[This version is provided by http://www.cyber-rights.org]

This was originally at

PROMOTING ELECTRONIC COMMERCE

Consultation on Draft Legislation and the Government’s Response to the Trade and Industry Committee’s Report

Part I The Consultation Document and the Government’s Response to the Trade and Industry Committee’s Report

Part II Explanatory Notes 
The Draft Electronic Communications Bill

Part I 

The Consultation Document and the Government’s Response to the Trade and Industry Committee’s Report
 
 

Introduction

1. This Command Paper invites comment on the Government’s proposals for an Electronic Communications Bill set out in Part II. It also sets out the Government’s response to the recommendations contained in the Trade and Industry Committee’s report¹ on the Government’s previous consultation document².

2. The Government welcomes the Committee’s report. It, and the other responses to the consultation document launched in March 1999, have contributed to the measures set out in the draft Bill.

3. The Committee restricted its report to the issues raised by that consultation document, and we have followed this approach in this document. The Government looks forward to the Committee’s further report in which it intends to deal with broader issues concerning electronic commerce.

Since the Government gave evidence to the Select Committee and the publication of the Committee’s report there have been a number of developments, which the Government would like to highlight:

The Government received 252 responses to its Building Confidence in Electronic Commerce consultation document. The DTI has separately published a summary³, by independent consultants, of the responses to the consultation.

2. The Government is now consulting on the draft Electronic Communications Bill. The draft Bill takes into account the responses to the consultation process, the Select Committee’s report and discussions with interested parties over the last few months. It forms a key part of the Government’s strategy for making the UK the best place in the world to do electronic business, by starting the process of modernising the law and creating a climate in which electronic business can be conducted with confidence. 

3. In parallel with the previous consultation the Prime Minister asked the Cabinet Office Performance and Innovation Unit (PIU) to consider encryption, e-commerce and law enforcement. A task force was established and a Report⁴ outlining their main findings was published on 26 May. As a result of this report, the Government has confirmed that there will be no mandatory link between key escrow and the approvals system introduced by the Electronic Communications Bill.

4. The Government has decided not to introduce, in legislation, a rebuttable presumption of legal recognition for electronic signatures. Instead, the Government proposes to make it clear that all types of electronic signatures will be legally admissible in Court. 

5. The Government has decided that the liability of Trust Service Providers (TSPs), both to their customers and to parties relying on their certificates, is best left to existing law and to providers’ and customers’ contractual arrangements

6. The Government sees the availability of high-quality cryptographic services as an important building block to meeting its goal of building confidence in electronic commerce. The previous consultation document set out the intention to introduce a statutory, but voluntary, licensing scheme for Trust Service Providers. Given the Government’s decisions not to offer statutory privileges as an incentive for the statutory scheme, and its voluntary nature, the Government has decided that the scheme is best described as an "approvals regime". The Government believes that a voluntary approvals scheme will provide customers with an assurance of high standards and a means of redress when things go wrong.

7. The Government’s earlier consultation paper also sought views on whether it should take any measures to regulate unsolicited email ("spam"). The majority opinion was to allow the industry to take effective voluntary measures, but that the Government should keep a watching brief and be ready to take legislative action if necessary. The Government has decided to follow this approach and work with industry and rely on existing measures. The EU Distance Selling Directive (97/7/EC) contains provisions requiring Member States to enable consumers to register their objection to receiving unsolicited emails sent for the purpose of distance selling, and to have their objections respected. The Directive does not apply to business-to-business transactions and certain contracts are excluded, including those related to financial services (subject of a separate EU proposal). The Directive has to be implemented by 4 June 2000, and DTI plan to consult on its implementation later in the summer.

8. The Government also sought views on whether it should introduce any other legislative measures to promote electronic commerce. It has decided not to do so in this draft Bill. However, the Government looks forward to any further suggestions that may arise in response to this consultation, in the Performance and Innovation Unit’s broader e-commerce study and in the Committee’s next report.

1. www.parliament.uk/commons/selcom/t&ihome.htm
2. www.dti.gov.uk/cii/elec/elec_com.html
3. The summary is available at www.dti.gov.uk/cii/elec/conrep.htm
Copies of the responses themselves are available for viewing by appointment at the DTI Library, Lower Ground Floor, 1 Victoria Street, London SW1H 0ET. Please telephone William LeSadd on 020 7215 6699 for further details. Some respondents have also made their contributions available electronically on the world wide web.
4. www.cabinet-office.gov.uk/innovation/1999/encryption/index.htm

