard to control
how people use it (e.g. although a properly implemented electronic signature cannot be
forged, a smart card can easily be lost or not properly protected);
- the flexibility of common law, which makes English Law the
jurisdiction of choice for many international transactions, might be compromised by such a
The Government has therefore decided not to create
a rebuttable presumption for the validity of any types of electronic signature. However,
Clause 7 of the draft Bill makes it clear that all types of electronic signatures, whether
facilitated by "approved" providers or not, and irrespective of the jurisdiction
where they were issued, will be legally admissible in Court. This is sufficient to
implement the current provisions regarding electronic signatures in the draft Directive.
Paragraph 58 The outdated definitions of
words such as "writing" and "signature" in law are potentially
significant barriers to the development of electronic commerce in this country. DTI seems
not to appreciate the need for swift legislative action in this area and would appear to
have made limited progress since 1997. We favour the Government taking powers in the
forthcoming Electronic Commerce Bill for secondary legislation to update definitions of
words in law to take account of new information and communication technologies and drawing
on the approach of the Australian draft Electronic Transactions Bill 1999. We recommend
that the Government quickly publish an analysis of legal changes required, both in
relation to English and Scots law and identify those transactions and official proceedings
which it believes should not be allowed to be conducted electronically.
The Government welcomes the Committee's
support for its view that certain requirements of form (e.g. for information to be in
writing or signed) in legislation drawn up before the advent of electronic commerce are
potentially significant barriers to its development. The Bill will be the first available
legislative opportunity to address this broadly, though the Finance Bill addresses matters
concerning the Inland Revenue and HM Customs and Excise. The draft Electronic
Communications Bill includes a power in Clause 8 to enable Ministers to draw up secondary
legislation to permit such requirements to be met electronically. For example, the DTI
plans to use powers under the Bill to amend the Companies Act 1985 to enable companies to
communicate with shareholders electronically.
There may be a few examples where it is not
appropriate to take such a step, at least in the near future. The publication of an
analysis of the references in legislation to "in writing" or "signed"
is not compatible with the timetable for bringing the Bill before Parliament. The Society
for Computers and Law has estimated that there may be as many as 40,000 references to
"writing" and "signature" alone.
Paragraph 64 We acknowledge the need for some
form of accreditation scheme relating to TSPs to persuade firms and individuals
"standing on the edge of the e-commerce lake wondering whether it is really safe to
dive in" that electronic commerce is as safe and reliable as traditional forms of
Paragraph 65 We recommend that the Government
sponsor a voluntary accreditation scheme for TSPs which is based on the needs of users and
service providers but which is not grounded in legislation. We think it prudent that the
Government take powers to establish a statutory-backed scheme but recommend that these
powers are held in reserve unused unless and until it is demonstrated that a voluntary
scheme fails to protect the interests of all consumers and service providers.
The Government welcomes the Committee's
support for the principle of a voluntary approvals scheme. The previous consultation
document set out the intention to introduce a statutory, but voluntary, licensing scheme
for Trust Service Providers. Given the Government's decisions not to offer statutory
privileges as an incentive for the statutory scheme, and its voluntary nature, the
Government has decided that the scheme is best described as an "approvals
regime". The Government believes that an approvals scheme will provide customers with
an assurance of high standards and a means of redress when things go wrong. It also
believes that these standards should not be set in stone because the market is moving so
quickly and there is no agreement on what commercial models are likely to succeed.
Heavy-handed regulation would risk stifling innovation and growth.
Many respondents to the recent consultation argued
for a "light touch" in any legislation or regulation. One noticeable shift in
opinion from the consultation launched by the previous administration was that voluntary
statutory licensing was questioned. There were many calls for the market and the
technology to be allowed to evolve, and some for the industry to be allowed to develop
self-regulatory or guidance mechanisms.
