Institute for the Management of Information Systems

_____________

Summary

1. Most of the concepts on which this consultation paper is based, including that of independent trusted third parties issuing certificates or holding keys, appear relevant only to a sub-set of a sub-set of the current or prospective electronic commerce markets.

2. The failure of UK law to keep pace with the growth of electronically negotiated and transmitted agreements and the problems of organising cost-effective, secure and trustworthy communications are now a severe barrier to the growth of UK based electronic commerce (e.g. pan-European, let alone international, financial services).

3. The only action required, however, from Government is to bring the law on electronic writing, signatures and other authentication into line with that for the paper based equivalents and to remove barriers to the use of stronger security by those under criminal attack (including by former members of the cold war security services).

4. A trusted service is one which honours its obligations regardless of the technology used or the failings of others. Such services are better viewed as electronic variations or add-ons to the centuries old frameworks for international trade under conditions of uncertainty. These range from Bankers’ letters of introduction or credit through Notary services, a variety of Certification and Verification Services (e.g. Lloyd’s Register or Det Norske Veritas), Reference services (e.g. Dun and Bradstreet) to the routines of the Credit Card Operators (for Merchant Identities and Clearing as well as for issuing individual cards). A review of how these are regulated in a converging world may be desirable but there appears to be little or no case for a new and separate framework for their electronic equivalents.

5. Fragmented national law enforcement policies based on outdated concepts also pose major problems (including cost, complexity and vulnerability to fraud and industrial espionage) for the internal communications of globally integrated corporations as well as for those who need secure, reliable and confidential external communications with suppliers and customers. Many of these problems are directly shared with the law enforcement agencies. Four weeks is too short to do more than test the climate for co-operation in this area.

6. The frameworks and priorities for co-operation should recognise that retaining the secure processing hubs of international users (banks, petrochemical, aerospace suppliers etc.) is far more important to the UK economy than the "competitiveness" of technology or communications suppliers. Some of the latter could earn more by trunking jobs overseas.

7. There is also a need for a fundamental review of the responsibilities and liabilities of those carrying value-added communications traffic (e.g. those providing networks and services over which valuable and/or confidential content may be carried, lost, corrupted, re-routed or copied).

8. It is to the economic advantage of the UK to take a lead in creating a favourable environment for electronic commerce with a cost-effective and technology independent legal framework that is compatible with the UNCITRAL Model Law. Any further government intervention, whether for law enforcement or consumer protection purposes, needs a far longer period of consultation, lest it be counter-productive at all levels.

Introduction

9. The Institute for the Management of Information Systems (IMIS) is the professional association for IS and IT managers and, as is increasingly the case, for user managers with responsibility for IS and IT systems. In its submission to the House of Commons Trade and Industry Committee Enquiry on Electronic Commerce, the Institute distinguished between those areas where there was widespread agreement on the need for rapid legislation "to ensure that the UK remains among the most attractive places in the world to do business electronically" and those concerned with the interception of communications, where the issues are complex and rushed legislation could be very damaging to the UK economy while still not achieving the objectives of the law enforcement agencies.

10. The overall position of the Institute on the proposals is:

11. IMIS strongly supports the response to this consultation paper being made by EURIM, the Parliament-Industry Group concerned with the politics of the Information Society. The main differences in our response are to raise the need for a more far-reaching review of law enforcement powers and responsibilities (civil as well as criminal) than is currently planned for the review of IOCA and the need for a comprehensive review of consumer protection structures and issues. It may be that no change is needed. If so, such a review is still needed to help prevent back-door changes via secondary legislation to implement EU directives.

12. HMG appears to be basing its proposals on a model of authentication and confidentiality which has limited validity outside military, diplomatic and other government and public sector hierarchies and is inapplicable to most of the business and commercial world. It also appears to link consumer protection needs with those of criminal law enforcement. These should be handled in separate legislation.

13. The case for linking the licensing of confidentiality services with those of authentication and non-repudiation services appears to be based on the fact that they MAY use similar technology (although for very different purposes). However, given the different nature of the services and the very different customer protection needs, the responsibilities and potential liabilities of those offering the services also appear very different.

14. The under-writing of authentication and non-repudiation may be better viewed as a legal or financial service (albeit one which may be offered by technology or telecommunications providers). The Financial Services Authority is therefore likely to be a more appropriate regulator than OFTEL. The latter would need to replicate functions currently carried out by others, including those with regard to well-established contract-based electronic trading.

15. Authentication services to help enforce intellectual property rights (e.g. digital "watermarking") may also have very different needs (in volume as well as in nature). This may also, however, be an even bigger market.

16. The different types of electronic transaction and customer may well lead to a hierarchy of regulatory needs - from those which are best policed as part of the role of "electronic trading standards officers" (micropayments for electronic browsing, low value transactions for home shopping etc.), through "financial services regulation" (for home banking or the distance selling of financial services etc.) to the real-time monitoring of the "exposure" of major financial institutions. The differing cost/risk profiles will almost certainly require different regulatory approaches. Attempts to predict these or to "promote" particular approaches are likely to be counter-productive.