Consultation
 

We invite comments by Friday 8 October. It may not be possible to take into account responses received after this. Any comments should be sent in writing to Stephen de Souza either by electronic mail (preferably in Word 6.0 or text format) to: X.400 address: S=ecbill O=DTI OU1=CIID P=HMG DTI                              A=Gold 400 C=GB internet address: ecbill@ciid.dti.gov.uk or to:  Communications and Information Industries Directorate Department of Trade and Industry Room 220, 151 Buckingham Palace Road London SW1W 9SS It would be helpful if those responding could clearly state who they are and, where relevant, who they represent. Should you wish any part (or all) of your comments to be treated in confidence, you should make this clear in any electronic mail or papers you send. In the absence of such an instruction, submissions will be assumed to be open, and will be copied to the Trade and Industry Committee; they may also be shared with others or published by Ministers, or placed in the Libraries of the Houses of Parliament.

 

Response to the Trade and Industry Committee’s Recommendations
 
 

Paragraph 7 The Government’s proposals to facilitate trust in electronic commerce must not interfere with existing, and often long-standing, electronic commerce relationships.

The Government accepts this in full. The previous consultation document made it clear that the Government does not intend to interfere with existing commercial relationships. The Government recognises that many businesses, ranging from banks to manufacturers, have been successfully carrying out electronic business, usually in closed user groups, for many years. The Government believes that the increasing use of open networks, such as the internet, is making electronic business easier, cheaper and more accessible, bringing its benefits to wider markets, including consumers. The Government believes that the draft Bill will facilitate electronic commerce, including in existing relationships, by clarifying the legal admissibility of electronic signatures.

Paragraph 8 The Government’s proposals are tied, perhaps unduly, to the creation of a regulatory regime based on one particular technology - public-key cryptography - and a specific market model, which, although they could be considered attractive at present, may not be optimal bases for electronic commerce carried out over the internet in the future.

The Government is committed to a technology neutral Bill. The draft Bill published today is intended to promote the provision of cryptography services and electronic commerce. Although many Trust Service Providers (TSPs) may well base their services on public key cryptography, there is no reason why other technologies (e.g. biometrics) could not be used by approved TSPs. The Government consulted on how alternative business models should fit into the approvals regime. Although there were few specific responses on this, the Government believes that varying business models will develop and that it is impossible to predict which are likely to succeed. The approvals regime needs to be flexible and responsive enough to accommodate this, which is why the draft Bill leaves the detail of the statutory regime to secondary legislation.

Electronic commerce is inherently global and the Government takes this into account in formulating policy, and recognised this in drawing up the previous consultation document. The international picture is complex. Our approach is based on trying to move quickly where there is reasonable international consensus, but not striking out unilaterally against the current of global e-commerce. 

A good example of the above is the leading role the UK has taken in both EU and OECD discussions on cryptography. On the former the DTI helped ensure a compromise was reached which balanced the important security requirements relating to the generation of electronic signatures with the need to encourage an open and flexible market. In the OECD the DTI is working to establish a framework which recognises the importance of global compatibility between national and regional initiatives on authentication. The UK is one of the key players in forming the international agenda, particularly within Europe and has developed models such as for dealing with illegal content on the internet that have been adopted around the world. 

The draft Bill is an important part of the Government’s policy to create in the UK the best environment worldwide in which to trade electronically by 2002. Overall the draft Bill builds on the draft EU Electronic Signatures Directive, is consistent with the 1997 OECD Cryptography Guidelines and goes some way towards implementing the provisions (e.g. Article 5) of the UNCITRAL Model Law on Electronic Commerce.

Paragraph 34 Notwithstanding legitimate reasons for delay, we are concerned at the time it has taken the present Government to establish and implement a cryptography policy. It is our perception that inadequate political control has been exercised over the development and determination of cryptography policy. The policy agenda has been allowed to drift for too long. It is imperative that Ministers take a firm grip of the issues from now on.

The speed of computers doubles every 18 months. Recent years have seen an explosive growth in the numbers of people connected to the internet, allowing complex data to be exchanged almost instantaneously over thousands of miles. This phenomenon is having a significant economic impact and will impact on society itself, often in unpredictable ways. The Government needs to take account of the interests of society as a whole: policy on electronic commerce needs to take account of broader issues, such as privacy and law enforcement. Against this background, Governments around the world have tried to formulate policies which capture the benefits and mitigate the potential downside. No Government has found it easy either to formulate or implement policy in this area.