The choice between a statutory voluntary regime,
or a suitable self-regulatory regime, is finely balanced. The Government is in close
dialogue with the Alliance for Electronic Business in relation to its work in developing a
non-statutory, self-regulatory scheme. The Government therefore proposes, in Part I of the
draft Bill, to take powers to set up a statutory voluntary scheme by secondary
legislation. After Royal Assent, the Government will need to decide whether to bring such
a statutory scheme into being, or to follow the recommendation of the Trade and Industry
Committee and hold the powers in reserve, relying on self regulation. Our assessment will
take account of the robustness, industry acceptance and quality of the self-regulatory
scheme which by then should have emerged from industry and make a judgement about how its
merits would compare with those of a statutory scheme. We will consult on that decision.
Paragraph 66 We see no reason why existing
means of distinguishing licensed or accredited services from unlicensed or non-accredited
services cannot be applied successfully to TSPs.
The Government agrees with the Committee. The
essential points are that approval should apply to a particular service, or range of
services, rather than the provider and that there should be a clear distinction between
approved and unapproved services. It is likely that service providers would be allowed to
use a logo (or some other mark of recognition) in connection with those Cryptography
services for which they had been approved.
Paragraph 67 There is a danger that TSPs and
their customers will be confused by the multi-layered design of the proposed statutory
licensing regime. We would welcome early clarification by DTI and OFTEL of how the
proposed licensing regime will work in practice, were it to be introduced.
Paragraph 70 We recommend that, if DTI
intends to establish a statutory licensing scheme, it spell out which licensing functions
it would be prepared to delegate to an industry body in future and which it would prefer a
public sector body to perform; and that it set out the criteria an industry body must meet
in order for it to be considered as the licensing authority for TSPs.
The Government does not believe that it is
sensible, given the pace at which this market is developing and its present immaturity, to
spell out now the exact division of functions between a statutory body and industry. The
Government believes that the objectives of the scheme as a whole are far more important
than the exact division of responsibilities.
The Government believes that any scheme should
have the following characteristics:
- The scheme should be wide enough to cover a broad range of services
including signature and confidentiality services.
- The scheme should be demonstrably rigorous, impartial and trusted by
all sectors of industry (i.e. it needs support from a broad cross-section of industry,
including users). It should not act as a barrier to new entrants to the market.
- The scheme should have a means of taking into account the views of
- The scheme needs the ability to set standards (procedural and
technical). If the scheme is non-statutory, there needs to be a clear mechanism for
Government to monitor progress and influence the development of such standards, in line
with its objectives for promoting electronic commerce, Modernising Government and law
- The scheme needs effective mechanisms for ensuring compliance with
these standards, including for example:
- assessment of service providers, perhaps linked to a
- sanctions and the ability to monitor and take enforcement action
against members that breach the "code of practice";
- a means of redress for consumers if consumers are unhappy with the
response from the service provider;
- publicity, i.e. making available the code of practice, a register of
members and, perhaps, annual reports aimed at consumers.
- The scheme should take account of the draft EU Electronic Signatures
Directive (including provisions on liability and data protection). In particular it
should provide UK providers with a means of showing that their signature service meets the
standards envisaged in the draft Directive, to facilitate trade with other EU countries.
There could be scope for different levels of service, so it might not be necessary for all
signatures to meet the Directive standards.
Paragraph 73 A comparison of the 1997 and
1999 DTI consultation documents would suggest that little effort has been devoted over the
last two years to considering the detailed licensing criteria to be applied to TSPs, or
the effect of such criteria on the market. The licensing criteria for TSPs recently set
out by DTI are not fit to be written into law. Unless they are improved, then the
licensing system will be a damaging and embarrassing failure. We invite the Government to
inform Parliament how it intends to work with electronic commerce providers and users to
design more suitable criteria.
We do not accept this criticism. The previous
consultation document made it clear that these were draft criteria and that potential
licence applicants would be consulted about refining them. Nevertheless, the draft
criteria reflected discussions with industry and were largely consistent with those laid
down in the Annexes to the draft Electronic Signatures Directive. Respondents to the
previous consultation Document (comments were specifically requested) did not seem to
share the Committee's view and certainly did not suggest they were unfit to be
written into law. Indeed, although many respondents argued that what was proposed was more
suitable for an industry-led accreditation scheme, there seemed to be a general
appreciation that the draft criteria were a sensible basis for a scheme.
