RESPONSE TO THE DTI
CONSULTATION DOCUMENT 'BUILDING CONFIDENCE IN ELECTRONIC COMMERCE' Date: 30 March 1999 Version: 1.0 John R T Brazier Professional Projects Co Ltd 19 Barttelot Rd Horsham West Sussex RH12 1DQ Table of Contents Summary Introduction Acknowledgements 1. Legal Recognition of Electronic Signatures 2. Electronic Commerce Promotion 3. UNCITRAL Model Law 4. Spam 5. The Role of Intermediaries 6. Service Licensing 7. Liability 8. Private Signature Keys and 'Duty of Care' 9. Lawful Access to Encryption Keys 10. Law Enforcement 10.1 Licensing 10.2 Law Enforcement Needs and Public Perceptions 10.3 Technologies 11. Appendix A: Licensing Criteria 11.1 General Licensing Criteria 11.2 Licensing Criteria for Certification Authorities 11.3 Licensing Criteria for Confidentiality Service Provision 11.4 Licensing Criteria for Key Recovery Agents References Summary This document is a response to a number of requests for comment made in the DTI document 'Building Confidence in Electronic Commerce' (URN 99/642). It aims to support the DTI and the Government in meeting their aims to make the UK the best place for electronic commerce in the world while meeting the needs of law enforcement. It is structured around the series of questions in the DTI document, and follows their order. Some of the questions have been grouped together where it seemed appropriate to do so. The following list summarises the main points in the response. Naturally, there are a large number of other comments and observations within the main body of the document.
This document is a response to the proposals outlined by the DTI in March 1999 entitled 'Building Confidence in Electronic Commerce'. It aims to do the following:
Many of the topics cannot be discussed in enough detail due to the extremely short timescale that has been given for consultation, and thus some of the ideas will be undeveloped. However, it is hoped that these can still be useful as the proposed legislation progresses. Acknowledgements This document would not have been possible without the help from a large number of people, and I have attempted to ensure that references are given where possible. Where this has not been possible, I would like to take the opportunity of thanking them now. All errors and sins of omission remain my own responsibility. 1. Legal Recognition of Electronic Signatures 'The Government would welcome views on the appropriate means of ensuring legal recognition of electronic signatures and writing.' This section of the DTI paper (paragraphs 16 to 22) raises a number of fundamental issues. A choice is presented on how statutory requirements can be updated for the acceptance of electronic signatures: either individually by primary legislation, or via a mechanism where primary legislation confers powers on the Government to amend legislation by statutory instrument on a case by case basis. In general, and subject to the following comments, the second alternative is clearly the only workable one: it seems unlikely that there would ever be enough Governmental time for individual pieces of primary legislation. However, the powers granted should be extremely specific and limited. In effect, they would only exist to give legal recognition to electronic signatures and writing for specific statutory requirements. They should not cover any of the technologies or mechanisms on how the systems function, nor deal with access and signature confirmation issues: these should be dealt with separately. In addition, giving electronic signatures the equivalent force of written signatures raises further points:
'The Government is also seeking views, subject to the constraints set out in this section, on whether there are other significant changes that should be made through UK primary legislation to promote the development of electronic commerce.' The Government wishes to make the UK the best place for electronic commerce and, presumably, the country with the most electronically based transactions, per capita or as a percentage GDP, so that it is a major electronic trading player. Competition resides in countries such as the USA, which has two key long term advantages: (1) a cheaper cost base for its businesses (by keeping taxes and materials costs such as fuels low) and (2) a huge internal market [note 1]. These factors interact as the large market provides economies of scale to American companies. These benefits work in that companies in the USA can invest more in electronic commerce and take higher risks with new initiatives. Thus the UK Government needs to take positive actions to counteract this inherent advantage that lies with the USA. In addition, the Government can take actions to increase the likelihood of the usage of electronic commerce, and provide incentives to do so. Thus a number of recommendations can be made:
'The Government would welcome views on whether any of the provisions of the UNCITRAL Model Law on Electronic Commerce (other than those on signatures and writing) should be implemented by UK primary legislation.' Currently, there are a large number of factors that reduce the benefit of electronic commerce because of the need for paper documents and their retention (sometimes for very long periods of time). In general, the UNCITRAL Model Law [UNC] is a good model, and parts of it should be put into effect as soon as possible if we are to move rapidly to large-scale use of electronic commerce. The following comments assume that there would still be an adequate period for discussion before any legislation were actually implemented. The Model Law can be viewed as falling into several types of provision:
Article 15 should define time stamping more precisely, and more analysis and discussion should take place before adoption. Firstly, time stamping should be done on a cryptographically strong basis on document hashes, so that the time stamp is (1) accurate; (2) 'stamps' the whole document (in the way a digital signature 'signs' all the characters in a document); (3) is cryptographically strong; and (4) the stamping protocol removes the possibility of cheating. Otherwise, computer-generated times can be quite unreliable, which would be an issue in a court action. Secondly, whilst the Article attempts to define certain points at which the message has been 'sent' and 'received', these should probably be analysed further. For example, one might have two 'sent' times: one representing the last point at which the message is still under the originator's control, and one when it enters the systems outside the originator's control. In conclusion, the UN Model Law is an excellent basis for further legislation, and some parts should be developed relatively quickly. 4. Spam The Government would welcome views on whether the industry solutions being developed to combat spam are likely to be effective. Or should the Government take further steps to regulate the use of spam? All the evidence is that the amount of spam reaching the intended recipients is actually decreasing at present, as the filtering systems become more effective. For now, simple monitoring of the situation would seem to be adequate (in general, the less legislation, the better). In addition, this document is probably inappropriate for a discussion about spam, as any intended legislation would have an effect on freedom of speech. Because of the importance and likely complexity of any such proposals they would be better discussed separately. Given the comments in the previous paragraph, it is worth making a comment on 'spoofing'. For the purposes of this document, 'spoofing' is defined as the modification of a mail header for the intention of deceiving the receiver (as compared to the frequent use of 'alias' mail headers to assist mail routing and management). Spoofing undermines the credibility of all mail addresses, and thus undermines identification on the net (even if it is not entirely clear what identity is). If legislation became essential, the author would sooner see the proper development of anonymous remailers and the removal of spoofing. This would allow people to bulk-mail via the anonymous remailers (which would also help the filtering systems), and would open the way to get rid of spoofing if this was determined to be an important issue. It is recognised that anonymous remailers are contentious, but they can provide valuable services to society (it is known, for example, that both the Samaritans and the Police have made use of them, and one is currently running to provide email anonymity for Kosovo Yugoslavs [KAH]). 5. The Role of Intermediaries The Government would like to start a debate on whether any changes are needed to existing legislation to allow such intermediaries to prosper and would welcome views. It is difficult to predict how the new services listed in paragraph 32 of the DTI document will develop. It seems likely that initially most legislation in addition to the recognition of electronic signatures will be that identified in Section 3 above: the need to make electronic documents legally equivalent to paper ones in all aspects, and the recognition of electronic 'originals'. These initiatives will allow business to move completely into digital space, where they will develop entirely novel services. Other changes likely to be required will be further development of the Data Protection Act, as databases become tightly interconnected and a detailed profile on each citizen is developed. Of course the largest intermediary will become the Government itself, as all its 'services' and methods of communication with its citizenry move into the electronic domain. Given that modern Governments typically expend over 40% of the GDP (42.8% in the UK in 1996 [GSS]), the UK Government will become by far the largest transactional force on the net in this country. These last two factors are likely to drive more revolutionary aspects of legislation, as the amount of information on each private individual increases:
6. Service Licensing ' ... services which will be eligible to apply for licenses under the proposed regime. They are intended to be illustrative, rather than prescriptive and we would welcome comments on them. We recognise that various organisations are considering different business models for providing cryptographic services to the public and would welcome views on how they should fit into the licensing regime.' 'The Government would therefore welcome views on how best to distinguish between the provision of licensed and unlicensed services in order to protect the consumer.' The separation of services may not occur as much as is envisaged in the DTI document, especially for certificate providers because of the requirements needed for effective certificates. For example, it is critical that a key certificate is time-stamped at generation and revocation, as it is vital to know for what period the key is valid. Presumably certificate providers will have to actually carry out the registration process, and will have to provide methods for access to the certificates (and thus a directory service). Lastly, under most protocols one might expect the issuer of the certificate to have to sign the revocation certificate [note 2]. This immediately means that certificate providers will in most cases provide the