Nevertheless, the Government has not been slow to rise to the challenge. The UK has played a leading role in the debate. The UK was the first country in Europe to recognise the need to deal with both authentication and confidentiality issues in a single framework, because the same technology underpins both kinds of service. Policy on cryptography and e-commerce more broadly has been driven at the highest levels politically. The Government rejects the Committee’s suggestion that inadequate political control has been exercised over the development and determination of cryptographic policy:

• The Government’s cryptography policy was launched within a year of the General Election by Barbara Roche in April 1998 when she announced the Government’s intention to pursue a more liberal policy than the previous administration, by rejecting the mandatory nature of the scheme which they had consulted on shortly before the General Election.
• The former Secretary of State for Trade and Industry (Peter Mandelson) set the target for the UK to be the best environment worldwide in which to trade electronically by 2002 in the White Paper - Our Competitive Future: Building the Knowledge Driven Economy.
• On 5 March 1999 the Secretary of State for Trade and Industry and the Home Secretary jointly launched Building Confidence in Electronic Commerce. In parallel with the consultation, the Prime Minister personally launched a partnership with industry to find solutions to the problems posed by encryption for law enforcement. 

Paragraph 36 We believe it is essential that every measure included in the forthcoming Electronic Commerce Bill is designed to facilitate rather than restrict electronic commerce and that this should be the criterion by which Parliament judges the Bill.

Paragraph 117 Now that key escrow has been dropped by the Government, the rationale for an electronic commerce bill is open to question. We recommend that the Government think twice about the content of its forthcoming Electronic Commerce Bill and only include in the Bill measures which will promote electronic commerce, rather than measures discarded from the previous key escrow policy which are concerned with controlling, not facilitating, electronic commerce.

The Bill will be an essential enabling measure to spur on the growth of e-commerce in the UK. The Bill will support the Government’s targets for:

• the UK to be the best environment for electronic business by 2002;

• 25% of Government services to be available electronically by 2002 (rising to 100% by 2008); and

• 90% of routine procurement of goods to be done electronically by 2001.

The draft Bill is designed to promote e-commerce in a number of ways:

• through clarifying the status of electronic signatures;

• by removing legal barriers so that the option of communicating electronically can be offered instead of the use of paper; and

• by building confidence in the provision of cryptography services.

Paragraph 37 While, we accept the Government’s judgement that legislation should not be delayed still further solely to allow for a standard consultation period, especially as the issues on which DTI sought views were so familiar to likely respondents, the time constraints cited by DTI have been entirely of their own making.

The Government has sought to maintain a balance between allowing an adequate period for consultation, and pressing ahead with drawing up legislation. As the Committee recognises, the issues on which the Government sought views were familiar to many respondents. The Government was impressed by both the number⁵ and the quality of the responses. Moreover Ministers and officials consulted many companies and others in drawing up the previous consultation document. This document is the next step in an ongoing process of consultation. The DTI will continue consulting as the Bill is taken through parliament and will undertake future formal consultation as the Bill is implemented. The Government is committed to building confidence in e-commerce, building the legal framework in partnership with industry and other interested parties.

5. The DTI received 252 responses in total (of which 246 were received in time to be taken account by the consultants for their summary).

Paragraph 40 We consider it a potentially serious omission that DTI has not indicated how its proposals for electronic signatures would affect Scottish law and we recommend that they quickly do so.

The Government has always recognised that the implementation of the policy of the Bill is likely to require amendment also of basic provisions of Scots private law relating to requirements of writing, evidence and contract formation. In that regard, it is envisaged in the draft Bill that Scottish Ministers will have the power to make any necessary amendment of Scots law on matters of that kind, by means of subordinate legislation taken through the Scottish Parliament, subject to the consent of UK Ministers as the power will extend to legislating on reserved matters.

As in the case of England and Wales, the legislation will present the opportunity to provide a clear basis in law for the operation of electronic commerce. The powers in the draft Bill should enable this policy to be implemented in a consistent way throughout the UK, but also by means which ensure that this is achieved in the most appropriate way for each jurisdiction.

Paragraph 41 Although electronic signatures are not currently without legal standing, legislation to clarify their status would command widespread support.

Paragraph 44 One objection to the Government’s proposals for the recognition of electronic signatures is that they are better suited to a civil law jurisdiction, than to the English common law tradition.

Paragraph 46 A second objection to the proposal that some electronic signatures will carry a rebuttable presumption of validity is that this would reverse the burden of proof in contractual disputes, potentially undermining confidence in electronic commerce if means of forging electronic signatures are developed.

Paragraph 51 We recommend that the Government lay before Parliament the justification for such a radical change to the way signatures are considered by English law and explain in greater detail than hitherto whether or not the EU Electronic Signatures Directive genuinely necessitates such a change to be made 

The Government welcomes the Committee’s support for its intentions to reduce the present uncertainty over the legal admissibility of electronic signatures. The means of reducing this uncertainty has provoked considerable debate and the draft Bill sets out what the Government believes is a prudent approach. As the Committee recognises, the common law treats signatures in terms of their purpose (did the signatory intend to indicate their assent to what was in the document?), rather than their form (does the signature meet certain requirements?).