The DTI will continue to work with industry in
developing a set of criteria designed to generate public confidence that cryptography
services from a TSP approved under the UK regime are high-quality and reliable. The DTI
will also work with industry in representing UK interests in refining the criteria
outlined in the draft EU Electronic Signatures Directive, which will form the basis of
mutual recognition of electronic signatures in the EU.
Paragraph 79 We recommend that the Government
exercise caution before implementing a statutory liability regime in this nascent market.
We suggest that, until the market develops further, the most useful requirement might be
for TSPs to set out in full their liability provisions, including relevant limits, both to
users and third parties, including how liabilities can be met, to assist consumer choice
of TSP and swift redress when problems are encountered.
In the consultation document Building
Confidence in Electronic Commerce, the Government recognised the complex issues
involved in apportioning the liability of Trust Service Providers, and the need to balance
the interests of the various parties who may be involved, either directly or indirectly,
in a particular transaction. In the light of responses to the previous consultation the
Government has decided not to introduce a statutory liability regime, and rely on the
contract between the TSP and their client, and existing law. We will expect TSPs to make
clear to their customers the extent of their liability.
Paragraph 80 We are persuaded that encryption
will increasingly be a source of advantage to criminals with which law enforcement
agencies are, at present, inadequately prepared to deal.
The Committee has highlighted concerns that the
Government has had for some time. The Government is determined to ensure that the
statutory powers on which the law enforcement agencies rely in combating crime are not
undermined by new technologies. That is why, as part of a package of measures being
proposed in an attempt to mitigate the consequences of rising criminal use of encryption,
the Government proposes to use Part III of the Bill to introduce powers allowing
properly authorised persons (such as members of law enforcement agencies) to serve written
notices requiring any person to provide the means necessary (e.g. a decryption key) to
make legally obtained material intelligible or to produce the material in an intelligible
Paragraph 81 We suggest that those
organisations involved in electronic commerce will be much more willing to help the law
enforcement agencies if there are reliable means to assess the extent of the problems
posed by encryption, and that there would be advantage in Parliament having a fuller
picture of the perceived threat.
The Government has been working closely with
industry on this issue. The PIU Report on Encryption and Law Enforcement recommended that
an approach based on openness and co-operation with industry would balance the aim of
giving the UK the world's best environment for e-commerce with the needs of law
The Government has accepted this recommendation
and is in the process of establishing a new Government/industry joint forum, to be chaired
by the DTI. The joint forum will discuss the development of encryption technologies and
ensure that the needs of law enforcement agencies are understood by the industry.
Paragraph 90 By dropping key escrow as a
licensing condition for TSPs, the DTI's third attempt to formulate an acceptable
cryptography policy is a marked improvement on its predecessors. We are disappointed,
however, that the Government should still hold a candle for key escrow and key recovery.
We can foresee no benefits arising from Government promotion of key escrow or key recovery
Paragraph 107 If the Government consider it
necessary in future to introduce key escrow, key recovery or a related requirement on TSPs
then we recommend that they do so only after stating precisely the reasons why such a
change would be necessary as part of a full public consultation exercise. Powers should
not be taken in the forthcoming Bill to permit the introduction of key escrow or related
requirements at a later date.
The challenge that encryption poses for law
enforcement is taken seriously by the Government. The Prime Minister personally launched
the Cabinet Office PIU Study on Encryption and Law Enforcement and has accepted their
In particular, the Government agrees with the
PIU's conclusion that the widespread adoption of key escrow and key recovery is
unlikely in the current climate. The Government therefore accepted the recommendation that
a mandatory link between approved providers of services and key escrow would not support
the Government's twin objectives on e-commerce and law enforcement.
Paragraph 98 We think that the proposed new
power to require decrypted data or private encryption keys to be provided when
appropriately authorised will be a useful addition to the armoury of the law enforcement
agencies. We recommend that the Government quickly clarify the situations in which it
thinks this power will be likely to prove most helpful. In particular, Parliament should
be given an indication of the criteria which will be used to decide against whom written
notices for the provision of information will be served and whether it is proposed that
the request should be for a private key or decrypted data.