17. The legislation needs to be technology neutral and internationally acceptable. The Ruritanian government will expect the same access through its own courts to the confidential communications of the local branch of Inter-Galactic Trading Corporation or the local representative of Amnesty International as are enjoyed by HMG, whether via intercept warrant to monitor transient communications or, more likely, by magistrates warrant (or Anton Piller Order) to browse through stored data on the file servers of the local digital communications provider.

Response to specific questions

§18 The Government would welcome views on the appropriate means of ensuring legal recognition of electronic signatures and writing.

We support option two: that HMG take powers in primary legislation to enable case by case amendments by statutory instrument to facilitate the legal recognition of electronic writing and signatures. We are, however, concerned that the proposals in paragraphs 19-20 give a privileged position at law to licensed (or rather accredited) electronic signatures vis-à-vis paper based signatures and other forms of electronic verification or authentication (e.g. biometrics). The proposal, as drafted, raises fundamental issues, including of consumer protection, and appears incompatible with current EU proposals. The case for a privileged position is not made and should be dropped. The same law should apply on-line as off-line.

§23 The Government is also seeking views, subject to the constraints set out in this section, on whether there are other significant changes that should be made through UK primary legislation to promote the development of electronic commerce.

We see no value in legislation to "promote" electronic commerce as opposed to rapid action to remove barriers as, and when, identified. The most important current barrier is that much of the technology does not work reliably and it is unclear who is responsible when it goes wrong.

There is therefore a need to greatly improve the information available when a transaction disappoints, fails or is delayed while market volatility changes the assumptions on which it was agreed. Consumers want to know their rights. Was this transaction under UK, Belgian, German or US law? What is the difference? Business users and intermediaries (e.g. telecommunications and internet service providers) also need to know what they are responsible for, and to whom.

It may be that this problem is best solved by "Trusted Brand Names" providing "walled gardens" or "shopping malls" policed under UK consumer protection law with contracts adjudicated in the UK under UK law. Those going outside such protected zones should be warned they are on their own. Should all screens without a White Ensign in the corner (for "policed by the Royal Navy and adjudicated under the Court of Admiralty") carry a Skull and Crossed Bones by default?

Even so, the legal frameworks for adjudication on the responsibilities and limits of liability of communications intermediaries for the information temporarily (or permanently) stored on their systems will need clarification in the near future. Given that the evolution of both technologies and markets is uncertain in direction and timing, the need is for a common law framework that evolves in response to need, rather than attempts at prediction or "promotion".

§25. The Government would welcome views on whether any of the provisions of the UNCITRAL Model Law on Electronic Commerce (other than those on signatures and writing) should be implemented by UK primary legislation.

We agree with EURIM on the need to implement Article 15 of the UNCITRAL Model Law, dealing with the time and place of the formation of contracts.

§31. The Government would welcome views on whether the industry solutions being developed to combat spam are likely to be effective. Or should the Government take further steps to regulate the use of spam?

The industry solutions are unlikely to be effective unless and until responsibility for the costs is borne by those who benefit from the increased traffic revenues. The means of achieving that situation are, however, unclear. A widespread consultation is needed.

§32. The Government would like to start a debate on whether any changes are needed to existing legislation to allow such intermediaries to prosper and would welcome views.

We see no need for government action to "promote" particular types of intermediary as opposed to removing barriers to entry and market flexibility. The most immediately credible "trust" services are likely to be provided by those who are already "trusted" (e.g. Banks, Financial Services, Credit Reference Agencies, Post Office, Securicor, Lloyd’s Register etc.) provided they remain willing and able to accept financial liability when transactions go wrong.

There is, however, a need to review the application of UK and EU Competition Law to services provided by (or run in association with) the main US technology and communications suppliers. Only three organisations (Microsoft, AOL-Netscape and MCI-Worldcom) control most of the access software and switching hubs on the Internet. A shrinking number of large players (e.g. AT&T/IBM and partners, EDS/MCI, AOL and partners, Microsoft and partners) now run, albeit under a multiplicity of brand names, most current services.

§34. The DTI’s initial thinking on the licensing conditions is set out in Annex A, and we would especially welcome views on this annex.

Any licensing (i.e. permission to trade) should be organised as an add-on to the routines of those who already regulate the paper-based equivalent. Given that most mass-market access is likely, within the near future, to be over digital TV and/or mobile phones, the need is to organise convergence between the relevant routines of the FSA (and other content regulators), the ITC and OFTEL, not to create a new regime.

§38. We recognise that various organisations are considering different business models for providing cryptography services to the public and would welcome views on how they should fit into the licensing regime.