This means that in many, but not all, circumstances the law is flexible enough to be capable of accommodating electronic signatures. However there will be uncertainty, until sufficient case law has built up. This could take some years. The responses to the consultation launched by the previous administration indicated considerable support for a rebuttable presumption that an electronic signature was what it claimed to be. However, many of the respondents to the recent consultation argued against introducing such a presumption because:

• they argued that the burden of proof would be shifted, to consumers for example, to prove that they had not signed a document, thus reversing the position in existing law;

• the technology, and its likely use in most situations, is not sufficiently developed to be able to set the necessary standards;

• moreover, even if the technology were robust, it is hard to control how people use it (e.g. although a properly implemented electronic signature cannot be forged, a smart card can easily be lost or not properly protected);

• the flexibility of common law, which makes English Law the jurisdiction of choice for many international transactions, might be compromised by such a measure.

The Government has therefore decided not to create a rebuttable presumption for the validity of any types of electronic signature. However, Clause 7 of the draft Bill makes it clear that all types of electronic signatures, whether facilitated by "approved" providers or not, and irrespective of the jurisdiction where they were issued, will be legally admissible in Court. This is sufficient to implement the current provisions regarding electronic signatures in the draft Directive. 

Paragraph 58 The outdated definitions of words such as "writing" and "signature" in law are potentially significant barriers to the development of electronic commerce in this country. DTI seems not to appreciate the need for swift legislative action in this area and would appear to have made limited progress since 1997. We favour the Government taking powers in the forthcoming Electronic Commerce Bill for secondary legislation to update definitions of words in law to take account of new information and communication technologies and drawing on the approach of the Australian draft Electronic Transactions Bill 1999. We recommend that the Government quickly publish an analysis of legal changes required, both in relation to English and Scots law and identify those transactions and official proceedings which it believes should not be allowed to be conducted electronically.

The Government welcomes the Committee’s support for its view that certain requirements of form (e.g. for information to be in writing or signed) in legislation drawn up before the advent of electronic commerce are potentially significant barriers to its development. The Bill will be the first available legislative opportunity to address this broadly, though the Finance Bill addresses matters concerning the Inland Revenue and HM Customs and Excise. The draft Electronic Communications Bill includes a power in Clause 8 to enable Ministers to draw up secondary legislation to permit such requirements to be met electronically. For example, the DTI plans to use powers under the Bill to amend the Companies Act 1985 to enable companies to communicate with shareholders electronically. 

There may be a few examples where it is not appropriate to take such a step, at least in the near future. The publication of an analysis of the references in legislation to "in writing" or "signed" is not compatible with the timetable for bringing the Bill before Parliament. The Society for Computers and Law has estimated that here may be as many as 40,000 references to "writing" and "signature" alone.

Paragraph 64 We acknowledge the need for some form of accreditation scheme relating to TSPs to persuade firms and individuals "standing on the edge of the e-commerce lake wondering whether it is really safe to dive in" that electronic commerce is as safe and reliable as traditional forms of commerce.

Paragraph 65 We recommend that the Government sponsor a voluntary accreditation scheme for TSPs which is based on the needs of users and service providers but which is not grounded in legislation. We think it prudent that the Government take powers to establish a statutory-backed scheme but recommend that these powers are held in reserve unused unless and until it is demonstrated that a voluntary scheme fails to protect the interests of all consumers and service providers.

The Government welcomes the Committee’s support for the principle of a voluntary approvals scheme. The previous consultation document set out the intention to introduce a statutory, but voluntary, licensing scheme for Trust Service Providers. Given the Government’s decisions not to offer statutory privileges as an incentive for the statutory scheme, and its voluntary nature, the Government has decided that the scheme is best described as an "approvals regime". The Government believes that an approvals scheme will provide customers with an assurance of high standards and a means of redress when things go wrong. It also believes that these standards should not be set in stone because the market is moving so quickly and there is no agreement on what commercial models are likely to succeed. Heavy-handed regulation would risk stifling innovation and growth. 

Many respondents to the recent consultation argued for a "light touch" in any legislation or regulation. One noticeable shift in opinion from the consultation launched by the previous administration was that voluntary statutory licensing was questioned. There were many calls for the market and the technology to be allowed to evolve, and some for the industry to be allowed to develop self-regulatory or guidance mechanisms.