The Government welcomes the Committee's
support for this measure. Strong encryption is already being used by criminals to conceal
their activities. This is creating difficulties for law enforcement agencies and these
will increase as the use of encryption becomes more widespread. The Government foresees
that strong encryption will become the technology of choice for criminals wishing to
protect the contents of their communications and data.
The new powers proposed in Part III of the draft Bill will assist law enforcement
agencies in their investigations wherever criminals are using encryption in an attempt to
conceal their activities.
The draft Bill sets out the conditions under which
the service of written notices requiring the surrender of decryption keys or plain text
may be authorised and who may authorise the use of the new powers. The ability to serve a
written notice will be ancillary to existing statutory powers. This means that the new
powers will apply only to material that is, or has been, lawfully obtained. The draft Bill
provides that the disclosure of plain text rather than a key may be acceptable in all
cases unless the written notice specifies that only the disclosure of a key itself is
Paragraph 101 It is entirely unacceptable
that the Government should announce a major review of the Interception of Communications
Act 1985 and then fail to publish any further details of the review for over eight months,
especially when the consultation exercise on building confidence in electronic commerce
explicitly refers to the Act and the review. We recommend that the Government set out the
options for change to the interceptions regime, and how they relate to the forthcoming
Electronic Commerce Bill, before the Bill is debated by Parliament.
The Home Secretary published a consultation
document6 (Cm 4368) on the review of the Interception
of Communications Act 1985 (IOCA) on 22 June. This review relates to the draft
Electronic Communications Bill to the extent that the powers proposed in Part III of the
draft Bill are designed to maintain the effectiveness of existing statutory powers
including IOCA. These powers, to require the disclosure of decryption keys or plain text,
will be available when encryption is encountered in interception operations authorised by
the Secretary of State under IOCA. Without pre-empting the wider conclusions of the IOCA
review, there is a need to address the threat posed by encryption and to protect the
effectiveness of the existing interception regime.
6. It is available at www.homeoffice.gov.uk/oicd/ioc.htm
and from the Stationery Office. Responses are requested by 13 August and may be sent by
email to email@example.com
Paragraph 102 We recommend that the
Government give authoritative clarification of the status of the Enfopol proposals and
their potential implications for relevant UK service providers.
The draft EU Council Resolution on interception of
new technologies (the so-called ENFOPOL proposals) supplements the existing Council
Resolution of January 1995 on the lawful interception of communications. It makes clear
that the law enforcement agencies' requirements annexed to the 1995 Resolution apply
equally to new technologies such as satellite and internet communications.
Council Resolutions are not legally binding. The
1995 Council Resolution, for example, has not been incorporated into UK law. It is used
solely as a basis for discussions with telecommunications operators in accordance with the
statutory safeguards contained in the Interception of Communications Act 1985 (IOCA). It
follows that if adopted, the present draft Resolution on interception of new
technologies would place no legal obligations on telecommunications or Internet Service
Providers in the UK.
The Government submitted an Explanatory Memorandum
to Parliament on the draft Resolution on 8 February 1999 (10951/2/98 ENFOPOL 98 Rev 2). In
fact, the Government sees little need for the draft resolution at the present time. The
Government's consultation document on the review of IOCA, published on 22 June,
includes consideration of the needs of law enforcement agencies in respect of providers of
new communication technologies such as the internet and satellite telephony. The proposal
for a draft Resolution will not prejudice this consultation process.
Paragraph 105 If, after three years of
considering its policy on cryptography, the Government should announce the need for a
partnership with industry, then that would suggest failure in the past to create such a
partnership. We consider that the fault for failing to create such a partnership lies not
with industry, which would appear to have been ready and willing to help, but with
Government. Although DTI has been willing to listen to what industry and others have had
to say about cryptography, we have gained the impression that they have not, until
recently, taken much notice of what has been said to them. From now on, we expect the
Government to work with all interested parties to devise a cryptography policy which is
best for the UK as a whole, rather than one which is geared towards satisfying law
enforcement concerns at the expense of Britain's economic competitiveness.