services of registration, certification, revocation, time-stamping and directory maintenance. The main exception to all-inclusive service providers might be in the provision of directory services, where one can envisage organisations becoming specialists in the maintenance of massive databases of directories, of which certificates and their revocations would comprise a part. It is possible that key generation might become a separate service, but it seems less likely as many keys might well require certificates. Given the relatively exacting conditions given for licensing in the Appendix A, it seems most likely that service providers that can meet them will provide as many services as they can. The signature key generation service is discussed in more detail in Section 8. It is proposed here that it should not be the service that is licensed, but the service provider. This would be analogous to a doctor or lawyer: these professions are licensed (but not, it should be noticed, by the Government), but the services they provide are not. Even the demarcation between solicitors and barristers does not affect the services each can offer in their own area. As an example, it can be seen that a barrister can act in any court case: they are not licensed according to if they can prosecute or defend, and the type of cases they can take (libel, murder, etc). A barrister is free to specialise if he or she so wishes: but that is not the condition of the license. The same applies to the medical profession. With this model, the provider is licensed, not the service. This avoids the difficulty of new services having to be 'licensed' or 'unlicensed', and allows the provider to freely develop new services. 7. Liability 'The Government recognises that the issue of liability is a key concern of industry and would particularly welcome views on the issues set out in this section.' 'Some general questions are:
'The Government would welcome views on this approach, how this limit should be set, or suggestions for alternative approaches.' 'Are there any other liability issues concerning cryptography services which need to be addressed in legislation?' Several factors make liability a difficult issue:
The first is that liability of a certificate must be limited, in part at least, by its value to its owner. Thus the value of a digital signature certificate to an individual is much lower than that of one belonging to a large multinational corporation. In addition, individuals currently pay exactly nothing to have their hand-written signatures 'certified': which implies that the current going rate for a private digital signature certificate also tends to nothing. This is supported by the fact that whilst companies such as Thawte and VeriSign do provide individual certificates, and that they are in the low price range (typically $10 to $20 per year, excluding free ones that are virtually not certificates at all: see [THA] and [VER]), very few people actually take them out. There is, of course, little incentive currently to use such certificates, but cost is still an important factor: people do not wish to pay for them. The liability models of these two companies are interesting. VeriSign's disclaimer shows a simple model: they have three 'classes' of certificate, and their liability caps go up according to the class (from $100 for Class 1 to $100,000 for Class 3). Thawte accept liability (excluding punitive damages) for negligence, but put no value on it. Both companies do extend their liability to third parties, although careful reading of both documents seems to show that both liability statements are undermined by other sections. From these observations a general model can be advanced: most cryptographic services, being generally 'invisible' to the great majority of the public, will have a very low perceived value to their users (and thus liability has to be low). Yet to large corporations they are likely to have very high values (and there must be consequent high liabilities). Coupled with the fact that the services are still experimental and will change, the following approach is recommended:
8. Private Signature Keys and 'Duty of Care' 'Also should a specific "duty of care" be imposed on holders of private signature keys (e.g. to keep their private key secure, to notify a Certification Authority within so many hours of realising it has been compromised etc)?' This issue has been separated out from the rest of the liability requests because it has implications that are not directly related to liability, and relate to other parts of this document. There are likely to be two basic systems of use for digital signatures:
9. Lawful Access to Encryption Keys 'The Government would welcome views on its proposals for lawful access to encryption keys.' The author will state that he is against key escrow, on the basis that it will not work. However, the arguments will not be repeated here, mostly because the author knows that the Government is aware of many people's opposition [HEN]. If there is interest in this point then there is an excellent technical article at [ABE]. The one comment that will be made is that if key escrow does end up being incorporated into the legislation then the Government will not meet its goal in making the UK the best place in the world for electronic commerce. The DTI paper requests views on two proposals: making an offence of the failure to comply with what might be called a 'decryption warrant', and the 'tipping off' offence. The first appears to be a logical proposal, especially in a non-escrow regime, and would be equivalent to the obligation to provide records in the