The choice between a statutory voluntary regime, or a suitable self-regulatory regime, is finely balanced. The Government is in close dialogue with the Alliance for Electronic Business in relation to its work in developing a non-statutory, self-regulatory scheme. The Government therefore proposes, in Part I of the draft Bill, to take powers to set up a statutory voluntary scheme by secondary legislation. After Royal Assent, the Government will need to decide whether to bring such a statutory scheme into being, or to follow the recommendation of the Trade and Industry Committee and hold the powers in reserve, relying on self regulation. Our assessment will take account of the robustness, industry acceptance and quality of the self-regulatory scheme which by then should have emerged from industry and make a judgement about how its merits would compare with those of a statutory scheme. We will consult on that decision.

Paragraph 66 We see no reason why existing means of distinguishing licensed or accredited services from unlicensed or non-accredited services cannot be applied successfully to TSPs.

The Government agrees with the Committee. The essential points are that approval should apply to a particular service, or range of services, rather than the provider and that there should be a clear distinction between approved and unapproved services. It is likely that service providers would be allowed to use a logo (or some other mark of recognition) in connection with those Cryptography services for which they had been approved. 

Paragraph 67 There is a danger that TSPs and their customers will be confused by the multi-layered design of the proposed statutory licensing regime. We would welcome early clarification by DTI and OFTEL of how the proposed licensing regime will work in practice, were it to be introduced.

Paragraph 70 We recommend that, if DTI intends to establish a statutory licensing scheme, it spell out which licensing functions it would be prepared to delegate to an industry body in future and which it would prefer a public sector body to perform; and that it set out the criteria an industry body must meet in order for it to be considered as the licensing authority for TSPs.

The Government does not believe that it is sensible, given the pace at which this market is developing and its present immaturity, to spell out now the exact division of functions between a statutory body and industry. The Government believes that the objectives of the scheme as a whole are far more important than the exact division of responsibilities. 

The Government believes that any scheme should have the following characteristics:

1. The scheme should be wide enough to cover a broad range of services including signature and confidentiality services.

2. The scheme should be demonstrably rigorous, impartial and trusted by all sectors of industry (i.e. it needs support from a broad cross-section of industry, including users). It should not act as a barrier to new entrants to the market.

3. The scheme should have a means of taking into account the views of consumers.

4. The scheme needs the ability to set standards (procedural and technical). If the scheme is non-statutory, there needs to be a clear mechanism for Government to monitor progress and influence the development of such standards, in line with its objectives for promoting electronic commerce, Modernising Government and law enforcement.

5. The scheme needs effective mechanisms for ensuring compliance with these standards, including for example: 

1. assessment of service providers, perhaps linked to a "kitemark";

2. sanctions and the ability to monitor and take enforcement action against members that breach the "code of practice";

3. a means of redress for consumers if consumers are unhappy with the response from the service provider;

4. publicity, i.e. making available the code of practice, a register of members and, perhaps, annual reports aimed at consumers.

6. The scheme should take account of the draft EU Electronic Signatures Directive (including provisions on liability and data protection). In particular it should provide UK providers with a means of showing that their signature service meets the standards envisaged in the draft Directive, to facilitate trade with other EU countries. There could be scope for different levels of service, so it might not be necessary for all signatures to meet the Directive standards.

Paragraph 73 A comparison of the 1997 and 1999 DTI consultation documents would suggest that little effort has been devoted over the last two years to considering the detailed licensing criteria to be applied to TSPs, or the effect of such criteria on the market. The licensing criteria for TSPs recently set out by DTI are not fit to be written into law. Unless they are improved, then the licensing system will be a damaging and embarrassing failure. We invite the Government to inform Parliament how it intends to work with electronic commerce providers and users to design more suitable criteria.

We do not accept this criticism. The previous consultation document made it clear that these were draft criteria and that potential licence applicants would be consulted about refining them. Nevertheless, the draft criteria reflected discussions with industry and were largely consistent with those laid down in the Annexes to the draft Electronic Signatures Directive. Respondents to the previous consultation Document (comments were specifically requested) did not seem to share the Committee’s view and certainly did not suggest they were unfit to be written into law. Indeed, although many respondents argued that what was proposed was more suitable for an industry-led accreditation scheme, there seemed to be a general appreciation that the draft criteria were a sensible basis for a scheme. 

The DTI will continue to work with industry in developing a set of criteria designed to generate public confidence that cryptography services from a TSP approved under the UK regime are high-quality and reliable. The DTI will also work with industry in representing UK interests in refining the criteria outlined in the draft EU Electronic Signatures Directive, which will form the basis of mutual recognition of electronic signatures in the EU.