On the contrary, the Government has worked with
industry (users, technology providers and potential TSPs) in developing its policy on
encryption. Over the last five years the DTI has hosted regular meetings of its
Cryptography Working Group. The DTI has also regularly participated in the information
security working groups of the CBI, the Federation of the Electronics Industry (FEI) and
the British Computer Society (BCS). The Government recognises the importance of balancing
the needs of all concerned - industry, users, law enforcement agencies and the general
public - in this sensitive area.
In his foreword to the PIU Encryption report, the
Prime Minister said:
"I am determined to ensure that
the UK provides the best environment in the world for electronic business. Only by taking
a lead to promote electronic business will we reap the potential economic and social
benefits. But I am equally determined to ensure that the UK remains a safe and free
country in which to live and work.
The rise of encryption technologies threatens to
bring the achievement of these two objectives into conflict. On the one hand, business has
delivered a clear message that encryption is essential for developing confidence in the
security of electronic transactions. And lack of confidence is often cited as one of the
main brakes on electronic commerce. People also want to enhance the security of their
personal communications through the use of encryption. To meet these needs, the Government
is keen to support the strong and growing market in encryption products and services.
On the other hand, the use of encryption by major
criminals and terrorists could seriously frustrate the work of the law enforcement
agencies. Indeed there is already evidence that criminals, such as paedophiles and
terrorists, are using encryption to conceal their activities. It is a little known fact
that on average one in every two interception warrants issued results in the arrest of a
person involved in serious crime. If powers of interception and seizure are rendered
ineffective by encryption, all society will suffer. So it is vital that in our support for
the use of encryption we limit the damage to our ability to protect society."
The Government will continue to engage with
industry in a dialogue on these important issues, through the Industry-government forum
proposed by the PIU and through other fora.
Paragraph 106 We recommend that the
Government keep Parliament informed of the remit and membership of the Cabinet Office task
force dealing with law enforcement aspects of electronic commerce and of any body
established in its place.
The Performance and Innovation Unit (PIU) was
created in 1998, to improve the capacity of government to address strategic, cross-cutting
issues and promote innovation in the development of policy and delivery of the
Government's objectives. It acts as a resource for the whole of government, tackling
issues on a project basis.
In February 1999 the Prime Minister asked the PIU
to consider the issue of encryption and law enforcement, as a subset of its ongoing
project on electronic commerce. The remit given to the PIU was:
- to study the needs of law enforcement agencies and of business;
- to examine the merits of the current encryption policy (and in
particular key escrow); and, if necessary,
- to identify proposals that would satisfy both the need to promote
encryption for electronic commerce and the Government's duty to ensure that public
safety is not jeopardised.
To handle this remit, a joint Government/industry
task force led by David Hendon (Chief Executive of the Radiocommunications Agency),
working alongside the existing PIU electronic commerce project team led by Jim Norton, was
established to examine the issue and to recommend a way forward to the Prime Minister. The
task force's membership was drawn from:
- the Home Office;
- the National Criminal Intelligence Service (NCIS);
- GCHQ Communications-Electronics Security Group;
- the Department of Trade and Industry;
- the Cabinet Office;
- British Telecommunications; and
Its main findings and recommendations were published
on 26 May. The task force was wound up after it had completed its work. The coordination
of the further work will be taken forward by a special Unit set up in the Home Office.
Paragraph 108 We suggest that the experience
of the relationship between ISPs and the law enforcement agencies underlines the need for
openness and transparency in the new partnership between industry and Government on law
enforcement aspects of encryption, so as to avoid confidence in electronic commerce being
The Government fully recognises the importance of
working with industry on these issues. That is why a joint Government/industry forum is
presently being established as a focus for this new co-operative approach. This
co-operation needs to be established on a basis of trust between both parties. It will
help industry understand the threat to law enforcement capabilities posed by encryption
and will assist law enforcement in understanding market trends and realities.
