CONSULTATION DRAFT: "BUILDING CONFIDENCE IN ELECTRONIC COMMERCE" ISSUED BY THE DEPARTMENT OF TRADE AND INDUSTRY IN MARCH 1999
Legal Recognition of Electronic Instruments
3.1 Question 1: The Government would welcome views on the appropriate means of ensuring legal recognition of electronic signatures and writing.
The Association asserts that legal recognition for electronic signatures is essential. However, such recognition would need to take account of potential changes in processes and technologies such as those offered by biometrics, otherwise there is a risk that legislation could become outmoded in the near future.
If electronic signatures are given the same legal standing as hand-written signatures, this would reduce much of the concern surrounding the use of statement of fact documents which are increasingly replacing conventional proposal forms. There are presently concerns surrounding potential misrepresentation whereby the proposer might state that certain information provided on a statement of fact was inaccurate. These problems could be mitigated by some form of digital certification capable of proving the authenticity of information and the fact that it originated from the proposer.
Non-acceptance of electronic delivery and signature is a barrier to e-commerce today and, accordingly, we would support the earliest possible reforms. Whether or not reform was through primary legislation would be dictated by sufficient space becoming available in the Parliamentary timetable. We consider that secondary legislation would also be prudent to cater for piecemeal problem areas which could be considered on a case-by-case basis. This would ensure that a legal framework developed which was both safe and flexible.
Other Possible Legislative Changes to Promote Electronic Commerce
3.2 Question 2: The Government is also seeking views, subject to the constraints set out in this section, on whether there are other significant changes that should be made through UK primary legislation to promote the development of electronic commerce.
The "general comments" section of this memorandum points to other Government reviews of electronic commerce which we hope will ultimately lead to reforms on a more widespread basis.
English law does not presently provide generic mechanisms for business to be transacted in dematerialised forms.
If the United Kingdom is intent on creating the most attractive legal environment in which to conduct business electronically then it is imperative that a dispute resolution process is developed which is compatible with procedures prevailing throughout the European Union. Major reforms to the UK's civil justice system are being introduced with effect from 26 April 1999 and it may be that these changes might facilitate the development of such a dispute resolution process.
The promotion of e-commerce legislation for signatures and contracts may also necessitate a review of the current law relating to evidence, real property, financial regulation, the Companies Acts and related tax statutes.
There will also be a need for regulators to dematerialise their requirements on business and for registrars (such as Companies House, the Land Registry and The Patents Office) to accept dematerialised records.
3.3 Question 3: The Government would welcome views on whether any of the provisions of the UNCITRAL model on electronic commerce (other than those on signatures and writing) should be implemented by UK primary legislation.
The Association contends that it is important that those aspects of the UNCITRAL model relating to non-repudiation are implemented by UK primary legislation.
In addition, we believe that Article 10 (Retention of Data Messages) will be important in the financial services sector where, in the future, policy documentation, certificates and statements may be relayed by electronic means.
Article 14 (Acknowledgement of Receipt) may also be important where acknowledgement is a formal requirement. An inability to do this electronically will hinder the growth of e-commerce in these areas.
3.4 Question 4: The Government would welcome views on whether the industry solutions being developed to combat SPAM are likely to be effective. Or should the Government take further steps to regulate the use of SPAM?
The Association concurs that SPAM is an unacceptable form of marketing and poses one of the greatest threats to wider adoption of E-mail and e-commerce.
Whilst we consider that the sending of unsolicited E-mail should be illegal, we do, however, believe that it will be extremely difficult to legislate and enforce, particularly where the originator of SPAM is based outside the UK (and EU) legal jurisdiction.
In order to create a level playing field, for E-mail and other forms of direct marketing, we would support the extension of the EC Telecoms Data Protection Directive (97/66/EC) to embrace unsolicited E-mail.
With regard to the other possible additional tools for dealing with "spamming" suggested in paragraph 31 of the consultation document, we suggest that these could hamper bona fide business transactions and be extremely difficult to enforce. In particular, as far as "spoofing" is concerned, the primary concern is unwanted content rather than the identity of the source. The prohibition of such practices would severely restrict organisations with varied business interests which own and use bona fide multiple identities. In addition, the creation of registration lists with attachments would be extremely difficult to enforce as the definition of "advertising" varies across different industry sectors. For example, in the financial services sector, a wide variety of literature including statements, reminders and responses to customer enquiries issued to existing and prospective customers may be classified as "advertising". As such, registration lists could preclude financial services companies from sending any kind of on-line communication to their customers.
The Association considers that the "self-governing" initiatives that are currently being undertaken by the Internet Service Providers, the Direct Marketing Association and others will result in greater control and curbing of illicit activities.
3.5 Question 5: The Government would like to start a debate on whether any changes are needed to existing legislation to allow such intermediaries to prosper and would welcome views.
The Association has no comments to make.
Licensing Regime for Trust Service Providers (ie Providers of Cryptography Services)
3.6 Question 6: The Government would welcome views on the licensing conditions set out in Annex A.
We suggest the following criteria should be added to the licensing criteria set out in Annex A:-
3.7 Question 7: We would welcome comments on the illustrative examples of cryptography services.
The Association has no comments to make.
3.8 Question 8: We recognise that various organisations are considering different business models for providing cryptography services to the public and would welcome views on how they should fit into the licensing regime.
Standards of encryption must be recognisable by both users and potential customers. In other words, the customer must be satisfied that information provided will be afforded the appropriate degree of protection. Equally, business users must be able to demonstrate that they have taken the necessary precautionary measures to protect their customers by shielding their data from unauthorised viewing.