Paragraph 79 We recommend that the Government exercise caution before implementing a statutory liability regime in this nascent market. We suggest that, until the market develops further, the most useful requirement might be for TSPs to set out in full their liability provisions, including relevant limits, both to users and third parties, including how liabilities can be met, to assist consumer choice of TSP and swift redress when problems are encountered.

In the consultation document Building Confidence in Electronic Commerce, the Government recognised the complex issues involved in apportioning the liability of Trust Service Providers, and the need to balance the interests of the various parties who may be involved, either directly and indirectly, in a particular transaction. In the light of responses to the previous consultation the Government has decided not to introduce a statutory liability regime, and rely on the contract between the TSP and their client, and existing law. We will expect TSPs to make clear to their customers the extent of their liability.

Paragraph 80 We are persuaded that encryption will increasingly be a source of advantage to criminals with which law enforcement agencies are, at present, inadequately prepared to deal.

The Committee has highlighted concerns that the Government has had for some time. The Government is determined to ensure that the statutory powers on which the law enforcement agencies rely in combating crime are not undermined by new technologies. That is why, as part of a package of measures being proposed in an attempt to mitigate the consequences of rising criminal use of encryption, the Government proposes to use Part III of the Bill to introduce powers allowing properly authorised persons (such as members of law enforcement agencies) to serve written notices requiring any person to provide the means necessary (e.g. a decryption key) to make legally obtained material intelligible or to produce the material in an intelligible form.

Paragraph 81 We suggest that those organisations involved in electronic commerce will be much more willing to help the law enforcement agencies if there are reliable means to assess the extent of the problems posed by encryption, and that there would be advantage in Parliament having a fuller picture of the perceived threat.

The Government has been working closely with industry on this issue. The PIU Report on Encryption and Law Enforcement recommended that an approach based on openness and co-operation with industry would balance the aim of giving the UK the world’s best environment for e-commerce with the needs of law enforcement.

The Government has accepted this recommendation and is in the process of establishing a new Government/industry joint forum, to be chaired by the DTI. The joint forum will discuss the development of encryption technologies and ensure that the needs of law enforcement agencies are understood by the industry. 

Paragraph 90 By dropping key escrow as a licensing condition for TSPs, the DTI’s third attempt to formulate an acceptable cryptography policy is a marked improvement on its predecessors. We are disappointed, however, that the Government should still hold a candle for key escrow and key recovery. We can foresee no benefits arising from Government promotion of key escrow or key recovery technologies.

Paragraph 107 If the Government consider it necessary in future to introduce key escrow, key recovery or a related requirement on TSPs then we recommend that they do so only after stating precisely the reasons why such a change would be necessary as part of a full public consultation exercise. Powers should not be taken in the forthcoming Bill to permit the introduction of key escrow or related requirements at a later date.

The challenge that encryption poses for law enforcement is taken seriously by the Government. The Prime Minister personally launched the Cabinet Office PIU Study on Encryption and Law Enforcement and has accepted their recommendations. 

In particular, the Government agrees with the PIU’s conclusion that the widespread adoption of key escrow and key recovery is unlikely in the current climate. The Government therefore accepted the recommendation that a mandatory link between approved providers of services and key escrow would not support the Government’s twin objectives on e-commerce and law enforcement.

Paragraph 98 We think that the proposed new power to require decrypted data or private encryption keys to be provided when appropriately authorised will be a useful addition to the armoury of the law enforcement agencies. We recommend that the Government quickly clarify the situations in which it thinks this power will be likely to prove most helpful. In particular, Parliament should be given an indication of the criteria which will be used to decide against whom written notices for the provision of information will be served and whether it is proposed that the request should be for a private key or decrypted data.

The Government welcomes the Committee’s support for this measure. Strong encryption is already being used by criminals to conceal their activities. This is creating difficulties for law enforcement agencies and these will increase as the use of encryption becomes more widespread. The Government foresees that strong encryption will become the technology of choice for criminals wishing to protect the contents of their communications and data. The new powers proposed in Part III of the draft Bill will assist law enforcement agencies in their investigations wherever criminals are using encryption in an attempt to conceal their activities. 

The draft Bill sets out the conditions under which the service of written notices requiring the surrender of decryption keys or plain text may be authorised and who may authorise the use of the new powers. The ability to serve a written notice will be ancillary to existing statutory powers. This means that the new powers will apply only to material that is, or has been, lawfully obtained. The draft Bill provides that the disclosure of plain text rather than a key may be acceptable in all cases unless the written notice specifies that only the disclosure of a key itself is sufficient. 