The UK has been very successful in developing an
effective working relationship between Internet Service Providers (ISPs) and law
enforcement interests. The regular forum, currently chaired by the Association of Chief
Police Officers, which includes a wide range of industry and law enforcement interests,
together with representatives of the DTI and Home Office, has played a central role in
developing and maintaining this relationship.
The forum has already produced a form for use by
Police forces in requesting information from ISPs under section 28.3 of the Data
Protection Act, which is now in the public domain. In addition, a best practice document
on traceability will shortly be published, once it has been agreed and ratified by the ISP
industry. The aim is for this document to become the industry standard for tracing those
responsible for the misuse of the internet. The forum is also working on a number of other
projects and is actively considering what more can be done to make the results of its work
widely available in order to meet concerns about the transparency of its discussions.
Paragraph 110 We see merit in NCIS being
notified whenever a local law enforcement agency encounters encryption during the course
of a criminal investigation.
The Government understands that NCIS (the National
Criminal Intelligence Service) sees merit in the establishment of such a national
notification scheme and that, at least initially, notifications should be sent to NCIS as
part of a strategic threat assessment of criminal use of encryption. Work is in hand to
address this issue further.
Paragraph 110 We also recommend that the
Government consider the establishment of a law enforcement resource unit for dealing with
computer crime, including encryption.
In line with the Committee's recommendation,
and as recommended in the recently published PIU report, the Government has decided to
establish a dedicated resource (a new Technical Assistance Centre), operating on a
24-hour basis, to help law enforcement agencies derive intelligence from lawfully
intercepted communications and lawfully retrieved stored data. It is envisaged that the
Technical Assistance Centre will also be responsible for gaining access to decryption
keys, where they exist, under proper authorisation.
Separately, the issue of whether to establish a
national high technology crime unit is currently being considered by the Association of
Chief Police Officers (ACPO) Crime Committee.
Paragraph 112 We recommend that the
Government consider the case for a review of the rationale for the continuation of export
controls on cryptographic products, in the light of their widespread availability, and the
procedures by which such controls are implemented.
The Government recognises that export controls on
encryption products cause problems for exporters and also sometimes prevent IT users
acquiring the security technology they need. The Government has sought to ensure that the
controls bite only on encryption technologies which - if widely exported - would damage
its international objectives of combating terrorism and crime prevention. An example of
this is the recent issue of an "open" export licence for personal users of
laptops incorporating strong encryption.
The export controls on encryption, which are set
internationally within the Wassenaar Arrangement, were reviewed as recently as December
1998. The new, and relaxed, controls have been broadly welcomed by industry. They will
soon be implemented in the UK.
Paragraph 113 Although the forthcoming
Electronic Commerce Bill is not likely to be a source of party political controversy it is
a vital measure for UK competitiveness and law enforcement. It requires full and rigorous
The Government is now consulting on the draft
Bill. The Government expects that, when introduced, the Bill, like any other, will be
fully scrutinised by Parliament.
Paragraph 114 We recommend that DTI publish a
full analysis of responses received to its recent consultation document, including a list
of those who responded to the document, at the same time as the Electronic Commerce Bill
The DTI published today a summary, by independent
consultants, of the responses to the consultation. The summary, and a list of respondents,
is available on the DTI's website (www.dti.gov.uk/cii/conrep.htm).
Paragraph 115 We recommend that draft
regulations arising from the Electronic Commerce Bill be given full public scrutiny before
they become law.
The Government believes that the draft Bill has
already benefited from previous consultation on the underlying policy, and looks forward
to the responses to this consultation. In general, the secondary legislation made under
the Bill is also likely to benefit from formal public consultation. The Committee's
recommendation was made in the context of the approvals criteria and the regulations to
facilitate electronic communications and storage.
The Government is committed to developing the
approvals criteria in consultation with potential applicants for approval, and users of
their services, and will consult formally on all such regulations.
The Government also plans to consult widely on
draft regulations relating to the facilitation of electronic communications and storage
(Clause 8). However, once general principles have been established and agreed on in the
first series of regulations it may no longer be necessary to do this in every case, unless
new points arise. The Government will, therefore, keep consultation on such regulations
Last revised: Wednesday, August 3, 1999