24/05/1999 Demon Internet and ScottishTelecom
Response to DTI Consultation Document on Building Confidence in Electronic Commerce.
Scottish Power Telecommunications Limited ("ScottishTelecom") and Demon Internet Limited ("Demon Internet") have jointly reviewed the DTI Consultation Document entitled "Building Confidence in Electronic Commerce" dated 5 March 1999 (the "Paper") and have prepared comments and recommendations in response to the Government's proposals on electronic commerce.
Considerable time and effort has been spent on reviewing the Paper and we hope that our comments and recommendations will be taken into consideration prior to the Government introducing any legislation on electronic commerce in the current Parliamentary session.
Our general view is that this is an area under development, in which what is practical and effective is to a large extent yet to be discovered. Industry drivers are likely to be transnational standards. We recommend, therefore, that primary legislation and any regulatory structures should be kept to the minimum required to enable business in the UK to rapidly take advantage of opportunities as they arise. The worst possible result would be for premature, detailed legislation to set standards peculiar to the UK and thereby hinder the development of electronic commerce here.
We have looked at various different issues on which the Government are seeking views, together with particular issues which have a commercial impact on our business in the field of electronic commerce. We therefore comment as follows:
Time Period for Invitation of Comments - Summary
Comment
- The consultation period for commenting on the Government's policy on electronic commerce is too short, with respondents being given less than one month from publication of the Paper to review and comment on the Paper.
Recommendation - If the Government are keen to seek views on the electronic commerce policy, a clear statement on how the views of industry will be sought following 1 April 1999 is necessary. This would be in line with the view expressed by the DTI that this is the "first step" in the development of a legal framework on electronic commerce.
Electronic Signatures and Electronic Writing - Paragraphs 16 - 22
Comment
- Electronic writing and electronic signatures are two distinct concepts; however, it is unclear from the Paper whether the Government views the validity of electronic writing separately from the validity of electronic signatures.
- There are many things in the real world that are done in writing, but do not require formal signature. We expect that many electronic transactions will be the same, so it is necessary to ensure that electronic writing is acceptable, without requiring electronic signatures.
- We are in favour of removing barriers to electronic commerce by giving legal effect to electronic writing wherever possible; however, clarification is required on the distinction between the concepts of electronic writing and electronic signatures.
Electronic Writing
Comment
- In relation to the legislative process which is to be followed to ensure the validity of electronic writing, the main criteria which require to be satisfied are:-
- that the legislative process is undertaken swiftly and without undue formality; and
- that sufficient legal safeguards are provided to protect the interests of any persons entering into electronic commerce transactions, but without such a degree of formality as to delay the development of on-line business transactions.
Recommendation - We suggest that primary legislation is implemented to establish a framework for secondary legislation to set down statutory requirements for electronic writing where necessary and practical. This would avoid the delays which primary legislation on a case by case basis would involve. Secondary legislation will provide more flexibility as use and practice reveal how electronic writing works best.
Electronic Signatures
Comment
- The Government's requirements for electronic signatures at paragraph 19 of the Paper exceed the capability of what is currently available for on-line technology. Firstly, the linkage to an individual relies upon that individual co-operating to keep information such as a passphrase or PIN as a secret. An individual may wish to deliberately compromise the signature because this is a smaller loss than standing behind it. Secondly, the linkage of the signature to the document being signed assumes a wide-ranging security model which must ensure that "what you see is what you sign", which is hardly even considered in today's applications.
- We understand that discussions are underway in Brussels to consider the technical requirements for electronic signatures in the context of the draft EU Directive on Electronic Signatures.
- The mechanisms required to give legal validity to on-line transactions are complex and are in fact more akin to the requirements for signing formal documentation, for example notarising deeds or witnessing.
- With the exception of those transactions which require to be in writing, in both Scots and English law transactions are legally effective even though not in writing or signed, the point being that they are "contractually binding" but not "probative" unless signed in the appropriate formal legalistic manner. In commercial reality, however, the vast majority of off-line transactions are of such a nature that they do not require to be "probative" by being formally signed and businesses accept a simple hand written signature as being sufficient evidence to give the transaction legal effect.
- The majority of on-line electronic commerce transactions, as with off-line transactions, do not require a self proving procedure. To require such a procedure will cause difficulties for businesses in making formal legal arrangements for individuals to sign on behalf of the business every time a transaction arises.
- It is not clear how any signature may either be "uniquely linked to the signatory" or be "capable of identifying the signatory", or even if this is always necessary. For many transactions a signature is merely a token that confirms the authority to enter into the transaction. A bank mandate, for example, provides the bank with a number of signatures that it should accept as authorising payment. From the bank's perspective the fact that the signature on a cheque matches one in the mandate provides sufficient comfort, without further formality. Similarly simple electronic signatures may also be required.
- In the off-line world, along with a signature, it is sometimes also necessary to state the capacity in which the individual is signing, for example as an authorised signatory or director of a company. This requirement should also be taken account of in on-line transactions.
- With electronic signatures it should be possible for a corporate body to sign things, just as a partner may sign the partnership name in the off-line world. When a Certifying Authority issues a certificate, the form of the certificate is the data describing what is certified, signed by the Certifying Authority. One way of approaching the "signing on behalf of" requirement is for an individual to electronically sign an electronic document, and then for the company to sign that signature - in effect to countersign. Indeed, the recipient of such a document may well not care which person signed it, only that it is suitably countersigned by the company - that is to say by someone with the authority to use the company's keys.
- The practical development of electronic signatures will, as most things in this field, be driven by global standards. Premature, detailed legislation in the UK may adversely affect the development of electronic commerce here.
- Separately, we are concerned that the government does not use its monopoly position when allowing electronic writing for communications with itself to unreasonably promote particular electronic signature schemes.
Recommendations - We recommend that the outcome of discussions in Brussels on the draft EU Directive on Electronic Signatures is addressed prior to reaching a formal decision on what should be implemented in the UK bill.
- There should be explicit recognition within the legislation that existing non-formal signing of emails and faxes will not be deprived of "contractually binding" effect by the introduction of more formal electronic signatures.
- The Government should recognise that the process for formally signing transactions is only required in a minority of off-line transactions and this should be reflected in the requirements for on-line transactions also.
- Provision should be made for the capacity in which an individual signs to be recognised.
- The Government should avoid distorting the UK market for signature systems by ignoring global standards when choosing systems for its own purposes.
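The countersigning arrangement described in the comments above (an individual signs the document, the company then signs that signature, and the recipient checks the company's countersignature first), worked through as an added example in Go; it is not code from the original response, and Ed25519 and the field layout are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Countersigned carries a document, the signing individual's public key and
// signature over the document, and the company's countersignature, which is
// a signature over the individual's signature bytes rather than over the
// document itself.
type Countersigned struct {
	Doc        []byte
	IndivPub   ed25519.PublicKey
	IndivSig   []byte
	CompanySig []byte
}

// Countersign has the individual sign the document and then has the company
// sign that signature. Ed25519 is an assumed choice; the response names no
// algorithm.
func Countersign(doc []byte, indivPriv, companyPriv ed25519.PrivateKey) Countersigned {
	indivSig := ed25519.Sign(indivPriv, doc)
	return Countersigned{
		Doc:        doc,
		IndivPub:   indivPriv.Public().(ed25519.PublicKey),
		IndivSig:   indivSig,
		CompanySig: ed25519.Sign(companyPriv, indivSig),
	}
}

// Verify takes the recipient's view: the company key it already trusts must
// have countersigned the individual signature, and that signature must in
// turn verify over the document. Both checks are needed, because the
// countersignature alone says nothing about the document's contents.
func Verify(cs Countersigned, companyPub ed25519.PublicKey) bool {
	if !ed25519.Verify(companyPub, cs.IndivSig, cs.CompanySig) {
		return false // the company never authorised this signature
	}
	return ed25519.Verify(cs.IndivPub, cs.Doc, cs.IndivSig)
}

func main() {
	companyPub, companyPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, indivPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, outsiderPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample document.
	doc := []byte("Purchase order 42: 100 units at GBP 5.00")
	cs := Countersign(doc, indivPriv, companyPriv)
	fmt.Println("countersigned by company:", Verify(cs, companyPub))

	// An outsider's signature carries no company countersignature over it,
	// even if a company signature taken from another document is attached.
	forged := Countersign(doc, outsiderPriv, outsiderPriv)
	forged.CompanySig = cs.CompanySig
	fmt.Println("outsider's signature accepted:", Verify(forged, companyPub))

	// The countersignature covers the individual signature, not the document,
	// so a swapped document is caught only by the inner check.
	cs.Doc = []byte("Purchase order 42: 1000 units at GBP 5.00")
	fmt.Println("altered document accepted:", Verify(cs, companyPub))
}
```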
Other Legislative Possibilities - Unsolicited Email (SPAM) - Paragraphs 28 - 31
Comment
- Email is by far the most important service that Demon offers to customers, with up to one million items of email a day flowing across Demon Internet's systems. Approximately 5% to 10% of this mail is currently unsolicited commercial email, and some 99% of that currently has its origin in the USA.
- Some detailed comments on this area are set out in Annex B.
Recommendations - The best way forward is to make the sending of bulk unsolicited email an offence, with real penalties applied. Failing that, legislation in line with that for "junk faxes" would be an acceptable way forward.
Licensing Regime for Trust Service Providers - Paragraphs 33 - 41
Comments
- The draft EU Directive on Electronic Signatures states that mandatory prior authorisation is prohibited and that no signature should be denied legal effect, whether or not a certificate has been provided by a licensed Certification Authority. It is proposed that under the UK bill a licence will be required from a Certification Authority to ensure a rebuttable presumption of the validity of the signature and the identity of the individual. Our view, however, is that this would inevitably create a quasi mandatory licensing scheme in order to have the full benefit of the law, which would be contrary to the Directive as currently drafted.
- It is our opinion that a licensing regime for Trust Service Providers in electronic commerce is not required. The only benefit of imposing a licensing scheme for Certification Authorities or Trust Service Providers is that it enables quality standards to be set and monitored. However, imposing a particular set of quality standards, for example ISO or BSI accreditation, would be as effective in giving consumers and businesses protection as a formal licensing regime. We have difficulty understanding why the Government is of the opinion that licensing would provide greater benefits than imposing a quality standard scheme.
- A licensing regime may, in fact, open the door to more widespread regulation of the Internet, which would be both unnecessary and undesirable at this time. If this is the Government's intention then further consultation is necessary.
- If the Government does decide to impose a licensing regime, it should be clear that the licence only attaches to the service being provided and indeed the Trust Service Provider should only be required to take out a licence for such services as it provides. It is difficult to see the justification for a Trust Service Provider having to acquire licences for all its activities. Again, this approach would in effect extend the scope of Internet regulation, which would be unnecessary and undesirable.
- In the event that the Government's proposal for a formal licensing scheme is implemented, we do not believe that OFTEL is the most appropriate body to be designated as the initial licensing authority. The Data Protection Registrar has appropriate experience in dealing with security and data issues.
Recommendations - The proposed licensing regime should be abolished and a procedure providing quality standards (e.g. kite marks, ISO accreditation) should instead be available to organisations offering certification services. Accreditation of Certification Authorities should form the basis of legal validity, not licensing.
- The Trust Service Provider should not be required to obtain a licence for each and every one of its functions, and the licence should be restricted only to the services for which it seeks a licence.
- When a Court looks at a signature which derives from an unlicensed Certification Authority it should not, as proposed, be asked to determine if the standards and procedures were as reliable as those required for a licensed provider. Instead it should be determining if the standards and procedures are reliable enough for the signature to have the validity required in the specific case.
- It is our view that the Data Protection Office has greater experience on security and data management issues and would be better equipped to regulate the licensing regime than OFTEL.
- We believe that existing Advertising Standards Codes of Practice will be sufficient to provide consumer protection to those who wish to distinguish between licensed and unlicensed Trust Service Providers. Equally, there are other remedies for those who rely on services provided by an unlicensed TSP which "holds itself out" as licensed.
Liability - Paragraphs 42 - 45
The paper raises questions about liability to be carried by Trust Service Providers. We also wish to raise the issue of liability for material which is transmitted by or made available on systems run by Internet Service Providers (ISPs). The liability issues affecting such intermediaries are one of the main barriers to the development of electronic commerce and it is essential that they are addressed in any legislation. We are surprised that the consultation paper does not address these issues.
Minimum Level of Liability for Trust Service Providers
Comments
- It is our view that a minimum level of liability should not be imposed on Trust Service Providers by statute. Trust Service Providers must be able to agree with their customers the level of liability to be accepted, and be able to offer a range of services at varying costs with attendant variations in liability. Trust Service Providers must have the ability to balance liability with the cost of services on a risk/reward basis. To do otherwise will restrict competition.
- When issuing a certificate, for example for one of its customers' signature keys, a Certifying Authority must be able to limit the liability it undertakes to third parties. We do not believe further legislation is required to establish that liability.
- There is already a plethora of consumer protection in place, including the Unfair Contract Terms Act 1977 and the Unfair Terms in Consumer Contracts Regulations 1994, the Distance Selling Directive 1998 and the Consumer Credit Act 1974 and therefore these will give adequate protection to consumers without imposing minimum levels of liability on Trust Service Providers.
Recommendation - There should be no minimum level of liability imposed on Trust Service Providers and/or Certification Authorities as there is sufficient consumer protection already in existence.
Content Liability
Comment
- We are concerned that, notwithstanding the proposals in the draft EU Directive on Electronic Commerce (which is recognised at the front of the Paper), the protection of intermediaries from liability proposed in the draft Directive is not addressed, and no equivalent measures are proposed.
- Our experience of Internet service provision in the UK and abroad suggests that intermediaries can be held liable for the actions of their subscribers and for material flowing through, or stored on, their systems whatever the source, notwithstanding that they cannot monitor these things. The liabilities which potentially arise include those of defamation, intellectual property infringement, trading standards issues, regulatory infringements in some spheres and indeed straightforward criminal activity such as providing illegal material. The development of e-commerce will add further risks. This risk of intermediaries being found to be liable forms a barrier to commercial activity on the Internet.
- The draft EU Directive proposes a "mere conduit" exemption, limits service providers' liability for other "intermediary" activities, and establishes "no obligation to monitor". We would support this.
- However, the draft also discusses "notice and take down procedures", in which the service provider may be required to remove or block access to material, and a failure to do so will generate a liability. We are not entirely happy with this. The draft says:
"It should nevertheless be stressed that these procedures do not and cannot replace existing judicial remedies."
- Unfortunately, the effect of "notice and take down procedures" is likely to be just that unless they are carefully circumscribed.
- It is not appropriate that intermediaries be required to take a decision on the merits of any individual claim (or predict the position a Court will take) or that they be liable if they fail to act appropriately. With the development of e-commerce the risks for intermediaries are increasing together with the complexity of possible disputes. It is not appropriate for an intermediary to be required to determine a dispute between two parties on the basis of written notice alone, and to be liable for results. Intermediaries should be protected from liability except where a party obtains an order of the Court requiring action to be taken. Further, appropriate protections will be required for intermediaries in the situation where they comply with an injunction or Court Order that has been wrongfully obtained.
- Defamation is a live issue for Demon Internet. If, as the Godfrey case and recent German cases suggest, an ISP becomes liable as publisher as soon as a claimant puts it on notice, then the ISP is in an invidious position. First, the ISP is unlikely to know the facts of the matter, so even if one accepts that the ISP should be trying to determine the merits of a claim, it may not be in a position to do so. Second, given the potential expense of litigation an ISP has an incentive to take the safest approach and remove material or block access to it. The effect is to create a soft option for claimants who can push the ISP to act where they might not be able to convince a Court of the merit of their complaint. This potentially short circuits the usual process and undermines freedom of expression.
- Copyright has been invoked, for example by the Church of Scientology, to push an ISP into removing or blocking access to material. In the case of the Church of Scientology this was an attempt to suppress material critical of the church and its beliefs. As e-commerce develops we can expect intellectual property disputes to arise. We already have direct experience of one company attacking a rival by asserting an intellectual property infringement and calling upon us to decide where the fault lies. If the rival is using e-commerce, then by serving notice on the ISP the attacker may cause access to the e-commerce site to be blocked, thereby succeeding in damaging the rival's business without going to the bother of testing their claim in Court. As with defamation, the ISP has an incentive to avoid being dragged into litigation. However, in this case the ISP is in much greater danger as it could be sued by the rival for damage caused to its business. The position is impossible.
- There are many ways in which material carried by an ISP might give rise to what might be called "vicarious liability". For example, if information is leaked in a Usenet Newsgroup that affects a company's share price, should the ISP be expected to block access to articles on the basis of written notice? If so, just as in defamation and intellectual property, how is the ISP in a position to judge? This is not an academic issue, though we are not aware of an ISP being asked to act in these circumstances. Extending further, what liability might an ISP face if a customer is thought to be manipulating stock prices by publishing information on their web site? Would an ISP be liable if it received notice that a customer was selling dangerous toys or the like? This may simply create another potential means for one company to attack a rival.
Recommendation - In the case of criminal activities, we believe the law enforcement agencies have adequate existing powers to require action by intermediaries, so no further or special arrangements are required.
- The proposals in the draft EU Directive on Electronic Commerce giving protection to intermediaries against liability should be included in the UK bill.
- Furthermore, the bill should give protection to intermediaries such that they are not required, through risk of acquiring liability, to take action in relation to third party content which is made available or accessed through their services unless a Court Order, for example an injunction or interdict, is served upon them.
Duty of Care - Paragraph 45
Comment
- It is our opinion that imposing a duty of care on holders of private signature keys to notify a Certification Authority that a key has been compromised restricts the flexibility of the market and goes further than is required to protect parties' interests in electronic commerce. Any necessary arrangements can be imposed by contract in the same way as at present in relation to credit card agreements.
Recommendation - No legislation should be imposed requiring holders of private signature keys to notify a Certification Authority and/or Trust Service Provider where those keys have been compromised.
Export Controls - Paragraph 47
Comment
- The Paper states that proposed legislation will not affect the current export controls on cryptography products that are shaped by international agreements. However this clearly does not reflect what is provided in the EU Directive on Electronic Signatures. We would therefore expect further consultation on this prior to any legislation taking effect.
Law Enforcement Interests in Cryptography & Human Rights - Paragraphs 48 - 79
Comment
- In Demon Internet's response to the previous consultation paper, our view was that any form of key escrow would introduce risks to the security of Private Keys. We believed that Public Key encryption technologies would appear to many members of the public to be like a new magic where belief is more important than knowledge for proper operation. Thus any security risk, however far-fetched, would immediately cast great doubt and uncertainty on the use of these technologies, adversely affecting the development of electronic commerce. This remains our view.
- This consultation paper seeks solutions for the problem of near real-time access to encrypted material gathered lawfully under the provisions of IOCA. We are not experts in encryption, however, any weakening of an encryption system to introduce a "back door" for law enforcement access is going to carry the fear that the back door will leak or be discovered. The effect seems to us to be virtually indistinguishable from the effect of key escrow and key recovery. Furthermore, encryption systems for use on the Internet conform to global standards, so that any UK specific requirements may simply be ignored or introduce competitive disadvantages for UK businesses.
- Our customers are concerned that their rights to privacy of communication should not be compromised. In that context it is a disappointment that the consultation document appears only to consider the needs of commerce and the needs of law enforcement. The OECD guidelines on Control of Encryption, of March 1997, include the principles:
"5. Protection of Privacy and Personal Data: The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
6. Lawful Access: National cryptography policies may allow lawful access to plaintext, or cryptographic keys, of encrypted data. These policies must respect the other principles contained in the guidelines to the greatest extent possible."
- Our customers are concerned that their email be treated as confidential. There is currently some doubt as to whether email held waiting to be delivered falls under IOCA (while it is travelling over communication links, IOCA fairly clearly applies, but while it is held pending its next step to its destination, there is doubt).
- In response to our customers' desire for privacy, particularly for email communications, we will be providing PGP built in to our own email software offering.
- It appears to us to be reasonable that there should be an explicit right to demand the plain text of material required as evidence, subject to the usual restrictions on privileged material. (We assume that this right might be exercisable by the defence as well as the prosecution.) Where sensitive or private information is held on our systems, we would be concerned if encryption keys could be demanded instead of, or as well as the plain text, as that might compromise quite unrelated information.
- We recognise that without the disclosure of the key there may be a problem in verifying that the plain text offered is indeed the original plain text, and suggest that the right to demand the key be solely linked to the need for such verification. It will often be possible to avoid requesting the key. For example, in many schemes with session and master keys, only the session key that was used for a particular message need be revealed.
- On the topic of penalties for failure to comply with an order to provide plain text, we note in passing that the problem of self-incrimination is summarily dismissed without much justification.
Recommendation - Clarification is required that email is subject to IOCA at all times, and not to IOCA while it is being transmitted and PACE while it is waiting for the next step of its journey. The Government's proposal on this aspect of its policy requires to be addressed in the forthcoming IOCA review and we will provide a response following that review.
- Greater weight should be given to consideration of privacy issues.
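The session-key point made in the comments above (disclose only the key for the one message in question, never the master key, so that the offered plain text can be verified without exposing unrelated material), worked through as an added example in Go; it is not code from the original response, and AES-GCM for both the message and the key wrapping, together with the envelope layout, are assumptions:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Envelope is one stored message: its session key wrapped under the holder's
// long-term master key, and the body encrypted under that session key.
type Envelope struct {
	KeyNonce, WrappedKey []byte // session key sealed with the master key
	MsgNonce, Ciphertext []byte // message sealed with the session key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key with a fresh nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: a fresh nonce for every seal call
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt gives each message its own random session key and wraps that key
// under the master key, so one message can later be opened without the rest.
func Encrypt(masterKey, msg []byte) (Envelope, error) {
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey)
	msgNonce, ct, err := seal(sessionKey, msg)
	if err != nil {
		return Envelope{}, err
	}
	keyNonce, wrapped, err := seal(masterKey, sessionKey)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{keyNonce, wrapped, msgNonce, ct}, nil
}

// RevealSessionKey is what the key holder discloses for one message: the
// unwrapped session key, never the master key that protects everything else.
func RevealSessionKey(masterKey []byte, env Envelope) ([]byte, error) {
	return open(masterKey, env.KeyNonce, env.WrappedKey)
}

// VerifyPlaintext lets a party holding only the disclosed session key check
// that the plaintext offered for this envelope is the genuine one.
func VerifyPlaintext(sessionKey []byte, env Envelope, offered []byte) bool {
	pt, err := open(sessionKey, env.MsgNonce, env.Ciphertext)
	return err == nil && subtle.ConstantTimeCompare(pt, offered) == 1
}

func main() {
	master := make([]byte, 32)
	rand.Read(master)
	// Constructed sample messages, both held under the same master key.
	env1, _ := Encrypt(master, []byte("invoice 17: paid"))
	env2, _ := Encrypt(master, []byte("unrelated private note"))
	sk1, _ := RevealSessionKey(master, env1)
	fmt.Println("offered plaintext verified:", VerifyPlaintext(sk1, env1, []byte("invoice 17: paid")))
	_, err := open(sk1, env2.MsgNonce, env2.Ciphertext)
	fmt.Println("disclosed key opens the other message:", err == nil)
}
```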
Key Escrow and Key Recovery by Third Parties - Paragraphs 80 - 82
Comment
- The Paper concludes that the Government are no longer imposing requirements of key escrow and we are pleased that you have given consideration to industry's concerns that key escrow would constrain the development of electronic commerce. In the event that you have a change of mind on the issue of key escrow, we would expect further consultation to take place prior to anything being implemented to this effect.
1 April 1999
Note to editors:
Demon Internet - Founded in June 1992, Demon Internet is the pioneer of low-cost flat rate Internet connectivity in the UK and the Netherlands for both business and home users. As well as offering standard dial-up services, Demon Internet offers a comprehensive range of business services including business dial-up and network dial-up for small to medium-sized businesses and a leased-line solution for corporates. Web hosting is offered by Demon Internet who are the fourth largest web hosting business in the world. Technical support is provided, 24 hours a day, 7 days a week, free of charge to every user. In May 1998 Demon Internet was acquired by ScottishTelecom, the telecom subsidiary of ScottishPower PLC.
For further information please contact:
Colin McSeveny or Ann Hood at ScottishPower Press Office Tel 0141 248 8200 Fax 0141 636 4579