Paragraph 101 It is entirely unacceptable that the Government should announce a major review of the Interception of Communications Act 1985 and then fail to publish any further details of the review for over eight months, especially when the consultation exercise on building confidence in electronic commerce explicitly refers to the Act and the review. We recommend that the Government set out the options for change to the interceptions regime, and how they relate to the forthcoming Electronic Commerce Bill, before the Bill is debated by Parliament.

The Home Secretary published a consultation document⁶ (Cm 4368) on the review of the Interception of Communications Act 1985 (IOCA) on 22 June. This review relates to the draft Electronic Communications Bill to the extent that the powers proposed in Part III of the draft Bill are designed to maintain the effectiveness of existing statutory powers including IOCA. These powers, to require the disclosure of decryption keys or plain text, will be available when encryption is encountered in interception operations authorised by the Secretary of State under IOCA. Without pre-empting the wider conclusions of the IOCA review, there is a need to address the threat posed by encryption and to protect the effectiveness of the existing interception regime.

6. It is available at www.homeoffice.gov.uk/oicd/ioc.htm and from the Stationery Office. Responses are requested by 13 August and may be sent by email to ioca@homeoffice.gsi.gov.uk

Paragraph 102 We recommend that the Government give authoritative clarification of the status of the Enfopol proposals and their potential implications for relevant UK service providers.

The draft EU Council Resolution on interception of new technologies (the so-called ENFOPOL proposals) supplements the existing Council Resolution of January 1995 on the lawful interception of communications. It makes clear that the law enforcement agencies’ requirements annexed to the 1995 Resolution apply equally to new technologies such as satellite and internet communications.

Council Resolutions are not legally binding. The 1995 Council Resolution, for example, has not been incorporated into UK law. It is used solely as a basis for discussions with telecommunications operators in accordance with the statutory safeguards contained in the Interception of Communications Act 1985 (IOCA). It follows that if adopted, the present draft Resolution on interception of new technologies would place no legal obligations on telecommunications or Internet Service Providers in the UK. 

The Government submitted an Explanatory Memorandum to Parliament on the draft Resolution on 8 February 1999 (10951/2/98 ENFOPOL 98 Rev 2). In fact, the Government sees little need for the draft resolution at the present time. The Government’s consultation document on the review of IOCA published on 22 June, includes consideration of the needs of law enforcement agencies in respect of providers of new communication technologies such as the internet and satellite telephony. The proposal for a draft Resolution will not prejudice this consultation process.

Paragraph 105 If, after three years of considering its policy on cryptography, the Government should announce the need for a partnership with industry, then that would suggest failure in the past to create such a partnership. We consider that the fault for failing to create such a partnership lies not with industry, which would appear to have been ready and willing to help, but with Government. Although DTI has been willing to listen to what industry and others have had to say about cryptography, we have gained the impression that they have not, until recently, taken much notice of what has been said to them. From now on, we expect the Government to work with all interested parties to devise a cryptography policy which is best for the UK as a whole, rather than one which is geared towards satisfying law enforcement concerns at the expense of Britain’s economic competitiveness.

On the contrary, the Government has worked with industry (users, technology providers and potential TSPs) in developing its policy on encryption. Over the last five years the DTI has hosted regular meetings of its Cryptography Working Group. The DTI has also regularly participated in the information security working groups of the CBI, the Federation of the Electronics Industry (FEI) and the British Computer Society (BCS). The Government recognises the importance of balancing the needs of all concerned - industry, users, law enforcement agencies and the general public - in this sensitive area.

In his foreword to the PIU Encryption report, the Prime Minister said:

The Government will continue to engage with industry on a dialogue on these important issues; through the Industry-government forum proposed by the PIU and through other fora. 

Paragraph 106 We recommend that the Government keep Parliament informed of the remit and membership of the Cabinet Office task force dealing with law enforcement aspects of electronic commerce and of any body established in its place.

The Performance and Innovation Unit (PIU) was created in 1998, to improve the capacity of government to address strategic, cross-cutting issues and promote innovation in the development of policy and delivery of the Government’s objectives. It acts as a resource for the whole of government, tackling issues on a project basis.

In February 1999 the Prime Minister asked the PIU to consider the issue of encryption and law enforcement, as a subset of its ongoing project on electronic commerce. The remit given to the PIU was:

• to study the needs of law enforcement agencies and of business;

• to examine the merits of the current encryption policy (and in particular key escrow); and, if necessary,

• to identify proposals that would satisfy both the need to promote encryption for electronic commerce and the Government’s duty to ensure that public safety is not jeopardised.