case of fraud, and even a blood sample in the case of drunk driving. The principle, as indicated in the paper, is fair. However, it should be the principle that the person must produce the plaintext versions of the documents, not the keys. This is because in a public key environment, messages can only be decrypted by the recipient, not the sender. Thus if corporations were receiving messages from criminals and had to yield their confidentiality keys, then this would require generation of entirely new replacement keys. This could become a major cost burden to large companies with complex internal public key infrastructures (especially as a large corporation might, through no fault of their own, get involved in numerous cases). Individuals could also find it a significant effort and personal cost to have to replace their keys. Most of the individuals and corporations will be entirely innocent parties. The Government may find plaintext (or even key) recovery less workable in practice: it is easy to envisage situations where a person has encrypted material that cannot be decrypted (for example, it was encrypted with a temporary - and now deleted - key). If the suspect can demonstrate that they use a system that leads to such a result, will this be a 'reasonable excuse'? The second proposal, creating an offence of 'tipping off', is difficult to understand outside of the context of key escrow. If there is no key escrow, then how can a key be acquired without the subject knowing about it? If this is a reference to the fact that people may place their keys voluntarily in escrow, and thus they would be available, then the legislation would appear to have some sense. However, it is difficult to envisage any person who believes that they might be targets of the security agencies placing their key in escrow (voluntarily or otherwise). As Parliament should not be in the business of generating worthless legislation, it is impossible to support this proposal unless the Government can clarify the point. 10. Law Enforcement 'The Government would welcome ideas on how its law enforcement and electronic commerce objectives might be promoted via the licensing scheme or otherwise.' 'The Government would welcome views from industry on the extent to which the needs of law enforcement agencies can be met by existing and forthcoming developments in encryption and communications technologies.' 10.1 Licensing It is not recommended that licensing have any special relationship with law enforcement, aside from the normal co-operation required from any business in the modern age. If an attempt is made to convert service providers into quasi-law enforcement agencies then this will provide a major barrier to licensing: most providers simply will not license as they are unlikely to be trusted by their customers. The benefits of licensing operate best in an open market with the minimum of regulation possible (along with the free use of all aspects of cryptographic technology). This will benefit electronic commerce as it will increase confidence and allow experimentation and development, giving all the services free reign. One possible outcome will be a situation where unlicensed service providers will be used for low-value transactions and licensed ones for high-value transactions. Of course, future services may well also have an impact on the development of licensed services. 10.2 Law Enforcement Needs and Public Perceptions It is frequently stated that the Law Enforcement Agencies require covert access to communications channels, and the capability of being able to carry out real time decryption of such channels when required (as implied in paragraph 86 of the DTI document). Yet the evidence of this is minimal: even within the DTI document, every case referred to as evidence for law enforcement interests (paragraph 50) actually refers to stored information on computers, not in transit. It has already been agreed in Section 9 above that agencies should be able to enforce decryption of impounded documents (where possible). This implies that the evidence for such a need is minimal, or that the law enforcement agencies have reasons for not divulging it. This very statement points to a key issue throughout the entire cryptology debate: the growing public mistrust in law enforcement and security agencies. This distrust makes proposals such as key escrow likely to fail as much for reasons of public resistance as for the many technical reasons. This mistrust has probably grown because:
Clearly the Government needs to handle these perceptions more effectively. One good way to start would be firstly to find evidence for the quoted 'needs' of law enforcement agencies: otherwise they are likely to be regarded as open-ended wishes. Perhaps a better approach would be for the Government to divulge all the electronic intelligence gathering activities that are in progress, at least in overview terms, and place them under an appropriate and open Parliamentary review process. This seems to be unlikely, yet on the other hand the Freedom of Information act would be an excellent opportunity for such a step. The point of this section is that both individuals and corporations have a rising level of mistrust with regard to Governments. They will tend to take greater care to ensure privacy in communications in what is beginning to be perceived as a hostile environment. Every action that the Government can take to reduce such mistrust will tend to enhance confidence and thus will tend to improve electronic commerce. It is also more likely to get public agreement for appropriate law enforcement support. 