BUILDING CONFIDENCE IN ELECTRONIC COMMERCE
As an individual, I have a active interest in electronic commerce and the related areas of privacy and inclusive access to technology. Furthermore, I am involved professionally, on behalf on my employer Bull Information Systems – in the marketing of capabilities related to this area.
This response is a personal one however, and should be considered in that context.
I warmly welcome the governments stated intent of trying to develop the UK as the “World’s best environment for electronic trading by 2002”. Without a doubt electronic business and public sector interactions electronically provide many advantages in terms of costs of transacting business and providing services to individuals. By promoting electronic commerce, the UK government is promoting an environment where businesses can expand their trading horizons at a significantly lower cost of entry. Committing to a target of 25% of dealings by citizens with government to be done electronically also sends out a strong and positive message.
In the light of these positive statements, I was disappointed that the consultation paper dealt with a number of salient topics in the way that it did. In the spirit of constructive criticism, I would like to raise a number of areas of concern.
Given the stated intention of building confidence, I was surprised that the document focussed so much on technology issues such as Public Key Encryption. Furthermore, I suspect that any reluctance by the Public or business to embrace the principles of electronic trading are less to do with signatures and legal discussions on the definition of writing, and much more to do with a lack of understanding of the real benefits of electronic trading –transaction costs; access to wider choice; accessibility and timeliness – combined with the well known human trait of resistance to change. I would submit that if government wishes genuinely to encourage a sea change in the adoption of trading by electronic means, it needs to address some of the “softer” matters such as promoting the benefits, ensuring confidence through legal protections and supporting more inclusive access to the technology required.
I believe that Spam is not an issue the context of electronic commerce. It is annoying, can be offensive and, for providers, a costly and wasteful item. It is, however, something that is being increasingly tackled by internet service providers (ISPs) themselves using readily available commercial technology. As an active user of internet based services, both at work and home, the volume of Spam actually getting as far as my account has reduced considerably in the last 12 months, and this is due, I’m sure, of improved filtering by my ISPs. I do not see the incentive for government to try and formulate legislation in an area that is going to be difficult to define (just how would you define, legally, “Spam” mail?), and harder to enforce – given much of the Spam is generated outside of the UK.
I would draw the parallel with junk postal mail today. We may all bemoan receiving badly targeted, poorly executed mailings, but we can simply throw them away. They cost us nothing, and (in normal circumstances anyway) cause no more than an irritation. Spam is similar and can be dealt with similarly – with the added advantage that ISPs can technically “throw it away” on one’s behalf. The element that is missing is that of choice, in that currently there is no obligation on ISPs to ask individuals if they wish to receive junk mail or not – I believe that should be encouraged (though not legislated). Just as individuals can register with a mail preference service, maybe government should encourage industry to establish and run an e-mail preference service?
I was encouraged to see the distinction being drawn within the paper between electronic signatures (as a means to “prove” the person sending the document was who they claimed to be and to ensure that the contents remained untainted by external tampering) and encryption (as a means to keep private the transaction). The fact that these two, quite different, areas are to be catered for differently in the legislation is a timely recognition of the relative uses of each.
I do think there is scope, however, to recognise that other means of signing a transaction exist and will be developed. I also think further guidance is required in areas where a witnessed signature is currently required – how would one “witness” an electronic signature? I was not convinced that enough weight was placed within the consultation on providing protection for individuals who may sign documents electronically in an environment where perhaps insufficient consideration has been given (or is allowed) to the significance of the signature. The parallel I would draw is to the “cooling off” provisions within the Consumer Credit Act, allowing individuals the opportunity to take stock of a decision which might have been made without them being as aware of the significance of what they were signing. I would like to see similar provisions within any legislation, though only within certain categories of transaction (major purchases, credit agreements etc.).
One area of concern was however, the continued tone of the paper that encryption is something that is somehow on the margins of criminality and requires draconian powers to be vested in government and its agents to decrypt secured communications in the cause of democracy or law enforcement. The powers proposed giving a legal right of access are, in my view, somewhat limited since one assumes that short of physically assaulting a miscreant, the fact that the law says a suspect must reveal a key would be somewhat ineffective. By the same token, if failure to release a key were to be subject to penalties on the same basis as the crimes allegedly being committed under the protection of encryption (e.g. terrorism, paedophilia or worse) then the potential for massive miscarriages of justice would be increased. I would be extremely concerned if powers were taken that would allow courts to construe that a refusal to release a key was evidence in itself that the defendant was party to the crimes under investigation. People and companies need to secure documents and files for many reasons – examples include privacy and commercial sensitivity. An individual may be unwilling to release a key under pressure for a diverse range of reasons, not least because they genuinely may not know the key. Alternatively, it may be that they would be commercially disadvantaged (in the case of intellectual property) or simply embarrassed. The fact that a citizen may choose not to assist the police is already catered for within current legislation, and I do not see why additional powers are necessary. Use of encryption should not be seen as something to be considered criminal, any more than lawfully owning a shotgun. Encryption is simply a tool that can be used for a range of activities.
The paper also makes the point that access to encrypted material for interception purposes, would need to be “timely” and “covert”. Setting aside the view that interception must, by its nature, be an opportunistic line of enquiry, the possibility that the criminal fraternity would make it easy (by using a licensed TSP for example) for law enforcement agencies to decrypt their exchanges is remote at best. Criminals will always seek to thwart those pursuing them by trying to be one step ahead – these proposals will not address this issue.
The government should seek to separate the genuine need to encourage and foster the electronic trading environment from the need to provide law enforcement access to encrypted material. Fostering the use of e-business requires more than credible signature technology or the creation of a framework of trusted intemediaries, it requires a range of confidence building measures to reassure business and individuals that trading this way is no riskier than more traditional channels, and that it brings genuine benefits.
Electronic commerce has the potential to be as significant as the development of the telephone in the way society transacts business. UK Plc needs e-commerce to work – the government must play its part in ensuring success.
Chris D’Arcy, MCIM, 31st March 1999