To handle this remit, a joint Government/industry task force led by David Hendon (Chief Executive of the Radiocommunications Agency), working alongside the existing PIU electronic commerce project team led by Jim Norton, was established to examine the issue and to recommend a way forward to the Prime Minister. The task force’s membership was drawn from:

Paragraph 108 We suggest that the experience of the relationship between ISPs and the law enforcement agencies underlines the need for openness and transparency in the new partnership between industry and Government on law enforcement aspects of encryption, so as to avoid confidence in electronic commerce being undermined.

The Government fully recognises the importance of working with industry on these issues. That is why a joint Government/industry forum is presently being established as a focus for this new co-operative approach. This co-operation needs to be established on a basis of trust between both parties. It will help industry understand the threat to law enforcement capabilities posed by encryption and will assist law enforcement in understanding market trends and realities. 

The UK has been very successful in developing an effective working relationship between Internet Service Providers (ISPs) and law enforcement interests. The regular forum, currently chaired by the Association of Chief Police Officers, which includes a wide range of industry and law enforcement interests, together with representatives of the DTI and Home Office, has played a central role in developing and maintaining this relationship.

The forum has already produced a form for use by Police forces in requesting information from ISPs under section 28.3 of the Data Protection Act, which is now in the public domain. In addition, a best practice document on traceability will shortly be published, once it has been agreed and ratified by the ISP industry. The aim is for this document to become the industry standard for tracing those responsible for the misuse of the internet. The forum is also working on a number of other projects and is actively considering what more can be done to make the results of its work widely available in order to meet concerns about the transparency of its discussions.

Paragraph 110 We see merit in NCIS being notified whenever a local law enforcement agency encounters encryption during the course of a criminal investigation. 

The Government understands that NCIS (the National Criminal Intelligence Service) sees merit in the establishment of such a national notification scheme and that, at least initially, notifications should be sent to NCIS as part of a strategic threat assessment of criminal use of encryption. Work is in hand to address this issue further.

Paragraph 110 We also recommend that the Government consider the establishment of a law enforcement resource unit for dealing with computer crime, including encryption.

In line with the Committee’s recommendation, and as recommended in the recently published PIU report, the Government has decided to establish a dedicated resource (a new Technical Assistance Centre), operating on a 24 hour basis, to help law enforcement agencies derive intelligence from lawfully intercepted communications and lawfully retrieved stored data. It is envisaged that the Technical Assistance Centre will also be responsible for gaining access to decryption keys, where they exist, under proper authorisation.

Separately, the issue of whether to establish a national high technology crime unit is currently being considered by the Association of Chief Police Officers (ACPO) Crime Committee.

Paragraph 112 We recommend that the Government consider the case for a review of the rationale for the continuation of export controls on cryptographic products, in the light of their widespread availability, and the procedures by which such controls are implemented.

The Government recognises that export controls on encryption products cause problems for exporters and also sometimes prevent IT users acquiring the security technology they need. The Government has sought to ensure that the controls bite only on encryption technologies which - if widely exported - would damage its international objectives of combating terrorism and crime prevention. An example of this is the recent issue of an "open" export licence for personal users of laptops incorporating strong encryption. 

The export controls on encryption, which are set internationally within the Wassenaar Arrangements, were reviewed as recently as December 1998. The new, and relaxed, controls, have been broadly welcomed by industry. They will soon be implemented in the UK.

Paragraph 113 Although the forthcoming Electronic Commerce Bill is not likely to be a source of party political controversy it is a vital measure for UK competitiveness and law enforcement. It requires full and rigorous parliamentary scrutiny.

The Government is now consulting on the draft Bill. The Government expects that, when introduced, the Bill, like any other, will be fully scrutinised by Parliament.

Paragraph 114 We recommend that DTI publish a full analysis of responses received to its recent consultation document, including a list of those who responded to the document, at the same time as the Electronic Commerce Bill is published.

The DTI published today a summary, by independent consultants, of the responses to the consultation. The summary, and a list of respondents, is available on the DTI’s website (www.dti.gov.uk/cii/conrep.htm).

Paragraph 115 We recommend that draft regulations arising from the Electronic Commerce Bill be given full public scrutiny before they become law.

The Government believes that the draft Bill has already benefited from previous consultation on the underlying policy, and looks forward to the responses to this consultation. In general, the secondary legislation made under the Bill is also likely to benefit from formal public consultation. The Committee’s recommendation was made in the context of the approvals criteria and the regulations to facilitate electronic communications and storage. 

The Government is committed to developing the approvals criteria in consultation with potential applicants for approval, and users of their services, and will consult formally on all such regulations. 

The Government also plans to consult widely on draft regulations relating to the facilitation of electronic communications and storage (Clause 8). However, once general principles have been established and agreed on in the first series of regulations it may no longer be necessary to do this in every case, unless new points arise. The Government will, therefore, keep consultation on such regulations under review.