10.3 Technologies The law enforcement agencies should recognise that not only are there current technologies that undermine systems like key escrow (such as subliminal channels, steganography and Diffie-Hellman type protocols), there are future technologies coming that will, under certain conditions, undermine the concept of covert interception (quantum cryptography, see [SCH] for an introduction). Thus the agencies may well at a future point find themselves without the capability of effective covert communications monitoring, notwithstanding paragraph 80. This shows that the second request above, with regard to technology, is almost certainly addressing the issue in the wrong way: it is the wrong question. The debate throughout this decade on the whole issue of 'access to keys' and 'key escrow', and even the attempts to limit the cryptographic technology itself, have been an attempt to provide a 'magic bullet', a solve-all panacea for the law enforcement agencies. Like most panaceas, it is also a chimaera. The speed of technological development is such that any technology-based solution will inevitably be made redundant by a newer development, especially when there is an incentive to do so. In general, law enforcement agencies will have to become more sophisticated, with a greater general knowledge of the technologies that we have been discussing. They will have to make greater usage of methodologies such as traffic analysis rather than trying to depend on the internal message content. They will also no doubt make use of Tempest-style technologies (when authorised) to view information at the point of creation or use, rather than at the point of transfer. However, this comment should not be taken as a declaration of open season on civil rights, with massive covert monitoring on a grand scale. This more holistic approach, grounded in an improved technological knowledge with more even use of multiple police techniques, is actually a more effective path for the law enforcement agencies in the long term. It provides policing in depth, using diverse methods. Magic bullets fail when the disease becomes resistant. 11. Appendix A: Licensing Criteria 'We would welcome views on these criteria, and would also welcome views as to the level at which the standards should be set for each of them or how they should be assessed.' The criteria should be set such that as many organisations as possible can become licensed if they so wish. It would be inappropriate to develop criteria that only allowed the very largest corporations to become licensed service providers: in this field it is notable that it is usually the small, new companies that have driven development and change. Most of the criteria are sensible and valid; however, there are some comments that should be made, and these are covered below. 11.1 General Licensing Criteria
There are no special comments on confidentiality service providers, although the author suspects that in real life there will be little need for them. 11.4 Licensing Criteria for Key Recovery Agents The discussion of KRAs is not clear in the document. Footnote 17 of paragraph 38 attempts to redefine KRAs as a type of third party service provider, acting as a logical recipient of a copy of every message generated (in PGP terms it is a Corporate Message Recovery centre, with the message having an Additional Recipient Packet keyed for the recovery centre). However, this redefinition goes completely against the meaning of the term 'Key Recovery Agent': which is an agency that recovers keys. This observation is reinforced in the Appendix, where the KRA must provide ' ... the appropriate key-recovery information to the law enforcement authorities ... '. Thus the KRA is, in fact, a key escrow agency and there seems to be no reason for the existence of such agencies outside of a key escrow environment. Despite the suggestions in the text about 'key encapsulation', in the end people will not lodge their keys with such services, or create a message readable by such agencies, if they believe that they will be monitoring targets. As it is unclear that such agents will exist, no further comment is made on the licensing criteria. References [ABE] H Abelson et al, The Risks of Key Recovery, Key Escrow, & Trusted Third Party Encryption [ECH] Sunday Times Focus article on Menwith Hill and Echelon, 31 May 1998 [ESD] Proposal for a European Parliament and Council Directive on a Common Framework for Electronic Signatures, 13 May 1998, COM(1998) 297 final [GSS] Government Statistical Service, The Nation's Accounts 1996 [HEN] D Hendon, RE: Crypto Task Force chairman is pro-escrow? UK Crypto Mail List, ukcrypto@maillist.ox.ac.uk [KAH] L Kahney, Email Assist for Yugoslavs, Wired News, 29 March 1999 [SCH] B Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996 [THA] Thawte Digital Certificate Services [UNC] UNCITRAL Model Law on Electronic Commerce [VER] VeriSign [WOL] F Wolf, Representative of Virginia, accusations against France in the US House of Representatives, 28 April 1993 Notes Note 1: It might be thought that USA businesses are more deregulated, but it is no longer clear that this is true overall due to the great changes in both countries over the last twenty years. For the purposes of this paper it is assumed that the general openness and opportunities in both the UK and the USA markets are similar except for scale. [Return] Note 2: This might not be true where there is a pyramidical organisation of certification authorities; however, whilst OFTEL is named as an initial licensing authority the DTI document does not propose any kind of public key certification hierarchy. [Return] |