For the foreseeable future it is probable that most authentication services (e.g. those related to merchant identities, smart card holders, biometric identities etc.) will be run under contract as low cost add-ons to their paper or plastic based equivalents by banks, credit card operators and retailers; as authentication (anti-piracy) services by publishers and rights collectors; or by communications operators (including Internet service providers) as part of an end-to-end integrated service.

We do not see who would benefit from licensing (alias accreditation) unless this greatly assists the development of inter-operability and cross acceptance between authentication systems or helps new entrants seeking to establish their "brand name". Greater priority should instead be given to support for standards activity to improve inter-operability, to a review of the law regarding trade names, internet names and "passing off", and to the means by which DTI could help small firms reduce the cost of publicising themselves over the net.

§39. The Government would therefore welcome views on how best to distinguish between the provision of licensed and unlicensed services in order to protect the consumer.

The starting point should be the routines used for financial services. The issue is not whether the service is licensed but for what it is licensed and who is liable for what if things go wrong. Unless this is made clear to the consumer the provision of a licence can be dangerously confusing. Government action should be postponed until after the resolution of the current muddled debate, including on liability, between would-be suppliers of encryption technology and those running current trust services.

§42. The Government recognises that the issue of liability is a key concern of industry and would particularly welcome views on the issues set out in this section.

Some general questions are:

under existing legislation for the paper based equivalents)

§43. The Government would welcome views on what level of liability, if any, should be borne by an unlicensed Certification Authority.

The same liabilities should apply as for the equivalent paper based services.

§45. The Government would welcome views on this approach, how the limit should be set, or suggestions for alternative approaches.

Also should a specific "duty of care" be imposed on holders of private signature keys (e.g. to keep their private key secure, to notify a Certification Authority within so many hours of realising it has been compromised etc.)?

Are there any other liability issues concerning cryptography services which need to be addressed in legislation?

The area which most needs attention is the liability where a government or law enforcement agency gains access to keys or content and the owner of that key or content suffers loss due to negligence of that agency. Over recent years there has been a serious erosion in the standard of care for material that is "Commercial in Confidence" - perhaps because of past abuse of this classification with regard to public sector procurement contracts.

With the involvement of current/former members of the cold-war security services in industrial espionage on behalf of governments (and/or in fraud on their own behalf) this situation is an increasingly serious barrier to co-operation between law enforcement agencies and those who are the regular targets of organised electronic crime. Not only does liability need to be borne by the agencies concerned, they also need to consider bringing their own security practices into line with those in the private sector handling information of equivalent value.

§79. Government would welcome views on its proposals for lawful access to encryption keys.

IMIS believes that the emphasis should be placed on access to the plain text with penalties for withholding access which are commensurate with those for the offence in connection with which the access is being sought.

§84. The Government would welcome ideas on how its law enforcement and electronic commerce objectives might be promoted via the licensing scheme or otherwise.

The proposals for licensing (alias accreditation) have little relevance to the promotion of Electronic Commerce or Law Enforcement. The law enforcement objectives are better met by building frameworks for active co-operation with those in the front line of the fight against organised electronic crime. The spend of the private sector on electronic security is now greater than that on physical security (grills, guards, alarms etc.) but co-operation is almost non-existent because of the low priority this has received within law enforcement. This, not licensing, is the point of leverage.

§90. The Government would welcome views from industry on the extent to which the needs of law enforcement agencies can be met by existing and forthcoming developments in encryption and communications technologies.

One way forward is to seek to share US access to the traffic routed through Internet peering centres. This is said to be routinely filtered by source and destination address and passed out for analysis using the massively parallel systems of the NSA. Sharing the cost of research into the quantum computing power necessary to crack the next generation of military encryption might form part of the UK contribution.

A more immediately practical way forward is to seek to share the access of Microsoft and others (e.g. leading edge Internet Service Providers) to systems running the latest PC operating systems. These commonly include increasing amounts of "remote diagnostic software". Not only can files on the system be accessed from remote locations but keyboard entries and screen displays can be monitored and the microphones and cameras on voice and video response systems can be activated. The difference between using such facilities to help diagnose and fix problems, to tailor the response to individuals, to check for unlicensed software and, ultimately, to monitor not only usage but even behaviour within sight and sound of the system does, however, raise issues which need public debate.

Such ways forward require, however, a technical competence which is currently lacking in UK law enforcement agencies. Basic co-operation (including regular meetings and reviews of practical experience) between those responsible for electronic security for the main private sector users (i.e. not just the suppliers of technology or communications channels) and those with equivalent responsibilities in the relevant government agencies (not just law enforcement) is likely to give far quicker results, at far less cost.

Annex A - We invite views on these criteria, and would also welcome views as to the level at which the standards should be set for each of them or how they should be assessed.

The criteria should be based on those for the paper based equivalents. Those already licensed or accredited for these (e.g. Banks, Insurance, Credit Operations, Law firms etc.) should not face any additional costs or hurdles.


_____________

Last Revised: April 16 1999