When recognised standards of encryption become available, the failure to adopt appropriate encryption measures may be in breach of principle 7 of the new UK data protection legislation ("appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data"). The onus on deciding what level of encryption is appropriate for its customers should continue to rest with the business concerned.
The Association considers that the Secure Electronic Transaction (SET) business model is an effective and secure means for satisfying both business and consumer requirements for a high level of security. The acquisition of a SET certificate is akin to holding a credit card which is authorised/guaranteed by a bank and is, accordingly, the only method which readily allows limited liability to be specified in legislation if it is lost or stolen.
3.9 Question 9: The Government would therefore welcome views on how best to distinguish between the provision of licensed and unlicensed services in order to protect the consumer.
A major aim of licensing is to generate confidence and thereby promote the e-commerce market by ensuring minimum standards of quality and service. In this regard, it is imperative that consumers have a high degree of trust in the licensing regime. We consider that if unlicensed services were permitted then this could create considerable confusion amongst consumers and undermine the general level of consumer trust.
Liability
3.10 Question 10: The Government recognises that the issue of liability is a key concern of industry and would particularly welcome views on the issues set out in this section. Is there a need for specific legislation?
As is borne out by paragraph 42 of the consultation document, liability in the world of e-commerce is complex and growth in electronically traded business may be hindered by any legislation that is too prescriptive.
To what extent should liability be prescribed by legislation?
The Association does not believe that there is a need for specific legislation to define maximum or minimum liability limits upon which any licensing would be conditional. Limits provided under common law should be sufficient ie breaches of the duty of care may result in damages which are limited only by the doctrine of foreseeability.
Should legislation impose specific requirements to state the liability regime in contracts and on certificates and other instruments which third parties might reasonably rely on?
The Association considers that a minimum level of liability should be agreed which cannot be decreased by contract. The guiding principles of floor limits for liability that are currently in use, for example, by credit card companies offering a certain level of liability on purchased goods, apply equally well to certification authorities. Furthermore, consideration could be given to extending the current trading standards rules and relevant laws to cover e-commerce.
Any liability regime must distinguish between general liability, business liability and consumer liability. Moreover, we note that neither the body of the document nor the licensing criteria outlined in Annex A specifically mentions the issue of insurance although the criteria do state that "... an applicant would need to demonstrate that they had the ability (ie sufficient financial resources) to meet any liability they wished to enter into...". Clearly, the availability of liability insurance would be critical in allowing applicants to fulfil this criteria without tying-up and putting at risk significant capital resources.
The Association contends that any minimum liability levels will only be as good as the insurance which is effected by the licensed trust service providers (TSP's). The exact scope of the cover required by TSP's is clearly still to be established, although the principal risks would seem to fall within the scope of
professional indemnity cover rather than public or product liability policies. In addition, to ensure effective public protection, there may also be a need for basic cover to be extended to include some form of fraud and dishonesty insurance.
The provision of insurance for TSP's will probably be a highly specialised field requiring an in-depth understanding of the technology and encryption techniques being used so that the risks involved can be assessed and priced realistically. It is difficult to predict what market might develop or the exact scope of cover that might be available but, at least initially, it might well be that only a limited number of insurers would feel able to provide the cover required.
The Association would oppose the introduction of insurance on a compulsory basis. Such a requirement would cause difficulty for insurers as they might well be placed in the invidious position of having to decide in effect whether a particular firm could trade or not.
3.11 Question 11: Should a specific "duty of care" be imposed on holders of private signature keys (eg to keep their private key secure, to notify a certification authority within so many hours of realising it has been compromised etc)?.
The Association considers that a specific duty of care should be imposed on the holders of private signature keys. The duty of care should be different dependent on whether the holder is an individual consumer or if it is a business. An average consumer should not be expected to possess the same degree of knowledge or ability as a business consumer. The key issue here is how would a holder know that the private key has been compromised until it is too late, as electronically a significant number of transactions can occur within a short period of time.
Legislative Proposals
Utilisation of the SET method would reduce the need for encryption. However, the imposition of key escrow could significantly impair the efficiency of e-commerce.
The Partnership Approach
The Association supports the Government's proposals to abandon the recommendations of the previous administration for mandatory key escrow and the other compulsory elements for the granting of licenses. Key escrow schemes would not provide a workable or cost-effective means of achieving law enforcement and could impair the efficiency of legitimate business interests. In any event, it is highly unlikely that businesses which have a criminal intent would use key escrow schemes.
The licensing regime should promote electronic signatures and electronic checksums which guarantee authorship and integrity but not encryption unless it is perceived as confidential. Moreover, there is a need to guard against the licensing process becoming a disproportionately costly overhead since there would be a very real danger that many SMEs will opt out, thereby creating an uncompetitive monopoly of large well known brand organisations. This is unlikely to be a positive development for open e-commerce in the United Kingdom in the long term.
The Needs of Law Enforcement Agencies
The Law Enforcement Agencies requirements are to be able to obtain access to the plain versions of encrypted communications by both overt and covert means. The former might be satisfied by obtaining a magistrate's warrant which would require decryption keys to be supplied. In terms of the latter, the Association suggests that consideration should be given to including the issue of covert access to encrypted communications within the review of the Interception of Communications Act which, it is understood, will commence later this year.
It has to be hoped that bona fide organisations will, as a matter of good practice, assist law enforcement agencies with information and access to records to continue the fight against corporate crime.
Licensing Criteria
The Association suggests that a TSP must effect a financial liability and business plan which includes the following additional basic elements:-
Ref I/528/290
7 April 1999
Go back to the start of this document.
Go to the library of current responses.
Last Revised by FIPR: May 7 1999